3Com® Switch 7750 Family Configuration Guide
Switch 7750, Switch 7757, Switch 7758, Switch 7754
www.3Com.com
Part No. 10015462, Rev.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2006-2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS
ABOUT THIS GUIDE: Conventions 17; Related Documentation 18
1 CLI OVERVIEW: Introduction to the CLI 19; Command Level/Command View 19; CLI Features 28
2 LOGGING INTO AN ETHERNET SWITCH: Logging into an Ethernet Switch 33; Introduction to the User Interface 33
3 LOGGING IN THROUGH THE CONSOLE PORT: Introduction 35; Logging in through the Console Port 35; Console Port Login Configuration 37; Console Port Login Configuration with Authentication Mode Being None 39; Console Port Login Configuration with Aut
6 LOGGING IN THROUGH NMS: Introduction 73; Connection Establishment Using NMS 73
7 USER CONTROL: Introduction 75; Controlling Telnet Users 75; Controlling Network Management Users by Source IP Addresses
8 CONFIGURATION FILE MANAGEMENT: Introduction to Configuration File 79; Configuration File-Related Operations 79
9 VLAN OVERVIEW: VLAN Overview 83; Port-Based VLAN 85; Protocol-Based VLAN 85
10 VLAN CONFIGURATION: VLAN Configuration 89; Configuring a Port-Based VLAN 91; Configuring a Protocol-Based VLAN 92
11
Configuring an IP Address for a VLAN Interface 123; Displaying IP Address Configuration 124; IP Address Configuration Example 124; Troubleshooting 124
15 IP PERFORMANCE CONFIGURATION: IP Performance Overview 125; IP Performance Configuration 125; Configuring TCP Attributes 126; Configuring to Send Special IP Packets to CPU 126; Configuring to Forward Layer 3 Broadcast Packets 126; Displaying and Debugging IP Performance 127; Troubleshooting 127
16 IPX CONFIGURATION: IPX Protocol Overview 129; IPX Configuration 130
21 PORT BASIC CONFIGURATION: Ethernet Port Overview 165; Ethernet Port Configuration 167; Ethernet Port Configuration Example 174; Troubleshooting Ethernet Port Configuration 175
22 LINK AGGREGATION CONFIGURATION: Overview 177; Link Aggregation Configuration 183; Displaying and Maintaining Link Aggregation Configuration 186; Link Aggregation Configuration Example 186
23 PORT ISOLATION CONFIGURATION: Port Isolation Overview 189; Port Isolation Configuration 189; Displaying Port Isolation Configuration 190
24
Centralized MAC Address Authentication Configuration Example
29 MSTP CONFIGURATION: MSTP Overview 223; Root Bridge Configuration 228; Leaf Node Configuration 241; The mCheck Configuration 246; Protection Function Configuration 247; Digest Snooping Configuration 250; Rapid Transition Configuration 252; BPDU Tunnel Configuration 255; MSTP Displaying and Debugging 256; MSTP Implementation Example 256; BPDU Tunnel Configuration Example 258
30 IP ROUTING PROTOCOL OVERVIEW: Introduction to IP Route and Routing Table Rout
OSPF Network Type Configuration 297; OSPF Route Control 299; OSPF Network Adjustment and Optimization 302; Displaying OSPF Configuration 306; OSPF Configuration Example 307; Troubleshooting OSPF Configuration 311
35 IS-IS CONFIGURATION: IS-IS Overview 313; Introduction to IS-IS Configuration 318; IS-IS Basic Configuration 319; Displaying Integrated IS-IS Configuration 331; Integrated IS-IS Configuration Example 331
36 BGP CONFIGURATION: BGP Overview 335; BGP Configuration Tasks 340; Basic BGP Configuration 340; Conf
40 IGMP SNOOPING CONFIGURATION: Overview 385; IGMP Snooping Configuration 390; Displaying and Maintaining IGMP Snooping 394; IGMP Snooping Configuration Example 395; Troubleshooting IGMP Snooping 397
41 COMMON MULTICAST CONFIGURATION: Overview 399; Common Multicast Configuration Tasks 399; Displaying Common Multicast Configuration 403
42 STATIC MULTICAST MAC ADDRESS TABLE CONFIGURATION: Overview 405; Configuring a Multicast MAC Address Entry; Displaying Multicast MAC Address 406
43 IGMP CONFIGURATION: Overview 4
802.1x-Related Parameter Configuration; Advanced 802.1x Configuration 474; Displaying and Debugging 802.
53 DHCP OVERVIEW: Introduction to DHCP 555; DHCP IP Address Assignment 555; DHCP Packet Format 556; DHCP Packet Processing Modes 558; Protocol Specification 558
54 DHCP SERVER CONFIGURATION: Introduction to DHCP Server 559; Global Address Pool-Based DHCP Server Configuration 560; Interface Address Pool-based DHCP Server Configuration 566; DHCP Security Configuration 571; Displaying and Debugging a DHCP Server 573; DHCP Server Configuration Example 573; Troubleshooting a DHCP Server 576
55 DHCP RELAY CONFIGURATION
Setting Port Priority 621; Configuring Priority to Be Used When a Packet Enters an Output Queue; Configuring Priority Remark 625; Configuring Rate Limit on Ports 626; Configuring TP 627; Configuring Redirect 628; Configuring Queue-scheduling 629; Configuring Congestion Avoidance 631; Configuring Traffic Statistics 632; Configuring Assured Bandwidth 633; Configuring Traffic-Based Flexible QinQ 634; QoS Configuration Example 636
59 MIRRORING CONFIGURATION: Overview 639; Mirroring Supported by Switch 7750 Family; Mirrorin
64 SNMP CONFIGURATION: SNMP Overview 679; Configuring SNMP Basic Functions 681; Configuring Trap 683; Displaying SNMP 685; SNMP Configuration Example 685
65 RMON CONFIGURATION: Introduction to RMON 689; RMON Configuration 691; Displaying RMON 692; RMON Configuration Example 692
66 NTP CONFIGURATION: Introduction to NTP 695; NTP Implementation Mode Configuration 699; Access Control Permission Configuration 701; NTP Authentication Configuration 701; Configuration of Optional NTP Parameters 703; Displaying and Debuggin
Displaying and Debugging Information Center Configuration; Information Center Configuration Examples 767
72 DNS CONFIGURATION: DNS Overview 773; Configuring Static DNS Resolution 775; Configuring Dynamic DNS Resolution 775; Displaying and Maintaining DNS 776; Troubleshooting DNS Configuration 777
73 BOOTROM AND HOST SOFTWARE LOADING: Introduction to Loading Approaches 779; Local Software Loading 779; Remote Software Loading 788
74 BASIC SYSTEM CONFIGURATION & DEBUGGING: Basic System Configuration 795; Displayin
79 CONFIGURING HARDWARE-DEPENDENT SOFTWARE: Configuring Boot ROM Upgrade with App File 827; Configuring Inter-Card Link State Adjustment 828; Configuring Internal Channel Monitoring 829; Configuring Switch Chip Auto-reset 829; Configuring CPU Usage Threshold 830
ABOUT THIS GUIDE
This guide describes the 3Com® Switch 7750 and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch. This guide is intended for qualified service personnel who are responsible for configuring, using, and managing the switches.
Table 2 Text Conventions
Words in italics: Italics are used to emphasize a point; denote a new term at the place where it is defined in the text; and identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.
Words in bold: Boldface type is used to highlight command names. For example, "Use the display user-interface command to...
Related Documentation
1 CLI OVERVIEW
Introduction to the CLI
The 3Com Switch 7750 Family provides a command line interface (CLI) and commands for you to configure and manage the Ethernet switch. The CLI has the following features:
■ Commands are grouped by levels. This prevents unauthorized users from operating the switch with commands above their level.
■ Users can get online help at any time by entering the question mark "?".
Command Level/Command View
CHAPTER 1: CLI OVERVIEW
Switching between User Levels
A user can switch from one user level to another by executing the related command after logging into a switch. The administrator can also set user level switching passwords as required.
Setting a user level switching password
Table 1 lists the operations to set a user level switching password.
Table 3 Configure the level of a specific command in a specific view
Configure the level of a specific command in a specific view: command-privilege level level view view command. Required. Use this command with caution to prevent inconvenience in maintenance and operation.
CLI Views
CLI views are designed for different configuration tasks. They are interrelated.
■ BGP IPv4 family multicast view
■ IS-IS view
■ ES-IS view
■ Routing policy view
■ Basic ACL view
■ Advanced ACL view
■ Layer 2 ACL view
■ User-defined ACL view
■ Traffic-group view
■ QoS view
■ QinQ view
■ RADIUS scheme view
■ HWTACACS scheme view
■ ISP domain view
■ PoE-profile view
Table 4 lists information about CLI views (including the operations you can perform in these views, how to enter these views, and so on).
Table 4 CLI views (columns: View; Available operation; Prompt example; Enter method; Quit method)
Ethernet port view (100 M Ethernet port view and Gigabit Ethernet port view): Configure Ethernet port parameters.
100 M Ethernet port view. Prompt example: [SW7750-Ethernet3/0/1]. Enter method: execute the interface ethernet 3/0/1 command in system view.
Gigabit Ethernet port view. Prompt example: [SW7750-GigabitEthernet4/0/1]. Enter method: execute the interface gigabitethernet 4/0/1 command in system view.
Prompt example [SW7750-NULL0]: enter by executing the interface null 0 command in system view.
Table 4 CLI views (continued)
Loopback interface view: Configure Loopback interface parameters. Prompt example: [SW7750-LoopBack0]. Enter method: execute the interface loopback 0 command in system view. Quit method: execute the quit command to return to system view; execute the return command to return to user view.
Local user view: Configure local user parameters. Prompt example: [SW7750-luser-user1]. Enter method: execute the local-user user1 command in system view. Quit method: execute the quit command to return to system view; execute the return command to return to user view.
Table 4 CLI views (continued)
MSDP domain view: Configure MSDP domain parameters. Prompt example: [SW7750-msdp]. Enter method: execute the msdp command in system view. Quit method: execute the quit command to return to system view.
Port-isolate-group view: Configure port-isolate-group parameters. Prompt example: [SW7750-port-isolate-group1]. Enter method: execute the port-isolate group 1 command in system view. Quit method: execute the quit command to return to system view.
Remote ping view: Configure remote ping test group parameters.
Table 4 CLI views (continued)
OSPF view: Configure OSPF protocol parameters. Prompt example: [SW7750-ospf-1]. Enter method: execute the ospf command in system view. Quit method: execute the quit command to return to system view; execute the return command to return to user view.
OSPF area view: Configure OSPF area parameters. Prompt example: [SW7750-ospf-1-area-0.0.0.1]. Enter method: execute the area command in OSPF view. Quit method: execute the quit command to return to OSPF view; execute the return command to return to user view.
Table 4 CLI views (continued)
Routing policy view: Configure routing policies. Prompt example: [SW7750-route-policy]. Enter method: execute the route-policy policy1 permit node 10 command in system view.
Basic ACL view: Define rules for a basic ACL (ACLs with IDs ranging from 2000 to 2999 are basic ACLs). Prompt example: [SW7750-acl-basic-2000].
Table 4 CLI views (continued; views covered: QinQ view, RADIUS scheme view, HWTACACS scheme view, ISP domain view, PoE profile view)
QinQ view: Create QinQ instances and configure parameters for QinQ. Prompt example: [SW7750-GigabitEthernet4/0/1-vid-1000]. Enter method: execute the vlan-vpn vid 1000 uplink Ethernet 1/0/5 untagged command in Ethernet port view.
RADIUS scheme view: Configure RADIUS parameters. Prompt example: [SW7750-radius-1]. Enter method: execute the radius scheme 1 command in system view. Quit method: execute the quit command to return to system view.
CLI Features
  boot       Set boot option
  cd         Change current directory
  clock      Specify the system clock
  copy       Copy from one file to another
  debugging  Enable system debugging functions
  delete     Delete a file
  dir        List files on a file system
  display    Display current system information
Enter a command, a space, and a "?" character (instead of a keyword available in this position of the command) on your terminal to display all the available keywords and their brief descriptions.
Terminal Display
CLI provides the following display feature:
■ Display suspending. That is, the display of output information can be paused when the screen is full, and you can then perform the three operations listed in Table 5 as needed.
Table 5 Displaying-related operations
Press ...: Suspend displaying and executing.
Press the space key: Scroll the output information up by one page.
Command History
Table 8 Edit operations
A common key: Insert the character the key represents at the cursor and move the cursor one character to the right if the edit buffer is not full.
The Backspace key: Delete the character on the left of the cursor and move the cursor one character to the left.
The left arrow key or ...: Move the cursor one character to the left.
The right arrow key or ...: Move the cursor one character to the right.
2 LOGGING INTO AN ETHERNET SWITCH
Logging into an Ethernet Switch
You can log into a Switch 7750 Family Ethernet switch in one of the following ways:
■ Logging in locally through the Console port
■ Telneting locally or remotely to an Ethernet port
■ Telneting to the Console port using a modem
■ Logging in through an NMS (network management station)
Introduction to the User Interface
Supported User Interfaces
The Switch 7750 Family Ethernet switch supports two types of user interfaces: AUX and VTY.
CHAPTER 2: LOGGING INTO AN ETHERNET SWITCH
Common User Interface Configuration
Table 10 Common user interface configuration
Lock the current user interface: lock. Optional. Execute this command in user view. A user interface is not locked by default.
3 LOGGING IN THROUGH THE CONSOLE PORT
Introduction
Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring other login methods. Normally, you can log into a Switch 7750 through its Console port. To log into an Ethernet switch through its Console port, the communication settings of the user terminal must match those of the Console port. Table 11 lists the default settings of a Console port.
CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT
Figure 2 Create a connection
Figure 3 Specify the port used to establish the connection
Figure 4 Set port parameters
3 Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after you press the Enter key.
4 You can then configure the switch or check the information about the switch by executing the corresponding commands. You can also get help by typing the ? character.
Console Port Login Configuration
Table 12 Common configuration of Console port login
AUX user interface configuration: Configure the command level available to the users logging into the AUX user interface. Remarks: Optional. By default, commands of level 3 are available to the users logging into the AUX user interface.
Table 13 Console port login configurations for different authentication modes
Console port login configuration: Specify to perform local authentication or RADIUS authentication. AAA configuration specifies whether local authentication or RADIUS authentication is performed. Remarks: Optional. Local authentication is performed by default. Refer to the AAA&RADIUS&HWTACACS&EAD module for more.
Console Port Login Configuration with Authentication Mode Being None
Table 14 Console port login configuration with the authentication mode being none
Set the baud rate: speed speed-value. Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
Set the check mode: parity { even | mark | none | odd | space }. Optional.
Set the flow control mode: flow-control { hardware | none | software }.
Set the stop bits: stopbits { 1 | 1.
Table 14 Console port login configuration with the authentication mode being none (continued)
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes.
Network diagram
Figure 5 Network diagram for AUX user interface configuration (with the authentication mode being none): (1) RS-232 serial port, (2) Console port, (3) Configuration cable
Configuration procedure
# Enter system view.
system-view
# Enter AUX user interface view.
[SW7750] user-interface aux 0
# Specify not to authenticate users logging in through the Console port.
Console Port Login Configuration with Authentication Mode Being Password
Configuration Procedure
Table 16 Console port login configuration with the authentication mode being password
Enter system view: system-view. -
Enter AUX user interface view: user-interface aux 0. -
Configure to authenticate users using the local password: Required.
Set the local password: By default, users logging into a swit
Table 16 Console port login configuration with the authentication mode being password (continued)
Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Optional. The default timeout time of a user interface is 10 minutes.
Network diagram
Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being password): (1) RS-232 serial port, (2) Console port, (3) Configuration cable
Configuration procedure
# Enter system view.
system-view
# Enter AUX user interface view.
[SW7750] user-interface aux 0
# Specify to authenticate users logging in through the Console port using the local password.
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Table 18 Console port login configuration with the authentication mode being scheme
Enter system view: system-view. -
Enter the default ISP domain view: domain domain-name.
Specify the AAA scheme to be applied to the domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme
Configure the authent
Table 18 Console port login configuration with the authentication mode being scheme (continued)
Configure the Console port:
Set the baud rate: speed speed-value. Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
Set the check mode: parity { even | mark | none | odd | space }. Optional.
Set the flow control mode:
Table 19 Determine the command level
Scenario: authentication mode authentication-mode scheme [ command-authorization ]; user type: users logging into the Console port and passing AAA&RADIUS or local authentication.
Command: The service-type terminal [ level level ] command is not configured.
Command: The service-type terminal [ level level ] command is configured.
Configuration Example
[SW7750] local-user guest
# Set the authentication password to 1234567890 (in plain text).
[SW7750-luser-guest] password simple 1234567890
# Set the service type of the local user to Terminal, with the available command level being 2.
[SW7750-luser-guest] service-type terminal level 2
[SW7750-luser-guest] quit
# Enter AUX user interface view.
4 LOGGING IN THROUGH TELNET
Introduction
You can manage and maintain a switch remotely by Telneting to it. To do so, you need to configure both the switch and the Telnet terminal accordingly.
Table 20 Requirements for Telnet to a switch
Item: Switch. Requirement: The IP address of the VLAN interface of the switch is configured and the route between the switch and the Telnet terminal is available. (Refer to the IP Address&IP Performance&IPX Operation module for more.)
CHAPTER 4: LOGGING IN THROUGH TELNET
Table 21 Common Telnet configuration
Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
Table 22 Telnet configurations for different authentication modes
Telnet configuration: Specify to perform local authentication or RADI
US authentication. AAA configuration specifies whether local authentication or RADIUS authentication is performed. Description: Optional. Local authentication is performed by default. Refer to the AAA-RADIUS-HWTACACS-EAD module for more.
Telnet Configuration with Authentication Mode Being None
Table 23 Telnet configuration with the authentication mode being none
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size. Optional. The default history command buffer size is 10.
■ Do not authenticate users logging into VTY 0.
■ Commands of level 2 are available to users logging into VTY 0.
■ The VTY 0 user interface supports the Telnet protocol.
■ The screen can contain up to 30 lines.
■ The history command buffer can contain up to 20 commands.
■ The timeout time of VTY 0 is 6 minutes.
# Set the maximum number of commands the history command buffer can store to 20.
[SW7750-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
Telnet Configuration with Authentication Mode Being Password
Table 25 Telnet configuration with the authentication mode being password
Set the timeout time of the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes.
Network diagram
Figure 9 Network diagram for Telnet configuration (with the authentication mode being password) (labels: Ethernet1/0/1, Ethernet, User PC running Telnet)
Configuration procedure
# Enter system view.
system-view
# Enter VTY 0 user interface view.
[SW7750] user-interface vty 0
# Configure to authenticate users logging into VTY 0 using the local password.
[SW7750-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Table 27 Telnet configuration with the authentication mode being scheme
Enter system view: system-view.
Enter the default ISP domain view: domain domain-name. Optional. By default, the local AAA scheme is applied.
Table 27 Telnet configuration with the authentication mode being scheme (continued)
Make terminal services available: shell. Optional. Terminal services are available in all user interfaces by default.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Table 28 Determine the command level when users logging into switches are authenticated in the scheme mode
Scenario: user type: VTY users that are AAA&RADIUS authenticated or locally authenticated. Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
Configuration Example
Note: Refer to the corresponding modules in this manual for information about AAA, RADIUS, and SSH.
Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
■ Configure the name of the local user to be "guest".
■ Set the authentication password of the local user to 1234567890 (in plain text).
■ Set the service type of VTY users to Telnet, and the available command level to 2.
[SW7750-luser-guest] service-type telnet level 2
# Enter VTY 0 user interface view.
[SW7750] user-interface vty 0
# Configure to authenticate users logging into VTY 0 in the scheme mode.
[SW7750-ui-vty0] authentication-mode scheme
# Configure the user interface to support the Telnet protocol.
[SW7750-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
Telneting to a Switch
Figure 12 The terminal window
■ Perform the following operations in the terminal window to assign an IP address to the VLAN interface of the switch.
# Enter system view.
system-view
# Enter VLAN interface view.
[SW7750] interface Vlan-interface 1
# Set the IP address of the VLAN interface to 202.38.160.92, with the mask set to 255.255.255.0.
[SW7750-Vlan-interface1] ip address 202.38.160.92 255.255.255.
Figure 13 Network diagram for Telnet connection establishment (labels: Workstation, Ethernet port, Ethernet, Server, Workstation, PC with Telnet running on it (used to configure the switch))
4 Launch Telnet on your PC, with the IP address of the VLAN interface of the switch as the parameter, as shown in Figure 14.
Figure 14 Launch Telnet
5 Enter the password when the Telnet window displays "Login authentication" and prompts for the login password.
As shown in Figure 15, after Telneting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command, and then configure the latter.
Figure 15 Network diagram for Telneting to another switch from the current switch (labels: PC, Telnet client, Telnet server)
1 Perform Telnet-related configuration on the switch operating as the Telnet server.
5 LOGGING IN USING MODEM
Introduction
If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can log into its Console port using a modem through the PSTN to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, query logs and warning messages, and locate problems.
CHAPTER 5: LOGGING IN USING MODEM
You can verify your configuration by executing the AT&V command.
Note: The above configuration is not needed for the modem on the administrator side. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Switch Configuration
Note: After logging into a switch through its Console port by using a modem, you will enter the AUX user interface.
AT&S0 ----------------------- Force DSR to a high level
ATEQ1&W ----------------------- Disable the modem from returning command responses and results, and save the changes
You can verify your configuration by executing the AT&V command.
Note: The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Modem Connection Establishment
Figure 17 Set the telephone number
Figure 18 Call the modem
5 Provide the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the related modules in the command manual for detailed configuration commands.
Modem Attributes Configuration
Configuration Procedure
Enter system view: system-view. -
Enter AUX user interface view: user-interface aux 0. -
Enable modem call-in, or call-in and call-out: modem [ call-in | both ]. Required. Call-in and call-out are allowed when the command is executed without any keyword.
Set the answer mode to auto answer: modem auto-answer. By default, manual answer mode is adopted.
Configuration Example
6 LOGGING IN THROUGH NMS
Introduction
You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
■ The agent here refers to the software running on network devices (switches), which acts as the server.
■ SNMP (simple network management protocol) is used between the NMS and the agent.
To log into a switch through an NMS, you need to perform the related configuration on both the NMS and the switch.
CHAPTER 6: LOGGING IN THROUGH NMS
7 USER CONTROL
Introduction
A switch provides ways to control different types of login users, as listed in Table 31.
Table 31 Ways to control different types of login users (columns: Login mode; Control method; Implementation; Related section)
Telnet: By source IP address; through basic ACL; see "Controlling Telnet Users by Source IP Addresses".
Telnet: By source and destination IP address; through advanced ACL; see "Controlling Telnet Users by Source and Destination IP Addresses".
SNMP: By source IP address; see "Controlling Network Management Users by Source IP Addresses".
CHAPTER 7: USER CONTROL
Table 32 Control Telnet users by source IP addresses
Apply the ACL to control Telnet users by source IP addresses: acl acl-number { inbound | outbound }. Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch. The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Network Management Users by Source IP Addresses
Prerequisites
The control policy for network management users is determined, including the source IP addresses to be controlled and the control actions (permitting or denying).
Controlling network management users by source IP addresses involves:
■ Defining an ACL
■ Applying the ACL to control users accessing the switch through SNMP
Because the community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) apply to network management systems that use SNMPv1 or SNMPv2c.
8 CONFIGURATION FILE MANAGEMENT
Introduction to Configuration File
A configuration file records and stores the configurations a user has performed on a switch. It also enables users to check switch configurations easily. When powered on, a switch loads the configuration file known as the saved-configuration file, which resides in the Flash, for initialization. If the Flash contains no configuration file, the system initializes using the default settings.
CHAPTER 8: CONFIGURATION FILE MANAGEMENT
Table 35 Configure a configuration file
Remove a specific configuration file from the Flash: reset saved-configuration. Optional. You can execute the reset saved-configuration command in user view.
Specify the startup configuration file to be used in the next startup: startup saved-configuration { cfgfile | device-name }. Optional. You can execute the startup saved-configuration command in user view.
■ It is recommended that you adopt the fast saving mode when power is stable, and the safe mode when power is unstable or the device is under remote maintenance.
■ It is recommended that you use the save command to save the configuration before restarting a device, so that the current configuration is retained after the restart.
9 VLAN OVERVIEW
VLAN Overview
Introduction to VLAN
Traditional Ethernet is a flat network, where all hosts are in the same broadcast domain and are connected to each other through hubs or switches. A hub is a physical layer device without a switching function, so it forwards a received packet to all ports. A switch is a link layer device that can forward a packet according to the packet's MAC address.
A VLAN can span multiple switches, or even routers. This allows hosts in a VLAN to be dispersed more loosely; that is, hosts in a VLAN can belong to different physical network segments. Compared with traditional Ethernet, VLANs have the following advantages:
■ Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance.
■ Network security is improved.
VLAN Principles
■ CFI is a 1-bit field indicating whether the MAC address is encapsulated in the standard format for different transmission media. This field is not described in detail in this chapter.
■ VLAN ID is a 12-bit field identifying the VLAN to which the packet belongs. Its range is 0 to 4,095. Generally, 0 and 4,095 are not used, so the effective range is 1 to 4,094.
Figure 25 802.3 standard encapsulation format (fields: DA&SA(12) Length(2) DSAP(1) SSAP(1) Control(1) OUI(3) PID(2) DATA)
In the two figures, DA and SA refer to the destination MAC address and the source MAC address of the packet respectively. The number in brackets indicates the field length in bits. The maximum length of an Ethernet packet is 1500 bytes, that is, 5DC in hexadecimal, so the length field in 802.3 encapsulation is in the range of 0x0000 to 0x05DC.
In the 802.2 SNAP encapsulation format, the values of the DSAP and SSAP fields are always AA, and the value of the control field is always 3. The switch differentiates between 802.2 LLC encapsulation and 802.3 SNAP encapsulation according to the values of the DSAP and SSAP fields.
Procedure for the Switch to Judge Packet Protocol
When the OUI is 00-00-00 in 802.
The protocol template is the standard used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
■ A standard template uses the RFC- or IEEE-defined packet encapsulation formats and the values of specific fields as the matching criteria.
■ A user-defined template uses user-defined encapsulation formats and the values of specific fields as the matching criteria.
10 VLAN CONFIGURATION
VLAN Configuration
Basic VLAN Configuration
Table 37 Basic VLAN configuration
Operation | Command | Description
Enter system view | system-view | -
Create a VLAN and enter VLAN view | vlan vlan-id | Required. The vlan-id argument ranges from 1 to 4,094.
Assign a name to the current VLAN | name string | Optional. By default, the name of a VLAN is its VLAN ID.
Table 39 Configure VLAN broadcast storm suppression
Operation | Command | Description
Enter VLAN view | vlan vlan-id | -
Set VLAN broadcast storm suppression | broadcast-suppression { ratio | pps pps } | Required. A VLAN supports only one broadcast storm suppression mode at a time. If you configure broadcast storm suppression modes multiple times for a VLAN, the latest configuration overwrites the previous one.
If a VLAN interface is disabled, its status is not determined by the status of its ports.
Displaying VLAN Configuration
After the configuration above, you can execute the display command in any view to display the running status, so as to verify the configuration.
Network diagram
Figure 30 Network diagram for VLAN configuration (Switch with ports E1/0/1, E1/0/2 in VLAN2 and E1/0/3, E1/0/4 in VLAN3)
Configuration procedure
# Create VLAN 2 and enter its view.
system-view
[SW7750] vlan 2
# Specify the description string of VLAN 2 as home.
[SW7750-vlan2] description home
# Add Ethernet1/0/1 and Ethernet1/0/2 ports to VLAN 2.
[SW7750-vlan2] port Ethernet1/0/1 Ethernet1/0/2
# Create VLAN 3 and enter its view.
Table 44 Create protocol types of VLANs
Operation | Command | Description
Create the protocol template for the VLAN | protocol-vlan [ protocol-index ] { at | ip [ ip-address [ net-mask ] ] | ipx { ethernetii | llc | raw | snap } | mode { ethernetii [ etype etype-id ] | llc { dsap dsap-id [ ssap ssap-id ] | ssap ssap-id } | snap [ etype etype-id ] } } | Required. When you are creating protocol templates for protocol-based VLANs, the at, ip and ipx keywords are used to create stan
Configuration procedure
Table 45 Associate a port with the protocol-based VLAN
Operation | Command | Description
Enter system view | system-view | -
Enter port view | interface interface-type interface-number | -
Associate a port with the protocol-based VLAN | port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-end ] | all } | Required
CAUTION:
■ For the operation of adding a port to the VLAN in the unt
Associating a Card with the Protocol-Based VLAN
Table 47 Protocol-based VLAN creation on different cards
Description | Type A card | Non-Type-A card
Create protocol-based VLAN on a specific card in system view. | Not supported | Supported (only for all IP protocols and subnet IP protocols).
(description not shown on this page) | Supported | Supported (excluding all IP protocols and subnet IP protocols, the AppleTalk protocol, and the user-defined LLC template that defines only one of dsap-id and ssap-id).
# Configure the protocol-index to be 1, and the associated protocol to be IP.
[SW7750-vlan5] protocol-vlan 1 ip
# Enter Ethernet1/0/5 port view.
[SW7750-vlan5] interface Ethernet 1/0/5
# Configure the port to be a hybrid port.
[SW7750-Ethernet1/0/5] port link-type hybrid
# Add the port to VLAN 5 and add VLAN 5 to the untagged VLAN list of the port.
[SW7750-Ethernet1/0/5] port hybrid vlan 5 untagged
# Associate the port with protocol-index 1.
# Add the port to VLAN 7, and add VLAN 7 to the list of untagged VLANs permitted to pass through the port.
[SW7750-Ethernet1/0/7] port hybrid vlan 7 untagged
# Associate the port with the two indexes of VLAN 7.
11 VOICE VLAN CONFIGURATION
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice data streams. By adding the ports with voice devices attached to voice VLANs, you can perform QoS (quality of service) configuration for voice data, ensuring the transmission priority of the voice data stream and the voice quality. Switch 7750 Family Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address.
For tagged packets sent by IP voice devices, the processing in the two modes is the same: tagged packets are only forwarded, and no MAC address is learned. Voice VLAN packets can be forwarded by trunk ports and hybrid ports in the voice VLAN. You can enable a trunk port or a hybrid port belonging to other VLANs to forward voice and service packets simultaneously by enabling the voice VLAN function on it.
Table 50 Matching relationship between port modes and voice stream types
Port voice VLAN mode | Voice stream type | Port type | Supported or not
(mode) | Tagged voice stream | Access | Not supported
(mode) | Tagged voice stream | Trunk | Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and that the access port permits the packets of the default VLAN.
Voice VLAN Configuration
Configuration Prerequisites
■ Create the corresponding VLAN before configuring a voice VLAN.
■ VLAN 1 is the default VLAN and does not need to be created, but VLAN 1 does not support the voice VLAN function.
Configuring a Voice VLAN to Operate in Automatic Mode
Table 52 Configure a voice VLAN to operate in manual mode
Operation | Command | Description
Enable the voice VLAN function for the port | voice vlan enable | Required. By default, the voice VLAN function is disabled on a port.
Set the voice VLAN operation mode to manual mode | undo voice vlan mode auto | Required. The default voice VLAN operation mode is automatic mode.
■ The voice VLAN function can take effect only on a static VLAN. Once a dynamic VLAN is enabled with the voice VLAN function, it automatically changes to a static VLAN.
■ When a voice VLAN operates in security mode, the devices in it permit only packets whose source addresses are voice OUI addresses that can be identified.
Displaying Voice VLAN Configuration
[SW7750-vlan2] quit
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] port link-type trunk
[SW7750-Ethernet1/0/1] port trunk pvid vlan 6
[SW7750-Ethernet1/0/1] port trunk permit vlan 6
# Enable the voice VLAN function for the port and configure the port to operate in automatic mode.
[SW7750-Ethernet1/0/1] voice vlan enable
[SW7750-Ethernet1/0/1] voice vlan mode auto
# Enable the voice VLAN function globally.
# Display voice VLAN-related configurations.
[SW7750] display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 3
Voice Vlan security mode: Security
Voice Vlan aging time: 1440 minutes
Current voice vlan enabled port mode:
PORT                MODE
----------------------------------------
Ethernet1/0/3       MANUAL
# Remove Ethernet1/0/3 port from the voice VLAN.
12 ISOLATE-USER-VLAN CONFIGURATION
Isolate-User-VLAN Overview
Introduction to Isolate-User-VLAN
Isolate-user-VLAN is designed to save VLAN resources by copying MAC address entries among the MAC address tables of the VLANs in the network, making use of the fact that a hybrid port removes the VLAN tags of packets coming from multiple VLANs. Isolate-user-VLAN adopts a Layer 2 VLAN structure: you need to configure two types of VLAN, the isolate-user-VLAN and the secondary VLAN.
Figure 31 Diagram for isolate-user-VLAN application (Switch A, Switch B, isolate-user-VLAN 5, VLAN 3, ports E1/0/1 and E1/0/4; packets are forwarded to Switch A)
1 When packets sent by the PC reach Ethernet1/0/4, the default VLAN ID, that is, the VLAN tag of VLAN 3, is automatically added to the packets.
Isolate-User-VLAN Configuration
Table 54 Isolate-user-VLAN configuration tasks
Operation | Description | Related section
Add ports to the isolate-user-VLAN and secondary VLAN and configure them to perform the untag operation on packets | Required | "Adding Ports to isolate-user-VLAN and Secondary VLAN"
Configure the mapping between the isolate-user-VLAN and the secondary VLAN | Required | "Configur
Configuring Isolate-User-VLAN
Configuring Secondary VLAN
Adding Ports to isolate-user-VLAN and Secondary VLAN
Table 57 Add ports to the isolate-user-VLAN and secondary VLAN and configure the ports to untag packets
Operation | Command | Description
Configure a port as a hybrid port | port link-type hybrid | Required
Add a port to the isolate-user-VLAN and the secondary VLAN | port hybrid vlan vlan-id untagged | Required
Configure the default VLAN ID of a po
Configuring Mapping between isolate-user-VLAN and Secondary VLAN
Displaying Isolate-User-VLAN Configuration
■ VLAN 6 on Switch C is an isolate-user-VLAN which includes the uplink port Ethernet1/0/1 and two secondary VLANs: VLAN 3 and VLAN 4. VLAN 3 includes port Ethernet1/0/3, and VLAN 4 includes port Ethernet1/0/4.
[SwitchB-Ethernet1/0/5] port hybrid vlan 5 untagged
[SwitchB-Ethernet1/0/5] port hybrid pvid vlan 2
# Add port Ethernet1/0/1 to the isolate-user-VLAN and the secondary VLAN, and configure the port to untag the VLAN packets.
[SwitchC-Ethernet1/0/1] port link-type hybrid
[SwitchC-Ethernet1/0/1] port hybrid vlan 3 untagged
[SwitchC-Ethernet1/0/1] port hybrid vlan 4 untagged
[SwitchC-Ethernet1/0/1] port hybrid vlan 6 untagged
[SwitchC-Ethernet1/0/1] port hybrid pvid vlan 6
# Configure isolate-user-VLAN-to-secondary VLAN mapping.
13 SUPER VLAN
Super VLAN Overview
Only the 96 Gbps Switch Fabric (3C16886) supports Super VLAN.
To save IP address resources, the super VLAN concept (also known as VLAN aggregation) was developed. Its principle is as follows: a super VLAN may include multiple sub VLANs, each of which is a broadcast domain. Layer 2 isolation is implemented between sub VLANs. The super VLAN can be configured with a Layer 3 interface, but a sub VLAN cannot.
Table 61 Configure a VLAN as a super VLAN
Operation | Command | Description
Enter VLAN view | vlan vlan-id | -
Configure the current VLAN as a super VLAN | supervlan | Required
CAUTION:
■ You cannot configure a VLAN that includes Ethernet ports as a super VLAN, and after you configure a super VLAN, you cannot add any Ethernet port to it.
Configuring a Sub VLAN
■ After establishing the mapping between a sub VLAN and the super VLAN, you can still add ports to (or delete ports from) the sub VLAN.
■ A super VLAN can establish mappings with 128 sub VLANs.
■ The system can create up to 1024 sub VLANs.
Configuring Super VLAN to Support DHCP Relay
With the DHCP relay function enabled on the VLAN interface of the super VLAN, the hosts of all sub VLANs mapped to the super VLAN can dynamically obtain IP addresses from outside networks.
Displaying Super VLAN
Table 64 Display super VLAN configuration
Operation | Command | Description
Display the mapping between the super VLAN and the sub VLANs | display supervlan [ supervlan-id ] | The display command can be executed in any view.
Super VLAN Configuration Example
Network Requirements
■ Create super VLAN 10 and sub VLANs VLAN 2, VLAN 3, VLAN 5.
[SW7750-vlan10] quit
[SW7750] interface Vlan-interface 10
[SW7750-Vlan-interface10] ip address 10.110.1.1 255.255.255.0
Super VLAN Supporting DHCP Relay Example
By default, the ARP proxy function is enabled on the VLAN interface of the super VLAN, and cannot be disabled.
Network requirements
■ Create VLAN 6 as a super VLAN, and create VLAN 2 and VLAN 3 as the sub VLANs which map to VLAN 6.
■ Configure the IP address of VLAN 6 as 10.1.1.
14 IP ADDRESS CONFIGURATION
IP Address Overview
IP Address Classification and Representation
An IP address is a 32-bit address allocated to a device connected to the Internet. It consists of two fields: net-id and host-id. To facilitate IP address management, IP addresses are divided into five classes, as shown in Figure 33.
Table 65 Classes and ranges of IP addresses
Network type | Address range | IP network range | Description
A | 0.0.0.0 to 127.255.255.255 | 1.0.0.0 to 126.0.0.0 | ■ An IP address with an all-0s host ID is a network address and is used for network routing. ■ An IP address with an all-1s host ID is a broadcast address and is used for broadcast to all hosts on the network. ■ The IP address 0.0.0.
B | 128.0.0.0 to 191.255.255.255 | 128.0.0.0 to 191.255.0.0 |
Subnet and Mask
IP address, the part corresponding to the "1" bits in the mask is the subnet address, and the part corresponding to the remaining "0" bits in the mask is the host address. If there is no subnet division, the subnet mask takes its default value, and the number of 1 bits in the mask equals the net-id length. Therefore, for IP addresses of classes A, B and C, the default subnet masks are 255.0.0.0, 255.255.0.0 and 255.255.255.
Displaying IP Address Configuration
After the above configuration, you can execute the display command in any view to display the operating status and configuration of the interface, so as to verify your configuration.
15 IP PERFORMANCE CONFIGURATION
IP Performance Overview
Introduction to TCP Attributes
IP performance configuration mainly refers to TCP attribute configuration. The TCP attributes that can be configured include:
■ synwait timer: This timer is started when TCP sends a SYN packet. If no response packet is received before the timer expires, the TCP connection is terminated. The timeout of the synwait timer ranges from 2 to 600 seconds and is 75 seconds by default.
Introduction to FIB
Configuring TCP Attributes
Table 69 Configure TCP attributes
Operation | Command | Description
Enter system view | system-view | -
Configure the timeout of the TCP synwait timer | tcp timer syn-timeout time-value | Required. The default value is 75 seconds.
Configure the timeout of the TCP finwait timer | tcp timer fin-timeout time-value | Required. T
Configure the socket receiving and sending buffer size of TCP | |
Configuring to Send Special IP Packets to CPU
following configuration tasks, you can choose to forward the broadcast packet to the network for broadcast. Perform the following configuration in system view.
■ Use the terminal debugging command to enable debugging information to be output to the console.
■ Use the debugging udp packet command to enable UDP debugging to trace UDP packets.
terminal debugging
debugging udp packet
The UDP packets are shown in the following format:
UDP output packet: Source IP address:202.38.160.1 Source port:1024 Destination IP Address 202.38.160.
16 IPX CONFIGURATION
IPX Protocol Overview
The Internetwork packet exchange (IPX) protocol is a network layer protocol in the NetWare protocol suite. IPX's position in the Novell NetWare protocol suite is similar to IP's in the TCP/IP protocol suite. IPX can address, route and forward packets. IPX is a connectionless protocol: although an IPX packet includes a destination IPX address in addition to the data, there is no guarantee of successful delivery.
directly connected to them. However, you cannot use such information directly. Instead, the information is collected by the SAP agents of the switches on the networks and saved in their server information tables.
Table 76 Configure IPX static routes
Operation | Command | Description
Enter VLAN interface view | interface Vlan-interface vlan-id | -
Configure an IPX network number for the VLAN interface | ipx network network | Required. By default, the system does not assign network numbers to VLAN interfaces; that is, IPX is disabled on all VLAN interfaces.
Exit VLAN interface view | quit | -
Configure IPX static routes | ipx route-static network network. | Optional
Table 78 Configure IPX RIP
Operation | Command | Description
Enter system view | system-view | -
Enable IPX | ipx enable | Required. IPX is disabled by default.
Configure the update interval of IPX RIP | ipx rip timer update seconds | Optional. By default, the update interval of IPX RIP is 60 seconds.
Configure the aging period of IPX RIP | ipx rip multiplier multiplier | Optional. By default, the aging period is three times the RIP update interval.
Configure IPX RIP to impor | | Optional
By importing routes, different routing protocols can share their routing information. Note that IPX RIP imports only active static routes; inactive static routes are neither imported nor forwarded.
Configuring IPX SAP
Enabling IPX SAP
After IPX is enabled on VLAN interfaces, the system enables SAP automatically. You can configure SAP parameters and service information as needed.
Table 80 Configure IPX SAP
Operation | Command | Description
Enter VLAN interface view | interface Vlan-interface vlan-id | -
Configure an IPX network number for the VLAN interface | ipx network network | Required. By default, the system does not assign network numbers to VLAN interfaces.
Configure GNS reply of IPX SAP
Table 81 Configure IPX GNS
Operation | Command | Description
Respond to GNS requests with the information of the server picked out by round-robin polling | ipx sap gns-load-balance | Optional. By default, the switch responds to SAP GNS requests with the information of a server that is picked out in turn from all the known servers.
Table 82 Configure IPX service information
Operation | Command | Description
Enter system view | system-view | -
Enable IPX | ipx enable |
Configure a static IPX service entry | ipx service service-type name network. |
Table 83 Configure IPX forwarding
Operation | Command | Description
Configure the encapsulation format of the IPX frame | ipx encapsulation [ dot2 | dot3 | ethernet-2 | snap ] | Optional. By default, the encapsulation format of the IPX frame is 802.
Enable the forwarding of type 20 broadcast packets | ipx netbios-propagation |
Displaying and debugging IPX
Network diagram
Figure 36 IPX network diagram (Switch A: VLAN interface 1 IPX 1000.00e0-fc01-0000, VLAN interface 2 2.00e0-fc01-0000, connected to Server; Switch B: VLAN interface 1 1000.00e0-fc01-0001, VLAN interface 2 3.00e0-fc01-0001, connected to Client)
Configuration procedure
1 Configure Switch A.
# Enable IPX.
system-view
[SW7750] ipx enable
# Assign the network number 2 to VLAN interface 2 to enable IPX on the VLAN interface.
# Assign the network number 1000 to VLAN interface 1 to enable IPX on the VLAN interface.
[SW7750] interface Vlan-interface 1
[SW7750-Vlan-interface1] ipx network 1000
# Configure a static route with the destination network number 2.
[SW7750-Vlan-interface1] quit
[SW7750] ipx route-static 2 1000.00e0-fc01-0000 tick 7 hop 2
# Configure a service information entry, indicating that Server can provide the file service.
[SW7750] ipx service 4 fileserver 2.
Solutions:
■ Use the display ipx interface command to check whether the forwarding of type 20 IPX packets is enabled on the input and output interfaces.
■ Use the debugging ipx packet command to enable debugging for IPX packets. Check whether the prompt message "Transport Control field of IPX type-20 packet >= 8!" appears. A type 20 IPX packet can be forwarded at most eight times; on the ninth forwarding attempt, the packet is dropped.
Solutions:
■ Use the display ipx service-table inactive command to check whether the service information is in the inactive service information table. If so, there is no active route to the server.
■ Check whether the VLAN interface is UP and SAP is enabled with the display ipx interface command.
■ Check whether the hop count of the route to the server is smaller than 16 with the display ipx routing-table command.
Solutions:
■ Check whether there are update packets with the debugging ipx packet and debugging ipx sap packet verbose commands. Check whether the size of the SAP packets is smaller than the MTU of the VLAN interface, to guarantee that they are not dropped by the underlying layer.
■ Use the display current-configuration command to check whether the triggered updates feature is configured on the VLAN interface.
■ Use the display ipx routing-table verbose command to check whether the number of existing dynamic routes to the destination network is under the limit.
■ If the number of dynamic route entries with that destination network number has reached the limit, use the ipx route max-reserve-path command to set a higher limit to accommodate new dynamic route information.
17 GVRP CONFIGURATION
Introduction to GARP and GVRP
Introduction to GARP
GARP (generic attribute registration protocol) offers a mechanism used by the members of the same switching network to distribute, propagate and register information such as VLANs and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP and GMRP. GVRP is described in section 1.1.
■ The value of a GARP timer is used by all the GARP applications, including GVRP and GMRP, running in one switching network.
■ In one switching network, the GARP timers on all the switching devices should be set to the same value. Otherwise, the GARP applications cannot work normally.
GARP Timers
GARP timers include the Hold timer, Join timer, Leave timer and LeaveAll timer.
GVRP Mechanism
The protocol packets of a GARP entity use specific multicast MAC addresses as their destination MAC addresses. When receiving these packets, the switch distinguishes them by their destination MAC addresses and delivers them to the corresponding GARP application (for example, GVRP) for further processing.
GVRP Packet Format
The GVRP packets are in the following format:
Figure 37 Format of GVRP packets
The following table describes the fields of a GVRP packet.
Table 85 Description of GVRP packet fields
Field | Description | Value
End Mark | End mark of the GVRP PDU. | -
Protocol Specifications
GVRP is defined in the IEEE 802.1Q standard.
GVRP Configuration
The GVRP configuration tasks include configuring the GARP timers, enabling GVRP, and configuring the GVRP port registration mode.
Configuration Prerequisite
The port on which GVRP will be enabled must be set to a trunk port.
Configuration Procedure
The following table describes the relations between the timers:
Table 87 Relations between the timers
Timer | Lower threshold | Upper threshold
Hold | 10 centiseconds | This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
Join | This lower threshold is greater than or equal to twice the timeout time of the Hold timer. |
Displaying and Maintaining GVRP
GVRP Configuration Example
Network requirements
You need to enable GVRP on the switches to enable dynamic VLAN information registration and update between the switches.
Network diagram
Figure 38 Network diagram for GVRP configuration (Switch A E1/0/1 connected to Switch B E1/0/2)
Configuration procedure
1 Configure Switch A.
# Enable GVRP globally.
system-view
[SW7750] gvrp
GVRP is enabled globally.
18 QINQ CONFIGURATION
QinQ Overview
Introduction to QinQ
The QinQ function enables packets to be transmitted across the operators' backbone networks with the VLAN tags of private networks encapsulated in those of public networks. In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of the public networks), while the private-network VLAN tags encapsulated inside are shielded.
packet already carries a VLAN tag, the packet becomes a dual-tagged packet. Otherwise, the packet becomes a packet carrying the default VLAN tag of the port.
Inner-to-Outer Tag Priority Mapping
As shown in Figure 41, IEEE 802.
The Voice VLAN feature is mutually exclusive with the QinQ feature on a port.
■ When you use the specific command to enable the Voice VLAN feature for a QinQ-enabled port, the switch prompts an error.
■ If you use the copy configuration command to duplicate the configuration of a port to a QinQ-enabled port, the Voice VLAN feature is not duplicated.
CAUTION: The 3C16863 and 3C16862 I/O Modules do not support the QinQ feature.
Displaying QinQ
Configuration procedure
1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, the configuration on Switch C is omitted.
# Configure Ethernet1/0/2 port as a trunk port. Add the port to VLAN 10.
system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] port trunk permit vlan 10
# Enable QinQ for Ethernet1/0/1 port.
■ It is the same case when a packet travels from Switch C to Switch A. After the configuration, the networks connecting Switch A and Switch C can receive packets from each other.
19 SELECTIVE QINQ CONFIGURATION
Selective QinQ Overview
Selective QinQ Implementation
On the Switch 7750, selective QinQ can be implemented in the following ways.
1 Enabling QinQ on ports
In this type of implementation, QinQ is enabled on ports, and a received packet is tagged with the default VLAN tag of the receiving port whether or not the packet already carries a VLAN tag. If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet.
Table 91 Configure selective QinQ
Operation | Command | Description
Configure the outer VLAN tag to be added to a packet and configure the upstream port for this packet | vlan-vpn vid vlan-id uplink interface-type interface-number [ unTagged ] | Required
Specify the inner VLAN tags by specifying VLAN IDs | raw-vlan-id inbound vlan-id-list | Required
CAUTION:
■ You need to execute the vlan-vpn enable command on the inbound ports before performing the operatio
Configuration Procedure
# Enter system view.
system-view
# Enter GigabitEthernet2/0/1 port view.
[SwitchA] interface GigabitEthernet 2/0/1
# Configure this port to be a hybrid port, keep the outer tags of packets of VLAN 10 and VLAN 100, and remove the outer tags of packets of other VLANs.
[SwitchA-GigabitEthernet1/0/1-vid-100] raw-vlan-id inbound 20 to 25
The above configuration causes the packets reaching GigabitEthernet1/0/1 port to be processed as follows:
■ A VLAN 10 tag is inserted as the outer VLAN tag into single-tagged packets whose tags are those of VLAN 8 through VLAN 15.
■ A VLAN 100 tag is inserted as the outer VLAN tag into single-tagged packets whose tags are those of VLAN 20 through VLAN 25.
20 SHARED VLAN CONFIGURATION
Shared VLAN Overview
Generation of Shared VLAN
A shared VLAN is a special VLAN created based on the I/O Modules of the device. It is designed to avoid packet broadcast in selective QinQ applications. Like a QinQ-enabled port, a port with selective QinQ enabled also learns the source MAC addresses of user packets into the MAC address table of the default VLAN of the port.
outgoing port for a packet according to the MAC address table of the shared VLAN and unicast the packet.
Working Principle of Shared VLAN
After a shared VLAN is configured, all the MAC address entries learned by ports are maintained in the MAC address forwarding table of the shared VLAN, which can be used to forward the packets of all VLANs in the device.
Displaying Shared VLAN
After the above configuration, you can execute the display command in any view to view the running information about the shared VLAN, so as to verify the configuration.
Table 94 Display shared VLAN
Operation | Command | Description
Display the shared VLANs configured for all the I/O Modules and Switch Fabrics in the system | display shared-vlan | You can execute the display command in any view.
CHAPTER 20: SHARED VLAN CONFIGURATION [SW7750-vlan100] quit [SW7750] shared-vlan 100 slot 3 # Add the ports of all the packets forwarded on the card in slot 3 to VLAN 100. Refer to VLAN in this manual for detailed configuration.
21 PORT BASIC CONFIGURATION
Ethernet Port Overview
Link Types of Ethernet Ports
Note: An Ethernet port on a Switch 7750 Family switch can operate in one of three link types:
■ Access: An access port can belong to only one VLAN, and is generally used to connect user PCs.
■ Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs, and is generally used to connect another switch.
■ Hybrid: A hybrid port can belong to more than one VLAN.
Table 95 Processing of incoming/outgoing packets
■ Access port, incoming packet without a VLAN tag: receive the packet and add the default tag to the packet.
■ Access port, incoming packet with a VLAN tag: if the VLAN ID is the default VLAN ID, receive the packet; if the VLAN ID is not the default VLAN ID, discard the packet.
■ Trunk port, incoming packet without a VLAN tag: receive the packet and add the default tag to the packet.
■ Trunk port, incoming packet with a VLAN tag: if the VLAN ID is the default VLAN ID, receive the packet.
Ethernet Port Configuration
Initially Configuring a Port
Table 96 Initially configure a port
■ Enter system view. Command: system-view.
■ Enter Ethernet port view. Command: interface interface-type interface-number.
■ Enable the Ethernet port. Command: undo shutdown. Optional; by default, the port is enabled. Use the shutdown command to disable the port.
Table 97 Precautions in duplex mode setting
■ Management port: its duplex mode cannot be set.
Table 98 Precautions in port rate setting
■ 100 Mbps electrical Ethernet port: its rate can be set to 10 Mbps or 100 Mbps as required.
Configuring Broadcast/Multicast/Unknown Unicast Suppression
Enabling Flow Control on a Port
Flow control is enabled on both the local and peer switches. If congestion occurs on the local switch:
■ The local switch sends a message to notify the peer switch to stop sending packets to it temporarily.
■ On receiving the message, the peer switch stops sending packets to the local switch or reduces its sending rate temporarily; and vice versa.
In this way, packet loss is avoided and network services operate normally.
Note: You can set the delay for reporting the down state either in system view or in Ethernet port view. If you configure it in both system view and Ethernet port view, the configuration in Ethernet port view takes precedence.
Configuring Access Port Attribute
Table 104 Configure trunk port attribute
■ Add the current trunk port to a specified VLAN. Command: port trunk permit vlan { vlan-id-list | all }. Optional.
Copying the Configuration of a Port to Other Ports
To give other ports the same configuration as a specific port, you can copy the configuration of that port to the other ports.
After you enable loopback detection on Ethernet ports, the switch periodically monitors each port for an external loopback. If a loopback is detected on a port, the system processes the port in the user-defined mode.
Table 108 Set the interval to perform statistical analysis on port traffic
■ Enter system view. Command: system-view.
■ Enter Ethernet port view. Command: interface interface-type interface-number.
■ Set the interval to perform statistical analysis on port traffic. Command: flow-interval interval. Optional; by default, this interval is 300 seconds.
Setting Speedup for a Port
Perform the following configuration to speed up the hardware for traffic into or out of a port.
Table 110 Allow a port to output the UP/Down log information
■ Enter Ethernet port view. Command: interface interface-type interface-number. Required.
■ Allow the port to output the UP/Down log information. Command: enable log updown. By default, a port is allowed to output the UP/Down log information.
Displaying Basic Port Configuration
Network diagram
Figure 45 Network diagram for Ethernet port configuration: Ethernet1/0/1 of Switch A connects to Ethernet1/0/1 of Switch B.
Configuration procedure
Note:
■ Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A.
■ This example assumes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have been created.
# Enter Ethernet port view of Ethernet1/0/1.
22 LINK AGGREGATION CONFIGURATION
Overview
Introduction to Link Aggregation
Link aggregation means aggregating several ports together to form an aggregation group, so as to implement load sharing of outgoing/incoming traffic among the member ports of the group and to enhance connection reliability. Depending on the aggregation mode, aggregation groups fall into three types: manual, static LACP, and dynamic LACP.
Operation Key
An operation key of an aggregation port is a configuration combination generated by the system from the configuration of the port (rate, duplex mode, other basic configuration, and management key) when the port is aggregated.
1 The selected ports in a manual/static aggregation group must have the same operation key.
2 The management key of an LACP-enabled static aggregation port is equal to its aggregation group ID.
Static LACP Aggregation Group
Introduction to static LACP aggregation
A static LACP aggregation group is also created manually. All its member ports are added manually and can be removed manually (the system is prevented from automatically adding/removing ports to/from the group). Each static aggregation group must contain at least one port. When a static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.
Dynamic LACP Aggregation Group
Introduction to dynamic LACP aggregation group
A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. Ports can be aggregated into a dynamic aggregation group only when they are connected to the same peer device and have the same basic configuration (such as rate and duplex mode).
Table 112 Link aggregation types and related descriptions
■ For Type-A cards, an aggregation group supports up to 8 selected GE ports or 16 selected FE ports.
■ For non-Type-A cards, an aggregation group supports up to 8 selected GE ports or 8 selected FE ports.
■ For Type-A cards, an aggregation group supports up to 8 selected GE ports.
■ For Type-A cards, an aggregation group supports up to 24 FE ports, including up to 16 selecte
Table 114 Restriction of non-type-A I/O Modules on link aggregation
■ I/O Module type: non-type-A I/O Module. Cross-chip aggregation: supported.
■ Manual aggregation: maximum 8 ports in an aggregation group, of which up to 8 can be selected ports.
■ Static/dynamic aggregation: the maximum number of ports in an aggregation group is the number of ports on the I/O Module, of which up to 8 can be selected ports.
Depending on whether or not load sharing is implemented, aggregation
Link Aggregation Configuration
Configuring a Manual Aggregation Group
CAUTION:
■ The following ports cannot be added to an aggregation group: destination ports of port mirroring, reflection ports of remote mirroring, ports configured with static MAC addresses, static-ARP-enabled ports, and 802.1x-enabled ports.
■ Ports configured with IP-MAC address binding cannot be added to an aggregation group.
2 When a manual or static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.
Configuring a Static LACP Aggregation Group
You can create a static LACP aggregation group, or remove an existing static aggregation group (after which the system re-aggregates the original member ports of the group into one or more dynamic aggregation groups).
Table 117 Configure a dynamic LACP aggregation group
■ Enter system view. Command: system-view.
■ Configure a description for an aggregation group. Command: link-aggregation group agg-id description agg-name. Optional; by default, an aggregation group has no description.
Table 118 Configure parameters for HASH
■ Configure the parameters used by the HASH algorithm in link aggregation. Command: hash { dstip | dstmac | ip | l4port | mac | srcip | srcmac } { ioboard slot slot-number | mainboard }. By default, Type A I/O Modules use the four-tuple (dstip, dstmac, srcip and srcmac) as the parameter of the HASH algorithm; I/O Modules other than Type A use ip as the parameter of the HASH algorithm.
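How the choice of hash parameter decides load sharing across the selected ports, as an added Python example (not code from the guide or from 3Com): it hashes constructed packets over the field sets named in Table 118 and counts how many land on each of the three selected ports of an aggregation group. The CRC32-modulo hash and the sample traffic are assumptions; the real I/O Module hash is not documented on the page, so only the qualitative effect carries over, namely which fields can and cannot separate flows.

```python
import zlib
from collections import Counter

# Field sets selectable with the hash command in Table 118. The four-tuple is the
# Type A default; "ip" is the default for I/O Modules other than Type A.
FIELD_SETS = {
    "srcip": ("srcip",),
    "dstip": ("dstip",),
    "ip": ("srcip", "dstip"),
    "srcmac": ("srcmac",),
    "dstmac": ("dstmac",),
    "mac": ("srcmac", "dstmac"),
    "l4port": ("srcport", "dstport"),
    "four-tuple": ("dstip", "dstmac", "srcip", "srcmac"),
}


def select_member(packet: dict, hash_key: str, members: list) -> str:
    """Return the selected port that carries this packet.

    Illustrative hash only (assumption): the chosen fields are joined and
    CRC32'd, then reduced modulo the number of selected ports. Any packet with
    identical values in the chosen fields always lands on the same member,
    which is what keeps a flow in order."""
    fields = FIELD_SETS[hash_key]
    material = "|".join(str(packet[f]) for f in fields).encode()
    return members[zlib.crc32(material) % len(members)]


def distribution(packets, hash_key: str, members: list) -> Counter:
    """Count packets per member port for a given hash parameter."""
    return Counter(select_member(p, hash_key, members) for p in packets)


def sample_sessions(n: int = 64) -> list:
    """Constructed traffic: one client opening n TCP sessions to one server
    (sample data, not a capture)."""
    return [
        {"srcmac": "0001-0002-0003", "dstmac": "000f-e200-0001",
         "srcip": "10.12.1.1", "dstip": "10.12.1.100",
         "srcport": 40000 + i, "dstport": 80}
        for i in range(n)
    ]


MEMBERS = ["Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"]  # group 1 of the example

if __name__ == "__main__":
    pkts = sample_sessions()
    for key in ("ip", "four-tuple", "mac", "l4port"):
        print(f"{key:>10}: {dict(distribution(pkts, key, MEMBERS))}")
```

With a single client/server pair, ip, mac and even the Type A four-tuple default put every session on the same member link, because none of those fields differs between the sessions; only l4port spreads them. That is the check to make before trusting an aggregation to carry one large host-to-host flow set.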
Link Aggregation Configuration Example
Configuration procedure
The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
1 Adopt the manual aggregation mode
# Create manual aggregation group 1.
system-view
System View: return to User View with Ctrl+Z
[SW7750] link-aggregation group 1 mode manual
# Add Ethernet1/0/1 through Ethernet1/0/3 to aggregation group 1.
23 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Introduction to Port Isolation
Through the port isolation feature, you can add the ports to be controlled into an isolation group to isolate the Layer 2 and Layer 3 traffic between the ports in the isolation group. This improves network security and makes the network more flexible. Currently, you can configure 64 isolation groups on a switch. The number of Ethernet ports an isolation group can accommodate is not limited.
Currently, Type A cards (3C16860, 3C16861, 3C16858, 3C16859) do not support the port isolation feature.
Displaying Port Isolation Configuration
After the above configuration, you can execute the display command in any view to view information about the Ethernet ports added to the isolation group.
24 PORT SECURITY CONFIGURATION
Port Security Overview
Introduction
Port security is a security mechanism for network access control. It is an extension of the existing 802.1x and MAC address authentication. Port security defines various security modes that let the device learn legal source MAC addresses, so that you can implement different network security management as needed.
Table 122 Description of port security modes
■ secure: In this mode, the port is disabled from learning MAC addresses. Only packets whose source MAC addresses are configured as static MAC addresses can pass through the port. Feature: in the secure mode, the device triggers NTK and intrusion protection upon detecting an illegal packet.
■ userlogin: In this mode, port-based 802.1x authentication is performed for access users.
Note: When a port works in the userlogin-secure-else-mac-ext mode or the userlogin-secure-else-mac mode, for the same packet, intrusion protection is triggered only after both MAC authentication and 802.1x authentication fail.
To avoid conflicts, the following restrictions apply to 802.1x authentication and MAC address authentication after port security is enabled:
1 The access control mode (set by the dot1x port-control command) automatically changes to auto.
2 The dot1x, dot1x port-method, dot1x port-control, and mac-authentication commands cannot be used.
Note: ■ For details about 802.1x authentication, refer to the 802.
Displaying Port Security Configuration
Port Security Configuration Example
Network diagram
Figure 47 Network diagram for port security configuration: Switch A, Switch B, Ethernet1/0/1, PC1 (MAC 0001-0002-0003).
Configuration procedure
Configure Switch A as follows:
# Enter system view.
system-view
# Enable port security.
[SW7750] port-security enable
# Enter GigabitEthernet1/0/1 port view.
[SW7750] interface GigabitEthernet1/0/1
# Set the maximum number of MAC addresses allowed on the port to 80.
25 PORT BINDING CONFIGURATION
Port Binding Overview
Introduction
Port binding enables the network administrator to bind the MAC and IP addresses of a legal user to a specific port. After the binding, the port forwards only packets coming from or going to that legal user. This improves network security and enhances security monitoring.
Configuring Port Binding
Network diagram
Figure 48 Network diagram for port binding configuration: Switch A, Switch B, Ethernet 1/0/1, PC1 (MAC 0001-0002-0003, IP address 10.12.1.1), PC2.
Configuration procedure
Configure Switch A as follows:
# Enter system view.
system-view
# Enter Ethernet1/0/1 port view.
[SW7750] interface Ethernet1/0/1
# Bind the MAC address and the IP address of PC1 to Ethernet1/0/1.
[SW7750-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.
26 DLDP CONFIGURATION
DLDP Overview
As shown in Figure 49 and Figure 50, unidirectional links can occur in a network. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
Figure 50 Fiber which is not connected or disconnected: GE2/0/3 and GE2/0/4 on Switch A, GE2/0/3 and GE2/0/4 on Switch B, and a PC.
DLDP Fundamentals
DLDP provides the following features:
■ As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device.
Table 127 DLDP status
■ Delaydown: When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first. When a device changes to the delaydown state, the related DLDP neighbor information remains and the Delaydown timer is started.
Table 128 DLDP timers
■ Enhanced timer: In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP starts the enhanced timer for the neighbor. The timeout of the enhanced timer is 10 seconds. While it runs, DLDP sends two probe packets every second, eight packets in total, to the neighbor.
DLDP implementation
1 If the DLDP-enabled link is up, DLDP sends DLDP packets to the peer device, and analyses and processes the DLDP packets received from the peer device. DLDP in different states sends different packets.
Table 132 Processing procedure when no echo packet is received from the neighbor
■ Condition: in normal mode, no echo packet is received when the echo waiting timer expires; in enhanced mode, no echo packet is received when the enhanced timer expires.
■ Processing procedure: DLDP turns into the disable state, outputs log and tracking information, and sends flush packets.
Precautions During DLDP Configuration
DLDP Configuration
Configuring DLDP
Note: For a port with DLDP enabled, you are not recommended to execute the port monitor last command on the port. If it is necessary, the value argument in this command must be less than 10.
Table 133 DLDP configuration tasks
■ Display the configuration information about the DLDP-enabled ports. Command: display dldp [ interface-type interface-number ].
Note:
■ When you use the dldp enable/dldp disable command in system view to enable/disable DLDP globally on all optical ports of the switch, the command applies only to the optical ports that exist on the device at that time; it does not apply to optical ports added subsequently.
DLDP Network Example
■ If a port is DLDP down, it can return to the up state automatically. You do not need to reset DLDP on the port.
Network requirements
As shown in Figure 51:
■ Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP;
■ Suppose the fibers between Switch A and Switch B are cross-connected.
[SW7750A] dldp unidirectional-shutdown auto
# Display the DLDP status.
[SW7750A] display dldp
Note: If the fibers are correctly connected between the two switches, the system displays the connections with the neighbor as bidirectional links.
27 MAC ADDRESS TABLE MANAGEMENT
Note: This chapter describes the management of static and dynamic MAC address entries. For information on the management of multicast MAC address entries, refer to the section related to multicast protocol in the 3Com Switch 7750 Family Ethernet Switches Operation Manual.
Overview
Introduction to MAC Address Learning
An Ethernet switch maintains a MAC address table to forward packets quickly. A MAC address table is a port-based Layer 2 address table.
Figure 52 Packets forwarded by using a MAC address table (MAC address table: MAC A on Port 1, MAC B on Port 1, MAC C on Port 2, MAC D on Port 2, ...).
After learning the source address of the packet, the switch searches the MAC address table for the destination MAC address of the received packet:
■ If it finds a match, it directly forwards the packet.
Entries in a MAC Address Table
Entries in a MAC address table fall into the following two categories according to their characteristics and configuration methods:
■ Static MAC address entry: Also known as permanent MAC address entry. This type of MAC address entry is added/removed manually and does not age out.
Table 137 Add a MAC address entry
■ Enter system view. Command: system-view.
■ Add a MAC address entry. Command: mac-address { static | dynamic } mac-address interface interface-type interface-number vlan vlan-id. Required.
CAUTION: For a MAC address entry to be added, the port specified by the interface keyword must belong to the VLAN specified by the vlan keyword in the command.
Setting the Aging Time for MAC Address Entries
Table 139 Set the maximum number of MAC addresses a port can learn
■ Enter system view. Command: system-view.
■ Enter Ethernet port view. Command: interface interface-type interface-number.
■ Set the maximum number of MAC addresses the port can learn. Command: mac-address max-mac-count count. Required; by default, the number of MAC addresses a port can learn is not limited.
Disabling MAC Address Learning
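A software model of the MAC address table behaviour described in this chapter, as an added Python example (not code from the guide): it learns source addresses into a per-VLAN table, keeps static entries from aging while dynamic entries expire, honours a per-port learning limit like mac-address max-mac-count and a per-port learning switch, enforces the Table 137 rule that a static entry's port must belong to the VLAN, and forwards by lookup or floods within the VLAN when the destination is unknown. It also models the port security "secure" mode of Table 122 as a port that does not learn and only passes frames whose source is a static entry on that port, recording anything else as an intrusion. Timestamps are passed in explicitly so aging can be exercised without waiting; the 300-second aging time is an assumption of the model, not a value the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DEFAULT_AGING = 300.0  # seconds; model assumption, not the switch default


@dataclass
class Entry:
    port: str
    static: bool
    learned_at: float            # ignored for static entries, which never age out


@dataclass
class PortPolicy:
    learning: bool = True        # False models disabled MAC address learning on the port
    max_mac_count: Optional[int] = None   # None models the unlimited default of Table 139
    secure: bool = False         # port security "secure" mode: only static MACs may pass


@dataclass
class MacTable:
    aging: float = DEFAULT_AGING
    table: Dict[Tuple[int, str], Entry] = field(default_factory=dict)   # (vlan, mac) -> entry
    ports: Dict[str, PortPolicy] = field(default_factory=dict)
    vlan_ports: Dict[int, Set[str]] = field(default_factory=dict)        # vlan -> member ports
    intrusions: list = field(default_factory=list)

    def add_static(self, mac: str, port: str, vlan: int) -> None:
        """mac-address static <mac> interface <port> vlan <vlan>; the CAUTION in
        Table 137 requires the port to belong to the VLAN."""
        if port not in self.vlan_ports.get(vlan, set()):
            raise ValueError(f"{port} is not in VLAN {vlan}")
        self.table[(vlan, mac)] = Entry(port, static=True, learned_at=0.0)

    def _dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.table.values() if e.port == port and not e.static)

    def age(self, now: float) -> None:
        """Drop dynamic entries that have not been refreshed within the aging time."""
        for key in [k for k, e in self.table.items()
                    if not e.static and now - e.learned_at >= self.aging]:
            del self.table[key]

    def receive(self, port: str, vlan: int, src: str, dst: str, now: float) -> set:
        """Process one frame and return the set of egress ports (empty if dropped).

        Order: age out stale entries, apply port security, learn the source,
        look up the destination, then forward or flood to the VLAN's other ports."""
        self.age(now)
        policy = self.ports.get(port, PortPolicy())
        known = self.table.get((vlan, src))
        if policy.secure and not (known and known.static and known.port == port):
            self.intrusions.append((port, vlan, src))    # illegal packet: intrusion protection
            return set()
        if known is None and policy.learning:
            if policy.max_mac_count is None or self._dynamic_count(port) < policy.max_mac_count:
                self.table[(vlan, src)] = Entry(port, static=False, learned_at=now)
        elif known is not None and not known.static:
            known.learned_at = now                         # refresh; a moved host updates the port
            known.port = port
        hit = self.table.get((vlan, dst))
        members = self.vlan_ports.get(vlan, set()) - {port}
        if hit is not None:
            return {hit.port} & members
        return members                                     # unknown unicast: flood in the VLAN


if __name__ == "__main__":
    t = MacTable()
    t.vlan_ports[10] = {"E1/0/1", "E1/0/2", "E1/0/3"}
    t.ports["E1/0/1"] = PortPolicy(max_mac_count=1)
    print(t.receive("E1/0/1", 10, "000a", "000b", 0.0))   # unknown dst: flooded
    print(t.receive("E1/0/2", 10, "000b", "000a", 1.0))   # reply: unicast to E1/0/1
    print(t.receive("E1/0/1", 10, "000c", "000b", 2.0), (10, "000c") in t.table)  # limit hit
```

The limit check counts only dynamic entries, so a port under max-mac-count can still carry its static entries; and because a secure port never learns, the only way traffic passes it is through entries the administrator added, which is the property that mode is meant to give.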
Disabling HiGig Ports from Learning MAC Addresses
The Switch 7750 Family learns MAC address entries in one of the following ways:
■ Through MAC address learning on the port
■ By synchronizing MAC address entries between chips
HiGig ports are special ports on boards that connect the boards to the backplane. HiGig ports can also learn and synchronize MAC addresses.
Displaying and Maintaining MAC Address Configuration
To verify your configuration, you can display information about the MAC address table by executing the display command in any view.
[SW7750] mac-address timer aging 500
# Display the information about the MAC address entries in system view.
28 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION
Centralized MAC Address Authentication Overview
Note: Currently, the 3C16860, 3C16861, 3C16859, and 3C16858 I/O Modules of the 3Com Switch 7750 Family Ethernet switches do not support centralized MAC address authentication.
Centralized MAC address authentication is port- and MAC address-based authentication used to control users' permission to access a network. Centralized MAC address authentication can be performed without client-side software.
Centralized MAC Address Authentication Configuration
The following are the centralized MAC address authentication configuration tasks:
■ “Enabling Centralized MAC Address Authentication Globally”
■ “Enabling Centralized MAC Address Authentication for a Port”
■ “Configuring Centralized MAC Address Authentication Mode”
■ “Configuring the ISP Domain for MAC Address Authentica
Enabling Centralized MAC Address Authentication Globally
Table 146 Enable centralized MAC address authentication for a port in system view
■ Enable centralized MAC address authentication for specified ports. Command: mac-authentication interface interface-list. Required; by default, centralized MAC address authentication is disabled on a port.
Configuring the Timers Used in Centralized MAC Address Authentication
The following timers are used in centralized MAC address authentication:
■ Offline detect timer, which sets the interval at which the switch tests whether a user has gone offline. Upon detecting that a user is offline, the switch notifies the RADIUS server so that it stops accounting for the user.
Displaying and Debugging Centralized MAC Address Authentication
Note:
■ If the MAC address re-authentication function is enabled globally, the device initiates re-authentication when the Reauth-period expires. If it is disabled globally, the MAC address re-authentication function does not take effect.
■ You must enable the MAC address re-authentication function globally before you can re-authenticate a specified MAC address.
■ The device administrator intends to control users' access to the internet by performing MAC address authentication on all ports of the device.
■ The device tests whether the user is offline every 180 seconds, and when user authentication fails, the device waits 30 seconds before authenticating the user again.
■ All users belong to domain aabbcc.
29 MSTP CONFIGURATION
MSTP Overview
Spanning tree protocol (STP) cannot make Ethernet ports transition their states rapidly. It takes twice the forward delay for a port to transition to the forwarding state, even if the port is on a point-to-point link or is an edge port. This slows down the spanning tree convergence of STP.
Figure 55 Basic MSTP terminologies: Region A0 and Region B0, each mapping VLAN 1 to Instance 1 and VLAN 2 to Instance 2 with other VLANs mapped to the CIST; in Region A0 switch B is the region root of Instance 1 and switch C the region root of Instance 2; switches A, B, C and D exchange BPDUs. CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance; CST: Common Spanning Tree.
ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it belongs to an MST region and is a branch of the CIST. In Figure 55, each MST region has an IST, which is a branch of the CIST.
CST
A CST is the spanning tree in a switched network that connects all MST regions in the network.
Note:
■ A port can play different roles in different MSTIs.
■ The role a region edge port plays is consistent with the role it plays in the CIST. For example, port 1 on switch A in Figure 56 is a region edge port and a master port in the CIST, so it is a master port in all MSTIs in the region.
Generating the CIST
Through configuration BPDU comparison, the switch with the highest priority in the network is chosen as the root of the CIST. In each MST region, MSTP calculates an IST. At the same time, MSTP regards each MST region as a single switch to calculate the CST of the network. The CST, together with the ISTs, forms the CIST of the network.
First, the switch generates a designated port configuration BPDU for each of its ports from the root port configuration BPDU and the root port path cost, with the root ID replaced with that of the root port configuration BPDU, the root path cost replaced with the sum of the path cost of the root port configuration BPDU and the path cost of the root port, the ID of the designated bridge replaced with that of the switch, and the ID of the designated port bein
Table 154 Root bridge configuration
■ Network diameter configuration: Optional. Related section: “Network Diameter Configuration”.
■ MSTP time-related configuration: Optional; the defaults are recommended. Related section: “MSTP Time-related Configuration”.
■ Timeout time factor configuration: Optional; the default is recommended. Related section: “Timeout Time Factor Configuration”.
■ Maximum transmitting speed configuration: Optional; the default is recommended.
Table 155 Configure an MST region
■ Display the currently valid configuration of the MST region. Command: display stp region-configuration. You can execute this command in any view.
Configuring MST region-related parameters (especially the VLAN mapping table) causes the spanning trees to be regenerated.
Table 156 Specify the current switch as the root bridge of a specified spanning tree
■ Specify the current switch as the root bridge of a specified spanning tree. Command: stp [ instance instance-id ] root primary [ bridge-diameter bridgenumber ] [ hello-time centi-seconds ]. Required.
Secondary root bridge configuration
Table 157 Specify the current switch as the secondary root bridge of a specified spanning tree
■ Enter s
■ You can also configure the current switch as the root bridge by setting the priority of the switch to 0. Note that once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.
Configuration example
# Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2.
■ MSTP mode: In this mode, the protocol packets sent out of the ports of the switch are MSTP packets, or STP packets if STP-enabled switches are connected to the ports. The multiple spanning tree function is enabled only for MSTP packets.
Configuration example
# Configure the maximum hops of the MST region to be 30 (assuming that the current switch operates as the region root).
system-view
[SW7750] stp max-hops 30
Network Diameter Configuration
In a switched network, any two switches can communicate with each other through a path, on which there may be other switches.
■ The Hello time parameter is for link testing. A switch regularly sends hello packets to other switches at the interval specified by the Hello time parameter to test the links.
■ The Max age parameter is used to judge whether a configuration BPDU is obsolete. Obsolete configuration BPDUs are discarded.
2 x (Forward delay - 1 second) >= Max age
Max age >= 2 x (Hello time + 1 second)
You are recommended to specify the network diameter of the switched network and the Hello time using the stp root primary or stp root secondary command. After that, the three time-related parameters are determined automatically.
Configuration procedure (in system view)
Table 164 Configure the maximum transmitting speed for specified ports in system view
■ Enter system view. Command: system-view.
■ Configure the maximum transmitting speed for specified ports. Command: stp interface interface-list transmit-limit packetnum. Required; the maximum transmitting speed of all Ethernet ports on a switch defaults to 10.
Table 166 Configure a port as an edge port (in system view)
■ Configure the specified ports as edge ports. Command: stp interface interface-list edged-port enable. Required; by default, all the Ethernet ports of a switch are non-edge ports.
Configuration procedure (in system view)
Table 168 Specify whether or not the links connected to the specified ports are point-to-point links (in system view)
■ Enter system view. Command: system-view.
■ Specify whether or not the links connected to the specified ports are point-to-point links. Required; the auto keyword is adopted by default. The force-true keyword specifies that the links connected to the specified ports are point-to-point links.
After you configure the link of a port as a point-to-point link, the configuration applies to all spanning tree instances. If the actual physical link of a port is not a point-to-point link and you forcibly configure it as one, temporary loops may result.
Configuration example
# Configure the link connected to port Ethernet1/0/1 as a point-to-point link.
1 Configure in system view.
Table 171 Disable MSTP in Ethernet port view
■ Disable MSTP on the port. Command: stp disable. Optional; by default, MSTP is enabled on all ports after you enable MSTP in system view.
To make a switch operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree generation, this saves CPU resources.
Table 172 Leaf node configuration
■ Point-to-point link related configuration: Optional. Related section: “Point-to-point Link-Related Configuration”.
Note: In a network that contains switches with both GVRP and MSTP employed, GVRP packets are forwarded along the CIST.
Table 173 Specify the standard for calculating path costs
■ Enter system view. Command: system-view.
■ Specify the standard to be used to calculate the default path costs of the links connected to the ports of the switch. Command: stp pathcost-standard { dot1d-1998 | dot1t | legacy }. Optional; by default, the legacy standard is used to calculate the default path costs.
Path cost = 200,000 / link transmission speed, where the link transmission speed is the sum of the speeds of the unblocked ports on the aggregated link, measured in units of 100 Kbps.
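The timer inequalities of the MSTP time-related section and the path cost formula above, carried through as an added Python example (not code from the guide): check_timers() reports which of the two constraints a Hello time / Max age / Forward delay triple violates, and path_cost() computes the default path cost under the three standards selectable with stp pathcost-standard. The legacy formula is the one given on this page. The dot1d-1998 values are the IEEE 802.1D-1998 recommended costs and the dot1t formula is the IEEE 802.1t one (20,000,000,000,000 / bandwidth in bit/s); the page lists neither, so both are assumptions here, and aggregated links under dot1d-1998 are not modelled.

```python
# IEEE 802.1D-1998 recommended path costs per link speed in Mbit/s (assumption; not on the page).
DOT1D_1998 = {10: 100, 100: 19, 1000: 4, 10000: 2}


def path_cost(speed_mbps: int, standard: str = "legacy", unblocked_ports: int = 1) -> int:
    """Default path cost of a link, or of an aggregated link with the given number
    of unblocked member ports, under one standard.

    legacy:     200,000 / (total speed in units of 100 kbit/s), as stated on the page.
    dot1t:      20,000,000,000,000 / (total speed in bit/s), IEEE 802.1t (assumption).
    dot1d-1998: fixed recommended values; aggregated links are not handled here."""
    total_mbps = speed_mbps * unblocked_ports
    if standard == "legacy":
        return 200_000 // (total_mbps * 10)             # 1 Mbit/s = 10 x 100 kbit/s
    if standard == "dot1t":
        return 20_000_000_000_000 // (total_mbps * 1_000_000)
    if standard == "dot1d-1998":
        if unblocked_ports != 1:
            raise ValueError("aggregated-link costs under dot1d-1998 are not modelled")
        return DOT1D_1998[speed_mbps]
    raise ValueError(f"unknown standard {standard!r}")


def check_timers(hello: float, max_age: float, forward_delay: float) -> list:
    """Return the violated MSTP timer constraints (an empty list means consistent).

    2 x (Forward delay - 1 s) >= Max age   keeps a port from forwarding before stale
                                           topology information has aged out;
    Max age >= 2 x (Hello time + 1 s)      keeps a couple of lost hellos from being
                                           mistaken for a dead upstream switch."""
    problems = []
    if 2 * (forward_delay - 1) < max_age:
        problems.append(f"2 x (forward delay {forward_delay} - 1) = "
                        f"{2 * (forward_delay - 1)} < max age {max_age}")
    if max_age < 2 * (hello + 1):
        problems.append(f"max age {max_age} < 2 x (hello {hello} + 1) = {2 * (hello + 1)}")
    return problems


if __name__ == "__main__":
    for std in ("legacy", "dot1t", "dot1d-1998"):
        print(std, [path_cost(s, std) for s in (10, 100, 1000, 10000)])
    print("2 x 100M aggregated, legacy:", path_cost(100, "legacy", unblocked_ports=2))
    print("timers 2/20/15:", check_timers(2, 20, 15) or "consistent")
    print("timers 2/20/10:", check_timers(2, 20, 10))
```

Two observations fall out of running it: under the legacy standard a two-port 100 Mbps aggregation costs half of a single 100 Mbps link, so losing a member port changes the cost and can move the root port; and the timer check fails as soon as forward delay is trimmed to 10 seconds with the 20-second max age kept, which is why the page recommends letting stp root primary derive all three values from the network diameter.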
Leaf Node Configuration 245 [SW7750-Ethernet1/0/1] quit [SW7750] stp pathcost-standard dot1d-1998 Port Priority Configuration Port priority is an important criterion on determining the root port. In the same condition, ports with smaller port priority values are more potential to become the root port than those with bigger priority values. A port on a MSTP-enabled switch can have different port priorities and play different roles in different spanning tree instances.
system-view
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] stp instance 1 port priority 16

Point-to-point Link-Related Configuration
Refer to "Point-to-point Link-Related Configuration".

MSTP Configuration
Refer to "MSTP Configuration".

The mCheck Configuration
As mentioned previously, ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP.

■ Configure in system view.
system-view
[SW7750] stp interface ethernet1/0/1 mcheck
■ Configure in Ethernet port view.
system-view
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] stp mcheck

Protection Function Configuration
Introduction
The following protection functions are available on an MSTP-enabled switch: BPDU protection, root protection, loop guard, and topology change BPDU (TC-BPDU) attack guard.

... because of network congestion and link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports transit to the forwarding state. This may cause loops in the network. The loop guard function suppresses such loops.

Configuration example
# Enable the BPDU guard function.
system-view
[SW7750] stp bpdu-protection

CAUTION: As Gigabit ports of the Switch 7750 Family cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.

Root Guard Configuration
Configuration prerequisites
MSTP is enabled on the current switch.

Table 184 Enable the loop prevention function on a port
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: -
Operation: Enable the loop prevention function on the current port
Command: stp loop-protection
Description: Required. The loop prevention function is disabled by default.

Configuration example
# Enable the loop prevention function on port Ethernet1/0/1.

Digest Snooping Configuration
... of the BPDUs between them. (A configuration ID contains information such as the region ID and the configuration digest.) As some partners' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings as the other switches in the region. This problem can be overcome by implementing the digest snooping feature.

■ To enable the digest snooping feature, the interconnected switches must be configured with exactly the same MST region-related configurations (including region name, revision level, and VLAN-to-MSTI mapping).
■ The digest snooping feature must be enabled on all the ports of the Switch 7750 Family that are connected to partners' switches running proprietary protocols in the same MST region.

Rapid Transition Configuration
Figure 58 The MSTP rapid transition mechanism
[Figure: an upstream switch (designated port) and a downstream switch (root port). Labels: "Send proposal packets to request rapid transition"; "Root port blocks other non-edge ports"; "Send agreement packets"; "Designated port changes to Forwarding state"; "Root port changes to Forwarding state and sends agreement packets to upstream switch".]
Limitations on the combination of RSTP and MSTP exist to implement rapid transition.

Figure 59 Network diagram for rapid transition configuration
[Figure: a switch from another manufacturer connected through Port 1 and Port 2 to a Switch 7750.]
Configuration procedure
1 Configure the rapid transition feature in system view.

BPDU Tunnel Configuration
Introduction
The BPDU Tunnel function enables BPDUs to be transparently transmitted between geographically dispersed user networks through specified VLAN VPNs in the operator's network, so that spanning trees can be generated across these user networks independently of those of the operator's network. As shown in Figure 60, the upper part is the operator's network, and the lower part is the user network.

Table 189 Configure the BPDU Tunnel function
Operation: Enable the VLAN VPN function for the Ethernet port
Command: vlan-vpn enable
Description: Required. By default, the VLAN VPN function is disabled on all ports.

Note:
■ The BPDU Tunnel function can only be enabled on devices with STP enabled.
■ The BPDU Tunnel function can only be enabled on access ports.

MSTP Displaying and Debugging

MSTP Implementation Example
Network diagram
Figure 61 Network diagram for implementing MSTP
[Figure: Switch A, Switch B, Switch C and Switch D interconnected; the links are labelled "Permit: all VLAN", "Permit: VLAN 20, 30", "Permit: VLAN 10, 20" and "Permit: VLAN 20, 40".]
Note: "Permit:" in Figure 61 means that the corresponding link permits packets of the specified VLANs.
Configuration procedure
1 Configure Switch A.
# Enter MST region view.

# Activate the settings of the MST region.
[SW7750-mst-region] active region-configuration
# Specify Switch B as the root bridge of spanning tree instance 3.
[SW7750] stp instance 3 root primary
3 Configure Switch C.
# Enter MST region view.
system-view
[SW7750] stp region-configuration
# Configure the MST region.

BPDU Tunnel Configuration Example
■ Switch C and Switch D connect to each other through their configured trunk ports, and are enabled with the BPDU Tunnel function. Thereby transparent transmission is realized between the user's network and the operator's network.
Network diagram
Figure 62 Network diagram for BPDU Tunnel configuration
[Figure: Switch A (port E 0/1) and Switch B (port E 0/1) in the user networks; Switch C and Switch D (ports E 1/0/1 and E 1/0/2) in the operator's network.]
Configuration procedure
1 Configure Switch A.
# Enable RSTP.

# Add port Ethernet1/0/1 to VLAN 10.
[SW7750] vlan 10
[SW7750-Vlan10] port Ethernet 1/0/1
[SW7750-Vlan10] quit
# Disable STP on port Ethernet1/0/1 and then enable the VLAN-VPN function on it.
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] port access vlan 10
[SW7750-Ethernet1/0/1] stp disable
[SW7750-Ethernet1/0/1] vlan-vpn enable
[SW7750-Ethernet1/0/1] quit
# Configure port Ethernet1/0/2 as a trunk port.
30 IP ROUTING PROTOCOL OVERVIEW

Note: When running a routing protocol, the Ethernet switch also functions as a router. The word "router" and the router icons used in the following text represent both routers in the usual sense and Ethernet switches running a routing protocol. To improve readability, this will not be mentioned again in this manual.

Introduction to IP Route and Routing Table
IP Route and Route Segment
Routers are used for route selection on the Internet.

... greatly, the actual lengths of route segments may differ from each other. Therefore, you can assign different weights to different route segments (so that, for example, a route segment is counted as two segments if its weight is two). In this way, the length of a path can be measured by the number of weighted route segments.

Routing Management Policy
■ Direct route: The router is directly connected to the network where the destination resides.
■ Indirect route: The router is not directly connected to the network where the destination resides.
To avoid an oversized routing table, you can set a default route. All packets for which the router fails to find a matching entry in the routing table are forwarded through this default route.

Routing Protocols and Preferences
Different routing protocols may discover different routes to the same destination, but only one route among these routes and the static routes is optimal. In fact, at any given moment, only one routing protocol can determine the current route to a specific destination. Routing protocols (including static routing) are assigned different preferences.

... switchover from the main route to a backup route is implemented. When the main route recovers, the router restores it and re-selects a route. As the main route has the highest preference, the router chooses the main route to send data. This process is the automatic switchover from the backup route to the main route.
31 STATIC ROUTE CONFIGURATION

Introduction to Static Route
Static Route
Static routes are special routes that are manually configured by the administrator. By configuring static routes, you can build an interconnecting network. The problem with such a configuration is that when a fault occurs on the network, a static route cannot change automatically to steer traffic away from the fault point without the help of the administrator.

... the packet; in this case, if there is no default route, the packet is discarded, and an Internet Control Message Protocol (ICMP) packet is returned to inform the source host that the destination host or network is unreachable.

Table 193 Display the routing table
Operation: Display routing table summary
Command: display ip routing-table
Operation: Display routing table details
Command: display ip routing-table verbose
Operation: Display the detailed information of a specific route
Command: display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]
Operation: Display the routes in a specified address range
Command: display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbos

Static Route Configuration Example
Configuration procedure
Note: Before the following configuration, make sure that the Ethernet link layer works normally and the IP addresses of the VLAN interfaces have been configured correctly.
# Configure static routes on Switch A.
system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Configure static routes on Switch B.
32 SELECTIVE ROUTE CONFIGURATION

Selective Route Overview
Selective route implements access control on network resources by controlling packet forwarding. Compared with access control implemented using ACLs only, using selective routes for access control is easier to configure and saves system resources. Selective route works as follows. The router matches a received packet against the applied ACL.

Network diagram
Figure 66 Network diagram for selective route configuration
Configuration procedure
Perform the following configuration on Switch:
# Create an ACL numbered 2000 to permit the packets from HostA (whose IP address is 59.67.69.8) and HostB (whose IP address is 59.67.70.52).
system-view
[Switch] acl number 2000
[Switch-acl-basic-2000] rule 0 permit source 59.67.69.8 0
[Switch-acl-basic-2000] rule 1 permit source 59.67.70.

[Switch] ip route-static 0.0.0.0 0 59.67.64.
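The following Python is an added example, not code from the 3Com guide. It models the forwarding decision the selective-route chapter and the preceding static-route chapter describe: a basic ACL whose rules are tried in rule-number order using wildcard masks (a 0 bit in the wildcard must match exactly, a 1 bit is ignored), a selective route that applies to packets the ACL permits, and a routing table that does longest-prefix match, falls back to a default route (0.0.0.0/0), and returns None, the case in which the switch would send ICMP unreachable, when nothing matches. How the guide binds the ACL to a next hop is not on the page, so the `forward` binding here is an assumption. The host addresses come from the guide's ACL example; the next hops (192.0.2.x) are constructed.

```python
"""ACL matching, selective routing and longest-prefix lookup, as a model.

Added example (not from the 3Com guide). The ACL-to-next-hop binding in
forward() is an assumption; the rest follows the chapter's description.
"""
import ipaddress


def _addr(text):
    """Parse a dotted address; the CLI writes an all-zero wildcard as a bare 0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


class BasicAcl:
    def __init__(self, number):
        self.number = number
        self.rules = []   # (rule_id, action, source, wildcard), sorted by rule_id

    def rule(self, rule_id, action, source, wildcard="0"):
        self.rules.append((rule_id, action, _addr(source), _addr(wildcard)))
        self.rules.sort(key=lambda r: r[0])

    def match(self, src):
        """Action of the first rule matching src, or None if no rule matches."""
        s = _addr(src)
        for _, action, source, wildcard in self.rules:
            # wildcard bits set to 1 are don't-care; all other bits must be equal
            if ((s ^ source) & ~wildcard & 0xFFFFFFFF) == 0:
                return action
        return None


class RoutingTable:
    def __init__(self):
        self.routes = []  # (IPv4Network, next_hop)

    def add_static(self, dest, mask, next_hop):
        # mask may be dotted (255.255.255.0) or a prefix length (0, 24)
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        self.routes.append((net, next_hop))

    def lookup(self, dst):
        """Longest-prefix match; the 0.0.0.0/0 default route wins only if nothing longer matches."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None   # None: no route, ICMP unreachable


def forward(src, dst, acl, selective_next_hop, table):
    """Selective route first (assumed binding): ACL-permitted sources go to its
    next hop; everything else follows the ordinary routing table."""
    if acl.match(src) == "permit":
        return selective_next_hop
    return table.lookup(dst)
```

Because the selective route is consulted before the routing table, the ACL decides which sources reach the selected next hop; a deny rule placed earlier than a broader permit rule wins for the addresses it covers, which is the ordering detail worth checking when an ACL is used for access control.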
33 RIP CONFIGURATION

RIP Overview
Basic Concepts
Routing Information Protocol (RIP) is a simple interior gateway protocol (IGP) suitable for small-sized networks.

RIP
RIP is a distance-vector (D-V) algorithm-based protocol. It exchanges routing information via UDP packets. RIP uses hop count (also called routing cost) to measure the distance to a destination address.

RIP Startup and Operation
■ Timeout timer: If a RIP route is not updated (that is, the switch does not receive any routing update packet from the neighbor) within the timeout time of this timer, the route is considered unreachable.
■ Garbage-collection timer: An unreachable route is completely deleted from the routing table if no update packet for the route is received from the neighbor before this timer times out.

Basic RIP Configuration
Table 195 RIP configuration tasks
Configuration Task: Setting the additional routing metrics of an interface
Description: Optional
Related section: "Setting the additional routing metrics of an interface"
Configuration Task: Configuring RIP route summary
Description: Optional
Related section: "Configuring RIP route summary"
Configuration Task: Disabling the receiving of host routes
Description: Optional
Related section: "Disabling the receiving of host routes"
Configuration Task: Configuring RIP to filter or advertise the received routes
Description: Optional
Related section: "Configuring RIP to filter or advertise the received routes"
Configuring RIP Route Control
Configuring RIP to fi

Table 196 Enable RIP globally and on the interface of a specified network segment
Operation: Enable RIP globally and enter RIP view
Command: rip
Description: -
Operation: Enable RIP on the interface of a specified network segment
Command: network network-address
Description: Required. By default, RIP is disabled on any interface.
Note:
■ RIP can be enabled on an interface only after it has been enabled globally.

RIP Route Control
In actual deployments, it may be necessary to control RIP routing information more precisely to accommodate complex network environments. By performing the configuration described in the following sections, you can:
Configuration Prerequisites
Configuring RIP Route Control
■ Control route selection by adjusting the additional routing metrics on interfaces running RIP.

Configuring RIP route summary
Route summary means that different subnet routes in the same natural network segment can be aggregated into one route with a natural mask for transmission to another network segment. This function is used to reduce the routing traffic on the network as well as to reduce the size of the routing table. Route summary does not work for RIP-1. RIP-2 supports route summary.

Table 202 Configure RIP to filter incoming/outgoing routes
Operation: Configure RIP to filter incoming routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | gateway ip-prefix-name } import [ interface interface-type interface-number ]
Command: filter-policy route-policy route-policy-name import
Operation: Configure RIP to filter outgoing routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
Command: filter-policy route-policy

Configuring RIP to import routes from another protocol
Table 205 Configure RIP to import routes from another protocol
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter RIP view
Command: rip
Description: -
Operation: Set the default cost for RIP to import routes from other protocols
Command: default cost value
Description: Optional. When you use the import-route command without specifying the cost of imported routes, the default cost you set here is used.

RIP Network Adjustment and Optimization
Note: When configuring the values of RIP timers, take network performance into consideration and configure all routers running RIP consistently, to avoid unnecessary network traffic and route oscillation.

Table 209 Set RIP-2 packet authentication mode
Operation: Set RIP-2 packet authentication mode
Command: rip authentication-mode { simple password | md5 { rfc2453 key-string | rfc2082 key-string key-id } }
Description: Required. If you specify MD5 authentication, you must specify one of the following MD5 authentication types: rfc2453 (this type supports the packet format defined in RFC 2453); rfc2082 (this type supports the packet format defined in RFC 2082).
Config

... correctly to ensure interworking between the networks connected to SwitchC, SwitchA and SwitchB.
Network diagram
Figure 67 RIP configuration
[Figure: Switch A, Switch B and Switch C connected over Ethernet. Labels as extracted: Network address 155.10.1.0/24; Interface address 155.10.1.1/24; Interface address 110.11.2.1/24; Interface address 110.11.2.3/24; Network address 110.11.2.2/24; Interface address 117.102.0.1/16; Interface address 196.38.165.1/24; Network address 196.38.165.]

Troubleshooting RIP Configuration
... the network command on the interface. The peer routing device is configured to work in multicast mode (for example, the rip version 2 multicast command is executed) but multicast mode is not configured on the corresponding interface of this switch.
34 OSPF CONFIGURATION

OSPF Overview
Introduction to OSPF
Open Shortest Path First (OSPF) is a link state-based interior gateway protocol developed by the IETF. At present, OSPF version 2 (RFC 2328) is used, which has the following features:
■ High applicability: OSPF supports networks of various sizes and can support up to several hundred routers.

OSPF Route Calculation
... topology of the whole network. Obviously, all routers get exactly the same map.
■ A router uses the shortest path first (SPF) algorithm to calculate the shortest path tree with itself as the root. The tree shows the routes to the nodes in the autonomous system. External routes are leaf nodes, which are marked with the routers from which they are advertised, to record information outside the AS. Obviously, the routing tables obtained by different routers are different.

A stub area cannot import any external route. For this reason the concept of the NSSA area (not-so-stubby area) is introduced. In an NSSA area, type 7 LSAs are allowed to be propagated. A type 7 LSA is generated by an ASBR (autonomous system boundary router) in an NSSA area. A type 7 LSA reaching an ABR in the NSSA area is transformed into an AS-external LSA, which is then advertised to other areas.

Backbone area and virtual link
Backbone Area
With OSPF area partition, not all areas are equal.

OSPF Network Type
Four OSPF network types
OSPF divides networks into four types by link layer protocol:
■ Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast. In a broadcast network, protocol packets are sent by multicast (224.0.0.5 and 224.0.0.6) by default.
■ Non-broadcast multi-access (NBMA): If Frame Relay, ATM, or X.25 is adopted, OSPF defaults the network type to NBMA. In an NBMA network, protocol packets are sent by unicast.

... problem, the DR is defined in OSPF so that all routers send information to the DR only, and the DR broadcasts the network link states in the network. If the DR fails, a new DR must be elected and synchronized with the other routers on the network. The process takes quite a long time, and during the process route calculation is incorrect. To shorten the process, the BDR is introduced in OSPF. In fact, a BDR provides backup for a DR. DR and BDR are elected at the same time.

■ DR election is required for broadcast or NBMA interfaces but is not required for P2P or P2MP interfaces.
■ The DR is elected per router interface in a given segment. A router may be a DR on one interface and a BDR or DR Other on another interface.
■ If a new router is added after DR and BDR election, the router does not become the DR immediately even if it has the highest DR priority.

OSPF Packets
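The DR/BDR rules above, written out as an added Python example that is not code from the 3Com guide. It is a simplified version of the RFC 2328 section 9.4 election: each neighbor is described by its router ID, its DR priority, and the DR and BDR it currently declares in its Hello packets; priority 0 means the router is never elected; a router already declaring itself DR keeps the role, which is why a newly added router with the highest priority does not take over. The RFC's repeat-the-election step when the calculating router's own role changes is omitted. Sample routers are constructed; the router IDs follow the numbering of the guide's example but nothing else from it is assumed.

```python
"""Simplified OSPF DR/BDR election (RFC 2328 9.4) on one broadcast segment.

Added example (not from the 3Com guide). Ties on priority are broken by the
higher router ID, as in the RFC.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Neighbor:
    router_id: str
    priority: int
    declared_dr: str = "0.0.0.0"    # DR this router names in its Hellos
    declared_bdr: str = "0.0.0.0"   # BDR this router names in its Hellos


def _rank(n):
    # higher priority wins; on a tie the higher router ID wins
    return (n.priority, int(ipaddress.IPv4Address(n.router_id)))


def _pick_bdr(not_dr):
    """Routers declaring themselves BDR are preferred; otherwise anyone not declaring DR."""
    declaring_bdr = [n for n in not_dr if n.declared_bdr == n.router_id]
    pool = declaring_bdr or not_dr
    return max(pool, key=_rank) if pool else None


def elect(neighbors):
    """Return (dr_router_id, bdr_router_id); None for a role nobody can fill."""
    eligible = [n for n in neighbors if n.priority > 0]   # priority 0: never DR/BDR
    not_dr = [n for n in eligible if n.declared_dr != n.router_id]
    bdr = _pick_bdr(not_dr)
    declaring_dr = [n for n in eligible if n.declared_dr == n.router_id]
    if declaring_dr:
        # an existing DR is never pre-empted, whatever the newcomers' priorities
        dr = max(declaring_dr, key=_rank)
    else:
        # nobody claims DR: the BDR is promoted and a new BDR is chosen
        dr = bdr
        bdr = _pick_bdr([n for n in not_dr if n is not dr])
    return (dr.router_id if dr else None, bdr.router_id if bdr else None)
```

On a fresh segment the router with priority 100 wins DR and the highest router ID among the rest becomes BDR; on a segment that already has a DR, the same priority-100 router arriving later is left with neither role until the current DR disappears.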
■ Network-LSA: Type-2 LSAs, generated by the DRs of broadcast or NBMA networks to describe the link states of the current network segment; advertised only in the area where the DRs reside.
■ Summary-LSA: Type-3 and Type-4 LSAs, generated by ABRs and advertised in the areas associated with the LSAs. Each Summary-LSA describes a route to a destination in another area of the AS (also called an inter-area route).

Introduction to OSPF Configuration Tasks
Table 212 OSPF configuration tasks
Configuration Task: Basic OSPF Configuration
Description: Required
Related section: "Basic OSPF Configuration"
Configuration Task: OSPF Area Attribute Configuration
Description: Optional
Related section: "OSPF Area Attribute Configuration"
Configuration Task: Configuring the Network Type of an OSPF Interface
Description: Optional
Related section: "Configuring the Network Type of an OSPF Interface"
Configuration Task: Setting an NBMA Neighbor
Description: Optional
Related section: "Setting an NBMA Neighbor"
Configuration Task: Setting the DR Priority
Configuration Task: Displaying OSPF Configuration
Description: Optional
Related section: "Displaying OSPF Configuration"

Basic OSPF Configuration
Configuration Prerequisites
Before you can configure other OSPF features, you must first enable OSPF and specify the interface and area ID.

Table 213 Basic OSPF configuration
Operation / Command / Description: Optional
Note: If multiple OSPF processes run on a router, you are recommended to use the router-id keyword in the following command to specify different router IDs for different processes.

OSPF Area Attribute Configuration
Configuring OSPF Area Attributes
Table 214 Configure OSPF area attributes
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Description: -
Operation: Enter OSPF area view
Command: area area-id
Description: -
Operation: Configure the current area to be a stub area
Command: stub [ no-summary ]
Description: By default, no area is configured as a stub area.

OSPF Network Type Configuration
Configuring the Network Type of an OSPF Interface
Note:
■ Configure the network layer address of the interface so that the adjacent node is reachable at the network layer.
■ Perform basic OSPF configuration.
Table 215 Configure the network type of an OSPF interface
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter interface view
Command: interface interface-type interface-number
Description: -
Operation: Configure the network type of the OSPF interfa

Setting an NBMA Neighbor
Note: The DR priorities configured by the ospf dr-priority command and the peer command have different purposes:
■ The priority set with the ospf dr-priority command is used for the actual DR election.
■ The priority set with the peer command indicates whether a neighbor has the right to vote.

OSPF Route Control
Configuration Prerequisites
Configuring OSPF Route Summary
Table 219 Configure ASBR route summary
Operation: Enable ASBR route summary
Command: asbr-summary ip-address mask [ not-advertise | tag value ]
Description: Required. This command takes effect only when it is configured on an ASBR. By default, summary of imported routes is disabled.

Configuring OSPF to Filter Received Routes
Configuring the Cost for Sending Packets on an OSPF Interface

Table 222 Set OSPF route priority
Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Description: -
Operation: Set OSPF route priority
Command: preference [ ase ] value
Description: Optional. By default, the OSPF route priority is 10 and the priority of OSPF ASE routes is 150.

Configuring the Maximum Number of OSPF Equal-Cost Routes
Configuring OSPF to Import External Routes
Note:
■ The import-route command cannot import the default route. To import the default route, you must use the default-route-advertise command.
■ The filtering of advertised routes by OSPF means that OSPF only converts the external routes meeting the filter criteria into Type-5 or Type-7 LSAs and advertises them.

OSPF Network Adjustment and Optimization
Configuration Prerequisites
Configuring OSPF Timers
Table 225 Configure OSPF timers
Operation: Set the hello interval on the interface
Command: ospf timer hello seconds
Description: Optional. By default, p2p and broadcast interfaces send Hello packets every 10 seconds, while p2mp and NBMA interfaces send Hello packets every 30 seconds.
Operation: Set the poll interval on the NBMA interface
Command: ospf timer poll seconds
Description: Optional. By default, poll packets are sent every 120 seconds.

... interval, you can reduce the negative effect of frequent network changes.
Table 227 Set the SPF calculation interval
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Description: -
Operation: Set the SPF calculation interval
Command: spf-schedule-interval interval
Description: Optional. By default, the SPF calculation interval is five seconds.

Disabling OSPF Packet Transmission on an Interface

Table 229 Configure OSPF authentication
Operation: Return to system view
Command: quit
Description: -
Operation: Enter interface view
Command: interface interface-type interface-number
Description: -
Operation: Configure the authentication mode of the OSPF interface
Command: ospf authentication-mode { simple password | md5 key-id key }
Description: Required. By default, OSPF packets are not authenticated on an interface.

Configuring to Fill the MTU Field When an Interface Transmits DD Packets
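What the md5 mode in Table 229 does on the wire, as an added Python example that is not code from the 3Com guide. It builds a minimal OSPF Hello whose 8-byte Authentication field carries a key ID, the auth data length (16) and a cryptographic sequence number, appends MD5(packet || key) with the key zero-padded to 16 octets (the RFC 2328 Appendix D construction; zero padding of a shorter key is the convention used here), and verifies the result on receipt, including the sequence check that rejects a replayed packet and the refusal to try any key other than the one named by the key ID. The same keyed-MD5 construction, with a different packet layout, is what the RIP-2 rfc2082/rfc2453 modes in Table 209 provide; the simple-password mode of either protocol transmits the password itself in clear text. All keys, router IDs and addresses are constructed sample values.

```python
"""OSPF cryptographic authentication (AuType 2, keyed MD5, RFC 2328 App. D).

Added example (not from the 3Com guide). Packet layout follows RFC 2328;
the key, router IDs and addresses are constructed.
"""
import hashlib
import hmac
import struct

# version, type, length, router id, area id, checksum, autype (16 bytes),
# followed by the 8-byte Authentication field
OSPF_HEADER = struct.Struct("!BBH4s4sHH")
AUTH_CRYPT = struct.Struct("!HBBI")   # reserved, key id, auth data length, crypto sequence
AUTYPE_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def hello_body(mask, hello_interval, priority, dead_interval, dr, bdr, neighbors=()):
    """Hello body: mask, hello interval, options (0), priority, dead interval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", _ip(mask), hello_interval, 0, priority,
                       dead_interval, _ip(dr), _ip(bdr))
    return body + b"".join(_ip(n) for n in neighbors)


def _digest(packet, key):
    # MD5 over the packet with the 16-octet key appended (shorter keys zero-padded here)
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()


def build_ospf_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Header + Authentication field + body, with the digest appended.
    The digest is not counted in the OSPF length field."""
    length = OSPF_HEADER.size + AUTH_CRYPT.size + len(body)
    # the standard checksum is not computed when cryptographic authentication is in use
    header = OSPF_HEADER.pack(2, ptype, length, _ip(router_id), _ip(area_id),
                              0, AUTYPE_CRYPTOGRAPHIC)
    packet = header + AUTH_CRYPT.pack(0, key_id, DIGEST_LEN, seq) + body
    return packet + _digest(packet, key)


def verify_ospf_packet(data, keys, last_seq):
    """Return (accepted, seq). keys maps key id -> secret; last_seq is the last
    sequence accepted from this neighbor (None if none yet)."""
    if len(data) < OSPF_HEADER.size + AUTH_CRYPT.size + DIGEST_LEN:
        return False, None
    _, _, length, _, _, _, autype = OSPF_HEADER.unpack_from(data, 0)
    if autype != AUTYPE_CRYPTOGRAPHIC or length + DIGEST_LEN != len(data):
        return False, None
    _, key_id, auth_len, seq = AUTH_CRYPT.unpack_from(data, OSPF_HEADER.size)
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False, None          # unknown key id: never fall back to another key
    packet, digest = data[:length], data[length:]
    if not hmac.compare_digest(_digest(packet, keys[key_id]), digest):
        return False, None          # wrong key or modified packet
    if last_seq is not None and seq < last_seq:
        return False, None          # replay: sequence number went backwards
    return True, seq
```

The key ID is what makes key rollover possible without an outage: the receiver keeps both the old and the new key in `keys` while neighbors are migrated, and each packet names the key it was signed with.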
Table 232 Configure OSPF MIB binding
Operation: Configure OSPF MIB binding
Command: ospf mib-binding process-id
Description: Optional. By default, the MIB is bound to the first enabled OSPF process. When multiple OSPF processes are enabled, you can configure to which OSPF process the MIB is bound.

Enable OSPF Trap
Displaying OSPF Configuration
Table 233 Display configuration
Operation: Display brief information about one or all OSPF processes
Command: display ospf [ process-id ] brief
Operation: Display OSPF statistics
Command: display ospf [ process-id ] cumulative
Operation: Display OSPF LSDB information
Command: display ospf [ process-id ] [ area-id ] lsdb [ brief | [ asbr | ase | network | nssa | router | summary [ ip-address | verbose ] ] [ originate-router ip-address | self-originate ] ]
Operation: Display OSPF peer information
Command: display ospf [ process-

OSPF Configuration Example
Network diagram
Figure 70 DR election based on OSPF priority
[Figure: Switch A (router ID 1.1.1.1), Switch B (2.2.2.2), Switch C (3.3.3.3) and Switch D (4.4.4.4) on one segment with addresses 196.1.1.1/24, 196.1.1.2/24, 196.1.1.3/24 and 196.1.1.4/24; DR and BDR are marked.]
Configuration procedure
# Configure SwitchA.
system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] ospf dr-priority 100
[SwitchA] router id 1.1.1.

[SwitchD-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
On SwitchA, run the display ospf peer command to display its OSPF peers. Note that SwitchA has three peers. The state of each peer is Full, which means that an adjacency is established between SwitchA and each peer.

Network diagram
Figure 71 OSPF virtual link configuration
[Figure: Switch A (1.1.1.1) and Switch B (2.2.2.2) in Area 0 (196.1.1.1/24, 196.1.1.2/24); Switch B and Switch C (3.3.3.3) in Area 1 (197.1.1.2/24, 197.1.1.1/24); Switch C also in Area 2 (152.1.1.1/24); a virtual link is drawn across Area 1.]
Configuration procedure
# Configure SwitchA.
system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] router id 1.1.1.

[SwitchC-Vlan-interface1] quit
[SwitchC] interface Vlan-interface 2
[SwitchC-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[SwitchC-Vlan-interface2] quit
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchC-ospf-1] area 2
[SwitchC-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.

Troubleshooting OSPF Configuration
■ Ensure that the backbone area is connected to all the other areas.
■ Ensure that no virtual link passes through a stub area.
Global fault removal: If OSPF still cannot discover the remote routes after the above procedure is performed, check the following configurations:
■ If two or more areas are configured on a router, at least one area should be configured to be connected to the backbone area.
35 IS-IS CONFIGURATION

IS-IS Overview
Intermediate System-to-Intermediate System (IS-IS) is a dynamic routing protocol standardized by the International Organization for Standardization (ISO) to operate on the connectionless network protocol (CLNP). The IS-IS routing protocol was adopted in RFC 1195 by the Internet Engineering Task Force (IETF) for use in both the TCP/IP and OSI reference models; this form is called Integrated IS-IS or Dual IS-IS.

IS-IS network types
IS-IS supports two network types:
■ Broadcast networks, such as Ethernet and Token Ring
■ Point-to-point networks, such as PPP and HDLC
For a non-broadcast multi-access (NBMA) network, such as ATM, you need to configure point-to-point or broadcast networks on its sub-interfaces. IS-IS does not run on point-to-multipoint (P2MP) links.

Figure 73 An example of the IS-IS topology
[Figure: Area 1 through Area 5, with routers marked L1, L2 and L1/2.]
Figure 74 shows another network topology running the IS-IS protocol. The Level-1-2 routers connect the Level-1 and Level-2 routers, and also form the IS-IS backbone together with the Level-2 routers. There is no area defined as the backbone in this topology.

The DSP includes the high-order DSP (HODSP), the System ID and the SEL, where the HODSP identifies the area, the System ID identifies the host, and the SEL indicates the type of service. The lengths of the IDP and DSP are variable. The length of the NSAP address varies from 8 bytes to 20 bytes.

The Level-1 router makes routing decisions based on the System ID. If the destination is not in the area, the packet is forwarded to the nearest Level-1-2 router.

NET
The network entity title (NET) is an NSAP with a SEL of 0. It indicates the network layer information of the IS itself. SEL=0 means it provides no transport layer information. Normally, a router only needs one NET, but a router can have three NETs at most, for smooth area merging and partitioning.
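A parser for NETs as they are written in configuration, as an added Python example that is not code from the 3Com guide. A NET is dot-separated hex groups, for example 49.0001.0000.0000.0001.00 (a constructed sample): the last byte is the SEL, the six bytes before it are the System ID, and everything before that is the area address (IDP plus high-order DSP). The checks follow the overview above: total NSAP length 8 to 20 bytes, SEL 00 for a NET, and at most three NETs per router. The additional check that all NETs on one router share the same System ID is standard IS-IS behaviour (only the area part differs during area merging), not a statement taken from the guide. The Level-1 forwarding function mirrors the guide's description: same area, decide on System ID; different area, hand off to the nearest Level-1-2 router.

```python
"""Parse and validate IS-IS NETs from configuration text.

Added example (not from the 3Com guide). Sample NETs are constructed.
"""
import re
from dataclasses import dataclass

SYSTEM_ID_HEX = 12   # System ID is 6 bytes = 12 hex digits
# AFI byte, then one or more 4-digit groups, then the 2-digit SEL
_NET_RE = re.compile(r"^[0-9a-fA-F]{2}(\.[0-9a-fA-F]{4})+\.[0-9a-fA-F]{2}$")


@dataclass(frozen=True)
class Net:
    area: str       # hex digits, 1..13 bytes (IDP + HODSP)
    system_id: str  # hex digits, exactly 6 bytes
    sel: int        # always 0 for a NET


def parse_net(text):
    if not _NET_RE.match(text):
        raise ValueError(f"malformed NET: {text!r}")
    digits = text.replace(".", "").lower()
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:
        raise ValueError(f"NSAP length {nbytes} bytes is outside 8..20")
    sel = int(digits[-2:], 16)
    if sel != 0:
        raise ValueError(f"a NET must have SEL 00, got {sel:02x}")
    return Net(area=digits[:-SYSTEM_ID_HEX - 2],
               system_id=digits[-SYSTEM_ID_HEX - 2:-2],
               sel=sel)


def check_router_nets(texts):
    """Validate the whole set of NETs configured on one router."""
    nets = [parse_net(t) for t in texts]
    if not nets:
        raise ValueError("a router needs at least one NET")
    if len(nets) > 3:
        raise ValueError("a router may have at most three NETs")
    if len({n.system_id for n in nets}) != 1:
        # standard IS-IS rule: multiple NETs differ only in the area part
        raise ValueError("all NETs on one router must share the System ID")
    return nets


def level1_next_step(local, destination):
    """How a Level-1 router handles a destination, per the guide's description."""
    if destination.area == local.area:
        return ("intra-area", destination.system_id)     # route on System ID
    return ("forward-to-nearest-level-1-2", None)        # leave the area
```

Rejecting a NET with a non-zero SEL, or a set of NETs with differing System IDs, at configuration time avoids an IS-IS process that starts but never forms the adjacencies the operator expects.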
CHAPTER 35: IS-IS CONFIGURATION Introduction to IS-IS Configuration Table 234 IS-IS configuration tasks Operation Integrated IS-IS configuration Description Related section Enable IS-IS.
IS-IS Basic Configuration IS-IS Basic Configuration 319 All configuration tasks, except enabling IS-IS, are optional.
CHAPTER 35: IS-IS CONFIGURATION Table 235 Enabling IS-IS Operation Command Configure ISIS isis [ tag ] Description Required Configuring a NET By default, no IS-IS routing process is enabled. A NET defines the current IS-IS area address and router system ID.
IS-IS Basic Configuration 321 Table 239 Configure router type n Configuring the Line Type of an Interface Operation Command Configure router type is-level { level-1 | level-1-2 | level-2 } Description Optional By default, the router type is level-1-2. Changing interface line type makes sense only when the interface is on a Level-1-2 router. Otherwise, the router type determines the adjacency hierarchy that can be established.
CHAPTER 35: IS-IS CONFIGURATION Configuring received route filtering Table 242 Configure received route filtering Operation Command Description Enter system view system-view - Enter IS-IS view isis [ tag ] Required Set the policy for filtering received routes filter-policy acl-number import Required By default, IS-IS does not filter received routes.
IS-IS Basic Configuration 323 Table 245 Configure route summarization Operation Command Description Enter system view system-view - Enter IS-IS view isis [ tag ] Required Optional Configure route summarization Configuring Default Route Generation summary ip-address ip-mask By default, the system [ level-1 | level-1-2 | level-2 ] performs no route summarization.
CHAPTER 35: IS-IS CONFIGURATION Table 248 Configure IS-IS route cost style Configuring Interface Cost Configuring IS-IS Timer Operation Command Description Enter system view system-view - Enter IS-IS view isis [ tag ] Required Optional Configure a cost style cost-style { narrow | wide | wide-compatible | { compatible | narrow-compatible } [ relax-spf-limit ] } By default, IS-IS receives/sends only the packets with routing cost expressed in the Narrow mode.
IS-IS Basic Configuration 325 Table 251 Configure the CSNP packets sending interval Operation Command Configure the CSNP packets sending interval, in seconds isis timer csnp seconds [ level-1 | level-2 ] Description Optional The default CSNP packets sending interval is 10 seconds. Configuring the LSP sending interval LSPs are used to advertise link state records within an area.
CHAPTER 35: IS-IS CONFIGURATION Table 254 Configure the number of Hello packets expected from the remote router before it is considered dead n Configuring Authentication Operation Command Description Enter interface view interface interface-type interface-number Required Configure the number of Hello packets expected from the remote router before it is considered dead isis timer holding-multiplier value [ level-1 | level-2 ] Optional By default, three Hello packets are expected from the remo
Table 256 Configure authentication
■ Define the area authentication mode: area-authentication-mode { simple | md5 } password [ ip | osi ] (optional)
■ Define the domain authentication mode: domain-authentication-mode { simple | md5 } password [ ip | osi ] (optional)

By default, no password is defined and no authentication is enabled. Note that simple mode carries the password in clear text in every authenticated IS-IS PDU, so anyone able to capture traffic on the link can read it; use md5 unless a neighbor cannot support it.
When the overload tag is set, other routers do not use this router to forward transit packets.

Table 259 Configure overload tag
■ Enter system view: system-view
■ Enter IS-IS view: isis [ tag ] (required)
■ Configure overload tag: set-overload (optional; no overload tag is set by default)

Configuring to Discard LSPs with Incorrect Checksum
Assigning an LSP Maximum Aging Time

An LSP is given a maximum age (its remaining lifetime) when the originating router generates it. As the LSP is flooded to and held by other routers, this value counts down. If a router does not receive a refreshed copy of the LSP before the value reaches 0, it deletes the LSP from its LSDB.
Configuring SPF to release CPU resources automatically

In IS-IS, an SPF calculation may occupy system resources for a long time and slow down console response. To avoid this, you can configure SPF to release CPU resources automatically each time a specified number of routes has been processed, and to resume calculating the remaining routes after one second.
Displaying Integrated IS-IS Configuration

After the above configuration, you can use the display command in any view to show the IS-IS running state. The following operations display the IS-IS link state database, packet transmission statistics, and SPF calculation results, so that you can verify IS-IS route maintenance.
Network diagram

Figure 76 Network diagram for IS-IS basic configuration (diagram not reproduced). Labels shown in the figure, in order: Switch A, Vlan-interface 101 100.0.0.1/24, Vlan-interface 100 100.10.0.1/24, Vlan-interface 102 100.20.0.1/24, Switch D, Vlan-interface 102 100.20.0.2/24, Vlan-interface 100 100.30.0.1/24, Vlan-interface 102 200.0.0.1/24, Switch B, Vlan-interface 100 100.10.0.2/24, Vlan-interface 101 200.10.0.1/24, Vlan-interface 101 200.10.0.2/24, Switch C, Vlan-interface 100 200.20.0.
Integrated IS-IS Configuration Example

[SwitchC] interface vlan-interface 101
[SwitchC-Vlan-interface101] ip address 200.10.0.2 255.255.255.0
[SwitchC-Vlan-interface101] isis enable
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] ip address 200.20.0.1 255.255.255.0
[SwitchC-Vlan-interface100] isis enable

# Configure Switch D.
[SwitchD] isis
[SwitchD-isis] network-entity 86.0001.0000.0000.0008.00
[SwitchD] interface vlan-interface 102
[SwitchD-Vlan-interface102] ip address 100.20.0.
36 BGP CONFIGURATION

BGP Overview

Introduction to BGP

Border gateway protocol (BGP) is a dynamic routing protocol designed to be used between autonomous systems (ASs). An AS is a group of routers that follow the same routing policy and are under the same technical administration. Four versions of BGP exist: BGP-1 (RFC 1105), BGP-2 (RFC 1163), BGP-3 (RFC 1267), and BGP-4 (RFC 1771).
■ IBGP (Internal BGP)
■ EBGP (External BGP)

When BGP runs inside an AS, it is called interior BGP (IBGP); when BGP runs between different ASs, it is called exterior BGP (EBGP).

BGP Message Type

Format of a BGP packet header

BGP is message-driven. There are five types of BGP messages: Open, Update, Notification, Keepalive, and Route-refresh. They share the same message header, the format of which is shown in Figure 77.
■ My Autonomous System: Local AS number. By comparing this field on both sides, a router determines whether its connection with the BGP peer is EBGP or IBGP.
■ Hold time: The hold time is negotiated when two BGP speakers set up a connection. Each side proposes a value, and both peers end up using the same one, the smaller of the two.
Notification

When BGP detects an error, it sends a Notification message to the peer and then tears down the BGP connection. Figure 80 shows the format of a Notification message.

Figure 80 BGP Notification message format
Error Code (bits 0 to 7) | Error Subcode (bits 8 to 15) | Data (from bit 16, variable length)

The fields of a Notification message are described as follows.
■ Error Code: Identifies the error type.
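The header and message layouts described above, worked through in code. This is an added example, not code from the 3Com guide: it validates the common 19-byte header (marker, length, type), decodes the fixed part of an Open message (the My Autonomous System and Hold time fields discussed above) and a Notification message (Error Code, Error Subcode, Data), and shows the two decisions the text describes, the IBGP/EBGP determination and the hold time both peers settle on. The two sample messages are constructed here; the AS number 65001, identifier 10.0.0.1 and hold time 180 are arbitrary.

```python
"""Parse the common BGP message header and the Open and Notification bodies.

Added example (not code from the 3Com guide). Message layouts follow RFC 4271;
the sample messages below are constructed, not captured from a live session.
"""
import struct

MARKER = b"\xff" * 16                      # 16 bytes of all ones
TYPE_NAMES = {1: "Open", 2: "Update", 3: "Notification", 4: "Keepalive", 5: "Route-refresh"}
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
               4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}


def parse_header(data):
    """Validate the 19-byte header and return (type, length, body)."""
    if len(data) < 19:
        raise ValueError("truncated header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:19])
    if marker != MARKER:
        raise ValueError("bad marker")              # Message Header Error, subcode 1
    if length < 19 or length > 4096 or length > len(data):
        raise ValueError("bad length %d" % length)  # Message Header Error, subcode 2
    if msg_type not in TYPE_NAMES:
        raise ValueError("bad type %d" % msg_type)  # Message Header Error, subcode 3
    return msg_type, length, data[19:length]


def parse_open(body):
    """Fixed part of an Open message: version, My Autonomous System, Hold Time, BGP Identifier."""
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_identifier": ".".join(str(b) for b in bgp_id), "opt_param_len": opt_len}


def parse_notification(body):
    """Error Code (8 bits), Error Subcode (8 bits), then variable-length Data."""
    code, subcode = struct.unpack("!BB", body[:2])
    return {"error_code": code, "error_name": ERROR_CODES.get(code, "unknown"),
            "error_subcode": subcode, "data": body[2:]}


def parse_message(data):
    """Return (type name, parsed body); types not decoded here return the raw body."""
    msg_type, _length, body = parse_header(data)
    if msg_type == 1:
        return TYPE_NAMES[msg_type], parse_open(body)
    if msg_type == 3:
        return TYPE_NAMES[msg_type], parse_notification(body)
    return TYPE_NAMES[msg_type], body


def session_type(local_as, peer_open):
    """Compare My Autonomous System with the local AS: equal means IBGP, otherwise EBGP."""
    return "IBGP" if peer_open["my_as"] == local_as else "EBGP"


def negotiated_hold_time(local_hold, peer_hold):
    """Both peers end up with the same hold time: the smaller of the two proposed values."""
    return min(local_hold, peer_hold)


def build(msg_type, body):
    """Prepend a header to a body; used here only to construct the samples."""
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


# Constructed samples: an Open from AS 65001 proposing a 180 s hold time, and a
# Notification with Error Code 4 (Hold Timer Expired), subcode 0 and no data.
SAMPLE_OPEN = build(1, struct.pack("!BHH4sB", 4, 65001, 180, bytes([10, 0, 0, 1]), 0))
SAMPLE_NOTIFICATION = build(3, bytes([4, 0]))
```

The header checks are the ones a peer performs before looking at the body: a wrong marker, a length outside 19 to 4096 bytes or an unknown type each produce a Message Header Error Notification and close the session, which is why a receiver must reject them before trusting any field that follows.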
■ When there are multiple candidate routes, a BGP speaker chooses only the optimal one;
■ A BGP speaker advertises to its peers only the routes it uses itself;
■ A BGP speaker advertises the routes obtained from EBGP to all its BGP peers (both EBGP and IBGP peers);
■ A BGP speaker does not advertise the routes obtained from IBGP to its IBGP peers;
■ A BGP speaker advertises the routes obtained from IBGP to its EBGP peers (in the Switch 7750 Family, BGP and IGP do not synchronize
settings on the peer group. Note that the members and the group must use the same outbound (route update) policy, but they may use different inbound policies.
Basic BGP Configuration

Configuring BGP Multicast Address Family

Table 272 Configure BGP multicast address family
■ Enter system view: system-view
■ Start BGP and enter BGP view: bgp as-number (required; by default, the system does not run BGP)
■ Enter multicast address family view: ipv4-family multicast (required)

Commands are configured in a similar way in multicast address family view and in BGP view.

Configuring Basic BGP Functions
Table 273 Configure basic BGP functions
■ Allow routers on non-directly connected networks to establish EBGP connections: peer group-name ebgp-max-hop [ hop-count ] (optional; by default, routers on two non-directly connected networks cannot establish EBGP connections. You can set the maximum number of hops of an EBGP connection with the hop-count argument.)

A multihop EBGP session accepts session packets that have crossed intermediate routers, so it can be reached from further away than a directly connected one; keep hop-count as small as the topology allows.
Configuring the Way to Advertise/Receive Routing Information

You can filter IGP routing information by routing protocol before it is imported into the BGP routing table.

Table 274 Import routes
■ Enter system view: system-view
■ Enable BGP, and enter BGP view: bgp as-number
■ Import and advertise routing information generated by other protocols
Table 275 Configure BGP route aggregation
■ Enable BGP, and enter BGP view: bgp as-number (required; by default, BGP is disabled)
■ Enable automatic route aggregation: summary
■ Enable manual route aggregation: aggregate ip-address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*

Enabling Default Route Advertising
Table 277 Configure the BGP route advertising policy
Filter the routing information to be advertised to a peer group:
■ Specify an ACL-based BGP route filtering policy for a peer group: peer group-name filter-policy acl-number export
■ Specify an AS path ACL-based BGP filtering policy for a peer group: peer group-name as-path-acl acl-number export
■ IP prefix-based BGP route filtering

Configuring BGP Route Receiving Policy
Table 279 Configure BGP-IGP route synchronization
■ Enable BGP, and enter BGP view: bgp as-number (required; by default, BGP is disabled)
■ Disable BGP-IGP route synchronization: undo synchronization (required; by default, BGP routes and IGP routes are not synchronized)

CAUTION: BGP-IGP route synchronization is not supported on 3Com Switch 7750 Family Ethernet switches.
Table 281 Configure BGP load balance
■ Enable BGP and enter BGP view: bgp as-number
■ Configure BGP load balance: balance num (required; by default, the system does not use BGP load balancing)

Configuring BGP Route Attributes

BGP has many route attributes that you can use to control BGP routing policies.
Table 282 Configure BGP route attributes
■ Allow the local AS number to appear in the AS_Path of received routes: peer { group-name | ip-address } allow-as-loop [ number ] (optional; by default, the number of local AS number occurrences allowed is 1)
■ Configure the AS_Path attribute: peer group-name as-number as-number (optional; by default, the local AS number is not assigned to a peer group)
Adjusting and Optimizing a BGP Network

implementations, BGP supports the route-refresh function. With route-refresh enabled on all BGP routers, when the local routing policy changes, the local router sends route-refresh messages to its peers, and the peers re-send their routing information to the local router. In this way the new routing policy is applied and the routing table updated without tearing down the BGP sessions.
Table 283 Adjust and optimize a BGP network
■ Optional. By default, the interval at which a peer group sends the same route update to IBGP peers is 15 seconds, and to EBGP peers 30 seconds.
Configuring a Large-Scale BGP Network

Community can also be used to simplify routing policy management. Its scope is much wider than that of a peer group: it controls the routing policy of multiple BGP routers. In an AS, to ensure connectivity among IBGP peers, you need a full mesh of IBGP sessions. When there are many IBGP peers, a full mesh becomes costly. A route reflector (RR) or a confederation solves this problem.
If a peer already exists in a peer group, you can neither change the AS number of the peer group nor delete a specified AS number with the undo command.

Configuring BGP Community

Table 285 Configure BGP community
■ Enter system view: system-view
■ Enable BGP, and enter BGP view: bgp as-number (required; by default, the system does not run BGP)
Configuring BGP Confederation

Table 287 Configure BGP confederation
■ Enter system view: system-view
■ Enable BGP, and enter BGP view: bgp as-number (required; by default, the system does not run BGP)

Displaying and Maintaining BGP
Table 288 Display BGP
■ Display routing information about a specified BGP community: display bgp [ multicast ] routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ]* [ whole-match ]
■ Display the routes matching a specified BGP community ACL
Configuration Example

Configuring BGP AS Confederation Attribute

Network requirements

Divide AS 100, shown in the following figure, into three sub-ASs: 1001, 1002, and 1003. Configure EBGP, confederation EBGP, and IBGP.

Network diagram

Figure 81 Diagram for AS confederation (diagram not reproduced). Labels shown in the figure: AS100, AS1001, AS1002, Switch B, Switch A, 172.68.10.2, 172.68.10.1, Ethernet, 172.68.10.3, 172.68.1.1, 156.10.1.1, 172.68.1.2, Switch C, AS1003, Switch D, 156.10.1.
[SwitchB-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchB-bgp] group confed1003 external
[SwitchB-bgp] peer 172.68.10.3 group confed1003 as-number 1003

# Configure SwitchC.
[SwitchC] bgp 1003
[SwitchC-bgp] confederation id 100
[SwitchC-bgp] confederation peer-as 1001 1002
[SwitchC-bgp] group confed1001 external
[SwitchC-bgp] peer 172.68.10.

Configuring BGP RR
[SwitchA-bgp] peer 192.1.1.2 group ex as-number 200
[SwitchA-bgp] network 1.0.0.0 255.0.0.0

2 Configure SwitchB.

# Configure VLAN2.
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0

# Configure VLAN3.
[SwitchB] interface Vlan-interface 3
[SwitchB-Vlan-interface3] ip address 193.1.1.2 255.255.255.0

# Configure a BGP peer.
[SwitchB] bgp 200
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.
between SwitchA and SwitchB, and between SwitchA and SwitchC. IBGP runs between SwitchB and SwitchC, and between SwitchB and SwitchD.

Network diagram

Figure 83 Diagram for BGP routing (diagram not reproduced). Labels shown in the figure: To network 2.0.0.0, 2.2.2.2, VLAN 2 192.1.1.2/24, Switch B, VLAN 2 192.1.1.1/24, 1.1.1.1, Switch D, IBGP, EBGP, To network 1.0.0.0, VLAN 4 194.1.1.1/24, IBGP, EBGP, Switch A, AS200, VLAN 4 194.1.1.2/24, VLAN 3 193.1.1.1/24, AS100, Switch C, VLAN 3 193.1.1.2/24, VLAN 5 195.1.1.2/24, 4.4.4.
[SwitchA-route-policy] apply cost 50
[SwitchA-route-policy] quit
[SwitchA] route-policy apply_med_100 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 100
[SwitchA-route-policy] quit

# Apply apply_med_50 to the outbound routing updates of neighbor Switch C (193.1.1.2), and apply_med_100 to the outbound routing updates of neighbor Switch B (192.1.1.2).
[SwitchD] bgp 200
[SwitchD-bgp] undo synchronization
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 195.1.1.2 group in
[SwitchD-bgp] peer 194.1.1.2 group in

■ To make the configuration take effect, execute the reset bgp all command on all BGP neighbors.
■ After the above configuration, because the MED value of route 1.0.0.0 learned via Switch C is smaller than that of route 1.0.0.0 learned via Switch B, Switch D chooses the route 1.0.0.
BGP Error Configuration Example

■ Check the AS number configured for the neighbor.
■ Check the IP address configured for the neighbor.
■ Use the ping command to check IP reachability to the neighbor; the TCP session BGP runs over cannot be established unless the peer address is reachable. Because a router may have more than one interface that reaches the peer, use the ping -a ip-address form to send the ping packets from the source address the BGP session uses.
■ If you cannot ping the neighbor device, check whether there is a route to the neighbor in the routing table.
37 IP ROUTING POLICY CONFIGURATION

IP Routing Policy Overview

When a router distributes or receives routing information, it may need to apply policies that filter the routing information, so that it receives or distributes only routing information meeting given conditions. A routing protocol (RIP, for example) may need to import the routing information discovered by other protocols to enrich its routing knowledge.
ACL

Normally, a basic ACL is used to filter routing information. When defining a basic ACL you can specify a range of IP addresses or subnets, which is matched against the destination network segment addresses or next-hop addresses of the routing information. If an advanced ACL is used, its specified range of source addresses is used for matching.

ip-prefix

An ip-prefix list plays a role similar to an ACL, but it is more flexible and easier to read.
IP Routing Policy Configuration

■ IP prefix list
■ AS path list
■ Community attribute list

Refer to the QoS/ACL module in this operation manual for ACL configuration.

2 You can apply a routing policy in the following cases:
■ When routes are imported
■ When routes are advertised/received

Configuring a Route-Policy

A route-policy can comprise multiple nodes. Each node is a unit of matching, and the nodes are tested in the order of their sequence numbers.
Among the nodes defined in a route-policy, at least one should be in permit mode. When a route-policy is applied to filter routing information, a route that matches no node is denied by the route-policy. If all nodes in the route-policy are in deny mode, all routing information is denied.
Defining apply Clauses for a Route-Policy Node

The apply clauses in a node specify the actions performed once all the filtering conditions of the node's if-match clauses are satisfied. The actions include modifying the attributes of the routing information. Perform the following configuration in route-policy view.
independently specify the match range in network prefix form. Index numbers specify the matching order of the items in the ip-prefix list. Perform the following configuration in system view.
Displaying IP Routing Policy

You can perform the following configuration in system view.
IP Routing Policy Configuration Example

Configuring IP Routing Policy

Network requirements
■ As shown in Figure 84, Switch A communicates with Switch B using OSPF. Switch A's router ID is 1.1.1.1 and Switch B's is 2.2.2.2.
■ Configure an OSPF routing process on Switch A, and configure three static routes.
■ Configure a routing policy on Switch A to filter the imported static routes. In this example, the routes in 20.0.0.0 and 40.0.0.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule permit source any
[SwitchA-acl-basic-2000] quit

# Configure a route-policy.
[SwitchA] route-policy ospf permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] quit

# Apply the route-policy when the static routes are imported.

Troubleshooting IP Routing Policy
does not pass the filtering of the route-policy. Therefore, when all the nodes in the route-policy are in deny mode, no routing information passes the route-policy.

At least one item in an ip-prefix list should be in permit mode. Items in deny mode can be defined first to quickly filter out routing information that does not meet the condition. However, if all items are in deny mode, no route passes the ip-prefix filtering.
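The node matching rules of this chapter (nodes tested in sequence order, a route matching no node is denied, an all-deny policy denies everything, apply clauses run only on a matching permit node) and the Switch A configuration example, worked through as an added example that is not code from the 3Com guide. It models ACL 2000 and route-policy ospf exactly as configured above, plus the apply cost clause used by the apply_med_50 / apply_med_100 policies of the BGP chapter; the three static routes and the ACL content of the BGP-chapter policy (permit any) are constructed assumptions, and wildcard masks are assumed to be contiguous.

```python
"""Evaluation of a route-policy with if-match and apply clauses.

Added example (not code from the 3Com guide). Routes are dicts with a 'dest'
and a 'cost'; the static routes and the permit-any ACL used for the MED policy
are constructed for this example.
"""
import ipaddress


class BasicAcl:
    """A basic ACL: ordered (action, network) rules matched against a route's destination."""

    def __init__(self, number):
        self.number = number
        self.rules = []

    def rule(self, action, source="any", wildcard="0.0.0.0"):
        if source == "any":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A contiguous wildcard is the inverse of the mask: 0.255.255.255 means /8.
            wild_bits = int(ipaddress.ip_address(wildcard)).bit_length()
            network = ipaddress.ip_network("%s/%d" % (source, 32 - wild_bits), strict=False)
        self.rules.append((action, network))

    def match(self, address):
        """First matching rule wins; None when no rule matches."""
        addr = ipaddress.ip_address(address)
        for action, network in self.rules:
            if addr in network:
                return action
        return None


class RoutePolicy:
    """Nodes are tested in sequence-number order; a route matching no node is denied."""

    def __init__(self, name):
        self.name = name
        self.nodes = {}          # seq -> {"mode", "if_match", "apply"}

    def node(self, seq, mode):
        self.nodes[seq] = {"mode": mode, "if_match": [], "apply": []}
        return self.nodes[seq]

    @staticmethod
    def if_match_acl(node, acl):
        # The route matches only if its destination hits a permit rule of the ACL;
        # a deny rule (or no rule) means the if-match clause fails.
        node["if_match"].append(lambda route: acl.match(route["dest"]) == "permit")

    @staticmethod
    def apply_cost(node, cost):
        node["apply"].append(lambda route: route.update(cost=cost))

    def evaluate(self, route):
        """Return (permitted, route); apply clauses run only on a matching permit node."""
        for seq in sorted(self.nodes):
            node = self.nodes[seq]
            if all(test(route) for test in node["if_match"]):
                if node["mode"] == "deny":
                    return False, route
                result = dict(route)          # leave the original route untouched
                for action in node["apply"]:
                    action(result)
                return True, result
        return False, route                   # no node matched: denied


def filter_routes(policy, routes):
    return [new for ok, new in (policy.evaluate(r) for r in routes) if ok]


def page_example_policy():
    """ACL 2000 and route-policy ospf as configured on Switch A in the example."""
    acl = BasicAcl(2000)
    acl.rule("deny", "30.0.0.0", "0.255.255.255")
    acl.rule("permit", "any")
    policy = RoutePolicy("ospf")
    node = policy.node(10, "permit")
    RoutePolicy.if_match_acl(node, acl)
    return policy


def med_policy(cost):
    """Shape of apply_med_50 / apply_med_100: match ACL 2000 (assumed permit any), set cost."""
    acl = BasicAcl(2000)
    acl.rule("permit", "any")
    policy = RoutePolicy("apply_med_%d" % cost)
    node = policy.node(10, "permit")
    RoutePolicy.if_match_acl(node, acl)
    RoutePolicy.apply_cost(node, cost)
    return policy


def all_deny_policy():
    policy = RoutePolicy("deny_all")
    policy.node(10, "deny")
    return policy


# Constructed static routes for the example: 30.0.0.0/8 must be filtered out.
STATIC_ROUTES = [{"dest": "20.0.0.0", "cost": 0},
                 {"dest": "30.0.0.0", "cost": 0},
                 {"dest": "40.0.0.0", "cost": 0}]
```

Note how 30.0.0.0 is dropped: it hits the deny rule of the ACL, so the if-match clause of node 10 fails, no other node exists, and the implicit deny at the end of the route-policy takes effect. The ACL's own deny rule is not what removes the route; the route-policy's final deny is.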
38 ROUTE CAPACITY CONFIGURATION

Route Capacity Configuration Overview

Introduction

In actual networks the routing table contains a large number of routes, especially OSPF routes and BGP routes. If the routing table occupies too much memory, switch performance declines.
Table 298 Set the lower limit and the safety value of switch memory
■ Enter system view: system-view
■ Set the lower limit and the safety value of switch memory: memory { safety safety-value | limit limit-value }* (optional; safety-value defaults to 40 and limit-value defaults to 30)

The safety-value must be greater than the limit-value.

Enabling/Disabling Automatic Protocol Connection Recovery
39 MULTICAST OVERVIEW

Multicast Overview

"Router" or a router icon in this document refers to a router in a generic sense or to an Ethernet switch running a routing protocol. This is not pointed out again in this manual.

As networks on the Internet develop, more and more interactive services, such as data, voice, and video, run on them.
Information Transmission in the Broadcast Mode

With broadcast, the system transmits information to all users on a network. Any user on the network receives the information, whether or not it is needed. Figure 86 shows information transmission in broadcast mode.

Figure 86 Information transmission in the broadcast mode (diagram not reproduced; it shows a server broadcasting to users A through E). Assume that users B, D, and E need the information.
To deliver the information only to the right users, users B, D and E must be grouped into a receiver set. Multicast solves this problem. When some users on a network require specified information, the multicast information sender (the multicast source) sends the information only once. With tree-shaped routes established for multicast data packets by a multicast routing protocol, the packets are duplicated and distributed at the nodes nearest the receivers, as shown in Figure 87.
■ Optimal performance: Multicast reduces redundant traffic.
■ Distributed application: Multicast makes multipoint applications possible.

Application of multicast

Multicast technology effectively addresses point-to-multipoint data transmission. By enabling efficient point-to-multipoint transmission over an IP network, multicast greatly saves network bandwidth and reduces network load.
Multicast Architecture

The multicast addressing mechanism involves the planning of multicast addresses. Host registration and multicast routing are implemented on top of the IP multicast protocols. Multicast application software is not described in this chapter.

Multicast Address
■ Addressing mechanism: Information is sent from a multicast source to a group of receivers through a multicast address.
Note that:
■ The IP address of a permanent multicast group remains unchanged, while the members of the group can change.
■ A permanent multicast group can have any number of members, including zero.
■ IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.

Class D IP addresses range from 224.0.0.0 to 239.255.255.255. For details, see Table 301.
Table 302 Reserved IP multicast addresses
■ 224.0.0.15: All core-based tree (CBT) routers
■ 224.0.0.16: The specified subnetwork bandwidth management (SBM)
■ 224.0.0.17: All SBMs
■ 224.0.0.18: Virtual router redundancy protocol (VRRP)
■ 224.0.0.19 to 224.0.0.255: Other protocols

Just as the private network segment 10.0.0.0/8 is reserved for unicast, IANA has reserved the network segments ranging from 239.0.0.0 to 239.255.255.
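The address ranges described above, Class D as a whole, the reserved 224.0.0.0/24 block of Table 302 and the IANA-reserved 239.0.0.0/8 block, as an added example that is not code from the 3Com guide. It classifies an address, looks up the reserved uses listed on this page (plus the all-hosts address 224.0.0.1 that the IGMP chapter mentions), and derives the multicast MAC address that a Layer 2 switch keys its MAC multicast group table on. That mapping (01:00:5e followed by the low 23 bits of the group address) is the standard one and is not spelled out on this page; the point worth seeing in code is that it is 32-to-1, so a switch that filters on MAC addresses cannot tell those 32 groups apart.

```python
"""Classify IPv4 multicast addresses and map them to multicast MAC addresses.

Added example (not code from the 3Com guide). The reserved entries are those of
Table 302 plus the all-hosts address 224.0.0.1 from the IGMP chapter; the IP to
MAC mapping is the standard one (01:00:5e plus the low 23 bits of the group).
"""
import ipaddress

CLASS_D = ipaddress.ip_network("224.0.0.0/4")
RESERVED_BLOCK = ipaddress.ip_network("224.0.0.0/24")   # the block Table 302 describes
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")      # reserved by IANA like 10.0.0.0/8

RESERVED_USES = {
    "224.0.0.1": "All hosts on the subnet",
    "224.0.0.15": "All core-based tree (CBT) routers",
    "224.0.0.16": "The specified subnetwork bandwidth management (SBM)",
    "224.0.0.17": "All SBMs",
    "224.0.0.18": "Virtual router redundancy protocol (VRRP)",
}


def classify(address):
    """Return unicast, reserved (with its Table 302 use), administratively scoped or global."""
    addr = ipaddress.ip_address(address)
    if addr not in CLASS_D:
        return "unicast"
    if addr in RESERVED_BLOCK:
        if str(addr) in RESERVED_USES:
            use = RESERVED_USES[str(addr)]
        elif addr >= ipaddress.ip_address("224.0.0.19"):
            use = "Other protocols"
        else:
            use = "reserved"          # entries below 224.0.0.15 are not listed on this page
        return "reserved: " + use
    if addr in ADMIN_SCOPED:
        return "administratively scoped"
    return "global"


def multicast_mac(address):
    """MAC address the group maps to: 01:00:5e plus the low 23 bits of the IPv4 group."""
    addr = ipaddress.ip_address(address)
    if addr not in CLASS_D:
        raise ValueError("%s is not a multicast address" % address)
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return ":".join("%02x" % b for b in mac.to_bytes(6, "big"))


def groups_sharing_mac(address):
    """The 32 IPv4 groups whose frames carry the same destination MAC as the given group.

    The 4 high bits of a Class D address are fixed and bit 23 is dropped by the
    mapping, so 5 bits of the group address are lost: a Layer 2 device that
    filters on MAC addresses cannot tell these groups apart.
    """
    low23 = int(ipaddress.ip_address(address)) & 0x7FFFFF
    return sorted(
        str(ipaddress.ip_address((first << 24) | (bit23 << 23) | low23))
        for first in range(224, 240) for bit23 in (0, 1)
    )
```

A practical consequence for the IGMP Snooping and static multicast MAC chapters that follow: a static MAC entry or a snooping entry for 224.1.1.1 also delivers traffic sent to 225.1.1.1 or 224.129.1.1, and every group in the reserved 224.0.0.0/24 block shares its MAC with 31 other groups, so group-level access control has to be enforced on the IP group address (as the IGMP Snooping filtering ACLs do), not on the MAC.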
IP Multicast Protocols

IP multicast protocols comprise the multicast group management protocol and the multicast routing protocols. Figure 90 shows where the multicast-related protocols sit in the network.
Forwarding Mechanism of Multicast Packets

receiver sites can receive the packets. Therefore the forwarding process of multicast is more complicated than that of unicast. To guarantee the transmission of multicast packets in the network, multicast packets must be forwarded based on unicast routing tables or on routing tables provided specially for multicast (such as an MBGP multicast routing table).
40 IGMP SNOOPING CONFIGURATION

Overview

IGMP Snooping Fundamentals

Internet group management protocol snooping (IGMP Snooping) is a multicast control mechanism running on a Layer 2 switch. It is used to manage and control multicast groups. When the IGMP messages sent from hosts to the router pass through the Layer 2 switch, the switch uses IGMP Snooping to analyze and process them, as shown in Table 303.
Figure 91 Multicast packet transmission with or without IGMP Snooping being enabled (diagram not reproduced). Without IGMP Snooping, the video stream from the VOD server that reaches the Layer 2 Ethernet switch through the multicast router is sent out of every port, to multicast group members and non-members alike; with IGMP Snooping, the stream is sent only to the ports of multicast group members.
Figure 92 IGMP Snooping implementation (diagram not reproduced; it shows IGMP messages passing between the hosts, an IGMP Snooping-enabled Ethernet switch, an IGMP-enabled router and the Internet).

To implement Layer 2 multicast, the switch processes four different types of IGMP messages it receives, as shown in Table 305.
Table 305 IGMP Snooping messages (columns: Message, Sender, Receiver, Purpose, Action of the multicast member switch)
■ If yes, add the IP multicast group address to the MAC multicast group table.
■ If yes, add the port to the IP multicast group.
Table 305 IGMP Snooping messages (continued)
■ If the multicast group responds, the switch checks whether the port is the last host port corresponding to the MAC multicast group.
■ IGMP leave message. Sender: host. Receiver: multicast switch and multicast router. Purpose: notify the multicast router and multicast switch that the host is leaving its multicast group.
IGMP Snooping Configuration

Table 306 IGMP Snooping configuration tasks
■ Enable IGMP Snooping (required): see "Enabling IGMP Snooping"
■ Configure timers (optional): see "Configuring Timers"
■ Enable IGMP fast leave (optional): see "Enabling IGMP Fast Leave for a Port or All Ports"
■ Configure IGMP Snooping filter (optional): see "Configuring IGMP Snooping Filtering ACLs"
■ Configure to limit the number of multi

Enabling IGMP Snooping
■ If the switch receives no IGMP host report message within the aging time of the member port, it sends an IGMP group-specific query to the port and starts the query response timer of the IP multicast group.

Table 308 Configure timers
■ Enter system view: system-view
■ Configure the aging timer of the router port: igmp-snooping router-aging-time seconds (optional; by default, the aging time of the router port is 105 seconds)
Configuring IGMP Snooping Filtering ACLs

You can configure multicast filtering ACLs on the switch ports connected to user ends, so that the IGMP Snooping filtering function limits the multicast streams a user can access. With this function you can treat VoD users differently by allowing them access to streams in different multicast groups.
■ Most devices broadcast unknown multicast packets. So that multicast packets are not delivered to filtered ports as unknown multicast, this function is generally used together with the unknown multicast drop function.

Configuring to Limit the Number of Multicast Groups on a Port

With a limit imposed on the number of multicast groups on a switch port, users can no longer join as many multicast groups as they want when demanding multicast programs.
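The snooping behaviour described in this section, report handling, the member port aging rule and router port aging time of Table 308, leave handling with and without fast leave, filtering ACLs with unknown multicast drop, and the per-port group limit, as an added simulation that is not code from the 3Com guide. Only the 105-second router port aging default comes from the page; the member aging and query response timer values, the port names, the group addresses and the assumption that unknown multicast is still delivered to router ports when unknown multicast drop is enabled are constructed for this example. Time is simulated by calling tick with a timestamp rather than by real timers.

```python
"""IGMP Snooping membership behaviour on a Layer 2 switch (added simulation).

Added example (not code from the 3Com guide). Timer values other than the
105-second router port aging time of Table 308 are assumptions.
"""
ROUTER_AGING = 105    # default router port aging time in seconds (Table 308)
MEMBER_AGING = 260    # member port aging time; assumed value for this simulation
QUERY_RESPONSE = 1    # group-specific query response timer; assumed value


class SnoopingSwitch:
    def __init__(self, all_ports, drop_unknown=False):
        self.all_ports = set(all_ports)
        self.drop_unknown = drop_unknown   # the unknown multicast drop function
        self.router_ports = {}             # port -> expiry time
        self.groups = {}                   # group address -> {member port: expiry time}
        self.pending = {}                  # (group, port) -> expiry of the query response timer
        self.fast_leave = set()            # ports with IGMP fast leave enabled
        self.group_limit = {}              # port -> maximum number of multicast groups
        self.filters = {}                  # port -> set of permitted groups (filtering ACL)

    def router_seen(self, port, now):
        """A router was heard on this port: refresh the router port entry."""
        self.router_ports[port] = now + ROUTER_AGING

    def _groups_on(self, port):
        return sum(1 for members in self.groups.values() if port in members)

    def report(self, port, group, now):
        """IGMP report from a host; returns whether the port joined the group."""
        permitted = self.filters.get(port)
        if permitted is not None and group not in permitted:
            return False                                  # blocked by the filtering ACL
        members = self.groups.get(group, {})
        limit = self.group_limit.get(port)
        if port not in members and limit is not None and self._groups_on(port) >= limit:
            return False                                  # group limit reached on this port
        members[port] = now + MEMBER_AGING
        self.groups[group] = members
        self.pending.pop((group, port), None)             # a report answers any outstanding query
        return True

    def leave(self, port, group, now):
        """IGMP leave: a fast-leave port is pruned at once, others get a group-specific query."""
        if port not in self.groups.get(group, {}):
            return
        if port in self.fast_leave:
            self._remove(group, port)
        else:
            self._query(group, port, now)

    def _query(self, group, port, now):
        self.groups[group][port] = float("inf")           # aging suspended while the query is outstanding
        self.pending[(group, port)] = now + QUERY_RESPONSE

    def _remove(self, group, port):
        self.pending.pop((group, port), None)
        members = self.groups[group]
        del members[port]
        if not members:                                   # last host port: delete the group entry
            del self.groups[group]

    def tick(self, now):
        """Advance simulated time: expire router ports, query timers and member ports."""
        for port, expiry in list(self.router_ports.items()):
            if now >= expiry:
                del self.router_ports[port]
        for (group, port), expiry in list(self.pending.items()):
            if now >= expiry:
                self._remove(group, port)                 # no report came back: prune the port
        for group in list(self.groups):
            for port, expiry in list(self.groups[group].items()):
                if now >= expiry:
                    self._query(group, port, now)         # aging expired: send a group-specific query

    def forward(self, group):
        """Ports that receive a frame addressed to the given group."""
        if group in self.groups:
            return set(self.groups[group]) | set(self.router_ports)
        # Unknown group: flooded in the VLAN unless unknown multicast drop is enabled
        # (with drop enabled, this simulation assumes only router ports still receive it).
        return set(self.router_ports) if self.drop_unknown else set(self.all_ports)
```

The interplay the section warns about is visible in forward: a filtering ACL stops a port from joining a group, but unless drop_unknown is set, a group nobody has joined is still flooded to that port as unknown multicast, which is why the filter is normally deployed together with the unknown multicast drop function.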
Table 315 Configure multicast VLAN
■ Enter system view: system-view
■ Enable the IGMP Snooping function globally: igmp-snooping enable (required)
■ Enter VLAN view: vlan vlan-id
■ Enable the IGMP Snooping function in the VLAN: igmp-snooping enable (required)
■ Enable the multicast VLAN function: multicast-vlan enable (required)
■ Configure the mapping relationship between multicast VLAN and multicast

Displaying and Maintaining IGMP Snooping
IGMP Snooping Configuration Example

Configure IGMP Snooping on a switch

Network requirements

Connect the router port of the switch to the router, and the other, non-router ports, which belong to VLAN 10, to user PCs. Enable IGMP Snooping on the switch.

Network diagram

Figure 93 Network diagram for IGMP Snooping configuration (diagram not reproduced; it shows the Internet, the router, the multicast switch and the user PCs).

Configuration procedure

# Enable IGMP Snooping in system view.
Table 317 List of network device configurations
■ Device ID: Router A. Device type: router. Port: GigabitEthernet0/0/0. Device connected to the port: Switch B. Description: GigabitEthernet0/0/0 belongs to VLAN 1024, where the PIM-SM and IGMP protocols are enabled.
■ GigabitEthernet1/0/1 belongs to VLAN 1024.
Configuration procedure

# Configure Router A.
system-view
[Router-A] multicast routing-enable
[Router-A] interface GigabitEthernet0/0/0
[Router-A-GigabitEthernet0/0/0] pim sm
[Router-A-GigabitEthernet0/0/0] igmp enable
[Router-A-GigabitEthernet0/0/0] quit

# Configure Switch B.

Troubleshooting IGMP Snooping
41 COMMON MULTICAST CONFIGURATION

Overview

Common multicast configuration tasks are the settings shared by the multicast group management protocol and the multicast routing protocols. You must complete the common multicast configuration on the switch before enabling either protocol.
Enable Multicast Routing and Configure Limit on the Number of Multicast Route Entries

Table 319 Enable multicast routing and configure limit on the number of multicast route entries
■ Enter system view: system-view
■ Enable multicast routing: multicast routing-enable (required)
■ Configure limit on the number of multicast route entries

Multicast routing must be enabled before

Configure Suppression on the Multicast Source Port
Common Multicast Configuration Tasks

forwarding entry, the packet is regarded as a wrongif packet. A wrongif packet is reported to the CPU for processing. In some networks, many wrongif packets are reported to the CPU of the switch, adding to the workload of the switch.
■ Enable multicast routing globally
■ Assign an Ethernet port to the corresponding VLAN
■ Configure an IP address for the VLAN interface
■ Enable the multicast routing protocol on the VLAN interface
■ Bring the Ethernet port to the up state

Configure static router ports in Ethernet port view

Table 323 Configure static router ports
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface
Displaying Common Multicast Configuration

After the above configuration, you can execute the display commands to verify it. The multicast forwarding table is mainly used for debugging; generally you can get the required information from the core multicast routing table.

Table 325 Display common multicast configuration
You can execute the display commands in any view.
Table 325 Display common multicast configuration (continued)
■ Display the information about the multicast routing table: display multicast routing-table [ group-address [ mask { group-mask | mask-length } ] | source-address [ mask { group-mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*
■ Display the multicast forwarding table: display multicast forwarding-table [ group-address [ mask { group-mask | mask-length } ] | source-address [ mas
42 STATIC MULTICAST MAC ADDRESS TABLE CONFIGURATION

Overview

In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. You can also statically bind a port to a multicast address entry by configuring a multicast MAC address entry manually. Generally, when a switch receives a multicast packet whose multicast address has not been registered on it, the switch broadcasts the packet in the VLAN to which the port belongs.
Displaying Multicast MAC Address

After the above configuration, you can execute the display command to verify the configuration.

Table 327 Display the multicast MAC addresses
■ Display the static multicast MAC addresses: display mac-address multicast [ count ] (you can use the display command in any view)
43 IGMP CONFIGURATION

Overview

Introduction to IGMP

Internet group management protocol (IGMP) manages IP multicast group membership. It establishes and maintains membership between IP hosts and their directly connected neighboring routers. IGMP does not transmit or maintain membership information among multicast routers; that is done by the multicast routing protocols. All hosts participating in multicast must support IGMP.
In IGMP Version 1, the multicast routing protocol selects the querier. In IGMP Version 2, it is defined that the multicast router with the lowest IP address is selected as the querier when there are multiple multicast routers in a network segment.
Leave group mechanism
In IGMP Version 1, hosts leave the multicast group quietly without informing any multicast router. Only when a query message times out can the multicast router know that a host has left the group.
Figure 95 Working mechanism of IGMPv1
A host joins the multicast group in the following procedure:
■ The IGMP querier (such as the DR) periodically multicasts IGMP general group query messages to the all-hosts address 224.0.0.1 on the shared network segment.
■ All hosts in the network receive the query messages.
To reduce the workload of configuration and management without affecting the multicast connection of leaf networks, you can configure an IGMP Proxy in a Layer 3 switch in the leaf network (Switch B in the figure). The Layer 3 switch will then forward IGMP join or IGMP leave messages sent by the connected hosts. After the configuration of IGMP Proxy, the leaf switch is no longer a PIM neighbor but a host for the external network.
Similarly, when Switch B receives the IGMP general group or group-specific query message from the Layer 3 Switch A, it will also change the source address of the query message to the IP address of VLAN interface 2: 22.22.22.1 and send the message from VLAN interface 2. In Figure 96, VLAN interface 2 of Switch B is called the client and VLAN interface 1 of Switch B is called the proxy.
segment have members according to the returned IGMP report packets. The multicast router also sends query packets periodically. When it receives the IGMP join packets of a group member, it refreshes the membership information of the network segment.
IGMP group-specific packets
The query router (querier for short) maintains the IGMP join packets on the interface on the shared network.
Table 330 Configure IGMP query messages
Operation: Enter system view
Command: system-view
Description: -
Operation: Enable the multicast routing protocol
Command: multicast routing-enable
Description: Required
Operation: Enter VLAN interface view
Command: interface Vlan-interface interface-number
Description: Required
Operation: Enable IGMP on the current interface
Command: igmp enable
Operation: Configure the query interval
Command: igmp timer query seconds
Operation: Configure the interval of sending IGMP group-specific query packets
Command: igmp lastmember-queryinterval seconds
Description: C
interface of the switch may fail when a large number of multicast groups join on the routing interface. You can configure a limit on the number of IGMP multicast groups on the interface of the switch. Thus, when users order the programs of multicast groups, the network bandwidth can be controlled because the number of multicast groups is limited.
Table 331 Configure IGMP multicast groups on the interface
Operation: Limit the range of multicast groups that the interface serves
Command: igmp group-policy acl-number vlan vlan-id
Description: Optional. By default, the filter is not configured, that is, any multicast group is permitted on the port. The port must belong to the IGMP-enabled VLAN specified in the command.
Configuring Router Ports to Join the Specified Multicast Group
Table 332 Configure router ports to join the specified multicast group
Operation: Configure router ports to join a multicast group
Command: igmp host-join group-address vlan vlan-id
Description: Optional. By default, the router port does not join any multicast group.
Configuring IGMP Proxy
When the suppression on IGMP host report packets is enabled, the Layer 3 switch will receive only the first IGMP host report packet from the hosts in a multicast group and drop the other IGMP host report packets from the multicast group.
44 PIM CONFIGURATION
PIM Overview
Protocol independent multicast (PIM) means that the unicast routing protocol providing routes for multicast can be static routes, RIP, OSPF, IS-IS, or BGP. The multicast routing protocol is independent of the unicast routing protocol as long as the unicast routing protocol can generate route entries. With the help of reverse path forwarding (RPF), PIM can transmit multicast information in the network.
■ RPF check
■ Assert mechanism
Neighbor discovery
In a PIM-DM network, a multicast router uses Hello messages to discover neighbors and maintain neighbor relationships when it starts. All routers keep in touch with each other by sending Hello messages periodically, and thus the SPT is established and maintained.
SPT establishment
The procedure of establishing the SPT is also called Flooding&Prune.
Figure 97 Diagram for SPT establishment in PIM-DM
The process above is called "Flooding and Pruning". Every pruned node also provides a timeout mechanism. If the prune times out, the router initiates another flooding and pruning process. This process is performed periodically in PIM-DM.
Assert mechanism
In a shared network such as Ethernet, the same packets may be sent repeatedly. For example, a LAN segment contains many multicast routers, A, B, C, and D, each of which has its own receiving path to the multicast source S.
At the receiving end, the router connected to the information receiver sends join messages to the RP corresponding to the multicast group. The join message reaches the root (namely, the RP) after passing each router. The paths traversed become the branches of the rendezvous point tree (RPT). If the sending end wants to send data to a multicast group, the first hop router sends registration information to the RP.
Figure 99 Diagram for DR election
Each router on the shared network sends Hello messages with the DR priority option to each other. The router with the highest DR priority is elected as the DR in the network.
One or more candidate BSRs must be configured in a PIM domain. Through the auto-election, the candidate BSRs elect a BSR which is responsible for collecting and advertising RP information. The auto-election among candidate BSRs is described in the following section:
■ Specify a PIM-SM-enabled interface when configuring a router as a candidate BSR.
Figure 101 Diagram for RPT building in PIM-SM
Each router on the path from the leaf router to the RP generates (*, G) entries in the forwarding table. The routers on the path form a branch of the RPT. A (*, G) entry represents the information from any source to the multicast group G. The RP is the root of the RPT and the receivers are the leaves of the RPT.
Figure 102 Diagram for SPT building in PIM-SM
When the RP receives the registration information from S, it decapsulates the registration information and forwards the multicast information to the receivers along the RPT; at the same time, it sends (S, G) join messages towards S hop by hop.
Table 337 Configuration tasks
Operation: Enable PIM-DM (PIM-SM) on the interface
Description: Required
Related section: “Enabling PIM-DM (PIM-SM) on the Interface”
Operation: Configure the interval of sending Hello packets
Description: Optional
Related section: “Configuring the Interval of Sending Hello Packets”
Operation: Configure PIM neighbors
Description: Optional
Related section: “Configuring PIM Neighbors”
Operation: Clear the related PIM entries
Description: Optiona
Enabling PIM-DM (PIM-SM) on the Interface
Configuring the Interval of Sending Hello Packets
neighbors on the router interface. However, the total number of PIM neighbors of a router is defined by the system, and you cannot modify it through commands. You can configure a basic ACL numbered 2000 to 2999 (refer to the part about ACL in this manual). Only the Layer 3 switches (routers) that pass the ACL filter can serve as PIM neighbors of the current interface.
PIM-DM Configuration
Perform the following configuration to configure PIM-DM. When the router runs in a PIM-DM domain, it is recommended that you enable PIM-DM on all the interfaces of non-border routers.
Configuring Filtering Policies for Multicast Source/Group
Table 344 Configure BSR/RP
Operation: Configure candidate BSRs
Command: c-bsr interface-type interface-number hash-mask-len [ priority ]
Description: Optional. By default, candidate BSRs are not set for the switch and the value of priority is 0.
Operation: Configure candidate RPs
Command: c-rp interface-type interface-number [ group-policy acl-number | priority priority ]*
Description: Optional. You can use the ACL to filter the IP addresses of the multicast groups that the candidate RP serves.
■ The limit on the range of valid BSRs prevents the valid BSRs in the network from being replaced maliciously. BSR information from outside the range is not accepted by the Layer 3 switch, and thus the security of the BSRs in the network is protected.
■ The limit on the range of C-RPs prevents C-RP spoofing. You can limit the range of valid C-RPs and limit the range of multicast groups that each C-RP serves.
Configuring PIM-SM Domain Boundary
Table 346 Filter the registration packets from RP to DR
Operation: Configure to filter the registration packets from RP to DR
Command: register-policy acl-number
Description: Required. You can use the ACL to filter the IP addresses of some multicast groups. By default, the switch does not filter the registration packets from the DR.
Configuring the Threshold for RPT-to-SPT Switchover
Table 348 Display and maintain PIM
Operation: Display PIM multicast routing tables
Command: display pim routing-table [ { { *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | source-address [ mask { mask-length | mask } ] } * } | incoming-interface { interface-type interface-number | null } | { dense-mode | sparse-mode } ]*
Operation: Display the
Command: display pim interface [
PIM Configuration Examples
Network diagram
Figure 103 Network diagram for PIM-DM configuration
Configuration procedure
Only the configuration procedure on Lanswitch1 is listed. The configuration procedure of Lanswitch2 and Lanswitch3 is similar to that of Lanswitch1.
■ LS_B is connected to LS_A through Vlan-interface 10, to LS_C through Vlan-interface 11 and to LS_D through Vlan-interface 12.
■ LS_C is connected to Host B through Vlan-interface 10, to LS_B through Vlan-interface 11 and to LS_A through Vlan-interface 12.
Host A is the receiver of the multicast group whose multicast IP address is 225.0.0.1. Host B begins to send data to the destination 225.0.0.1 and LS_A receives the multicast data from Host B through LS_B.
[SW7750-Vlan-interface12] pim sm
[SW7750-Vlan-interface12] quit
2 Configure LS_B
# Enable PIM-SM.
[SW7750-Vlan-interface10] igmp enable
[SW7750-Vlan-interface10] pim sm
[SW7750-Vlan-interface10] quit
[SW7750] vlan 11
[SW7750-vlan11] port Ethernet 1/0/4 to Ethernet 1/0/5
[SW7750-vlan11] quit
[SW7750] interface Vlan-interface 11
[SW7750-Vlan-interface11] pim sm
[SW7750-Vlan-interface11] quit
[SW7750] vlan 12
[SW7750-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7750-vlan12] quit
[SW7750] interface Vlan-interface 12
[SW7750-Vlan-interface12] pim sm
[SW7750-Vlan-interf
45 MSDP CONFIGURATION
Overview
Introduction to MSDP
Internet service providers (ISPs) are not willing to rely on devices of their competitors to forward multicast traffic. On the other hand, ISPs want to obtain information from information sources no matter where those sources reside and forward the information to their own members. MSDP is designed to address this issue; it is used to discover multicast sources in other protocol independent multicast sparse mode (PIM-SM) domains.
between RPs in the same PIM-SM domain, between an RP and a common router, or between common routers. Figure 105 shows the MSDP peering relationship between RPs. Unless otherwise specified, examples in the following descriptions are based on MSDP peering relationship between RPs. An active multicast source S exists in the PIM-SM1 domain.
Figure 106 Typical networking of Anycast RP
Typically, a multicast source S registers with the nearest RP to create an SPT, and receivers also send Join messages to the nearest RP to construct an RPT. Therefore, it is likely that the RP with which the multicast source has registered is not the RP that receivers join.
Figure 107 Identifying the multicast source and receiving multicast data
The complete interoperation process between a multicast source S in the PIM-SM1 domain and receivers in the PIM-SM1 and PIM-SM4 domains is as follows:
1 The multicast source S in the PIM-SM1 domain begins to send data packets;
2 The designated router (DR)
Assume that three autonomous systems (ASs) exist: AS1, AS2, and AS3. Each AS has a PIM-SM domain associated with it. Each PIM-SM domain contains at least one RP. See Figure 108.
Figure 108 Forwarding SA messages between MSDP peers
As shown above, RP1 belongs to AS1. RP2, RP3 and RP4 belong to AS2. RP5 and RP6 belong to AS3.
Configuring MSDP Basic Functions
To enable exchange of information from the multicast source S between two PIM-SM domains, you need to establish MSDP peering relationships between RPs in these PIM-SM domains. In this way, the information from the multicast source can be sent through SA messages between the MSDP peers, and the receivers in other PIM-SM domains can finally receive the multicast source information.
Table 349 Configure MSDP basic functions
Operation: Enable IP multicast routing
Command: multicast routing-enable
Description: Required. Other multicast configurations do not take effect until multicast routing is enabled.
Operation: Enable MSDP function and enter MSDP view
Command: msdp
■ Basic functions of IP multicast
■ PIM-SM basic functions
■ MSDP basic functions
Configuring Description Information for MSDP Peers
You can configure description information for each MSDP peer to make the MSDP peers easier to manage and identify.
■ Before you configure an MSDP mesh group, make sure that the routers are fully connected with one another.
■ The same group name must be configured on all the peers.
■ If you add the same MSDP peer to multiple mesh groups, only the latest configuration takes effect.
Configuring MSDP Peer Connection Control
The connection between MSDP peers can be flexibly controlled.
Configuration Prerequisites
Before you configure SA message transmission, perform the following tasks:
■ Configuring a unicast routing protocol.
■ Configuring basic IP multicast functions.
■ Configuring basic PIM-SM functions.
■ Configuring basic MSDP functions.
Configuring the Transmission and Filtering of SA Request Messages
Table 355 Configure a rule for filtering multicast sources using SA messages
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter MSDP view
Command: msdp
Operation: Configure to filter multicast sources using SA messages
Command: import-source [ acl acl-number ]
Description: Optional. By default, all the (S, G) entries in the domain are advertised in SA messages.
Configuring a Rule for Filtering Received and Forwarded SA Messages
and on all the MSDP peers on a router is limited by the system. To protect a router against denial of service (DoS) attacks, you can manually configure the maximum number of SA messages cached on the router. Generally, the configured number of cached SA messages should be less than the system limit.
Table 359 Trace the transmission path of an SA message over the network
Operation: Trace the transmission path of an SA message over the network
Command: msdp-tracert source-address group-address rp-address [ max-hops max-hops ] [ next-hop-info | sa-info | peer-info ]* [ skip-hops skip-hops ]
You can locate message loss and configuration errors by tracing the network path of the specified (S, G, RP) entries.
Configuration procedure
1 Configure interface IP addresses and the unicast routing protocol on the switches. In each PIM-SM domain, configure the interface IP addresses on the switches and interconnect the switches through OSPF.
[SwitchC-bgp] import-route ospf
[SwitchC-bgp] quit
# Configure IBGP and EBGP on Switch F, and import OSPF routes.
[SwitchF] router id 3.3.3.3
[SwitchF] bgp 200
[SwitchF-bgp] group as100 external
[SwitchF-bgp] peer as100 as-number 100
[SwitchF-bgp] peer 192.168.1.1 group as100
[SwitchF-bgp] group as200
[SwitchF-bgp] peer 192.168.3.1 group as200
[SwitchF-bgp] import-route ospf
[SwitchF-bgp] quit
# Configure IBGP on Switch D, and import OSPF routes.
[SwitchD] router id 2.2.2.
# 192.168.3.2/32 # I 0.0.0.0 192.168.3.1 0 0 100 IGP IGP 100 100
5 Configure MSDP peers
# Configure an MSDP peer on Switch C.
[SwitchC] msdp
[SwitchC-msdp] peer 192.168.1.2 connect-interface Vlan-interface110
[SwitchC-msdp] quit
# Configure an MSDP peer on Switch D.
[SwitchD] msdp
[SwitchD-msdp] peer 192.168.3.2 connect-interface Vlan-interface101
[SwitchD-msdp] quit
# Configure MSDP peers on Switch F.
[SwitchF] msdp
[SwitchF-msdp] peer 192.168.1.
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Configuration Example of Anycast RP Application
Network requirements
Each PIM-SM network is a single-BSR administrative domain, with multiple multicast sources (S) and receivers.
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] pim sm
[SwitchC-Vlan-interface100] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] pim sm
[SwitchC-Vlan-interface200] quit
[SwitchC] interface vlan-interface 110
[SwitchC-Vlan-interface110] pim sm
[SwitchC-Vlan-interface110] quit
# Configure the same Loopback10 interface address on SwitchC and SwitchD and configure the locations of C-BSRs and C-RPs.
[SwitchD-msdp] peer 1.1.1.1 connect-interface loopback0
[SwitchD-msdp] quit
# Carry out the display msdp brief command to view the MSDP peering relationship established between switches. The MSDP peering relationship established between Switch C and Switch D is displayed as follows:
[SwitchC] display msdp brief
MSDP Peer Brief Information
Peer’s Address State
2.2.2.2 Up
[SwitchD] display msdp brief
MSDP Peer Brief Information
Peer’s Address State
1.1.1.
Configuration procedure
1 Configure the interface IP addresses and unicast routing protocols for each switch
Configure interface IP addresses for each switch, and configure OSPF for interconnection between switches in each PIM-SM domain.
4 Configure a static RPF peer
# Configure Switch D and Switch F as static RPF peers of Switch C.
[SwitchC] ip ip-prefix list-df permit 192.168.0.0 16 greater-equal 16 less-equal 32
[SwitchC] msdp
[SwitchC-msdp] peer 192.168.3.1 connect-interface Vlan-interface101
[SwitchC-msdp] peer 192.168.1.2 connect-interface Vlan-interface110
[SwitchC-msdp] static-rpf-peer 192.168.3.1 rp-policy list-df
[SwitchC-msdp] static-rpf-peer 192.168.1.
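The rp-policy above hands the static RPF peer an ip-prefix list, and whether an SA message is accepted from that peer depends on whether its RP address matches the list. The following is an added example, written for this guide and not the switch's own implementation, that parses a Comware-style ip-prefix rule of the form used in the step above and evaluates it the way the rp-policy would against an RP address. The function names are mine; the greater-equal/less-equal semantics (candidate prefix length must fall in the range, leading bits must match) follow the command syntax, and the implicit deny for an address that matches no rule is an assumption noted in the code.

```python
import ipaddress


def parse_ip_prefix(line):
    """Parse one 'ip ip-prefix NAME {permit|deny} ADDRESS LENGTH
    [greater-equal MIN] [less-equal MAX]' line into a rule dict."""
    tok = line.split()
    if len(tok) < 6 or tok[:2] != ["ip", "ip-prefix"] or tok[3] not in ("permit", "deny"):
        raise ValueError(f"not an ip-prefix rule: {line!r}")
    name, action, length = tok[2], tok[3], int(tok[5])
    net = ipaddress.ip_network(f"{tok[4]}/{length}", strict=False)
    ge = le = length  # no bounds given: the candidate's length must equal LENGTH
    rest = tok[6:]
    while rest:
        if len(rest) < 2:
            raise ValueError("keyword without a value")
        kw, val = rest[0], int(rest[1])
        if kw == "greater-equal":
            ge = val
        elif kw == "less-equal":
            le = val
        else:
            raise ValueError(f"unknown keyword {kw}")
        rest = rest[2:]
    if not length <= ge <= le <= 32:
        raise ValueError("need LENGTH <= greater-equal <= less-equal <= 32")
    return {"name": name, "action": action, "network": net, "ge": ge, "le": le}


def rule_matches(rule, candidate):
    """A candidate prefix matches when its own prefix length lies within
    [ge, le] and its first LENGTH bits equal the rule's network."""
    c = ipaddress.ip_network(candidate, strict=False)
    if not rule["ge"] <= c.prefixlen <= rule["le"]:
        return False
    return c.subnet_of(rule["network"])


def rp_policy_allows(config_lines, list_name, rp_address):
    """Evaluate the named prefix list against an RP address (a /32): the
    first matching rule decides; no match is treated as deny (assumed default)."""
    rules = [parse_ip_prefix(l) for l in config_lines if l.startswith("ip ip-prefix")]
    for rule in (r for r in rules if r["name"] == list_name):
        if rule_matches(rule, f"{rp_address}/32"):
            return rule["action"] == "permit"
    return False


# Constructed configuration built from the rule used in this example.
CONFIG = [
    "ip ip-prefix list-df permit 192.168.0.0 16 greater-equal 16 less-equal 32",
]

if __name__ == "__main__":
    for rp in ("192.168.3.1", "192.168.1.2", "10.1.1.1"):
        print(rp, "permitted" if rp_policy_allows(CONFIG, "list-df", rp) else "denied")
```

With this list, SA messages from the static RPF peer are honoured only when the RP they name sits inside 192.168.0.0/16; an RP address outside that range is denied, which is the check that keeps a peer from injecting (S, G, RP) entries for RPs it does not own.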
Solution
1 Check the connectivity of the route between the routers. Use the display ip routing-table command to check that the unicast route between the routers is correct.
2 Further check that a unicast route exists between two routers that will become MSDP peers and that the route leads to the two peers.
3 Check that the interface addresses of the MSDP peers are consistent.
46 802.1X CONFIGURATION
Introduction to 802.1x
The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems. 802.1x is a port-based network access control protocol. It authenticates and controls devices requesting access at the ports of LAN access control devices. With the 802.
■ The authentication server system is an entity that provides authentication service to the authenticator system. Normally in the form of a RADIUS server, the authentication server system serves to perform AAA (authentication, authorization, and accounting). It also stores user information, such as user name, password, the VLAN a user belongs to, priority, and the ACLs (access control lists) applied.
■ MAC address-based authentication. All supplicant systems connected to a port have to be authenticated individually in order to access the network. When a supplicant system goes offline, the others are not affected.
The Mechanism of an 802.1x Authentication System
The IEEE 802.1x authentication system uses the extensible authentication protocol (EAP) to exchange information between the supplicant system and the authentication server.
Figure 113 The mechanism of an 802.
02: Indicates that the packet is an EAPoL-Logoff packet, which sends logoff requests.
03: Indicates that the packet is an EAPoL-Key packet, which carries key information.
04: Indicates that the packet is an EAPoL-Encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (alerting standards forum).
■ The Length field indicates the size of the Packet body field. A value of 0 indicates that the Packet body field does not exist.
■ The Type Data field differs according to the different types of Request and Response packets.
Newly added fields for EAP authentication
Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA&RADIUS&RADIUS&HWTACACS&EAD Operation Manual for the format of a RADIUS protocol packet.) The EAP-message field, shown in Figure 117, is used to encapsulate EAP packets.
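As an added illustration of the EAPoL header (Version, Type, Length, Packet body) and of the EAP Request/Response layout with its Type and Type Data fields described above, the following Python parses constructed EAPoL frames, checks that the Length field agrees with the bytes actually present, and extracts the EAP Code, Identifier, Type and Type Data. This is example code written for this guide, not 3Com's or the switch's code; the EAPoL type codes 00 to 04 and the EAP Code/Type values are the standard ones, while the sample frames, helper names and the identity string are my own.

```python
import struct

# EAPoL packet types (IEEE 802.1X); the guide lists 02, 03 and 04.
EAPOL_TYPES = {
    0x00: "EAP-Packet",
    0x01: "EAPoL-Start",
    0x02: "EAPoL-Logoff",
    0x03: "EAPoL-Key",
    0x04: "EAPoL-Encapsulated-ASF-Alert",
}
# EAP Code and Type values (RFC 3748); EAP-MD5 is Type 4.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eap(body):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field disagrees with the data present")
    eap = {"code": EAP_CODES[code], "identifier": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry Type / Type Data
        if length < 5:
            raise ValueError("Request/Response without a Type field")
        eap["type"] = EAP_TYPES.get(body[4], f"type-{body[4]}")
        eap["type_data"] = body[5:length]
    return eap


def parse_eapol(frame):
    """Parse an EAPoL PDU: Version(1) Type(1) Length(2) Packet body.
    Raises ValueError on anything malformed so the caller can drop it."""
    if len(frame) < 4:
        raise ValueError("EAPoL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPoL type 0x{ptype:02x}")
    body = frame[4:4 + length]
    if len(body) != length:  # Length promised more body than the frame carries
        raise ValueError("Packet body shorter than the Length field")
    pdu = {"version": version, "type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0x00:
        pdu["eap"] = parse_eap(body)
    return pdu


def is_well_formed(frame):
    """True if the frame parses; handy on a monitoring or filtering path."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol(ptype, body=b"", version=1):
    """Assemble an EAPoL PDU (used here only to construct sample frames)."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


# Constructed sample frames (not captures from a real switch).
EAPOL_START = build_eapol(0x01)   # Length 0: no Packet body
EAPOL_LOGOFF = build_eapol(0x02)
EAP_REQUEST_IDENTITY = build_eapol(0x00, struct.pack("!BBHB", 1, 1, 5, 1))
EAP_RESPONSE_IDENTITY = build_eapol(
    0x00, struct.pack("!BBHB", 2, 1, 10, 1) + b"alice")  # Type Data carries the identity

if __name__ == "__main__":
    for name, frame in [("start", EAPOL_START), ("logoff", EAPOL_LOGOFF),
                        ("request", EAP_REQUEST_IDENTITY), ("response", EAP_RESPONSE_IDENTITY)]:
        print(name, parse_eapol(frame))
```

The length checks matter on the authenticator side: a frame whose Length field claims more body than arrived, or a Request without its Type byte, is rejected before any field is interpreted.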
■ PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.
Figure 119 describes the basic EAP-MD5 authentication procedure.
Figure 119 802.
database, encrypts the password using a randomly generated key, and sends the key to the switch through a RADIUS access-challenge packet. The switch then sends the key to the 802.1x client.
Figure 120 802.
■ Supplicant system timer (supp-timeout): This timer sets the supp-timeout period and is triggered by the switch after the switch sends a request/challenge packet to a supplicant system. The switch sends another request/challenge packet to the supplicant system if the supplicant system fails to respond when this timer times out.
■ RADIUS server timer (server-timeout): This timer sets the server-timeout period.
802.1x Implementation on the Switch 7750 Family
■ The 802.1x clients are capable of detecting multiple network adapters, proxies, and IE proxies.
■ CAMS is configured to disable the use of multiple network adapters, proxies, or IE proxies.
By default, an 802.1x client program allows use of multiple network adapters, a proxy server, and an IE proxy server. If CAMS is configured to disable use of multiple network adapters, proxies, or IE proxies, it prompts the 802.
Refer to the AAA&RADIUS&RADIUS&HWTACACS&EAD Operation Manual for detailed information about the dynamic VLAN assignment function.
802.1x Configuration
802.1x provides a solution for authenticating users. To implement this solution, you need to execute 802.1x-related commands. You also need to configure AAA schemes on switches and to specify the authentication scheme (RADIUS authentication scheme or local authentication scheme).
Figure 121 802.1x configuration
Table 360 Configure basic 802.1x functions
Operation: Enable 802.1x globally
Command: dot1x
Description: Required. By default, 802.1x is disabled globally.
Operation: Enable 802.1x for specified ports
Command: Use the following command in system view: dot1x [ interface interface-list ]. Use the following command in port view:
Description: Required. By default, 802.1x is disabled for all ports.
■ After re-authentication is enabled on a port, you cannot change the dynamic VLAN delivery attribute value for the port; if you do so, re-authentication will cause users to go offline.
802.1x-Related Parameter Configuration
Table 361 Configure 802.
Advanced 802.1x Configuration
Advanced 802.1x configurations, as listed below, are all optional.
■ CAMS cooperation configuration, including multiple network adapter detection, proxy detection, and so on.
■ Client version checking configuration
■ DHCP-triggered authentication
■ Guest VLAN configuration
Prerequisites
Configuration of basic 802.1x
Configuring Proxy Checking
This function needs the support of the 802.1x client program and CAMS, as listed below.
Configuring Client Version Checking
Table 363 Configure client version checking
Operation: Enter system view
Command: system-view
Description: -
Operation: Enable 802.1x client version checking
Command: dot1x version-check [ interface interface-list ]
Description: By default, 802.1x client version checking is disabled on a port.
Displaying and Debugging 802.1x
After performing the above configurations, you can display and verify the 802.1x-related configuration by executing the display command in any view. You can clear 802.1x-related statistics information by executing the reset command in user view.
Table 366 Display and debug 802.1x
Operation: Display the configuration, session, and statistics information about 802.
the former being the primary authentication server and the secondary accounting server, and the latter the secondary authentication server and the primary accounting server. Configure the shared key (interaction password) between the switch and the authentication RADIUS server to be "name", and "money" for interaction between the switch and the accounting RADIUS server.
[SW7750] dot1x port-method macbased interface Ethernet 1/0/1
# Create a RADIUS scheme named "radius1" and enter RADIUS scheme view.
[SW7750] radius scheme radius1
# Assign IP addresses to the primary authentication and accounting RADIUS servers.
[SW7750-radius-radius1] primary authentication 10.11.1.1
[SW7750-radius-radius1] primary accounting 10.11.1.2
# Assign IP addresses to the secondary authentication and accounting RADIUS servers.
[SW7750-isp-aabbcc.net] access-limit enable 30
# Enable the idle disconnecting function and set the related parameters.
[SW7750-isp-aabbcc.net] idle-cut enable 20 2000
[SW7750-isp-aabbcc.net] quit
# Configure the default user domain named "aabbcc.net".
[SW7750] domain default enable aabbcc.net
# Create a local access user account.
47 HABP CONFIGURATION
Introduction to HABP
With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be forwarded only by authorized ports. If ports connected to the switch are not authenticated and authorized by 802.1x, their received packets will be filtered. This means that users can no longer manage the attached switches. To address this problem, 3Com authentication bypass protocol (HABP) has been developed.
Table 367 Configure an HABP server
Operation: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Description: Required. By default, a switch operates as an HABP client after you enable HABP on the switch; if you want to use the switch as a management switch, you must configure the switch to be an HABP server.
Operation: Configure the interval to send HABP request packets
Command: habp timer interval
Description: Optional
■ The two ports permit packets of all the VLANs.
Network diagram
Figure 123 Network diagram for HABP configuration
Configuration procedure
1 Configure Switch B.
# Enable HABP globally.
system-view
[SW7750]habp enable
# Configure the HABP server.
[SW7750]habp server vlan 2
# Enable the 802.1x globally.
[SW7750]dot1x
802.1x is enabled globally.
# Enable the 802.1x on GigabitEthernet1/0/2.
48 AAA & RADIUS & HWTACACS CONFIGURATION
Overview
Introduction to AAA
AAA is short for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure the three security functions to implement network security management. The network security mentioned here mainly refers to access control.
Accounting
AAA supports the following accounting methods:
■ None accounting: No accounting is performed for users.
■ Remote accounting: User accounting is performed on the remote RADIUS server or TACACS server.
Generally, AAA adopts the client/server structure, where the client acts as the managed resource and the server stores user information. This structure has good scalability and facilitates the centralized management of user information.
■ Users: This database stores information about users (such as user name, password, adopted protocol and IP address).
■ Clients: This database stores the information about RADIUS clients (such as shared keys).
■ Dictionary: This database stores the information used to interpret the attributes and attribute values of the RADIUS protocol.
Figure 125 Basic message exchange procedure of RADIUS (PC, RADIUS client, RADIUS server: (1) the user inputs the user name and password; Access-Request; (3) Access-Accept; (4) Accounting-Request (start); (5) Accounting-Response; (6) the user starts to access the resources; (7) Accounting-Request (stop); (8) Accounting-Response; (9) inform the user that the access has ended)
The basic message exchange procedure of RADIUS is as follows:
1 The us
management, retransmission, and backup server. Figure 126 depicts the structure of the RADIUS packets.
Figure 126 RADIUS packet structure: Code | Identifier | Length | Authenticator | Attribute
1 The Code field decides the type of the RADIUS packet, as shown in Table 370.
Table 370 Description on major values of the Code field (Code; Packet type; Packet description)
Direction: client->server.
4 The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS server; it is also used in the password hiding algorithm. There are two kinds of authenticators: Request and Response.
5 The Attribute field contains special authentication, authorization, and accounting information to provide the configuration details of a request or response packet.
Figure 127 depicts the structure of attribute 26. The Vendor-ID field, representing the code of the vendor, occupies four bytes. The first byte is 0, and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (each containing Type, Length and Value) to obtain an extended RADIUS implementation.
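The packet layout, attribute 26 structure and Response Authenticator check described above, as an added example that is not part of the 3Com guide: it parses a RADIUS packet, decodes the Vendor-ID and sub-attributes of attribute 26, and verifies a server reply against the shared key using the RFC 2865 Response Authenticator construction. The sample packet, the vendor ID 12345 and the Request Authenticator are constructed; the shared key "expert" is the one the guide's configuration example uses.

```python
import hashlib
import hmac
import struct

# Added example, not code from the 3Com guide. Sample values are constructed.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
VENDOR_SPECIFIC = 26
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_attributes(data):
    """Return [(type, value), ...] from a TLV area, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        # Length counts the Type and Length octets, so 2 is the minimum.
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("attribute length runs past the packet")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def parse_vsa(value):
    """Split attribute 26: 4-byte Vendor-ID (first byte 0) + sub-attribute TLVs."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("bad Vendor-ID field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def parse_packet(raw):
    """Decode the fixed header and attribute list of one RADIUS packet."""
    if len(raw) < HEADER_LEN:
        raise ValueError("packet shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < HEADER_LEN or length > len(raw):
        raise ValueError("Length field inconsistent with packet size")
    return {"code": code, "type": RADIUS_CODES.get(code, "unknown"),
            "id": ident, "length": length, "authenticator": raw[4:HEADER_LEN],
            "attributes": parse_attributes(raw[HEADER_LEN:length])}


def encode_attributes(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attributes(attrs)
    return (struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
            + authenticator + body)


def response_authenticator(code, ident, attrs_body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    length = HEADER_LEN + len(attrs_body)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs_body + secret).digest()


def verify_response(raw, request_auth, secret):
    """True only if the reply was produced by a party holding the shared key."""
    pkt = parse_packet(raw)
    expected = response_authenticator(pkt["code"], pkt["id"],
                                      raw[HEADER_LEN:pkt["length"]],
                                      request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def demo():
    secret = b"expert"                  # shared key from the guide's example
    request_auth = bytes(range(16))     # constructed Request Authenticator
    # Constructed attribute 26: vendor 12345, sub-attribute 1 = "vlan2".
    vsa = struct.pack("!I", 12345) + bytes([1, 7]) + b"vlan2"
    attrs = [(VENDOR_SPECIFIC, vsa)]
    auth = response_authenticator(2, 7, encode_attributes(attrs), request_auth, secret)
    reply = build_packet(2, 7, auth, attrs)           # genuine Access-Accept
    forged = bytearray(reply)
    forged[-1] ^= 0xFF                                # reply altered in transit
    pkt = parse_packet(reply)
    vendor_id, subs = parse_vsa(pkt["attributes"][0][1])
    return {"type": pkt["type"], "vendor_id": vendor_id, "subs": subs,
            "genuine": verify_response(reply, request_auth, secret),
            "forged": verify_response(bytes(forged), request_auth, secret)}
```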
Figure 128 Network diagram for a typical HWTACACS application
Basic message exchange procedure in HWTACACS
For example, use HWTACACS to implement authentication, authorization, and accounting for a telnet user.
Figure 129 The AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
1 A user requests access to the switch; the TACACS client sends an authentication start request packet to the TACACS server upon receipt of the request.
2 The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.
7 The TACACS client sends the user authorization request packet to the TACACS server.
8 The TACACS server sends back the authorization response, indicating that the user has passed the authorization.
9 Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user.
10 The TACACS client sends an accounting start request packet to the TACACS server.
Configuration Tasks
Table 373 Configuration tasks (Operation; Description; Related section)
RADIUS configuration:
■ Create a RADIUS scheme: Required; “Creating a RADIUS Scheme”
■ Configure RADIUS authentication/authorization servers: Required; “Configuring RADIUS Authentication/Authorization Servers”
■ Configure RADIUS accounting servers: Required; “Configuring RADIUS Accounting Servers”
■ Configure shared keys for RADIUS packets: Optional; “Configuring Shared Keys for RADIUS Packets”
■ Configure the maximu
Table 373 Configuration tasks (continued)
HWTACACS configuration:
■ Create a HWTACACS scheme: Required; “Creating a HWTACACS Scheme”
■ Configure HWTACACS authentication servers: Required; “Configuring HWTACACS Authentication Servers”
■ Configure HWTACACS authorization servers: Required; “Configuring HWTACACS Authorization Servers”
■ Configure HWTACACS accounting servers: Optional; “Configuring HWTACACS Accounting Servers”
■ Optional; “Configuring Shared Ke
Configuring the Attributes of an ISP Domain
Table 375 Configure the attributes of an ISP domain (Operation; Command; Description)
■ Enter system view: system-view; -
■ Create an ISP domain or enter the view of an existing ISP domain: domain isp-name; Required
■ Activate/deactivate the ISP domain: state { active | block }; Optional. By default, once an ISP domain is created, it is in the active state and all the users in this domain are allowed to access the network.
Configuring an AAA Scheme for an ISP Domain
You can configure an AAA scheme in one of the following two ways:
Configuring a bound AAA scheme
You can use the scheme command to specify an AAA scheme. If you specify a RADIUS or HWTACACS scheme, the authentication, authorization and accounting will be uniformly implemented by the RADIUS server or TACACS server specified in the RADIUS or HWTACACS scheme.
authorization and accounting) respectively. The following lists the implementations of this separate mode for the services supported by AAA.
■ For terminal users: Authentication: RADIUS, local, HWTACACS, or none. Authorization: none or HWTACACS. Accounting: RADIUS, HWTACACS or none. You can configure combined authentication, authorization and accounting schemes by using the above implementations.
■ For FTP users: Only authentication is supported for FTP users.
executed, the authorization information returned from the RADIUS or local scheme still takes effect.
Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.
Table 379 Configure dynamic VLAN assignment (Operation; Command; Description)
■ Set the VLAN assignment mode: vlan-assignment-mode { integer | string }; Optional. By default, the VLAN assignment mode is integer.
■ Create a VLAN and enter its view: vlan vlan-id; -
■ Set a VLAN name for VLAN assignment: name string; This operation is required if the VLAN assignment mode is set to string.
Configuring the Attributes of a Local User
Table 380 Configure the attributes of a local user (Operation; Command; Description)
■ Authorize the user to access the specified type(s) of service(s): service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }; Required. By default, the system does not authorize the user to access any service.
■ Set the priority level of the user: level level; Optional. By default, the priority level of the user is 0.
NOTE: Telnet and FTP users can use the display connection command to view the connection, but they cannot use the cut connection command to cut down the connection.
RADIUS Configuration
The RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme.
Table 383 Configure RADIUS authentication/authorization server (Operation; Command; Description)
■ Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ]; Required. By default, the IP address and UDP port number of the primary server a
■ Set the IP address and port number of the secondary RADIUS authentication/authorization server
Configuring RADIUS Accounting Servers
Table 384 Configure RADIUS accounting server (Operation; Command; Description)
■ Set the maximum number of real-time accounting request attempts: retry realtime-accounting retry-times; Optional. By default, the maximum number of real-time accounting request attempts is 5. After that, the user connection is cut down.
Configuring Shared Keys for RADIUS Packets
Table 385 Configure shared keys for RADIUS packets (Operation; Command; Description)
■ Set a shared key for the RADIUS accounting packets: key accounting string; Required. By default, no shared key is set.
After the primary server has stayed in the block state for longer than the time set with the timer quiet command, the switch tries to communicate with the primary server again when it receives a RADIUS request.
Table 389 Configure the attributes for data to be sent to the RADIUS servers (Operation; Command; Description)
■ Specify the source IP address of RADIUS packets (RADIUS scheme view): nas-ip ip-address; Optional. By default, no source IP address is specified, and the IP address of the outbound interface is used as the source IP address.
Configuring the Timers of RADIUS Servers
If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a period of time, it retransmits the packet to ensure that the user can obtain the RADIUS service.
In an environment with a CAMS server, if the switch reboots after an exclusive user (a user whose concurrent online number is set to 1 on the CAMS) gets authenticated and authorized and begins being charged, the switch prompts that the user is already online when the user logs in to the network again before CAMS performs online user detection, and the user cannot get authenticated.
Table 393 Create a HWTACACS scheme (Operation; Command; Description)
■ Enter system view: system-view; -
■ Create a HWTACACS scheme and enter HWTACACS view: hwtacacs scheme hwtacacs-scheme-name; Required. By default, no HWTACACS scheme exists.
Configuring HWTACACS Authentication Servers
CAUTION: The system supports up to 16 HWTACACS schemes. You can only delete the schemes that are not being used.
Table 395 Configure TACACS authorization servers (Operation; Command; Description)
■ Set the IP address and port number of the secondary TACACS authorization server: secondary authorization ip-address [ port ]; Required. By default, the IP address of the secondary authorization server is 0.0.0.0, and the port number is 0.
Configuring HWTACACS Accounting Servers
CAUTION:
■ The primary and secondary authorization servers cannot use the same IP address.
by using the shared keys that have been set on them, and can accept and respond to the packets sent from each other only if both of them have the same shared keys.
Configuring the Timers of TACACS Servers
Table 399 Configure the timers of TACACS servers (Operation; Command; Description)
■ Enter system view: system-view; -
■ Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name; Required. By default, no HWTACACS scheme exists.
■ Set the response timeout time of TACACS servers: timer response-timeout seconds
■ Set the wait time for the primary server to restore the active state
Displaying and Maintaining AAA & RADIUS & HWTACACS Information
Table 400 Display AAA information (Operation; Command; Description)
■ Display the configuration information about one specific or all ISP domains: display domain [ isp-name ]
■ Display the information about user connections: display connection [ access-type dot1x | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan ...; You can execute the display command in any
Table 402 Display and maintain HWTACACS protocol information (Operation; Command; Description)
■ Display the configuration or statistic information about one specific or all HWTACACS schemes: display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
■ Display the buffered HWTACACS stop-accounting request packets that are not responded to: display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop
■ Set the shared key it uses to exchange packets with the switch to "expert".
■ Set the port number for authentication.
■ Add Telnet user names and login passwords. The Telnet user name added to the RADIUS server must be in the format of userid@isp-name if you have configured the switch to include domain names in the user names to be sent to the RADIUS server.
[SW7750] domain cams
[SW7750-isp-cams] scheme radius-scheme cams
A Telnet user logging into the switch by a name in the format of userid@cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain.
Local Authentication of FTP/Telnet Users
NOTE: The configuration procedure for the local authentication of FTP users is similar to that of Telnet users.
Method 2: using a local RADIUS server
This method is similar to the remote authentication method described in section “Remote RADIUS Authentication of Telnet/SSH Users”. You only need to change the server IP address, the authentication password, and the UDP port number for the authentication service in configuration step "Configure a RADIUS scheme" in section “Remote RADIUS Authentication of Telnet/SSH Users” to 127.0.0.
[SW7750-hwtacacs-hwtac] user-name-format without-domain
[SW7750-hwtacacs-hwtac] quit
# Configure the domain name of the HWTACACS scheme to hwtac.
[SW7750] domain hwtacacs
[SW7750-isp-hwtacacs] scheme hwtacacs-scheme hwtac
Troubleshooting AAA & RADIUS & HWTACACS Configuration
Troubleshooting the RADIUS Protocol
The RADIUS protocol is at the application layer in the TCP/IP protocol suite.
■ The accounting port number is not properly set: Be sure to set a correct port number for RADIUS accounting.
■ The switch requests that both the authentication/authorization server and the accounting server use the same device (with the same IP address), but in fact they are not resident on the same device: Be sure to configure the RADIUS servers on the switch according to the actual situation.
Troubleshooting the HWTACACS Protocol
49 EAD CONFIGURATION
Introduction to EAD
Endpoint admission defense (EAD) is an attack defense solution that monitors endpoint admission. This enhances the active defense ability of endpoints, and prevents viruses and worms from spreading on the network.
CHAPTER 49: EAD CONFIGURATION
software and install system patches. Figure 134 shows the typical network application of EAD.
Figure 134 Typical network application of EAD
The security client (software installed on the PC) checks the security status of a client that has just passed the authentication, and interacts with the security policy server.
Table 403 EAD configuration (Operation; Command; Description)
■ Enter RADIUS scheme view: radius scheme radius-scheme-name
■ Configure the RADIUS server type to radius: server-type radius; Optional. By default, for a new RADIUS scheme, the server type is standard; the type of RADIUS server in the default RADIUS scheme "system" is radius.
Network diagram
Figure 135 EAD configuration example: Authentication server (IP address 10.110.91.164), Security policy server (IP address 10.110.91.166), Virus patch server (IP address 10.110.91.168), User attached through Ethernet 1/0/1, Internet
Configuration procedure
# Configure 802.1X on the switch. Refer to the 802.1X module in 3Com Switch 7750 Family Ethernet Switches Operation Manual for a detailed description.
# Configure the domain.
50 VRRP CONFIGURATION
VRRP Overview
Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in “LAN Networking”, in general,
■ A default route (for example, the next hop address of the default route is 10.100.10.1, as shown in the following figure) is configured for every host on a network.
CHAPTER 50: VRRP CONFIGURATION
Figure 137 Virtual router: Master (actual IP address 10.100.10.2) and Backup (actual IP address 10.100.10.3) share the virtual IP address 10.100.10.1; Host 1 (10.100.10.7), Host 2 (10.100.10.8) and Host 3 (10.100.10.9) are attached to the Ethernet
The switches in a backup group have the following features:
■ This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group).
■ You can specify the virtual router IP address as the IP address used by a member switch in the backup group. In this case, the switch is called an IP address owner.
■ A backup group is established if it is assigned an IP address for the first time. If you then add other IP addresses to the backup group, the IP addresses are added to the virtual router IP address list of the backup group.
the master switch unless they operate in preemptive mode. The switch operating in preemptive mode will become the master switch when it finds its priority is higher than that of the current master switch, and the former master switch becomes a backup switch accordingly. You can configure the Switch 7750 Family to operate in preemptive mode. You can also set the delay period. A backup switch waits for a period of time (the delay period) before becoming a master switch.
switches will cause the master-down-interval to time out and the state to change abnormally. Such problems can be solved by prolonging the adver-interval and setting a delay time. If you configure the preemption delay for a backup switch, the switch preempts the master after the period specified by the preemption delay if it does not receive a VRRP packet from the master for the period specified by the master-down-interval argument.
Table 405 Configure a virtual router IP address (Operation; Command; Description)
■ Enter system view: system-view; -
■ Configure that the virtual IP address can be pinged: vrrp ping-enable; Optional. By default, the virtual IP address cannot be pinged.
■ Map the virtual router IP address to a MAC address: vrrp method { real-mac | virtual-mac }; Optional. By default, the virtual IP address of a backup group is mapped to a virtual router MAC address.
Table 406 Configure backup group-related parameters (Operation; Command; Description)
■ Specify the interface/Ethernet port to be tracked: vrrp vrid virtual-router-id track interface interface-type interface-number [ reduced value-reduced ]; Optional. value-reduced: Value by which the priority is to be reduced. By default, this value is 10.
Displaying and Maintaining VRRP
Table 408 Network description (Switch; Ethernet port connecting to Host A; IP address of the VLAN interface; Switch priority in the backup group; Preemptive mode)
■ LSW-A: Ethernet 1/0/6; 202.38.160.1/24; 110; Enabled
■ LSW-B: Ethernet 1/0/5; 202.38.160.2/24; 100 (default); Enabled
Network diagram
Figure 138 Network diagram for single-VRRP backup group configuration: Host B, Internet, LSW-A (Vlan-interface2: 202.38.160.1), LSW-B, virtual IP address: 202.38.160.
# Set the priority for the backup group.
[LSW-A-Vlan-interface2] vrrp vrid 1 priority 110
# Configure the preemptive mode for the backup group.
[LSW-A-Vlan-interface2] vrrp vrid 1 preempt-mode
■ Configure Switch B.
# Configure VLAN 2.
system-view
[LSW-B] vlan 2
[LSW-B-vlan2] port Ethernet 1/0/5
[LSW-B-vlan2] quit
[LSW-B] interface Vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.
Network diagram
Figure 139 Network diagram for interface tracking configuration: Host B (10.2.3.1), Internet, LSW-A (Vlan-interface3: 10.100.10.2; Vlan-interface2: 202.38.160.1), LSW-B (Vlan-interface2: 202.38.160.2), virtual IP address: 202.38.160.111, Host A (202.38.160.3)
Configuration procedure
■ Configure Switch A.
# Configure VLAN 2.
# Configure the master switch to send VRRP packets once every 5 seconds.
[LSW-A-Vlan-interface2] vrrp vrid 1 timer advertise 5
# Set the tracked VLAN interface.
[LSW-A-Vlan-interface2] vrrp vrid 1 track interface Vlan-interface 3 reduced 30
■ Configure Switch B.
# Configure VLAN 2.
system-view
[LSW-B] vlan 2
[LSW-B-vlan2] port Ethernet 1/0/5
[LSW-B-vlan2] quit
[LSW-B] interface Vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.
Network diagram
Figure 140 Network diagram for multiple-VRRP backup group configuration: Host B (10.2.3.1), Internet, Switch_A (Vlan-interface3: 10.100.10.2; Vlan-interface2: 202.38.160.1), Switch_B (Vlan-interface2: 202.38.160.2), Backup group 1: virtual IP address 202.38.160.111, Backup group 2: virtual IP address 202.38.160.112, Host A (202.38.160.3)
Configuration procedure
■ Configure Switch A.
# Configure VLAN 2.
[LSW-B-vlan2] port Ethernet 1/0/6
[LSW-B-vlan2] quit
[LSW-B] interface Vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
# Create backup group 1.
[LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Create backup group 2.
[LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
# Set the priority for backup group 2.
51 HA CONFIGURATION
HA Overview
Switch 7758 supports the high availability (HA) feature. This feature is to achieve high availability of the system and to recover the system as soon as possible in the event of failures so as to shorten the mean time between failures (MTBF) of the system. The functions of HA are mainly implemented by the application running on the Switch Fabric board.
CHAPTER 51: HA CONFIGURATION
HA Configuration
HA Configuration Overview
Table 409 HA configuration tasks overview (Configuration; Description; Related section)
■ Set the slave board restart manually: Required; “Setting the Slave Board Restart Manually”
■ Perform the master-slave switchover manually: Required; “Performing the Master-Slave Switchover Manually”
■ Enable automatic synchronization: Required; “Enabling Automatic Synchronization”
■ Synchronize the configuration file of the system manuall: Required
Table 411 Perform the master-slave switchover manually (Operation; Command; Description)
■ Perform the master-slave switchover manually: slave switchover; Optional
Enabling Automatic Synchronization
Switch 7758 supports automatic synchronization.
52 ARP CONFIGURATION
Introduction to ARP
Address resolution protocol (ARP) is used to map IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly.
Necessity of the Address Resolution
After a packet is forwarded to the destination network, the MAC address is necessary for the packet to reach the specific device. So the destination IP address carried in a packet needs to be translated into the corresponding MAC address.
CHAPTER 52: ARP CONFIGURATION
Table 415 Description on the fields of an ARP packet (Field; Description)
■ Hardware Type: Identifies the type of the hardware interface. Refer to Table 416 for the information about the field values.
■ Protocol type: Specifies the type of protocol address being mapped. Its value is 0x0800 for IP addresses.
Figure 142 An ARP mapping table (columns: IF index, Physical address, IP address, Type; rows Entry 1 through Entry n)
Table 417 describes the ARP mapping table fields.
corresponding to IP_B exists. If yes, Host A encapsulates the IP packet into a frame with the MAC address of Host B inserted in it and sends it to Host B.
■ If the corresponding MAC address is not found in the ARP mapping table, Host A adds the packet to the transmission queue, creates an ARP request packet and broadcasts it throughout the Ethernet.
Introduction to Gratuitous ARP
The following are the characteristics of gratuitous ARP packets:
■ Both the source and destination IP addresses carried in a gratuitous ARP packet are the local address, and the source MAC address carried in it is the local MAC address.
■ If a device finds that the IP address carried in a received gratuitous ARP packet conflicts with its own, it returns an ARP response to the sending device to notify it of the IP address conflict.
load and network traffic. To solve this problem, the device allows you to configure the gratuitous ARP update interval.
Introduction to ARP Proxy
ARP proxy: A host in a network sends an ARP request to an isolated port in the same network or to a host in another network. Devices enabled with the ARP proxy function forward the ARP request, so as to realize Layer 3 connectivity among the Layer 2 isolated ports.
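The ARP packet fields and the gratuitous ARP characteristics described above, as an added example that is not part of the 3Com guide: it parses an ARP packet (RFC 826 layout, hardware type and protocol type 0x0800 as in Table 415), recognises the gratuitous pattern (sender IP equal to target IP) and reports when another station's announcement claims this device's own IP address. The MAC and IP addresses below are constructed.

```python
import struct

# Added example, not code from the 3Com guide. Addresses are constructed.
ARP_HDR = "!HHBBH"          # hardware type, protocol type, hlen, plen, opcode
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2


def parse_arp(raw):
    """Decode the fixed header and the four address fields of an ARP packet."""
    if len(raw) < 8:
        raise ValueError("ARP packet shorter than its fixed header")
    htype, ptype, hlen, plen, op = struct.unpack(ARP_HDR, raw[:8])
    if len(raw) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP packet truncated before the address fields")
    pos, fields = 8, []
    for size in (hlen, plen, hlen, plen):   # sender MAC, sender IP, target MAC, target IP
        fields.append(raw[pos:pos + size])
        pos += size
    sha, spa, tha, tpa = fields
    return {"htype": htype, "ptype": ptype, "op": op,
            "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}


def is_gratuitous(pkt):
    """Gratuitous ARP carries the sender's own IP as both source and destination."""
    return pkt["ptype"] == PROTO_IPV4 and pkt["sender_ip"] == pkt["target_ip"]


def conflicts_with(pkt, my_ip, my_mac):
    """True if another station's gratuitous ARP announces this device's IP."""
    return (is_gratuitous(pkt) and pkt["sender_ip"] == my_ip
            and pkt["sender_mac"] != my_mac)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/IPv4 ARP packet for testing."""
    return (struct.pack(ARP_HDR, HW_ETHERNET, PROTO_IPV4, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def demo():
    my_ip, my_mac = "10.100.10.7", "00:16:3e:00:00:07"     # this device (constructed)
    # Another station announcing our IP address as its own.
    announce = build_arp(OP_REQUEST, "00:16:3e:00:00:99", "10.100.10.7",
                         "00:00:00:00:00:00", "10.100.10.7")
    # An ordinary request from 10.100.10.8 asking who holds 10.100.10.7.
    ordinary = build_arp(OP_REQUEST, "00:16:3e:00:00:08", "10.100.10.8",
                         "00:00:00:00:00:00", "10.100.10.7")
    a, o = parse_arp(announce), parse_arp(ordinary)
    return (is_gratuitous(a), conflicts_with(a, my_ip, my_mac),
            is_gratuitous(o), conflicts_with(o, my_ip, my_mac))
```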
Table 418 ARP entries (ARP entry; Generation Method; Maintenance Mode)
■ Static ARP entry: Manually configured; Manual maintenance
■ Dynamic ARP entry: Dynamically generated; ARP entries of this type age with time. The aging period is set by the ARP aging timer.
Introduction to ARP Configuration Tasks
Adding a Static ARP Mapping Entry Manually
Configuring Maximum Number of ARP Entries to Be Learnt
Use the following commands to configure the maximum number of ARP entries that can be learnt.
Table 424 Configure the gratuitous ARP packet learning function (Operation; Command; Description)
■ Enable the gratuitous ARP packet learning function: gratuitous-arp-learning enable; Required. By default, the gratuitous ARP packet learning function is disabled.
Configuring the Gratuitous ARP Update Interval
Table 427 Configure ARP source suppression (Operation; Command; Description)
■ Configure the maximum number of ARP packets of a type sent to the CPU at a time: arp source-suppression limit { total | local | through } limit-value; Optional. The default value depends on the type of ARP packets: when total is adopted, the default value is 100; when local is adopted, the default value is 3.
Displaying and Debugging ARP
53 DHCP OVERVIEW
Introduction to DHCP
With networks getting larger in size and more complicated in structure, a lack of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a tough task for them. With the emergence of wireless networks and the use of laptops, the changing positions of hosts and frequent changes of IP addresses also require new technology.
CHAPTER 53: DHCP OVERVIEW
Obtaining IP Addresses Dynamically
■ Dynamic assignment: The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period. This policy applies to most clients.
of the BOOTP packets. The following figure describes the packet format (the number in brackets indicates the field length, in bytes):
Figure 145 Format of DHCP packets: op (1) | htype (1) | hlen (1) | hops (1) | xid (4) | secs (2) | flags (2) | ciaddr (4) | yiaddr (4) | siaddr (4) | giaddr (4) | chaddr (16) | sname (64) | file (128) | option (variable)
The field meanings are as follows:
■ op: Operation type of the DHCP packet: 1 for request packets and 2 for response packets.
DHCP Packet Processing Modes
After the DHCP server is enabled on a device, the device processes the DHCP packets received from a DHCP client in one of the following three modes depending on your configuration:
■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.
54 DHCP SERVER CONFIGURATION
Introduction to DHCP Server
Usage of DHCP Server
Generally, DHCP servers are used in the following networks to assign IP addresses:
■ Large-sized networks, where manual configuration bears a heavy load and makes it difficult to manage the whole network in a centralized way.
■ Networks where the number of available IP addresses is less than that of the hosts.
DHCP Address Pool
CHAPTER 54: DHCP SERVER CONFIGURATION
segment or some subnets (such as a domain name), you just need to configure them on the network segment or the corresponding subnets. The following are the details of configuration inheritance.
■ A newly created child address pool inherits the configurations of its parent address pool.
DHCP IP Address Preferences
Global Address Pool-Based DHCP Server Configuration
Table 429 Configure global address pool-based DHCP server (Configuration task; Remarks; Section)
■ Configure the interface(s) to operate in global address pool mode
■ Configure to bind an IP address statically to a DHCP client, or configure to assign IP addresses dynamically: One of these two options is required. Only one mode can be selected for the same global address pool; “Configuring How to Assign IP Addresses in a Global Address Pool”
Enabling DHCP
Configuring How to Assign IP Addresses in a Global Address Pool
You can specify to bind an IP address in a global address pool statically to a DHCP client or assign IP addresses in the pool dynamically to DHCP clients as needed. In the global address pool, you can bind an IP address statically to a DHCP client and assign other IP addresses in the pool dynamically to DHCP clients.
segments that are previously specified. Currently, an address pool can contain only one address segment, whose range is determined by the subnet mask. To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those that are not occupied by specific network devices (such as gateways and FTP servers). The lease time can differ between address pools, but the IP addresses of the same address pool have the same lease time.
Table 434 Configure DNS services for the DHCP server (Operation; Command; Description)
■ Enter system view: system-view; -
■ Create a DHCP address pool and enter DHCP address pool view: dhcp server ip-pool pool-name; Required. By default, no global DHCP address pool is created
■ Configure a domain name for DHCP clients: domain-name domain-name; Required. By default, no domain name is configured for DHCP clients
■ Configure DNS server addresses for DHCP clients
Configuring N
Table 435 Configure NetBIOS services for the DHCP server (Operation; Command; Description)
■ Configure WINS server addresses for DHCP clients: nbns-list ip-address&<1-8>; Required. By default, no WINS server address is configured
■ Configure DHCP clients to be of a specific NetBIOS node type: netbios-type { b-node | h-node | m-node | p-node }; Optional. By default, no NetBIOS node type of the DHCP client is specified and a DHCP cli
Customizing DHCP Service
Interface Address Pool-based DHCP Server Configuration
CAUTION: In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global address pool containing the segment of the interface address pool and assigns them to the DHCP clients.
Table 439 Enable DHCP (Operation; Command; Description)
■ Enter system view: system-view; -
■ Enable DHCP: dhcp enable; Required. By default, DHCP is enabled
Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients
If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients.
■ The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.
■ There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.
■ An IP address can be statically bound to only one MAC address.
NOTE:
■ The dhcp server forbidden-ip command can be executed repeatedly. That is, you can repeatedly configure IP addresses that are not dynamically assigned to DHCP clients.
■ Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.
Configuring DNS Services for the DHCP Server
Configuring NetBIOS Services for DHCP Clients
For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, the host name-to-IP address translation is carried out by WINS servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight WINS addresses for a DHCP address pool. Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol.
DHCP Security Configuration
Customizing DHCP Service
Table 444 Configure NetBIOS services for the DHCP server
Operation: Configure the current interface
Command: interface interface-type interface-number; dhcp server netbios-type { b-node | h-node | m-node | p-node }; quit
Description: Required. By default, no NetBIOS node type is specified and a DHCP client uses an h-node.
Operation: Configure NetBIOS node types for DHCP clients on multiple interfaces in system view
Command: dhcp server netbios-type {
Description: Required. By default, no NetBIOS node type is specified and a DHCP client uses an h-node.
Prerequisites
Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).
Configuring Private DHCP Server Detecting
A private DHCP server on a network also answers IP address request packets and assigns IP addresses to DHCP clients. However, the IP addresses it assigns may conflict with those of other hosts.
Displaying and Debugging a DHCP Server
You can verify your DHCP-related configuration by executing the display command in any view. To clear the information about DHCP servers, execute the reset command in user view.
Network requirements
The DHCP server assigns IP addresses dynamically to the DHCP clients on the same network segment. The network segment 10.1.1.0/24, to which the IP addresses of the address pool belong, is divided into two sub-network segments: 10.1.1.0/25 and 10.1.1.128/25. The switch operating as the DHCP server hosts two VLANs, whose interface IP addresses are 10.1.1.1/25 and 10.1.1.129/25 respectively. The DHCP settings of the 10.1.1.
DHCP Server Configuration Example
Network diagram
Figure 146 Network diagram for DHCP configuration
[Figure: Switch A (DHCP server) with VLAN-interface1 and VLAN-interface2 (10.1.1.1/25 and 10.1.1.129/25) serving clients on two LANs; Switch B with VLAN-interface1; a NetBIOS server and a DNS server]
Configuration procedure
1 Configure a VLAN and add a port in this VLAN, and then configure the IP address of the VLAN interface (omitted).
2 Configure DHCP service.
# Enable DHCP.
[SW7750] dhcp server ip-pool 2
[SW7750-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[SW7750-dhcp-pool-2] domain-name aabbcc.com
[SW7750-dhcp-pool-2] dns-list 10.1.1.2
[SW7750-dhcp-pool-2] expired day 5
[SW7750-dhcp-pool-2] nbns-list 10.1.1.4
[SW7750-dhcp-pool-2] gateway-list 10.1.1.254
Troubleshooting a DHCP Server
Symptom: The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.
55 DHCP RELAY CONFIGURATION
Introduction to DHCP Relay
Usage of DHCP Relay
Since the packets are broadcast in the process of obtaining IP addresses, DHCP is only applicable where DHCP clients and DHCP servers are in the same network segment. That is, you would need to deploy at least one DHCP server for each network segment, which is far from economical. DHCP Relay is designed to address this problem.
CHAPTER 55: DHCP RELAY CONFIGURATION
3 The DHCP server assigns IP addresses and transmits the configuration information to the clients through the DHCP relay so that the clients can be configured dynamically. The transmission mode depends on the flag field in the DHCP-DISCOVER packet. For details, see section “DHCP Packet Format”.
Option 82 Supporting
Introduction to option 82 supporting
Option 82 is a relay agent information option in DHCP packets.
DHCP Relay Configuration
DHCP server directly. The following is the mechanism of option 82 supporting on a DHCP relay.
1 A DHCP client broadcasts a request packet when it starts up.
2 The DHCP relay on the local network receives the request packet, and then checks whether the packet contains option 82 and processes the packet accordingly.
Enabling DHCP
Make sure to enable DHCP before you perform other DHCP relay-related configurations, since other DHCP-related configurations cannot take effect with DHCP disabled.
DHCP Relay Configuration
■ When the flag field is set to 0, the DHCP relay agent unicasts the response packets to the clients. In actual networking, if clients have special requirements, the Switch 7750 Family supports the following commands so as to force the DHCP relay agent to broadcast the responses to the clients. After this function is enabled, even if the flag field in the DHCP-DISCOVER packet is set to 0, the DHCP relay agent still broadcasts responses to the clients.
can pass DHCP security check; otherwise you cannot access the network even if you have obtained a valid IP address. If you invalidate the dynamic IP-to-MAC mapping entries generated by the DHCP relay agent, this means that you specify the clients as freely-connected hosts.
DHCP Relay Configuration
■ If the DHCP server returns the DHCP-NAK packet, it indicates that the lease of the IP address is not expired. The DHCP relay does not age the corresponding entry. After the DHCP relay handshake function is disabled, the DHCP relay does not send the handshake packet (the DHCP-REQUEST packet) periodically to the DHCP server.
■ When the DHCP client releases this IP address, the client unicasts the DHCP-RELEASE packet to the DHCP server.
■ Configure network parameters and the relay function of the DHCP relay device.
■ Perform assignment strategy-related configurations, such as network parameters of the DHCP server, address pool, and lease time.
■ The routes between the DHCP relay and the DHCP server are reachable.
Enabling option 82 supporting on a DHCP relay
The following operations need to be performed on a DHCP relay-enabled network device.
Troubleshooting DHCP Relay
Network diagram
Figure 148 Network diagram for DHCP relay
[Figure: DHCP clients on the 10.110.0.0 Ethernet segment; the switch (DHCP relay) with interfaces 10.110.1.1 and 202.38.1.1; the DHCP server 202.38.1.2 on the 202.38.1.0 Ethernet segment, reached across the Internet]
Configuration procedure
# Enter system view.
system-view
# Enable DHCP.
[SW7750] dhcp enable
# Create DHCP server group 1 and configure an IP address of 202.38.1.2 for it.
[SW7750] dhcp-server 1 ip 202.38.1.
Solution
■ Check if DHCP is enabled on the DHCP server and the DHCP relay.
■ Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server.
■ Check if a reachable route is configured between the DHCP relay and the DHCP server.
■ Check the DHCP relay-enabled network devices. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
56 DHCP SNOOPING CONFIGURATION
DHCP-Snooping Configuration
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
■ Layer 3 switches can track DHCP client IP addresses through DHCP relay.
CHAPTER 56: DHCP SNOOPING CONFIGURATION
Figure 150 illustrates the interaction between a DHCP client and a DHCP server.
DHCP-Snooping Option 82
Table 460 Configure the DHCP snooping function
Operation: Set the port connected to a DHCP server to a trusted port
Command: dhcp-snooping trust
Description: Required. By default, all ports of a switch are untrusted ports.
Note:
■ DHCP relay and DHCP snooping cannot be enabled at the same time. If you have enabled DHCP relay on the device, you will fail to enable DHCP snooping.
Enabling DHCP-Snooping Option 82
Note:
■ If the option 82 field is inserted by the switch, the switch removes the option 82 field from the message, and then forwards the message containing the DHCP configuration information to the DHCP client.
■ If the option 82 field is not inserted by the switch, the switch obtains the VLAN information contained in this field and broadcasts the returned message in this VLAN.
Configuration Example
Table 462 Display and debug DHCP-Snooping
Operation: Display the IP/MAC mapping relations recorded by the DHCP-Snooping-enabled switch
Command: display dhcp-snooping
Operation: Display DHCP-Snooping status and trusted port information
Command: display dhcp-snooping trust
Operation: Display the total number of DHCP-Snooping binding table entries
Command: display dhcp-snooping count
Operation: Display the DHCP-Snooping binding table entries of the specified VLAN
Command: display dhcp-snooping vlan { vlan-list | al
# Enter system view.
system-view
[SW7750]
# Enable the DHCP snooping function.
[SW7750] dhcp-snooping
# Enable DHCP-Snooping option 82.
[SW7750] dhcp-Snooping information enable
# Enter Ethernet1/0/1 port view.
[SW7750] interface ethernet1/0/1
# Set the port to a trusted port.
57 ACL CONFIGURATION
ACL Overview
Note: Type A I/O Modules refer to the following: 3C16860, 3C16861, 3C16858, and 3C16859.
An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, and based on the predefined policy, the network device can permit/prohibit the corresponding packets to pass.
CHAPTER 57: ACL CONFIGURATION
ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and implements traffic classification. In this case, there are two types of match orders for the rules in an ACL: config (user-defined match order) and auto (the system performs automatic ordering, namely according to the "depth-first" order). In this scenario, you can specify the match order for multiple rules in an ACL.
Choosing ACL Mode for Traffic Flows
Layer 2 ACL depth-first order
With the depth-first rule adopted, the rules of a Layer 2 ACL are matched in the order of the mask length of the source MAC address and destination MAC address. The longer the mask is, the higher the match priority is. If two mask lengths are the same, the match rule configured earlier has the higher priority.
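The depth-first ordering described above, as an added example that is not code from the 3Com guide: rules are ranked by the combined bit count of their source and destination MAC masks (longest first, earlier rule-id on ties) and the first hit decides. The rule set and frame addresses are constructed; the `ingress`/`egress` naming follows the Layer 2 ACL rule syntax used later in this chapter (ingress = source MAC, egress = destination MAC). The example also shows why the match order is a policy question: the same three rules evaluated in configuration order let the broad permit shadow the specific deny.

```python
# Added example, not from the 3Com guide: depth-first ordering of Layer 2 ACL rules.
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse a MAC written in the switch's hhhh-hhhh-hhhh notation."""
    return int(mac.replace("-", ""), 16)


def mask_bits(mask: Optional[str]) -> int:
    """Mask length = number of 1 bits; 'any' (no mask) contributes 0."""
    return 0 if mask is None else bin(mac_to_int(mask)).count("1")


@dataclass
class L2Rule:
    rule_id: int                          # configuration order (rule-id on the switch)
    action: str                           # "permit" or "deny"
    ingress: Optional[str] = None         # source MAC, None = any
    ingress_mask: Optional[str] = None
    egress: Optional[str] = None          # destination MAC, None = any
    egress_mask: Optional[str] = None

    def depth(self) -> int:
        return mask_bits(self.ingress_mask) + mask_bits(self.egress_mask)

    def matches(self, src: str, dst: str) -> bool:
        def hit(addr, mask, pkt):
            if addr is None:
                return True
            m = mac_to_int(mask)
            return mac_to_int(addr) & m == mac_to_int(pkt) & m
        return hit(self.ingress, self.ingress_mask, src) and hit(self.egress, self.egress_mask, dst)


def depth_first_order(rules: List[L2Rule]) -> List[L2Rule]:
    """Longest combined mask first; the sort is stable, so ties keep rule_id order."""
    return sorted(rules, key=lambda r: (-r.depth(), r.rule_id))


def first_match(rules: List[L2Rule], src: str, dst: str, depth_first: bool = True) -> Optional[L2Rule]:
    """Return the rule that decides a frame under 'auto' (depth-first) or 'config' order."""
    ordered = depth_first_order(rules) if depth_first else sorted(rules, key=lambda r: r.rule_id)
    for rule in ordered:
        if rule.matches(src, dst):
            return rule
    return None


# Constructed rule set: the broad permit is configured first, the specific denies later.
RULES = [
    L2Rule(0, "permit"),                                     # ingress any egress any
    L2Rule(1, "deny", "00e0-fc01-0101", "ffff-ffff-ffff"),   # one host (48 mask bits)
    L2Rule(2, "deny", "00e0-fc00-0000", "ffff-ff00-0000"),   # a 24-bit OUI prefix
]

if __name__ == "__main__":
    print([r.rule_id for r in depth_first_order(RULES)])
    print(first_match(RULES, "00e0-fc01-0101", "0000-0000-0001").action)
    print(first_match(RULES, "00e0-fc01-0101", "0000-0000-0001", depth_first=False).action)
```

With depth-first order the host-specific deny (rule 1) wins for 00e0-fc01-0101; in config order rule 0 matches first and the frame is permitted, which is the outcome to check for whenever an ACL mixes broad permits with narrow denies.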
system-view
[SW7750] acl mode link-based
[SW7750] display acl mode
The current acl mode: link-based.
Specifying the Matching Order of ACL Rules Sent to a Port
Configuration Procedure
The acl match-order { config | auto } command is used to set the matching order of ACL rules when they are referenced by software, while the acl order command is used to set the matching order of ACL rules after they are applied to a port.
Defining Basic ACLs
Table 465 Configure a time range
Operation: Display a time range or all the time ranges
Command: display time-range { all | time-name }
Description: Optional. This command can be executed in any view.
Note that:
■ If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.
Configuration Example
Table 466 Define a basic ACL rule
Operation: Create or enter basic ACL view
Command: acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto
Description: Required. By default, the match order is config.
Defining Advanced ACLs
Configuration Preparation
Before configuring an ACL rule containing time range arguments, you need to define the corresponding time ranges. For the configuration of time ranges, refer to “Configuring Time Ranges”. The values of source and destination IP addresses, the type of the protocols carried by IP, and protocol-specific features in the rule have been defined.
Table 468 Rule information
Parameter: precedence precedence
Type: Packet precedence
Function: Packet priority
Description: Value range: 0 to 7
Parameter: tos tos
Type: Packet precedence
Function: ToS priority
Description: Value range: 0 to 15
Parameter: dscp dscp
Type: Packet precedence
Function: DSCP priority
Description: Value range: 0 to 63
Parameter: fragment
Type: Fragment information
Function: Specifies that the ACL rule is effective for non-initial fragment packets
Parameter: time-range time-name
Type: Time range information
Function: Specifies the time range in which the ACL
Defining Advanced ACLs
Table 470 Description of IP precedence value
Keyword / IP precedence value in decimal / IP precedence value in binary
routine / 0 / 000
priority / 1 / 001
immediate / 2 / 010
flash / 3 / 011
flash-override / 4 / 100
critical / 5 / 101
internet / 6 / 110
network / 7 / 111
To define the ToS value, you can directly input a value ranging from 0 to 15, or input a keyword listed in the following table.
Table 472 TCP/UDP-specific rule information
Parameter: established
Type: TCP-specific argument
Function: TCP connection "established" flag
Description: Indicates that the ACL rule is only valid for the first SYN packet (when the TCP connection began)
Note: Only Type A I/O Modules support the "range" operation on the TCP/UDP port.
Defining Layer 2 ACLs
In the case that you specify the rule ID when defining a rule:
■ If the rule corresponding to the specified rule ID already exists, you will edit the rule, and the modified part in the rule will replace the original content, while other parts remain unchanged.
■ If the rule corresponding to the specified rule ID does not exist, you will create and define a new rule.
Table 475 Create a Layer 2 ACL rule
Operation: Define an ACL rule
Command: rule [ rule-id ] { permit | deny } [ rule-string ]
Description: Required. If you do not specify the rule-string parameter, the switch will choose ingress any egress any by default.
Operation: Display ACL information
Command: display acl config { all | acl-number | acl-name }
Description: Optional. This command can be executed in any view.
Defining Layer 2 ACLs
Table 476 Rule information
Parameter: time-range time-name
Type: Time range information
Function: Specifies the time range in which the rule is active
Description: time-name: specifies the name of the time range in which the ACL rule is active; a string of 1 to 32 characters
To define the CoS, you can directly input a value ranging from 0 to 7, or input a keyword listed in the following table.
Defining User-Defined ACLs
Using a byte, which is specified through its offset from the packet header, in the packet as the starting point, user-defined ACLs perform logical AND operations on packets and compare the extracted string with the user-defined string to find the matching packets for processing. User-defined ACL numbers range from 5,000 to 5,999.
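The offset-and-mask matching that user-defined ACLs perform, as an added example that is not code from the 3Com guide: each rule carries a byte offset from the start of the frame, a rule string and a mask of the same length; the bytes at the offset are ANDed with the mask and compared with the masked rule string. The frame builder, the offsets (Ethernet II header followed by a 20-byte IPv4 header with no options) and the rule set are all constructed for this illustration; the switch's own rule syntax and internal offset base are not reproduced.

```python
# Added example, not from the 3Com guide: user-defined ACL matching by offset, string and mask.
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class UserRule:
    rule_id: int
    action: str          # "permit" or "deny"
    offset: int          # byte offset of the compared field from the start of the frame
    rule_string: bytes   # value to compare against
    mask: bytes          # same length as rule_string; only bits set here are compared


def rule_hits(frame: bytes, rule: UserRule) -> bool:
    """AND the frame bytes at the offset with the mask and compare with the masked rule string."""
    end = rule.offset + len(rule.rule_string)
    if len(rule.mask) != len(rule.rule_string) or end > len(frame):
        return False                      # malformed rule or short frame: field absent, no match
    window = frame[rule.offset:end]
    masked_frame = bytes(b & m for b, m in zip(window, rule.mask))
    masked_rule = bytes(r & m for r, m in zip(rule.rule_string, rule.mask))
    return masked_frame == masked_rule


def apply_user_acl(frame: bytes, rules: List[UserRule], default: str = "permit") -> str:
    """First hit in rule-id (config) order decides; unmatched frames get the default action."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_hits(frame, rule):
            return rule.action
    return default


def build_frame(proto: int, src_port: int, dst_port: int) -> bytes:
    """Constructed Ethernet II + IPv4 header + the two L4 port fields (checksums left zero)."""
    eth = bytes.fromhex("00e0fc010303") + bytes.fromhex("00e0fc010101") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return eth + ip + struct.pack("!HH", src_port, dst_port)


IP_PROTO_OFFSET = 14 + 9          # Ethernet header, then the IPv4 protocol byte
L4_DST_PORT_OFFSET = 14 + 20 + 2  # Ethernet + 20-byte IPv4 header + 2-byte source port

# Constructed rule set (hypothetical policy): block telnet, a port range, and all UDP.
RULES = [
    UserRule(1, "deny", L4_DST_PORT_OFFSET, b"\x00\x17", b"\xff\xff"),  # dst port 23 exactly
    UserRule(2, "deny", L4_DST_PORT_OFFSET, b"\x1f\x00", b"\xff\x00"),  # dst ports 7936-8191 via mask
    UserRule(3, "deny", IP_PROTO_OFFSET, b"\x11", b"\xff"),             # IP protocol 17 (UDP)
]


def classify(proto: int, src_port: int, dst_port: int) -> str:
    return apply_user_acl(build_frame(proto, src_port, dst_port), RULES)


if __name__ == "__main__":
    for args in [(6, 40000, 23), (6, 40000, 8000), (6, 40000, 80), (17, 5000, 53)]:
        print(args, classify(*args))
```

Rule 2 shows what the mask buys: a mask byte of 0x00 makes the low byte of the port a wildcard, so one rule covers 256 ports, and rule 3 shows a one-byte match on the IP protocol field. Because offsets are fixed, a frame with an 802.1Q tag or IP options shifts the fields and such a rule silently stops matching, which is the caveat to remember when user-defined ACLs enforce security policy.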
Applying ACLs on Ports
Configuration Preparation
By applying ACLs on ports, you can filter certain packets. You need to define an ACL before applying it on a port. For operations to define ACLs, refer to “Defining Basic ACLs”, “Defining Advanced ACLs”, “Defining Layer 2 ACLs”, and “Defining User-Defined ACLs”.
Configuration Procedure
Table 481 Combined application of ACLs on I/O Modules other than Type A
ACL Configuration Example
Table 483 Display ACL configuration
Operation: Display a time range or time ranges
Command: display time-range { all | time-name }
Operation: Display the configured ACL rule(s)
Command: display acl { all | acl-number }
Operation: Display the statistics information about the configured ACL rules
Command: display acl config statistics
Operation: Display the remaining ACL resource of a specified slot
Command: display acl remaining entry slot slot-number
Description: These commands can be executed in any view.
system-view
[SW7750] time-range test 8:00 to 18:00 working-day
2 Define an ACL for filtering requests destined for the wage server.
# Create ACL 3000.
[SW7750] acl number 3000
# Define an ACL rule for requests destined for the wage server.
[SW7750-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 255.255.255.0 time-range test
[SW7750-acl-adv-3000] quit
3 Apply the ACL on a port.
# Apply ACL 3000 on the Ethernet 1/0/1 port.
ACL Configuration Example
# Define an access rule to deny packets with their source IP addresses being 10.1.1.1.
[SW7750-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[SW7750-acl-basic-2000] quit
3 Apply the ACL on the port.
# Apply ACL 2000 on the port.
[SW7750-acl-link-4000] rule 1 deny ingress 00e0-fc01-0101 ffff-ffff-ffff egress 00e0-fc01-0303 ffff-ffff-ffff time-range test
[SW7750-acl-link-4000] quit
3 Apply the ACL on a port.
# Apply ACL 4000 on the port Ethernet1/0/1.
58 QOS CONFIGURATION
Overview
Quality of Service (QoS) is a concept that applies wherever a service is supplied and demanded. It evaluates how well the service meets the needs of its customers. Generally, the evaluation is not a precise grade. Its purpose is to analyze the conditions under which the service is at its best and the conditions under which the service still needs improvement, and then to make improvements in the identified aspects.
CHAPTER 58: QOS CONFIGURATION
Precedence
1 IP precedence, ToS precedence and differentiated services code point (DSCP) precedence
Figure 156 DS fields and TOS bytes
The TOS field in an IP header contains 8 bits:
■ The first three bits indicate IP precedence in the range of 0 to 7.
■ Bit 3 to bit 6 indicate ToS precedence in the range of 0 to 15.
■ RFC2474 re-defines the ToS field in the IP packet header, which is called the DS field.
Overview
■ Class selector (CS) class: This class comes from the IP TOS field and includes 8 classes.
■ Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default.
The 4-byte 802.1Q tag header contains a 2-byte Tag Protocol Identifier (TPID) whose value is 8100 and a 2-byte Tag Control Information (TCI). TPID is a new class defined by IEEE to indicate a packet with an 802.1Q tag. Figure 158 describes the detailed contents of an 802.1Q tag header.
Figure 158 802.1Q tag headers
In the figure above, the 3-bit priority field in TCI is the 802.1p priority, in the range of 0 to 7. The 3 bits specify the precedence of the frame.
Overview
Step 1: Classify the inbound packets to the port by the set classification rule.
Step 2: Perform the filter (drop) operation on the classified packets. The packet filter function can be implemented by applying ACL rules on the port. Refer to the description in the ACL module for detailed configurations.
Rate Limit on Ports
Rate limit on ports is port-based rate limit. It limits the total rate of outbound packets on a port.
TP
When the token bucket evaluates the traffic, its parameter configurations include:
■ Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic. It is generally set to committed information rate (CIR).
■ Burst size: The capacity of the token bucket, namely, the maximum traffic size that is permitted in every burst. It is generally set to committed burst size (CBS).
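A single token bucket evaluated against a packet trace, as an added example that is not code from the 3Com guide: tokens are added at the CIR, the bucket holds at most CBS bytes, and a packet is "conforming" only if the bucket holds at least its size in tokens when it arrives. The trace (arrival time in milliseconds, size in bytes), the CIR of 800 kbit/s and the CBS values are constructed; the switch's own policer internals are not reproduced.

```python
# Added example, not from the 3Com guide: token-bucket evaluation with CIR and CBS.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TokenBucket:
    cir_kbps: int      # committed information rate in kbit/s (token refill rate)
    cbs_bytes: int     # committed burst size = bucket capacity in bytes

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)          # the bucket starts full
        self.last_ms = 0
        self.bytes_per_ms = self.cir_kbps / 8.0      # kbit/s -> bytes per millisecond

    def evaluate(self, now_ms: int, size: int) -> str:
        """Refill for the elapsed time, then spend tokens if the packet fits."""
        refill = (now_ms - self.last_ms) * self.bytes_per_ms
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "conforming"
        return "non-conforming"            # the policy decides: drop, remark, or next rank


def police(trace: List[Tuple[int, int]], cir_kbps: int, cbs_bytes: int) -> List[str]:
    """Evaluate every (arrival_ms, size_bytes) packet of a trace in order."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return [bucket.evaluate(t, size) for t, size in trace]


# Constructed trace: a two-packet burst at t=0, then three packets spaced 10, 2 and 1 ms apart.
TRACE = [(0, 1000), (0, 1000), (10, 1000), (12, 500), (13, 500)]

if __name__ == "__main__":
    # 800 kbit/s = 100 bytes/ms, so 1500 bytes of burst credit refills in 15 ms
    print(police(TRACE, cir_kbps=800, cbs_bytes=1500))
    print(police(TRACE, cir_kbps=800, cbs_bytes=3000))
```

With CBS = 1500 the second packet of the opening burst and the last closely spaced packet exceed the credit and are non-conforming; doubling CBS at the same CIR admits the whole trace, which is the knob to reason about when a policer is meant to contain bursts rather than just cap the average rate.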
Overview
■ Modify the precedence and forward: Modify the priority of the packets whose evaluation result is "partly-conforming" and forward them.
■ Enter the next-rank policing: TP can be piled up rank by rank and each rank polices more detailed objects.
Redirect
You can re-specify the forwarding port of packets as required by your own QoS policy.
Queue Scheduling
The disadvantage of the SP queue is that if the higher-priority queues keep holding packets for a long time during congestion, the packets in the lower-priority queues will be "starved to death" because they are never served.
QoS Supported by Switch 7750 Family
■ When the queue length is smaller than the lower limit, packets are not dropped.
■ When the queue length is bigger than the upper limit, all inbound packets are dropped.
■ When the queue length is between the lower limit and the upper limit, the inbound packets are dropped at random.
Setting Port Priority
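The three-region drop rule above, as an added example that is not code from the 3Com guide: below the lower limit nothing is dropped, above the upper limit everything is dropped, and in between packets are dropped at random with a probability that grows linearly up to a maximum. The linear ramp is an assumption (the guide states only that drops are random in this region); the thresholds of 64 and 128 kbytes and the 20% maximum are the values used in this chapter's congestion avoidance configuration example.

```python
# Added example, not from the 3Com guide: RED-style drop decision from queue length.
import random


def drop_probability(queue_kbytes: float, lower_kbytes: float, upper_kbytes: float,
                     max_drop_percent: float) -> float:
    """Return the probability of dropping an arriving packet for a given queue length."""
    if lower_kbytes >= upper_kbytes:
        raise ValueError("lower limit must be below upper limit")
    if queue_kbytes < lower_kbytes:
        return 0.0                                   # below the lower limit: never drop
    if queue_kbytes > upper_kbytes:
        return 1.0                                   # above the upper limit: drop everything
    # In between: assumed linear ramp from 0 at the lower limit to the maximum at the upper limit
    fraction = (queue_kbytes - lower_kbytes) / (upper_kbytes - lower_kbytes)
    return (max_drop_percent / 100.0) * fraction


def simulate_drops(queue_kbytes: float, lower_kbytes: float, upper_kbytes: float,
                   max_drop_percent: float, packets: int = 1000, seed: int = 1) -> int:
    """Count how many of `packets` arrivals would be dropped at a constant queue length."""
    rng = random.Random(seed)                       # seeded so the run is reproducible
    p = drop_probability(queue_kbytes, lower_kbytes, upper_kbytes, max_drop_percent)
    return sum(1 for _ in range(packets) if rng.random() < p)


LOWER_KB, UPPER_KB, MAX_PCT = 64, 128, 20          # values from this chapter's RED example

if __name__ == "__main__":
    for q in (32, 64, 96, 128, 200):
        print(q, "kbytes ->", round(drop_probability(q, LOWER_KB, UPPER_KB, MAX_PCT), 3),
              "dropped of 1000:", simulate_drops(q, LOWER_KB, UPPER_KB, MAX_PCT))
```

The point of the random region is to signal congestion to a few senders early instead of tail-dropping everyone at once when the queue fills; the jump from 20% at the upper limit to 100% just above it is what the "all inbound packets are dropped" rule implies.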
Configuration procedure
Table 488 Set to use the port priority
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: -
Operation: Set the port priority
Command: priority priority-level
Description: Optional. By default, the port priority is 0.
Configuration example
■ Set the port priority of Ethernet 1/0/1 to 7.
Configuration procedure:
system-view
System View: return to User View with Ctrl+Z.
Configuring Priority to Be Used When a Packet Enters an Output Queue
Table 489 The mapping relationship between the 802.1p priority values and queues
802.
Configuration prerequisites
The priority to be used when a packet enters a queue is specified.
Configuring Priority Remark
system-view
[SW7750] qos cos-local-precedence-map 2 3 4 1 7 0 5 6
[SW7750] display qos cos-local-precedence-map
cos-local-precedence-map:
cos              : 0 1 2 3 4 5 6 7
--------------------------------------------------------------
local-precedence : 2 3 4 1 7 0 5 6
Configuring Priority Remark
Refer to “Priority Remark” for the introduction to priority remark.
acl-rule: Applied ACL rules, which can be the combination of various ACL rules.
Configuring TP
Configuration Procedure
Table 498 Configure rate limit on ports
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: -
Operation: Enter QoS view
Command: qos
Description: -
Operation: Configure port-based rate limit
Command: line-rate [ kbps ] target-rate
Description: Required
Operation: Display the precedence of the protocol packet
Command: display protocol-priority
Description: Optional. You can execute the display command in any view.
Configuration Example
Note: Only non-type-A I/O Modules sup
Table 499 Configure TP
Operation: Display the parameters for traffic policing
Command: display qos-interface [ interface-type interface-number ] traffic-limit
Description: Optional. You can execute the display command in any view.
Operation: Display all the QoS settings of the port
Command: display qos-interface [ interface-type interface-number ] all
Description: Optional. You can execute the display command in any view.
acl-rule: Applied ACL rules, which can be the combination of various ACL rules.
Configuring Queue-scheduling
Table 500 Configure redirect
Operation: Configure redirect
Command: traffic-redirect inbound acl-rule [ system-index system-index ] { cpu | interface interface-type interface-number }
Description: Required
Operation: Display the parameters for traffic redirect
Command: display qos-interface [ interface-type interface-number ] traffic-redirect
Description: Optional
Operation: Display all the QoS settings of the port
Command: display qos-interface [ interface-type interface-number ] all
Description: Optional. You can execute the display comman
Configuration Procedure
Table 501 Configure queue scheduling
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: -
Operation: Enter QoS view
Command: qos
Description: -
Operation: Configure the queue scheduling mode
Command: queue-scheduler { rr | strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight queue8-weight }
Operation: Display the parameters for traffic redirect
Command: display
Configuring Congestion Avoidance
COSQ 4 = 5 packets
COSQ 5 = 10 packets
COSQ 6 = 5 packets
COSQ 7 = 10 packets
Egress port queue statistics(in bytes):
Priority  CosQ  Threshold  Count  Used(%)
0         2     18432      0      0
1         0     2560       0      0
2         1     2560       0      0
3         3     2560       0      0
4         4     2560       0      0
5         5     2560       0      0
6         6     2560       0      0
7         7     2560       0      0
common queue statistics(in bytes):  49152      0      0
Configuring Congestion Avoidance
Configuration Prerequisites
Configuration Procedure
When congestion happens, the switch will drop packets as soon as possible to
Configuration Example
■ GigabitEthernet1/0/1 connects to the network segment 10.1.1.1/24.
■ Perform the RED queue scheduling algorithm for all the inbound traffic from 10.1.1.1/24.
■ Set the parameters as follows: the packets are dropped at random when the queue length exceeds 64 kbytes, all packets are dropped when the queue length exceeds 128 kbytes, and the drop probability is 20%.
Configuring Assured Bandwidth
Clearing Traffic Statistics Information
Table 504 Clear traffic statistics information
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: -
Operation: Enter QoS view
Command: qos
Description: -
Operation: Clear the statistics of the traffic matching with the specified ACL rules
Command: reset traffic-statistic { inbound | outbound } acl-rule
Description: Required. Type-A I/O Modules support this command in the form reset traffic-statistic inbound acl-rule.
Table 505 Configure assured bandwidth
Operation: Enable ACLs to identify traffic and provide assured bandwidth for the specified traffic
Command: traffic-bandwidth outbound acl-rule [ system-index system-index ] min-guaranteed-bandwidth max-guaranteed-bandwidth weight
Description: Required
Operation: Display the traffic statistics
Command: display qos-interface [ interface-type interface-number ] traffic-bandwidth
Operation: Display all the QoS settings on the port
Command: display qos-interface [ interface-type in
Configuring Traffic-Based Flexible QinQ
Configuration Prerequisites
■ ACL rules used for traffic identifying are defined.
Configuration Procedure
Configuration Example
■ The traffic-based flexible QinQ function is generally configured on the hybrid port of the edge device connecting the user device to the carrier’s network.
■ QinQ is mutually exclusive with Voice VLAN. That is, you cannot configure both features on the same port.
■ The port on which the traffic-based flexible QinQ function is configured and the specified uplink port cannot be in the same aggregation group.
QoS Configuration Example
Network diagram
Figure 162 Network diagram for TP and rate limit configuration
[Figure: the salary query server 129.110.1.2 attached to E1/0/1 of the switch, the R&D department on the switch, and an uplink to the router]
Configuration procedure
Note: Only the commands related with QoS/ACL configurations are listed in the following configurations.
1 Define the outbound traffic of the salary query server
# Enter ACL 3000 view.
system-view
[SW7750] acl number 3000
# Define ACL 3000 rules.
Network diagram
Figure 163 Network diagram for priority remark configuration
Configuration procedure
1 Define the time range from 8:00 to 18:00
# Define the time range.
system-view
[SW7750] time-range test 8:00 to 18:00 daily
2 Define the traffic rules of PC packets
# Enter number-identification-based basic ACL view.
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule 0 permit source 1.0.0.
59 MIRRORING CONFIGURATION
Overview
Mirroring refers to the process of copying packets that meet the specified rules to a destination port. Generally, a destination port is connected to a data-detecting device, which you can use to analyze the mirrored packets for monitoring and troubleshooting the network.
CHAPTER 59: MIRRORING CONFIGURATION
There are three types of switches with RSPAN enabled.
■ Source switch: The switch to which the monitored port belongs. The source switch copies the mirrored traffic flows to the remote-probe VLAN, and then through Layer 2 forwarding, the mirrored flows are sent to an intermediate switch or destination switch.
■ Intermediate switch: Switches between the source switch and destination switch on the network.
Overview
To implement remote port mirroring, you need to define a special VLAN, called the remote-probe VLAN, on all three types of switches. In this VLAN, no normal data but only mirrored packets are transmitted. All mirrored packets will be transferred to the specified port of the destination switch from the source switch through this VLAN. Thus, the destination switch can monitor the packets sent from the ports of the remote source switch.
Mirroring Supported by Switch 7750 Family
Table 509 Mirroring functions supported by Switch 7750 Family and related commands
Function: Support local port mirroring
Related command: mirroring-group; mirroring-group mirroring-port; mirroring-group monitor-port; monitor-port; mirroring-port
Related section: “Configuring Local Port Mirroring”
Function: Support remote port mirroring
Related command: mirroring-group; mirroring-group mirroring-port; mirroring-group monitor-port; mirroring
Mirroring Configuration
Configuring Local Port Mirroring
Configuration prerequisites
■ The source port is specified and whether the packets to be mirrored are inbound or outbound is specified.
■ The destination port is specified.
Configuration Example
■ The source port is GigabitEthernet 1/0/1. Mirror all packets received and sent via this port.
■ The destination port is GigabitEthernet 1/0/4.
Mirroring Configuration
Table 512 Configure RSPAN on the source switch
Description: Required. This setting is required for source switch ports that connect to the intermediate switch or destination switch.
reflector port; and vice versa, it is not recommended to enable STP or DLDP on a reflector port.
■ The reflector port cannot forward traffic as a normal port. Therefore, it is recommended that you use an idle port in the down state as the reflector port, and be careful not to add other settings on this port.
■ Be sure not to configure a port used to connect the intermediate and destination switches as the mirroring source port.
Mirroring Configuration
Table 514 Configure RSPAN on the destination switch
Operation: Create a remote-probe VLAN and enter VLAN view
Command: vlan vlan-id
Description: vlan-id is the ID of the remote-probe VLAN.
port because the incoming port learns the source MAC addresses and destination MAC addresses of packets at the same time. If the incoming port of a packet is the same as the outgoing port of the packet, the packet is dropped. Refer to the QoS module in this manual for configuring traffic redirect.
■ You can configure only one reflector port of a remote source mirroring group or one destination port of a local mirroring group on each centralized I/O Module.
Mirroring Configuration
Figure 166 Network diagram for RSPAN
3 Configuration procedure
# Configure Switch C.
[SW7750-acl-link-4500] quit
[SW7750] interface GigabitEthernet 1/0/2
[SW7750-GigabitEthernet1/0/2] qos
[SW7750-qosb-GigabitEthernet1/0/2] traffic-redirect inbound link-group 4500 rule 1 interface GigabitEthernet 1/0/1
# Configure Switch A.
Mirroring Configuration
Table 515 Configure traffic mirroring in Ethernet port view
Operation: Enter Ethernet port view of the source port
Command: interface interface-type interface-number
Description: -
Operation: Enter QoS view
Command: qos
Description: -
Operation: Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match.
Note: To define a destination port for mirroring, you can also enter the port view of the specified port directly to execute the mirroring-group group-id monitor-port command. Refer to the corresponding command manual for details.
Configuration example
1 Network requirements:
■ GigabitEthernet 1/0/1 on the switch is connected to the 10.1.1.1/24 network segment.
■ Mirror the packets from the 10.1.1.1/24 network segment to GigabitEthernet 1/0/4, the destination port.
Table 518 Configure the source switch
Operation: Configure the current port as a trunk port
Command: port link-type trunk
Description: Required. By default, the port type is access.
Operation: Configure the relay port to permit packets from the remote-probe VLAN to pass.
Description: Required. This configuration is required on the source switch ports that connect to the intermediate switch; the ports on the destination switch must be configured in the same way.
Note:
■ You can configure only one reflector port of a remote source mirroring group or one destination port of a local mirroring group on each centralized I/O Module. In a distributed system, you can configure only one reflector port of a remote source mirroring group or one destination port of a local mirroring group for the whole system.
Figure 167 Network diagram for remote traffic mirroring (Switch A: GE 1/0/1, GE 1/0/2; Switch B: GE 1/0/1, GE 1/0/2; Switch C: GE 1/0/1, GE 1/0/2; host 10.1.1.1/24)
3 Configuration procedure
# Configure Switch A.
[SW7750-GigabitEthernet1/0/1] port link-type trunk
[SW7750-GigabitEthernet1/0/2] port trunk permit vlan 10
# Configure Switch C
system-view
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.
Table 519 Configure mirroring to a module
Operation: Define the mirroring source port or mirroring source I/O Module
Command: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }
Description: You must perform one of the two operations. The mirroring source I/O Module can be a distributed or centralized I/O Module; however, the mirroring source ports must be ports on distributed I/O Modules.
Operation: Display the settings about mirroring
60 POE CONFIGURATION
PoE Overview
Introduction to PoE
Power over Ethernet (PoE) uses 10BASE-T, 100BASE-TX, and 1000BASE-T twisted pairs to supply power to powered devices (PDs) in the network, so that power supply and data transmission share the same cable.
Advantages of PoE
■ Reliability: the centralized power supply provides convenient backup, unified management, and safety.
■ Easy connection: network terminals require only an Ethernet cable and no external power supply.
External PSE2500-A1 Power System
■ The Switch 7750 supplies power through the Ethernet electrical ports on the service boards. Each service board can supply power to up to 48 remote devices at a maximum distance of 100 m (328 feet).
■ Each Ethernet port can supply at most 15.4 W to remote PDs.
■ When the Switch 7750 Family supplies power to remote devices, the maximum total power it can provide is 2,400 W.
port priority. Note that the switch can compare only the priorities of ports on the same board.
Note:
Setting the PoE Feature of a PoE Port
■ You can successfully enable PoE on a board only when the remaining power of the switch is not less than the full power of this board.
■ The power drawn by PDs may exceed the power configured for them because of their unstable status, which can cause the PDs connected to the last port on the board to be powered off.
■ When a board is almost fully loaded and a new PD is added, the switch responds to the PD according to the PoE management mode. For details, see “Setting PoE Management Mode”.
■ In auto mode, when the switch is reaching its full load in supplying power, it decides whether to supply power to the remote PDs on a port based on the port priority.
Table 525 Display and maintain PoE
Operation: Display the PoE status of a specific port or all ports of the switch
Command: display poe interface { interface-type interface-number | all }
Operation: Display the PoE power information of a specific port or all ports of the switch
Command: display poe interface power { interface-type interface-number | all }
Operation: Display the PSE parameters
Command: display poe powersupply
Description: You can execute the display commands in any view.
Operation: Display the power s
PoE Configuration Example
Networking diagram
Figure 168 Network diagram for PoE (S6506 with Ethernet3/0/1 to Ethernet3/0/48 and Ethernet5/0/1 to Ethernet5/0/48 connected to IP phones and APs, and an uplink to the network)
Configuration procedure
# Enter system view.
system-view
# Upgrade the PSE processing software of the PoE board in slot 5 of the Switch 7757 online.
[SW7750] poe upgrade refresh 0400_001.S19
# Enable the PoE feature on the boards in slot 3 and slot 5.
# Disable the PoE feature on Ethernet3/0/23 and Ethernet3/0/24.
[SW7750] interface Ethernet 3/0/23
[SW7750-Ethernet3/0/23] undo poe enable
[SW7750-Ethernet3/0/23] quit
[SW7750] interface Ethernet 3/0/24
[SW7750-Ethernet3/0/24] undo poe enable
[SW7750-Ethernet3/0/24] quit
# Set the priority of Ethernet3/0/48 to critical, so that the devices connected to Ethernet3/0/48 are powered preferentially without interrupting the power supply to the ports already being powered.
61 POE PSU SUPERVISION CONFIGURATION
Introduction to PoE PSU Supervision
The PoE-enabled Switch 7750 Family can monitor the external PoE power supply units (PSUs) through the Switch Fabrics.
■ Set the undervoltage alarm threshold of the AC input for the PoE PSUs to 181.0 V.
Configuration procedure
# Enter system view.
system-view
# Set the overvoltage alarm threshold of the AC input for the PoE PSUs to 264.0 V.
[SW7750] poe-power input-thresh upper 264.0
# Set the undervoltage alarm threshold of the AC input for the PoE PSUs to 181.0 V.
[SW7750] poe-power input-thresh lower 181.0
# Display the AC input state of the PoE PSUs.
[SW7750] poe-power output-thresh lower 47.0
# Display the DC output state of the PoE PSUs.
[SW7750] display poe-power dc-output state
# Display the DC output voltage and current values of the PoE PSUs.
[SW7750] display poe-power dc-output value
Displaying PoE Supervision Information
After the above configuration, you can execute the display commands in any view to display the PoE operation of the switch and verify the configuration.
Network diagram
Figure 169 Network diagram for PoE supervision configuration (S6506, Ethernet3/0/1 to Ethernet3/0/48 connected to IP phones, with an uplink to the network)
Configuration procedure
# Enter system view.
system-view
# Enable PoE on the board in slot 3.
[SW7750] poe enable slot 3
# Set the overvoltage alarm threshold of the AC input for the PoE PSUs to 264.0 V.
[SW7750] poe-power input-thresh upper 264.
62 POE PROFILE CONFIGURATION
Introduction to PoE Profile
On a large network or a network with mobile users, to help network administrators manage the PoE features of the switch, Switch 7750 Family Ethernet switches provide the PoE profile feature.
Features of PoE profile:
■ Various PoE profiles can be created. PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles.
PoE Profile Configuration Tasks
Table 530 Configure PoE profile
Operation (system view): Apply the existing PoE profile to the specified Ethernet port
Command: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ]
Description: Required. Users can decide whether to configure the settings in system view or in port view.
Operation (port view): Enter Ethernet port view
Command: interface interface-type interface-number
Operation (port view): Apply th
Displaying PoE Profile Configuration
■ The PoE priority for Ethernet1/0/1 through Ethernet1/0/5 is critical, whereas the PoE priority for Ethernet1/0/6 through Ethernet1/0/10 is high.
■ The maximum power for Ethernet1/0/1 through Ethernet1/0/5 is 3,000 mW, whereas the maximum power for Ethernet1/0/6 through Ethernet1/0/10 is 15,400 mW.
Based on the above requirements, two PoE profiles are created for the users of group A.
# Display detailed configuration information for Profile1.
[SW7750] display poe-profile name Profile1
Poe-profile: Profile1, 2 action
 poe max-power 3000
 poe priority critical
# Create Profile2 and enter poe-profile view.
[SW7750] poe-profile Profile2
# In Profile2, add the PoE policy configuration applicable to Ethernet1/0/6 through Ethernet1/0/10 for the users of group A.
63 UDP-HELPER CONFIGURATION
Introduction to UDP-Helper
UDP-Helper is designed to relay specified UDP broadcast packets. It enables a device to operate as a UDP packet relay: it converts UDP broadcast packets into unicast packets and forwards them to a specified server. Normally, all received UDP broadcast packets are passed to the UDP module.
Table 533 Configure UDP-Helper
Description: This operation is unnecessary if the port is among the default UDP ports listed in Table 532.
Displaying and Debugging UDP-Helper
Table 534 Display and debug UDP-Helper
Operation: Display the information about the destination servers and the number of packets forwarded to each destination server
Command: display udp-helper server [ interface vlan-interface vlan-id ]
Description: You can use the display command in any view.
Operation: Clear the statistics about packets forwarded by UDP-Helper
Command: reset udp-helper packet
Description: You can use the reset command in user view.
Operation: Enable debugging for UDP-Helper
Command: debugging
[SW7750] udp-helper port 55
Port has been configured. Please check the port again.
# Configure the server with the IP address 202.38.1.2 as a destination server for the UDP broadcast packets.
[SW7750] interface Vlan-interface 1
[SW7750-Vlan-interface1] ip address 10.110.1.1 16
[SW7750-Vlan-interface1] udp-helper server 202.38.1.
64 SNMP CONFIGURATION
SNMP Overview
The Simple Network Management Protocol (SNMP) is by far the most widely used management protocol in computer networks and is accepted in practice as an industry standard. It carries management information between any two nodes, so that network administrators can easily query and modify information on any node of the network.
■ Define the MIB view that a community can access.
■ Set read-only or read-write access to MIB objects for the community. A read-only community can only query device information, whereas a read-write community can configure the device.
■ Bind a basic ACL to the community name, so that only NMS source addresses permitted by the ACL can use it.
MIBs Supported by the Device
The management variable in an SNMP packet describes the management objects of a device.
Table 535 Common MIBs
MIB attribute: Private MIB
MIB content: DHCP MIB, QACL MIB, ADBM MIB, IGMP Snooping MIB, RSTP MIB, VLAN MIB, Device management, Interface management
References: -
Configuring SNMP Basic Functions
The configuration of SNMPv3 differs from that of SNMPv1 and SNMPv2c; therefore, the SNMP basic function configurations for the different
Table 536 Configure SNMP basic functions for SNMPv1 and SNMPv2c
Operation: Set a community name (direct configuration): set a community name and its access authority
Command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
Operation: Set an SNMP group
Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Operation: Add a new user for an SNMP group
Command: snm
Table 537 Configure SNMP basic functions (SNMPv3)
Operation: Set an SNMP group
Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Description: Required
Operation: Add a new user for an SNMP group
Command: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ]
Description: Required
Operation: Set the size of SNMP p
Table 538 Configure Trap
Operation: Enable the device to send Trap packets
Command: snmp-agent trap enable [ bgp [ backwardtransition | established ]* | configuration | flash | ospf [ process-id ] [ ospf-trap-list ] | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | vrrp [ authfailure | newmaster ] ]
Description: Optional
Operation: Enter port view or interface view
Operation: Enable the port to send Trap packets
Description: Optional. By default, the port or the interface is e
and "ifType" (interface type) to a trap packet. The two objects help you understand the trap and locate the failed port.
Displaying SNMP
After the above configuration is completed, execute the display command in any view to view the running status of SNMP and verify the configuration.
Network diagram
Figure 173 Network diagram for SNMP (NMS and switch, 10.10.10.1 and 10.10.10.2, on an Ethernet)
Configuration procedure
# Set the community name, group name and user.
system-view
[SW7750] snmp-agent
[SW7750] snmp-agent sys-info version all
[SW7750] snmp-agent community write public
[SW7750] snmp-agent mib-view include internet 1.3.6.
password respectively according to the different security levels. In addition, you must set the timeout time and retry times. You can query and configure the Ethernet switch through the NMS. For more information, refer to the manuals of 3Com’s NMS products.
Note: The NMS configuration must be consistent with the device configuration; otherwise, the NMS cannot manage the device.
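The community, ACL and SNMPv3 options described in Tables 536 and 537 are easy to get wrong in a saved configuration, and the example above (a well-known community string with write access and no ACL) is exactly the pattern worth catching. The following is an added example, not code from the 3Com guide: a Python audit that walks the snmp-agent lines of a configuration file and reports the weak settings. The configuration text it reads is constructed for the example; the command grammar follows the tables above.

```python
# Added example (not from the 3Com guide): offline audit of snmp-agent lines
# in a saved configuration. Flags well-known community strings, communities
# without an acl, v1/v2c write access, v3 groups/users below authPriv and
# md5 authentication. SAMPLE_CONFIG below is constructed for the example.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit_snmp_config(config_text):
    """Return a list of (line, finding) tuples for risky snmp-agent settings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-agent":
            continue
        kind = tok[1]
        if kind == "community" and len(tok) >= 4:
            # snmp-agent community { read | write } name [ acl n | mib-view v ]*
            access, name, opts = tok[2], tok[3], tok[4:]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((line, f"well-known community string '{name}'"))
            if "acl" not in opts:
                findings.append((line, f"community '{name}' has no acl: usable from any source IP"))
            if access == "write":
                findings.append((line, f"community '{name}' grants v1/v2c write access"))
        elif kind == "group" and tok[2] == "v3" and len(tok) >= 4:
            # snmp-agent group v3 name [ authentication | privacy ] ...
            level = tok[4] if len(tok) > 4 else ""
            if level != "privacy":
                findings.append((line, f"v3 group '{tok[3]}' security level is not privacy (authPriv)"))
        elif kind == "usm-user" and tok[2] == "v3" and len(tok) >= 5:
            # snmp-agent usm-user v3 user group [ authentication-mode { md5 | sha } pw [ privacy-mode des56 pw ] ]
            user = tok[3]
            if "authentication-mode" not in tok:
                findings.append((line, f"v3 user '{user}' has no authentication"))
            else:
                if tok[tok.index("authentication-mode") + 1] == "md5":
                    findings.append((line, f"v3 user '{user}' authenticates with md5; prefer sha"))
                if "privacy-mode" not in tok:
                    findings.append((line, f"v3 user '{user}' has no privacy: requests and replies are readable on the wire"))
        elif kind == "sys-info" and tok[2] == "version":
            versions = set(tok[3:])
            if "all" in versions or versions & {"v1", "v2c"}:
                findings.append((line, "v1/v2c enabled by sys-info version; community strings travel in cleartext"))
    return findings


# Constructed sample: the guide's example line plus a hardened v3 setup and a weak one.
SAMPLE_CONFIG = """\
 snmp-agent
 snmp-agent sys-info version all
 snmp-agent community write public
 snmp-agent community read ops-ro acl 2001
 snmp-agent group v3 netops privacy read-view internet
 snmp-agent group v3 legacy
 snmp-agent usm-user v3 alice netops authentication-mode sha S3cretAuth privacy-mode des56 S3cretPriv acl 2001
 snmp-agent usm-user v3 bob legacy authentication-mode md5 weakpw
"""

if __name__ == "__main__":
    for cfg_line, finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{finding}\n    {cfg_line}")
```

The user alice passes every check; des56 is the only privacy mode this switch offers, so treat it as the floor rather than a target. Run the audit against the output of the switch's configuration display before putting an NMS on the network.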
65 RMON CONFIGURATION
Introduction to RMON
Remote Monitoring (RMON) is a management information base (MIB) defined by the Internet Engineering Task Force (IETF) and is one of the most important enhancements to the MIB-II standard. RMON is mainly used to monitor the data traffic across a network segment or even an entire network, and is a commonly used network management standard.
Commonly Used RMON Groups
Event group
The event group defines the indexes of events and how the events are processed. The events defined in an event group are mainly used by the alarm group and the extended alarm group to trigger alarms.
With the history data management function, you can configure network devices to collect history data, for example collecting the data of a specific port periodically and saving it.
Statistics group
The statistics group contains the statistics of each monitored port on a network device. An entry in a statistics group is an accumulated value counted from the time when the statistics entry was created.
Table 540 Configure RMON
Operation: Add a history entry
Command: rmon history entry-number buckets number interval sampling-interval [ owner text ]
Description: Optional
Operation: Add a statistics entry
Command: rmon statistics entry-number [ owner text ]
Description: Optional
Note:
■ The rmon alarm and rmon prialarm commands take effect on existing nodes only.
■ For each port, only one RMON statistics entry can be created.
Displaying RMON
RMON Configuration Example
Network diagram
Figure 174 Network diagram for RMON configuration (switch with a network port to the Internet and a console port)
Configuration procedures
# Configure RMON.
system-view
[SW7750] interface Ethernet1/0/1
[SW7750-Ethernet1/0/1] rmon statistics 1 owner user1-rmon
# View the RMON configuration.
[SW7750-Ethernet1/0/1] display rmon statistics Ethernet1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
 Interface : Ethernet1/0/1
66 NTP CONFIGURATION
Introduction to NTP
The Network Time Protocol (NTP), defined in RFC 1305, is a time synchronization protocol used among a set of distributed time servers and clients. NTP transmits packets over UDP port 123. NTP is intended to synchronize the clocks of all devices in a network, so that the clocks of all devices are kept consistent. This enables applications that require a unified time.
with increasing stratum number. Clocks with a stratum of 16 are unsynchronized and cannot serve as reference clocks.
Working Principle of NTP
The working principle of NTP is shown in Figure 175. In Figure 175, Ethernet switch A (LS_A) is connected to Ethernet switch B (LS_B) through their Ethernet ports. Both have system clocks of their own, and they need to synchronize their clocks with each other through NTP.
■ Before this NTP packet leaves LS_B, LS_B inserts its own timestamp once again, 11:00:02 am (noted as T3).
■ When LS_A receives the response packet, it inserts a new timestamp, 10:00:03 am (noted as T4), into it. At this time, LS_A has enough information to calculate the following two parameters:
■ The delay for an NTP packet to make a round trip between LS_A and LS_B: delay = (T4 - T1) - (T3 - T2).
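The following is an added example, not from the 3Com guide, that carries the calculation through in Python with the guide's delay formula and the standard RFC 1305 offset estimate, offset = ((T2 - T1) + (T3 - T4)) / 2, which this page does not show. Only T3 and T4 appear on this page; T1 (10:00:00, when LS_A sent the request) and T2 (11:00:01, when LS_B received it) are assumed values for the worked run. The 1000 s step guard is the default panic threshold of the reference ntpd, not a Switch 7750 setting.

```python
# Added example (not from the 3Com guide): round-trip delay and clock offset
# that LS_A computes from the four NTP timestamps. T1 and T2 are assumed
# values (only T3 and T4 appear on the page); the 1000 s step guard is
# ntpd's default panic threshold, not a switch setting.
from datetime import datetime, timedelta


def ntp_delay_offset(t1, t2, t3, t4):
    """Return (delay, offset) in seconds from the four NTP timestamps.

    t1: client transmit, t2: server receive, t3: server transmit,
    t4: client receive (datetime objects).
    delay  = (T4 - T1) - (T3 - T2)          formula given in the guide
    offset = ((T2 - T1) + (T3 - T4)) / 2    standard RFC 1305 estimate
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay.total_seconds(), offset.total_seconds()


PANIC_THRESHOLD = 1000.0  # seconds; ntpd refuses larger steps by default


def corrected_clock(t4, offset, panic_threshold=PANIC_THRESHOLD):
    """Apply the offset to the client clock, refusing implausible steps.

    With NTP authentication disabled, anyone who can answer on UDP 123 can
    present an arbitrary offset; a sanity bound limits how far one reply
    can move the clock. Raises ValueError instead of stepping.
    """
    if abs(offset) > panic_threshold:
        raise ValueError(f"offset {offset:.1f}s exceeds panic threshold")
    return t4 + timedelta(seconds=offset)


# Timestamps of the guide's walkthrough (T1, T2 assumed; see above).
T1 = datetime(2001, 9, 6, 10, 0, 0)
T2 = datetime(2001, 9, 6, 11, 0, 1)
T3 = datetime(2001, 9, 6, 11, 0, 2)
T4 = datetime(2001, 9, 6, 10, 0, 3)

if __name__ == "__main__":
    delay, offset = ntp_delay_offset(T1, T2, T3, T4)
    print(f"delay={delay:.0f}s offset={offset:.0f}s")
    try:
        corrected_clock(T4, offset)
    except ValueError as exc:
        print("refused:", exc)
```

For the walkthrough values the round trip is 2 s and LS_B is 3600 s ahead of LS_A; note that a one-hour step is far beyond what a production client should accept from a single server reply, which is why the guard refuses it.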
Broadcast mode
Figure 178 NTP implementation mode: broadcast mode. The server periodically broadcasts clock synchronization packets and automatically works as a server, answering requests with response packets. After receiving the first broadcast packet, the client initiates a client/server mode request, obtains the delay between the client and the server from the response packet, and then works as a client in broadcast mode, receiving the periodic broadcast clock synchronization packets.
Table 542 NTP implementation modes on the Switch 7750 Family
NTP implementation mode / Configuration on the Switch 7750 Family:
■ Configure the Switch 7750 Family to operate in NTP broadcast server mode. In this case, the Switch 7750 Family broadcasts NTP packets through the VLAN interface configured on the switch.
■ Configure the Switch 7750 Family to operate in NTP broadcast client mode.
Table 543 Configure NTP implementation modes
Operation: Configure the switch to operate in NTP peer mode
Command: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface interface-type interface-number | version number ]*
Operation: Enter VLAN interface view
Command: interface interface-type interface-number
Operation: Configure the switch to operate in NTP broadcast client mode
Command: ntp-service broadcast-client
Description: By default, no Ethernet switch ope
in NTP broadcast client mode respond to this packet and start the clock synchronization procedure.
NTP multicast server mode
When the Switch 7750 operates in NTP multicast server mode, it multicasts a clock synchronization packet periodically. Devices configured in NTP multicast client mode respond to this packet and start the clock synchronization procedure. In this mode, the switch can accommodate up to 1,024 multicast clients.
performed on the server (assuming that the related configurations are performed).
Configuring NTP Authentication
■ You need to couple NTP authentication with a trusted key.
■ The configurations performed on the server and the client must be the same.
■ A client with NTP authentication enabled synchronizes only to a server that can provide a trusted key.
Configuring NTP authentication on the server
Table 546 Configure NTP authentication on the server
Operation: Enter system view
Command: system-view
Description: -
Operation: Enable NTP authentication
Command: ntp-service authentication enable
Description: Required. By default, NTP authentication is disabled.
Operation: Configure an NTP authentication key
Command: ntp-service authentication-keyid key-id authentication-model md5 key-value
Description: Required. By default, no NTP authentication key is configured.
Operation: Configure
Description: Required
Table 547 Configure optional NTP parameters
Operation: Configure the local clock as the NTP master clock
Command: ntp-service refclock-master [ ip-address ] [ stratum ]
Description: Optional
Operation: Configure the local interface that sends NTP packets
Command: ntp-service source-interface interface-type interface-number
Operation: Configure the number of sessions that can be established locally
Command: ntp-service max-dynamic-sessions number
Operation: Enter VLAN interface view
Command: interface interface-type inte
Configuration Example
NTP Server Mode Configuration
Network requirements
Configure the local clock of Switch 7750 Family-1 to be the NTP master clock, with stratum 2. Switch 7750 Family-2 operates in client mode, with Switch 7750 Family-1 as the time server. Switch 7750 Family-1 operates in server mode automatically.
Network diagram
Figure 180 Network diagram for the NTP server mode configuration (1.0.1.12/24, 1.0.1.
[Switch 7750 Family-2] display ntp-service status
 Service status: enabled
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 1.0.1.11
 Nominal frequence: 250.0000 Hz
 Actual frequence: 249.9992 Hz
 Clock precision: 2^19
 Clock offset: 0.66 ms
 Root delay: 27.47 ms
 Root dispersion: 208.39 ms
 Peer dispersion: 9.63 ms
 Reference time: 17:03:32.022 UTC Thu Sep 6 2001 (BF422AE4.
Network diagram
Figure 181 Network diagram for NTP peer mode configuration (Switch 7750 2 at 3.0.1.31/24; Switch 7750 3 and Switch 7750 at 3.0.1.32/24 and 3.0.1.33/24)
Configuration procedures
1 Configure Switch 7750.
# Set Switch 7750 2 to be the time server.
system-view
[Switch 7750 Family] ntp-service unicast-server 3.0.1.31
2 Configure Switch 7750 3 (after Switch 7750 is synchronized with Switch 7750 2).
# Enter system view.
The output indicates that Switch 7750 is synchronized to Switch 7750 3 and that the stratum of its local clock is 2, one stratum higher than Switch 7750 3.
# View the information about the NTP sessions of Switch 7750; you can see that a connection is established between Switch 7750 and Switch 7750 3.
# Enter system view.
system-view
[Switch 7750-1]
# Enter VLAN-interface 2 view.
[Switch 7750-1] interface Vlan-interface 2
[Switch 7750-1-Vlan-Interface2]
# Configure Switch 7750-1 to be a broadcast client.
[Switch 7750-1-Vlan-Interface2] ntp-service broadcast-client
3 Configure Switch 7750-2
# Enter system view.
system-view
[Switch 7750-2]
# Enter VLAN-interface 2 view.
# View the information about the NTP sessions of Switch 7750-1; you can see that a connection is established between Switch 7750-1 and Switch 7750-3.
[Switch 7750-1] display ntp-service sessions
 source          reference       stra reach poll now offset delay  disper
 **************************************************************************
 [1]3.0.1.31     127.127.1.0     2    1     64   377 26.1   199.53 9.
# Enter VLAN-interface 2 view.
[Switch 7750-1] interface Vlan-interface 2
# Configure Switch 7750-1 to be a multicast client.
[Switch 7750-1-Vlan-interface2] ntp-service multicast-client
3 Configure Switch 7750-2.
# Enter system view.
system-view
[Switch 7750-2]
# Enter VLAN-interface 2 view.
[Switch 7750-2] interface Vlan-interface 2
# Configure Switch 7750-2 to be a multicast client.
NTP Server Mode with Authentication Configuration
Network requirements
The local clock of Switch 7750-1 operates as the NTP master clock, with stratum 2. Switch 7750-2 operates in client mode with Switch 7750-1 as the time server. Switch 7750-1 operates in server mode automatically. NTP authentication is enabled on both sides.
Network diagram
Figure 184 Network diagram for NTP server mode with authentication configuration (1.0.1.12/24, 1.0.1.
[Switch 7750-1] ntp-service authentication-keyid 42 authentication-model md5 aNiceKey
# Specify the key as a trusted key.
[Switch 7750-1] ntp-service reliable authentication-keyid 42
After the above configuration, Switch 7750-2 can be synchronized to Switch 7750-1. You can view the status of Switch 7750-2 after synchronization.
[Switch 7750-2] display ntp-service status
 Service status: enabled
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 1.0.1.
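What the ntp-service authentication-keyid and ntp-service reliable authentication-keyid commands above (and the rules listed under "Configuring NTP Authentication") amount to on the wire is the keyed-MD5 message authentication code of RFC 1305: a 32-bit key identifier followed by MD5(key || 48-byte NTP header) appended to every packet. The following is an added example, not code from the 3Com guide, that builds such a packet, signs it as the server would, and verifies it as a client that only trusts certain key identifiers. It assumes the switch uses the standard RFC 1305 MAC layout (it must, to interoperate); key id 42 and the key aNiceKey come from the configuration above, and the header fields are constructed for the example.

```python
# Added example (not from the 3Com guide): keyed-MD5 NTP authentication as
# enabled by the commands above. Assumes the standard RFC 1305/5905 MAC
# layout: 32-bit key id + MD5(key || 48-byte header). Key id 42 / aNiceKey
# are the values from the configuration; header contents are constructed.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # bytes; the MAC follows the header
MAC_LEN = 4 + 16      # 32-bit key id + 16-byte MD5 digest


def build_ntp_header(stratum, tx_timestamp, version=3, mode=4):
    """Build a 48-byte NTP header (mode 4 = server reply, version 3 as in RFC 1305)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # LI/VN/mode, stratum, poll, precision
    head += struct.pack("!II", 0, 0)                            # root delay, root dispersion
    head += b"LOCL"                                             # reference id (local clock)
    head += struct.pack("!QQQQ", 0, 0, 0, tx_timestamp)         # reference/originate/receive/transmit
    return head


def sign_ntp(header, key_id, key):
    """Append the MAC that a server with 'ntp-service authentication enable' adds."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp(packet, trusted_keys):
    """Client-side check: accept only a packet whose MAC verifies under a trusted key.

    trusted_keys maps key id -> key bytes, i.e. the keys declared with
    'ntp-service reliable authentication-keyid'. Unsigned packets, packets
    under an unknown key id and packets whose digest does not match are all
    rejected, which is the behaviour the guide describes as being
    "only synchronized to a server that can provide a trusted key".
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    key_id, = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


TRUSTED = {42: b"aNiceKey"}   # key id and key from the configuration above

if __name__ == "__main__":
    reply = sign_ntp(build_ntp_header(2, 0xBF422AE4 << 32), 42, b"aNiceKey")
    print("genuine reply accepted:", verify_ntp(reply, TRUSTED))
    forged = bytearray(reply)
    forged[1] = 1                       # attacker rewrites the stratum field
    print("tampered reply accepted:", verify_ntp(bytes(forged), TRUSTED))
```

The MAC authenticates the header but does not encrypt it, and MD5 is the only algorithm the switch offers; the shared key is therefore the whole of the protection and must be distributed out of band and kept out of configuration listings that other people can read.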
67 SSH TERMINAL SERVICES
SSH Terminal Services
Introduction to SSH
Secure Shell (SSH) provides confidentiality and strong authentication, protecting against attacks such as IP address spoofing and plaintext password interception when users log in to the switch remotely over an insecure network. As an SSH server, a switch can serve multiple SSH clients; as an SSH client, a switch can establish SSH connections to switches or UNIX hosts that run an SSH server.
Figure 186 Establish SSH channels through a WAN (a local switch acting as SSH client on a local Ethernet with workstations, laptops, PCs and a server, connected over a WAN to a remote switch acting as SSH server on a remote Ethernet)
The communication process between the server and the client includes these five stages:
1 Version negotiation stage. These operations are completed at this stage:
■ The client sends a TCP connection request to the server.
■ The server authenticates the username information from the client. If the user is configured for no authentication on the server, the authentication stage is skipped and the session request stage starts directly.
■ The server authenticates the credentials presented by the client until authentication succeeds or the connection is closed because of an authentication timeout. SSH supports two authentication types: password authentication and RSA authentication.
Table 549 Configure the SSHv2.0 server
Configuration: Set the SSH authentication timeout time
Keyword: ssh server timeout
Configuration: Set the SSH authentication retry times
Keyword: ssh server authentication-retries
Configuration: Set the update interval for the server key
Keyword: ssh server rekey-interval
Configuration: Specify that the server is compatible with SSHv1.x clients.
use the display rsa local-key-pair public command to display the generated key pairs. After you run the rsa local-key-pair command, the system prompts you to define the key length.
■ In SSHv1.x, the key length is in the range 512 to 2,048 bits.
■ In SSHv2.0, the key length is in the range 768 to 2,048 bits.
Choose the maximum, 2,048 bits: shorter RSA keys are no longer considered adequate.
Table 553 Configure authentication type
Operation: Configure the authentication type for SSH users
Command: ssh user username authentication-type { password | rsa | password-publickey | all }
Description: Optional. By default, the system does not specify an available authentication type for SSH users, that is, they cannot access the switch.
Note:
■ Use the ssh authentication-type default command to configure the default authentication type for all users.
Table 554 Configure server SSH attributes
Operation: Set the SSH server to be compatible with SSHv1.x clients
Command: ssh server compatible-ssh1x enable
Description: Optional. By default, the SSH server is compatible with SSHv1.x clients. Unless SSHv1.x clients are actually required, disable this compatibility: SSHv1 is an obsolete protocol with weak integrity protection.
Configuring client public keys
You can configure RSA public keys for client users on the switch and specify the corresponding RSA private keys on the client. The client keys are generated randomly by the SSHv2.0 client software.
SSH Client Configuration
Configuration prerequisites
Make sure that the SSH server is configured. Refer to “SSH Server Configuration” for details.
Configure the device as an SSH client
When a device operating as an SSH client connects to a server, you can specify whether the SSH client performs first authentication of the SSH server to be accessed, that is, whether it accepts and saves the server's public key on the first connection instead of requiring the key to be known in advance.
Table 557 Configure a device as an SSH client
Operation: Connect the SSH client to the SSH server, and specify the preferred key exchange algorithm, the preferred encryption algorithm and the preferred HMAC algorithm for the SSH client and the SSH server
Command: ssh2 { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 |
Description: Required. Prefer aes128 over des and sha1 over md5 where the peer supports them.
Note: If the local RSA key pair has been generated in previous operations, skip this step.
2 Set the authentication type. Settings for the two authentication types are described respectively in the following:
■ Password authentication
# Set AAA authentication on the user interfaces.
[SW7750] user-interface vty 0 4
[SW7750-ui-vty0-4] authentication-mode scheme
# Set the user interfaces to support SSH.
# Start the SSH client software on the host that stores the RSA private keys, and make the corresponding configuration to establish an SSH connection.
SSH Client Configuration Example
Network requirements
As shown in Figure 188:
■ Switch A serves as an SSH client, with user name client003.
■ Switch B serves as an SSH server, with IP address 10.1.1.3.
Network diagram
Figure 188 Network diagram for SSH client configuration (Switch B, SSH server, IP address 10.165.87.
[SW7750] ssh2 10.1.1.3
username: client003
Username: 123
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
The Server is not authenticated. Do you continue access it?(Y/N):y
Do you want to save the server’s public key?(Y/N):y
Enter password:
**************************************************************************
* Copyright(c) 1998-2006 3Com Corporation Co., Ltd. All rights reserved.
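The two prompts in the session above ("The Server is not authenticated" and "save the server's public key?") are the first-authentication step described under "Configure the device as an SSH client": the client has no record of Switch B's key, so it can either trust it now or refuse. The following is an added example, not code from the 3Com guide, showing the trust-on-first-use logic as a small host-key store in Python. The key blobs and host names are constructed for the example; a real client takes the blob from the key exchange.

```python
# Added example (not from the 3Com guide): trust-on-first-use host-key store
# modelling the "Server is not authenticated" / "save the server's public
# key?" prompts. Key blobs and host names are constructed for the example.
import base64
import hashlib
import hmac


def fingerprint(pubkey_blob):
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Host -> fingerprint store with trust-on-first-use semantics."""

    def __init__(self):
        self._store = {}

    def check(self, host, pubkey_blob, accept_unknown):
        """Return 'match', 'new', 'unknown' or 'mismatch'.

        accept_unknown models answering Y to the prompts above: an unseen
        host is recorded and 'new' is returned; with accept_unknown False
        the connection is refused as 'unknown'. A mismatch is never
        auto-accepted and never overwrites the stored key: a changed key
        means either a legitimate re-key of the switch or an on-path
        attacker, and only an out-of-band check can tell which.
        """
        fp = fingerprint(pubkey_blob)
        known = self._store.get(host)
        if known is None:
            if not accept_unknown:
                return "unknown"
            self._store[host] = fp
            return "new"
        if hmac.compare_digest(known, fp):
            return "match"
        return "mismatch"


if __name__ == "__main__":
    # Constructed key material standing in for Switch B's RSA public key.
    switch_b_key = b"ssh-rsa constructed-key-of-switch-b"
    impostor_key = b"ssh-rsa constructed-key-of-an-impostor"
    kh = KnownHosts()
    print("first connection:", kh.check("10.1.1.3", switch_b_key, accept_unknown=True))
    print("second connection:", kh.check("10.1.1.3", switch_b_key, accept_unknown=True))
    print("impostor:", kh.check("10.1.1.3", impostor_key, accept_unknown=True))
```

Before answering Y at the first prompt, compare the fingerprint with what Switch B's administrator reads from display rsa local-key-pair public on the server itself; answering Y blindly on an untrusted network gives an on-path attacker the same standing as the real switch for every later connection.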
Enabling the SFTP server
Table 560 Enable the SFTP server
Operation: Enter system view
Command: system-view
Description: -
Operation: Enable the SFTP server
Command: sftp server enable
Description: Required. By default, the SFTP server is not enabled.
SFTP Client Configuration
Table 562 Enable the SFTP client
Operation: Enter system view
Command: system-view
Description: -
Operation: Enable the SFTP client
Command: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*
Description: Required
Disabling the SFTP client
Table 563 Disable the SFTP client
Ope
Table 565 Operate with SFTP files
Operation: Enter system view
Command: system-view
Operation: Enter SFTP client view
Command: sftp { host-ip | host-name }
Operation: Change the name of a file on the remote SFTP server
Command: rename old-name new-name
Description: Optional
Operation: Download a file from the remote SFTP server
Command: get remote-file [ local-file ]
Operation: Upload a file to the remote SFTP server
Command: put local-file [ remote-file ]
Operation: Display the list of the files in a directory
Command: dir [ remote-path ] or ls [ remote-path ]
Description: Optional
Operation: delete
Network diagram
Figure 189 Network diagram for SFTP configuration (Switch B, SFTP server, IP address 10.111.27.91; Switch A, SFTP client; PC)
Configuration procedure
1 Configure Switch B (SFTP server)
# Enable the SFTP server.
[SW7750] sftp server enable
# Specify the SFTP service for SSH user abc.
[SW7750] ssh user abc service-type sftp
2 Configure Switch A (SFTP client)
# Establish a connection to the remote SFTP server and enter SFTP client view.
[SW7750] sftp 10.111.
# Create directory new1 and verify the operation.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 vrpcfg.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
# Change the name of directory new1 to new2 and verify the operation.
68 FILE SYSTEM MANAGEMENT

Note: You can provide the directory argument in the following two ways in this chapter.
■ In the form of [drive] [path]. In this case, the argument can be a string containing 1 to 64 characters.
■ By specifying the name of a storage device, such as flash:/ and cf:/.

You can provide the file-url argument in the following two ways in this chapter.
■ In the form of [drive] [path] [file name]. In this case, the argument can be a string containing 1 to 64 characters.
CHAPTER 68: FILE SYSTEM MANAGEMENT

Table 567
  Operation                             | Command    | Description
  Enter the root directory of a CF card | cd cf:     | Required
  Disable a CF card                     | umount cf: | Required

Note: Currently, only the 96Gbps Switch Fabric (3C16886) supports a Compact Flash (CF) card. The operations listed in Table 568 are available in the directories on a CF card.
File System Configuration

Table 570 File-related operations
  Operation              | Command                         | Description
  Delete a file          | delete [ /unreserved ] file-url | Optional. A deleted file can be restored if you delete it by executing the delete command with the /unreserved keyword not specified. You can use the undelete command to restore a deleted file of this kind.
  Restore a deleted file | undelete                        | Optional. This operation can only restore files deleted with the /unreserved keyword not specified.
Table 571 Storage device-related operations
  Operation                | Command        | Description
  Format a storage device  | format device  | Required
  Restore a storage device | fixdisk device | Optional

Prompt Mode Configuration

You can set the file system prompt mode to alert or quiet. In alert mode, the file system prompts for confirmation when you perform irreversible operations (such as deleting a file completely or overwriting a file).
File System Configuration

  5  drw-       -  Apr 10 2005 19:07:59  dd
  6  -rw-   11779  Apr 05 2006 10:23:03  test.bak
  7  -rw-   19307  Apr 16 2006 11:15:55  1.txt
  8  -rw-      66  Apr 05 2006 11:32:28  temp1
  9  drw-       -  Apr 25 2006 16:27:46  test

31877 KB total (15876 KB free)

dir flash:/test/
Directory of flash:/test/

  0  -rw-    3980  Apr 25 2006 16:33:21

31877 KB total (15869 KB free)

# Enter directory test.
cd test

# Rename 1.cfg as c.cfg.
rename 1.cfg c.cfg
%Renamed file flash:/1.cfg to flash:/c.cfg.
69 BIMS CONFIGURATION

Introduction to BIMS

Basic Principles and Functions of BIMS

To manage a network device through SNMP or Telnet, you need to know its IP address. This is difficult, however, when the device obtains its address through DHCP or when it resides behind a NAT device. The branch intelligent management system (BIMS) was developed to address this, delivering automatic configuration file and application updates. BIMS comprises the BIMS center side and the device side.
CHAPTER 69: BIMS CONFIGURATION

5 Using the obtained URL, the device requests the device file from the BIMS center.
6 The device verifies the device software obtained from the BIMS center and updates the local copy. Then the device sends an acknowledgement to the BIMS center.
7 Upon receipt of the acknowledgement, the BIMS center logs the event and sends back a response.

BIMS Device Configuration Tasks

Basic Configuration of BIMS Device

CAUTION: BIMS is a convenient management tool.
Configuring BIMS Access Mode

CAUTION: The same port number must be configured on the BIMS device and on the BIMS center.

Enabling BIMS Device to Access BIMS Center upon Power-on

After you make the following configuration, the BIMS device can access the BIMS center after it is powered on and initialized.
  Operation | Command | Description
  Configure the BIMS device to access the BIMS center at the specified time | bims specify-time start-time [ [ end-time ] period numberdays ] | Optional. By default, no specific time at which the BIMS device accesses the BIMS center is configured. If desired, configure the device to access the BIMS center from then on at regular intervals.
BIMS Configuration Example

Note: For detailed configuration procedures, refer to the part discussing the BIMS component in 3Com’s Network Management System User Manual.

2 Configure the BIMS device

# Enter system view.
system-view

# Enable BIMS.
[SW7750] bims enable
bims is enable

# Assign the device a unique identifier ar18-20-907.
[SW7750] bims device-id ar18-20-907

# Configure the shared key used between the BIMS center and device.
[SW7750] bims specify-time 12:10 2005/05/01 23:50 2005/10/01 period 2
70 FTP AND TFTP CONFIGURATION

FTP Configuration

Introduction to FTP

FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command lines, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its strongholds. As an application layer protocol, FTP is used for file transfer between a remote server and a local host.
CHAPTER 70: FTP AND TFTP CONFIGURATION

Table 578 Configurations needed when a switch operates as an FTP server
  Device | Configuration                                                                   | Default | Description
  PC     | Log into a switch operating as an FTP server through an FTP client application. | -       |

CAUTION: The FTP-related functions require that the route between the FTP client and the FTP server is reachable.

■ FTP client: A switch can operate as an FTP client, through which you can access files on FTP servers.
FTP Configuration

Configuration procedure

Table 580 Configure an FTP server
  Operation                      | Command             | Description
  Enter system view              | system-view         | -
  Enable the FTP server function | ftp server enable   | Required. By default, the FTP server function is disabled.
  Set the connection idle time   | ftp timeout minutes | Optional. The default connection idle time is 30 minutes.

Note:
■ Only one user can access the Switch 7750 at a given time when the latter operates as an FTP server.
Configuration Example: A Switch Operating as an FTP Server

Network requirements

A switch operates as an FTP server and a remote PC as an FTP client.
■ Create a user account on the FTP server with the user name "switch" and password "hello". The work directory assigned for FTP clients is the root directory of the flash.
■ Configure the IP address 1.1.1.1 for a VLAN interface on the switch, and 2.2.2.2 for the PC. Ensure the route between the two is reachable.
FTP Configuration

# Access the Ethernet switch through FTP. Input the user name "switch" and password "hello" to log in and enter FTP view.
C:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User (1.1.1.1:(none)): switch
331 Password required for switch.
Password:
230 User logged in.
ftp>

# Upload the switch.app file.
ftp> put switch.app
200 Port command okay.
150 Opening ASCII mode data connection for switch.app.
226 Transfer complete.

# Download the vrpcfg.cfg file.
ftp> get vrpcfg.
Table 582 Basic FTP client configuration
  Operation                                     | Command                            | Description
  Enter FTP client view                         | ftp [ ftp-server [ port-number ] ] |
  Specify to transfer files in the ASCII mode   | ascii                              | Optional. By default, files are transferred in ASCII characters.
  Specify to transfer files in the binary mode  | binary                             | Optional
  Specify to transfer files in the passive mode | passive                            | Optional. By default, the passive mode is adopted.
FTP Configuration

Table 582 Basic FTP client configuration (continued)
  Operation                   | Command   | Description
  Enable debugging for FTP    | debugging | Optional
  Enable the verbose function | verbose   | Optional. The verbose function is enabled by default.

Configuration Example: A Switch Operating as an FTP Client

Network requirements

A switch operates as an FTP client and a remote PC as an FTP server.
ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(none):switch
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

# Run the put command to upload the configuration file named vrpcfg.cfg to the FTP server.
[ftp] put vrpcfg.cfg

# Run the get command to download the file named switch.app to the flash of the switch.
[ftp] get switch.
TFTP Configuration

■ Before performing TFTP-related configurations, you need to configure IP addresses for the TFTP client and the TFTP server, and make sure the route between the two is reachable.
■ A switch can only operate as a TFTP client.

Figure 193 Network diagram for TFTP configuration (switch and PC connected across the network)

Table 583 describes the operations needed when a switch operates as a TFTP client.
Table 584 Basic TFTP configurations
  Operation                                                                  | Command                    | Description
  Specify the ACL adopted when a switch attempts to connect to a TFTP server | tftp-server acl acl-number | Optional

TFTP Configuration Example

Network requirements

A switch operates as a TFTP client and a PC as the TFTP server.
■ The TFTP work directory is configured on the TFTP server.
■ The IP address of a VLAN interface on the switch is 1.1.1.1.
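The FTP, SFTP and TFTP settings in this chapter and in the SFTP section of Chapter 67 are the ones a reviewer checks first when auditing a switch configuration. The script below is an added example, not code from the 3Com guide or the switch: it reads configuration lines in the command syntax documented on these pages (ftp server enable, sftp server enable, ssh user ... service-type sftp, tftp-server acl, info-center loghost, and the prefer_* options of the sftp client command) and reports clear-text FTP, an SFTP user without the SFTP server, no ACL restricting TFTP servers, no log host, and DES or MD5 preferred for an SFTP session. Both sample configurations are constructed; the ACL number 2000 is an assumption.

```python
"""Audit a Switch 7750 configuration for file-transfer weak spots.

Added example, not code from the 3Com guide or the switch. The two
configurations below are constructed for the demonstration.
"""
import re

# Constructed sample: running-configuration lines plus one SFTP client
# invocation taken from a (hypothetical) operator runbook.
WEAK_CONFIG = """\
 sysname SW7750
 ftp server enable
 ftp timeout 30
 ssh user abc service-type sftp
 info-center enable
 info-center loghost 202.38.1.10 facility local7 language english
 sftp 10.111.27.91 prefer_ctos_cipher des prefer_stoc_hmac md5
"""

# Constructed hardened counterpart: SFTP instead of FTP, TFTP servers limited
# by ACL 2000 (the number is an assumption), AES and SHA-1 preferred for SFTP.
HARDENED_CONFIG = """\
 sysname SW7750
 sftp server enable
 ssh user abc service-type sftp
 tftp-server acl 2000
 info-center loghost 202.38.1.10 facility local7 language english
 sftp 10.111.27.91 prefer_ctos_cipher aes128 prefer_stoc_cipher aes128 prefer_ctos_hmac sha1 prefer_stoc_hmac sha1
"""

WEAK_CIPHERS = {"des"}
WEAK_HMACS = {"md5", "md5_96"}
CIPHER_OPTS = ("prefer_ctos_cipher", "prefer_stoc_cipher")
HMAC_OPTS = ("prefer_ctos_hmac", "prefer_stoc_hmac")


def sftp_client_options(line):
    """Return {option: value} for the prefer_* options of an 'sftp host ...' line."""
    toks = line.split()
    return {toks[i]: toks[i + 1]
            for i in range(2, len(toks) - 1) if toks[i].startswith("prefer_")}


def audit(config_text):
    """Return a list of (severity, code, message) findings; empty means clean."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "ftp server enable" in lines:
        findings.append(("high", "FTP_PLAINTEXT",
                         "FTP server enabled: logins and files cross the network in clear text; use the SFTP server"))
    sftp_users = any(re.match(r"ssh user \S+ service-type sftp$", ln) for ln in lines)
    if sftp_users and "sftp server enable" not in lines:
        findings.append(("medium", "SFTP_NOT_ENABLED",
                         "SSH user has service-type sftp but 'sftp server enable' is missing"))
    if not any(re.match(r"tftp-server acl \d+$", ln) for ln in lines):
        findings.append(("medium", "NO_TFTP_ACL",
                         "no tftp-server acl: the switch may fetch files from any TFTP server"))
    if not any(ln.startswith("info-center loghost ") for ln in lines):
        findings.append(("medium", "NO_LOGHOST",
                         "no info-center loghost: events are not exported to a log host"))
    for ln in lines:
        # SFTP client invocations: 'sftp <host> [options]', not 'sftp server enable'
        if ln.startswith("sftp ") and ln != "sftp server enable":
            opts = sftp_client_options(ln)
            for opt in CIPHER_OPTS:
                if opts.get(opt) in WEAK_CIPHERS:
                    findings.append(("high", "WEAK_SFTP_CIPHER",
                                     f"{opt} {opts[opt]}: single DES preferred for the session"))
            for opt in HMAC_OPTS:
                if opts.get(opt) in WEAK_HMACS:
                    findings.append(("medium", "WEAK_SFTP_HMAC",
                                     f"{opt} {opts[opt]}: MD5-based integrity check preferred"))
    return findings


if __name__ == "__main__":
    for sev, code, msg in audit(WEAK_CONFIG):
        print(f"[{sev}] {code}: {msg}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The script only knows the commands shown in this guide; on a real dump it should be run against the output of the switch's configuration display command, and the ACL it expects for TFTP must of course exist and permit only the intended server.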
TFTP Configuration

# Use the boot boot-loader command to specify the downloaded file (switch.app) as the startup file used when the switch starts the next time, and restart the switch. The switch application is thus upgraded.
boot boot-loader switch.app
reboot

Note: For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
71 INFORMATION CENTER

Information Center Overview

The information center is an indispensable part of Ethernet switches and acts as the information hub of the system software modules. It manages most information output: it sorts information carefully and can therefore filter it efficiently. Combined with the debugging program (debugging commands), it provides powerful support for network administrators and developers in network operation monitoring and fault diagnosis.
CHAPTER 71: INFORMATION CENTER

Note that a space separates the time stamp and host name.

3 Host name
It refers to the system name of the host, which is "3Com" by default. You can modify the host name with the sysname command. Refer to the System Maintaining and Debugging part of the manual for detailed operations. Note that a space separates the host name and module name.

4 Module name
It indicates the module that generated the information.
Information Center Overview

Table 585 Modules generating information
  Module name | Description
  IFNET       | Interface management module
  IGSP        | IGMP snooping module
  IP          | Internet protocol module
  IPX         | IPX protocol module
  ISIS        | Intermediate system-to-intermediate system intra-domain routing information exchange protocol module
  L2INF       | Layer 2 interface management module
  LACL        | Lanswitch access control list module
  LARP        | Address Resolution protocol module
  LETH        | Ethernet debugging module
  LINKAGG     | Link aggregation
Table 585 Modules generating information (continued)
  Module name | Description
  UDPH        | UDP helper module
  USERLOG     | User log module
  VFS         | Virtual file system module
  VLAN        | Virtual local area network module
  VRRP        | VRRP (virtual router redundancy protocol) module
  VTY         | VTY (virtual type terminal) module
  default     | Default settings for all the modules

Note that a slash (/) separates the module name and severity level.
Information Center Configuration

Note: The above section describes the format of log information sent to a log server by a switch. Some log server software resolves the received information and its format, so the log format displayed on the log server may differ from the one described in this manual.
Table 588 Enable information output to a log host
  Operation | Command | Description
  Enable information output to a log host | info-center loghost host-ip-addr [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] * | Required. By default, the switch does not output information to the log host. After you configure the switch to output information to the log host, the switch uses information channel 2 by default.
Information Center Configuration

Table 589 Enable information output to the console
  Operation                    | Command                                                                 | Description
  Set the format of time stamp | info-center timestamp { log | trap | debugging } { boot | date | none } | Optional

To view debugging/log/trap output information on the console, you should also enable the corresponding debugging/log/trap information terminal display on the switch.
Table 591 Enable information output to a monitor terminal
  Operation                    | Command | Description
  Define an information source | info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state state } ]* | Required
  Set the format of time stamp | info-center timestamp { log | trap | debugging } { boot | date | none } | Optional. This sets the time stamp format for log/debugging/trap information output.
Information Center Configuration

Table 592 Enable debugging/log/trap terminal display
  Operation                                         | Command           | Description
  Enable trap information terminal display function | terminal trapping | Optional. By default, trap information terminal display is enabled for terminal users.

Enabling Information Output to the Log Buffer

Table 593 lists the related configurations on the switch.
Table 594 Enable information output to the trap buffer
  Operation | Command | Description
  Enable information output to the trap buffer | info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* | Optional. By default, the switch uses information channel 3 to output
  Define an information source | info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state state } ]* | Required
Displaying and Debugging Information Center Configuration

■ To view debug information of specific modules, you need to set the information type to debug in the info-center source command, and also enable debugging on the corresponding modules with the debugging command.
■ To send information to a remote SNMP workstation properly, related configurations are required on both the switch and the SNMP workstation.
Network diagram

Figure 195 Network diagram for log output to a Unix log host (switch and PC connected across the network)

Configuration procedure

1 Configure the switch:

# Enable the information center.
system-view
[SW7750] info-center enable

# Disable for all modules the function of outputting information to log host channels.
[SW7750] undo info-center source default channel loghost

# Configure the host whose IP address is 202.38.1.10 as the log host.
Information Center Configuration Examples

■ No space is allowed at the end of a file name.
■ The facility and received log information severity level specified in the file "/etc/syslog.conf" must be the same as the corresponding parameters configured with the info-center loghost and info-center source commands. Otherwise, log information may not be output to the log host normally.

Step 3: After the log file "information" is created and the file "/etc/syslog.
[SW7750] info-center loghost 202.38.1.10 facility local7 language english
[SW7750] info-center source default channel loghost log level errors debug state off trap state off

2 Configure the log host:

Step 1: Execute the following commands as the superuser (root user).
# mkdir /var/log/3Com
# touch /var/log/3Com/information

Step 2: Edit the file "/etc/syslog.conf" as the superuser (root user) to add the following selector/action pair.
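The two notes about the log host (the facility and severity level in /etc/syslog.conf must be the same as those given to info-center loghost and info-center source, and no space may follow the file name) are easy to get wrong and fail silently: syslogd simply discards what it is not configured to accept. The script below is an added example, not code from the 3Com guide: it parses the switch's info-center lines and the log host's syslog.conf rules and reports any disagreement. The switch severity names other than errors, and the syslog.conf priority names, are assumed from the two systems' standard vocabularies; the switch configuration and the two syslog.conf fragments are constructed.

```python
"""Check that a Unix log host's /etc/syslog.conf agrees with the switch's
info-center loghost / info-center source settings.

Added example, not code from the 3Com guide. Severity and priority tables
are assumed from the standard vocabularies; samples are constructed.
"""
import re

# Switch severity names (only 'errors' appears in the guide's example).
SWITCH_SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                   "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# syslog.conf priority names and their common aliases.
SYSLOG_PRIORITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
                   "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed switch configuration, mirroring the example above.
SWITCH_CONFIG = """\
info-center enable
info-center loghost 202.38.1.10 facility local7 language english
info-center source default channel loghost log level errors debug state off trap state off
"""

# Constructed /etc/syslog.conf fragments: one consistent with the switch, one
# with a stricter priority and a trailing space after the file name.
GOOD_SYSLOG_CONF = "local7.err\t/var/log/3Com/information\n"
BAD_SYSLOG_CONF = "local7.crit\t/var/log/3Com/information \n"


def parse_switch(config_text):
    """Return (facility, level) from the info-center loghost and source lines."""
    facility = level = None
    for ln in config_text.splitlines():
        m = re.match(r"\s*info-center loghost \S+.*\bfacility (local\d)", ln)
        if m:
            facility = m.group(1)
        m = re.match(r"\s*info-center source \S+ channel loghost .*\blog level (\w+)", ln)
        if m:
            level = m.group(1)
    return facility, level


def parse_syslog_conf(text):
    """Return [(facility, priority, action, trailing_space)] per selector of each rule."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        if not line.strip():
            continue
        parts = line.split(None, 1)          # selector(s), then the action
        if len(parts) != 2:
            continue
        selectors, action = parts
        trailing_space = action != action.rstrip()
        for sel in selectors.split(";"):     # 'fac1,fac2.prio;fac3.prio'
            facs, _, prio = sel.rpartition(".")
            for fac in facs.split(","):
                entries.append((fac, prio, action.strip(), trailing_space))
    return entries


def check(switch_config, syslog_conf):
    """Return a list of problems; an empty list means the two sides agree."""
    facility, level = parse_switch(switch_config)
    if facility is None or level is None:
        return ["switch: loghost facility or channel loghost log level not configured"]
    want = SWITCH_SEVERITY[level]
    problems, matched = [], False
    for fac, prio, action, trailing_space in parse_syslog_conf(syslog_conf):
        if fac not in (facility, "*") or prio == "none":
            continue
        if trailing_space:
            problems.append(f"{action}: space after the file name")
        have = SYSLOG_PRIORITY.get(prio)
        if have is None:
            problems.append(f"{fac}.{prio}: unknown priority")
            continue
        matched = True
        if have < want:
            problems.append(f"{fac}.{prio} is stricter than switch level {level}: "
                            f"{level} messages are discarded by syslogd")
        elif have > want:
            problems.append(f"{fac}.{prio} is not the same threshold as switch level {level}")
    if not matched:
        problems.append(f"no selector for facility {facility} in syslog.conf")
    return problems


if __name__ == "__main__":
    print("good:", check(SWITCH_CONFIG, GOOD_SYSLOG_CONF))
    print("bad: ", check(SWITCH_CONFIG, BAD_SYSLOG_CONF))
```

Run it with the real configuration text and the real /etc/syslog.conf; a stricter syslog.conf priority is the case that loses messages, so it is reported separately from a merely looser one.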
Information Center Configuration Examples

Network diagram

Figure 197 Network diagram for log output to the console (switch with a console connection)

Configuration procedure

# Enable the information center.
system-view
[SW7750] info-center enable

# Disable for all modules the function of outputting information to the console channels.
[SW7750] undo info-center source default channel console

# Enable log information output to the console.
72 DNS CONFIGURATION

DNS Overview

The domain name system (DNS) is a distributed database system that provides domain name-to-IP address mappings for TCP/IP applications. With DNS, users of IP applications can directly use meaningful, easy-to-remember domain names, which DNS servers resolve and map to the corresponding IP addresses. There are two types of DNS resolution, “Static DNS Resolution” and “Dynamic DNS Resolution”.
CHAPTER 72: DNS CONFIGURATION

Figure 198 Dynamic DNS resolution (the user program sends a request to the resolver and receives its response; the resolver sends a request to the DNS server and receives its response, saving results to and reading them from the cache; the resolver and the cache together form the DNS client)

Figure 198 shows the relationship between the user program, the DNS client and the DNS server. The resolver and the cache compose the DNS client. The user program runs on the same machine as the DNS client, while the DNS server and the DNS client must run on different machines.
Configuring Static DNS Resolution

Note: If you have configured aliases for domain names on the DNS server, the Ethernet switch can resolve a host IP address according to its alias.

Table 597 Configure static DNS resolution
  Operation                               | Command                     | Description
  Enter system view                       | system-view                 | -
  Add a hostname-to-address mapping entry | ip host hostname ip-address | Required. There is no entry in the static DNS list by default.
Network diagram

Figure 199 Network diagram for dynamic DNS resolution (DNS client S6506, DNS server, host1 at 3.1.1.1/16 and the Internet; addresses shown in the figure: 2.1.1.2/16, 2.1.1.1/16, 1.1.1.1/16, 3.1.1.1/16)

Configuration procedure

Note: Before doing the following configuration, suppose the route between the Switch 7757 and host 1 is reachable, the DNS server works normally, and a mapping entry from host 1 to IP address 3.1.1.1/16 exists on the DNS server.

# Enable dynamic DNS resolution.
Table 599 Display and maintain DNS
  Operation                   | Command                | Description
  Clear the dynamic DNS cache | reset dns dynamic-host | Execute the reset command in user view.

Troubleshooting DNS Configuration

Symptom: Dynamic DNS resolution is enabled, but the user cannot get the correct IP address from a domain name.

Analysis: The DNS client needs to be used in conjunction with the DNS server to get the correct IP address through domain name resolution.
73 BOOTROM AND HOST SOFTWARE LOADING

Traditionally, the loading of switch software is accomplished through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can conveniently load software and files to the switch, or download them from it, through an Ethernet port. This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely.
CHAPTER 73: BOOTROM AND HOST SOFTWARE LOADING

******************************************
Copyright (c) 1998-2006 3Com Tech. Co.,Ltd.
All rights reserved.
Creation date : Apr 21 2006, 19:38:53
CPU type : MPC8245
CPU Clock Speed : 300Mhz
BUS Clock Speed : 33Mhz
BOOT_FLASH type : AMD29LV040B
Flash Size : 32MB
Memory Size : 256MB
Switch 7757 main board self testing................................
SDRAM Data lines Selftest.................................OK!
SDRAM Address lines Selftest..................
Local Software Loading

program checks the packet using the agreed method. If the check succeeds, the receiving program sends an acknowledgement character and the sending program proceeds to send the next packet; otherwise, the receiving program sends a negative acknowledgement character and the sending program retransmits the packet.
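The packet-check, acknowledge, negative-acknowledge and retransmit cycle just described is the whole of XMODEM's error recovery, and it is worth seeing both sides of it run. The block below is an added example, not code from the 3Com guide or the switch's BootROM: it frames 128-byte blocks the way XMODEM-CRC does (SOH, block number, its complement, data, CRC-16), lets a simulated channel corrupt chosen transmissions, and shows the receiver answering ACK or NAK and the sender retransmitting until the block is accepted or a retry limit aborts the transfer. The framing constants and the CRC polynomial are the protocol's own; the sample data is constructed.

```python
"""XMODEM-CRC exchange with acknowledgement and retransmission.

Added example, not code from the 3Com guide or the switch firmware.
Sender and receiver run in one process over a simulated channel.
"""

SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15
BLOCK = 128          # XMODEM data block size
PAD = b"\x1a"        # SUB byte used to pad the last block


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(seq, chunk):
    """Frame one block: SOH, seq, 255-seq, 128 data bytes, CRC-16 big-endian."""
    payload = chunk.ljust(BLOCK, PAD)
    header = bytes([SOH, seq & 0xFF, 0xFF - (seq & 0xFF)])
    return header + payload + crc16_xmodem(payload).to_bytes(2, "big")


def check_packet(pkt, expected_seq):
    """Receiver-side check. Returns (True, payload) or (False, b'')."""
    if len(pkt) != 3 + BLOCK + 2 or pkt[0] != SOH:
        return False, b""
    if pkt[1] != expected_seq & 0xFF or pkt[1] + pkt[2] != 0xFF:
        return False, b""
    payload = pkt[3:3 + BLOCK]
    if int.from_bytes(pkt[-2:], "big") != crc16_xmodem(payload):
        return False, b""
    return True, payload


def transfer(data, corrupt_attempts=(), max_retries=10):
    """Run sender and receiver over a channel that corrupts the transmissions
    whose 1-based attempt numbers are in corrupt_attempts. Returns
    (received_bytes, exchange_log); raises after max_retries NAKs on one
    block, which is how a real transfer gives up."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    received = bytearray()
    log = ["rx: C (receiver requests CRC mode)"]
    attempt = 0
    for seq, chunk in enumerate(chunks, start=1):
        retries = 0
        while True:
            attempt += 1
            pkt = build_packet(seq, chunk)
            if attempt in corrupt_attempts:          # bit error on the wire
                pkt = pkt[:10] + bytes([pkt[10] ^ 0xFF]) + pkt[11:]
            ok, payload = check_packet(pkt, seq)
            if ok:
                received += payload
                log.append(f"tx: SOH block {seq}  rx: ACK")
                break
            retries += 1
            log.append(f"tx: SOH block {seq}  rx: NAK (check failed, retransmit)")
            if retries > max_retries:
                raise RuntimeError(f"block {seq}: too many retries, transfer aborted")
    log.append("tx: EOT  rx: ACK")
    # Padding is stripped here; plain XMODEM cannot tell trailing 0x1A data from padding.
    return bytes(received).rstrip(PAD), log


if __name__ == "__main__":
    sample = bytes(range(256)) * 2 + b"tail"       # constructed 516-byte image
    out, exchange = transfer(sample, corrupt_attempts={2})
    print("\n".join(exchange))
    print("image intact:", out == sample)
```

The retry limit is the failure mode to watch for on a real console: a link that keeps NAKing (wrong baud rate, a noisy cable) ends with an aborted transfer, not a partially written image, because the receiver never acknowledges a block it could not verify.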
Step 4: Choose [File/Properties] in HyperTerminal, click in the pop-up dialog box, and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears, as shown in Figure 200 and Figure 201.
Local Software Loading

Step 5: Click the button to disconnect the HyperTerminal from the switch and then click the button to reconnect the HyperTerminal to the switch, as shown in Figure 202.

Figure 202 Connect and disconnect buttons

Note: The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program.

Step 6: Press to start downloading the program.
Figure 204 Sending file page

Step 9: After the download completes, the system displays the following information:
Loading ...CCCCCCCCCC done!

Step 10: Reset HyperTerminal’s baud rate to 9600 bps (refer to Steps 4 and 5). Then, press any key as prompted. The system will display the following information when it completes the loading.
Bootrom updating.....................................
Local Software Loading

Step 2: Enter 3 in the above menu to download the host software using XMODEM. The subsequent steps are the same as those for loading the BootROM software, except that the system gives the prompt for host software loading instead of BootROM loading.

Loading Software Using TFTP through Ethernet Port

Introduction to TFTP

TFTP, a protocol in the TCP/IP protocol suite, is used for trivial file transfer between client and server.
Step 5: Press . The system displays the following information:
Are you sure you want update Fabric bootrom?Yes or No(Y/N)

Step 6: Enter Y to start file downloading or N to return to the Bootrom update menu. If you enter Y, the system begins to download and update the BootROM software. Upon completion, the system displays the following information:
Prepare for loading...OK!
Loading........................................done
Bootrom updating........
Local Software Loading

Step 1: As shown in Figure 206, connect the switch through an Ethernet port to the FTP server, and connect the switch through the Console port to the configuration PC.

Note: You can use one computer as both the configuration device and the FTP server.

Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory.

Step 3: Run the HyperTerminal program on the configuration PC. Start the switch.
Enter 2 in the above menu to download the host software using FTP. The subsequent steps are the same as those for loading the BootROM program, except that the system gives the prompt for host software loading instead of BootROM loading.
Remote Software Loading

Note: When different FTP server software is used on the PC, different information is output to the switch.

Step 2: Update the BootROM program on the Switch Fabric of the switch.
boot bootrom 77503_02_00rc08.btm slot 0
This will update BootRom file on board 0 . Continue? [Y/N] y
Board 0 upgrading BOOTROM, please wait...
Upgrade board 0 BOOTROM succeeded!

Step 3: Restart the switch.
Step 1: As shown in Figure 208, connect the switch through an Ethernet port to the PC (with IP address 10.1.1.1).

Step 2: Configure the IP address of VLAN 1 on the switch as 192.168.0.65, with subnet mask 255.255.255.0.

Note: You can configure the IP address of any VLAN on the switch for FTP transmission. However, before configuring the IP address for a VLAN interface, you have to make sure that the IP addresses of this VLAN interface and the PC are routable to each other.
Remote Software Loading

Figure 210 Switch to BootROM

Step 6: Enter "ftp 192.168.0.65" and enter the user name test and password pass, as shown in Figure 211, to log on to the FTP server.

Figure 211 Log on to the FTP server

Step 7: Use the put command to upload the file to the switch, as shown in Figure 212.
Figure 212 Upload file to the switch

Step 8: Configure 77503_02_00rc08.btm to be the BootROM at reboot, and then restart the switch.
boot bootrom 77503_02_00rc08.btm slot 0
This will update BootRom file on board 0 . Continue? [Y/N] y
Board 0 upgrading BOOTROM, please wait...
Upgrade board 0 BOOTROM succeeded!
reboot

When rebooting, the switch uses the file 77503_02_00rc08.btm as BootROM to finish BootROM loading.
Remote Software Loading

Caution:
■ Switch Fabric software and I/O Module (line processing unit) software must be identical. Otherwise, Switch 7750 Family Ethernet Switches cannot work normally.
■ To keep the software of the Switch Fabric and the I/O Module identical, you need to restart the I/O Module after you upgrade the host software of the Switch Fabric of the Switch 7750 Family Ethernet switches.
■ The Switch 7758 features two Switch Fabrics and the active-standby switchover function.
74 BASIC SYSTEM CONFIGURATION & DEBUGGING

Basic System Configuration

Basic System Configuration Tasks

Table 600 Basic system configuration tasks
  Operation                           | Description | Related section
  Enter system view from user view    | -           | “Entering System View from User View”
  Set the system name of the switch   | Optional    | “Setting the System Name of the Switch”
  Set the date and time of the system | Optiona

Entering System View from User View

Setting the System Name of the Switch

Setting the Date and Time of the System
CHAPTER 74: BASIC SYSTEM CONFIGURATION & DEBUGGING

Setting the Local Time Zone

This configuration task sets the name of the local time zone and the difference between the local time zone and standard UTC (universal time coordinated) time.

Table 604 Set the local time zone
  Operation               | Command                                           | Description
  Set the local time zone | clock timezone zone-name { add | minus } HH:MM:SS | Optional. By default, it is the UTC time zone.

Setting the Summer Time
Returning from Current View to Lower Level View

Table 607 Return from current view to lower level view
  Operation                                   | Command | Description
  Return from current view to lower level view | quit   | This operation will result in exiting the system if the current view is user view.

Returning from Current View to User View

Displaying the System Status
Figure 213 Debugging information output (protocol debugging switches and terminal display switches, each ON or OFF, control whether debugging information is output)

You can use the following commands to operate the two kinds of switches. Perform the following operations in user view.

Table 610 Enable debugging and terminal display
  Operation | Command | Description
  By default, all debugging is disabled in the system.
System Debugging

Displaying Operating Information about Modules in System

When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules in the system (the set of modules was fixed when the command was designed) for troubleshooting. Perform the following operation in any view.
75 NETWORK CONNECTIVITY TEST

Network Connectivity Test

ping

You can use the ping command to check the network connectivity and the reachability of a host.
CHAPTER 75: NETWORK CONNECTIVITY TEST

Table 614 The tracert command
  Operation             | Command
  Support IP protocol   | tracert [ -a source-ip | -f first-TTL | -m max-TTL | -p port | -q num-packet | -w timeout ] * host
  Support CLNS protocol | tracert clns [ -m max-TTL | -n num-packet | -t timeout | -v ]* nsap-address
76 DEVICE MANAGEMENT

Introduction to Device Management

Note: When two 96Gbps Switch Fabrics (3C16886) are inserted into a Switch 7758 8-slot chassis, the following functionality is available:
■ The first two SFP interfaces of the primary board and the first two SFP interfaces of the secondary board work normally. Services will not be interrupted during active-standby switchover.
CHAPTER 76: DEVICE MANAGEMENT

Restarting the Ethernet Switch

You can perform the following operation in user view when the switch is in trouble or needs to be restarted.

Table 616 Restart the Ethernet switch
  Operation                   | Command | Description
  Restart the Ethernet switch | reboot  | -

Note: When rebooting, the system checks whether there is any configuration change. If there is, it prompts you to indicate whether or not to proceed.

Rebooting a Card of Ethernet Switch
Device Management Configuration

Table 619 Specify the APP to be adopted at reboot
  Operation                               | Command                                       | Description
  Specify the APP to be adopted at reboot | boot boot-loader { primary | backup } file-url | Optional

Updating the BootROM

You can use the BootROM application saved in the Flash memory of the switch to update the running BootROM application. With this command, a remote user can conveniently update the BootROM by uploading it to the switch through FTP and running this command.
Enabling/Disabling RDRAM

Using the following commands, you can enable or disable RDRAM (Rambus Dynamic Random Access Memory) on the device.

Table 623 Enable/Disable RDRAM
  Operation                   | Command       | Description
  Enter system view           | system-view   | -
  Enable RDRAM of the device  | rdram enable  | Optional
  Disable RDRAM of the device | rdram disable | By default, RDRAM is disabled.

Configuring Pause Frame Protection Mechanism
Configuring Queue Traffic Monitoring

to be detected. Users can then locate, solve, and log link problems by monitoring the peer devices through the received ARP response packets.

Note: This function requires that no Layer 3 device exist between the local peer and the remote peer.
Queue Traffic Monitoring Configuration Task

The following describes the configuration tasks of queue traffic monitoring.

Table 626 Configure queue traffic monitoring
  Operation                       | Command           | Description
  Enter system view               | system-view       | -
  Enable queue traffic monitoring | qe monitor enable | This function is enabled by default.

Queue Traffic Monitoring Configuration Example
Displaying the Device Management Configuration

Table 627 Configure error packets monitoring
  Operation                       | Command                                 | Description
  Enable error packets monitoring | qe monitor errpkt { all | none | runt } | Required. If you specify the keyword all, the switch detects all error packets on the current interface. If you specify the keyword runt, the switch only detects runt-type error packets on the current interface.
Table 628 Display the operating status of the device management
  Operation                                                  | Command                                                                                  | Description
  Display the APP to be adopted at reboot                    | display boot-loader                                                                      |
  Display the module type and operating status of each board | display device [ detail | [ shelf shelf-no ] [ frame frame-no ] [ slot slot-number ] ] |
  Display information about the environment used by a switch | display environment                                                                      |
  Display the operating status of the built-in fan           | display fan [ fan-id ]                                                                   |
  Display the usage of s sw
Remote Switch Update Configuration Example

Configuration procedure

1 Configure the following FTP server-related parameters on the PC: an FTP user with the username switch and password hello, and specify the working directory of the user as Switch. The detailed configuration is omitted here.

2 Configure the switch as follows:

# On the switch, configure a level 3 telnet user with the username user and password hello.
# Specify the downloaded application program as the host software to be adopted when the switch starts next time. Then restart the switch to update its host software.
boot boot-loader primary switch.app
The specified file will be booted next time on unit 1!
display boot-loader
The primary app to boot of board 0 at the next time is: flash:/switch.app
The backup app to boot of board 0 at the next time is: flash:/old.
CHAPTER 77: REMOTE PING CONFIGURATIONS

Introduction to Remote Ping
Remote Ping is a network diagnostic tool used to test the performance of protocols operating on a network (currently only ICMP). It is an enhanced alternative to the ping command. A Remote Ping test group is a set of Remote Ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag.
2 Test type
Currently, Remote Ping supports only one test type: ICMP.
3 Number of test packets sent in a test
If this parameter is set to a number greater than one, the system sends the second test packet once it receives a response to the first one, or when the test timer expires if no response has arrived, and so on until the last test packet has been sent. Packets are therefore sent one after another, never as a burst. This parameter is equivalent to the -n keyword of the ping command.
Remote Ping Configuration

Table 629 Configure Remote Ping
Operation                                            Command                     Description
Configure the destination IP address of the test     destination-ip ip-address   Required. By default, no destination IP address is configured.
Configure the type of the test                       test-type type              Optional. By default, the test type is ICMP.
Configure the number of packets sent in each test    count times                 Optional. By default, one packet is sent in each test.
(These three rows make up the task "Configure the test parameters".)
[SW7750] remote ping administrator icmp
# Specify the test type as ICMP.
[SW7750-remote ping-administrator-icmp] test-type icmp
# Specify the destination IP address as 1.1.1.99.
[SW7750-remote ping-administrator-icmp] destination-ip 1.1.1.99
# Set the number of test packets sent in a test to 10.
[SW7750-remote ping-administrator-icmp] count 10
# Set the timeout time of test operations to 5.
CHAPTER 78: PASSWORD CONTROL CONFIGURATION OPERATIONS

Introduction to Password Control Configuration
The password control feature is designed to manage the following passwords:
■ Telnet passwords: passwords for logging into the switch through Telnet.
■ SSH passwords: passwords for logging into the switch through SSH.
■ FTP passwords: passwords for logging into the switch through FTP.
Table 631 Functions provided by password control
Function: Password protection and encryption
Description:
  Encrypted display: the switch protects the displayed password. It is always shown as a string containing only asterisks (*) in the configuration file and on the user terminal.
  Saving passwords in ciphertext: the switch encrypts the configured passwords and saves them in ciphertext in the configuration file.
Application: All passwords
Treat a saved configuration file as sensitive even so: anyone who can read it holds the protected form of every password on the switch.
Password Control Configuration

Configuration Prerequisites
A user PC is connected to the switch to be configured; both devices are operating normally.

Configuration Tasks
After password aging is enabled, the device decides whether the user's password has aged out at the moment the user is being authenticated during login. There are three cases:
1 The password has not expired and the user logs in before the configured alert time. The user logs in successfully.
2 The password has not expired but the user logs in after the configured alert time.
the same password or reusing an old password, thus enhancing security. You can configure the maximum number of history records that the system keeps.
Configuring Login Attempts Limitation and Failure Processing Mode

Table 637 Configure the login attempts limitation and the failure processing mode
Operation                                                                      Command        Description
Enter system view                                                              system-view    -
Enable the login attempts limitation, configure the maximum number of attempts, and configure the processing mode used when the maximum number of attempts is exceeded
Table 639 Configure the timeout time for users to be authenticated
Operation                                                    Command                                                         Description
Enter system view                                            system-view                                                     -
Configure the timeout time for users to be authenticated     password-control authentication-timeout authentication-timeout  Optional. By default, it is 60 seconds.

Displaying Password Control
Password:**********
confirm:**********
# Change the system login password to 0123456789 (an illustrative value from the guide, not one to use in practice).
[SW7750-luser-test] password
Password:**********
Confirm :**********
Updating the password file, please wait ...
# Enable password aging.
[SW7750-luser-test] quit
[SW7750] password-control aging enable
Password aging enabled for all users.
# Enable the limitation of the minimum password length.
If you input "Y", the system removes the history records of all users and gives the following prompt:
All historical passwords have been cleared.
Once the history is cleared, the reuse check described above no longer has anything to compare against, so users can set a previously used password again until new records accumulate.
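The following is an added example that pulls the tasks of this chapter together into one hardened configuration; it is not the guide's own configuration example. The commands password-control aging enable, password-control authentication-timeout, local-user and password appear on this page; the other command forms (aging time, alert-before-expire, length, history, login-attempt, service-type ssh, display password-control) and every numeric value are assumptions based on the Comware-style 3Com CLI and must be checked against the command reference for your software release before use. The local user name admin is likewise a placeholder.

```text
# Added example, not from the guide. Prompts follow the guide's [SW7750] convention.
# Weak starting point: the default state of this chapter's features, i.e. no password
# aging, no minimum length, no reuse history and no lockout after failed logins.
<SW7750> system-view
# Enable aging (command from this page) and set the period and the warning window.
[SW7750] password-control aging enable
Password aging enabled for all users.
# Assumed: aging time in days.
[SW7750] password-control aging 90
# Assumed: warn the user this many days before the password expires.
[SW7750] password-control alert-before-expire 7
# Enable the minimum length check and, assumed, set the minimum to 10 characters.
[SW7750] password-control length enable
[SW7750] password-control length 10
# Assumed: keep the last 4 passwords so they cannot be reused.
[SW7750] password-control history enable
[SW7750] password-control history 4
# Assumed: after 3 failed attempts, lock the account for 60 minutes.
[SW7750] password-control login-attempt 3 exceed lock-time 60
# Shorten the authentication timeout from the 60-second default shown on this page.
[SW7750] password-control authentication-timeout 30
# Create the administrative user (placeholder name) and set its password interactively.
[SW7750] local-user admin
[SW7750-luser-admin] password
Password:**********
Confirm :**********
# Assumed: grant SSH rather than Telnet or FTP so credentials are not sent in cleartext.
[SW7750-luser-admin] service-type ssh level 3
[SW7750-luser-admin] quit
# Assumed: confirm the policy values before disconnecting.
[SW7750] display password-control
```

Apply the policy before creating or changing passwords: the length and history checks act at the moment a password is set, so passwords configured earlier are not re-validated. Keep the console session open until display password-control shows the intended values, so that a typo in the lockout settings cannot lock you out of the switch.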
CHAPTER 79: CONFIGURING HARDWARE-DEPENDENT SOFTWARE

Configuring Boot ROM Upgrade with App File
By enabling the Boot ROM to upgrade together with the app file, you ensure that the Boot ROM versions of the current Switch Fabric and service cards match the version of the current app file, avoiding features that fail or behave incorrectly because of a version mismatch.
boot bootrom default
# Use the specified App file (abcd.app) to upgrade the Boot ROMs of all normal I/O Module boards in position.
boot bootrom abcd.app
# Specify the App file abcd.app as the primary startup file for the next boot and use it to upgrade the Boot ROMs.
boot boot-loader primary abcd.
Configuring Internal Channel Monitoring

Introduction
An internal channel is the interface channel between the Switch Fabric and the service cards. The Switch Fabric sends a handshake packet to each service card every second. A service card that receives the handshake reports the result back to the Switch Fabric, which thereby knows that the card is operating normally.
Switch Chip Auto-reset Configuration

Table 644 Configure switch chip auto-reset
Operation                                               Command                        Description
Enter system view                                       system-view                    -
Enable the function of monitoring internal channels     monitor inner-channel          Required
Enable switch chip auto-reset                           monitor slot slot-id enable    Required. By default, switch chips cannot be reset automatically when the internal channel handshak
Disable switch chip auto-reset                          monitor slot slot-id disable