3Com® Switch 7750 Family Configuration Guide
Switch 7750, Switch 7754, Switch 7757, Switch 7758
www.3Com.com
Part Number: 10015462 Rev.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2006-2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS

ABOUT THIS GUIDE
  Conventions 17
  Related Documentation 17

1 CLI OVERVIEW
  Introduction to the CLI 19
  Command Level/Command View 19
  CLI Features 29

2 LOGGING INTO AN ETHERNET SWITCH
  Logging into an Ethernet Switch 33
  Introduction to the User Interface 33

3 LOGGING IN THROUGH THE CONSOLE PORT
  Introduction 35
  Logging in through the Console Port 35
  Console Port Login Configuration 37
  Console Port Login Configuration with Authentication Mode Being None 39
  Console Port Login Configuration with Aut

6 LOGGING IN THROUGH THE WEB-BASED NETWORK MANAGEMENT SYSTEM
  Introduction 71
  Establishing an HTTP Connection 71
  Configuring the Login Banner 72
  Enabling/Disabling the WEB Server 73

7 LOGGING IN THROUGH NMS
  Introduction 75
  Connection Establishment Using NMS 75

8 USER CONTROL
  Introduction 77
  Controlling Telnet Users 77
  Controlling Network Management Users by Source IP Addresses 79
  Controlling Web Users by Source IP Address 80

9 CONFIGURATION FILE MANAGEMENT
  Introduction to Configuration File

14 SUPER VLAN
  Super VLAN Overview 121
  Super VLAN Configuration 121
  Displaying Super VLAN 123
  Super VLAN Configuration Example 124

15 IP ADDRESS CONFIGURATION
  IP Address Overview 127
  Configuring an IP Address for a VLAN Interface 129
  Displaying IP Address Configuration 130
  IP Address Configuration Example 130
  Troubleshooting 130

16 IP PERFORMANCE CONFIGURATION
  IP Performance Overview 131
  IP Performance Configuration 131
  Configuring TCP Attributes 132
  Configuring to Send Special IP Packets to

  Selective QinQ Configuration 165
  Configuring Outer Tag Replacement 166
  Selective QinQ Configuration Example 167

21 SHARED VLAN CONFIGURATION
  Shared VLAN Overview 169
  Shared VLAN Configuration 170
  Displaying Shared VLAN 170
  Shared VLAN Configuration Example 171

22 PORT BASIC CONFIGURATION
  Ethernet Port Configuration 173
  Ethernet Port Configuration Example 180
  Troubleshooting Ethernet Port Configuration 181

23 LINK AGGREGATION CONFIGURATION
  Overview 183
  Link Aggregation Configuration 189

28 MAC ADDRESS TABLE MANAGEMENT
  Overview 225
  Configuring MAC Address Table Management 227
  Displaying and Maintaining MAC Address Configuration 230
  Configuration Example 231

29 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION
  Centralized MAC Address Authentication Overview 233
  Centralized MAC Address Authentication Configuration 234
  Displaying and Debugging Centralized MAC Address Authentication 237
  Centralized MAC Address Authentication Configuration Example 237

30 MSTP CONFIGURATION
  MST

  Troubleshooting RIP Configuration 300

34 OSPF CONFIGURATION
  OSPF Overview 301
  Introduction to OSPF Configuration Tasks 307
  Basic OSPF Configuration 309
  OSPF Area Attribute Configuration 311
  OSPF Network Type Configuration 312
  OSPF Route Control 313
  OSPF Network Adjustment and Optimization 316
  Displaying OSPF Configuration 320
  OSPF Configuration Example 321
  Troubleshooting OSPF Configuration 325

35 IS-IS CONFIGURATION
  IS-IS Overview 327
  Introduction to IS-IS Configuration 332
  IS-IS Basic Co

39 802.1X CONFIGURATION
  Introduction to 802.1x 389
  802.1x Configuration 399
  Basic 802.1x Configuration 399
  802.1x-Related Parameter Configuration
  Advanced 802.1x Configuration 401
  Displaying and Debugging 802.

46 IGMP CONFIGURATION
  Overview 449
  IGMP Configuration Tasks 454
  Displaying IGMP 460

47 PIM CONFIGURATION
  PIM Overview 461
  Common PIM Configuration 469
  PIM-DM Configuration 472
  PIM-SM Configuration 472
  Displaying and Debugging PIM 475
  PIM Configuration Examples 476
  Troubleshooting PIM 479

48 MSDP CONFIGURATION
  MSDP Overview 481
  Configuring MSDP Basic Functions 487
  Configuring Connection between MSDP Peers 488
  Configuring SA Message Transmission 490
  Displaying and Debugging MSDP Configurat

52 VRRP CONFIGURATION
  VRRP Overview 553
  VRRP Configuration 557
  Displaying and Maintaining VRRP 559
  VRRP Configuration Example 559
  Troubleshooting VRRP 565

53 HA CONFIGURATION
  HA Overview 567
  HA Configuration 568
  Displaying HA 569

54 ARP CONFIGURATION
  Introduction to ARP 571
  Configuring ARP 575
  Displaying and Maintaining ARP Configuration 579
  ARP Configuration Example 580

55 PROXY ARP CONFIGURATION
  Proxy ARP Overview 583
  Configuring Proxy ARP 584
  Proxy ARP Configuration Example 584

56 DH

  Troubleshooting DHCP Relay Agent 621

59 DHCP SNOOPING CONFIGURATION
  Configuring DHCP Snooping 623
  DHCP Snooping Configuration 628
  Displaying and Maintaining DHCP Snooping 632
  DHCP Snooping Configuration Example 632

60 ACL CONFIGURATION
  ACL Overview 637
  Choosing ACL Mode for Traffic Flows 639
  Specifying the Matching Order of ACL Rules Sent to a Port
  Configuring Time Ranges 640
  Defining Basic ACLs 641
  Defining Advanced ACLs 642
  Defining Layer 2 ACLs 647
  Defining User-Defined ACLs 649
  Applyi

  Management Device Configuration 708
  Member Device Configuration 711
  Intra-Cluster Configuration 713
  Displaying and Maintaining a Cluster 713
  Cluster Configuration Example 714

64 POE CONFIGURATION
  PoE Overview 719
  PoE Configuration 721
  Displaying PoE Configuration 723
  PoE Configuration Example 724

65 POE PSU SUPERVISION CONFIGURATION
  Introduction to PoE PSU Supervision 727
  AC Input Alarm Thresholds Configuration 727
  DC Output Alarm Threshold Configuration 728
  Displaying PoE Supervision Informat

70 NTP CONFIGURATION
  Introduction to NTP 753
  NTP Implementation Mode Configuration 757
  Access Control Permission Configuration 759
  NTP Authentication Configuration 759
  Configuration of Optional NTP Parameters 761
  Displaying and Debugging NTP 762
  Configuration Example 762

71 SSH TERMINAL SERVICES
  SSH Terminal Services 773
  SFTP Service 784

72 FILE SYSTEM MANAGEMENT
  File System Configuration 791

73 BIMS CONFIGURATION
  Introduction to BIMS 797
  BIMS Device Configuration Tasks 798
  Basic Conf

  Remote Software Loading 846

78 BASIC SYSTEM CONFIGURATION & DEBUGGING
  Basic System Configuration 853
  Displaying the System Status 855
  System Debugging 855

79 NETWORK CONNECTIVITY TEST
  Network Connectivity Test 859

80 DEVICE MANAGEMENT
  Introduction to Device Management 861
  Device Management Configuration 861
  Configuring Pause Frame Protection Mechanism 866
  Configuring Layer 3 Connectivity Detection 867
  Configuring Queue Traffic Monitoring 868
  Configuring Error Packets Monitoring 868
  Display

85 MONITOR LINK CONFIGURATION
  Introduction to Monitor Link 931
  Configuring Monitor Link 932
  Displaying Monitor Link Configuration 934
  Monitor Link Configuration Example 934

86 CONFIGURING HARDWARE-DEPENDENT SOFTWARE
  Configuring Boot ROM Upgrade with App File 937
  Configuring Inter-Card Link State Adjustment 938
  Configuring Internal Channel Monitoring 939
  Configuring Switch Chip Auto-reset 939
  Configuring CPU Usage Threshold 940
ABOUT THIS GUIDE
This guide describes the 3Com® Switch 7750 and how to install the hardware, configure and boot the software, and maintain both. It also provides troubleshooting and support information for your switch. This guide is intended for qualified service personnel who are responsible for configuring, using, and managing the switches.
■ Switch 7750 Release Notes: contains the latest information about your product. If information in this guide differs from information in the release notes, use the information in the release notes.
These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the CD-ROM that accompanies your switch or on the 3Com World Wide Web site: http://www.3com.
1 CLI OVERVIEW
Introduction to the CLI
A 3Com series Ethernet switch provides a command line interface (CLI) with commands for configuring and managing the switch. The CLI has the following features:
■ Commands are grouped by level, and a user can run only the commands at or below the level assigned to that user. This keeps unauthorized users from running administrative commands.
■ Online help is available at any time by entering a question mark (?).
Command Level/Command View
Switching between User Levels
After logging into a switch, a user can switch from one user level to another by executing the corresponding command. The administrator can also set user level switching passwords as required.
Setting a user level switching password
Table 1 lists the operations to set a user level switching password.
Table 3 Configure the level of a specific command in a specific view
Operation: Configure the level of a specific command in a specific view
Command: command-privilege level level view view command
Description: Required. Use this command with caution: raising a command's level can make it unavailable to the operators who need it for routine maintenance, and lowering it exposes the command to lower-level users.
CLI Views
CLI views are designed for different configuration tasks. They are interrelated.
■ BGP view
■ BGP IPv4 family multicast view
■ IS-IS view
■ ES-IS view
■ Routing policy view
■ Basic ACL view
■ Advanced ACL view
■ Layer 2 ACL view
■ User-defined ACL view
■ Traffic-group view
■ QoS view
■ QinQ view
■ RADIUS scheme view
■ HWTACACS scheme view
■ ISP domain view
■ RprGE view
■ PoE-profile view
■ Traffic-accounting view
■ Netstream autonomous system view
■ Netstream protocol-port aggregation view
■ Netstream source prefix
Table 4 CLI views
View: M-Ethernet interface view (management Ethernet port view)
Available operation: Configure M-Ethernet interface parameters
Prompt example: [SW7750-M-Ethernet0/0/0]
Enter method: Execute the interface m-ethernet 0/0/0 command in system view.

View: Ethernet port view (100 M Ethernet port view)
Available operation: Configure Ethernet port parameters
Prompt example: [SW7750-Ethernet3/0/1]
Enter method: Execute the interface ethernet 3/0/1 command in system view.
View: Loopback interface view
Available operation: Configure Loopback interface parameters
Prompt example: [SW7750-LoopBack0]
Enter method: Execute the interface loopback 0 command in system view.

View: Local user view
Available operation: Configure local user parameters
Prompt example: [SW7750-luser-user1]

View: User interface view
Available operation: Configure user interface parameters
Prompt example: [SW7750-ui0]

View: FTP client view
Available operation: Configure FTP client parameters

View: SFTP client view
Available operation: Configure SFTP client parameters

View: Cluster view
Available operation: Configure
View: MSDP domain view
Available operation: Configure MSDP domain parameters
Prompt example: [SW7750-msdp]
Enter method: Execute the msdp command in system view.
Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.
View: OSPF area view
Available operation: Configure OSPF area parameters
Prompt example: [SW7750-ospf-1-area-0.0.0.1]
Enter method: Execute the area 1 command in OSPF view.
Quit method: Execute the quit command to return to OSPF view. Execute the return command to return to user view.
View: Layer 2 ACL view
Available operation: Define the sub-rules of Layer 2 ACLs, which are numbered from 4000 to 4999.
Prompt example: [SW7750-acl-link-4000]
Enter method: Execute the acl number 4000 command in system view.
Quit method: Execute the quit command to return to system view.
View: RprGE view
Available operation: Configure RprGE logical interface attributes
Prompt example: [SW7750-RprGE1/0/1]
Enter method: Execute the interface RprGE 1/0/1 command in system view.
Quit method: Execute the quit command to return to system view.

View: PoE profile view
Available operation: Configure PoE profile parameters
Prompt example: [SW7750-poe-profile-test]
Enter method: Execute the poe-profile test command in system view.
Quit method: Execute the quit command to return to system view.
View: Smart-link group view
Available operation: Configure smart-link group parameters
Prompt example: [SW7750-smlk-group1]
Enter method: Execute the smart-link group command in system view.
Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

CLI Features
Online Help
The CLI provides two types of online help, complete online help and partial online help, to assist you with your configuration.
The string <cr> means that no argument is available at the position occupied by the ? character; you can execute the command as typed without providing anything further.
Partial online help
Enter a string followed directly by a ? character to display all the commands that begin with that string.
Note: Because the Up and Down keys have different meanings in HyperTerminal running on Windows 9x, these two keys recall history commands only in terminals running Windows 3.x or in Telnet running on Windows 3.x. On Windows 9x, press <Ctrl+P> or <Ctrl+N> instead.
Error Messages
If the command you enter passes the syntax check, it is executed; otherwise an error message appears. Table 7 lists the common error messages.
2 LOGGING INTO AN ETHERNET SWITCH
Logging into an Ethernet Switch
You can log into a Switch 7750 Ethernet switch in one of the following ways:
■ Logging in locally through the Console port
■ Telnetting locally or remotely to an Ethernet port
■ Telnetting to the Console port using a modem
■ Logging in through NMS (network management station)
Introduction to the User Interface
Supported User Interfaces
User Interface Number
The Switch 7750 Ethernet switch supports two types of user interfaces: AUX and
Common User Interface Configuration
Table 10 Common user interface configuration
Operation: Lock the current user interface
Command: lock
Description: Optional. Execute this command in user view. A user interface is not locked by default.
3 LOGGING IN THROUGH THE CONSOLE PORT
Introduction
Logging in through the Console port is the most common way to log into a switch, and it is the prerequisite for configuring the other login methods. To log into an Ethernet switch through its Console port, the communication settings of the user terminal must match those of the Console port. Table 11 lists the default settings of a Console port.
Figure 2 Create a connection
Figure 3 Specify the port used to establish the connection
Figure 4 Set port parameters
3 Turn on the switch. If the switch completes POST (power-on self test) successfully, it prompts you to press the Enter key. After you press Enter, the prompt (such as <SW7750>) appears.
4 You can then configure the switch or check information about it by executing the corresponding commands. You can also get help by typing the ? character.
Table 12 Common configuration of Console port login
Configuration: AUX user interface configuration: configure the command level available to the users logging into the AUX user interface
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.
Table 13 Console port login configurations for different authentication modes
Authentication mode: Scheme
Console port login configuration: Specify whether to perform local authentication or RADIUS authentication
Remarks: Optional. The AAA configuration specifies whether local authentication or RADIUS authentication is performed.

Console port login configuration: Configure user names and passwords for local/RADIUS users
Remarks: Required.

Local authent
Table 14 Console port login configuration with the authentication mode being none
Operation: Configure the Console port: set the baud rate
Command: speed speed-value
Description: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
Operation: Set the timeout time for the user interface
Command: idle-timeout minutes [ seconds ]
Description: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes.
Network diagram
Figure 5 Network diagram for AUX user interface configuration (with the authentication mode being none): the PC is connected to the Console port of the switch with an RS-232 configuration cable.
Configuration procedure
# Enter system view.
<SW7750> system-view
# Enter AUX user interface view.
[SW7750] user-interface aux 0
# Specify not to authenticate users logging in through the Console port.
Table 16 Console port login configuration with the authentication mode being password
Operation: Enter AUX user interface view
Command: user-interface aux 0
Description: -

Operation: Configure to authenticate users using the local password
Command: authentication-mode password
Description: Required

Operation: Set the local password
Command: set authentication password { cipher | simple } password
Description: Required. With simple, the password is stored in plain text in the configuration file; with cipher it is stored in encrypted form, which is the safer choice whenever the configuration file is backed up or copied.

Operation: Configure the Console port: set the baud rate
Command: speed speed-value
Description: Optio
Operation: Set the timeout time for the user interface
Command: idle-timeout minutes [ seconds ]
Description: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes.
Network diagram
Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being password): the PC is connected to the Console port of the switch with an RS-232 configuration cable.
Configuration procedure
# Enter system view.
<SW7750> system-view
# Enter AUX user interface view.
[SW7750] user-interface aux 0
# Specify to authenticate users logging in through the Console port using the local password.
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Table 18 Console port login configuration with the authentication mode being scheme
Operation: Enter system view
Command: system-view
Description: -

Operation: Configure the authentication mode: enter the default ISP domain view
Command: domain domain-name
Description: Optional

Operation: Configure the authentication mode: specify the AAA scheme to be applied to the domain
Command: scheme { local | none | radius-scheme radius-scheme-name [
Operation: Configure to authenticate users locally or remotely
Command: authentication-mode scheme [ command-authorization ]
Description: Required. The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.
Operation: Set the history command buffer size
Command: history-command max-size value
Description: Optional. The default history command buffer size is 10, that is, a history command buffer stores up to 10 commands by default.

Operation: Set the timeout time for the user interface
Command: idle-timeout minutes [ seconds ]
Description: Optional
■ Configure to authenticate users logging in through the Console port in the scheme mode.
■ The baud rate of the Console port is 19,200 bps.
■ The screen can contain up to 30 lines.
■ The history command buffer can store up to 20 commands.
■ The timeout time of the AUX user interface is 6 minutes.
[SW7750-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
4 LOGGING IN THROUGH TELNET
Introduction
You can manage and maintain a switch remotely by Telnetting to it. To do so, you need to configure both the switch and the Telnet terminal accordingly.
Table 20 Requirements for Telnet to a switch
Item: Switch
Requirement: The IP address of the VLAN interface of the switch is configured and the route between the switch and the Telnet terminal is available. (Refer to "Configuring an IP Address for a VLAN Interface" on page 129 for more.
Telnet Configurations for Different Authentication Modes
Table 22 lists Telnet configurations for different authentication modes.
Table 23 Telnet configuration with the authentication mode being none
Operation: Configure the command level available to users logging into the VTY user interface
Command: user privilege level level
Description: Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.
Table 24 Determine the command level when users logging into switches are not authenticated
Scenario: Authentication mode none (authentication-mode none), VTY users
Command: The user privilege level level command is not executed
Command level: Level 0

Scenario: Authentication mode none (authentication-mode none), VTY users
Command: The user privilege level level command is already executed
Command level: Determined by the level argument

Configuration Example
Network requirements
Perform the following configuration for Telnet users logging into VT
# Specify that commands of level 2 are available to users logging into VTY 0.
[SW7750-ui-vty0] user privilege level 2
# Configure the Telnet protocol to be supported.
[SW7750-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[SW7750-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
Table 25 Telnet configuration with the authentication mode being password
Operation: Set the maximum number of lines the screen can contain
Command: screen-length screen-length
Description: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paged display.
■ The Telnet protocol is supported.
■ The screen can contain up to 30 lines.
■ The history command buffer can contain up to 20 commands.
■ The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 9 Network diagram for Telnet configuration (with the authentication mode being password): the user PC running Telnet reaches the switch over the Ethernet through port Ethernet2/0/1.
Configuration procedure
# Enter system view.
<SW7750> system-view
# Enter VTY 0 user interface view.
# Set the timeout time to 6 minutes.
Table 27 Telnet configuration with the authentication mode being scheme
Operation: Configure the supported protocol
Command: protocol inbound { all | ssh | telnet }
Description: Optional. Both the Telnet protocol and the SSH protocol are supported by default. Telnet carries passwords and commands in clear text, so where the terminal supports SSH (see "SSH Terminal Services"), limiting the VTY to protocol inbound ssh removes the clear-text path.

Operation: Make terminal services available
Command: shell
Description: Optional

Operation: Set the maximum number of lines the screen can contain
Command: screen-length screen-length
Table 28 Determine the command level when users logging into switches are authenticated in the scheme mode
Scenario: Authentication mode scheme (authentication-mode scheme [ command-authorization ])
User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
Configuration Example
Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
■ Configure the name of the local user to be "guest".
■ Set the authentication password of the local user to 1234567890 (in plain text).
■ Set the service type of VTY users to Telnet, and the available command level to 2.
■ Configure to authenticate users logging into VTY 0 in scheme mode.
[SW7750-ui-vty0] authentication-mode scheme
# Configure the Telnet protocol to be supported.
[SW7750-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[SW7750-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[SW7750-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
Telnetting to a Switch
[SW7750-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2 Perform Telnet-related configuration on the switch. Refer to "Telnet Configuration with Authentication Mode Being None" on page 52, "Telnet Configuration with Authentication Mode Being Password" on page 55, and "Telnet Configuration with Authentication Mode Being Scheme" on page 58 for more.
3 Connect your PC/terminal and the switch to an Ethernet, as shown in Figure 12.
By default, commands of level 0 are available to Telnet users authenticated by password. Refer to "Command Level/Command View" on page 19 for information about the command hierarchy.
Telnetting to another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client and the other switch operates as the server.
5 LOGGING IN USING MODEM
Introduction
If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can dial in over the PSTN with a modem, log into the Console port of the switch, and configure and maintain it remotely. When a network operates improperly or is unreachable, this lets you log into the switches in the network to configure them, query logs and warning messages, and locate problems.
You can verify your configuration by executing the AT&V command.
Note: The above configuration is not needed on the modem on the administrator side. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Switch Configuration
Note: After logging into a switch through its Console port by using a modem, you enter the AUX user interface.
Modem Connection Establishment
AT&S0 ----------------------- Force DSR to high level
ATEQ1&W ----------------------- Disable the modem from returning the command response and result, and save the changes
You can verify your configuration by executing the AT&V command.
Note:
■ The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Figure 16 Set the telephone number
Figure 17 Call the modem
5 Provide the password when prompted. If the password is correct, the prompt (such as <SW7750>) appears. You can then configure or manage the switch. You can also enter the ? character at any time for help. Refer to the related modules in the command manual for detailed configuration commands.
Modem Attributes Configuration
Configuration Procedure
Table 30 Configuration procedure for the Modem attribute
Operation: Enter system view
Command: system-view
Description: -

Operation: Enter AUX user interface view
Command: user-interface aux 0
Description: -

Operation: Enable Modem call-in, or call-in and call-out
Command: modem [ call-in | both ]
Description: Required. Set the answer mode to auto answer.
Configuration Example
6 LOGGING IN THROUGH THE WEB-BASED NETWORK MANAGEMENT SYSTEM
Introduction
A Switch 7750 has a built-in Web server. It enables you to log into a Switch 7750 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server. To log into a Switch 7750 through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
Figure 18 Establish an HTTP connection between your PC and the switch (PC and switch connected by an HTTP connection)
4 Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.
Network diagram
Figure 20 Network diagram for login banner configuration (PC and switch connected by an HTTP connection)
Configuration Procedure
# Enter system view.
<SW7750> system-view
# Configure the banner "Welcome" to be displayed when a user logs into the switch through the Web.
[SW7750] header login %Welcome%
Assume that a route is available between the user terminal (the PC) and the switch.
Enabling/Disabling the WEB Server
Table 33 Enable/Disable the WEB Server
Operation: Enable the Web server
Command: undo ip http shutdown
Description: Required

Operation: Disable the Web server
Command: ip http shutdown
Description: Required

Note: To improve security and to prevent attacks against unused sockets, TCP port 80 (the HTTP service port) is opened or closed to match the Web server configuration.
■ Enabling the Web server (with the undo ip http shutdown command) opens TCP port 80.
■ Disabling the Web server (with the ip http shutdown command) closes TCP port 80.
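The note above ties the Web server state to whether TCP port 80 accepts connections, which is worth verifying from the management host after changing the setting rather than trusting the configuration alone. The following Python script is an added example and is not code from the 3Com guide: tcp_port_state() reports whether a TCP handshake to a host and port completes, and demo_with_local_listener() brings a loopback listener up and then down in place of the switch so the check runs offline. The function names and the use of a local listener as a stand-in for the switch are assumptions of this example.

```python
"""Check whether a host accepts TCP connections on a port (added example).

Used here to confirm the effect of "ip http shutdown" / "undo ip http shutdown"
on TCP port 80 from the management host. A local listener stands in for the
switch so the demo runs without network access.
"""
import socket
import threading


def tcp_port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Return "open" if a TCP handshake to host:port completes, else "closed".

    A completed handshake means a service is listening (on the switch, the
    built-in Web server on TCP 80). A refused or timed-out connection means
    the port does not accept connections.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "closed"


def demo_with_local_listener() -> tuple:
    """Observe the port state while a listener is up and after it is shut down.

    The listener on 127.0.0.1 plays the role of the switch's Web server:
    "listening" corresponds to undo ip http shutdown, "closed" to ip http
    shutdown. Returns (state_while_up, state_after_shutdown).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    # Accept the probe in the background so the handshake is serviced cleanly.
    def _accept_one():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=_accept_one, daemon=True)
    worker.start()

    while_up = tcp_port_state("127.0.0.1", port)
    listener.close()                  # equivalent of "ip http shutdown"
    worker.join(timeout=2.0)
    after_shutdown = tcp_port_state("127.0.0.1", port)
    return while_up, after_shutdown


if __name__ == "__main__":
    print(demo_with_local_listener())
```

To check a real switch, call tcp_port_state with the address of the management VLAN interface and port 80; "closed" after ip http shutdown and "open" after undo ip http shutdown confirms that the configured state and the listening socket agree.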
7 LOGGING IN THROUGH NMS
Introduction
You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
■ The agent here refers to the software running on network devices (switches), which acts as the server.
■ SNMP (simple network management protocol) is used between the NMS and the agent.
To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.
8 USER CONTROL
Introduction
A switch provides ways to control different types of login users, as listed in Table 35.
Table 36 Control Telnet users by source IP addresses
Operation: Quit to system view
Command: quit
Description: -

Operation: Enter user interface view
Command: user-interface [ type ] first-number [ last-number ]
Description: -

Operation: Apply the ACL to control Telnet users by source IP addresses
Command: acl acl-number { inbound | outbound }
Description: Required. The inbound keyword filters the users trying to Telnet to the current switch.
Controlling Network Management Users by Source IP Addresses
You can manage a 3Com series Ethernet switch through network management software. Network management users access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
Note: You can specify different ACLs while configuring the SNMP community name, the SNMP group name, and the SNMP user name. As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect for network management systems that use SNMPv1 or SNMPv2c.
Controlling Web Users by Source IP Addresses
You need to perform the following two operations to control Web users by source IP addresses.
■ Defining an ACL
■ Applying the ACL to control Web users
Prerequisites
The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Network diagram

Figure 24 Network diagram for controlling Web users using ACLs (Host A 10.110.100.46 and Host B 10.110.100.52 reach the Switch across the IP network)

Configuration procedure

# Define a basic ACL.
system-view
[SW7750] acl number 2030
[SW7750-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[SW7750-acl-basic-2030] quit
# Apply ACL 2030 to permit only the Web users sourced from the IP address 10.110.100.52 to access the switch.
9 CONFIGURATION FILE MANAGEMENT

Introduction to Configuration File

A configuration file records and stores the user configurations performed on a switch. It also enables users to check switch configurations easily. When powered on, a switch loads the configuration file known as the saved-configuration file, which resides in the Flash, for initialization. If the Flash contains no configuration file, the system initializes using the default settings.
Table 41 Configure a configuration file
Operation: Remove a specific configuration file from the Flash
  Command: reset saved-configuration
  Description: Optional. You can execute the reset saved-configuration command in user view.
Operation: Specify the startup configuration file to be used in the next startup
  Command: startup saved-configuration { cfgfile | device-name }
  Description: Optional. You can execute the startup saved-configuration command in user view.
Configuration File-Related Operations

It is recommended to adopt the fast saving mode under stable power conditions and the safe mode under unstable power conditions or during remote maintenance.
■ It is recommended to use the save command to save the configuration before restarting a device, so that the current configuration remains after the device is restarted.
10 VLAN OVERVIEW

VLAN Overview

Introduction to VLAN

The traditional Ethernet is a flat network, where all hosts are in the same broadcast domain and are connected with each other through hubs or switches. A hub is a physical layer device without the switching function, so it forwards a received packet to all ports. A switch is a link layer device which can forward a packet according to its MAC address.
Figure 25 A VLAN implementation (a Router, two Switches, and hosts in VLAN A and VLAN B)

A VLAN can span across multiple switches, or even routers. This enables hosts in a VLAN to be dispersed in a looser way. That is, hosts in a VLAN can belong to different physical network segments. Compared with the traditional Ethernet, VLAN enjoys the following advantages.
■ Broadcasts are confined to VLANs.

VLAN Principles
In Figure 26, DA refers to the destination MAC address, SA refers to the source MAC address, and Type refers to the protocol type of the packet. The IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encapsulated after the destination MAC address and source MAC address to carry the VLAN information.

Figure 27 Format of VLAN tag (DA&SA, then the VLAN Tag consisting of TPID, Priority, CFI and VLAN ID, then Type)

As shown in Figure 27, a VLAN tag contains four fields: TPID, priority, CFI, and VLAN ID.
You can configure all three types of ports on the same device. However, note that you cannot directly switch a port between trunk and hybrid; you must set the port as access before the switching. For example, to change a trunk port to hybrid, you must first set it as access and then as hybrid.

Adding an Ethernet Port to Specified VLANs

You can add the specified Ethernet port to a specified VLAN.
Table 44 Packet processing of a Hybrid port
Processing of an incoming packet:
  If the packet does not carry a VLAN tag: If the port is already added to its default VLAN, add the default VLAN tag to the packet and then forward the packet.
  If the packet carries a VLAN tag: If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
In the two figures, DA and SA refer to the destination MAC address and source MAC address of the packet respectively. The number in brackets indicates the field length in bits. The maximum length of an Ethernet packet is 1500 bytes, that is, 0x5DC in hexadecimal, so the length field in 802.2/802.3 encapsulation is in the range 0x0000 to 0x05DC, whereas the type field in Ethernet II encapsulation is in the range 0x0600 to 0xFFFF.
The switch differentiates between 802.2 LLC encapsulation and 802.3 SNAP encapsulation according to the values of the DSAP field and the SSAP field.

Procedure for the Switch to Judge Packet Protocol

When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the same meaning as the type field in Ethernet II encapsulation; both refer to a globally unique protocol number.
Implementation of Protocol-Based VLAN

Switch 7750 Ethernet switches assign a packet to a specific VLAN by matching the packet against protocol templates. A protocol template is the criterion used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
■ The standard template adopts the RFC- or IEEE-defined packet encapsulation formats and the values of some specific fields as the matching criteria.
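The classification described over the last few paragraphs (read the optional 802.1Q tag, tell Ethernet II from 802.3 by whether the two-byte field is a type of 0x0600 or more or a length of 0x05DC or less, then tell 802.2 LLC from SNAP by DSAP/SSAP) is what a protocol template is matched against. The Python below is an added example, not 3Com code, that does that classification on constructed frames and then applies templates in the form the configuration examples later in this guide use (a standard `ip` template, and user-defined `llc dsap 01 ssap ac` and `snap etype abcd` templates). Its template semantics are assumptions: an untagged frame is matched against templates in (VLAN, index) order and otherwise lands in the port's default VLAN, a tagged frame keeps its own VLAN ID, and the standard `ip` template matches Ethernet II type 0x0800 or SNAP with OUI 00-00-00 and PID 0x0800.

```python
"""Ethernet encapsulation classifier and protocol-template matcher (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100
ETHERNET_II_MIN_TYPE = 0x0600   # type field 0x0600-0xFFFF; an 802.3 length is <= 0x05DC
SNAP_SAP = 0xAA                 # DSAP == SSAP == 0xAA marks SNAP


@dataclass(frozen=True)
class Frame:
    vlan_id: Optional[int]      # None when the frame carries no 802.1Q tag
    encapsulation: str          # "ethernetii", "llc" or "snap"
    etype: Optional[int]        # Ethernet II type, or SNAP PID when the OUI is 00-00-00
    dsap: Optional[int] = None
    ssap: Optional[int] = None


def parse_frame(raw: bytes) -> Frame:
    """Skip DA/SA, decode an optional VLAN tag, then the encapsulation header."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    off = 12                                   # past DA and SA
    vlan_id = None
    if struct.unpack_from("!H", raw, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        vlan_id = tci & 0x0FFF                 # low 12 bits of the TCI: VLAN ID
        off += 4
    type_or_len = struct.unpack_from("!H", raw, off)[0]
    off += 2
    if type_or_len >= ETHERNET_II_MIN_TYPE:
        return Frame(vlan_id, "ethernetii", type_or_len)
    dsap, ssap = raw[off], raw[off + 1]        # 802.3 length, so an LLC header follows
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        oui = raw[off + 3:off + 6]
        pid = struct.unpack_from("!H", raw, off + 6)[0]
        return Frame(vlan_id, "snap", pid if oui == b"\x00\x00\x00" else None, dsap, ssap)
    return Frame(vlan_id, "llc", None, dsap, ssap)


@dataclass(frozen=True)
class ProtocolTemplate:
    vlan_id: int
    index: int
    mode: str                   # "ip" (standard), "ethernetii", "snap" or "llc"
    etype: Optional[int] = None
    dsap: Optional[int] = None
    ssap: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.mode == "ip":   # assumed standard template: IP over Ethernet II or SNAP
            return f.encapsulation in ("ethernetii", "snap") and f.etype == 0x0800
        if f.encapsulation != self.mode:
            return False
        if self.mode == "llc":
            return (f.dsap, f.ssap) == (self.dsap, self.ssap)
        return f.etype == self.etype


def assign_vlan(raw: bytes, templates: List[ProtocolTemplate], pvid: int) -> int:
    """VLAN an untagged frame lands in; a tagged frame keeps its own VLAN (assumption)."""
    f = parse_frame(raw)
    if f.vlan_id is not None:
        return f.vlan_id
    for t in sorted(templates, key=lambda t: (t.vlan_id, t.index)):
        if t.matches(f):
            return t.vlan_id
    return pvid


# --- constructed sample frames (not captured traffic); MACs are placeholders ---
_DA = bytes.fromhex("000f0a0b0c0d")
_SA = bytes.fromhex("000f0a0b0c0e")


def _frame(body: bytes, vlan_id: Optional[int] = None) -> bytes:
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id)
    return _DA + _SA + tag + body


def ethernet_ii(etype: int, payload: bytes) -> bytes:
    return struct.pack("!H", etype) + payload


def llc(dsap: int, ssap: int, payload: bytes) -> bytes:
    hdr = bytes([dsap, ssap, 0x03]) + payload
    return struct.pack("!H", len(hdr)) + hdr     # 802.3 length field (<= 0x05DC)


def snap(etype: int, payload: bytes) -> bytes:
    hdr = bytes([SNAP_SAP, SNAP_SAP, 0x03]) + b"\x00\x00\x00" + struct.pack("!H", etype) + payload
    return struct.pack("!H", len(hdr)) + hdr


# Templates in the form of the configuration examples: VLAN 5 index 1 = IP
# (standard), VLAN 7 index 1 = llc dsap 01 ssap ac, VLAN 7 index 2 = snap etype abcd.
TEMPLATES = [ProtocolTemplate(5, 1, "ip"),
             ProtocolTemplate(7, 1, "llc", dsap=0x01, ssap=0xAC),
             ProtocolTemplate(7, 2, "snap", etype=0xABCD)]

IPV4_FRAME = _frame(ethernet_ii(0x0800, b"\x45" + b"\x00" * 19))
SNAP_IP_FRAME = _frame(snap(0x0800, b"\x45" + b"\x00" * 19))
LLC_FRAME = _frame(llc(0x01, 0xAC, b"\x00" * 8))
SNAP_FRAME = _frame(snap(0xABCD, b"\x00" * 8))
TAGGED_FRAME = _frame(ethernet_ii(0x0800, b"\x00" * 20), vlan_id=3)
ARP_FRAME = _frame(ethernet_ii(0x0806, b"\x00" * 28))
```

Running `assign_vlan` over the six sample frames with a default VLAN of 1 puts both IP frames in VLAN 5 regardless of encapsulation, the LLC and SNAP frames in VLAN 7, leaves the tagged frame in VLAN 3, and drops the ARP frame into the default VLAN because no template claims it.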
11 VLAN CONFIGURATION

VLAN Configuration

Basic VLAN Configuration

Table 46 Basic VLAN configuration
Operation: Enter system view
  Command: system-view
  Description: -
Operation: Create a VLAN and enter VLAN view
  Command: vlan vlan-id
  Description: Required. The vlan-id argument ranges from 1 to 4,094.
Operation: Assign a name for the current VLAN
  Command: name string
  Description: Optional. By default, the name of a VLAN is its VLAN ID.
Operation: Specify the description string of the current VLAN
  Command: description string
  Description: Optional.

Create a Range of VLANs
Table 48 Configure VLAN broadcast storm suppression
Operation: Enter VLAN view
  Command: vlan vlan-id
  Description: -
Operation: Set VLAN broadcast storm suppression
  Command: broadcast-suppression { ratio | pps pps }
  Description: Required. A VLAN supports only one broadcast storm suppression mode at a time. If you configure broadcast storm suppression modes multiple times for a VLAN, the latest configuration overwrites the previous one.
If a VLAN interface is disabled, its status is not determined by the status of its ports.

Displaying VLAN Configuration

After the configuration above, you can execute the display command in any view to display the running status, so as to verify the configuration.
Configuring a Hybrid-Port-Based VLAN

A Hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view. Follow these steps to configure the Hybrid-port-based VLAN:
To do... / Use the command...

Configuring a Trunk-Port-Based VLAN
Configuring a Port-Based VLAN

The default VLAN IDs of the Trunk ports on the local and peer devices must be the same. Otherwise, packets cannot be transmitted properly.

Displaying and Maintaining Port-Based VLAN
To do: Display the hybrid or trunk ports
  Use the command: display port { hybrid | trunk }
  Remarks: Available in any view.

Configuration prerequisites

Create a VLAN before configuring a port-based VLAN.
Configuring a Protocol-Based VLAN

Creating Protocol Template for Protocol-Based VLAN

Configuration prerequisites

Create a VLAN before configuring a protocol-based VLAN.
ip [ ip-address [ net-mask ] ] defines an IPv4-based VLAN. If you want to define VLANs based on IP using other encapsulation formats, use mode { ethernetii [ etype etype-id ] } or snap [ etype etype-id ], in which etype-id is 0x0800.

Associating a Port with the Protocol-Based VLAN
■ Currently, only non-Type-A modules, including I/O Modules and Fabric, support this command.
■ If a protocol-based VLAN has been associated with a module, the VLAN cannot be removed.
■ If a protocol in a VLAN has been associated with a module, the protocol cannot be removed from the VLAN.
Protocol-Based VLAN Configuration Example

Standard-template-protocol-based VLAN configuration example

1 Network requirements
■ Create VLAN 5 and configure it to be a protocol-based VLAN, with the protocol-index being 1 and the protocol being IP.
■ Associate port Ethernet2/0/5 with the protocol-based VLAN so that IP packets received by this port are tagged with the tag of VLAN 5 and transmitted in VLAN 5.
system-view
[SW7750] vlan 7
[SW7750-vlan7]
# Configure index 1 of VLAN 7 according to the network requirement.
[SW7750-vlan7] protocol-vlan 1 mode llc dsap 01 ssap ac
# Configure index 2 of VLAN 7 according to the network requirement.
[SW7750-vlan7] protocol-vlan 2 mode snap etype abcd
# Enter port view of Ethernet2/0/7.
[SW7750-vlan7] interface Ethernet 2/0/7
# Configure Ethernet2/0/7 as a hybrid port.
12 VOICE VLAN CONFIGURATION

Voice VLAN Overview

Voice VLANs are VLANs configured specially for voice data streams. By adding the ports with voice devices attached to voice VLANs, you can perform QoS (quality of service)-related configuration for voice data, ensuring the transmission priority of voice data streams and voice quality. Switch 7750 Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address.
VLAN; voice ports cannot be added into or removed from the voice VLAN through manual configuration.
■ In manual mode: you need to execute the related configuration commands to add a voice port to the voice VLAN or remove a voice port from the voice VLAN.
Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs, whether the automatic or the manual mode is used. Voice VLAN packets can be forwarded by trunk ports and hybrid ports in the voice VLAN.
Table 58 Matching relationship between port modes and voice stream types
Port voice VLAN mode: Manual mode
  Voice stream type: Tagged voice stream
    Port type: Access
      Supported or not: Not supported
    Port type: Trunk
      Supported or not: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and that the access port permits the packets of the default VLAN.
Voice VLAN Configuration

Configuration Prerequisites

■ Create the corresponding VLAN before configuring a voice VLAN.
■ As the default VLAN, VLAN 1 cannot be bound to a port as a voice VLAN.

Configuring a Voice VLAN to Operate in Automatic Mode

Configuring a voice VLAN to operate in manual mode
Table 60 Configure a voice VLAN to operate in manual mode
Operation: Enable the voice VLAN function for the port
  Command: voice vlan enable
  Description: Required. By default, the voice VLAN function is disabled on a port.
Operation: Bind a VLAN to the port as a voice VLAN
  Command: voice vlan vlan-id
  Description: Required. By default, no voice VLAN is bound to a port.
Operation: Enable the voice VLAN legacy function on the port
  Command: voice vlan legacy
  Description: Optional. By default, voice VLAN legacy is disabled.
Displaying and Maintaining Voice VLAN Configuration

■ The voice VLAN function takes effect only on a static VLAN. Once a dynamic VLAN is enabled with the voice VLAN function, it automatically changes to a static VLAN.
■ When a voice VLAN operates in the security mode, the devices in it only permit packets whose source addresses are voice OUI addresses that can be identified.
system-view
[SW7750] vlan 2
# Configure port Ethernet2/0/1 to be a Trunk port, with VLAN 6 as the default VLAN, and permit packets of VLAN 6 to pass through the port.
Voice Vlan aging time: 1440 minutes
Current voice vlan enabled port mode:
PORT            MODE     STATUS   Voice Vlan ID
-------------------------------------------------
Ethernet2/0/3   MANUAL   ENABLE   3
# Remove port Ethernet2/0/3 from the voice VLAN.
13 ISOLATE-USER-VLAN CONFIGURATION

Isolate-User-VLAN Overview

Introduction to Isolate-User-VLAN

Isolate-user-VLAN is designed to save VLAN resources by copying MAC address entries among the MAC address tables of the VLANs in the network, which makes use of the fact that a hybrid port removes the VLAN tag of packets coming from multiple VLANs. Isolate-user-VLAN adopts a two-level VLAN structure: you need to configure two types of VLAN, the isolate-user-VLAN and the secondary VLAN.
Figure 35 Diagram for isolate-user-VLAN application (Switch A, Eth2/0/1, Switch B with isolate-user-VLAN 5, Eth2/0/2, VLAN 3, Host)

Forward packets to Switch A
1 When packets sent by the PC reach Ethernet2/0/4, the default VLAN ID, that is, the VLAN tag of VLAN 3, is automatically added to the packets.
Isolate-User-VLAN Configuration

Table 62 isolate-user-VLAN configuration tasks
Operation: Configure the mapping between the isolate-user-VLAN and the secondary VLAN
  Description: Required
  Related section: “Configuring Mapping between isolate-user-VLAN and Secondary VLAN” on page 116

Configuring Isolate-User-VLAN

You can use the following commands to create an isolate-user-VLAN for a switch.

Configuring Secondary VLAN

Adding Ports to isolate-user-VLAN and Secondary VLAN
Table 65 Add ports to isolate-user-VLAN and secondary VLAN and configure the ports to untag packets
Operation: Add a port to the isolate-user-VLAN and the secondary VLAN
  Command: port hybrid vlan vlan-id untagged
  Description: Required
Operation: Configure the default VLAN ID of a port
  Command: port hybrid pvid vlan vlan-id
  Description: Required

CAUTION: When you use th

Configuring Mapping between isolate-user-VLAN and Secondary VLAN

Displaying Isolate-User-VLAN Configuration
Isolate-User-VLAN Configuration Example

Network diagram

Figure 36 Diagram for isolate-user-VLAN configuration (Switch A; Switch B with VLAN 5, ports Eth2/0/1, Eth2/0/2 in VLAN 3 and Eth2/0/5 in VLAN 2; Switch C with VLAN 6, ports Eth2/0/1, Eth2/0/3 in VLAN 3 and Eth2/0/4 in VLAN 4)

Configuration procedure

■ Configure Switch B
# Configure the isolate-user-VLAN.
system-view
[SwitchB] vlan 5
[SwitchB-vlan5] isolate-user-vlan enable
# Configure the secondary VLAN.
[SwitchB-Ethernet2/0/5] port hybrid pvid vlan 2
[SwitchB-Ethernet2/0/5] undo port hybrid vlan 1
# Add port Ethernet2/0/1 to the isolate-user-VLAN and the secondary VLAN, configure the port to untag the VLAN packets, and remove the port from VLAN 1.
[SwitchC-Ethernet2/0/4] quit
[SwitchC] interface Ethernet 2/0/1
[SwitchC-Ethernet2/0/1] port link-type hybrid
[SwitchC-Ethernet2/0/1] port hybrid vlan 3 untagged
[SwitchC-Ethernet2/0/1] port hybrid vlan 4 untagged
[SwitchC-Ethernet2/0/1] port hybrid vlan 6 untagged
[SwitchC-Ethernet2/0/1] port hybrid pvid vlan 6
[SwitchC-Ethernet2/0/1] undo port hybrid vlan 1
# Configure isolate-user-VLAN-to-secondary VLAN mapping.
14 SUPER VLAN

Super VLAN Overview

Only the 96Gbps switch fabrics support the super VLAN.

To save IP address resources, the super VLAN concept (also known as VLAN aggregation) was developed. Its principle is as follows: a super VLAN may include multiple sub VLANs, each of which is a broadcast domain. Layer 2 isolation is implemented between sub VLANs. The super VLAN can be configured with a Layer 3 interface, but the sub VLANs cannot.
Table 69 Configure a VLAN as a super VLAN
Operation: Enter system view
  Command: system-view
  Description: -
Operation: Enter VLAN view
  Command: vlan vlan-id
  Description: -
Operation: Configure the current VLAN as a super VLAN
  Command: supervlan
  Description: Required

CAUTION: You cannot configure a VLAN which includes Ethernet ports as a super VLAN, and after you configure a super VLAN, you cannot add any Ethernet port to it.

Configuring a Sub VLAN

You can configure a sub VLAN just as you configure an ordinary VLAN.
After establishing the mapping between the sub VLAN and the super VLAN, you can still add (or delete) ports to (from) the sub VLAN.

Configuring Super VLAN to Support DHCP Relay

With the DHCP relay function enabled on the VLAN interface of the super VLAN, the hosts of all sub VLANs that map to the super VLAN can dynamically obtain IP addresses from outside networks.

Displaying Super VLAN
Super VLAN Configuration Example

Network Requirements
■ Create super VLAN 10 and sub VLANs VLAN 2, VLAN 3 and VLAN 5.
■ Configure ports Ethernet2/0/1 and Ethernet2/0/2 to belong to VLAN 2, Ethernet2/0/3 and Ethernet2/0/4 to belong to VLAN 3, and Ethernet2/0/5 and Ethernet2/0/6 to belong to VLAN 5.
■ Configure Layer 3 connectivity between sub VLANs, and all sub VLANs use the Layer 3 interface of the super VLAN (with the IP address being 10.110.
■ Configure the IP address of VLAN 6 as 10.1.1.1, with the subnet mask 255.255.255.0.
■ Enable the DHCP relay function on the VLAN interface of VLAN 6, and establish the mapping between VLAN 6 and the remote DHCP server group 2 so that the hosts in VLAN 2 and VLAN 3 can dynamically obtain IP addresses from DHCP server group 2.

Configuration Procedure

# Create VLAN 6, and configure it as a super VLAN.
15 IP ADDRESS CONFIGURATION

IP Address Overview

IP Address Classification and Representation

An IP address is a 32-bit address allocated to a device connected to the Internet. It consists of two fields: net-id and host-id. To facilitate IP address management, IP addresses are divided into five classes, as shown in Figure 37.
Table 73 Classes and ranges of IP addresses
Network type: A
  Address range: 0.0.0.0 to 127.255.255.255
  IP network range: 1.0.0.0 to 126.0.0.0
Network type: B
  Address range: 128.0.0.0 to 191.255.255.255
  IP network range: 128.0.0.0 to 191.255.0.0
Network type: C
  Address range: 192.0.0.0 to 223.255.255.255
  IP network range: 192.0.0.0 to 223.255.255.0
Description:
■ An IP address with an all-0s host ID is a network address and is used for network routing.

Subnet and Mask
address, and the part corresponding to the remaining “0” bits in the mask is the host address. If there is no subnet division, the subnet mask uses the default value, and the length of the 1s in the mask equals the net-id length. Therefore, for IP addresses of classes A, B and C, the default subnet masks are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively.
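The class table and the mask rule above are easy to get wrong when assigning an address to a VLAN interface by hand, so here is an added Python example (not 3Com code) that applies them: it derives the class from the leading bits of the first octet, supplies the default mask for classes A to C, splits an address into net-id and host-id under a given mask, and flags the all-0s host-id as the network address as the table says. It also treats an all-1s host-id as the directed-broadcast address and rejects non-contiguous masks; both are assumptions this example adds rather than statements from the page.

```python
"""Classful address and subnet-mask arithmetic (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Default masks from the page for the three classes that carry one.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(addr: str) -> str:
    """Class from the leading bits of the first octet (Table 73 ranges)."""
    first = int(IPv4Address(addr)) >> 24
    if first & 0x80 == 0:          # 0xxxxxxx: 0.0.0.0 - 127.255.255.255
        return "A"
    if first & 0xC0 == 0x80:       # 10xxxxxx: 128.0.0.0 - 191.255.255.255
        return "B"
    if first & 0xE0 == 0xC0:       # 110xxxxx: 192.0.0.0 - 223.255.255.255
        return "C"
    if first & 0xF0 == 0xE0:       # 1110xxxx: multicast
        return "D"
    return "E"


def default_mask(addr: str) -> str:
    cls = ip_class(addr)
    if cls not in DEFAULT_MASKS:
        raise ValueError(f"class {cls} addresses carry no default subnet mask")
    return DEFAULT_MASKS[cls]


def mask_length(mask: str) -> int:
    """Number of leading 1 bits; a 1 after a 0 is not a valid mask (assumption)."""
    m = int(IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


@dataclass(frozen=True)
class Split:
    network: str        # address with the host-id bits cleared
    host_id: int        # value of the host-id bits
    prefix_len: int
    kind: str           # "network", "broadcast" or "host"
    usable_hosts: int


def split_address(addr: str, mask: Optional[str] = None) -> Split:
    """Apply the mask: 1 bits select the network address, 0 bits the host-id."""
    mask = mask or default_mask(addr)
    length = mask_length(mask)
    a, m = int(IPv4Address(addr)), int(IPv4Address(mask))
    host_bits = 32 - length
    host_id = a & ~m & 0xFFFFFFFF
    all_ones = (1 << host_bits) - 1
    if host_bits == 0:
        kind = "host"
    elif host_id == 0:
        kind = "network"        # page: all-0s host ID is the network address
    elif host_id == all_ones:
        kind = "broadcast"      # added assumption: all-1s host ID is directed broadcast
    else:
        kind = "host"
    usable = (1 << host_bits) - 2 if host_bits >= 2 else (1 if host_bits == 0 else 0)
    return Split(str(IPv4Address(a & m)), host_id, length, kind, usable)


def valid_interface_address(addr: str, mask: str) -> bool:
    """A VLAN interface address must be a host address, not the network or broadcast one."""
    return split_address(addr, mask).kind == "host"


if __name__ == "__main__":
    for candidate in ("10.1.1.1", "10.1.1.0", "10.1.1.255"):
        print(candidate, split_address(candidate, "255.255.255.0"))
```

With the super VLAN example's interface address 10.1.1.1 and mask 255.255.255.0 the split gives network 10.1.1.0, host-id 1 and 254 usable hosts, while 10.1.1.0 and 10.1.1.255 are rejected as interface addresses.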
Displaying IP Address Configuration

After the above configuration, you can execute the display command in any view to display the operating status and configuration of the interface to verify your configuration.
16 IP PERFORMANCE CONFIGURATION

IP Performance Overview

Introduction to TCP Attributes

IP performance configuration mainly refers to TCP attribute configuration. The TCP attributes that can be configured include:
■ synwait timer: This timer is started when TCP sends a SYN packet. If no response packet is received before the timer expires, the TCP connection is terminated. The timeout of the synwait timer ranges from 2 to 600 seconds and is 75 seconds by default.

Introduction to FIB
Configuring TCP Attributes

Table 77 Configure TCP attributes
Operation: Enter system view
  Command: system-view
  Description: -
Operation: Configure the timeout time for the synwait timer in TCP
  Command: tcp timer syn-timeout time-value
  Description: Required
Operation: Configure the timeout time for the finwait timer in TCP
  Command: tcp timer fin-timeout time-value
Operation: Configure the socket receiving and sending buffer size of TCP
  Command: tcp window window-size
  Description: The default value

Configuring to Send Special IP Packets to CPU
Disabling ICMP Error Message Sending

If you reference an ACL to filter directed broadcasts, only the directed broadcasts that pass the ACL filtering can be forwarded to the directly connected network.
Table 81 Display IP performance
Operation: Display TCP connection status
  Command: display tcp status
Operation: Display TCP connection statistics
  Command: display tcp statistics
Description: You can execute the display command in any view.
Troubleshooting

Then the TCP packets received or sent will be displayed in the following format in real time:
TCP output packet: Source IP address:202.38.160.1 Source port:1024 Destination IP Address 202.38.160.
17 IPX CONFIGURATION

IPX Protocol Overview

The Internetwork packet exchange (IPX) protocol is a network layer protocol in the NetWare protocol suite. IPX’s position in the Novell NetWare protocol suite is similar to IP’s in the TCP/IP protocol suite. IPX can address, route and forward packets. IPX is a connectionless protocol. Though an IPX packet includes a destination IPX address in addition to the data, there is no guarantee of successful delivery.
directly connected to them. However, you cannot use such information directly. Instead, the information is collected by the SAP agents of the switches on the networks and saved in their server information tables.
IPX Configuration

Table 85 Configure IPX static routes
Operation: Enable IPX
  Command: ipx enable
  Description: Required. IPX is disabled by default.
Operation: Enter VLAN interface view
  Command: interface Vlan-interface vlan-id
  Description: -
Operation: Configure an IPX network number for the VLAN interface
  Command: ipx network network
  Description: Required. By default, the system does not assign network numbers to VLAN interfaces.
Operation: Exit VLAN interface view
  Description: -
Table 87 Configure IPX RIP
Operation: Enter system view
  Command: system-view
  Description: -
Operation: Enable IPX
  Command: ipx enable
  Description: Required. IPX is disabled by default.
Operation: Configure the update interval of IPX RIP
  Command: ipx rip timer update seconds
  Description: Optional. By default, the update interval of IPX RIP is 60 seconds.
Operation: Configure the aging period of IPX RIP
  Command: ipx rip multiplier multiplier
  Description: Optional. By default, the aging period is three times the RIP update interval.
Operation: Configure IPX RIP to import sta
to forward an IPX packet. A longer delay means slower forwarding, whereas a shorter delay means faster forwarding. By importing routes, different routing protocols can share their routing information. Note that IPX RIP imports only active static routes; inactive static routes are neither imported nor forwarded.

Configuring IPX SAP

Enabling IPX SAP

After IPX is enabled on VLAN interfaces, the system enables SAP automatically.
Table 89 Configure IPX SAP
Operation: Configure the aging period of IPX SAP
  Command: ipx sap multiplier multiplier
  Description: Optional. By default, an IPX SAP service entry is deleted if it is not updated after three update intervals.
Operation: Enter VLAN interface view
  Command: interface Vlan-interface vlan-id
  Description: -
Operation: Configure an IPX network number for the VLAN interface
  Command: ipx network network
  Description: Required. By default, the system does not assign network n
Operation: Enable IPX SAP
  Command: undo ipx sap disable
Table 90 Config IPX GNS
Operation: Configure GNS reply of IPX SAP
  Respond to GNS requests with the information of the server picked out by round-robin polling
    Command: ipx sap gns-load-balance
    Description: Optional
  Respond to GNS requests with the information of the nearest server
    Command: undo ipx sap gns-load-balance
    Description: Optional
Operation: Enter VLAN interface view
  Command: interface Vlan-interface vlan-id
Operation: Configure an IPX network number for the VLAN interface
  Command: ipx network network
Operation: Disable GNS reply on th
Table 91 Configure IPX service information
Operation: Configure a static IPX service entry
  Command: ipx service service-type name network.

Configuring IPX forwarding
Table 92 Configure IPX forwarding
Operation: Enable the forwarding of type 20 broadcast packets
  Command: ipx netbios-propagation
  Description: Optional. By default, type 20 broadcast packets are not forwarded.

Displaying and Debugging IPX

After the above configuration, use the display command in any view to view the running of IPX and verify the effect of the configuration. Use the reset command in user view to clear the IPX statistics.
Network diagram

Figure 40 IPX network diagram (Switch A and Switch B are linked over network 1000 through their Vlan-interface 1, addresses 1000.000f-e20f-0001 and 1000.000f-e20f-0000; Switch A's Vlan-interface 2, 2.000f-e20f-0000, connects to the Server, and Switch B's Vlan-interface 2, 3.000f-e20f-0001, connects to the Client)

Configuration procedure

1 Configure Switch A.
# Enable IPX.
system-view
[Switch] ipx enable
# Assign the network number 2 to VLAN interface 2 to enable IPX on the VLAN interface.
# Assign the network number 3 to VLAN interface 2 to enable IPX on the VLAN interface.
[Switch] interface Vlan-interface 2
[Switch-Vlan-interface2] ipx network 3
# Set the packet encapsulation format to Ethernet_SNAP on VLAN interface 2.
[Switch-Vlan-interface2] ipx encapsulation snap
[Switch-Vlan-interface2] quit
# Assign the network number 1000 to VLAN interface 1 to enable IPX on the VLAN interface.
operations: Display the MTU setting on the VLAN interface with the display interface command and the RIP/SAP packet size with the display ipx interface command. Check whether the RIP/SAP packet size is smaller than the MTU setting on the VLAN interface.
Symptom 3: The switch cannot receive SAP packets.
Solutions:
■ Use the display ipx interface command to check whether SAP is disabled on the VLAN interface.
Troubleshooting IPX SAP

Symptom 1: Unable to add static service information into the service information table.
Solutions:
■ Use the display ipx service-table inactive command to check whether the service information is in the inactive service information table. If yes, there is no active route to the server.
■ Check whether the number of service information entries exceeds the limit with the display ipx service-table command.
■ Check whether there are update packets with the debugging ipx packet and debugging ipx sap packet verbose commands. All the received/transmitted packets can be displayed through the debugging information. If there are no update packets, check whether the underlying network connection is available.
■ Use the display ipx interface command to check whether SAP is enabled.
■ Check whether the hop count of the active route to the server is smaller than 16.
■ If Round-Robin is enabled, check whether multiple equivalent service entries are available for the service request. The service entries are considered equivalent only when they have the same RIP delay, RIP hop count, SAP hop count and SAP preference.

Troubleshooting IPX routing management

Symptom 1: The current switch receives routing information from a neighbor device, but the route cannot be found on the current switch with the display ipx routing-table verbose command.
18 GVRP CONFIGURATION

Introduction to GARP and GVRP

Introduction to GARP

GARP (generic attribute registration protocol) offers a mechanism that is used by the members in the same switching network to distribute, propagate and register such information as VLAN and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP and GMRP.
■ The value of a GARP timer is used by all the GARP applications, including GVRP and GMRP, running in one switching network.
■ In one switching network, the GARP timers on all the switching devices should be set to the same value. Otherwise, GARP applications cannot work normally.

GARP Timers

GARP timers include the Hold timer, Join timer, Leave timer and LeaveAll timer.

GVRP Mechanism
distinguishes them by their destination MAC addresses and delivers them to different GARP applications (for example, GVRP) for further processing.

GVRP Packet Format

The GVRP packets are in the following format:

Figure 41 Format of GVRP packets (Ethernet Frame: DA, SA, length, DSAP, SSAP, Ctrl, PDU; the PDU carries the Protocol ID followed by Message 1 ... Message N)
Table 94 Description of GVRP packet fields
Field: End Mark
  Description: End mark of the GVRP PDU.
  Value: The value of this field is fixed to 0x00.

Protocol Specifications

GVRP is defined in the IEEE 802.1Q standard.

GVRP Configuration

Configuration Prerequisite

Configuration Procedure

The GVRP configuration tasks include configuring the GARP timers, enabling GVRP, and configuring the GVRP port registration mode.
The following table describes the relations between the timers:

Table 96 Relations between the timers
Timer: Hold
  Lower threshold: 10 centiseconds
  Upper threshold: This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
Timer: Join
  Lower threshold: This lower threshold is greater than or equal to twice the timeout time of the Hold timer.

Displaying and Maintaining GVRP
GVRP Configuration Example

Network requirements

You need to enable GVRP on the switches to enable dynamic VLAN information registration and update between the switches.

Network diagram

Figure 42 Network diagram for GVRP configuration (Eth2/0/1 of Switch A connected to Eth2/0/2 of Switch B)

Configuration procedure

■ Configure switch A.
# Enable GVRP globally.
system-view
[SW7750] gvrp
GVRP is enabled globally.
19 QINQ CONFIGURATION

QinQ Overview

Introduction to QinQ

The QinQ function enables packets to be transmitted across the operators’ backbone networks with the VLAN tags of private networks encapsulated in those of public networks. In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of public networks), and the VLAN tags of private networks, which are encapsulated in the VLAN tags of public networks, are shielded.
■ Saves public network VLAN ID resources.
■ You can have VLAN IDs of your own, which are independent of public network VLAN IDs.
■ Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.

Implementation of QinQ

QinQ can be implemented by enabling the QinQ function on ports.
Table 98 Configure QinQ
Operation: Enter Ethernet port view
  Command: interface interface-type interface-number
  Description: -
Operation: Enable QinQ for the port
  Command: vlan-vpn enable
  Description: Required. By default, QinQ is disabled on a port.
Operation: Configure inner-to-outer tag priority mapping
  Command: vlan-vpn priority inner-priority remark outer-priority
  Description: Optional

The Voice VLAN feature is mutually exclusive with the QinQ feature for a port.

Displaying QinQ
Network diagram

Figure 46 Network diagram for QinQ configuration (Switch A: Eth2/0/1 access VLAN 10, VLAN VPN port, and Eth2/0/2 trunk permit VLAN 10; Switch B: Eth2/1/2 and Eth2/1/1 trunk permit VLAN 10; Switch C: Eth2/0/2 trunk permit VLAN 10, and Eth2/0/1 access VLAN 10, VLAN VPN port)

Configuration procedure

1 Configure Switch A and Switch C.
The following describes how a packet is forwarded from Switch A to Switch C.
■ As QinQ is enabled on port Ethernet2/0/1 of Switch A, when a packet from the user’s private network reaches port Ethernet2/0/1 of Switch A, it is tagged with the default VLAN tag of the port (the VLAN 10 tag) and is then forwarded to port Ethernet2/0/2.
■ When the packet reaches port Ethernet2/0/2 of Switch B, it is forwarded in VLAN 10 and is passed to port Ethernet2/0/1.
20 SELECTIVE QINQ CONFIGURATION

Selective QinQ Overview

Selective QinQ Implementation

On a Switch 7750 Ethernet switch, selective QinQ can be implemented in the following ways.
1 Enabling QinQ on ports
In this type of implementation, QinQ is enabled on ports and a received packet is tagged with the default VLAN tag of the receiving port no matter whether or not the packet already carries a VLAN tag. If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet.
Configuring Selective QinQ
Table 100 Configure selective QinQ
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Enable QinQ for the port: vlan-vpn enable (Required. By default, QinQ is disabled.)
Selective QinQ Configuration Example
Network Requirements
■ Switch A is a Switch 7750.
■ Enable QinQ on GigabitEthernet2/0/1. Set the PVID of the port to 8.
■ Insert the tag of VLAN 10 as the outer VLAN tag into packets of VLAN 8 through VLAN 15. Insert the tag of VLAN 100 as the outer VLAN tag into packets of VLAN 20 through VLAN 25.
■ GigabitEthernet2/0/1 is the upstream port of the outer VLAN tag.
# Configure the port to permit the packets of all VLANs.
[SwitchA-GigabitEthernet2/0/1] port hybrid vlan 1 to 4094 untagged
# Set the PVID of the port to 8.
[SwitchA-GigabitEthernet2/0/1] port hybrid pvid vlan 8
# Enable QinQ.
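The tag operations described in Chapter 19 (a VLAN-VPN port pushing its PVID tag onto every received frame, so a frame that already carries a customer tag becomes dual-tagged) and in the selective QinQ example above (the outer VLAN chosen by the inner VLAN range: 8 through 15 get outer VLAN 10, 20 through 25 get outer VLAN 100), as an added Python model. This is not code from the guide or from 3Com: the frame layout follows IEEE 802.1Q, the VLAN numbers come from the examples on these pages, the class and function names are this example's own, and two points the page does not state are modelling assumptions: an untagged frame receives only the PVID tag, and the inner 802.1p priority is copied to the outer tag unless a vlan-vpn priority mapping is configured.

```python
"""802.1Q tag push on a VLAN-VPN (QinQ) port, with selective QinQ.

Added example, not code from the 3Com guide. Assumptions (not stated on
the page): an untagged frame gets only the PVID tag; without a
vlan-vpn priority mapping the inner 802.1p priority is copied to the
outer tag.
"""
import struct

TPID_8021Q = 0x8100          # IEEE 802.1Q tag protocol identifier


def mac_bytes(mac):
    """'0001-0002-0003' (3Com notation) -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", ""))


def build_frame(dst, src, vids=(), ethertype=0x0800, payload=b"", pcp=0):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) for vid in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(pcp, vid), ...] outermost first, inner EtherType)."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))
        off += 4
    return tags, struct.unpack_from("!H", frame, off)[0]


def push_tag(frame, vid, pcp=0):
    """Insert a new outermost tag directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]


class VlanVpnPort:
    """A port with 'vlan-vpn enable': every received frame gets the PVID
    tag pushed on top of whatever it already carries (Chapter 19).
    selective maps inner-VLAN ranges to a different outer VLAN
    (Chapter 20); priority_map models 'vlan-vpn priority X remark Y'."""

    def __init__(self, pvid, selective=(), priority_map=None):
        self.pvid = pvid
        self.selective = list(selective)       # [((lo, hi), outer_vid), ...]
        self.priority_map = priority_map or {}

    def ingress(self, frame):
        tags, _ = parse_tags(frame)
        if not tags:                           # untagged: PVID tag only (assumption)
            return push_tag(frame, self.pvid)
        inner_pcp, inner_vid = tags[0]
        outer_vid = next((ovid for (lo, hi), ovid in self.selective if lo <= inner_vid <= hi),
                         self.pvid)
        return push_tag(frame, outer_vid, self.priority_map.get(inner_pcp, inner_pcp))


def trunk_forwards(frame, permitted_vids):
    """A provider trunk forwards on the outermost tag only; the inner
    (customer) tag is opaque to it."""
    tags, _ = parse_tags(frame)
    return bool(tags) and tags[0][1] in permitted_vids


# Chapter 20 example: PVID 8, VLANs 8-15 -> outer 10, VLANs 20-25 -> outer 100.
gig2_0_1 = VlanVpnPort(pvid=8, selective=[((8, 15), 10), ((20, 25), 100)])

if __name__ == "__main__":
    customer = build_frame("0001-0002-0003", "0001-0002-0004", vids=[12], payload=b"hi")
    tags, etype = parse_tags(gig2_0_1.ingress(customer))
    print(tags, hex(etype))        # [(0, 10), (0, 12)] 0x800
```

The model makes the security-relevant property visible: the provider switches never inspect the customer tag, so whatever VLAN number a customer frame carries is only meaningful inside that customer's own network once the outer tag is stripped again.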
21 SHARED VLAN CONFIGURATION
Shared VLAN Overview
Generation of Shared VLAN
A shared VLAN is a special VLAN created per I/O Module of the device. It is designed to avoid packet broadcast (flooding) in selective QinQ applications. Like a QinQ-enabled port, a port with selective QinQ enabled learns the source MAC addresses of user packets into the MAC address table of the default VLAN of the port.
Working Principle of Shared VLAN
After a shared VLAN is configured, all the MAC address entries learned by ports are maintained in the MAC address forwarding table of the shared VLAN, which is used to forward the packets of all VLANs in the device. With a shared VLAN configured, the forwarding information for packets with the destination MAC address MAC-A, learned by the customer port, is saved in the MAC address forwarding table of the shared VLAN.
Table 104 Display shared VLAN
■ Display the shared VLANs configured for all the I/O Modules and Fabrics in the system: display shared-vlan (You can execute the display command in any view.)
Shared VLAN Configuration Example
Network Requirements
■ The selective QinQ feature is enabled on the hybrid port Ethernet2/0/6, which is connected to the customer network.
22 PORT BASIC CONFIGURATION
Ethernet Port Configuration
Configuring the Basic Settings of an Ethernet Port
Table 105 Configure the basic settings of an Ethernet port
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Enable the Ethernet port: undo shutdown (Optional. By default, the port is enabled. Use the shutdown command to disable the port.)
Table 106 Duplex mode setting for an Ethernet port
■ 100 Mbps electrical Ethernet port: can work in full-duplex, half-duplex or auto-negotiation mode as required.
■ Gigabit electrical Ethernet port: can work in full-duplex, half-duplex or auto-negotiation mode. However, if the rate is set to 1000 Mbps, the duplex mode can only be set to full or auto.
Table 108 Configure auto-negotiation speeds for a port
■ Configure the available auto-negotiation speed(s) for the port: speed auto [ 10 | 100 | 1000 ]* (Optional. By default, the port speed is determined through auto-negotiation.)
Configuring Broadcast/Multicast/Unknown Unicast Suppression
Enabling Flow Control on a Port
Flow control takes effect only when it is enabled on both the local and the peer switch. If congestion occurs on the local switch:
■ The local switch sends a message to notify the peer switch to stop sending packets to it temporarily.
■ When it receives the message, the peer switch stops sending packets to the local switch, or reduces its sending rate, temporarily; and vice versa.
Copying the Configuration of a Port to Other Ports
To give other ports the same configuration as a specific port, you can copy the configuration of that port to them. The following types of port configuration can be copied from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, STP configuration and initial port configuration.
Configuring Loopback Detection for a Port
Loopback detection monitors whether a loopback occurs on a switch port. After you enable loopback detection on Ethernet ports, the switch periodically checks each port for an external loopback. If a loopback is detected on a port, the system processes the port in the user-defined mode.
Last 100 seconds input: 0 packets/sec 0 bytes/sec
Last 100 seconds output: 0 packets/sec 0 bytes/sec
Table 115 Set the interval to perform statistical analysis on port traffic
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Set the interval to perform statistical analysis on port traffic: flow-interval interval (Optional. By default, this interval is 300
Setting Speedup for a Port
Table 117 Allow a port to output the UP/Down log information
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Allow the port to output the UP/Down log information: enable log updown (Required. By default, a port is allowed to output the UP/Down log information.)
Displaying Basic Port Configuration
Network diagram
Figure 50 Network diagram for Ethernet port configuration
■ Switch A Eth2/0/1 is connected to Switch B Eth2/0/1.
Configuration procedure
Note:
■ Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A.
■ This example assumes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have been created.
# Enter Ethernet port view of Ethernet2/0/1.
23 LINK AGGREGATION CONFIGURATION
Overview
Introduction to Link Aggregation
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It increases bandwidth by distributing incoming/outgoing traffic across the member ports of the aggregation group, and it improves reliability because the member ports dynamically back each other up.
Operational Key
When aggregating ports, link aggregation control automatically assigns each port an operational key based on its rate, duplex mode and other basic configuration.
■ In a manual or static LACP aggregation group, the selected ports share the same operational key.
Manual Aggregation Group
port, you cannot remove the port unless you remove the whole aggregation group. LACP is enabled on the member ports of static aggregation groups, and disabling LACP on such a port does not take effect. When you remove a static aggregation group, the system keeps the member ports of the group in the LACP-enabled state and re-aggregates them into one or more dynamic LACP aggregation groups.
Besides multiple-port aggregation groups, the system can also create single-port aggregation groups, each containing only one port. LACP is enabled on the member ports of dynamic aggregation groups.
Port status of dynamic aggregation group
A port in a dynamic aggregation group can be in one of two states: selected or standby.
Table 119 Link aggregation types and related descriptions
Aggregation type: Manual aggregation
■ Basic description: Supports up to 384 aggregation groups, including 64 load-sharing aggregation groups.
■ Specific description: For Type-A modules, an aggregation group supports up to 8 selected GE ports or 16 selected FE ports. For non-Type-A modules, an aggregation group supports up to 8 selected GE ports or 8 selected FE ports. For Type-A modules, an aggregation group supports up to 8 sele
Table 120 Restriction of Type-A I/O Modules on link aggregation
■ I/O Module type: Type-A I/O Module. Cross-chip aggregation: Not supported.
Rows below give, per I/O Module specification, the maximum number of ports in an aggregation group and the maximum number of selected ports in an aggregation group.
Aggregation type: Manual aggregation
■ 3C16860/3C16860: 16 ports; 16 selected ports
■ 3C16861/LS81FS24A/3C16861/LS81FS24: 16 ports; 16 selected ports
■ 3C16858/3C16859/3C16858/3C16859: 8 ports; 8 selected ports
Aggregation type:
■ 3C16860/3C16860: 24 ports; 16 selected ports
■ 3C16861/LS8 24 1
■ An aggregation group containing special ports (such as 10GE ports), which require hardware aggregation resources, has higher priority than any aggregation group containing no special port.
■ A manual or static aggregation group has higher priority than a dynamic aggregation group (unless the latter contains special ports while the former does not).
Table 122 Configure a manual aggregation group
■ Add a group of ports to a new manual aggregation group: link-aggregation interface-type interface-number to interface-type interface-number [ both ] (Optional)
■ Configure a description for the aggregation group: link-aggregation group agg-id description agg-name (Optional. By default, an aggregation group has no description.)
Note: For a static LACP aggregation group or a manual aggregation group, you are recommended not to cross cables between the two devices at the two ends of the aggregation group. For example, suppose port 1 of the local device is connected to port 2 of the peer device. To avoid cross-connecting cables, do not connect port 2 of the local device to port 1 of the peer device. Otherwise, packets may be lost.
■ When a dynamic or static aggregation group is changed into a manual aggregation group, the system automatically disables LACP on all the member ports. When a dynamic aggregation group is changed into a static aggregation group, LACP on all the member ports remains enabled. Note that if a manual or static aggregation group contains only one port, this port cannot be removed from the aggregation group.
Table 126 Display and maintain link aggregation configuration
■ Display the ID of the local device: display lacp system-id
■ Display link aggregation details of a specified port or port range: display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]
■ Clear LACP statistics about a specified port or port range: reset lacp statistics [ interface interface-type interface-number [ to interface-type int
# Create static aggregation group 1.
[SW7750] link-aggregation group 1 mode static
# Add Ethernet 2/0/1 through Ethernet 2/0/3 to aggregation group 1.
24 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Introduction to Port Isolation
With the port isolation feature, you add the ports to be controlled to an isolation group, which isolates Layer 2 and Layer 3 traffic between the ports in the group. This improves network security and allows flexible networking. Currently, you can configure up to 64 isolation groups on a switch. The number of Ethernet ports an isolation group can accommodate is not limited.
Note:
■ An Ethernet port belongs to only one port isolation group. If you add an Ethernet port to different isolation groups, the port belongs only to the latest isolation group to which it was added.
■ Currently, Type A modules (3C16860, 3C16861, LS81FS24A, 3C16858, and 3C16859) do not support the port isolation feature.
Displaying Port Isolation Configuration
Port Isolation Configuration Example
[SW7750-port-isolate-group1] port Ethernet2/0/2 to Ethernet2/0/4
# Display information about the ports in the isolation group.
25 PORT SECURITY CONFIGURATION
Note: Currently, Type A modules (3C16860, 3C16860, 3C16861, 3C16861, LS81FS24A, LS81FS24, 3C16858, 3C16858, 3C16859, and 3C16859) do not support the port security feature.
Introduction
Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication.
Table 129 Description of port security modes
Security mode: autolearn
■ Description: In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
Table 129 Description of port security modes (continued)
Security mode: userlogin-secure
■ Description: The port is enabled only after an access user passes MAC-based 802.1x authentication. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated user is allowed to access the port.
■ Feature: In any of these modes, the device will trigger NTK and intrusion protection upon
Port Security Configuration
Table 130 Port security configuration tasks
■ "Enabling Port Security" on page 202: Required
■ "Setting the Maximum Number of MAC Addresses Allowed on a Port" on page 202: Optional
■ "Setting the Port Security Mode" on page 203: Required
■ "Configuring Port Security Features" on page 204: Optional. Choose one or more features as required: "Configuring the NTK feature" on page 204; "Configuring intrusion
This setting is different from the maximum number of MAC addresses that can be learned by a port, which is configured in MAC address table management.
■ Voice VLAN
Configuring Port Security Features
Configuring the NTK feature
Table 134 Configure the NTK feature
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Configure the NTK feature: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts } (Required. By default, NTK is disabled on a port, that is, all frames are allowed to be sent.)
Table 137 Configure a port to ignore the authorization information from the RADIUS server
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Ignore the authorization information from the RADIUS server: port-security authorization ignore (Required. By default, a port uses the authorization information from the RADIUS server.)
Configuring Security MAC Addresses
Displaying Port Security Configuration
After the above configuration, you can use the display command in any view to display port security information and verify your configuration.
# Set the maximum number of MAC addresses allowed on the port to 80.
[SW7750-GigabitEthernet2/0/1] port-security max-mac-count 80
# Set the port security mode to autolearn.
[SW7750-GigabitEthernet2/0/1] port-security port-mode autolearn
[SW7750-GigabitEthernet2/0/1] quit
# Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
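An added Python model of the autolearn mode, the max-mac-count limit, static security MAC addresses and the NTK egress filter from Tables 129 and 134, put together with the configuration example above (80 addresses, host 0001-0002-0003). This is not code from the guide or from 3Com. The NTK mode meanings used here (ntkonly forwards only unicast frames whose destination is a security MAC; ntk-withbroadcasts additionally forwards broadcasts; ntk-withmulticasts additionally forwards multicasts) and the intrusion action (drop the frame and record its source) are this example's assumptions about the keywords the guide names; the flooding source addresses are constructed.

```python
"""Port security: autolearn, max-mac-count, security MACs, NTK, intrusion.

Added example, not code from the 3Com guide. NTK mode meanings and the
intrusion action are assumptions about the keywords the guide lists.
"""
BROADCAST = "ffff-ffff-ffff"


def is_group_mac(mac):
    """I/G bit (LSB of the first octet) set: multicast or broadcast."""
    return int(mac[:2], 16) & 1 == 1


class SecurePort:
    def __init__(self, max_mac_count, ntk_mode=None):
        self.max_mac_count = max_mac_count
        self.ntk_mode = ntk_mode       # None models the default: NTK disabled
        self.security_macs = set()     # static entries plus autolearned ones
        self.intrusions = []           # source MACs rejected once the port is secure

    @property
    def secure(self):
        """Once the count reaches max-mac-count the port stops learning."""
        return len(self.security_macs) >= self.max_mac_count

    def add_security_mac(self, mac):
        """Static security MAC (the 'mac-address security' step of the example)."""
        if self.secure and mac.lower() not in self.security_macs:
            raise ValueError("max-mac-count reached")
        self.security_macs.add(mac.lower())

    def ingress(self, src_mac):
        """True if a frame from src_mac is accepted. Unknown sources after the
        limit trigger intrusion protection (assumed action: drop and record)."""
        src_mac = src_mac.lower()
        if src_mac in self.security_macs:
            return True
        if self.secure:
            self.intrusions.append(src_mac)
            return False
        self.security_macs.add(src_mac)   # autolearn: learned MAC becomes a security MAC
        return True

    def egress(self, dst_mac):
        """NTK (need to know): may a frame to dst_mac leave through this port?"""
        if self.ntk_mode is None:
            return True
        dst_mac = dst_mac.lower()
        if dst_mac == BROADCAST:
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        if is_group_mac(dst_mac):
            return self.ntk_mode == "ntk-withmulticasts"
        return dst_mac in self.security_macs


def mac_flood(port, attempts):
    """Send frames from `attempts` distinct constructed source MACs and
    return (accepted, rejected): the effect of max-mac-count on a MAC flood."""
    results = [port.ingress("0200-00aa-%04x" % i) for i in range(attempts)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    gig = SecurePort(max_mac_count=80, ntk_mode="ntk-withbroadcasts")
    gig.add_security_mac("0001-0002-0003")     # Host, from the guide's example
    print(mac_flood(gig, 200))                  # (79, 121): 79 learned, then secure
    print(gig.egress("0001-0002-0003"), gig.egress("0200-00aa-0001"), gig.egress(BROADCAST))
```

Two things the model shows that the tables do not: a MAC flood fills the autolearn table with whatever sources arrive first, so the static entry for the legitimate host should be configured before the port goes into service; and NTK only stops the port from leaking unicast traffic to unknown destinations, it does not restrict who may send.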
26 PORT BINDING CONFIGURATION
Note: Currently, Type A modules (3C16860, 3C16860, 3C16861, 3C16861, LS81FS24A, LS81FS24, 3C16858, 3C16858, 3C16859, and 3C16859) do not support the port binding feature.
Port Binding Overview
Introduction
Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
Configuring Port Binding
Port Binding Configuration Example
Network requirements
Bind the MAC and IP addresses of Host A to Ethernet 2/0/1 on Switch A, so that Ethernet 2/0/1 forwards only packets coming from or going to Host A.
Network diagram
Figure 54 Network diagram for port binding configuration
■ Switch A (Eth2/0/1), Switch B, Host A (10.12.1.1/24, MAC address 0001-0002-0003), Host B
Configuration procedure
Configure Switch A as follows:
# Enter system view.
27 DLDP CONFIGURATION
Overview
Introduction
You may have encountered unidirectional links in networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. Unidirectional links can cause problems such as spanning tree protocol (STP) loops.
Figure 56 Fiber broken or not connected
■ SwitchA (GE2/0/3, GE2/0/4), SwitchB (GE2/0/3, GE2/0/4), PC
DLDP provides the following features:
Note:
■ As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device.
■ The auto-negotiation mechanism at the physical layer detects physical signals and faults. DLDP identifies peer devices and unidirectional links, and disables unreachable ports.
Table 142 DLDP packet types
■ Advertisement: Notifies the neighbor devices of the existence of the local device. An advertisement packet carries only the local port information and does not require a response from the peer end.
■ RSY-Advertisement packets (referred to as RSY packets hereafter): Advertisement packet with the RSY flag set to 1.
Table 142 DLDP packet types (continued)
■ Recover Echo: Recover echo packets are responses to recover probe packets in the port auto-recovery mechanism. A link is considered restored to the bidirectional state if a port on one end sends a recover probe packet, receives a recover echo packet, and the neighbor information contained in the recover echo packet is consistent with that of the local port.
Table 145 Processing procedure when no echo packet is received from the neighbor
■ No echo packet received from the neighbor, normal mode: If no echo packet has been received when the echo waiting timer expires, DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
Table 147 DLDP timers
■ Echo waiting timer: Enabled when DLDP enters the probe state. The echo waiting timer length is 10 seconds. If no echo packet is received from the neighbor when the echo waiting timer expires, the state of the local end is set to unidirectional link and the state machine turns into the disable state. DLDP outputs log and tracking information and sends flush packets.
Table 147 DLDP timers (continued)
■ DelayDown timer: When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first. When a device changes to the delaydown state, the related DLDP neighbor information remains, and the DelayDown timer is triggered.
Link Auto-recovery Mechanism
If the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects that the link connected to the port is unidirectional. A port in the DLDP down state does not forward service packets or receive/send protocol packets other than DLDPDUs. A port in the DLDP down state recovers when the corresponding link recovers. A port in the DLDP down state sends recover probe packets periodically.
Table 150 DLDP configuration tasks
■ Set the authentication mode and password: dldp authentication-mode { none | simple simple-password | md5 md5-password } (Optional. In simple mode the password is carried in plain text in DLDP packets, so anyone who can capture them learns it; md5 mode carries an MD5 digest of the password instead. Use md5 when authentication is needed.)
■ Set the interval of sending DLDP packets: dldp interval value (Optional. By default, the interval of sending DLDP packets is 5 seconds.)
■ Set the delaydown timer: dldp delaydown-timer delaydown-time (Optional. By default, the delaydown timer expires 1 second after it is triggered.)
Table 150 DLDP configuration tasks (continued)
■ Force the duplex attribute: duplex full (Required. If you want to use DLDP to detect which of the two fibers is not connected or fails, you must configure the ports to work in mandatory full duplex mode.)
Table 151 Reset DLDP status
■ Reset the status of DLDP globally: enter system view (system-view), then dldp reset (Optional)
■ Reset the status of DLDP on a port: enter Ethernet port view (interface interface-type interface-number), then dldp reset (Optional; the same command applies to 100 M Ethernet ports and to Gigabit Ethernet ports)
Precautions During DLDP Configuration
CAUTION:
■ This command
For XGbus products, pay attention to the following points:
■ When interface modules are hot swapped, if the plugged interface module is of the same type as the removed interface module, DLDP restores automatically.
■ When an active/standby switchover is performed on the Fabric, the standby Fabric takes over the detection of unidirectional links from the former active Fabric. DLDP parameters remain the same, and unidirectional links are detected again on each port.
DLDP Network Example
# Set the interval of sending DLDP packets to 15 seconds.
[SW7750A] dldp interval 15
# Configure DLDP to work in enhanced mode.
[SW7750A] dldp work-mode enhance
# Set the DLDP handling mode to auto after unidirectional links are detected.
[SW7750A] dldp unidirectional-shutdown auto
# Display the DLDP status.
[SW7750A] display dldp
Note: If the fibers are correctly connected between the two switches, the system displays the connections with the neighbor as bidirectional links.
28 MAC ADDRESS TABLE MANAGEMENT
Note: This chapter describes the management of static and dynamic MAC address entries. For information on the management of multicast MAC address entries, refer to "Multicast Overview" on page 413.
Overview
Introduction to MAC Address Learning
An Ethernet switch maintains a MAC address table to forward packets quickly. A MAC address table is a port-based Layer 2 address table. It is the basis on which the Ethernet switch performs Layer 2 packet forwarding.
Figure 58 Packets forwarded by using a MAC address table
■ MAC address table: MAC A on Port 1; MAC B on Port 1; MAC C on Port 2; MAC D on Port 2
■ Hosts MAC A and MAC B are attached to Port 1; hosts MAC C and MAC D are attached to Port 2.
After learning the source address of the packet, the switch searches the MAC address table for the destination MAC address of the received packet:
■ If it finds a match, it forwards the packet directly.
■ Static MAC address entry: Also known as a permanent MAC address entry. Entries of this type are added and removed manually and cannot age out by themselves. Using static MAC address entries can reduce broadcast packets remarkably; they are suitable for networks where network devices seldom change.
■ Dynamic MAC address entry: Entries of this type age out after the configured aging time.
Table 154 Add a MAC address entry
■ Enter system view: system-view
■ Add a MAC address entry: mac-address { static | dynamic } mac-address interface interface-type interface-number vlan vlan-id (Required)
CAUTION: For a MAC address entry to be added, the port specified by the interface keyword must belong to the VLAN specified by the vlan keyword in the command.
Setting the Aging Time for MAC Address Entries
Table 156 Set the maximum number of MAC addresses a port can learn
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Set the maximum number of MAC addresses the port can learn: mac-address max-mac-count count (Required. By default, the number of MAC addresses a port can learn is not limited.)
Disabling MAC Address Learning
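The learning, lookup and aging behaviour of Figure 58 and of the static and dynamic entry types, as an added Python model that is not code from the guide or from 3Com. The table of Figure 58 (MAC A and MAC B on port 1, MAC C and MAC D on port 2) is reproduced; the VLAN membership, the third port and the aging time are constructed for the example, and the check that a static entry's port belongs to the VLAN follows the CAUTION under Table 154. The class and function names are this example's own.

```python
"""Layer 2 MAC address table: learning, lookup/flooding, aging, static entries.

Added example, not code from the 3Com guide. The clock is an explicit
parameter so aging can be exercised deterministically; the VLAN
membership and the aging time below are constructed for the example.
"""


class MacTable:
    def __init__(self, vlan_ports, aging_time=300):
        self.vlan_ports = vlan_ports         # {vlan_id: set of member ports} (constructed)
        self.aging_time = aging_time         # seconds; applies to dynamic entries only
        self.entries = {}                    # (vlan, mac) -> [port, static, last_seen]

    def add_static(self, vlan, mac, port):
        """'mac-address static ...': the port must belong to the VLAN (Table 154 CAUTION)."""
        if port not in self.vlan_ports.get(vlan, set()):
            raise ValueError("port %s is not in VLAN %d" % (port, vlan))
        self.entries[(vlan, mac)] = [port, True, None]

    def learn(self, vlan, src_mac, port, now):
        """Source learning. A static entry pins the MAC: a frame with the
        same source arriving on another port does not move it, which is
        why static entries are useful against MAC spoofing."""
        entry = self.entries.get((vlan, src_mac))
        if entry is not None and entry[1]:
            return
        self.entries[(vlan, src_mac)] = [port, False, now]

    def age(self, now):
        """Drop dynamic entries not refreshed within aging_time; return the count."""
        expired = [k for k, (_, static, seen) in self.entries.items()
                   if not static and now - seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, vlan, src_mac, dst_mac, in_port, now):
        """Learn the source, then return the egress port set: the matching
        port if the destination is known, otherwise flood to every other
        port of the VLAN (Figure 58)."""
        self.learn(vlan, src_mac, in_port, now)
        entry = self.entries.get((vlan, dst_mac))
        if entry is None:
            return {p for p in self.vlan_ports[vlan] if p != in_port}
        return set() if entry[0] == in_port else {entry[0]}


def figure_58():
    """Rebuild Figure 58: A and B behind port 1, C and D behind port 2."""
    t = MacTable({1: {1, 2, 3}})
    for mac, port in (("MAC A", 1), ("MAC B", 1), ("MAC C", 2), ("MAC D", 2)):
        t.learn(1, mac, port, now=0)
    return t


if __name__ == "__main__":
    t = figure_58()
    print(t.forward(1, "MAC A", "MAC C", 1, now=1))   # {2}: known destination
    print(t.forward(1, "MAC A", "MAC X", 1, now=1))   # {2, 3}: unknown, flooded
    print(t.age(now=400))                             # dynamic entries aged out
```

Flooding of unknown destinations is what an attacker exploits by exhausting the table with forged sources; the per-port limit of Table 156 and static entries for critical hosts are the two controls this chapter offers against it.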
HiGig ports are special ports on modules that connect the modules to the backplane. HiGig ports can also learn and synchronize MAC addresses.
Table 161 Display and maintain MAC address table configuration
■ Display information about the MAC address table: display mac-address [ display-option ] (You can use the display command in any view.)
29 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION
Note: Currently, 3C16860, 3C16861, LS81FS24A, 3C16859, and 3C16858 I/O Modules of 3Com Switch 7750 Ethernet switches do not support centralized MAC address authentication.
Centralized MAC Address Authentication Overview
Centralized MAC address authentication is port- and MAC address-based authentication used to control user permission to access a network. Centralized MAC address authentication can be performed without client-side software.
Centralized MAC Address Authentication Configuration
The following are centralized MAC address authentication configuration tasks:
■ "Enabling Centralized MAC Address Authentication Globally" on page 234
■ "Enabling Centralized MAC Address Authentication for a Port" on page 234
■ "Configuring Centralized MAC Add
Enabling Centralized MAC Address Authentication Globally
Enabling Centralized MAC Address Authentication for a Port
Table 163 Enable centralized MAC address authentication for a port in system view
■ Enter system view: system-view
■ Enable centralized MAC address authentication for specified ports: mac-authentication interface interface-list (Required. By default, centralized MAC address authentication is disabled on a port.)
Table 166 Configure the ISP domain for centralized MAC address authentication users
■ Configure the ISP domain for MAC address authentication users: mac-authentication domain isp-name (Required. By default, the "default domain" is used as the ISP domain.)
Configuring the Timers Used in Centralized MAC Address Authentication
Table 168 Configure the centralized MAC address re-authentication function
■ Enter system view: system-view
■ Enable the MAC address regular re-authentication function: mac-authentication re-authenticate enable (Optional)
■ Re-authenticate a specified MAC address: mac-authentication re-authenticate mac-address mac-address (Opti
Displaying and Debugging Centralized MAC Address Authentication
■ In MAC address mode, the MAC address of a user authenticated by the RADIUS server must be configured as both the user name and the password on the RADIUS server. Because a MAC address is neither secret nor hard to forge, this mode authenticates a device address rather than a user: anyone who observes a permitted MAC address on the segment can spoof it.
Network requirement
As shown in the following figure, a user workstation (Supplicant) is connected to Ethernet 2/0/1 of the Ethernet device (Authenticator).
[SW7750] mac-authentication timer offline-detect 180
[SW7750] mac-authentication timer quiet 30
For domain-related configuration, refer to the "802.1x Configuration Example" on page 404.
30 MSTP CONFIGURATION
MSTP Overview
Spanning tree protocol (STP) cannot make Ethernet ports transition between states rapidly. It takes twice the forward delay for a port to transition to the forwarding state, even if the port is on a point-to-point link or is an edge port. This slows down spanning tree convergence in STP.
Figure 60 Basic MSTP terminologies
■ Region A0: VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; other VLANs mapped to the CIST.
■ Region D0: VLAN 1 mapped to instance 1, B as regional root bridge; VLAN 2 mapped to instance 2, C as regional root bridge; other VLANs mapped to the CIST.
■ Region B0: VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; other VLANs mapped to the CIST.
■ Region C0: VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; Other
■ Switches A, B, C and D exchange BPDUs over the CST between the regions.
IST
An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it belongs to an MST region and is a branch of the CIST. In Figure 60, each MST region has an IST, which is a branch of the CIST.
CST
A CST is the spanning tree in a switched network that connects all MST regions in the network.
form a loop. Port 3 and port 4 on switch D connect downstream to other MST regions. This figure shows the roles these ports play.
Note:
■ A port can play different roles in different MSTIs.
■ The role a region edge port plays is consistent with the role it plays in the CIST. For example, port 1 on switch A in Figure 61 is a region edge port, and it is a master port in the CIST. So it is a master port in all MSTIs in the region.
Implementation of MSTP
MSTP divides a network into multiple MST regions at Layer 2. The CST is generated between these MST regions, and multiple spanning trees (MSTIs) can be generated in each MST region. Like RSTP, MSTP uses configuration BPDUs to generate spanning trees. The only difference is that the configuration BPDUs for MSTP carry the MSTP configuration information of the switches.
For each switch in a network, the port through which the configuration BPDU with the highest priority is received is chosen as the root port of the switch.
Table 171 Root bridge configuration
■ Bridge priority configuration: Optional. Related section: "Bridge Priority Configuration" on page 250. The priority of a switch cannot be changed after the switch is specified as the root bridge or a secondary root bridge.
■ MSTP operation mode configuration: Optional.
Table 172 Configure an MST region
■ Configure the MSTP revision level for the MST region: revision-level level (Required)
■ Activate the configuration of the MST region manually: active region-configuration (Required)
■ Display the configuration of the current MST region: check region-configuration (Optional)
■ Display the currently valid configuration of the MST region: display stp region-configuration (You can execute this command in any view.)
Root Bridge/Secondary Root Bridge Configuration
MSTP can automatically choose a switch as a root bridge. You can also manually specify the current switch as a root bridge by using the corresponding commands.
spanning tree instance on two or more switches using the stp root secondary command.
■ You can also configure the current switch as the root bridge by setting the priority of the switch to 0. Note that once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.
Configuration example
# Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2.
RSTP-enabled switches, you can configure the current MSTP-enabled switch to operate in this mode by using the stp mode rstp command.
■ MSTP mode: In this mode, the protocol packets sent out of the ports of the switch are MSTP packets, or STP packets if the ports are connected to STP-enabled switches. The multiple spanning tree function is enabled only for MSTP packets.
Configuration example
# Configure the maximum hops of the MST region to be 30 (assuming that the current switch operates as the region root).
system-view
[SW7750] stp max-hops 30
Network Diameter Configuration
In a switched network, any two switches can communicate with each other through a path on which there may be other switches.
■ The Hello time parameter is for link testing. A switch regularly sends hello packets to other switches at the interval specified by the Hello time parameter to test the links.
■ The Max age parameter is used to judge whether or not a configuration BPDU is obsolete. Obsolete configuration BPDUs are discarded.
As for the configuration of these three time-related parameters (the Hello time, Forward delay, and Max age parameters), the following formulas must be satisfied to prevent network jitter:
2 x (Forward delay - 1 second) >= Max age
Max age >= 2 x (Hello time + 1 second)
It is recommended that you specify the network diameter of the switched network and the Hello time by using the stp root primary or stp root secondary command.
parameter. It depends on the physical state of the port and the network structure. You can configure this parameter according to the network.
Configuration procedure (in system view)
Table 183 Configure a port as an edge port (in system view)
Operation | Command | Description
Enter system view | system-view | -
Configure the specified ports as edge ports | stp interface interface-list edged-port enable | Required. By default, all the Ethernet ports of a switch are non-edge ports.
Configuration procedure (in system view)
Table 185 Specify whether or not the links connected to the specified ports are point-to-point links (in system view)
Operation | Command | Description
Enter system view | system-view | -
Specify whether or not the links connected to the specified ports are point-to-point links | stp interface interface-list point-to-point { force-true | force-false | auto } | Required. The auto keyword is adopted by default.
Configuration example
# Configure the link connected to port Ethernet1/0/1 as a point-to-point link.
1 Configure in system view.
system-view
[SW7750] stp interface ethernet1/0/1 point-to-point force-true
2 Configure in Ethernet port view.
Configuration example
# Enable MSTP on the switch and disable MSTP on port Ethernet1/0/1.
1 Configure in system view.
system-view
[SW7750] stp enable
[SW7750] stp interface ethernet1/0/1 disable
2 Configure in Ethernet port view.
system-view
[SW7750] stp enable
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] stp disable
Leaf Node Configuration
Table 189 lists the MSTP-related configurations for leaf nodes.
MST Region Configuration | Refer to "MST Region Configuration" on page 247.
MSTP Operation Mode Configuration | Refer to "MSTP Operation Mode Configuration" on page 250.
Timeout Time Factor Configuration | Refer to "Timeout Time Factor Configuration" on page 254.
Maximum Transmitting Speed Configuration | Refer to "Maximum Transmitting Speed Configuration" on page 254.
Edge Port Configuration | Refer to "Edge Port Configuration" on page 255.
Table 191 Transmission speeds and the corresponding path costs
Transmission speed | Operation mode (half-/full-duplex) | 802.1D-1998 | IEEE 802.
Table 193 Configure the path cost for a port in Ethernet port view
Operation | Command | Description
Configure the path cost for the port | stp [ instance instance-id ] cost cost | Required
An MSTP-enabled switch can calculate the path costs of all its ports automatically. Changing the path cost of a port may change the role of the port and put it into state transition.
Configuring port priority in Ethernet port view
Table 195 Configure port priority for a specified port in Ethernet port view
Operation | Command | Description
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure port priority for the port | stp [ instance instance-id ] port priority priority | Required. The default port priority is 128.
MSTP-enabled switch, the port cannot automatically transit to the MSTP operation mode; it remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP mode by performing the mCheck operation on the port.
Prerequisites
MSTP runs normally on the switch.
Configuration Procedure
You can perform the mCheck operation in the following two ways.
Normally, no configuration BPDU reaches an edge port. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by using the BPDU protection function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and reports these events to the administrator.
MAC address tables frequently, with negative effects on STP calculation and network stability. You can use the stp tc-protection threshold command to set a threshold for the number of times the MAC address table is removed within a period. If the number of received TC-BPDUs is less than the specified upper threshold, the switch removes its MAC address table upon receiving a TC-BPDU.
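As an added example (not code from the 3Com guide), the following Python model replays a constructed stream of BPDUs against the two protection functions described above: BPDU protection shutting down an edge port that receives a configuration BPDU, and the tc-protection threshold limiting MAC address table flushes per period. The threshold value, period length, port names and event stream are constructed for the example, and the behaviour above the threshold (the TC-BPDU is counted and reported but triggers no flush until the period expires) is an assumption.

```python
"""Added example (not code from the 3Com guide): a small model of the two MSTP
protection functions described in this section, BPDU protection on edge ports
and the TC-BPDU flush threshold (stp tc-protection threshold)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    edge: bool               # port configured as an edge port (edged-port enable)
    shut_down: bool = False  # set when BPDU protection shuts the port down


@dataclass
class Switch:
    tc_threshold: int        # MAC table flushes allowed per period (example value)
    period_seconds: float    # ASSUMPTION: length of the TC-BPDU counting period
    bpdu_protection: bool = True
    ports: dict = field(default_factory=dict)
    mac_flushes: int = 0
    alarms: list = field(default_factory=list)
    period_start: float = 0.0
    period_tc_count: int = 0

    def add_port(self, name, edge):
        self.ports[name] = Port(name, edge)

    def receive_config_bpdu(self, port_name, now):
        """BPDU protection: an edge port that receives a configuration BPDU is
        shut down and the event is reported to the administrator."""
        port = self.ports[port_name]
        if port.shut_down:
            return "dropped"   # port already shut down, the BPDU goes nowhere
        if port.edge and self.bpdu_protection:
            port.shut_down = True
            self.alarms.append(f"{now:.1f}s {port_name}: configuration BPDU on edge port, port shut down")
            return "shutdown"
        return "processed"     # non-edge port: normal spanning tree calculation

    def receive_tc_bpdu(self, port_name, now):
        """TC-BPDU protection: flush the MAC address table only while fewer than
        tc_threshold TC-BPDUs have been counted in the current period."""
        if self.ports[port_name].shut_down:
            return "dropped"
        if now - self.period_start >= self.period_seconds:
            self.period_start = now     # a new counting period begins
            self.period_tc_count = 0
        if self.period_tc_count < self.tc_threshold:
            self.period_tc_count += 1
            self.mac_flushes += 1
            return "flushed"
        # ASSUMPTION: beyond the threshold the TC-BPDU triggers no further flush
        # until the period expires; the event is still reported.
        self.period_tc_count += 1
        self.alarms.append(f"{now:.1f}s {port_name}: TC-BPDU above threshold, MAC table flush suppressed")
        return "suppressed"


# Constructed event stream: (time in seconds, BPDU kind, receiving port).
# Ethernet1/0/1 is an edge port facing a host; Ethernet1/0/2 is an uplink.
EVENTS = [
    (0.0, "tc", "Ethernet1/0/2"),
    (0.5, "tc", "Ethernet1/0/2"),
    (1.0, "tc", "Ethernet1/0/2"),
    (3.0, "config", "Ethernet1/0/1"),
    (3.5, "config", "Ethernet1/0/1"),
    (4.0, "config", "Ethernet1/0/2"),
    (12.0, "tc", "Ethernet1/0/2"),
]


def run_scenario(events=EVENTS):
    """Replay the events on a switch with tc_threshold=1 and a 10 s period."""
    sw = Switch(tc_threshold=1, period_seconds=10.0)
    sw.add_port("Ethernet1/0/1", edge=True)
    sw.add_port("Ethernet1/0/2", edge=False)
    results = []
    for now, kind, port in events:
        if kind == "tc":
            results.append(sw.receive_tc_bpdu(port, now))
        else:
            results.append(sw.receive_config_bpdu(port, now))
    return {
        "results": results,
        "mac_flushes": sw.mac_flushes,
        "shut_down_ports": sorted(p.name for p in sw.ports.values() if p.shut_down),
        "alarms": sw.alarms,
    }


if __name__ == "__main__":
    summary = run_scenario()
    print(summary["results"])
    for line in summary["alarms"]:
        print(line)
```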
Table 200 Enable the root guard function in Ethernet port view
Operation | Command | Description
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Enable the root guard function on the current port | stp root-protection | Required. The root guard function is disabled by default.
Configuration example
# Enable the root guard function on port Ethernet1/0/1.
1 Configure in system view.
system-view
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] stp loop-protection
TC-BPDU Attack Prevention Configuration
Configuration prerequisites
MSTP is enabled on the current switch.
the BPDUs to be sent to the partner's switch. In this way, the Switch 7750s can interwork with the partners' switches in the same MST region.
Digest Snooping Configuration
Configure the digest snooping feature on a switch to enable it to interwork, through MSTIs, with other switches in the same MST region that use proprietary protocols to calculate configuration digests.
■ Proposal packets: Packets sent by designated ports to request rapid transition
■ Agreement packets: Packets used to acknowledge rapid transition requests
Both RSTP and MSTP switches can perform the rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch.
on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packet to the upstream switch. As a result, the designated port of the upstream switch fails to transit rapidly and can only change to the Forwarding state after a period of twice the Forward Delay. Some partners' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports.
Configuration procedure
1 Configure the rapid transition feature in system view.
Table 205 Configure the rapid transition feature in system view
Operation | Command | Description
Enter system view | system-view | -
Enable the rapid transition feature | stp interface interface-type interface-number no-agreement-check | Required. By default, the rapid transition feature is disabled on a port.
2 Configure in Ethernet port view.
Figure 65 BPDU Tunnel network hierarchy (figure: a service provider network whose packet input/output devices connect the customer networks Network A and Network B)
BPDU Tunnel Configuration
Configuration prerequisites
MSTP is enabled on the current switch.
STP Maintenance Configuration
Introduction
In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently. In this case, maintenance personnel may want log/trap information to be output to the log host when particular ports fail, so that they can check the status changes of those ports through the alarm information.
Enabling Log/Trap Output for Ports of MSTP Instance
Configuration Example
MSTP Implementation Example
Network requirements
Implement MSTP in the network shown in Figure 66 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows:
■ All switches in the network belong to the same MST region.
■ Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along spanning tree instance 1, instance 3, instance 4, and instance 0 respectively.
# Specify Switch A as the root bridge of spanning tree instance 1.
[SW7750] stp instance 1 root primary
2 Configure Switch B.
# Enter MST region view.
system-view
[SW7750] stp region-configuration
# Configure the MST region.
[SW7750-mst-region] region-name example
[SW7750-mst-region] instance 1 vlan 10
[SW7750-mst-region] instance 3 vlan 30
[SW7750-mst-region] instance 4 vlan 40
[SW7750-mst-region] revision-level 0
# Activate the settings of the MST region.
[SW7750-mst-region] region-name example
[SW7750-mst-region] instance 1 vlan 10
[SW7750-mst-region] instance 3 vlan 30
[SW7750-mst-region] instance 4 vlan 40
[SW7750-mst-region] revision-level 0
# Activate the settings of the MST region.
[SW7750-mst-region] active region-configuration
BPDU Tunnel Configuration Example
Network requirements
■ Switch 7750s operate as the access devices of the operator's network, that is, Switch C and Switch D in the network diagram.
system-view
[SW7750] stp enable
# Add port Ethernet1/0/1 to VLAN 10.
[SW7750] vlan 10
[SW7750-Vlan10] port Ethernet 1/0/1
3 Configure Switch C.
# Enable MSTP.
system-view
[SW7750] stp enable
# Enable the BPDU Tunnel function.
[SW7750] vlan-vpn tunnel
# Add port Ethernet1/0/1 to VLAN 10.
[SW7750] vlan 10
[SW7750-Vlan10] port Ethernet 1/0/1
[SW7750-Vlan10] quit
# Disable STP on port Ethernet1/0/1 and then enable the VLAN-VPN function on it.
# Disable STP on port Ethernet1/0/2 and then enable the VLAN-VPN function on it.
[SW7750] interface Ethernet 1/0/2
[SW7750-Ethernet1/0/2] port access vlan 10
[SW7750-Ethernet1/0/2] stp disable
[SW7750-Ethernet1/0/2] vlan-vpn enable
[SW7750-Ethernet1/0/2] quit
# Configure port Ethernet1/0/1 as a trunk port.
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] port link-type trunk
# Add the trunk port to all VLANs.
31 IP ROUTING PROTOCOL OVERVIEW
Note: When running a routing protocol, the Ethernet switch also functions as a router. The word "router" and the router icons used in the following text represent both routers in the common sense and Ethernet switches running a routing protocol. To improve readability, this will not be mentioned again in this manual.
Introduction to IP Route and Routing Table
IP Route
Routers are used for route selection on the Internet.
routes. The one with the highest preference (the smallest numerical value) is selected as the current optimal route.
According to the destination, routes fall into the following categories:
■ Subnet route: The destination is a subnet.
■ Host route: The destination is a host.
Routing Management Policy
Destination Network | Nexthop | Interface
11.0.0.0 | 14.0.0.1 | 3
12.0.0.0 | 14.0.0.1 | 3
13.0.0.0 | 16.0.0.1 | 2
14.0.0.0 | 14.0.0.3 | 3
15.0.0.0 | 17.0.0.2 | 1
16.0.0.0 | 16.0.0.2 | 2
17.0.0.0 | 17.0.0.1 | 1
The Switch 7750 Ethernet Switches (hereinafter referred to as the Switch 7750) support the configuration of static routes as well as a series of dynamic routing protocols such as RIP, OSPF and BGP.
Except for direct routes, you can manually configure the preferences of the various dynamic routing protocols as required. In addition, you can configure different preferences for different static routes.
Traffic Sharing and Route Backup
Traffic sharing
The Switch 7750 supports multi-route mode, allowing the configuration of multiple routes that reach the same destination and have the same preference.
32 STATIC ROUTE CONFIGURATION
Introduction to Static Route
Static Route
Static routes are special routes that are manually configured by the administrator. By configuring static routes, you can build an interconnected network. The problem with such a configuration is that when a fault occurs on the network, a static route cannot change automatically to steer away from the fault point without the help of the administrator.
the packet; in this case, if there is no default route, the packet is discarded, and an Internet Control Message Protocol (ICMP) packet is returned to inform the source host that the destination host or network is unreachable.
Table 212 Display the routing table
Operation | Command
Display routing table summary | display ip routing-table
You can execute the display command in any view.
Configuration procedure
Note: Before the following configuration, make sure that the Ethernet link layer works normally and that the IP addresses of the VLAN interfaces have been configured correctly.
# Configure static routes on Switch A.
system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Configure static routes on Switch B.
33 RIP CONFIGURATION
RIP Overview
Basic Concepts
Routing Information Protocol (RIP) is a simple interior gateway protocol (IGP) suitable for small-sized networks.
RIP: RIP is a distance-vector (D-V) algorithm-based protocol. It exchanges routing information via UDP packets. RIP uses hop count (also called routing cost) to measure the distance to a destination address.
■ Garbage-collection timer: An unreachable route is completely deleted from the routing table if no update packet for the route is received from the neighbor before this timer expires.
RIP Startup and Operation
The whole process of RIP startup and operation is as follows:
■ Once RIP is enabled on a router, the router broadcasts or multicasts a request packet to its neighbors.
Table 213 RIP configuration tasks
Configuration Task | Description | Related section
Configuring RIP Route Control: Setting the additional routing metrics of an interface | Optional | "Setting the additional routing metrics of an interface" on page 293
Configuring RIP route summary | Optional | "Configuring RIP route summary" on page 294
Disabling the receiving of host routes | Optional | "Disabling the receiving of host routes" on page 294
RIP Network Adjustment and Optimization: C
■ Configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer
Configuring Basic RIP Functions
Enabling RIP globally and on the interface of a specified network segment
Table 214 Enable RIP globally and on the interface of a specified network segment
Operation | Command | Description
Enter system view | system-view | -
Enable RIP globally and enter RIP view | rip | -
Enable RIP on the interface of network ne
Table 216 Specify the RIP version on an interface
Operation | Command | Description
Specify the RIP version on the interface | rip version { 1 | 2 [ broadcast | multicast ] } | Optional. By default, the RIP version on an interface is RIP-1, and the interface can receive RIP-1 and RIP-2 broadcast packets but send only RIP-1 packets.
RIP Route Control
Configuration Prerequisites
Configuring RIP Route Control
Table 217 Set additional routing metric
Operation | Command | Description
Set the additional routing metric to be added for incoming RIP routes on this interface | rip metricin value | Optional
Set the additional routing metric to be added for outgoing RIP routes on this interface | rip metricout value | Optional
Note: By default, the additional routing metric added for incoming routes on an interface is 0.
Configuring RIP to filter or advertise the received routes
The route filtering function provided by a router enables you to configure an inbound/outbound filter policy by specifying an ACL or address prefix list, so that RIP filters incoming/outgoing routes. In addition, you can configure RIP to receive only the RIP packets from a specific neighbor.
Table 222 Enable RIP traffic sharing across interfaces
Operation | Command | Description
Enable RIP traffic sharing across interfaces | traffic-share-across-interface | Optional. By default, RIP traffic sharing across interfaces is disabled.
Configuring RIP timers
Table 224 Configure RIP timers
Operation | Command | Description
Enter system view | system-view | -
Enter RIP view | rip | -
Set the values of RIP timers | timers { update update-timer | timeout timeout-timer } * | Optional
Note: By default, the Update timer value is 30 seconds and the Timeout timer value is 180 seconds.
Simple authentication cannot provide complete security, because the authentication keys sent along with the packets are not encrypted. Therefore, simple authentication cannot be applied where high security is required.
RIP Configuration Example
Network requirements
As shown in Figure 70, SwitchC is connected to subnet 117.102.0.0 through an Ethernet port. SwitchA and SwitchB are connected to networks 155.10.1.0 and 196.38.165.0 respectively through Ethernet ports. SwitchC, SwitchA and SwitchB are interconnected through Ethernet 110.11.2.0. It is required to configure RIP correctly to ensure interworking between the networks connected to SwitchC, SwitchA and SwitchB.
# Configure RIP.
system-view
[SwitchC] rip
[SwitchC-rip] network 117.102.0.0
[SwitchC-rip] network 110.11.2.0
Troubleshooting RIP Configuration
Symptom: The Layer 3 switch cannot receive any RIP update packet although the physical connection between the switch and the peer routing device is normal.
Solution:
■ Use the display current-configuration configuration rip command to verify that RIP is enabled on the interface with the network command.
34 OSPF CONFIGURATION
OSPF Overview
Introduction to OSPF
Open Shortest Path First (OSPF) is a link state-based interior gateway protocol developed by the IETF. At present, OSPF version 2 (RFC 2328) is used, which has the following features:
■ High applicability: OSPF supports networks of various sizes and can support up to several hundred routers.
OSPF Route Calculation
topology of the whole network. Obviously, all routers get exactly the same map.
■ A router uses the shortest path first (SPF) algorithm to calculate the shortest path tree with itself as the root. The tree shows the routes to the nodes in the autonomous system. External routes are leaf nodes, which are marked with the routers that advertised them, to record information outside the AS. Obviously, the routing tables obtained by different routers are different.
some non-backbone areas on the edge of the AS, you can configure these areas as stub areas. A stub area cannot import any external route. For this reason, the concept of the NSSA (not-so-stubby area) is introduced. In an NSSA, type 7 LSAs are allowed to be propagated. A type 7 LSA is generated by an ASBR (autonomous system boundary router) in an NSSA. A type 7 LSA reaching an ABR in the NSSA is transformed into an AS-external LSA, which is then advertised to other areas.
■ Non-broadcast multi-access (NBMA): If Frame Relay, ATM, or X.25 is adopted, OSPF defaults the network type to NBMA. In an NBMA network, protocol packets are sent in unicast.
■ Point-to-multipoint (P2MP): OSPF does not default the network type of any link layer protocol to P2MP. A P2MP network must be explicitly changed from another network type. The common practice is to change an NBMA network into a P2MP network.
In fact, a BDR provides backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the other routers on the segment, and routing information is also exchanged between them. Once the DR fails, the BDR becomes the DR. Since no re-election is needed and the adjacencies already exist, the switchover process is very short. Then a new BDR should be elected.
■ The DR on a network segment is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second-highest priority.
OSPF Packets
OSPF uses five types of packets:
Hello packet: Hello packets are the most commonly used OSPF packets; they are periodically sent by a router to its neighbors. A Hello packet contains the values of some timers, the DR, the BDR, and the known peers.
■ AS-external-LSA: Type-5 LSA, also called ASE LSA, generated by ASBRs to describe the routes to other ASs and advertised to the whole AS (excluding stub areas). The default AS route can also be described by AS-external-LSAs.
Type-7 LSAs
In RFC 1587 (OSPF NSSA Option), the Type-7 LSA, a new LSA type, is added.
Table 230 OSPF configuration tasks
Configuration Task | Description | Related section
OSPF Network Type Configuration: Configuring the Network Type of an OSPF Interface | Optional | "Configuring the Network Type of an OSPF Interface" on page 312
Setting an NBMA Neighbor | Optional | "Setting an NBMA Neighbor" on page 313
Setting the DR Priority on an OSPF Interface | Optional | "Setting the DR Priority on an OSPF Interface" on page 313
OSPF Route Control: Configuring OSPF Route
Table 230 OSPF configuration tasks
Configuration Task | Description | Related section
OSPF Network Adjustment and Optimization: Configuring OSPF Timers | Optional | "Configuring OSPF Timers" on page 317
Configuring the LSA transmission delay | Optional | "Configuring the LSA transmission delay" on page 318
Configuring the SPF Calculation Interval | Optional | "Configuring the SPF Calculation Interval" on pag
Basic OSPF Configuration
Configuration Prerequisites
Basic OSPF Configuration
configure router IDs manually, make sure each router ID is used by only one router in the AS. A common practice is to set the router ID to the IP address of an interface on the router.
Enabling OSPF
The Switch 7750 supports multiple OSPF processes. To enable multiple OSPF processes on a router, you need to specify different process IDs. An OSPF process ID is only locally significant; it does not affect the packet exchange between an OSPF process and other routers.
■ The ID of an OSPF process is unique.
■ One segment can belong to only one area, and you must specify the area to which each OSPF interface belongs.
OSPF Area Attribute Configuration
Area partition in OSPF reduces the number of LSAs in the network and enhances OSPF scalability. To further reduce the routing table size and the number of LSAs in some non-backbone areas on the edge of the AS, you can configure these areas as stub areas.
Table 232 Configure OSPF area attributes
Operation | Command | Description
Create and configure a virtual link | vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ]* | Optional. For a virtual link to take effect, you need to use this command at both ends of the virtual link and ensure consistent configurations of the hello, dead, and other parameters at both end
OSPF Network Type Configuration
Note:
■ After an interface has been configured with a new network type, the original network type of the interface is removed automatically.
■ Note that a neighboring relationship can be established between two interfaces configured as broadcast, NBMA, or P2MP only if the interfaces are on the same network segment.
Setting an NBMA Neighbor
Some special configurations need to be done on an NBMA network.
Configuration Prerequisites
Before configuring OSPF route control, perform the following tasks:
■ Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer
■ Completing basic OSPF configuration
■ Configuring a filter list to filter routing information
Configuring OSPF Route Summary
The configuration of OSPF route summary includes:
■ Configuring ABR route summary
■ Configuring ASBR route sum
fact, the filter-policy import command filters the routes calculated by OSPF; only the routes that pass the filter can be added to the routing table.
Table 241 Configure OSPF route redistribution
Operation | Command | Description
Enable OSPF to redistribute a default route | default-route-advertise [ always | cost value | type type-value | route-policy route-policy-name ]* | Optional
Configure the default cost for redistributed routes | default cost value | Optional
Configure the default maximum number of external routes imported by OSPF per unit time | default limit routes | C
OSPF Network Adjustment and Optimization
Configuration Prerequisites
Before adjusting and optimizing an OSPF network, perform the following tasks:
■ Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer
■ Configuring basic OSPF functions
Configuring OSPF Timers
The Hello intervals of OSPF neighbors must be consistent. The Hello interval is inversely proportional to the route convergence speed and the network load.
Configuring the LSA transmission delay
Table 243 Configure the LSA transmission delay
Operation | Command | Description
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Configure the LSA transmission delay | ospf trans-delay seconds | Optional. By default, the LSA transmission delay is one second.
Note: The transmission of OSPF packets on a link also takes time.
Note: After an OSPF interface is set to silent status, the interface can still advertise its direct route. However, the Hello packets from the interface are blocked, and no neighboring relationship can be established on the interface. This enhances OSPF networking adaptability and reduces the consumption of system resources.
Configuring OSPF Authentication
Configuring to Fill the MTU Field When an Interface Transmits DD Packets
Enabling OSPF Logging
Table 248 Enable OSPF logging
Operation | Command | Description
Enter system view | system-view | -
Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | -
Enable the logging of neighbor status changes | log-peer-change | Optional. Logs neighbor status changes.
Configuring OSPF Network Management System (NMS)
Table 250 Display configuration
Operation | Command | Description
Display brief information about one or all OSPF processes | display ospf [ process-id ] brief | You can execute the display command in any view.
Display OSPF statistics | display ospf [ process-id ] cumulative | You can execute the display command in any view.
Network diagram
Figure 73 DR election based on OSPF priority (figure: Switch A, Switch B, Switch C and Switch D connected through their Vlan-int1 interfaces, with the DR and BDR labelled)
Device | Interface | IP address | Router ID | Interface DR priority
Switch A | Vlan-int1 | 196.1.1.1/24 | 1.1.1.1 | 100
Switch B | Vlan-int1 | 196.1.1.2/24 | 2.2.2.2 | 0
Switch C | Vlan-int1 | 196.1.1.3/24 | 3.3.3.3 | 2
Switch D | Vlan-int1 | 196.1.1.4/24 | 4.4.4.4 | 1
Configuration procedure
# Configure SwitchA.
# Configure SwitchD.
system-view
[SwitchD] interface Vlan-interface 1
[SwitchD-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
On SwitchA, run the display ospf peer command to display its OSPF peers. Note that SwitchA has three peers. The state of each peer is Full, which means that an adjacency is established between SwitchA and each peer.
Network diagram
Figure 74 OSPF virtual link configuration (figure: Switch A in Area 0; Switch B with Vlan-int1 in Area 0 and Vlan-int2 in Area 1; Switch C with Vlan-int2 in Area 1 and Vlan-int1 in Area 2; a virtual link between Switch B and Switch C across Area 1)
Device | Interface | IP address | Router ID
Switch A | Vlan-int1 | 196.1.1.1/24 | 1.1.1.1
Switch B | Vlan-int1 | 196.1.1.2/24 | 2.2.2.2
Switch B | Vlan-int2 | 197.1.1.2/24 |
Switch C | Vlan-int1 | 152.1.1.1/24 | 3.3.3.3
Switch C | Vlan-int2 | 197.1.1.1/24 |
Configuration procedure
# Configure SwitchA.
[SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
# Configure SwitchC.
system-view
[SwitchC] interface Vlan-interface 1
[SwitchC-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
[SwitchC-Vlan-interface1] quit
[SwitchC] interface Vlan-interface 2
[SwitchC-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[SwitchC-Vlan-interface2] quit
[SwitchC] router id 3.3.3.
■ If the network type is broadcast or NBMA, ensure that there is at least one interface with a priority greater than zero.
■ If an area is set to a stub area, ensure that the area is set to a stub area on all the routers connected to this area.
■ Ensure that the interface types of two neighboring routers are consistent.
■ If two or more areas are configured, ensure that at least one area is configured as the backbone area; that is, the area ID of that area is 0.
35 IS-IS CONFIGURATION
IS-IS Overview
The Intermediate System-to-Intermediate System (IS-IS) protocol is a dynamic routing protocol standardized by the International Organization for Standardization (ISO) to operate on the Connectionless Network Protocol (CLNP). The IS-IS routing protocol has been adopted in RFC 1195 by the Internet Engineering Task Force (IETF) to be applied in both the TCP/IP and OSI reference models, and this form is called Integrated IS-IS or Dual IS-IS.
IS-IS network types
IS-IS supports two network types:
■ Broadcast networks, such as Ethernet and Token Ring
■ Point-to-point networks, such as PPP and HDLC
For a non-broadcast multi-access (NBMA) network, such as ATM, you need to configure point-to-point or broadcast networks on its sub-interfaces. IS-IS does not run on point-to-multipoint (P2MP) links.
Figure 76 IS-IS topology I (figure: Area 1 to Area 5 containing Level-1, Level-2 and Level-1-2 routers)
Figure 77 shows another IS-IS network topology. The Level-1-2 routers connect the Level-1 and Level-2 routers, and form the IS-IS backbone together with the Level-2 routers. There is no area defined as the backbone in this topology. The backbone is composed of all contiguous Level-2 and Level-1-2 routers, which can reside in different areas.
IS-IS Address Structure
Address structure
1 NSAP
As shown in Figure 78, an NSAP address consists of the initial domain part (IDP) and the domain specific part (DSP). The IDP is equal to the network ID field in the IP address, and the DSP is equal to the subnet and host ID field. The IDP, defined by ISO, includes the authority and format identifier (AFI) and the initial domain identifier (IDI).
IS-IS Overview 331
The NSAP Selector (SEL), sometimes written N-SEL, is used as the protocol identifier in IP. Different transmission protocols use different SELs. All SELs in IP are 00. Because the area is explicitly defined in the address structure, a Level-1 router can easily recognize packets destined outside its area. Those packets are forwarded to a Level-2 router. The Level-1 router makes routing decisions based on the system ID.
Introduction to IS-IS Configuration
Table 251 IS-IS configuration tasks
Configuration Task | Description | Related section
Integrated IS-IS | Enable IS-IS.
IS-IS Basic Configuration 333
Table 251 IS-IS configuration tasks (continued)
Configuration Task | Description | Related section
IS-IS Basic Configuration: Configure overload tag | Optional | “Configuring Overload Tag” on page 342
Configure to discard LSPs with incorrect checksum | Optional | “Configuring to Discard LSPs with Incorrect Checksum” on page 342
Configure to log peer changes | Optional | “Configuring to Log Peer Changes” on page 342
Assign an LSP refresh time | Optional | “Assigning an LSP Refresh Time” on page
■ Configuring routing cost type
■ Configuring link state routing cost
■ Configuring LSP parameters
■ Configuring SPF parameters
4 Networking configuration
■ Configuring authentication
■ Configuring overload tag
■ Configuring adjacency state output
■ Configuring mesh group for an interface
■ Disabling the sending of IS-IS packets
5 Some operation commands
■ Clearing IS-IS data structure
■ Clearing IS-IS specific neighbor
Enabling IS-IS
IS-IS can b
IS-IS Basic Configuration 335
higher priority a DIS has, the more likely it is to be chosen. If two or more routers share the highest priority on the broadcast network, the router with the greatest MAC address is chosen. For adjacent routers that all have a priority of 0, the router with the greatest MAC address is still chosen. The Level-1 DIS and the Level-2 DIS are elected separately, and you can set different priorities for the two levels.
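The election rules above, as an added example that is not code from the 3Com guide: one segment of constructed neighbours, the DIS chosen per level by priority and then by greatest MAC address, with priority 0 still eligible (the Neighbor structure and system IDs are assumptions made for the example).

```python
# Added example (not from the 3Com guide): IS-IS DIS election on one broadcast
# segment, following the rules stated above: highest priority wins, ties go to
# the greatest MAC address, a priority of 0 does not exclude a router, and the
# Level-1 and Level-2 DIS are elected separately. Neighbour data is constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Neighbor:
    system_id: str             # IS-IS system ID, e.g. "0000.0000.0001"
    mac: str                   # interface MAC address, "xx-xx-xx-xx-xx-xx"
    priority: Dict[int, int]   # per-level DIS priority, e.g. {1: 64, 2: 0}


def mac_to_int(mac: str) -> int:
    """Convert a MAC address in any common notation to an integer for ordering."""
    hexdigits = "".join(ch for ch in mac if ch not in "-:.")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexdigits, 16)


def elect_dis(neighbors: List[Neighbor], level: int) -> Neighbor:
    """Return the router that becomes DIS for the given level (1 or 2).

    Only routers that run the level (have a priority entry for it) take part.
    Unlike OSPF, priority 0 does not withdraw a router from the election.
    """
    candidates = [n for n in neighbors if level in n.priority]
    if not candidates:
        raise ValueError(f"no router on the segment runs Level-{level}")
    # Highest priority first; on a tie the greatest MAC address wins.
    return max(candidates, key=lambda n: (n.priority[level], mac_to_int(n.mac)))


# Constructed segment: three routers with mixed levels and priorities.
SEGMENT = [
    Neighbor("0000.0000.0001", "00-e0-fc-00-00-01", {1: 64, 2: 64}),
    Neighbor("0000.0000.0002", "00-e0-fc-00-00-09", {1: 64, 2: 10}),  # L1 tie, higher MAC
    Neighbor("0000.0000.0003", "00-e0-fc-00-00-05", {1: 0}),          # Level-1 only, priority 0
]


if __name__ == "__main__":
    for lvl in (1, 2):
        print(f"Level-{lvl} DIS: {elect_dis(SEGMENT, lvl).system_id}")
```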
Table 258 Configure route redistribution
Operation | Command | Description
Enter system view | system-view | -
Enter IS-IS view | isis [ tag ] | Required
Enable route redistribution from another routing protocol | import-route protocol [ allow-ibgp ] [ cost value | type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name ]* | Optional. By default, no route redistribution is configured.
IS-IS Basic Configuration 337
Configuring Route Leaking
Through route leaking, a Level-2 router can send the Level-1 area routing information and Level-2 area routing information that it knows to a Level-1 router.
Table 264 Configure protocol priority
Operation | Command | Description
Configure protocol priority | preference [ value | clns | ip ] value | Optional. The default priority of IS-IS routes is 15.
Configuring a Cost Style
In the IS-IS routing protocol, the routing cost of a link can be expressed in one of the following two modes:
■ Narrow: In this mode, routing cost ranges from 1 to 63.
■ Wide: In this mode, routing cost ranges from 1 to 2^24-1, namely, 1 to 16777215.
IS-IS Basic Configuration 339
Table 267 Configure the Hello interval
Operation | Command | Description
Define the Hello packet sending interval, in seconds | isis timer hello seconds [ level-1 | level-2 ] | Optional. The default Hello packet sending interval is 10 seconds.
Configuring the CSNP packet sending interval
CSNP packets are sent by the DIS on a broadcast network to keep the LSDBs synchronized. They are broadcast periodically on the broadcast network.
Configuring the number of Hello packets expected from the remote router before it is considered dead
In IS-IS, Hello packets are sent and received to maintain router neighbor relationships. If a router does not receive any Hello packet from a neighboring router in a certain period of time (the holddown time in IS-IS), the neighbor is considered dead.
IS-IS Basic Configuration 341 predefined. If domain authentication is also required on other routers at the backbone layer (Level-2), the authentication works normally only if the authentication mode and password of these routers are the same as those of the neighboring routers.
Table 275 Add an interface to a mesh group
Operation | Command | Description
Add an interface to a mesh group | isis mesh-group { mesh-group-number | mesh-blocked } | Optional. By default, LSPs are flooded on interfaces normally.
Configuring Overload Tag
A failure of a router in an IS-IS domain will cause errors in the routing of the whole domain. To avoid this, you can configure the overload tag on the routers.
IS-IS Basic Configuration 343
Table 279 Assign an LSP refresh time
Operation | Command | Description
Enter system view | system-view | -
Enter IS-IS view | isis [ tag ] | Required
Assign an LSP refresh time | timer lsp-refresh seconds | Optional. By default, LSPs are refreshed every 900 seconds, namely, 15 minutes.
Assigning an LSP Maximum Aging Time
An LSP is given a maximum aging value when it is generated by the router. When the LSP is sent to other routers, its maximum aging value goes down gradually.
Table 282 Configure SPF calculation durations
Operation | Command | Description
Enter IS-IS view | isis [ tag ] | Required
Configure SPF calculation duration | spf-slice-size seconds | Optional. By default, SPF calculation is not sliced.
Configuring SPF to release CPU resources automatically
In IS-IS, SPF calculation may occupy system resources for a long time and slow down console response.
Displaying Integrated IS-IS Configuration 345
Resetting Configuration Data of an IS-IS Peer
Table 286 Reset configuration data of the IS-IS peer
Operation | Command | Description
Enter system view | system-view | -
Reset configuration data of an IS-IS peer | reset isis peer system-id | Optional. By default, configuration data of an IS-IS peer is not reset.
Displaying Integrated IS-IS Configuration
Network diagram
Figure 79 Network diagram for IS-IS basic configuration (diagram: Switch A, Switch B, Switch C and Switch D interconnected through Vlan-int100, Vlan-int101 and Vlan-int102; labelled interface addresses: 100.20.0.1/24, 100.0.0.1/24, 100.10.0.1/24, 200.0.0.1/24, 100.10.0.2/24, 100.30.0.1/24, 200.10.0.1/24, 200.10.0.2/24, 100.20.0.2/24, 200.20.0.1/24)
Configuration procedure
# Configure Switch A.
Integrated IS-IS Configuration Example
[SwitchC-Vlan-interface101] isis enable
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] ip address 200.20.0.1 255.255.255.0
[SwitchC-Vlan-interface100] isis enable
# Configure Switch D.
[SwitchD] isis
[SwitchD-isis] network-entity 86.0001.0000.0000.0008.00
[SwitchD] interface vlan-interface 102
[SwitchD-Vlan-interface102] ip address 100.20.0.2 255.255.255.
36 BGP CONFIGURATION
BGP Overview
Introduction to BGP
Border gateway protocol (BGP) is a dynamic routing protocol designed to be used between autonomous systems (AS). An AS is a group of routers that adopt the same routing policy and belong to the same technical management department. Four versions of BGP exist: BGP-1 (described in RFC1105), BGP-2 (described in RFC1163), BGP-3 (described in RFC1267), and BGP-4 (described in RFC1771).
CHAPTER 36: BGP CONFIGURATION
■ IBGP (Internal BGP)
■ EBGP (External BGP)
When BGP runs inside an AS, it is called interior BGP (IBGP); when BGP runs among different ASs, it is called exterior BGP (EBGP).
BGP Message Type
Format of a BGP packet header
BGP is message-driven. There are five types of BGP packets: Open, Update, Notification, Keepalive, and Route-refresh. They share the same packet header, the format of which is shown in Figure 80.
BGP Overview 351
■ Version: BGP version. For BGP-4, the value is 4.
■ My Autonomous System: Local AS number. By comparing this field on both sides, a router can determine whether the connection between itself and the BGP peer is EBGP or IBGP.
■ Hold time: The hold time is negotiated when two BGP speakers set up the connection between them. The hold times of two BGP peers are the same.
Notification
When BGP detects an error, it sends a Notification message to the peer and then tears down the BGP connection. Figure 83 shows the format of a Notification message.
Figure 83 BGP Notification message format
bits 0-7: Error Code | bits 8-15: Error SubCode | bits 16-31 onward: Data
The fields of a Notification message are described as follows.
■ Error Code: Error code used to identify the error type.
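A decoder for the Notification layout above, as an added example that is not code from the 3Com guide: it validates the common header before trusting the length field and then splits out Error Code, Error SubCode and Data. The 19-byte header layout (16-byte marker, 2-byte length, 1-byte type) and the error-code names are taken from RFC 4271, not from this page; the sample message is constructed.

```python
# Added example (not from the 3Com guide): parse and validate a BGP Notification
# message. The Notification body layout (Error Code, Error SubCode, Data) is the
# one described above; the 19-byte common header (16-byte all-ones marker,
# 2-byte length, 1-byte type, Notification = type 3) and the error-code names
# are taken from RFC 4271, not from this page. The sample message is constructed.
import struct
from typing import Any, Dict, Tuple

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_MAX_MSG_LEN = 4096
BGP_TYPE_NOTIFICATION = 3

# Error codes from RFC 4271 section 4.5 (the page itself lists none).
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}


class BGPParseError(ValueError):
    pass


def parse_header(msg: bytes) -> Tuple[int, int]:
    """Validate the common header and return (length, type)."""
    if len(msg) < BGP_HEADER_LEN:
        raise BGPParseError("message shorter than the 19-byte BGP header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise BGPParseError("bad marker")
    # The length field covers the header too; reject out-of-range values
    # before they are used to slice the buffer.
    if not BGP_HEADER_LEN <= length <= BGP_MAX_MSG_LEN:
        raise BGPParseError(f"bad message length {length}")
    if length != len(msg):
        raise BGPParseError(f"length field {length} != buffer size {len(msg)}")
    return length, msg_type


def parse_notification(msg: bytes) -> Dict[str, Any]:
    """Decode a Notification: 1-byte Error Code, 1-byte Error SubCode, Data."""
    length, msg_type = parse_header(msg)
    if msg_type != BGP_TYPE_NOTIFICATION:
        raise BGPParseError(f"not a Notification (type {msg_type})")
    body = msg[BGP_HEADER_LEN:length]
    if len(body) < 2:
        raise BGPParseError("Notification body shorter than 2 bytes")
    return {
        "error_code": body[0],
        "error_name": ERROR_CODES.get(body[0], "unknown"),
        "error_subcode": body[1],
        "data": body[2:],
    }


def is_rejected(msg: bytes) -> bool:
    """True when the message fails validation (for callers that only need a verdict)."""
    try:
        parse_notification(msg)
    except BGPParseError:
        return True
    return False


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    """Encode a Notification; used here only to construct sample input."""
    body = bytes([code, subcode]) + data
    header = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body),
                                      BGP_TYPE_NOTIFICATION)
    return header + body


# Constructed sample: Hold Timer Expired (code 4, subcode 0, no data).
SAMPLE = build_notification(4, 0)

if __name__ == "__main__":
    print(parse_notification(SAMPLE))
```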
BGP Overview 353
■ A BGP speaker advertises the routes obtained from EBGP to all its BGP peers (including both EBGP and IBGP peers);
■ A BGP speaker does not advertise the routes obtained from IBGP to its IBGP peers;
■ A BGP speaker advertises the routes obtained from IBGP to its EBGP peers (on the Switch 7750, BGP and IGP do not synchronize with each other);
■ Once a BGP speaker sets up a connection to a new peer, it advertises all its BGP routes to the new peer.
BGP Configuration Tasks
Table 288 BGP configuration tasks
Configuration task | Description | Related section
Basic BGP configuration | Required | “Basic BGP Configuration” on page 355
Importing routes | Optional | “Importing Routes” on page 357
Configuring route aggregation | Optional | “Configuring BGP Route Aggregation” on page 357
Sending default routes | Optional | “Enabling Default Route Advertising” on page 358
Configuring advertising policy for BGP routing information
Basic BGP Configuration 355
Basic BGP Configuration
Configuration Prerequisites
Before performing basic BGP configuration, you need to ensure:
■ Network layer connectivity between adjacent nodes.
Before performing basic BGP configuration, make sure the following are available.
■ Local AS number and router ID
■ IPv4 address and AS number of the peers
■ Source interface of update packets.
Configuring BGP Multicast Address Family
Table 290 Configure basic BGP functions
Operation | Command | Description
Specify the source interface for route update packets | peer { group-name | ip-address } connect-interface interface-type interface-number | Optional. By default, the source interface of the optimal route update packets is used.
Allow routers that belong to non-directly connected networks to establish EBGP connections | peer group-name ebgp-max-hop [ hop-count ] | Optional
Configuring the Way to Advertise/Receive Routing Information 357
Importing Routes
With BGP employed, an AS can send its interior routing information to its neighbor ASs. However, the interior routing information is not generated by BGP; it is obtained by importing IGP routing information into the BGP routing table. Once IGP routing information is imported into the BGP routing table, it is advertised to BGP peers.
Table 292 Configure BGP route aggregation
Operation | Command | Description
Enter system view | system-view | -
Enable BGP, and enter BGP view | bgp as-number | Required. By default, BGP is disabled.
Configuring the Way to Advertise/Receive Routing Information 359
Table 294 Configure the BGP route advertising policy
Operation | Command | Description
Filter the routing information to be advertised to a peer group: Specify an ACL-based BGP route filtering policy for a peer group | peer group-name filter-policy acl-number export | Required
Specify an AS path ACL-based BGP filtering policy for a peer group | peer group-name as-path-acl acl-number export |
Specify an IP prefix-based BGP route filtering policy for a peer gro
Table 295 Configure BGP route receiving policy
Operation | Command | Description
Filter the routing information received from a peer/peer group: Specify an ACL-based BGP route filtering policy for a peer/peer group | peer { group-name | ip-address } filter-policy acl-number import | Required
Specify an AS path ACL-based BGP route filtering policy for a peer/peer group | peer { group-name | ip-address } as-path-acl acl-number import |
Specify an IP prefix list-based BGP route fil
Configuring BGP Route Attributes 361
Table 297 Configure BGP route dampening
Operation | Command | Description
Enter system view | system-view | -
Enable BGP, and enter BGP view | bgp as-number | Required. By default, BGP is disabled.
Configure BGP route dampening-related parameters | dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ] | Optional. By default, route dampening is disabled.
Configuring BGP Load Balance
Table 299 Configure BGP route attributes
Operation | Command | Description
Configure the MED attribute: Configure the default local MED value | default med med-value | Optional. By default, the med-value argument is 0.
Permit comparison of the MED values of the routes coming from the neighbor routers in different ASs | compare-different-as-med | Optional. By default, the comparison of MED values of the routes coming from the neighbor routers in different ASs is disabled.
Adjusting and Optimizing a BGP Network 363
Adjusting and Optimizing a BGP Network
Adjusting and optimizing a BGP network involves the following aspects:
1 BGP clock
BGP peers send Keepalive messages to each other periodically through the connections between them to make sure the connections operate properly.
Adjusting and Optimizing a BGP Network
■ Value of BGP timer
■ Interval for sending the update packets
■ MD5 authentication password
Table 300 Adjust and optimize a BGP network
Operation | Command | Description
Enter system view | system-view | -
Enable BGP, and enter BGP view | bgp as-number | Required. By default, BGP is disabled.
Configure BGP timer: Configure the Keepalive time and Holdtime of BGP | timer keepalive keepalive-interval hold holdtime-interval |
Configuring a Large-Scale BGP Network 365
■ BGP soft reset can refresh the BGP routing table and apply a new routing policy without breaking the BGP connections.
Configuring a Large-Scale BGP Network
In a large-scale network there are large quantities of peers, and configuring and maintaining each peer individually becomes a big problem. Using peer groups eases the management and improves the efficiency of route advertisement.
Table 301 Configure BGP peer group
Operation | Command | Description
Create an IBGP peer group | group group-name [ internal ] | Optional
Add a peer to a peer group | peer ip-address group group-name [ as-number as-number ] |
Create an EBGP peer group: Create an EBGP peer group | group group-name external |
Configure the AS number of a peer group | peer group-name as-number as-number |
Configuring BGP Community
If the command is executed without the int
Configuring a Large-Scale BGP Network 367
Configuring BGP RR
Table 303 Configure BGP RR
Operation | Command | Description
Enter system view | system-view | -
Enable BGP, and enter BGP view | bgp as-number | Required. By default, the system does not operate BGP.
■ If the confederation implementation mechanism of other routers differs from the RFC standard, you can configure the related command to make the confederation compatible with the non-standard routers.
Displaying and maintaining BGP
Displaying BGP
After the above configuration, you can use the display command in any view to display the BGP configuration and thus verify the configuration effect.
Configuration Example 369
BGP Connection Reset
When a BGP routing policy or protocol changes, if you need to make the new configuration effective through resetting the BGP connection, perform the following configuration in user view.
Device | Interface | IP address
Switch A | Vlan-int 10 | 172.68.10.1/24
Switch B | Vlan-int 10 | 172.68.10.2/24
Switch C | Vlan-int 10 | 172.68.10.3/24
Switch C | Vlan-int 20 | 172.68.1.1/24
Switch C | Vlan-int 30 | 156.10.1.1/24
Switch D | Vlan-int 20 | 172.68.1.2/24
Switch E | Vlan-int 30 | 156.10.1.2/24
(the diagram also labels AS 100 and AS 200)
Configuration procedure
# Configure SwitchA.
Configuration Example
Network diagram
Figure 85 Diagram for configuring a BGP RR (diagram: Switch A, Switch B, Switch C and Switch D, with Switch C acting as route reflector; AS 100 and AS 200 are marked)
Device | Interface | IP address | AS
Switch A | Vlan-int 100 | 1.1.1.1/8 | 100
Switch A | Vlan-int 2 | 192.1.1.1/24 |
Switch B | Vlan-int 2 | 192.1.1.2/24 |
Switch B | Vlan-int 3 | 193.1.1.2/24 |
Switch C | Vlan-int 3 | 193.1.1.1/24 |
Switch C | Vlan-int 4 | 194.1.1.1/24 |
Switch D | Vlan-int 4 | 194.1.1.2/24 | 200
Configuration procedure
1 Configure SwitchA.
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 193.1.1.1 group in
3 Configure SwitchC.
# Configure VLAN3.
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
# Configure VLAN4.
[SwitchC] interface vlan-Interface 4
[SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
# Configure BGP peers and RR.
Configuration Example
Network diagram
Figure 86 Diagram for BGP routing (diagram: Switch A, Switch B, Switch C and Switch D; AS 100 and AS 200 are marked)
Device | Interface | IP address | AS
Switch A | Vlan-int 101 | 1.1.1.1/8 | 100
Switch A | Vlan-int 2 | 192.1.1.1/24 |
Switch A | Vlan-int 3 | 193.1.1.1/24 |
Switch B | Vlan-int 2 | 192.1.1.2/24 |
Switch B | Vlan-int 4 | 194.1.1.2/24 |
Switch C | Vlan-int 3 | 193.1.1.2/24 |
Switch C | Vlan-int 5 | 195.1.1.2/24 |
Switch D | Vlan-int 4 | 194.1.1.1/24 |
Switch D | Vlan-int 5 | 195.1.1.
Create an access control list to permit routing information sourced from the network 1.0.0.0.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any
Define two routing policies, named apply_med_50 and apply_med_100 respectively. The first routing policy, apply_med_50, configures the MED attribute as 50 for network 1.0.0.
Configuration Example 375
[SwitchC-bgp] group ex external
[SwitchC-bgp] peer 193.1.1.1 group ex as-number 100
[SwitchC-bgp] group in internal
[SwitchC-bgp] peer 195.1.1.1 group in
[SwitchC-bgp] peer 194.1.1.2 group in
4 Configure Switch D.
[SwitchD] interface vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchD] interface vlan-interface 5
[SwitchD-Vlan-interface5] ip address 195.1.1.1 255.255.255.0
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.
(Switch B does not configure the local preference attribute, so the default value of 100 applies), Switch D still prefers the route to 1.0.0.0 coming from Switch C.
BGP Error Configuration Example
BGP Peer Connection Establishment Error
Symptom 1: A BGP neighbor relationship cannot be established; that is, the connection with the peer cannot be established.
37 IP ROUTING POLICY CONFIGURATION
IP Routing Policy Overview
When a router distributes or receives routing information, it may need to implement some policies to filter the routing information, so as to receive or distribute only the routing information meeting given conditions. A routing protocol (RIP, for example) may need to import the routing information discovered by other protocols to enrich its routing knowledge.
CHAPTER 37: IP ROUTING POLICY CONFIGURATION
destination network segment addresses or next-hop addresses of routing information. If an advanced ACL is used, the specified range of source addresses will be used for matching.
ip-prefix
ip-prefix plays a role similar to an ACL, but it is more flexible and easier to understand. When ip-prefix is applied to filtering routing information, its matching object is the destination address field of the routing information.
IP Routing Policy Configuration 379
Note: Refer to “ACL Configuration” on page 637.
2 You can have a routing policy applied in the following cases:
■ When routes are imported
■ When routes are advertised/received
Configuring a Route-Policy
A route-policy can comprise multiple nodes. Each node is a unit for the matching test, and the nodes are matched in the order of their sequence numbers. Each node comprises a set of if-match and apply clauses.
■ The if-match clauses define the matching rules.
Defining if-match Clauses for a Route-Policy Node
An if-match clause defines a matching rule, that is, a filtering condition that the routing information should satisfy for passing the current route-policy node. The matching objects are some attributes of routing information.
IP Routing Policy Configuration 381
Table 310 Define apply clauses
Operation | Command | Description
Define an action to set the community attribute of BGP routing information | apply community { none | [ aa:nn ] &<1-13> [ no-export-subconfed | no-export | no-advertise ]* [ additive ] } | Optional
Define an action to set the next-hop address of routing information | apply ip next-hop ip-address | Optional
Define an action to import routing information into the IS-IS area(s) at specified level(s) | apply isis [
Note: Among the items defined in an IP prefix list, at least one item should be in permit mode. The items in deny mode can be used to quickly filter out undesired routing information. But if all the items are in deny mode, no route will pass the filter of the IP prefix list. You can define an item permit 0.0.0.0 0 greater-equal 0 less-equal 32 after the deny-mode items to permit all other routes to pass through.
AS Path List Configuration
Displaying IP Routing Policy 383
routing costs of the source routing protocol, you should specify a routing cost for the imported routes.
Note: The import-route command (used to import routes) is somewhat different in form in different routing protocol views. Refer to the import-route command description under the required routing protocol in the command manual.
Network diagram
Figure 87 Filter routing information received (diagram: Switch A, router ID 1.1.1.1, holds static routes 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8 and has Vlan-Int 200 12.0.0.1/8 and Vlan-Int 100 10.0.0.1/8; it connects in Area 0 to Switch B, router ID 2.2.2.2, Vlan-Int 100 10.0.0.2/8)
Configuration procedure
1 Configure SwitchA:
# Configure the IP addresses of the interfaces.
system-view
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.0.0.1 255.0.0.
Troubleshooting IP Routing Policy 385
# Apply the route policy when the static routes are imported.
[SwitchA] ospf
[SwitchA-ospf-1] import-route static route-policy ospf
2 Configure SwitchB:
# Configure the IP address of the interface.
system-view
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 10.0.0.2 255.0.0.0
[SwitchB-Vlan-interface100] quit
# Enable the OSPF protocol and specify the ID of the area to which the interface belongs.
[SwitchB] router id 2.2.2.
the condition. However, if all the items are in the deny mode, no route will pass the ip-prefix filtering. You can define the item “permit 0.0.0.0 0 less-equal 32” after multiple items in the deny mode for all other routes to pass the filtering (if less-equal 32 is not specified, only the default route will be matched).
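The ip-prefix behaviour described in this note and in the earlier note on IP prefix lists, as an added example that is not code from the 3Com guide: items are tested in order, the first match decides, an all-deny list passes nothing, and the catch-all item passes everything only when less-equal 32 is present. The PrefixItem structure and the three constructed lists are assumptions made for the example.

```python
# Added example (not from the 3Com guide): a small evaluator for an ip-prefix
# list as described above. Items are tested in order, the first match decides,
# and a route that matches no item is denied. Without greater-equal/less-equal
# an item matches only the exact mask length, so "permit 0.0.0.0 0" passes only
# the default route, while "permit 0.0.0.0 0 less-equal 32" passes everything.
# The prefix lists and routes below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixItem:
    action: str                 # "permit" or "deny"
    network: str                # e.g. "10.0.0.0"
    length: int                 # mask length of the item
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        item_net = ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)
        # The route's first `length` bits must equal the item's network ...
        if route.network_address not in item_net:
            return False
        # ... and its mask length must fall inside [ge, le]; both default to
        # the item's own length, i.e. an exact-length match.
        low = self.greater_equal if self.greater_equal is not None else self.length
        high = self.less_equal if self.less_equal is not None else self.length
        return low <= route.prefixlen <= high


def prefix_list_permits(items: List[PrefixItem], route: str) -> bool:
    """Apply the list to one route; implicit deny when nothing matches."""
    net = ipaddress.ip_network(route, strict=False)
    for item in items:
        if item.matches(net):
            return item.action == "permit"
    return False


# Constructed list 1: deny two ranges (and anything more specific inside
# them), then pass everything else with the catch-all item.
FILTER_WITH_CATCH_ALL = [
    PrefixItem("deny", "10.0.0.0", 8, greater_equal=8, less_equal=32),
    PrefixItem("deny", "192.168.0.0", 16, less_equal=32),
    PrefixItem("permit", "0.0.0.0", 0, greater_equal=0, less_equal=32),
]

# Constructed list 2: same denies, but the final item lacks less-equal,
# so only the default route 0.0.0.0/0 gets through.
FILTER_DEFAULT_ONLY = FILTER_WITH_CATCH_ALL[:2] + [PrefixItem("permit", "0.0.0.0", 0)]

# Constructed list 3: deny-only items; no route can pass.
FILTER_ALL_DENY = FILTER_WITH_CATCH_ALL[:2]

if __name__ == "__main__":
    for name, items in (("catch-all", FILTER_WITH_CATCH_ALL),
                        ("default-only", FILTER_DEFAULT_ONLY),
                        ("all-deny", FILTER_ALL_DENY)):
        for route in ("10.1.2.0/24", "172.16.0.0/12", "0.0.0.0/0"):
            print(f"{name:12} {route:16} -> {prefix_list_permits(items, route)}")
```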
38 ROUTE CAPACITY CONFIGURATION
Route Capacity Configuration Overview
Introduction
In actual networking applications, there are a large number of routes, especially OSPF routes and BGP routes, in the routing table. If the routing table occupies too much memory, the switch performance will decline.
CHAPTER 38: ROUTE CAPACITY CONFIGURATION
Table 315 Set the lower limit and the safety value of switch memory
Operation | Command | Description
Enter system view | system-view | -
Set the lower limit and the safety value of switch memory | memory { safety safety-value | limit limit-value }* | Optional. safety-value defaults to 40 and limit-value defaults to 30.
Enabling/Disabling Automatic Protocol Connection Recovery
Displaying Route Capacity Configuration
39 802.1X CONFIGURATION
Introduction to 802.1x
The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, addressing mainly authentication and security problems. 802.1x is a port-based network access control protocol. It authenticates and controls devices requesting access at the ports of LAN access control devices. With the 802.
CHAPTER 39: 802.1X CONFIGURATION
the authentication server system serves to perform AAA (authentication, authorization, and accounting). It also stores user information, such as user name, password, the VLAN a user belongs to, priority, and the ACLs (access control lists) applied. Following are the four basic concepts related to the above three entities, namely the PAE, the controlled port and uncontrolled port, the valid direction of a controlled port, and the way a port is controlled.
Introduction to 802.1x 391
The Mechanism of an 802.1x Authentication System
The IEEE 802.1x authentication system uses the extensible authentication protocol (EAP) to exchange information between the supplicant system and the authentication server.
Figure 89 The mechanism of an 802.
02: Indicates that the packet is an EAPoL-Logoff packet, which sends a logoff request.
03: Indicates that the packet is an EAPoL-Key packet, which carries key information.
04: Indicates that the packet is an EAPoL-Encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (Alerting Standards Forum).
■ The Length field indicates the size of the Packet Body field. A value of 0 indicates that the Packet Body field does not exist.
Introduction to 802.1x 393
Figure 92 Data fields (layout: Type, 1 byte, followed by N bytes of Type data)
■ The Type field specifies the EAP authentication type. A Type value of 1 indicates Identity and that the packet is used to query the identity of the peer. A Type value of 4 represents MD5-Challenge (similar to PPP CHAP) and indicates that the packet includes query information.
■ The Type Data field differs according to the different types of Request and Response packets.
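A decoder for the EAPoL packet types and EAP Type field described above, as an added example that is not code from the 3Com guide: it checks each Length field against the buffer before using it and treats a Length of 0 as "no Packet Body". The EAPOL types 00 and 01, the EAPOL header (Version, Type, Length) and the EAP header (Code, Identifier, Length, Type) are taken from IEEE 802.1X and RFC 3748, not from this page; the sample frames are constructed.

```python
# Added example (not from the 3Com guide): decode an EAPOL frame body and the
# EAP packet it carries, checking the Length fields described above. The EAPOL
# Packet Type values 02/03/04 are the ones listed on this page; 00 (EAP-Packet)
# and 01 (EAPOL-Start), the EAPOL header layout (Version, Type, Length) and the
# EAP header (Code, Identifier, Length, Type) come from IEEE 802.1X and
# RFC 3748, not from this page. The sample frames are constructed.
import struct
from typing import Any, Dict

EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


class EAPOLParseError(ValueError):
    pass


def parse_eap(packet: bytes) -> Dict[str, Any]:
    """Decode Code, Identifier, Length and (for Request/Response) Type."""
    if len(packet) < 4:
        raise EAPOLParseError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # The EAP Length covers the header; never trust it beyond the buffer.
    if length < 4 or length > len(packet):
        raise EAPOLParseError(f"EAP length {length} inconsistent with body")
    result = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
              "id": identifier, "length": length}
    if code in (1, 2):   # Request and Response carry a Type and Type data
        if length < 5:
            raise EAPOLParseError("Request/Response without Type byte")
        result["type"] = packet[4]
        result["type_name"] = EAP_TYPES.get(packet[4], "other")
        result["type_data"] = packet[5:length]
    return result


def parse_eapol(frame: bytes) -> Dict[str, Any]:
    """Decode the EAPOL header; a Length of 0 means there is no Packet Body."""
    if len(frame) < 4:
        raise EAPOLParseError("EAPOL frame shorter than its 4-byte header")
    version, pkt_type, length = struct.unpack("!BBH", frame[:4])
    if pkt_type not in EAPOL_TYPES:
        raise EAPOLParseError(f"unknown EAPOL packet type {pkt_type:02x}")
    if 4 + length > len(frame):
        raise EAPOLParseError(f"EAPOL length {length} exceeds frame")
    result = {"version": version, "type": pkt_type,
              "type_name": EAPOL_TYPES[pkt_type], "length": length}
    body = frame[4:4 + length]
    if pkt_type == 0 and length > 0:
        result["eap"] = parse_eap(body)
    return result


def is_rejected(frame: bytes) -> bool:
    """True when the frame fails validation (for callers that need a verdict)."""
    try:
        parse_eapol(frame)
    except EAPOLParseError:
        return True
    return False


def build_eapol_eap(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    """Construct an EAPOL(EAP-Packet) frame; used only to build sample input."""
    eap = struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed samples: an EAP-Response/Identity carrying user name "user1",
# and an EAPOL-Logoff, which has no Packet Body.
SAMPLE = build_eapol_eap(2, 7, 1, b"user1")
LOGOFF = struct.pack("!BBH", 1, 2, 0)

if __name__ == "__main__":
    print(parse_eapol(SAMPLE))
    print(parse_eapol(LOGOFF))
```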
Three authentication methods, EAP-MD5, EAP-TLS (transport layer security), and PEAP (protected extensible authentication protocol), are available for the EAP relay mode.
■ EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the passwords using the MD5 keys.
Introduction to 802.1x 395
■ Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet to ask the 802.1x client for the user name.
■ The 802.1x program responds by sending an EAP-response/identity packet to the switch with the user name included. The switch then encapsulates the packet in a RADIUS Access-Request packet and forwards it to the RADIUS server.
Figure 96 802.
Introduction to 802.1x 397
802.1x Implementation on the Switch 7750
■ Supplicant system timer (supp-timeout): This timer sets the supp-timeout period and is triggered by the switch after the switch sends a request/challenge packet to a supplicant system. The switch sends another request/challenge packet to the supplicant system if the supplicant system fails to respond when this timer times out.
■ RADIUS server timer (server-timeout): This timer sets the server-timeout period.
■ The 802.1x clients are capable of detecting multiple network adapters, proxies, and IE proxies.
■ CAMS is configured to disable the use of multiple network adapters, proxies, or IE proxies.
By default, an 802.1x client program allows use of multiple network adapters, a proxy server, and an IE proxy server. If CAMS is configured to disable use of multiple network adapters, proxies, or IE proxies, it prompts the 802.
802.1x Configuration 399
802.1x Configuration
802.1x provides a solution for authenticating users. To implement this solution, you need to execute 802.1x-related commands. You also need to configure AAA schemes on switches and to specify the authentication scheme (RADIUS authentication scheme or local authentication scheme).
Figure 97 802.1x configuration (diagram: local authentication and RADIUS authentication paths for 802.
Table 318 Configure basic 802.1x functions
Operation | Command | Description
Enable 802.1x for specified ports | In system view: dot1x [ interface interface-list ]; in port view: dot1x | Required. By default, 802.1x is disabled for all ports.
Set port access control mode for specified ports | dot1x port-control { authorized-force | Optional. By default, an 802.
802.1x-Related Parameter Configuration 401
802.1x-Related Parameter Configuration
Table 319 Configure 802.1x timers and the maximum number of users
Operation | Command | Description
Enter system view | system-view | -
Configure the maximum number of concurrent on-line users for specified ports | In system view: dot1x max-user user-number [ interface interface-list ] | Optional. By default, up to 1,024 concurrent on-line users are allowed on each port.
Configuring Proxy Checking
Prerequisites
Configuration of basic 802.1x
This function needs the support of the 802.1x client program and CAMS, as listed below.
■ The 802.1x clients must be able to check whether multiple network modules, proxy servers, or IE proxy servers are used on the user devices.
■ On CAMS, enable the function that forbids clients from using multiple network modules, a proxy server, or an IE proxy.
Displaying and Debugging 802.1x 403
Table 321 Configure client version checking
Operation | Command | Description
Configure the client-version-checking period timer | dot1x timer ver-period ver-period-value | Optional. The default ver-period-value is 30 seconds.
Note: As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view.
Enabling DHCP-triggered Authentication
Table 324 Display and debug 802.1x
Operation | Command | Description
Display the configuration, session, and statistics information about 802.1x | display dot1x [ sessions | statistics ] [ interface interface-list ] | You can execute the display command in any view
Clear 802.1x-related statistics information | reset dot1x statistics [ interface interface-list ] | You can execute the reset command in user view
Configuration Example
802.
Configuration Example 405
Configure the number of times that the switch resends packets to the RADIUS server to be 5. Configure the switch to send real-time accounting packets to the RADIUS server every 15 minutes, with the domain names removed from the user names beforehand.
■ The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively. The idle disconnecting function is enabled.
# Assign IP addresses to the secondary authentication and accounting RADIUS servers.
[SW7750-radius-radius1] secondary authentication 10.1.1.2
[SW7750-radius-radius1] secondary accounting 10.1.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange messages.
[SW7750-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange messages.
Configuration Example
# Create a local access user account.
40 HABP CONFIGURATION
Introduction to HABP
With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be forwarded only by authorized ports. If ports connected to the switch are not authenticated and authorized by 802.1x, their received packets will be filtered. This means that users can no longer manage the attached switches. To address this problem, 3Com authentication bypass protocol (HABP) has been developed.
CHAPTER 40: HABP CONFIGURATION

Table 325 Configure an HABP server
Operation: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Description: Required

Operation: Configure the interval to send HABP request packets
Command: habp timer interval
Description: Optional

HABP Client Configuration
By default, a switch operates as an HABP client after you enable HABP on the switch, and if you want to use the switch as a management switch, you must configure the switch to be an HABP server.
HABP Configuration Example

Network diagram
Figure 99 Network diagram for HABP configuration (figure: Switch A and Switch B, ports GE2/0/1 and GE2/0/2)

Configuration procedure
1 Configure Switch B.
# Enable HABP globally.
system-view
[SW7750] habp enable
# Configure the HABP server.
[SW7750] habp server vlan 2
# Enable 802.1x globally.
[SW7750] dot1x
802.1x is enabled globally.
# Enable 802.1x on GigabitEthernet2/0/2.
[SW7750] interface GigabitEthernet 2/0/2
[SW7750-GigabitEthernet2/0/2] dot1x
802.
41 MULTICAST OVERVIEW

Multicast Overview
Note: “Router” or a router icon in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. This will not be otherwise described in this manual.

With the development of the Internet, more and more interactive services such as data, voice, and video services are running on networks.
CHAPTER 41: MULTICAST OVERVIEW transmitted traffic over the network is proportional to the number of users that receive this information, when a large number of users need this information, the server must send many pieces of information with the same content to the users. Therefore, the limited bandwidth becomes the bottleneck in information transmission. This shows that unicast is not good for the transmission of a great deal of information.
Multicast Overview
Multicast solves this problem. When some users on a network require specified information, the multicast information sender (namely, the multicast source) sends the information only once.
■ Each receiver receiving multicast information is a multicast group member.
■ A router providing multicast routing is a multicast router. The multicast router can be a member of one or multiple multicast groups, and it can also manage members of the multicast groups.

CAUTION: A multicast source does not necessarily belong to a multicast group. A multicast source sends packets to a multicast group, and it is not necessarily a receiver.
Multicast Architecture
■ Multicast routing: How is information transported?

IP multicast is a kind of peer-to-peer service. Based on the protocol layer sequence from bottom to top, the multicast mechanism contains the addressing mechanism, host registration, multicast routing, and multicast application:

Multicast Address
■ Addressing mechanism: Information is sent from a multicast source to a group of receivers through multicast addresses.
■ A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also called a reserved multicast group.

Note that:
■ The IP addresses of a permanent multicast group remain unchanged, while the members of the group can change.
■ There can be any number of, or even zero, members in a permanent multicast group.
■ Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.
Multicast Architecture

Table 329 Reserved IP multicast addresses
Class D address range | Description
224.0.0.16 | The specified subnetwork bandwidth management (SBM)
224.0.0.17 | All SBMs
224.0.0.18 | Virtual router redundancy protocol (VRRP)
224.0.0.19-224.0.0.255 | Other protocols

Note: Like having reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the network segment ranging from 239.0.0.0 to 239.255.255.255 for multicast.
Figure 104 Positions of protocols related to multicast (figure: AS 1 and AS 2 with Source and Receivers; protocol labels IGMP, PIM, MSDP)

Multicast group management protocol
Internet group management protocol (IGMP) is adopted between a host and its directly connected multicast routers. This protocol defines the mechanism of establishing and maintaining multicast group membership between hosts and multicast routers.
Forwarding Mechanism of Multicast Packets
In order to guarantee the transmission of multicast packets in the network, multicast packets must be forwarded based on unicast routing tables or those specially provided to multicast (such as an MBGP multicast routing table). In addition, to prevent the interfaces from receiving the same information from different peers, routers must check the receiving interfaces.
42 GMRP CONFIGURATION

GMRP Overview
GMRP (GARP Multicast Registration Protocol), based on GARP, is used for maintaining the multicast registration information of the switch. All GMRP-capable switches can receive multicast registration information from other switches, dynamically update local multicast registration information, and send their own local multicast registration information to other switches.
CHAPTER 42: GMRP CONFIGURATION

Displaying and Maintaining GMRP
After the above-described configuration, execute the display command in any view to display the running GMRP configuration and to verify the effect of the configuration.
GMRP Configuration Example
[SW7750] interface Ethernet 2/0/1
[SW7750-Ethernet2/0/1] gmrp
GMRP is enabled on port Ethernet 2/0/1.
43 IGMP SNOOPING CONFIGURATION

Overview

IGMP Snooping Fundamentals
Internet group management protocol snooping (IGMP Snooping) is a multicast control mechanism running on a Layer 2 switch. It is used to manage and control multicast groups. When the IGMP messages transferred from the hosts to the router pass through the Layer 2 switch, the switch uses IGMP Snooping to analyze and process the IGMP messages, as shown in Table 333.
CHAPTER 43: IGMP SNOOPING CONFIGURATION

IGMP Snooping Implementation
IGMP Snooping terminologies
■ Router port: the switch port directly connected to the multicast router.
■ Multicast member port: a switch port connected to a multicast group member (a host in a multicast group).
■ MAC multicast group: a multicast group identified by a MAC multicast address and maintained by the switch.
Overview

Table 335 IGMP Snooping messages
Message: IGMP general query message
Sender: Multicast router and multicast switch
Receiver: Multicast member switch and host
Purpose: Query if the multicast groups contain any member
Action of the multicast member switch: Check if the message comes from the original router port

Message: IGMP group-specific query message
Sender: Multicast router and multicast switch
Receiver: Multicast member switch and host
Purpose: Query if a
Action of the multicast member switch: Send an IGMP group-specific query message to the IP multic
Table 335 IGMP Snooping messages (continued)
Message: IGMP leave message
Sender: Multicast router and multicast switch
Receiver: Host
Purpose: Notify the multicast router and multicast switch that the host is leaving its multicast group.
IGMP Snooping Configuration

Table 336 IGMP Snooping configuration tasks
Operation | Description | Related section
Configure timers | Optional | “Configuring Timers” on page 432
Enable IGMP fast leave | Optional | “Enabling IGMP Fast Leave for a Port or All Ports” on page 432
Configure IGMP Snooping filter | Optional | “Configuring IGMP Snooping Filtering ACLs” on page 433
Configure to limit the number of multicast groups on a port | Optional | “Configuring to Limit Number of Multicas

Enabling IGMP Snooping
Table 338 Configure the version of IGMP Snooping
Operation: Enter system view
Command: system-view
Description: -

Operation: Enter VLAN view
Command: vlan vlan-id
Description: -

Operation: Configure the version of IGMP Snooping
Command: igmp-snooping version version-number
Description: Optional. The default IGMP Snooping version is version 2.

CAUTION:
■ Before configuring the IGMP Snooping version, you must enable IGMP Snooping in the VLAN.

Configuring Timers
IGMP Snooping Configuration
If the IGMP fast leave feature is enabled, when receiving an IGMP Leave message, the switch immediately removes the port from the multicast group. When a port has only one user, enabling the IGMP fast leave feature on the port can save bandwidth.
Table 342 Configure IGMP Snooping filtering ACLs globally
Operation: Enable IGMP Snooping filter in system view
Command: igmp-snooping group-policy acl-number [ vlan vlan-list ]
Description: Required
■ You can configure the ACL to filter the IP addresses of the corresponding multicast groups.
■ By default, the multicast filtering feature is disabled.
IGMP Snooping Configuration
However, a Layer 2 multicast switch does not support IGMP, and therefore does not have an IGMP querier to send general queries by default. By enabling the IGMP Snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers are present, the Layer 2 switch acts as a querier and sends IGMP general queries, thus allowing multicast forwarding entries to be established and maintained at the data link layer.
Configuring IGMP Snooping Simulated Joining
Generally, hosts running IGMP respond to the IGMP query messages of the IGMP querier. If hosts fail to respond for some reason, the multicast router may consider that there is no member of the multicast group on the local subnet and remove the corresponding path. To prevent this from happening, you can configure a port of the IGMP-enabled VLAN interface as a multicast group member.
Configuring Multicast VLAN
■ If you configure IGMP Snooping simulated joining in Ethernet port view, the Ethernet port must belong to the specified VLAN; otherwise the configuration does not take effect.
■ You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host. This configuration takes effect only when IGMPv3 Snooping is enabled in the VLAN.

Displaying and Maintaining IGMP Snooping
Table 350 Display information about IGMP Snooping
Operation: Display the current IGMP Snooping configuration
Command: display igmp-snooping configuration
Description: You can execute the display commands in any view.
Configure Multicast VLAN

IGMP Snooping Configuration Example
Network requirements
Table 351 lists all the devices in the network. Assume that port type configuration, VLAN division configuration, and IP address configuration for the interface are completed.
Configuration procedure
# Configure Router A.
system-view
[Router-A] multicast routing-enable
[Router-A] interface GigabitEthernet0/0/0
[Router-A-GigabitEthernet0/0/0] pim sm
[Router-A-GigabitEthernet0/0/0] igmp enable
[Router-A-GigabitEthernet0/0/0] quit
# Configure Switch B.
44 COMMON MULTICAST CONFIGURATION

Overview
Common multicast configuration tasks are the contents common to the multicast group management protocol and the multicast routing protocol. You must complete the common multicast configuration on the switch before enabling the two protocols.
CHAPTER 44: COMMON MULTICAST CONFIGURATION

Enabling Multicast Routing and Configuring Limit on the Number of Multicast Route Entries
Table 353 Enable multicast routing and configure limit on the number of multicast route entries
Operation: Enter system view
Command: system-view
Description: -

Operation: Enable multicast routing
Command: multicast routing-enable
Description: Required. Multicast routing must be enabled before the multicast group management protocol and the multicast routing protocol are configured.
Common Multicast Configuration Tasks
to the forwarding entry. If the packet is not received on the right ingress of the forwarding entry, the packet is regarded as a wrongif packet. The wrongif packet will be reported to the CPU for processing. In some networks, many wrongif packets will be reported to the CPU of the switch for processing, thus aggravating the workload of the switch.
■ Enable IGMP snooping globally
■ Enable multicast routing globally
■ Allocate an Ethernet port to the corresponding VLAN
■ Configure an IP address for the VLAN
■ Enable the multicast routing protocol on the VLAN interface
■ Bring the Ethernet port to the up state

Configuring static router ports in Ethernet port view
Table 357 Configure static router ports
Operation: Enter system view
Command: system-view
Description: -

Operation: Enter Ethernet port view
Displaying Common Multicast Configuration
After the configuration above, you can execute the display command to verify the configuration by checking the displayed information. The multicast forwarding table is mainly used for debugging. Generally, you can get the required information by checking the core multicast routing table.
Table 359 Display common multicast configuration
Operation: Display the information about the multicast routing table
Command: display multicast
Description: You can execute the display command in any view.
45 STATIC MULTICAST MAC ADDRESS TABLE CONFIGURATION

Overview
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. However, you can also statically bind a port to a multicast address entry by configuring a multicast MAC address entry manually. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch will broadcast the packet in the VLAN to which the port belongs.
CHAPTER 45: STATIC MULTICAST MAC ADDRESS TABLE CONFIGURATION

Table 361 Display the multicast MAC addresses
Operation: Display the static multicast MAC addresses
Command: display mac-address multicast [ count ]
Description: You can use the display command in any view.
46 IGMP CONFIGURATION

Overview

Introduction to IGMP
Internet group management protocol (IGMP) is responsible for the management of IP multicast members. It is used to establish and maintain membership between IP hosts and their directly connected neighboring routers. IGMP does not transmit and maintain membership information among multicast routers; this task is completed by multicast routing protocols. All the hosts participating in multicast must support IGMP.
CHAPTER 46: IGMP CONFIGURATION

In IGMP Version 1, the multicast routing protocol selects the querier. In IGMP Version 2, it is defined that the multicast router with the lowest IP address is selected as the querier when there are multiple multicast routers in a network segment.

Leave group mechanism
In IGMP Version 1, hosts leave the multicast group quietly without informing any multicast router. Only when a query message times out can the multicast router know that a host has left the group.
Overview

Figure 110 Working mechanism of IGMPv1 (figure: DR, Router A, Router B, Ethernet; Host A (G2), Host B (G1), Host C (G1); Query and Report messages)

A host joins the multicast group in the following procedure:
■ The IGMP querier (such as the DR) periodically multicasts IGMP general query messages to all the hosts in the shared network segment, using the destination address 224.0.0.1.
■ All hosts in the network receive the query messages.
Enhancements Provided by IGMPv2
Compared with IGMPv1, IGMPv2 provides the querier election mechanism and the Leave Group mechanism.
■ Querier election mechanism
In IGMPv1, the DR elected by the Layer 3 multicast routing protocol (such as PIM) serves as the querier among multiple routers on the same subnet. In IGMPv2, an independent querier election mechanism is introduced.
Overview
3 switch in the leaf network (Switch B in the figure). The Layer 3 switch will then forward the IGMP join or IGMP leave messages sent by the connected hosts. After the configuration of IGMP Proxy, the leaf switch is no longer a PIM neighbor but a host for the external network. Only when the Layer 3 switch has directly connected members can it receive the multicast data of the corresponding groups.

Figure 111 Diagram for IGMP Proxy (figure: Switch A, VLAN-int 1, 33.33.33.)
IGMP Configuration Tasks
Table 362 Configuration task overview
Operation | Description | Related section
Configure IGMP version | Optional | “Configuring IGMP Version” on page 454
Configure IGMP query messages | Optional | “Configuring IGMP Query Packets” on page 454
Configure IGMP multicast groups on the interface | Optional | “Configuring IGMP Multicast Groups on the Interface” on page 456
Configure IGMP simulated joining | Optional | “Configuring I

Configuring IGMP Version
IGMP Configuration Tasks
IGMP group-specific query messages
The query router (querier for short) maintains the IGMP join messages on the interface on the shared network. After the related features are configured, the IGMP querier will send IGMP group-specific query messages at the user-defined interval for the user-defined number of times when it receives IGMP leave messages from the hosts. Suppose a host in a multicast group decides to leave the multicast group.
Table 364 Configure IGMP query messages
Operation: Enable the multicast routing protocol
Command: multicast routing-enable
Description: Required

Operation: Enter VLAN interface view
Command: interface Vlan-interface interface-number
Description: -

Operation: Enable IGMP on the current interface
Command: igmp enable
Description: Required

Operation: Configure the query interval
Command: igmp timer query seconds

By default, if the IP multicast routing protocol is enabled globally, IGMP is enabled on all the Layer 3 interfaces automatically.
IGMP Configuration Tasks
interface of the switch may fail when a large number of multicast groups join on the routing interface. You can configure a limit on the number of IGMP multicast groups on the interface of the switch. Thus, when users are ordering the programs of multicast groups, the network bandwidth can be controlled because the number of multicast groups is limited.
Table 365 Configure IGMP multicast groups on the interface
Operation: Limit the range of multicast groups that the interface serves
Command: igmp group-policy acl-number vlan vlan-id
Description: Optional
■ By default, the filter is not configured, that is, any multicast group is permitted on the port.
■ The port must belong to the IGMP-enabled VLAN specified in the command. Otherwise, the command does not take effect.

Configuring IGMP Simulated Joining
IGMP Configuration Tasks
■ If you configure IGMP simulated joining in Ethernet port view, the port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect.

Configuring IGMP Proxy
You can configure IGMP proxy to reduce the workload of configuration and management of leaf networks without affecting the multicast connections of the leaf network.
multicast group and drop the other IGMP host report messages from the multicast group.

Table 369 Configure suppression on IGMP host report messages
Operation: Enter system view
Command: system-view
Description: -

Operation: Configure suppression on IGMP host report messages
Command: igmp report-aggregation
Description: Required. By default, the suppression on IGMP host report messages is disabled.

Removing the Joined IGMP Groups from the Interface
47 PIM CONFIGURATION

PIM Overview
Protocol independent multicast (PIM) means that the unicast routing protocols providing routes for multicast can be static routes, RIP, OSPF, IS-IS, or BGP. The multicast routing protocol is independent of the unicast routing protocols as long as the unicast routing protocols can generate route entries. With the help of reverse path forwarding, PIM can transmit multicast information in the network.
CHAPTER 47: PIM CONFIGURATION

■ RPF check
■ Assert mechanism

Neighbor discovery
In a PIM-DM network, a multicast router uses Hello messages to perform neighbor discovery and maintain the neighbor relationship when it starts. All routers keep in touch with each other by sending Hello messages periodically, and thus the SPT is established and maintained.

SPT establishment
The procedure of establishing the SPT is also called Flooding & Prune.
PIM Overview

Figure 112 Diagram for SPT establishment in PIM-DM (figure: Source, Server, Host A, Host B, Host C, Receivers; SPT, Prune message, Multicast packets)

The process above is called “Flooding and Pruning”. Every pruned node also provides a timeout mechanism. If the pruning times out, the router will initiate another flooding and pruning process. This process is performed periodically in PIM-DM.
Assert mechanism
In a shared network such as Ethernet, the same packets may be sent repeatedly. For example, a LAN segment contains multiple multicast routers A, B, C, and D. They each have their own receiving path to the multicast source S.
PIM Overview
At the receiving end, the router connected to the information receiver sends join messages to the RP corresponding to the multicast group. The join message reaches the root (namely, the RP) after passing each router. The paths passed become the branches of the rendezvous point tree (RPT). If the sending end wants to send data to a multicast group, the first-hop router will send registration information to the RP.
Figure 114 Diagram for DR election (figure: DR, DR, Ethernet, Ethernet, Receiver, RP, Source, Receiver; Hello message, Register message, Join message)

Each router on the shared network sends Hello messages with the DR priority option to each other. The router with the highest DR priority is elected as the DR in the network. If the priority is the same, the router with the highest IP address is elected as the DR. When the DR fails, the received Hello messages will time out.
PIM Overview
One or more candidate BSRs must be configured in a PIM domain. Through auto-election, the candidate BSRs elect a BSR, which is responsible for collecting and advertising RP information. The auto-election among candidate BSRs is described as follows:
■ Specify a PIM-SM-enabled interface when configuring a router as a candidate BSR.
Figure 116 Diagram for RPT building in PIM-SM (figure: Source, RP, Server, DR, DR, Host A, Host B, Host C, Receivers; RPT, Join message, Multicast packets)

Each router on the path from the leaf router to the RP generates (*, G) entries in the forwarding table. The routers on the path form a branch of the RPT. A (*, G) entry represents the information from any source to the multicast group G. The RP is the root of the RPT and the receivers are the leaves of the RPT.
Common PIM Configuration

Figure 117 Diagram for multicast source registration (figure: Source, DR, RP, Server, Host A, Host B, Host C, Receivers; SPT, Join message, Register message, Multicast packets)

When the RP receives the registration information from S, it decapsulates the registration information and forwards the multicast information to the receivers along the RPT; on the other hand, it sends (S, G) join messages to S hop by hop. The routers passed constitute a branch of the SPT.
Table 372 Configuration tasks
Operation | Description | Related section
Enable PIM-DM (PIM-SM) on the interface | Required | “Enabling PIM-DM (PIM-SM) on the Interface” on page 470
Configure the interval of sending Hello packets | Optional | “Configuring the Interval of Sending Hello Packets” on page 470
Configure PIM neighbors | Optional | “Configuring PIM Neighbors” on page 471
Cl

Enabling PIM-DM (PIM-SM) on the Interface

Configuring the Interval of Sending Hello Packets
Common PIM Configuration

Configuring PIM Neighbors
To prevent a large number of PIM neighbors from exhausting the memory of the router, which may result in router failure, you can limit the number of PIM neighbors on a router interface. However, the total number of PIM neighbors of a router is defined by the system, and you cannot modify it through commands. You can configure basic ACL 2000 to 2999 (refer to “ACL Configuration” on page 637).
PIM-DM Configuration
Perform the following configuration to configure PIM-DM. When the router runs in a PIM-DM domain, it is recommended that you enable PIM-DM on all the interfaces of non-border routers.

Configuring Filtering Policies for Multicast Source/Group
PIM-SM Configuration

Table 379 Configure BSR/RP
Operation: Configure candidate BSRs
Command: c-bsr interface-type interface-number hash-mask-len [ priority ]
Description: Optional

Operation: Configure candidate RPs
Command: c-rp interface-type interface-number [ group-policy acl-number | priority priority ]*
Description: Optional

Operation: Configure static RPs
Command: static-rp rp-address [ acl-number ] [ preferred ]

Operation: Limit the range of valid BSRs
Command: bsr-policy acl-number

Operation: Limit the range of valid C-RPs
Command: crp-policy acl-number

By default, cand
■ If both a dynamic RP and a static RP exist simultaneously, and if you have configured the keyword preferred, the static RP has priority over the dynamic RP.
■ The PIM protocol need not be enabled on the interface of static RPs.
■ The limit on the range of valid BSRs is to prevent the valid BSRs in the network from being replaced maliciously.

Configuring PIM-SM Domain Boundary
Displaying and Debugging PIM

Table 381 Filter the registration packets from RP to DR
Operation: Quit VLAN view
Command: quit
Description: -

Operation: Enter PIM view
Command: pim
Description: -

Operation: Configure to filter the registration packets from RP to DR
Command: register-policy acl-number
Description: Required
■ You can configure to filter the IP addresses of some multicast groups in the ACL.
■ By default, the switch does not filter the registration packets from the DR.

Configuring the Threshold for RPT-to-SPT Switchover
Table 383 Display and maintain PIM
Configuration: Display PIM multicast routing tables
Command: display pim routing-table
Description: You can execute the display command in any view.
PIM Configuration Examples

Configuration procedure
1 Configure unicast routing
Configure the OSPF protocol for interoperation among the switches in the PIM-DM domain. Ensure network-layer interoperation among the switches in the PIM-DM domain. Detailed configuration steps are omitted here.
2 Enable IP multicast routing, and enable PIM-DM on each interface
# Enable multicast routing on Lanswitch 1, and enable PIM-DM on each interface.
Network diagram
Figure 119 Network diagram for PIM-SM configuration (figure: HostA, HostB, LS_A, LS_B, LS_C, LS_D; VLAN10, VLAN11, VLAN 12)

Configuration procedure
1 Configure unicast routing
Configure the OSPF protocol for interoperation among the switches in the PIM-SM domain. Ensure network-layer interoperation among the switches in the PIM-SM domain. Detailed configuration steps are omitted here.
Troubleshooting PIM
[SW7750-Vlan-interface10] pim sm
[SW7750-Vlan-interface10] quit
[SW7750] interface Vlan-interface 11
[SW7750-Vlan-interface11] pim sm
[SW7750-Vlan-interface11] quit
[SW7750] interface Vlan-interface 12
[SW7750-Vlan-interface12] pim sm
[SW7750-Vlan-interface12] quit
# Configure candidate BSRs.
[SW7750] pim
[SW7750-pim] c-bsr Vlan-interface 10 30
# Configure candidate RPs.
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.
48 MSDP CONFIGURATION

MSDP Overview

Introduction to MSDP
Multicast Source Discovery Protocol (MSDP) is an inter-domain multicast solution developed to address the interconnection of Protocol Independent Multicast sparse mode (PIM-SM) domains. It is used to discover multicast source information in other PIM-SM domains. In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information of a domain is isolated from that of another domain.
CHAPTER 48: MSDP CONFIGURATION

Figure 120 Where MSDP peers are in the network (figure: PIM-SM 1, PIM-SM 2, PIM-SM 3; Router A, Router B, RP 1, RP 2, RP 3, Source, Receiver; MSDP peers)

As shown in Figure 120, an MSDP peer can be created on any PIM-SM router. MSDP peers created on PIM-SM routers that assume different roles function differently.
1 MSDP peers on RPs
■ Source-side MSDP peer: the MSDP peer nearest to the multicast source (Source), typically the source-side RP, like RP 1.
MSDP Overview

Implementing inter-domain multicast delivery by leveraging MSDP peers
As shown in Figure 121, an active source (Source) exists in the domain PIM-SM 1, and RP 1 has learned the existence of Source through multicast source registration.
5 Upon receiving the SA message created by RP 1, RP 2 in PIM-SM 2 checks whether there are any receivers for the multicast group in the domain.
■ If so, the RPT for the multicast group G is maintained between RP 2 and the receivers. RP 2 creates an (S, G) entry, and sends an (S, G) join message hop by hop towards DR 1 at the multicast source side, so that it can directly join the SPT rooted at the source over other PIM-SM domains.
MSDP Overview
As illustrated in Figure 122, these MSDP peers dispose of SA messages according to the following RPF check rules:
1 When RP 2 receives an SA message from RP 1
Because the source-side RP address carried in the SA message is the same as the MSDP peer address, which means that the MSDP peer the SA message comes from is the RP that created the SA message, RP 2 accepts the SA message and forwards it to its other MSDP peer (RP 3).
As shown in Figure 123, within a PIM-SM domain, a multicast source sends multicast data to multicast group G, and Receiver is a member of the multicast group. To implement Anycast RP, configure the same IP address (known as the anycast RP address, typically a private address) on Router A and Router B, configure these interfaces as C-RPs, and establish an MSDP peering relationship between Router A and Router B.
Configuring MSDP Basic Functions
■ Redundancy backup between RPs: When an RP fails, the multicast source previously registered with it or the receivers that previously joined it will register with or join another nearest RP, thus achieving redundancy backup between RPs.

CAUTION:
■ Be sure to configure a 32-bit subnet mask (255.255.255.255) for the Anycast RP address, namely configure the Anycast RP address as a host address.

Protocols and Standards
whose connection is in the UP state will be selected as the active static RPF peer.
Configuring Connection between MSDP Peers
BGP or MBGP between MSDP peers, thus simplifying the RPF checking mechanism. The sessions between MSDP peers can be terminated and reactivated as required. When a session between MSDP peers is terminated, the TCP connection is closed, and there will be no reconnection attempts. However, the configuration information is kept.
Table 387 Configure an MSDP mesh group
Operation: Enter system view
Command: system-view
Description: -

Operation: Enter MSDP view
Command: msdp
Description: -

Operation: Add an MSDP peer to a mesh group
Command: peer peer-address mesh-group name
Description: Required

Note: This command must be configured on all the peers; therefore, you need to configure this command multiple times.

Configuring MSDP Peer Connection Control
Configuring SA Message Transmission
among MSDP peers. For forwarded SA messages, you can also configure a Time-to-Live (TTL) threshold to control the range within which SA messages carrying encapsulated data are transmitted. To reduce the delay in obtaining multicast source information, you can cache SA messages on the router. The number of SA messages cached must not exceed the system limit. The more messages are cached, the more router memory is occupied.
Table 389 Configure the transmission and filtering of SA request messages
Operation: Configure to filter the SA messages received by an MSDP peer
Command: peer peer-address sa-request-policy [ acl acl-number ]
Description: Optional. By default, a router receives all SA request messages from the MSDP peer.

Configuring a Rule for Filtering the Multicast Sources of SA Messages
Table 391 Configure a rule for filtering received and forwarded SA messages
■ Filter SA messages to be received or forwarded: peer peer-address sa-policy { import | export } [ acl acl-number ] (Optional). By default, no filtering is imposed on SA messa
■ Configure the minimum TTL for the multicast packets sent to the specified MSDP peer: peer peer-address minimum-ttl ttl-value (Optional)
Configuring SA Message Cache
Table 393 Display and debug MSDP configuration
■ Display the (S, G) state learned from MSDP peers: display msdp sa-cache [ group-address | [ source-address ] ] [ autonomous-system-number ]
■ Display the number of sources and groups in the MSDP cache: display msdp sa-count [ autonomous-system-number ]
■ Reset the TCP connection with the specified MSDP peer: reset msdp peer peer-address
■ Clear the cached SA messages: reset msdp sa-cache [ group-address ]
■ Cle
MSDP Configuration Example
Network diagram
Figure 124 Network diagram for MSDP configuration (AS 100 and AS 200; PIM-SM 1, PIM-SM 2 and PIM-SM 3; Switch A through Switch G with Loop 0 and Vlan-int100/101/102/200/300/400 interfaces; Source 1, Source 2 and Receivers; MSDP peers)
Device interface IP addresses: Switch C, Vlan-int100, 10.110.1.
system-view
[SwitchC] multicast routing-enable
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] pim sm
[SwitchC-Vlan-interface100] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] pim sm
[SwitchC-Vlan-interface200] quit
[SwitchC] interface vlan-interface 101
[SwitchC-Vlan-interface101] pim sm
[SwitchC-Vlan-interface101] quit
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] pim sm
[SwitchC-LoopBack0] quit
# Configure the PIM domain boundary on Switch
# Configure IBGP on Switch F, and import OSPF routes.
[SwitchF] router id 3.3.3.3
[SwitchF] bgp 200
[SwitchF-bgp] group as200
[SwitchF-bgp] peer as200 as-number 200
[SwitchF-bgp] peer 192.168.3.1 group as200
[SwitchF-bgp] import-route ospf
[SwitchF-bgp] quit
# Carry out the display bgp peer command to view the BGP peering relationships between the switches.
[SwitchF] msdp
[SwitchF-msdp] peer 192.168.3.2 connect-interface Vlan-interface101
[SwitchF-msdp] quit
# Configure MSDP peers on Switch D.
[SwitchD] msdp
[SwitchD-msdp] peer 192.168.1.1 connect-interface Vlan-interface110
[SwitchD-msdp] peer 192.168.3.1 connect-interface Vlan-interface101
[SwitchD-msdp] quit
When the multicast source S1 in PIM-SM1 sends multicast information, receivers in PIM-SM2 and PIM-SM3 can receive the multicast data.
MSDP Configuration Example
Network requirements
Each PIM-SM network is a single-BSR administrative domain with multiple multicast sources (S) and receivers. With Anycast RP configured in each PIM-SM domain, when a new member joins a multicast group, the switch directly connected to the receiver can send a Join message to the topologically nearest RP. The PIM-SM network runs OSPF to provide unicast routes, and an MSDP peering relationship is established between Switch C and Switch D.
# Enable multicast on SwitchC and enable PIM-SM on all interfaces. The configuration procedures on the other switches are similar to those on SwitchC and are omitted here.
# Configure an MSDP peer on Loopback0 on SwitchC.
[SwitchC] msdp
[SwitchC-msdp] originating-rp loopback0
[SwitchC-msdp] peer 2.2.2.2 connect-interface loopback0
[SwitchC-msdp] quit
# Configure an MSDP peer on Loopback0 on SwitchD.
[SwitchD] msdp
[SwitchD-msdp] originating-rp loopback0
[SwitchD-msdp] peer 1.1.1.1 connect-interface loopback0
[SwitchD-msdp] quit
# Carry out the display msdp brief command to view the MSDP peering relationship established between the switches.
Network diagram
Figure 126 Network diagram for static RPF peer configuration (AS 100 and AS 200; PIM-SM 1 and PIM-SM 3; Switch A through Switch G; Source 1, Source 2 and Receivers; Loop 0 addresses 1.1.1.1/32, 2.2.2.2/32 and 3.3.3.; Vlan-int110 addresses 192.168.1.1/24 and 192.168.1.2/24)
[SwitchC] interface vlan-interface 110
[SwitchC-Vlan-interface110] pim sm
[SwitchC-Vlan-interface110] quit
[SwitchC] interface Vlan-interface 101
[SwitchC-Vlan-interface101] pim sm
[SwitchC-Vlan-interface101] quit
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] pim sm
[SwitchC-LoopBack0] quit
# Configure BSR administrative boundaries on Switch C, Switch D, and Switch F.
If the display bgp peer command produces no output, the BGP peering relationships between the switches have not been established. When the multicast source S1 in PIM-SM1 sends multicast information, receivers in PIM-SM2 and PIM-SM3 can receive the multicast data. You can use the display msdp brief command to view brief information about the MSDP peering relationships between the switches.
keyword is optional. If you do not use this keyword, all (S, G) entries are filtered out by default, that is, none of the (S, G) entries in the local multicast domain are advertised. Before the import-source command is executed, the system sends all (S, G) entries in the local multicast domain. If MSDP fails to send the (S, G) entries of the local multicast domain through SA messages, verify that the import-source command is configured correctly.
49 AAA & RADIUS & HWTACACS CONFIGURATION
Overview
Introduction to AAA
AAA is short for the three security functions authentication, authorization and accounting. It provides a uniform framework for configuring these three functions to implement network security management. The network security mentioned here mainly refers to access control.
CHAPTER 49: AAA & RADIUS & HWTACACS CONFIGURATION
Accounting
AAA supports the following accounting methods:
■ None accounting: No accounting is performed for users.
■ Remote accounting: User accounting is performed on the remote RADIUS server or TACACS server.
Generally, AAA adopts the client/server structure, where the client acts as the managed resource and the server stores user information. This structure has good scalability and facilitates the centralized management of user information.
■ Users: This database stores information about users (such as user name, password, adopted protocol and IP address).
■ Clients: This database stores information about RADIUS clients (such as shared keys).
■ Dictionary: This database stores the information used to interpret the attributes and attribute values of the RADIUS protocol.
The basic message exchange procedure of RADIUS is as follows:
1 The user enters the user name and password.
2 The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server.
3 The RADIUS server compares the received user information with that in the Users database to authenticate the user.
Figure 129 RADIUS packet structure
Code (1 byte) | Identifier (1 byte) | Length (2 bytes)
Authenticator (16 bytes)
Attribute
1 The Code field determines the type of the RADIUS packet, as shown in Table 395.
Table 395 Description of major values of the Code field
■ Code 1, Access-Request. Direction: client->server. The client transmits this packet to the server to determine whether the user can access the network. This packet carries user information.
4 The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS server; it is also used in the password hiding algorithm. There are two kinds of authenticators: Request and Response.
5 The Attribute field contains specific authentication, authorization, and accounting information that provides the configuration details of a request or response packet.
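The packet fields and the two authenticators described above, worked through in code. This is an added example written for this page, not 3Com's or the switch's code; the password hiding and Response Authenticator algorithms follow RFC 2865, and the shared secret, user name and password are constructed values.

```python
"""RADIUS packet encode/parse and authenticator checks per RFC 2865 (added example, not 3Com code).
Shared secret, user name and password used below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # Code values
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                                    # attribute types
HEADER_LEN = 20           # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096     # RFC 2865 maximum datagram length

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), chained from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")

def encode_attributes(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value TLVs; Length counts the 2 header bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body

def parse_packet(data: bytes) -> dict:
    """Parse a datagram, validating Length and each attribute length rather than trusting them."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN or length > len(data):
        raise ValueError("bad Length field")   # bytes beyond Length are padding and ignored
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs}

def response_authenticator(code, identifier, attr_bytes, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def make_access_request(identifier, secret, user, password, request_auth=None):
    """Client side: Access-Request with a (random) Request Authenticator; returns (packet, auth)."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth

def make_reply(code, request_packet, secret, attrs=()):
    """Server side: reply that echoes the Identifier and carries a Response Authenticator."""
    req = parse_packet(request_packet)
    auth = response_authenticator(code, req["identifier"], encode_attributes(attrs),
                                  req["authenticator"], secret)
    return build_packet(code, req["identifier"], auth, attrs)

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator shows the sender knew
    the shared secret and our Request Authenticator (constant-time comparison)."""
    pkt = parse_packet(response)
    expected = response_authenticator(pkt["code"], pkt["identifier"],
                                      response[HEADER_LEN:pkt["length"]], request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])

if __name__ == "__main__":
    secret = b"sample-shared-secret"                          # constructed, not a real key
    req, rauth = make_access_request(7, secret, b"telnet@system", b"s3cret-pw")
    accept = make_reply(ACCESS_ACCEPT, req, secret)
    print("genuine Access-Accept verifies:", verify_response(accept, rauth, secret))
```

A reply built with a different secret, or with any byte of the header or attributes altered, fails verify_response, which is the check a NAS relies on since RADIUS runs over plain UDP.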
customized sub-attributes (each containing Type, Length and Value) to obtain an extended RADIUS implementation.
Figure 130 Part of the RADIUS packet containing an extended attribute (Code, Identifier, Length, Authenticator, Attribute)
Introduction to HWTACACS
What is HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492).
Figure 131 Network diagram for a typical HWTACACS application (Host, HWTACACS client, HWTACACS servers)
Basic message exchange procedure in HWTACACS
For example, use HWTACACS to implement authentication, authorization, and accounting for a Telnet user.
The basic message exchange procedure is as follows:
1 A user requests access to the switch; the TACACS client sends an authentication start request packet to the TACACS server upon receipt of the request.
2 The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.
3 The TACACS client sends an authentication continue packet carrying the username after receiving the username from the user.
Configuration Tasks
Table 398 Configuration tasks
AAA configuration:
■ Create an ISP domain (Required): “Creating an ISP Domain” on page 518
■ Configure the attributes of the ISP domain (Optional): “Configuring the Attributes of an ISP Domain” on page 519
■ Configure an AAA scheme for the ISP domain: “Configuring an AAA Scheme for an ISP Domain” on page 520
Table 398 Configuration tasks (continued)
RADIUS configuration:
■ Create a RADIUS scheme (Required): “Creating a RADIUS Scheme” on page 525
■ Configure RADIUS authentication/authorization servers (Required): “Configuring RADIUS Authentication/Authorization Servers” on page 525
■ Configure RADIUS accounting servers (Required): “Configuring RADIUS Accounting Servers” on page 526
■ Configure shared keys for RADIUS packets (Optional): “Configuring Shared Keys for RA
Table 398 Configuration tasks (continued)
HWTACACS configuration:
■ Create a HWTACACS scheme (Required): “Creating a HWTACACS Scheme” on page 532
■ Configure HWTACACS authentication servers (Required): “Configuring HWTACACS Authentication Servers” on page 532
■ Configure HWTACACS authorization servers (Required): “Configuring HWTACACS Authorization Servers” on
AAA Configuration
Configuration Prerequisites
Creating an ISP Domain
Configuring the Attributes of an ISP Domain
Table 400 Configure the attributes of an ISP domain
■ Enter system view: system-view
■ Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (Required)
■ Activate/deactivate the ISP domain: state { active | block } (Optional)
■ Set the maximum number of access users that can be contained in the ISP domain: access-limit { disable | enable max-user-number } (Optional)
■ Set the user idle-cut
Configuring an AAA Scheme for an ISP Domain
3Com’s CAMS Server is a service management system used to manage networks and to secure networks and user information. Cooperating with other network devices (such as switches) in a network, the CAMS Server implements the AAA (authentication, authorization and accounting) services and rights management.
Configuring separate AAA schemes
You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following lists the implementations of this separate approach for the services supported by AAA.
■ For terminal users
Authentication: RADIUS, local, HWTACACS, or none.
Authorization: none or HWTACACS.
Accounting: RADIUS, HWTACACS, or none.
authentication and authorization configuration for a domain: if the scheme radius-scheme or scheme local command and the authorization none command are executed but the authentication command is not, the authorization information returned from the RADIUS or local scheme still takes effect.
Table 404 Configure dynamic VLAN assignment
■ Create an ISP domain and enter its view: domain isp-name
■ Set the VLAN assignment mode: vlan-assignment-mode { integer | string } (Optional). By default, the VLAN assignment mode is integer.
■ Create a VLAN and enter its view: vlan vlan-id
■ Set a VLAN name for VLAN assignment: name string
Configuring the Attributes of a Local User
Table 405 Configure the attributes of a local user
■ Authorize the user to access the specified type(s) of service(s): service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] } (Required). By default, the system does not authorize the user to access any service.
■ Set the priority level of the user: level level (Optional). By default, the priority level of the user is 0.
RADIUS Configuration
The RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual network environment, you can use either a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme.
Table 408 Configure RADIUS authentication/authorization servers
■ Set the IP address and port number of the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ] (Optional). By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively.
Configuring RADIUS Accounting Servers
CAUTION:
■ In an actual network environment, you can either specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server as both the primary and secondary accounting server.
Configuring Shared Keys for RADIUS Packets
Configuring the Maximum Number of Transmission Attempts of RADIUS Requests
Because RADIUS carries its data in UDP packets, its communication is unreliable. Therefore, the switch must retransmit a RADIUS request if it receives no response from the RADIUS server by the time the response timeout timer expires.
Table 413 Set the status of RADIUS servers
■ Enter system view: system-view
■ Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required). By default, a RADIUS scheme named “system” has already been created in the system.
■ Set the status of the primary RADIUS authentication/authorization server: state primary authentication { block | active }
■ Set the status of the primary RADIUS accounting server
reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
■ For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not adopt this RADIUS scheme in more than one ISP domain.
Configuring a Local RADIUS Authentication Server
Configuring the Timers of RADIUS Servers
instead of communicating with the secondary server, and at the same time restores the primary server to the active state while keeping the state of the secondary server unchanged. To charge users in real time, set the real-time accounting interval. After the setting, the switch sends the accounting information of online users to the RADIUS server at that interval.
the information contained in this packet (NAS-ID, NAS-IP address and session ID), and ends the accounting of the users based on the last accounting update packet.
4 Once the switch receives the response from the CAMS, it stops sending Accounting-On packets.
Table 419 Configure HWTACACS authentication servers
■ Set the IP address and port number of the primary TACACS authentication server: primary authentication ip-address [ port ] (Required)
■ Set the IP address and port number of the secondary TACACS authentication server: secondary authentication ip-address [ port ] (Required). By default, the IP address of the
Configuring HWTACACS Authorization Servers
Configuring HWTACACS Accounting Servers
Table 421 Configure HWTACACS accounting servers
■ Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required)
■ Set the IP address and port number of the primary TACACS accounting server: primary accounting ip-address [ port ] (Required)
■ Set the IP address and port number of the secondary TACACS accounting server: secondary accounting ip-addres
Configuring Shared Keys for RADIUS Packets
Configuring the Attributes for Data to be Sent to TACACS Servers
Table 423 Configure the attributes for data to be sent to TACACS servers
■ Enter system view: system-view
■ Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required). By default, no HWTACACS scheme exists.
information of online users to the TACACS accounting server at intervals of this value. Even if the server does not respond, the device does not cut off the online user.
■ The interval must be a multiple of 3.
■ The setting of the real-time accounting interval depends to some extent on the performance of the device and the TACACS server: a shorter interval requires higher device performance.
Displaying and Maintaining AAA & RADIUS & HWTACACS Information
Table 426 Display and maintain RADIUS protocol information
■ Delete the buffered stop-accounting request packets that received no response: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }. You can execute the reset command in user view.
■ Clear the statistics about the RADIUS protocol: reset radius statistics
Table 427 Display and maintain HWTACA
■ A RADIUS server with IP address 10.1.1.1 is connected to the switch. This server will be used as the authentication server.
■ On the switch, set the shared key used to exchange packets with the RADIUS authentication server to “expert”.
You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server, you can select standard or extended as the server type in the RADIUS scheme.
[SW7750-radius-cams] key authentication expert
[SW7750-radius-cams] server-type Extended
[SW7750-radius-cams] user-name-format with-domain
[SW7750-radius-cams] quit
# Associate the ISP domain with the RADIUS scheme.
[SW7750] domain system
[SW7750-isp-system] scheme local
A Telnet user logging into the switch with the name telnet@system belongs to the system domain and will be authenticated according to the configuration of the system domain.
Method 2: using a local RADIUS server
This method is similar to the remote authentication method described in “Remote RADIUS Authentication of Telnet/SSH Users” on page 537.
[SW7750-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[SW7750-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[SW7750-hwtacacs-hwtac] key accounting expert
[SW7750-hwtacacs-hwtac] key authentication expert
[SW7750-hwtacacs-hwtac] key authorization expert
[SW7750-hwtacacs-hwtac] user-name-format without-domain
[SW7750-hwtacacs-hwtac] quit
# Configure the domain name of the HWTACACS scheme to hwtac.
Symptom 3: The user passes authentication and is authorized, but the accounting information cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
■ The accounting port number is not properly set. Be sure to set the correct port number for RADIUS accounting.
Troubleshooting the HWTACACS Protocol
50 EAD CONFIGURATION
Introduction to EAD
Endpoint admission defense (EAD) is an attack defense solution that monitors endpoint admission. It enhances the active defense ability of endpoints and prevents viruses and worms from spreading on the network.
CHAPTER 50: EAD CONFIGURATION
software and install system patches. Figure 137 shows the typical network application of EAD.
Figure 137 Typical network application of EAD
The security client (software installed on the PC) checks the security status of a client that has just passed authentication, and interacts with the security policy server.
Table 428 EAD configuration
■ Enter RADIUS scheme view: radius scheme radius-scheme-name
■ Configure the RADIUS server type to extended: server-type extended (Optional). By default, the server type of a new RADIUS scheme is standard; the server type of the default RADIUS scheme “system” is extended.
■ Configure the IP address of the security policy server: security-policy-server ip-address
EAD Configuration Example
Network diagram
Figure 138 EAD configuration example (authentication servers 10.110.91.164/16; security policy servers and virus patch servers at 10.110.91.166/16 and 10.110.91.168/16; user attached through Eth2/0/1; Internet)
Configuration procedure
# Configure 802.1X on the switch. Refer to “802.1x Configuration” on page 399 for a detailed description.
# Configure the domain.
system-view
[SW7750] domain system
[SW7750-isp-system] quit
# Configure the RADIUS scheme.
51 TRAFFIC ACCOUNTING CONFIGURATION
Introduction to Traffic Accounting
The traffic accounting module mentioned in this chapter refers to the LS81VSNP I/O Module (line processing unit).
Related Concepts of Traffic Accounting
Implementation Process of Traffic Accounting
Some accounting servers, such as CAMS, can perform accounting for successfully authenticated 802.1x users based on time or traffic.
CHAPTER 51: TRAFFIC ACCOUNTING CONFIGURATION
Figure 139 Implementation process of traffic accounting (S7500 series switch with interface card, LS81VSNP LPU and SRPU; Layer 3 traffic mirroring; traffic statistics information; standard RADIUS protocol to CAMS)
The following details the traffic accounting procedure:
1 After a user passes 802.1x authentication, the user goes online.
2 The authenticator device acquires the online IP address of the user and starts accounting the traffic of the user.
Table 429 Configure the traffic accounting function
■ Configure the traffic accounting slot: traffic-accounting accounting-slot slot-num (Required)
■ The traffic accounting slot you specify must be the slot where the traffic accounting module resides.
■ You enter the traffic accounting view directly after the configuration succeeds.
■ By default, no traffic accounting slot is specified.
Displaying Traffic Accounting
Table 432 Display traffic accounting
■ Display traffic group information: display traffic-group [ group-name ]. You can execute the display traffic-accounting and display traffic-group commands in any view.
Traffic Accounting Configuration Example
[SW7750-isp-aaa] traffic-group somegroup rate 1
[SW7750-isp-aaa] quit
# Configure the traffic accounting module, specify the traffic collection module, and enable the traffic accounting function.
52 VRRP CONFIGURATION
VRRP Overview
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 141, in general:
■ A default route (for example, with next hop address 10.100.10.1, as shown in the following figure) is configured for every host on a network.
CHAPTER 52: VRRP CONFIGURATION
Figure 142 Virtual router (Master and Backup switches with actual IP addresses 10.100.10.2 and 10.100.10.3 sharing virtual IP address 10.100.10.1 on the Ethernet; Host 1 10.100.10.7, Host 2 10.100.10.8, Host 3 10.100.10.9)
The switches in a backup group have the following features:
■ This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group).
■ The virtual router IP address and the IP addresses used by the member switches in a backup group must belong to the same network segment. Otherwise, the backup group stays in the initial state (the state before VRRP is configured on the switches of the group) and VRRP does not take effect.
■ A backup group is removed when all its virtual router IP addresses are removed. In this case, all the configurations performed for the backup group are lost.
You can configure a Switch 7750 to operate in preemptive mode. You can also set a delay period: a backup switch waits for the delay period before becoming the master switch. The delay period addresses the following problem: in an unstable network, backup switches in a backup group may fail to receive packets from the master in time because of network congestion, even when the master operates properly. This causes the master of the backup group to be re-elected frequently.
if it does not receive a VRRP packet from the master for the period specified by the master-down-interval argument.
Configuring the VLAN interfaces/Ethernet ports to be tracked for a backup group
The VLAN interface/Ethernet port tracking function extends the backup group function. With this function enabled, backup is provided not only when the interface where the backup group resides fails, but also when other tracked interfaces/Ethernet ports become unavailable.
Table 434 Configure a virtual router IP address
■ Configure that the virtual IP address can be pinged: vrrp ping-enable (Optional). By default, the virtual IP address cannot be pinged.
■ Map the virtual router IP address to a MAC address: vrrp method { real-mac | virtual-mac } (Optional). By default, the virtual IP address of a backup group is mapped to a virtual MAC address.
■ Create a VLAN: vlan vlan-id
Displaying and Maintaining VRRP
After the above configuration, you can execute the display command in any view to view the VRRP configuration and verify the configuration effect. In user view, you can execute the reset command to clear the VRRP statistics and the debugging command to debug VRRP.
Network diagram
Figure 143 Network diagram for single-VRRP backup group configuration (LSW A VLAN-Interface2 202.38.160.1 and LSW B VLAN-Interface2 202.38.160.2 with virtual IP address 202.38.160.111; VLAN-Interface3 10.100.10.2 towards the Internet; Host A 202.38.160.3; Host B 10.2.3.1)
Configuration procedure
■ Configure Switch A.
# Configure VLAN 2.
# Configure the preemptive mode for the backup group.
[LSW-A-Vlan-interface2] vrrp vrid 1 preempt-mode
■ Configure Switch B.
# Configure VLAN 2.
system-view
[LSW-B] vlan 2
[LSW-B-vlan2] port Ethernet 1/0/5
[LSW-B-vlan2] quit
[LSW-B] interface Vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
[LSW-B-Vlan-interface2] quit
# Enable a backup group to respond to ping operations destined for its virtual router IP address.
Network diagram
Figure 144 Network diagram for interface tracking configuration (LSW A VLAN-Interface2 202.38.160.1 and LSW B VLAN-Interface2 202.38.160.2 with virtual IP address 202.38.160.111; VLAN-Interface3 10.100.10.2 towards the Internet; Host A 202.38.160.3; Host B 10.2.3.1)
Configuration procedure
■ Configure Switch A.
# Configure VLAN 2.
# Set the authentication type for the backup group to md5, and the password to abc123.
[LSW-A-Vlan-interface2] vrrp vrid 1 authentication-mode md5 abc123
# Configure the master switch to send VRRP packets once every 5 seconds.
[LSW-A-Vlan-interface2] vrrp vrid 1 timer advertise 5
# Set the tracked VLAN interface.
[LSW-A-Vlan-interface2] vrrp vrid 1 track interface Vlan-interface 3 reduced 30
■ Configure Switch B.
# Configure VLAN 2.
2 and a backup switch in backup group 1. Some hosts in the network use virtual router 1 as their gateway, while others use virtual router 2. In this way, both load balancing and mutual backup are implemented.
Network diagram
Figure 145 Network diagram for multiple-VRRP backup group configuration (Switch A VLAN-Interface2 202.38.160.1 and Switch B VLAN-Interface2 202.38.160.; VLAN-Interface3 10.100.10.2 towards the Internet; Host B 10.2.3.1)
# Configure VLAN 2.
system-view
[LSW-B] vlan 2
[LSW-B-vlan2] port Ethernet 1/0/6
[LSW-B-vlan2] quit
[LSW-B] interface Vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
# Create backup group 1.
[LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Create backup group 2.
[LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
# Set the priority for backup group 2.
Symptom 3: The VRRP state of a switch changes repeatedly
Such problems occur when the backup group timer duration is too short. They can be solved by prolonging the duration or configuring the preemption delay period.
53 HA CONFIGURATION
HA Overview
The Switch 7758 supports the high availability (HA) feature. This feature achieves high availability of the system and recovers the system as soon as possible in the event of failures, so as to shorten the mean time between failures (MTBF) of the system. The functions of HA are mainly implemented by the application running on the Fabric module.
CHAPTER 53: HA CONFIGURATION
HA Configuration
HA Configuration Overview
Table 438 HA configuration tasks overview
■ Set the slave module restart manually (Required): “Setting the Slave Module Restart Manually” on page 568
■ Perform the master-slave switchover manually (Required): “Performing the Master-Slave Switchover Manually” on page 568
■ Enable automatic synchronization (Required): “Enabling Automatic Synchroniza
Setting the Slave Module Restart Manually
Table 440 Perform the master-slave switchover manually
■ Perform the master-slave switchover manually: slave switchover (Optional)
Enabling Automatic Synchronization
The Switch 7758 supports automatic synchronization.
Displaying HA
54 ARP CONFIGURATION
Introduction to ARP
Necessity of ARP
Address Resolution Protocol (ARP) maps network layer protocol addresses (IP addresses) to the corresponding data link layer hardware addresses (MAC addresses). Network devices identify Layer 2 MAC addresses directly rather than Layer 3 IP addresses. For a Layer 3 packet to be received by its destination host, it must carry the MAC address of the destination host.
ARP Packet Format
CHAPTER 54: ARP CONFIGURATION Table 444 Field descriptions of an ARP packet Field Description Protocol type Type of the protocol address to be mapped. For IP address, the value of this field is 0x0800.
Introduction to ARP 573 Table 446 Field descriptions of an ARP table ARP Implementation Field Description Type Entry type, which can be: ■ 1: Not any of the following ■ 2: Invalid entry ■ 3: Dynamic entry ■ 4: Static entry The ARP table of a host is empty when the host just starts up. When a dynamic ARP entry has not been used for a specific time period, it is removed from the ARP table. The purpose of this is to save memory space and update the entries in the ARP table.
CHAPTER 54: ARP CONFIGURATION With gratuitous ARP learning enabled on a device, each time the device receives a gratuitous ARP packet, the device updates the ARP entry matching the packet in the cache (if exists) by using the hardware address of the sender carried in the gratuitous ARP packet. Overview of gratuitous ARP update interval When ARP aging timer expires, some hosts in the network directly delete the ARP entries learned dynamically, incapable of updating ARP entries actively.
Configuring ARP Introduction to ARP Packet Rate Limit 575 If an attacker sends a large number of ARP packets to a port of a switch, the CPU will get overloaded, causing other functions to fail, and even the whole device to break down. To guard against such attacks, Switch 7750 Ethernet switches support the ARP packets rate limit function, which can disable the attacked port from receiving any packet temporarily, thus preventing serious impact on the CPU.
CHAPTER 54: ARP CONFIGURATION Configuration Tasks Adding a Static ARP Entry Manually c Configuring the Maximum Number of ARP Entries that Can Be Learnt Table 448 ARP configuration tasks Configuration task Description Related section Add a static ARP entry manually Optional “Adding a Static ARP Entry Manually” on page 576 Configure the maximum number of ARP entries that can be learnt Optional “Configuring the Maximum Number of ARP Entries that Can Be Learnt” on page 576 Configure the aging
Configuring ARP 577 Table 450 Configure the maximum number of ARP entries that can be learnt on a port Configuring the Aging Time for Dynamic ARP Entries Configuring ARP Entry Checking Operation Command Description Enter port view interface interface-type interface-number - Configure the maximum number of dynamic ARP entries that can be learnt by the port arp max-dynamic-entry number Optional Table 451 Configure the aging time for dynamic ARP entries Operation Command Description Enter syst
CHAPTER 54: ARP CONFIGURATION Configuring Gratuitous ARP Configuring Gratuitous ARP Learning Table 454 Enable gratuitous ARP learning Operation Command Description Enter system view system-view - Enable gratuitous ARP learning gratuitous-arp-learning enable Required Disabled by default.
Displaying and Maintaining ARP Configuration 579 Table 457 Configure the ARP packet rate limit function Configuring ARP Source Suppression Operation Command Description Configure the maximum ARP packet receive rate on the port arp rate-limit rate Optional Configure the port state auto-recovery interval arp protective-down recover interval time Optional Configure the port as a trusted port for ARP packet rate limit arp rate-limit trust Optional By default, the maximum ARP packet receive rate
CHAPTER 54: ARP CONFIGURATION Table 459 Display and maintain ARP configuration Operation Command Description Display ARP attack information display arp attack-list You can execute the display command in any view.
ARP Configuration Example ARP Packet Rate Limit Configuration Example 581 Network requirements As shown in Figure 147, Ethernet 2/0/1 of Switch A connects to DHCP Server; Ethernet 2/0/2 connects to Client A, Ethernet 2/0/3 connects to Client B. Ethernet 2/0/1, Ethernet 2/0/2 and Ethernet 2/0/3 belong to VLAN 1. ■ Enable DHCP snooping on Switch A and specify Ethernet 2/0/1 as the trusted port for DHCP snooping and ARP packet rate limit.
CHAPTER 54: ARP CONFIGURATION [SwitchA] arp protective-down recover interval 200
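The rate limit, protective-down and auto-recovery behaviour described above, simulated in Python as an added example (not 3Com code); the one-second counting window, the event names and the sample traffic are assumptions:

```python
"""Simulation of the ARP packet rate limit behaviour the guide describes:
a per-port maximum ARP receive rate (arp rate-limit), a protective-down
state that stops an over-limit port from receiving packets, an automatic
recovery interval (arp protective-down recover interval), and trusted
ports that are never shut down (arp rate-limit trust).

Added example, not code from the 3Com guide. The one-second counting
window, the event names and the sample traffic are assumptions/constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortState:
    rate_limit: int                     # max ARP packets per second on the port
    trusted: bool = False               # trusted ports are exempt from shutdown
    window: int = -1                    # current one-second window (whole seconds)
    count: int = 0                      # ARP packets seen in that window
    down_until: Optional[float] = None  # protective-down until this time


class ArpRateLimiter:
    def __init__(self, recover_interval: int) -> None:
        self.recover_interval = recover_interval   # seconds until auto-recovery
        self.ports: Dict[str, PortState] = {}
        self.events: List[Tuple[float, str, str]] = []

    def configure(self, port: str, rate_limit: int, trusted: bool = False) -> None:
        self.ports[port] = PortState(rate_limit=rate_limit, trusted=trusted)

    def receive(self, ts: float, port: str) -> bool:
        """Process one ARP packet arriving at time ts; True if it is accepted."""
        st = self.ports[port]
        if st.down_until is not None:
            if ts < st.down_until:
                return False                  # port is shut: drop everything
            st.down_until = None              # recovery interval has elapsed
            st.count = 0
            self.events.append((ts, port, "recovered"))
        window = int(ts)
        if window != st.window:               # start a new one-second window
            st.window = window
            st.count = 0
        st.count += 1
        if st.count > st.rate_limit and not st.trusted:
            st.down_until = ts + self.recover_interval
            self.events.append((ts, port, "protective-down"))
            return False
        return True


# Constructed traffic: (arrival time in seconds, ingress port). Ethernet2/0/1
# is the trusted server-side port, as in the guide's configuration example.
SAMPLE_TRAFFIC = (
    [(5.0 + i * 0.001, "Ethernet2/0/1") for i in range(150)]   # burst on trusted port
    + [(10.0 + i * 0.01, "Ethernet2/0/2") for i in range(30)]  # burst, limit is 20
    + [(100.0, "Ethernet2/0/2"), (215.0, "Ethernet2/0/2")]     # during and after shutdown
)


def simulate(traffic, recover_interval: int = 200):
    """Run the traffic through a limiter; return (accepted count, events)."""
    lim = ArpRateLimiter(recover_interval)
    lim.configure("Ethernet2/0/1", rate_limit=100, trusted=True)
    lim.configure("Ethernet2/0/2", rate_limit=20)
    accepted = sum(1 for ts, port in traffic if lim.receive(ts, port))
    return accepted, lim.events


if __name__ == "__main__":
    total, events = simulate(SAMPLE_TRAFFIC)
    print("accepted:", total)
    for ts, port, what in events:
        print(f"t={ts:7.2f} {port}: {what}")
```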
55 PROXY ARP CONFIGURATION
Proxy ARP Overview
Proxy ARP allows hosts that have IP addresses on the same network segment but reside on different physical networks to communicate with each other through ARP.
Figure 148 Work mechanism of proxy ARP (figure: Host A, Host B, Host C and Host D attached to a switch through Vlan-int3, 192.168.0.27/24, and Vlan-int4, 192.168.1.27/24; the hosts carry /16 addresses on the 192.168.0.0 and 192.168.1.0 segments)
CHAPTER 55: PROXY ARP CONFIGURATION
VLAN-interface 3 of the switch, and then the switch routes the packets to Host D, so as to realize Layer 3 connectivity between Host A and Host D.
Proxy ARP is needed in the following cases (hosts have IP addresses of the same network segment).
■ For hosts in different VLANs on a Switch 7750 to communicate, you need to enable proxy ARP on the VLAN interfaces.
Configuring Proxy ARP
Proxy ARP Configuration Example 585
■ Configure the IP address of VLAN-interface 3 as 192.168.0.27/24, and that of VLAN-interface 4 as 192.168.1.27/24.
■ Enable proxy ARP on VLAN-interface 3 and VLAN-interface 4 to allow Host A and Host D to communicate with each other through ARP.
Network diagram
Figure 149 Network diagram for proxy ARP (figure: Host A and Host B on the 192.168.0.0/16 side behind Vlan-int3, 192.168.0.27/24; Host C and Host D on the 192.168.1.0/16 side behind Vlan-int4, 192.168.1.27/24)
■ Create Sub-VLANs (VLAN 2 and VLAN 3).
■ Ethernet 2/0/2 belongs to VLAN 2 and Ethernet 2/0/3 belongs to VLAN 3.
■ Enable proxy ARP on VLAN-interface 10 to allow Host A (in VLAN 2) and Host B (in VLAN 3) to communicate with each other through ARP.
Network diagram
Figure 150 Network diagram for ARP in super VLAN (figure: Switch with Super VLAN 10 and Vlan-int10, 192.168.10.100/16; Eth2/0/2 in Sub VLAN 2 to Host A, Eth2/0/3 in Sub VLAN 3 to Host B; host addresses in 192.168.10.0/16)
Proxy ARP Configuration Example 587
■ Enable proxy ARP on Switch A to allow Host A (in VLAN 2) and Host B (in VLAN 3) to communicate with each other through ARP.
Network diagram
Figure 151 Network diagram for proxy ARP configuration in isolate-user-vlan (figure: Switch A with Eth2/0/1 and Vlan-int5, 192.168.0.100/16; Switch B with Eth2/0/1 in VLAN 5, Eth2/0/2 in VLAN 2 and Eth2/0/3 in VLAN 3; Host A and Host B with 192.168.10.0/16 addresses, one of them 192.168.10.99/16)
[SwitchA-Vlan-interface5] arp proxy enable
[SwitchA-Vlan-interface5] arp proxy source-vlan enable
[SwitchA-Vlan-interface5] quit
56 DHCP OVERVIEW
Introduction to DHCP
As networks grow larger and more complex, a shortage of available IP addresses has become a common problem for network administrators, and network configuration has become a demanding task. With the emergence of wireless networks and the use of laptops, hosts that change location and IP address frequently also call for new technology.
CHAPTER 56: DHCP OVERVIEW
■ Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires. This policy applies to most clients.
Obtaining IP Addresses Dynamically
DHCP Packet Format 591
of the BOOTP packets. The following table describes the packet format (the number in brackets indicates the field length, in bytes; each row is 32 bits wide):
Figure 153 Format of DHCP packets
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
The field meanings are illustrated as follows:
■ op: Operation type of the DHCP packet: 1 for request packets and 2 for response packets.
DHCP Packet Processing Modes
After the DHCP server is enabled on a device, the device processes the DHCP packets received from a DHCP client in one of the following three modes, depending on your configuration:
■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.
57 DHCP SERVER CONFIGURATION
Introduction to DHCP Server
Usage of DHCP Server
Generally, DHCP servers are used to assign IP addresses in the following networks:
■ Large networks, where manual configuration is a heavy burden and makes it difficult to manage the whole network centrally.
■ Networks where the number of available IP addresses is less than the number of hosts.
DHCP Address Pool
CHAPTER 57: DHCP SERVER CONFIGURATION
segment or some subnets (such as a domain name), you just need to configure them on the network segment or the corresponding subnets. The details of configuration inheritance are as follows.
1 A newly created child address pool inherits the configurations of its parent address pool.
Global Address Pool-Based DHCP Server Configuration 595
Table 461 Global address pool-based DHCP server configuration tasks
Configuration task | Description | Related section
Configure how to assign IP addresses in a global address pool: configure to assign IP addresses by static binding, or configure to assign IP addresses dynamically | One of these two options is required. Only one mode can be selected for the same global address pool.
Enabling DHCP
Configuring How to Assign IP Addresses in a Global Address Pool
You can bind an IP address in a global address pool statically to a DHCP client, or assign IP addresses in the pool dynamically to DHCP clients as needed. In a global address pool, you can bind an IP address statically to a DHCP client and assign other IP addresses in the pool dynamically to DHCP clients.
Global Address Pool-Based DHCP Server Configuration 597
To avoid IP address conflicts, the IP addresses dynamically assigned to DHCP clients are those not occupied by specific network devices (such as gateways and FTP servers).
The lease time can differ between address pools, but all IP addresses in the same address pool share the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.
Table 466 Configure DNS services for the DHCP server
Operation | Command | Description
Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created
Configure a domain name for DHCP clients | domain-name domain-name | Required. By default, no domain name is configured for DHCP clients
Configure DNS server addresses for DHCP clients
Configuring NetBIOS Services for the DHCP Server
Global Address Pool-Based DHCP Server Configuration 599
Table 467 Configure NetBIOS services for the DHCP server
Operation | Command | Description
Configure WINS server addresses for DHCP clients | nbns-list ip-address&<1-8> | Required. By default, no WINS server address is configured
Configure DHCP clients to be of a specific NetBIOS node type | netbios-type { b-node | h-node | m-node | p-node } | Optional. By default, no NetBIOS node type of the DHCP client is specified and a DHCP clie
Customizing DHCP Service
Interface Address Pool-Based DHCP Server Configuration
CAUTION: In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global address pool containing the segment of the interface address pool and assigns them to the DHCP clients.
Interface Address Pool-Based DHCP Server Configuration 601
Table 470 Interface address pool-based DHCP server configuration tasks
Configuration task | Description | Related section
Customize DHCP service | Optional | “Customizing DHCP Service” on page 605
Enabling DHCP
You need to enable DHCP before performing DHCP configurations. DHCP-related configurations are valid only when DHCP is enabled.
Table 473 Configure to assign IP addresses by static binding
Operation | Command | Description
Enter interface view | interface interface-type interface-number | -
Configure static binding | dhcp server static-bind ip-address ip-address mac-address mac-address | Required. By default, static binding is not configured
■ There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface a
Interface Address Pool-Based DHCP Server Configuration 603
Table 474 Configure to assign IP addresses dynamically
Operation | Command | Description
Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for dynamic assignment.
■ The dhcp server forbidden-ip command can be executed repeatedly.
Configuring DNS Services for the DHCP Server
Table 475 Configure DNS services for the DHCP server
Operation | Command | Description
Configure DNS server addresses for DHCP clients | Configure the current interface: interface interface-type interface-number | Required. By default, no DNS server address is configured.
Interface Address Pool-Based DHCP Server Configuration 605
Table 476 Configure NetBIOS services for the DHCP server
Operation | Command | Description
Configure the WINS server address for DHCP clients | Configure the current interface: interface interface-type interface-number; dhcp server nbns-list ip-address&<1-8>; quit | Required. By default, no WINS server address is configured
Configure the WINS server address for DHCP clients | Configure multiple interfaces in system view: dhcp server nbns-list ip-address&<1
Configure NetBIOS node types for DHCP clients
DHCP Security Configuration
DHCP security configuration is needed to ensure the security of the DHCP service.
Configuration Prerequisites
Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).
Configuring Private DHCP Server Detecting
A private DHCP server on a network also answers IP address request packets and assigns IP addresses to DHCP clients.
Displaying and Maintaining a DHCP Server 607
Displaying and Maintaining a DHCP Server
After the above configuration, execute the display command in any view to display and verify the DHCP server configuration. Execute the reset command in user view to clear DHCP server configuration information.
The DHCP settings of the 10.1.1.0/25 network segment are as follows:
■ Lease time: 10 days plus 12 hours
■ Domain name: aabbcc.com
■ DNS server: 10.1.1.2
■ WINS server: none
■ Gateway: 10.1.1.126
The DHCP settings of the 10.1.1.128/25 network segment are as follows:
■ Lease time: 5 days
■ Domain name: aabbcc.com
■ DNS server: 10.1.1.2
■ WINS server: 10.1.1.4
■ Gateway: 10.1.1.
Troubleshooting a DHCP Server 609
Configuration procedure
1 Configure a VLAN and add a port to this VLAN, and then configure the IP address of the VLAN interface (omitted).
2 Configure DHCP service.
# Enable DHCP.
system-view
[SW7750] dhcp enable
# Configure the IP addresses that are not dynamically assigned (that is, the IP addresses of the DNS server, WINS server, and gateways).
Solution
■ Disconnect the DHCP client from the network, then check whether another host is using the conflicting IP address by pinging that address from another host on the network with a sufficiently long timeout.
■ If the ping receives a response, the IP address has been manually configured on a host.
58 DHCP RELAY AGENT CONFIGURATION
Introduction to DHCP Relay Agent
Usage of DHCP Relay Agent
Because the packets exchanged while obtaining IP addresses are broadcast, DHCP is applicable only when DHCP clients and DHCP servers are on the same network segment; that is, you would need to deploy at least one DHCP server for each network segment, which is far from economical. The DHCP relay agent is designed to address this problem.
CHAPTER 58: DHCP RELAY AGENT CONFIGURATION
forwarding process of the DHCP relay agent. For the interaction process of the packets, see “Obtaining IP Addresses Dynamically” on page 590.
1 The DHCP client broadcasts the DHCP-DISCOVER packet.
2 After receiving the packet, the network device providing the DHCP relay agent function unicasts the packet to the designated DHCP server based on its configuration.
Configuring DHCP Relay Agent 613
Mechanism of option 82 support on the DHCP relay agent
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly. The mechanism of option 82 support on the DHCP relay agent is as follows.
1 A DHCP client broadcasts a request packet when it starts up.
Table 481 DHCP relay agent configuration tasks
Configuration task | Description | Related section
Configure a DHCP relay agent to broadcast responses to clients | Optional | “Configuring a DHCP Relay Agent to Broadcast Responses to Clients” on page 615
Specify gateways for DHCP clients | Optional | “Specifying Gateways for DHCP Clients” on page 615
Specify source IP address of uplink packets | Optional | “Specifying the Source IP Address of Uplink
Enabling DHCP
Configuring DHCP Relay Agent 615
Table 483 Configure an interface to operate in DHCP relay agent mode
Operation | Command | Description
Map an interface to a DHCP server group | interface interface-type interface-number; dhcp-server groupNo | Required. By default, a VLAN interface is not mapped to any DHCP server group
■ You can configure up to eight external DHCP IP addresses in a DHCP server group.
Configuring a DHCP Relay Agent to Broadcast Responses to Clients
address of the VLAN interface (connecting to the client) into the giaddr field of the message. The DHCP server then assigns the client an IP address on the same network segment as that gateway IP address. Thus, clients connected to different ports in one VLAN may get IP addresses on different network segments.
Configuring DHCP Relay Agent 617
However, if two equal-cost uplinks to the DHCP server exist, the packets from a client may carry different source IP addresses, so some of them may fail the validity check. Switch 7750 Ethernet switches support specifying the source IP address of uplink packets. With this feature enabled on the relay agent, the source IP address of a client’s packet forwarded to the D DHCP server is the IP address of the receiving interface.
Specifying address checking fields
Once the address checking function is enabled, Switch 7750 Ethernet switches by default check the IP address, MAC address, VLAN ID, and port number of a DHCP client. The DHCP client can access external networks only after an entry matching all four fields is found in the client address table. You can exclude some fields (MAC address, VLAN ID, or port number) from address checking as needed.
Configuring DHCP Relay Agent 619
This configuration takes effect only after the address checking function of the DHCP relay agent is enabled on the VLAN interface.
Configuring whether to allow freely-connected clients to pass the DHCP security check
A freely-connected client is a client whose IP address and MAC address are not in the DHCP security table.
Displaying and Maintaining DHCP Relay Agent
After the above configuration, execute the display command in any view to display and verify the DHCP relay agent configuration. Execute the reset command in user view to clear the statistics of the specified DHCP server group.
Troubleshooting DHCP Relay Agent 621
# Enable DHCP.
[SW7750] dhcp enable
# Create DHCP server group 1 and configure an IP address of 202.38.1.2 for it.
[SW7750] dhcp-server 1 ip 202.38.1.2
# Map VLAN-interface 2 to DHCP server group 1.
[SW7750] interface Vlan-interface 2
[SW7750-Vlan-interface2] dhcp-server 1
# Configure an IP address for VLAN-interface 2, so that this interface is on the same network segment as the DHCP clients.
[SW7750-Vlan-interface2] ip address 10.110.1.1 255.255.0.
59 DHCP SNOOPING CONFIGURATION
Configuring DHCP Snooping
Introduction to DHCP Snooping
For security reasons, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of those clients.
■ Layer 3 switches can track DHCP client IP addresses through a DHCP relay agent.
CHAPTER 59: DHCP SNOOPING CONFIGURATION
Figure 157 Typical network diagram for DHCP snooping application (figure: DHCP Server, Internet, Switch A (DHCP Snooping) and Switch B (DHCP Relay), with DHCP clients attached to both switches)
Figure 158 illustrates the interaction between a DHCP client and a DHCP server.
Configuring DHCP Snooping 625
■ sub-option 1 (circuit ID sub-option): padded with the port index (the physical port number minus 1) and the VLAN ID of the port that received the client’s request.
■ sub-option 2 (remote ID sub-option): padded with the bridge MAC address of the DHCP snooping device that received the client’s request.
By default, when Switch 7750s serve as DHCP snooping devices, Option 82 adopts the extended format.
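The packet layout of Figure 153 (page 591) and the Option 82 sub-options just described, worked through in Python as an added example (not code from the guide); the circuit ID byte layout and the sample packet are assumptions, and the magic cookie and option 53 values come from RFC 2132 rather than from this page:

```python
"""Parser for the DHCP packet layout of Figure 153 and for the Option 82
sub-options described under DHCP snooping (sub-option 1 circuit ID,
sub-option 2 remote ID). Added example, not code from the 3Com guide.
The magic cookie and option 53 come from RFC 2132; the circuit ID byte
layout (2-byte VLAN ID, 2-byte port index) and the sample packet are
assumptions/constructed data.
"""
import struct
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2132: start of the options field
OPT_MESSAGE_TYPE, OPT_RELAY_AGENT = 53, 82
# Figure 153: op, htype, hlen, hops (1 byte each), xid (4), secs (2), flags (2),
# ciaddr, yiaddr, siaddr, giaddr (4 each), chaddr (16), sname (64), file (128)
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes, then options


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _mac(raw: bytes) -> str:
    """3Com-style notation, e.g. 0011-0011-0011."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_tlvs(data: bytes, pad_end: bool) -> Dict[int, bytes]:
    """Walk code/length/value triples. With pad_end, code 0 is a Pad with no
    length byte and 255 is End (DHCP options); sub-options have neither."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:
            break
        if pad_end and code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("TLV header truncated")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {code} truncated")
        out[code] = out.get(code, b"") + value     # join repeated codes
        i += 2 + length
    return out


def parse_dhcp(packet: bytes) -> dict:
    """Split the fixed header from the options; raise on malformed input."""
    if len(packet) < FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file_) = FIXED.unpack_from(packet)
    if op not in (1, 2) or hlen > 16:
        raise ValueError("bad op or hlen")
    body = packet[FIXED.size:]
    if not body.startswith(MAGIC_COOKIE):
        raise ValueError("options field does not start with the magic cookie")
    return {
        "op": "request" if op == 1 else "response",
        "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "flags": flags, "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": _mac(chaddr[:hlen]),
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": file_.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": parse_tlvs(body[len(MAGIC_COOKIE):], pad_end=True),
    }


def parse_option82(value: bytes) -> dict:
    """Circuit ID -> VLAN ID and port index (the guide: index = physical port
    number minus 1); remote ID -> bridge MAC of the snooping device."""
    subs = parse_tlvs(value, pad_end=False)
    info: dict = {}
    if len(subs.get(1, b"")) == 4:
        vlan_id, port_index = struct.unpack("!HH", subs[1])
        info.update(vlan_id=vlan_id, port_index=port_index,
                    physical_port=port_index + 1)
    if len(subs.get(2, b"")) == 6:
        info["remote_id_mac"] = _mac(subs[2])
    return info


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER as forwarded by a snooping device: client MAC
    000e-1233-3434, Option 82 with VLAN 1 / port index 1 (physical port 2)
    and remote ID 0000-0eaa-bbcc (a made-up bridge MAC)."""
    chaddr = bytes.fromhex("000e12333434").ljust(16, b"\x00")
    header = FIXED.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, bytes(4), bytes(4),
                        bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    opt82 = (bytes([1, 4]) + struct.pack("!HH", 1, 1)
             + bytes([2, 6]) + bytes.fromhex("00000eaabbcc"))
    return (header + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, 1])
            + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82 + b"\xff")
```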
Mechanism of DHCP-snooping Option 82
With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client’s request that already contains Option 82, it handles the packet according to the handling policy and the configured sub-option contents. For details, see Table 495.
Table 495 Ways of handling a DHCP packet with Option 82
Handling policy | Sub-option configuration | The DHCP Snooping device will...
Configuring DHCP Snooping 627
There are two types of DHCP requests from DHCP clients, namely DHCP_DISCOVER and DHCP_REQUEST messages. Since some DHCP servers process Option 82 in DHCP_DISCOVER messages while others process Option 82 in DHCP_REQUEST messages, the DHCP snooping device adds Option 82 to both types of DHCP requests.
Introduction to IP Filtering
DHCP Snooping Configuration
Configuring DHCP Snooping
Table 497 Configure the DHCP snooping function
Operation | Command | Description
Enter system view | system-view | -
Enable the DHCP snooping function | dhcp-snooping | Required. By default, the DHCP snooping function is disabled
Enter Ethernet port view | interface interface-type interface-number | -
Set the port connected to a DHCP server to a trusted port | dhcp-snooping trust | Required. By default, all por
DHCP Snooping Configuration 629
Table 498 DHCP-snooping Option 82 support configuration tasks
Configuration task | Description | Related section
Configure the circuit ID sub-option | Optional | “Configuring DHCP Snooping to Support Option 82” on page 628; “Configuring the circuit ID sub-option” on page 630
Configure the remote ID sub-option | Optional | “Configuring DHCP Snooping to Support Option 82” on page 628; “Configuring the remote ID sub-option” on page 630
Configure the padding format for Option 82 | Op
Configuring the storage format of Option 82
The Switch 7750 supports the HEX or ASCII format for the Option 82 field.
Table 501 Configure a storage format for the Option 82 field
Operation | Command | Description
Enter system view | system-view | -
Configure a storage format for the Option 82 field | dhcp-snooping information format { hex | ascii } | Optional. By default, the format is hex.
DHCP Snooping Configuration 631
Table 503 Configure the remote ID sub-option in Option 82
Operation | Command | Description
Enter system view | system-view | -
Configure the remote ID sub-option in system view | dhcp-snooping information remote-id { sysname | string string } | Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP client’s request.
Table 505 Configure IP filtering
Operation | Command | Description
Create a static binding | ip source static binding ip-address ip-address [ mac-address mac-address ] | Optional. By default, no static binding entry is created.
■ Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering.
■ Configuring IP filtering on the ports of an aggregation group is not recommended.
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Example 633
Network diagram
Figure 163 DHCP-Snooping configuration (figure: DHCP Server, Internet, Switch A (DHCP Snooping) with ports Eth2/0/1 and Eth2/0/2, Switch B (DHCP Relay), with DHCP clients attached to both switches)
Configuration procedure
Perform the following configuration on the DHCP-Snooping-enabled Switch A.
# Enter system view.
system-view
# Enable the DHCP snooping function.
[SW7750] dhcp-snooping
# Enable DHCP-Snooping option 82.
Network diagram
Figure 164 Network diagram for DHCP-snooping Option 82 support configuration (figure: DHCP Server on Eth2/0/5 of the DHCP-Snooping switch; Client A, Client B and Client C attached to ports Eth2/0/1, Eth2/0/2 and Eth2/0/3)
Configuration procedure
# Enable DHCP snooping on the switch.
system-view
[Switch] dhcp-snooping
# Specify Ethernet 2/0/5 as the trusted port.
DHCP Snooping Configuration Example 635
■ Enable DHCP snooping on the switch, and specify Ethernet 2/0/1 as the DHCP snooping trusted port.
■ Enable IP filtering on Ethernet 2/0/2, Ethernet 2/0/3, and Ethernet 2/0/4 to prevent attacks on the server from clients using spoofed source IP addresses.
■ Create static binding entries on the switch, so that Host A, which uses a fixed IP address, can access external networks.
[Switch] interface Ethernet2/0/2
[Switch-Ethernet2/0/2] ip source static binding ip-address 1.1.1.
60 ACL CONFIGURATION
ACL Overview
Type A I/O Modules refer to the following: 3C16860, 3C16861, LS81FS24A, 3C16858, 3C16859, 3C16860, 3C16861, LS81FS24, 3C16858, and 3C16859.
An access control list (ACL) is used primarily to identify traffic flows. To filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered.
CHAPTER 60: ACL CONFIGURATION
ACL referenced by the upper-level modules
The switch also uses ACLs to filter packets processed by software and to implement traffic classification. In this case, there are two match orders for the rules in an ACL: config (user-defined match order) and auto (the system orders the rules automatically, according to the “depth-first” order). In this scenario, you can specify the match order for the rules in an ACL.
Choosing ACL Mode for Traffic Flows 639
Layer 2 ACL depth-first order
With the depth-first rule adopted, the rules of a Layer 2 ACL are matched in the order of the mask lengths of the source MAC address and destination MAC address. The longer the mask, the higher the match priority. If two mask lengths are the same, the rule configured earlier has the higher priority.
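The depth-first ordering rule above, carried out in Python as an added example (not 3Com code); summing the set bits of the source and destination masks, and the sample rules, are assumptions:

```python
"""Depth-first ("auto") ordering of Layer 2 ACL rules as the guide states it:
the rule whose source/destination MAC masks are longer is matched first,
and equal mask lengths fall back to configuration order. Added example,
not 3Com code. Combining the two masks by counting their set bits, and
the sample rules and MACs, are assumptions/constructed data.
"""
from dataclasses import dataclass
from typing import List, Optional

ALL_ONES = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Accept 3Com-style 0011-0011-0011 as well as colon-separated MACs."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class L2Rule:
    rule_id: int                      # lower id = configured earlier
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # None = match any source MAC
    src_mask: Optional[str] = None    # None with src set = exact match
    dst: Optional[str] = None
    dst_mask: Optional[str] = None

    def _masks(self):
        """Yield (address, integer mask) for source then destination."""
        for addr, mask in ((self.src, self.src_mask), (self.dst, self.dst_mask)):
            if addr is None:
                yield None, 0
            else:
                yield addr, ALL_ONES if mask is None else mac_to_int(mask)

    def mask_bits(self) -> int:
        """Total set bits across the source and destination masks."""
        return sum(bin(m).count("1") for _, m in self._masks())

    def matches(self, src: str, dst: str) -> bool:
        for (addr, mask), packet in zip(self._masks(), (src, dst)):
            if addr is None:
                continue
            if (mac_to_int(packet) & mask) != (mac_to_int(addr) & mask):
                return False
        return True


def order_rules(rules: List[L2Rule], match_order: str = "auto") -> List[L2Rule]:
    """config: configuration order; auto: depth-first (longest masks first,
    ties broken by the earlier-configured rule)."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    return sorted(rules, key=lambda r: (-r.mask_bits(), r.rule_id))


def first_match(rules, src, dst, match_order="auto") -> Optional[L2Rule]:
    """The rule that decides the frame: the first hit in the chosen order."""
    for rule in order_rules(rules, match_order):
        if rule.matches(src, dst):
            return rule
    return None


# Constructed rule set: an OUI-wide deny configured first, an exact-MAC permit
# configured second, a catch-all deny, and an exact-destination deny.
SAMPLE_RULES = [
    L2Rule(0, "deny", src="0011-0000-0000", src_mask="ffff-ff00-0000"),
    L2Rule(1, "permit", src="0011-0011-0011", src_mask="ffff-ffff-ffff"),
    L2Rule(2, "deny"),
    L2Rule(3, "deny", dst="0022-0022-0022", dst_mask="ffff-ffff-ffff"),
]
```

Under config order the OUI-wide deny (rule 0) hides the later exact permit; under depth-first order the 48-bit rules are tried first, so the same frame is permitted.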
CHAPTER 60: ACL CONFIGURATION system-view [SW7750] acl mode link-based [SW7750] display acl mode The current acl mode: link-based. Specifying the Matching Order of ACL Rules Sent to a Port Configuration Procedure The acl match-order { config | auto } command is used to set the matching order of ACL rules when they are referenced by softwares. While the acl order command is used to set the matching order of ACL rules after they are applied to hardware).
Defining Basic ACLs 641 Table 509 Configure a time range Operation Command Display a time range or all the display time-range { all | time ranges time-name } Description Optional This command can be executed in any view. Note that: Configuration Example ■ If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.
CHAPTER 60: ACL CONFIGURATION Table 510 Define a basic ACL rule Operation Command Description Create or enter basic ACL view Required acl { number acl-number | name acl-name [ advanced | By the default, the match basic | link | user ] } order is config.
Defining Advanced ACLs Configuration Preparation 643 Before configuring an ACL rule containing time range arguments, you need to configure define the corresponding time ranges. For the configuration of time ranges, refer to “Configuring Time Ranges” on page 640. The values of source and destination IP addresses, the type of the protocols carried by IP, and protocol-specific features in the rule have been defined.
CHAPTER 60: ACL CONFIGURATION Table 512 Rule information n Parameter Type Function Description tos tos Packet precedence ToS priority Value range: 0 to 15 dscp dscp Packet precedence DSCP priority Value range: 0 to 63 fragment Fragment information Specifies that the ACL rule is effective for non-initial fragment packets time-range time-name Time range information Specifies the time range in which the ACL rule is active - sour-wildcard and dest-wildcard represent the wildcard masks
Defining Advanced ACLs 645 Table 514 Description of IP precedence value Keyword IP Precedence value in decimal IP Precedence value in binary routine 0 000 priority 1 001 immediate 2 010 flash 3 011 flash-override 4 100 critical 5 101 internet 6 110 network 7 111 To define the ToS value, you can directly input a value ranging from 0 to 15, or input a keyword listed in the following table.
CHAPTER 60: ACL CONFIGURATION n Only Type A I/O Modules support the “range” operation on the TCP/UDP port.
Defining Layer 2 ACLs ■ 647 The content of a newly created rule must not be identical with the content of any existing rule; otherwise the rule creation will fail, and the system will prompt that the rule already exists. If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically. Configuration Example # Configure ACL 3000 to permit TCP packets to pass.
CHAPTER 60: ACL CONFIGURATION Table 520 Rule information Parameter Type Function Description protocol-type Protocol type Defines the protocol type over Ethernet frames protocol-type: the value can be ip, arp, rarp, ipx, nbx, pppoe-control, or pppoe-data. format-type Link layer encapsulation type Defines the link layer format-type: the value encapsulation type in can be 802.3/802.2, the rule 802.3, ether_ii, or snap.
Defining User-Defined ACLs 649 Table 521 Description of CoS value Keyword CoS value in decimal CoS value in binary video 5 101 voice 6 110 network-management 7 111 In the case that you specify the rule ID when defining a rule: ■ If the rule corresponding to the specified rule ID already exists, you will edit the rule, and the modified part in the rule will replace the original content, while other parts remain unchanged.
CHAPTER 60: ACL CONFIGURATION Table 522 Define a user-defined ACL rule Operation Command Description Create or enter user-defined ACL view Required acl { number acl-number | name acl-name [ advanced | By default, the match order is basic | link | user ] } config.
Applying ACLs on Ports 651 Table 523 Apply an ACL on a port Operation Command Description Enter Ethernet port view interface interface-type interface-number - Enter QoS view qos - Apply an ACL on the port packet-filter { inbound | Required outbound } acl-rule This command is supported [ system-index system-index ] by Type A I/O Modules.
Table 526 Parameters description of ACL combinations
Parameter: ip-group { acl-number | acl-name }
Description: Basic and advanced ACL. acl-number: ACL number, ranging from 2,000 to 3,999. acl-name: ACL name, up to 32 characters long, beginning with an English letter (a to z or A to Z), without spaces or quotation marks, case insensitive.

Parameter: link-group { acl-number | acl-name }
Description: Layer 2 ACL. acl-number: ACL number, ranging from 4,000 to 4,999.
ACL Configuration Example
Basic ACL Configuration Example
Network requirements
Through basic ACL configuration, packets from the host with the source IP address 10.1.1.1 (the host is connected to the switch through the Ethernet 2/0/1 port) are to be filtered within the time range from 8:00 to 18:00 every day.
Network diagram
Figure 166 Network diagram for basic ACL configuration [figure: PC 1 at 10.1.1.1 connected to the switch]
Advanced ACL Configuration Example
Network requirements
Different departments of an enterprise are interconnected on the intranet through the ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of the R&D department are connected to the Ethernet 2/0/1 port of the switch. Apply an ACL to deny requests sourced from the R&D department and destined for the wage server during working hours (8:00 to 18:00).
filtered within the time range from 8:00 to 18:00 every day. Apply this ACL on the Ethernet 2/0/1 port.
Network diagram
Figure 168 Network diagram for Layer 2 ACL configuration [figure: PC 1 (MAC 0011-0011-0011) connected to Eth2/0/1 of the switch; the switch connects to the router and to PC 2]
Configuration procedure
Note: Only the commands related to the ACL configuration are listed below.
1 Define the time range
# Define the time range ranging from 8:00 to 18:00.
Network diagram
Figure 169 Network diagram for user-defined ACL configuration [figure: PC 1 connected to Eth2/0/1 of the switch; the switch connects to the router and to PC 2]
Configuration procedure
Note: Only the commands related to the ACL configuration are listed below.
1 Define the time range.
# Define the time range ranging from 8:00 to 18:00.
system-view
[SW7750] time-range aaa 8:00 to 18:00 daily
2 Create an ACL rule to filter TCP packets.
# Create ACL 5000.
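The basic ACL examples above combine three things a practitioner should be able to reason about before applying a packet-filter: source matching with a wildcard mask, a daily time range, and the rule-ID and match-order behaviour described under Defining Layer 2 ACLs and Table 522. The following Python model is an added example written for this page; it is not 3Com code and not output from the switch. The page states only that `config` is the default match order and that the system assigns a rule ID automatically, so the `auto` (depth-first) order, the sequential ID assignment and the `no-match` result for packets that hit no rule are assumptions, marked as such in the code.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(octet) for octet in addr.split(".")), "big")


@dataclass
class TimeRange:
    """A daily time range such as 'time-range aaa 8:00 to 18:00 daily'."""
    name: str
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return self.start <= when.time() <= self.end


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"  # wildcard mask: a 1 bit means "don't care"
    time_range: Optional[TimeRange] = None
    rule_id: Optional[int] = None

    def matches(self, src_ip: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False               # the rule is dormant outside its time range
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF
        return ip_to_int(src_ip) & care == ip_to_int(self.source) & care

    def content(self):
        tr = self.time_range.name if self.time_range else None
        return (self.action, self.source, self.wildcard, tr)


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        self.number = number
        self.match_order = match_order  # "config" is the default on the switch
        self.rules = []

    def add_rule(self, rule: Rule) -> int:
        # The switch rejects a rule whose content duplicates an existing rule.
        if any(r.content() == rule.content() for r in self.rules):
            raise ValueError(f"rule already exists in ACL {self.number}")
        if rule.rule_id is None:
            # Assumption: IDs are handed out sequentially when none is given.
            rule.rule_id = max((r.rule_id for r in self.rules), default=-1) + 1
        self.rules.append(rule)
        return rule.rule_id

    def ordered(self):
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # Assumption for "auto": depth-first, i.e. the rule with the fewest
        # wildcard bits (the most specific source) is tried first.
        return sorted(self.rules, key=lambda r: bin(ip_to_int(r.wildcard)).count("1"))

    def evaluate(self, src_ip: str, when: datetime):
        for rule in self.ordered():
            if rule.matches(src_ip, when):
                return rule.action, rule.rule_id
        return "no-match", None         # the page does not state what happens here


def demo():
    """The same two rules under both match orders; ACL 2000 and time range aaa are from the examples above."""
    working_hours = datetime(2007, 1, 1, 9, 0)
    evening = datetime(2007, 1, 1, 20, 0)
    tr = TimeRange("aaa", time(8, 0), time(18, 0))
    results = {}
    for order in ("config", "auto"):
        acl = BasicAcl(2000, match_order=order)
        acl.add_rule(Rule("permit", "10.1.1.0", "0.0.0.255"))   # rule 0: the whole subnet
        acl.add_rule(Rule("deny", "10.1.1.1", "0.0.0.0", tr))   # rule 1: one host, 8:00 to 18:00
        results[order] = {
            "host_working": acl.evaluate("10.1.1.1", working_hours),
            "host_evening": acl.evaluate("10.1.1.1", evening),
            "other_subnet": acl.evaluate("10.2.0.1", working_hours),
        }
    return results


if __name__ == "__main__":
    for order, outcome in demo().items():
        print(order, outcome)
```

The point to take from `demo()` is the match-order pitfall: with the default `config` order the broad subnet permit in rule 0 is tried first and the host deny in rule 1 never fires, so the R&D host still reaches the server during working hours. Reordering the rules, or an `auto` order that tries the most specific rule first, is what makes the deny effective; check the order with the display commands before trusting a filter.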
61 QOS CONFIGURATION
Overview
Note:
■ Type-A I/O Modules include 3C16860, 3C16861, LS81FS24A, LS81FS24, 3C16858, and 3C16859.
■ On type-A I/O Modules, the prompt for QoS view is qoss; on non-type-A I/O Modules, the prompt for QoS view is qosb.
Quality of Service (QoS) is a general concept wherever a service is supplied and consumed: it evaluates how well the supplier meets the customers' needs for the service. Generally, the evaluation is not a precise grade.
Precedence
1 IP precedence, ToS precedence and differentiated services code point (DSCP) precedence
Figure 170 DS field and ToS byte [figure: bit layout of the IPv4 ToS byte per RFC 791 (bits 0 to 2 Precedence; bits 3 to 6 Type of Service per RFC 1349 and RFC 1122; bit 7 MBZ, Must Be Zero) and of the DS field per RFC 2474 (bits 0 to 5 DSCP, including the Class Selector codepoints; bits 6 to 7 CU, Currently Unused); the DS field is the ToS octet for IPv4 and the Traffic Class octet for IPv6]
The T
service level can be segmented. The QoS rank of the AF class is lower than that of the EF class.
■ Class selector (CS) class: This class comes from the IP ToS field and includes 8 classes.
■ Best Effort (BE) class: This class is a special class without any assurance in the CS class. AF-class traffic can be degraded to the BE class if it exceeds its limit. Current IP network traffic belongs to this class by default.
As shown in the figure above, each host supporting the 802.1Q protocol inserts a 4-byte 802.1Q tag header after the source address of the original Ethernet frame header when sending packets. The 4-byte 802.1Q tag header contains a 2-byte Tag Protocol Identifier (TPID), whose value is 0x8100, and a 2-byte Tag Control Information (TCI) field. The TPID is a new type value defined by IEEE to indicate a packet carrying an 802.1Q tag. Figure 172 describes the detailed contents of an 802.1Q tag header.
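The precedence keywords of Table 514, the CoS keywords of Table 521, the three layouts of the ToS/DS octet in Figure 170 and the 802.1Q tag header described above are all values a traffic classifier reads from the wire. The following Python parser is an added example for this page, not 3Com code: it pulls the 4-byte tag (TPID 0x8100, then the 2-byte TCI with 3 bits of priority, the CFI bit and the 12-bit VLAN ID) and the IPv4 ToS octet out of a frame and names them the way the ACL and QoS commands do. The sample frame is constructed inline (PC 1 with MAC 0011-0011-0011 from the Layer 2 ACL example, sending to the wage server 192.168.1.2) and is not a capture; the dst MAC is arbitrary.

```python
import struct

# Keyword tables from Table 514 (IP precedence) and Table 521 (CoS, the rows shown on this page).
IP_PRECEDENCE = {0: "routine", 1: "priority", 2: "immediate", 3: "flash",
                 4: "flash-override", 5: "critical", 6: "internet", 7: "network"}
COS_KEYWORDS = {5: "video", 6: "voice", 7: "network-management"}

TPID_8021Q = 0x8100      # 2-byte TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def parse_tos(tos_byte: int) -> dict:
    """Read the one ToS/DS octet in the three layouts of Figure 170."""
    precedence = tos_byte >> 5             # RFC 791: bits 0-2
    tos = (tos_byte >> 1) & 0x0F           # RFC 1349: bits 3-6, the 0..15 value an ACL accepts
    dscp = tos_byte >> 2                   # RFC 2474: bits 0-5
    return {
        "precedence": precedence,
        "precedence_keyword": IP_PRECEDENCE[precedence],
        "tos": tos,
        "mbz": tos_byte & 0x01,            # RFC 791 bit 7, must be zero
        "dscp": dscp,
        "class_selector": dscp >> 3,       # CS codepoints are DSCP values whose low three bits are zero
        "cu": tos_byte & 0x03,             # RFC 2474 bits 6-7, currently unused
    }


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame: MACs, the optional 4-byte 802.1Q tag, and the IPv4 ToS octet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    info = {"dst": dst.hex("-", 2), "src": src.hex("-", 2), "tagged": False}
    if ethertype == TPID_8021Q:
        # The 2-byte TCI holds 3 bits of priority (CoS), 1 CFI bit and a 12-bit VLAN ID.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset = 18
        info.update(tagged=True, cos=tci >> 13, cfi=(tci >> 12) & 1, vlan=tci & 0x0FFF,
                    cos_keyword=COS_KEYWORDS.get(tci >> 13))
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ip = frame[offset:offset + 20]
        info["ip"] = parse_tos(ip[1])      # the ToS octet is the second byte of the IPv4 header
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    return info


def build_sample_frame(cos: int, vlan: int, dscp: int, tagged: bool = True) -> bytes:
    """Constructed sample input, not a capture: PC 1 (0011-0011-0011) sending IPv4 to 192.168.1.2."""
    header = bytes.fromhex("000d88aabbcc") + bytes.fromhex("001100110011")
    if tagged:
        header += struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header: version/IHL, ToS, length, id, flags, TTL, UDP, checksum 0, addresses.
    ipv4 = bytes([0x45, dscp << 2]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 17, 0)
    ipv4 += bytes([10, 1, 1, 1]) + bytes([192, 168, 1, 2])
    return header + ipv4 + b"payload"


if __name__ == "__main__":
    print(parse_frame(build_sample_frame(cos=6, vlan=10, dspc=46) if False else build_sample_frame(6, 10, 46)))
```

A frame carrying DSCP 46 has ToS byte 0xB8: read as RFC 791 it is precedence 5 (critical) with ToS bits 1100, read as RFC 2474 it is DSCP 46 in class selector 5. Both readings are of the same octet, which is why the `priority-trust` choice later in this chapter matters: the switch can only trust one interpretation per port.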
dropped and the other traffic is permitted. The Ethernet switch applies complex traffic classification rules to filter packets on many header fields and to drop useless, unreliable, or suspicious packets, which enhances network security. The two critical steps in the packet filter operation are:
Step 1: Classify the packets arriving at the port according to the configured classification rule.
Step 2: Perform the filter (drop) operation on the classified packets.
Figure 173 Evaluate the traffic with the token bucket [figure: packets to be sent through the port pass through packet classification and are checked against a token bucket that is filled with tokens at the set rate; conforming packets continue to be sent, the rest are dropped]
1 Evaluate the traffic with the token bucket
The evaluation of the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding.
Two token buckets are used in this evaluation. Tokens are put into them at the CIR and PIR rates respectively, and their sizes are CBS and EBS respectively (the two buckets are called the C bucket and the E bucket for short), representing different permitted burst levels.
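The two-bucket evaluation above is easier to trust once you have watched the buckets drain. The following Python is an added example for this page, not 3Com code or the switch's implementation: the C bucket is filled at CIR up to CBS and the E bucket at PIR up to EBS, a packet that fits both is green, one that fits only the E bucket is yellow, and one that fits neither is red (the colours are the usual names for the three outcomes; this page names only the buckets). Units are bytes and seconds, and the burst in `demo()` is constructed.

```python
class TwoRateThreeColorMarker:
    """Two-bucket traffic evaluation as described above.

    The C bucket is filled at CIR up to CBS, the E bucket at PIR up to EBS.
    Sizes are in bytes, rates in bytes per second, time in seconds.
    """

    def __init__(self, cir: float, cbs: int, pir: float, ebs: int):
        if pir < cir:
            raise ValueError("PIR must not be lower than CIR")
        self.cir, self.cbs, self.pir, self.ebs = cir, cbs, pir, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.te = min(self.ebs, self.te + self.pir * elapsed)

    def mark(self, size: int, now: float) -> str:
        """Return 'green' (within CIR), 'yellow' (within PIR) or 'red' (exceeds PIR)."""
        self._refill(now)
        if self.te < size:           # not even the E bucket has enough tokens
            return "red"
        if self.tc < size:           # the E bucket pays, the C bucket cannot
            self.te -= size
            return "yellow"
        self.tc -= size              # conforming: both buckets pay
        self.te -= size
        return "green"


def demo():
    """Constructed burst: five 500-byte packets at t=0, then one more after a 1 s pause."""
    marker = TwoRateThreeColorMarker(cir=1000, cbs=1000, pir=2000, ebs=2000)
    burst = [marker.mark(500, 0.0) for _ in range(5)]
    after_pause = marker.mark(500, 1.0)
    return burst, after_pause


if __name__ == "__main__":
    burst, later = demo()
    print("burst:", burst)          # green green yellow yellow red
    print("after 1 s:", later)      # green
```

With CBS equal to two packets and EBS equal to four, the first two packets of the burst are green, the next two yellow, and the fifth is red; after one second at CIR 1000 and PIR 2000 both buckets are full again and the next packet is green. Traffic policing (TP, later in this chapter) acts on exactly this verdict, so a CBS chosen too small will colour legitimate bursts red and drop them.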
In the following section, strict priority (SP) queues and weighted round robin (WRR) queues are introduced.
1 SP queue
Figure 174 Diagram for SP queues [figure: packets to be sent through the port pass through packet classification into queue 7 (high priority) down to queue 0 (low priority); queue scheduling selects the sending queue and the packets leave through the interface]
The SP queue-scheduling algorithm is specially designed for critical service applications.
Figure 175 Diagram for WRR [figure: packets to be sent through the port pass through packet classification into queue 1 (weight 1) through queue N (weight N); queue scheduling selects the sending queue and the packets leave through the interface]
2 WRR queue
The WRR queue-scheduling algorithm schedules all the queues in turn, and every queue can be assured a certain service time. Assume there are 8 priority queues on the port. WRR configures a weight value for each queue; the weights are w7, w6, w5, w4, w3, w2, w1, and w0.
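The difference between the two schedulers above is starvation: SP serves queue 0 only when every higher queue is empty, whereas WRR gives each queue a share proportional to its weight. The following Python simulation of both, an added example for this page rather than 3Com code, makes that visible on a constructed backlog of ten packets per queue; the packet-count form of WRR (each queue sends up to its weight per round) is an assumption, since the page describes WRR only in terms of weights and service time.

```python
from collections import Counter, deque


def sp_schedule(queues: dict, slots: int) -> list:
    """Strict priority: each slot serves the highest-numbered queue that has a packet."""
    sent = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                sent.append(queues[q].popleft())
                break
    return sent


def wrr_schedule(queues: dict, weights: dict, rounds: int) -> list:
    """Weighted round robin: in every round, queue q may send up to weights[q] packets."""
    sent = []
    for _ in range(rounds):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if queues[q]:
                    sent.append(queues[q].popleft())
    return sent


def make_queues(depth: int, ids=(7, 6, 0)) -> dict:
    """Constructed backlog: `depth` packets in each queue, each packet tagged with its queue number."""
    return {q: deque([q] * depth) for q in ids}


def demo():
    """How many packets each queue gets to send under SP (12 slots) and WRR (3 rounds, weights 2:1:1)."""
    sp = Counter(sp_schedule(make_queues(10), slots=12))
    wrr = Counter(wrr_schedule(make_queues(10), {7: 2, 6: 1, 0: 1}, rounds=3))
    return dict(sp), dict(wrr)


if __name__ == "__main__":
    sp, wrr = demo()
    print("SP :", sp)    # {7: 10, 6: 2}: queue 0 sends nothing while higher queues are backlogged
    print("WRR:", wrr)   # {7: 6, 6: 3, 0: 3}: every queue is served in proportion to its weight
```

SP is the right choice only when the high-priority queues are rate-limited upstream (for example by the token-bucket policing described above); otherwise a flood marked with a high 802.1p or DSCP value can silence every lower queue, which is a denial-of-service vector as much as a QoS problem.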
■ When the queue length is greater than the upper limit, all inbound packets are dropped.
■ When the queue length is between the lower limit and the upper limit, inbound packets are dropped at random. In this case, a number is assigned to each inbound packet and then compared with the drop probability of the current queue.
QoS Supported by the Switch 7750
Setting Port Priority
Table 532 Set to use the port priority
Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Set the port priority
Command: priority priority-level
Description: Optional. By default, the port priority is 0.
Configuration example
■ Set the port priority of Ethernet 2/0/1 to 7.
Configuring Priority to Be Used When a Packet Enters an Output Queue
Table 534 The mapping relationship between the local precedence values and queues
Local precedence | Queue
7 | 7
Table 535 The mapping relationship between IP precedence values and queues
IP precedence | Queue
0 | 0
1 | 1
2 | 2
3 | 3
4 | 4
5 | 5
6 | 6
7 | 7
Table 536 The mapping relationship between DSCP precedence values and queues
DSCP precedence value | Name on type-A I/O Modules | Name on non-type-A I/O Modules
Configuration example
# Configure to use the DSCP precedence when a packet enters an output queue.
system-view
[SW7750] priority-trust dscp
Configuring the Mapping Relationship between 802.1p Priority Values and Queues
You can modify the mapping relationship between 802.1p priority values and local precedence values, and thereby the mapping relationship between 802.1p priority values and output queues.
Configuration prerequisites
The mapping relationship between 802.
■ Through the traffic-priority command. Refer to the following description in this section.
Configuration Prerequisites
■ ACL rules used for traffic identification are defined. Refer to "Choosing ACL Mode for Traffic Flows" on page 639 for defining ACL rules.
Configuration Procedure
Table 541 Non-type-A I/O Modules' ways of applying combined ACLs
ACL combination: Apply all the rules in an IP ACL separately
Form of the acl-rule argument: ip-group { acl-number | acl-name }

ACL combination: Apply a rule in an IP ACL separately
Form of the acl-rule argument: ip-group { acl-number | acl-name } rule rule-id

ACL combination: Apply all the rules in a Link ACL separately
Form of the acl-rule argument: link-group { acl-number | acl-name }

ACL combination: Apply a rule in a Link ACL separately
Form of the acl-rule argument: link-group { acl-number | acl-name } rule rule-id
Configuration Example
Note: Only non-type-A I/O Modules support port-based rate limit.
Configuration Example
■ Set a rate limit on GigabitEthernet 2/0/1 of the switch.
■ Limit the rate to 10 Mbps.
Configuration procedure:
system-view
[SW7750] interface GigabitEthernet 2/0/1
[SW7750-GigabitEthernet2/0/1] qos
[SW7750-qosb-GigabitEthernet2/0/1] line-rate 10
Configuring TP
Refer to "TP" on page 661 for the introduction to TP.
■ When a switch is connected to a RADIUS server, if the switch does not support the inbound TP or outbound TP configured on the RADIUS server, the TP configuration is ignored on the switch.
Configuration Example
■ GigabitEthernet 2/0/1 of the switch is connected to the 10.1.1.1/24 network segment.
■ Perform TP on the packets from the 10.1.1.
Note:
■ Only non-type-A I/O Modules support the traffic redirect configuration.
■ The redirect configuration is effective only for ACL rules whose action is permit.
■ Packets redirected to the CPU are not forwarded normally.
Configuration Example
■ Ethernet 2/0/1 of the switch is connected to the 10.1.1.1/24 network segment.
■ Redirect all the traffic from the 10.1.1.1/24 network segment to Ethernet 2/0/7.
Note: Only non-type-A I/O Modules support the configuration for queue scheduling mode.
Configuration Example
■ The switch adopts the WRR queue scheduling algorithm, and the weight values of the outbound queues are 10, 5, 10, 10, 5, 10, 5, and 10 respectively.
■ Display the configuration.
Configuration Procedure
Table 546 Configure RED parameters
Operation: Enter system view
Command: system-view

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Enter QoS view
Command: qos

Operation: Configure parameters for the RED algorithm
Command: traffic-red outbound acl-rule [ system-index system-index ] qstart qstop probability
Description: Required

Operation: Display the parameters for the RED configuration
Command: display qos-interface [ interface-type interface-number ] traff
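The three arguments of traffic-red (qstart, qstop, probability) correspond to the two queue-length limits and the drop probability described under congestion avoidance earlier in this chapter: below qstart nothing is dropped, at or above qstop everything is, and in between each packet is assigned a random number that is compared with the drop probability. The following Python queue is an added example for this page, not 3Com code. The page does not say how the probability varies between the two limits, so the linear ramp from 0 at qstart to `probability` just below qstop is an assumption (it is the classic RED shape); the seeded random source and the 40-packet burst in `demo()` are constructed so the run is repeatable.

```python
import random


class RedQueue:
    """Output queue with the RED parameters of the traffic-red command: qstart, qstop, probability."""

    def __init__(self, qstart: int, qstop: int, probability: float, rng=None):
        if not 0 <= qstart < qstop or not 0.0 <= probability <= 1.0:
            raise ValueError("need 0 <= qstart < qstop and 0 <= probability <= 1")
        self.qstart, self.qstop, self.probability = qstart, qstop, probability
        self.rng = rng if rng is not None else random.Random()
        self.packets = []
        self.dropped = 0

    def drop_probability(self, length=None) -> float:
        """0 below qstart, 1 at or above qstop, and in between a linear ramp up to `probability`.

        The ramp is an assumption; the page states only the two limits and the random comparison.
        """
        length = len(self.packets) if length is None else length
        if length < self.qstart:
            return 0.0
        if length >= self.qstop:
            return 1.0
        return self.probability * (length - self.qstart) / (self.qstop - self.qstart)

    def enqueue(self, packet) -> bool:
        """Assign a random number to the packet and compare it with the current drop probability."""
        p = self.drop_probability()
        if p >= 1.0 or (p > 0.0 and self.rng.random() < p):
            self.dropped += 1
            return False
        self.packets.append(packet)
        return True

    def dequeue(self):
        return self.packets.pop(0) if self.packets else None


def demo(burst: int = 40):
    """Offer `burst` packets to a queue configured like 'traffic-red ... 10 20 0.5' while nothing drains it."""
    q = RedQueue(qstart=10, qstop=20, probability=0.5, rng=random.Random(7))
    accepted = sum(q.enqueue(i) for i in range(burst))
    return accepted, q.dropped


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted {accepted}, dropped {dropped}")
```

Whatever the random draws, the first ten packets of the burst are always accepted and the queue never grows past twenty, so `accepted` lands between 10 and 20 while the remainder is dropped. That bounded tail is the reason to prefer RED over tail drop on a port that carries TCP flows: the early random drops signal congestion to a few senders at a time rather than to all of them at once.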
Configuration Procedure of Traffic Statistics
Table 547 Configure traffic statistics
Operation: Enter system view
Command: system-view

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Enter QoS view
Command: qos

Operation: Use the ACL rules in traffic identification and perform traffic statistics on the packets matching the ACL rules.
[SW7750] interface Ethernet 2/0/1
[SW7750-Ethernet2/0/1] qos
[SW7750-qosb-Ethernet2/0/1] traffic-statistic inbound ip-group 2000
Configuring Assured Bandwidth
The function of assured bandwidth is to provide a maximum available bandwidth and a minimum assured bandwidth for the specified traffic, so that it receives the corresponding service.
Configuration Prerequisites
■ ACL rules used for traffic identification are defined.
Configuration Procedure
system-view
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
[SW7750-acl-basic-2000] quit
[SW7750] interface Ethernet 2/0/1
[SW7750-Ethernet2/0/1] qos
[SW7750-qoss-Ethernet2/0/1] traffic-bandwidth outbound ip-group 2000 64 128 50
Configuring Bidirectional CAR
You can enable or disable bidirectional CAR. With bidirectional CAR enabled, the switch treats an ACL rule applied to different ports as different rules.
selective QinQ function can tag a packet with an outer VLAN tag according to the ACL rule that the packet matches on the inbound port. The traffic-based selective QinQ function is configured on the hybrid port of the edge device connecting the user device to the carrier's network.
Configuration Prerequisites
■ ACL rules used for traffic identification are defined. Refer to "Choosing ACL Mode for Traffic Flows" on page 639 for defining ACL rules.
Configuration Procedure
Configuration Example
■ Type-A, 3C16863, and 3C16862 I/O Modules do not support the traffic-based selective QinQ function.
■ GigabitEthernet 2/0/1 of the switch is connected to the 10.1.1.1/24 network segment.
■ Tag all the packets from the 10.1.1.
Configuration procedure
Note: Only the commands related to QoS/ACL configuration are listed in the following configurations.
1 Define the outbound traffic of the salary query server
# Enter ACL 3000 view.
system-view
[SW7750] acl number 3000
# Define ACL 3000 rules.
[SW7750-acl-adv-3000] rule 1 permit ip source 129.110.1.
system-view
[SW7750] time-range test 8:00 to 18:00 daily
2 Define the traffic rules of PC packets
# Enter the view of basic ACL 2000, identified by number.
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule 0 permit source 1.0.0.
62 MIRRORING CONFIGURATION
Overview
Mirroring refers to the process of copying packets that meet the specified rules to a destination port. Generally, the destination port is connected to a data detection device, which you can use to analyze the mirrored packets for monitoring and troubleshooting the network. You can also mirror packets to the LS81VSNP and LS82VSNP modules to perform statistics and accounting on the traffic of online users.
Figure 179 Remote port mirroring application [figure: the source switch (source port, reflector port) connects through a trunk port and an intermediate switch to the destination switch (destination port); the mirrored traffic travels in the remote-probe VLAN]
Three types of switches are involved in remote port mirroring.
■ Source switch: The switch to which the monitored port belongs.
Table 552 Ports involved in the mirroring operation
Switch: Destination switch
Port involved: Relay port
Function: Receives remote mirrored packets. You must set the port as a trunk port and configure it to permit packets of the remote-probe VLAN.

Switch: Destination switch
Port involved: Destination port
Function: Monitors remote mirrored packets.
To implement remote port mirroring, you need to define a special VLAN, called the remote-probe VLAN, on all three types of switches.
Mirroring Supported by the Switch 7750
Table 553 Mirroring functions supported by the Switch 7750 and related commands
Function: Mirroring
Description: Support local port mirroring
Related commands: mirroring-group, mirroring-group mirroring-port, mirroring-group monitor-port, monitor-port, mirroring-port
Related section: "Configuring Local Port Mirroring" on page 688

Function: Mirroring
Description: Support remote port mirroring
Related commands: mirroring-group, mirroring-group mirroring-port, mirroring-group monit
Table 554 Configure port mirroring in Ethernet port view
Operation: Create a local port mirroring group
Command: mirroring-group group-id local
Description: Required

Operation: Enter Ethernet port view of the destination port
Command: interface interface-type interface-number

Operation: Define the current port as the destination port
Command: mirroring-group group-id monitor-port
Description: Required

Operation: Exit current view
Command: quit

Operation: Enter Ethernet port view of the source port
Command: interface interface-type interface-number
[SW7750-GigabitEthernet2/0/4] quit
[SW7750] interface GigabitEthernet 2/0/1
[SW7750-GigabitEthernet2/0/1] mirroring-group 1 mirroring-port both
2 Configuration procedure 2:
system-view
[SW7750] mirroring-group 1 local
[SW7750] mirroring-group 1 monitor-port GigabitEthernet 2/0/4
[SW7750] mirroring-group 1 mirroring-port GigabitEthernet 2/0/1 both
Configuring Remote Port Mirroring
Configuration prerequisites
■ The source switch, intermediate switch, and
Table 556 Configure remote port mirroring on the source switch
Operation: Configure a remote reflector port
Command: mirroring-group group-id reflector-port reflector-port
Description: Required. The remote reflector port must be of the Access type. LACP must be disabled on this port, and you are recommended to disable STP on this port as well.
Configuring remote port mirroring on the intermediate switch
Table 557 Configure remote port mirroring on the intermediate switch
Operation: Enter system view
Command: system-view

Operation: Create a remote-probe VLAN and enter VLAN view
Command: vlan vlan-id
Description: vlan-id is the ID of the remote-probe VLAN.
Table 558 Configure remote port mirroring on the destination switch
Operation: Enter port view of the relay port through which the destination switch is connected to the source switch or an intermediate switch
Command: interface interface-type interface-number

Operation: Configure the current port as a trunk port
Command: port link-type trunk
Description: Required

Operation: Configure the relay port to permit packets from the remote-probe VLAN to pass
Command: port trunk permit vlan remote-probe-vlan-id
Description: Required
Module. As for the distributed system, you can configure only one reflector port of a remote source mirroring group, or one destination port of a local mirroring group, for the whole system. Only one mirroring destination I/O Module can be configured for the centralized or distributed system, and it can be referenced by only one local mirroring group.
system-view
[SW7750] vlan 10
[SW7750-vlan10] remote-probe vlan enable
[SW7750-vlan10] quit
[SW7750] interface GigabitEthernet 2/0/1
[SW7750-GigabitEthernet2/0/1] port link-type trunk
[SW7750-GigabitEthernet2/0/1] port trunk permit vlan 10
[SW7750-GigabitEthernet2/0/1] quit
[SW7750] mirroring-group 1 remote-source
[SW7750] mirroring-group 1 mirroring-port GigabitEthernet 2/0/2 both
[SW7750] mirroring-group 1 reflector-port GigabitEthernet 2/0/3
[SW7750] mirroring-group
[SW7750] mirroring-group 1 remote-destination
[SW7750] mirroring-group 1 monitor-port GigabitEthernet 2/0/2
[SW7750] mirroring-group 1 remote-probe vlan 10
[SW7750] display mirroring-group remote-destination
mirroring-group 1:
    type: remote-destination
    status: active
    monitor port: GigabitEthernet2/0/2
    remote-probe vlan: 10
Configuring Local Traffic Mirroring
Configuration prerequisites
■ ACLs for identifying traffic have been defined.
Table 560 Combined application of ACLs on I/O Modules other than type A.
Configuring the source switch
Table 561 Configure the source switch
Operation: Enter system view
Command: system-view

Operation: Create a VLAN and enter VLAN view
Command: vlan vlan-id
Description: vlan-id is the ID of the remote-probe VLAN to be defined.
Table 561 Configure the source switch (continued)
Operation: Display configuration of the remote source mirroring group
Command: display mirroring-group remote-source
Description: Optional. You can execute the display command in any view.
Use the remote traffic mirroring function to mirror the packets from the 10.1.1.1/24 network segment to GigabitEthernet 2/0/2, the port of Switch A, so that the data detection device can monitor the traffic:
■ Define VLAN 10 as the remote-probe VLAN.
■ Define Switch A as the destination switch; configure GigabitEthernet 2/0/2, the port that is connected to the data detection device, as the destination port for remote mirroring.
[SW7750-vlan10] quit
[SW7750] interface GigabitEthernet 2/0/1
[SW7750-GigabitEthernet2/0/1] port link-type trunk
[SW7750-GigabitEthernet2/0/1] port trunk permit vlan 10
[SW7750-GigabitEthernet2/0/1] quit
[SW7750] interface GigabitEthernet 2/0/2
[SW7750-GigabitEthernet2/0/2] port link-type trunk
[SW7750-GigabitEthernet2/0/2] port trunk permit vlan 10
# Configure Switch C
system-view
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.
Table 562 Configure mirroring to LS81VSNP
Operation: Define the mirroring source port or mirroring source I/O Module
Command: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }
Description: You must perform one of the two operations.
63 CLUSTER
Cluster Overview
Introduction to Switch Clustering V2
A cluster is implemented through Switch Clustering V2. By employing the group management protocol (Switch Clustering V2), a network administrator can manage multiple switches through the public IP address of a single switch known as the management device. The switches under the management of the management device are member devices. The management device, along with the member devices, forms a cluster.
a specific member device on the management device instead of logging into it in advance.
■ Topology discovery and display functions are provided, which assist network monitoring and debugging.
■ Software upgrading and parameter configuration can be performed simultaneously on multiple switches.
information is different from the existing one. Otherwise, only the holdtime of the corresponding entry is updated.
Introduction to NTDP
NTDP is a protocol for network topology information collection. NTDP provides information about the devices that can be added to clusters and collects the topology information within the specified number of hops for cluster management.
Note: You need to enable the cluster function and configure cluster parameters on a management device. On the member devices and candidate devices, you only need to enable the cluster function.
Introduction to the functions of a cluster
A cluster provides batch management for the switches in the network. A cluster provides external management and maintenance applications, including SNMP, command line, program and data loading, log reporting, and alarm reporting.
Table 563 Switch roles in the cluster
Role: Management device
Configuration:
■ Configured with a public IP address.
■ A member device becomes a candidate device after being removed from the cluster.
Enabling NTDP Globally and for Specific Ports
Table 567 Enable NTDP globally and for specific ports
Operation: Enter system view
Command: system-view

Operation: Enable NTDP globally
Command: ntdp enable
Description: Required. By default, NTDP is enabled globally.
as a result cluster handshake messages cannot be sent or received properly, and devices repeatedly join and leave the cluster.
■ If the routing table of the management device is full when a cluster is established, all candidate devices repeatedly join and leave the cluster.
■ If the routing table of the management device is full when a candidate device joins the cluster, this device repeatedly joins and leaves the cluster.
Building a cluster automatically
Table 571 Enable the cluster function automatically
Operation: Enter system view
Command: system-view

Operation: Enter VLAN interface view
Command: interface Vlan-interface vlan-id
Description: Required

Operation: Configure the IP address of the VLAN interface
Command: ip address ip-address { mask | mask-length }
Description: Required

Operation: Enter cluster view
Command: cluster

Operation: Configure the range of the IP addresses of the cluster
Command: ip-pool administrato
Configuring Interaction for the Cluster
Table 573 Member device configuration tasks
Operation: Configure member devices to access the FTP/TFTP server of the cluster
Description: Optional
Related section: "Configure Member Devices to Access FTP/TFTP Server of the Cluster" on page 712
Enabling NDP Globally and for Specific Ports
Table 574 Enable NDP globally and for specific ports
Operation: Enter system view
Command: system-view

Operation: Enable NDP globally
Command: ndp enable
Description: Required. By default, NDP is enabled globally.
Intra-Cluster Configuration
Table 577 Configure a cluster
Operation: Enter system view
Command: system-view

Operation: Enter cluster view
Command: cluster

Operation: Add a candidate device to a cluster
Command: add-member [ member-number ] mac-address H-H-H [ password password ]
Description: Optional

Operation: Remove a member device from the cluster
Command: delete-member member-num
Description: Optional

Operation: Reboot a specified member device
Command: reboot member { member-num | mac-address H-H-H } [
Displaying and Maintaining a Cluster
Table 578 Display and maintain cluster configurations
Operation: Clear the NDP statistics on a port
Command: reset ndp statistics [ interface port-list ]
Cluster Configuration Example
Network requirements
Three switches form a cluster, in which:
■ The management device is a Switch 7750.
■ The other two switches are member devices, managed by the Switch 7750 as the management device.
Configuration procedure
1 Configure the member devices (taking one member as an example)
# Enable NDP globally and for Ethernet 1/1.
system-view
[SW7750] ndp enable
[SW7750] interface Ethernet 1/1
[SW7750-Ethernet1/1] ndp enable
[SW7750-Ethernet1/1] quit
# Enable NTDP globally and for Ethernet 1/1.
[SW7750] ntdp enable
[SW7750] interface Ethernet 1/1
[SW7750-Ethernet1/1] ntdp enable
[SW7750-Ethernet1/1] quit
# Enable the cluster function.
# Set the hop count for topology collection to 2.
[SW7750] ntdp hop 2
# Set the delay before member devices forward topology-collection request packets to 150 ms.
[SW7750] ntdp timer hop-delay 150
# Set the delay before topology-collection request packets are forwarded through the ports of member devices to 15 ms.
[SW7750] ntdp timer port-delay 15
# Set the interval for collecting topology information to 3 minutes.
Add the devices connected to the management device into the cluster and perform the following configuration on the member device.
# Connect the member device to the public remote FTP server of the cluster.
ftp cluster
# Download the file named aaa.txt from the public TFTP server of the cluster to the member device.
tftp cluster get aaa.txt
# Upload the file named bbb.txt from the member device to the public TFTP server of the cluster.
Note that FTP transfers credentials and data in cleartext and TFTP has no authentication at all, so the cluster's FTP/TFTP server should be reachable only from the cluster's own management network, and software images fetched this way should be checked against a known-good copy before they are loaded.
64 POE CONFIGURATION
PoE Overview
Introduction to PoE
Power over Ethernet (PoE) uses 10BASE-T, 100BASE-TX, and 1000BASE-T twisted pairs to supply power to remote powered devices (PDs) in the network, implementing power supply and data transmission simultaneously.
Advantages of PoE
■ Reliability: The centralized power supply provides backup convenience, unified management, and safety.
■ Easy connection: Network terminals only require an Ethernet cable, and no external power supply.
External PSE2500-A1 Power System
Note:
■ The Switch 7750 supplies power through the Ethernet electrical ports on the service modules. Each service module can supply power to up to 48 remote devices at a maximum distance of 100 m (328 feet).
■ Each Ethernet port can supply at most 15.4 W to remote PDs.
■ When the Switch 7750 supplies power to remote devices, the maximum total power that it can provide is 2,400 W.
Note: In auto mode, when the switch is reaching its full load in supplying power, the switch decides whether to supply power to the remote PD on a port based on the port priority. Note that the switch can compare only the priorities of ports on the same module.
Table 581 Configure the PoE feature of a PoE-enabled board
Operation: Enable the compatibility detection feature for remote PDs of the board
Command: poe legacy enable slot slot-number
Description: Optional. By default, compatibility detection is disabled for PDs.
Note:
■ You can successfully enable PoE on a module only when the remaining power of the switch is not less than the full power of this module.
Setting the PoE Feature of a PoE Port
Note:
■ The Switch 7750 does not support the spare mode.
■ When a module is almost fully loaded and a new PD is added, the switch responds to the PD according to the PoE management mode. For details, see "Setting PoE Management Mode" on page 720.
■ In auto mode, when the switch is reaching its full load in supplying power, the switch decides whether to supply power to the remote PD on a port based on the port priority.
Displaying PoE Configuration
Upgrading the PSE Processing Software Online
Table 584 Display and maintain PoE
Operation: Display the PoE status of a specific port or all ports of the switch
Command: display poe interface { interface-type interface-number | all }

Operation: Display the PoE power information of a specific port or all ports of the switch
Command: display poe interface power { interface-type interface-number | all }

Operation: Display the PSE parameters
Command: display poe powersupply
Description: You can execute the display command in any view.

Operation: Display the power su
Networking diagram
Figure 185 Network diagram for PoE [figure: an S7506 with Eth3/0/1 to Eth3/0/48 and Eth5/0/1 to Eth5/0/48 supplying power to APs and connecting to the network]
Configuration procedure
# Enter system view.
system-view
# Upgrade the PSE processing software of the PoE module in slot 5 of the Switch 7757 online.
[SW7750] poe upgrade refresh 0400_001.S19
# Enable the PoE feature on the modules in slot 3 and slot 5.
[SW7750] interface Ethernet 3/0/23
[SW7750-Ethernet3/0/23] undo poe enable
[SW7750-Ethernet3/0/23] quit
[SW7750] interface Ethernet 3/0/24
[SW7750-Ethernet3/0/24] undo poe enable
[SW7750-Ethernet3/0/24] quit
# Set the priority of Ethernet 3/0/48 to critical, so that the device connected to Ethernet 3/0/48 is supplied with power preferentially, without interrupting the power supply to the ports currently powered.
65 POE PSU SUPERVISION CONFIGURATION
Introduction to PoE PSU Supervision
The PoE-enabled Switch 7750 can monitor the external PoE power supply units (PSUs) through the Fabrics.
Configuration procedure
# Enter system view.
system-view
# Set the overvoltage alarm threshold of the AC input for PoE PSUs to 264.0 V.
[SW7750] poe-power input-thresh upper 264.0
# Set the undervoltage alarm threshold of the AC input for PoE PSUs to 181.0 V.
[SW7750] poe-power input-thresh lower 181.0
# Display the AC input state of the PoE PSUs.
# Display the DC output state of the PoE PSUs.
[SW7750] display poe-power dc-output state
# Display the DC output voltage/current values of the PoE PSUs.
[SW7750] display poe-power dc-output value
Displaying PoE Supervision Information
After the above configuration, you can execute the display commands in any view to display the PoE operation of the switch and verify the configuration.
Network diagram
Figure 186 Network diagram for PoE supervision configuration [figure: an S7506 with Eth3/0/1 to Eth3/0/48 powering IP phones and connecting to the network]
Configuration procedure
# Enter system view.
system-view
# Enable PoE on the module in slot 3.
[SW7750] poe enable slot 3
# Set the overvoltage alarm threshold of the AC input for the PoE PSUs to 264.0 V.
[SW7750] poe-power input-thresh upper 264.
66 POE PROFILE CONFIGURATION
Introduction to PoE Profile
On a large network or a network with mobile users, to help network administrators manage the PoE features of the switch, Switch 7750 Ethernet switches provide the PoE profile feature.
Features of PoE profile:
■ Various PoE profiles can be created. PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles.
PoE Profile Configuration Tasks
CHAPTER 66: POE PROFILE CONFIGURATION Table 589 Configure PoE profile Operation Command Description In system view: Apply the existing PoE profile to the specified Ethernet port(s) apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] Required In Ethernet port view: Enter Ethernet port view interface interface-type interface-number - Apply the existing PoE profile to the port Note: Displaying PoE Profile Configuration Users can decide whether to
PoE Profile Configuration Example 733 ■ The PoE priority for Ethernet2/0/1 through Ethernet2/0/5 is Critical, whereas the PoE priority for Ethernet2/0/6 through Ethernet2/0/10 is High. ■ The maximum power for Ethernet2/0/1 through Ethernet2/0/5 ports is 3,000 mW, whereas the maximum power for Ethernet2/0/6 through Ethernet2/0/10 is 15,400 mW. Based on the above requirements, two PoE profiles are made for users of group A.
poe max-power 3000 poe priority critical # Create Profile2, and enter poe-profile view. [SW7750] poe-profile Profile2 # In Profile2, add the PoE policy configuration applicable to Ethernet2/0/6 through Ethernet2/0/10 ports for users of group A.
UDP-HELPER CONFIGURATION 67 Introduction to UDP-Helper UDP-Helper is designed to relay specified UDP broadcast packets. It enables a device to operate as a UDP packet relay. That is, it can convert UDP broadcast packets into unicast packets and forward them to a specified server. Normally, all the received UDP broadcast packets are passed to the UDP module.
CHAPTER 67: UDP-HELPER CONFIGURATION Table 592 Configure UDP-Helper Operation Command Description Configure a UDP port as a UDP-Helper destination port udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time } This operation is unnecessary if the port is among the default UDP ports listed in Table 591. With UDP-Helper enabled, UDP broadcast packets destined for the ports listed in Table 591 are relayed by default.
UDP-Helper Configuration Example 737 Table 593 Display and Maintain UDP-Helper Operation Command Description Clear the statistics about packets forwarded by UDP-Helper reset udp-helper packet You can use the reset command in user view UDP-Helper Configuration Example Network requirements Network diagram The IP address of VLAN 1 interface is 10.110.1.1/16. The VLAN interface is connected to the network segment 10.110.0.0/16.
68 SNMP CONFIGURATION SNMP Overview By far, the simple network management protocol (SNMP) has gained the most extensive application in computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used to ensure the transmission of management information between any two nodes, so that network administrators can easily query and modify the information on any node on the network.
CHAPTER 68: SNMP CONFIGURATION MIBs Supported by the Device ■ Define MIB view that a community can access. ■ Set read-only or read-write right to access MIB objects for the community. The read-only community can only query device information, while the read-write community can configure the device. ■ Set the basic ACL specified by the community name. The management variable in the SNMP packet is used to describe management objects of a device.
Configuring SNMP Basic Functions 741 Table 594 Common MIBs MIB attribute MIB content References Private MIB DHCP MIB - QACL MIB - ADBM MIB - IGMP Snooping MIB - RSTP MIB - VLAN MIB - Device management - Interface management - Configuring SNMP Basic Functions The configuration of SNMP V3 is different from that of SNMP V1 and SNMP V2C; therefore SNMP basic function configurations for different
Table 595 Configure SNMP basic functions for SNMP V1 and SNMP V2C Operation Command Description Direct: Set a community name snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* Required ■ Direct configuration for SNMP V1 and SNMP V2C is based on community name. Indirect: Set an SNMP group snmp-agent group { v1 | ■ Indirect configuration.
Configuring Trap 743 Table 596 Configure SNMP basic functions (SNMP V3) Operation Command Description Add a new user for an SNMP group snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ] Required Set the size of SNMP packet that the Agent can send/receive snmp-agent packet max-size byte-count Optional By default, it is 2,000 bytes. Configuring Trap Configuration Prerequisites Configuration Tasks
Table 597 Configure Trap Operation Command Description Set Trap target host address snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 { authentication | privacy } ] Required Set the source address to send Trap packets snmp-agent trap source interface-type interface-number Optional Set the information queue length of Trap packet sent to destination host snmp-agent trap queue-
SNMP Configuration Example 745 Table 598 Display SNMP Operation Command Description Display system information of the current SNMP device display snmp-agent sys-info [ contact | location | version ]* Display SNMP packet statistics information display snmp-agent statistics The display command can be executed in any view Display the switch fabric ID of the current device display snmp-agent { local-switch fabricid | remote-switch fabricid } Display group information about the device display snmp-a
system-view [SW7750] snmp-agent [SW7750] snmp-agent sys-info version all [SW7750] snmp-agent community write public [SW7750] snmp-agent mib-view include internet 1.3.6.1 [SW7750] snmp-agent group v3 managev3group write-view internet [SW7750] snmp-agent usm-user v3 managev3user managev3group # Set the VLAN interface 2 as the interface used by NMS. Add port Ethernet1/0/2 to VLAN 2. This port will be used for network management.
69 RMON CONFIGURATION Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF) and is one of the most important enhancements made to the MIB II standard. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.
CHAPTER 69: RMON CONFIGURATION Commonly Used RMON Groups Event group The event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used in alarm group and extended alarm group to trigger alarms.
RMON Configuration 749 With the history data management function, you can configure network devices to collect history data, for example to collect the data of a specific port periodically and save it. Statistics group The statistics group contains the statistics of each monitored port on a network device. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.
Table 599 Configure RMON Operation Command Description Add a statistics entry rmon statistics entry-number [ owner text ] Optional Note: ■ The rmon alarm and rmon prialarm commands take effect on existing nodes only. ■ For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry has already been created for a given port, creating another entry with a different index for the same port will not succeed. Displaying RMON
RMON Configuration Example Configuration procedures # Configure RMON. system-view [SW7750] interface Ethernet2/0/1 [SW7750-Ethernet2/0/1] rmon statistics 1 owner user1-rmon # View RMON configuration. [SW7750-Ethernet2/0/1] display rmon statistics Ethernet2/0/1 Statistics entry 1 owned by user1-rmon is VALID. Interface : Ethernet2/0/1
NTP CONFIGURATION 70 Introduction to NTP Network time protocol (NTP) is a time synchronization protocol defined by RFC 1305. It is used for time synchronization among a set of distributed time servers and clients. NTP transmits packets through UDP port 123. NTP is intended for time synchronization of all devices that have clocks in a network, so that the clocks of all devices stay consistent. This supports applications that require a unified time.
CHAPTER 70: NTP CONFIGURATION as the stratum number increases. Clocks with a stratum of 16 are in the unsynchronized state and cannot serve as reference clocks. Working Principle of NTP Figure 192 shows the implementation principle of NTP. Ethernet switch A (Device A) is connected to Ethernet switch B (Device B) through Ethernet ports. Both have their own system clocks, and they need to synchronize their clocks with each other through NTP.
Introduction to NTP 755 ■ When receiving the response packet, the local time of Device A is 10:00:03 am (T4). At this time, Device A has enough information to calculate the following two parameters: ■ Delay for an NTP message to make a round trip between Device A and Device B: Delay = (T4 - T1) - (T3 - T2). ■ Time offset of Device A relative to Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2. Device A can then set its own clock according to the above information to synchronize its clock to that of Device B.
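As an added example (not code from the 3Com guide), the following Python computes Delay and Offset from the four timestamps with exactly the two formulas above. Only T4 = 10:00:03 is given on this page, so T1, T2 and T3 are constructed values, and the plausibility check before the clock is adjusted (negative delay, offset bound of 1000 s) is an assumed operator policy rather than anything the guide specifies.

```python
from datetime import datetime, timedelta

# Constructed timestamps for the exchange described in the guide (only T4 =
# 10:00:03 appears on this page; T1..T3 are assumed for illustration).
T1 = datetime(2001, 9, 6, 10, 0, 0)   # Device A sends request (A's clock)
T2 = datetime(2001, 9, 6, 11, 0, 1)   # Device B receives request (B's clock)
T3 = datetime(2001, 9, 6, 11, 0, 2)   # Device B sends response (B's clock)
T4 = datetime(2001, 9, 6, 10, 0, 3)   # Device A receives response (A's clock)


def ntp_delay_offset(t1, t2, t3, t4):
    """Return (delay, offset) in seconds using the guide's formulas:
    Delay  = (T4 - T1) - (T3 - T2)
    Offset = ((T2 - T1) + (T3 - T4)) / 2
    Subtracting (T3 - T2) removes Device B's processing time from the round
    trip; the offset is the mean of the two one-way clock differences, so
    a symmetric path delay cancels out."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay.total_seconds(), offset.total_seconds()


def sample_is_plausible(delay_s, offset_s, max_abs_offset_s=None):
    """Reject a sample whose round-trip delay is negative (the timestamps are
    inconsistent, e.g. a clock was stepped mid-exchange) or, when a bound is
    given, whose offset exceeds it. The bound is an assumed operator policy."""
    if delay_s < 0:
        return False
    if max_abs_offset_s is not None and abs(offset_s) > max_abs_offset_s:
        return False
    return True


def synchronize(local_time, offset_s):
    """Apply the computed offset to Device A's clock."""
    return local_time + timedelta(seconds=offset_s)


def run_example():
    """Work the constructed exchange through; Device A is one hour behind B."""
    delay_s, offset_s = ntp_delay_offset(T1, T2, T3, T4)
    return {
        "delay_s": delay_s,                      # 2.0
        "offset_s": offset_s,                    # 3600.0
        "plausible_unbounded": sample_is_plausible(delay_s, offset_s),
        "plausible_1000s": sample_is_plausible(delay_s, offset_s, 1000),
        "synced_t4": synchronize(T4, offset_s),  # 11:00:03
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With the constructed values the round trip is 2 s and the offset is 3600 s, so Device A's clock at T4 becomes 11:00:03. The same sample fails the 1000 s bound, which is the point of the check: a large step from a single exchange is worth alarming on rather than applying silently.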
In peer mode, the active peer sends clock synchronization packets first, and its peer works as a passive peer automatically. If both of the peers have reference clocks, the one with the smaller stratum is adopted.
NTP Implementation Mode Configuration 757 Table 601 NTP implementation modes on a Switch 7750 NTP implementation mode Configuration on Switch 7750 Broadcast mode ■ Configure the Switch 7750 to operate in NTP broadcast server mode. In this case, the Switch 7750 broadcasts NTP packets through the VLAN interface configured on the switch. ■ Configure the Switch 7750 to operate in NTP broadcast client mode.
Table 602 Configure NTP implementation modes Operation Command Description Enter VLAN interface view interface interface-type interface-number - Configure to operate in the NTP broadcast client mode ntp-service broadcast-client Optional Configure to operate in the NTP broadcast server mode ntp-service broadcast-server [ authentication-keyid key-id | version number ]* Optional Configure to operate in the NTP multicast client mode ntp-service multicast-client
Access Control Permission Configuration 759 NTP multicast client mode will respond to this packet and start the clock synchronization procedure. In this mode, the switch can accommodate up to 1,024 multicast clients. Note: ■ The total number of the servers and peers configured for a switch can be up to 128. ■ After the configuration, the Switch 7750 does not establish connections with the peer if it operates in NTP server mode. Access Control Permission Configuration
Configuring NTP Authentication Configuring NTP authentication on the client Table 604 Configure NTP authentication on the client Operation Command Description Enter system view system-view - Enable NTP authentication globally ntp-service authentication enable Required Configure the NTP authentication key ntp-service authentication-keyid key-id authentication-model md5 value Required Configure the specified key to be a trusted key ntp-service reliable authent
Configuration of Optional NTP Parameters 761 Table 605 Configure NTP authentication on the server Operation Command Description Configure the specified key to be a trusted key ntp-service reliable authentication-keyid key-id Required Enter VLAN interface view interface interface-type interface-number - Associate a specified key with the corresponding NTP server Broadcast server mode: ■ In NTP broadcast server mode and NTP multicast server mode, you need to associate the specified key with the
Table 606 Configure optional NTP parameters Operation Command Description Disable the interface from receiving NTP packets ntp-service in-interface disable Optional By default, a VLAN interface receives NTP packets. Displaying and Debugging NTP
Configuration Example 763 Network diagram: Figure 197 Network diagram for the NTP server mode configuration (S7750-1 1.0.1.11/24, S7750-2 1.0.1.12/24). Configuration procedures Configure S7750-1. # Set the local clock as the NTP master clock, with the stratum being 2. system-view System View: return to User View with Ctrl+Z. [SW7750-1] ntp-service refclock-master 127.127.1.1 2 The following configurations are for S7750-2. # View the NTP status of S7750-2 before synchronization.
The above output indicates that S7750-2 is synchronized to S7750-1, and the stratum of its clock is 3, one stratum higher than S7750-1. # View the information about the NTP sessions of S7750-2. You can see that S7750-2 establishes a connection with S7750-1. [SW7750-2]dis ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************** [12345]1.0.1.11 127.127.1.
Configuration Example 765 system-view [SW77503] # After the local synchronization, set the Switch 7750 to be its peer. [SW77503] ntp-service unicast-peer 3.0.1.32 The Switch 7750 and 3Com3 are configured to be peers of each other. 3Com3 operates in the active peer mode, while the Switch 7750 operates in the passive peer mode. Because the stratum of the local clock of 3Com3 is 1, and that of the Switch 7750 is 3, the Switch 7750 is synchronized to 3Com3.
Network diagram: Figure 199 Network diagram for the NTP broadcast mode configuration (Vlan-int 2 3.0.1.31/24 3Com3; Vlan-int 2 1.0.1.31/24 Switch 7500-2; 3Com4; Vlan-int 2 3.0.1.32/24 Switch 7500-1). Configuration procedures 1 Configure 3Com3. # Enter system view. system-view [SW77503] # Enter VLAN-interface 2 view.
Configuration Example 767 system-view [s7500-2] # Enter VLAN-interface 2 view. [SW7750-2] interface Vlan-interface 2 [SW7750-2-Vlan-Interface2] # Configure Switch 7750-2 to be a broadcast client. [SW7750-2-Vlan-interface2] ntp-service broadcast-client With the above configuration, Switch 7750-1 and Switch 7750-2 listen to broadcast packets through their VLAN interface 2, and 3Com3 sends broadcast packets through VLAN interface 2.
Network diagram: Figure 200 Network diagram for NTP multicast mode configuration (Vlan-int 2 3.0.1.31/24 3Com3; Vlan-int 2 1.0.1.31/24 Switch 7500-2; 3Com4; Vlan-int 2 3.0.1.32/24 Switch 7500-1). Configuration procedures 1 Configure 3Com3. # Enter system view. system-view [SW77503] # Enter VLAN-interface 2 view. [SW77503] interface Vlan-interface 2 # Configure 3Com3 to be a multicast server.
Configuration Example 769 # Enter VLAN-interface 2 view. [SW7750-2] interface Vlan-interface 2 # Configure Switch 7750-2 to be a multicast client. [SW7750-2-Vlan-Interface2] ntp-service multicast-client With the above configuration, Switch 7750-1 and Switch 7750-2 listen to multicast packets through their VLAN interface 2, and 3Com3 advertises multicast packets through VLAN interface 2.
Network diagram: Figure 201 Network diagram for NTP server mode with authentication configuration (S7500-1 1.0.1.11/24, S7500-2 1.0.1.12/24). Configuration procedures 1 Configure Switch 7750-2. # Enter system view. system-view [SW7750-2] # Configure Switch 7750-1 to be the time server. [SW7750-2] ntp-service unicast-server 1.0.1.11 # Enable NTP authentication.
Configuration Example 771 [SW7750-2] display ntp-service status Service status: enabled Clock status: synchronized Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequence: 250.0000 Hz Actual frequence: 249.9992 Hz Clock precision: 2^19 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 6 2001 (BF422AE4.
71 SSH TERMINAL SERVICES SSH Terminal Services Introduction to SSH Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log in to the Switch remotely through an insecure network. As an SSH server, a switch can connect to multiple SSH clients; as an SSH client, a switch can establish SSH connections with switches or UNIX hosts that support an SSH server.
CHAPTER 71: SSH TERMINAL SERVICES ■ Password authentication works as follows: The client sends a password authentication request carrying the encrypted username and password to the server. The server decrypts the request to obtain the username and password in plain text, and matches the username and password against those configured on itself. Then, it returns the authentication result according to the matching result.
SSH Terminal Services 775 Table 609 Configure supported protocols Operation Command Description Enter one or multiple user interface views user-interface [ type-keyword ] number [ ending-number ] Required Configure the protocols supported in the user interface view(s) protocol inbound { all | ssh | telnet } Optional By default, the system supports both Telnet and SSH CAUTION: ■ When SSH protocol is specified, to ensure a successful login, you must configure the AAA authentication using the aut
■ You only need to execute the command once; no further action is required even after the system is rebooted. ■ If you use this command to generate an RSA key when an old one already exists, the system prompts you whether to replace the previous one. Creating an SSH user This configuration task is used to configure an SSH user.
SSH Terminal Services 777 ■ For the password-publickey authentication type: SSH1 client users can access the switch as long as they pass one of the two authentications. SSH2.0 client users can access the switch only when they pass both the authentications. ■ For the password authentication, username should be consistent with the effective username defined in AAA; for the RSA authentication, username is the SSH local username, so that there is no need to configure a local user in AAA.
Table 614 Configure client public keys Operation Command Description Enter public key edit view public-key-code begin You can key in blank spaces between characters; the system removes them automatically. The public key must consist of hexadecimal characters.
SSH Terminal Services 779 Table 616 Configure a device as an SSH client Operation Command Description Enter system view system-view - Disable the SSH client from performing first-time authentication for the SSH server to be accessed undo ssh client first-time Optional Configure the public key of the server on the client Refer to “Configuring a Client Public Key” on page 777 Required if first-time authentication is not configured on the client By default, the SSH client performs first-time authe
Network diagram: Figure 202 Network diagram for SSH server configuration (Host as SSH client, Switch as SSH server). Configuration procedure 1 Generate a local RSA key pair. system-view [SW7750] rsa local-key-pair create Note: If the local RSA key pair has been generated in previous operations, skip this step. 2 Set authentication type.
SSH Terminal Services 781 [SW7750-ui-vty0-4] protocol inbound ssh # Configure the login protocol for user client002 as SSH and the authentication type as RSA public key. [SW7750] ssh user client002 authentication-type rsa # Randomly generate RSA key pairs on the SSH2.0 client and send the corresponding public keys to the server. # Configure client public keys on the server, with their name as 3Com002.
[SW7750-Vlan-interface1] ip address 10.1.1.3 255.255.255.0 [SW7750-Vlan-interface1] quit CAUTION: Generating a server RSA key pair is required for SSH login. # Generate an RSA key pair. [SW7750] rsa local-key-pair create # Set the authentication mode for the user interfaces to AAA. [SW7750] user-interface vty 0 4 [SW7750-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
SSH Terminal Services 783 [SW7750] display rsa local-key-pair public ===================================================== Time of Key pair created: 09:04:41 2000/04/04 Key name: 3Com_Host Key type: RSA encryption Key ===================================================== Key code: 308188 028180 C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86 FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9 E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420 024ECF2C 28A6A454 C27449E0 46EB1EA
Note: After generating a key pair on a client, you need to configure the public key on the server and complete the server configuration before continuing with the configuration of the client. # Disable first-time authentication. [SW7750] undo ssh client first-time Note: If first-time authentication is not configured, you must manually configure the RSA host public key of the server on the client.
SFTP Service 785 provide secured data transfer. As an SFTP client, it allows you to securely log onto another device to transfer files.
Table 620 Configure SFTP client Operation Command keyword View Description SFTP file-related operations: Rename a file or directory on the SFTP server rename SFTP client view Optional Download a file from the remote SFTP server get SFTP client view Optional Upload a local file to the remote SFTP server put Display the list of the files in a directory dir / ls Delete a file from the SFTP server delete / remove Get help information about SFTP client commands he
SFTP Service 787 Operating with SFTP directories SFTP directory-related operations include: changing or displaying the current directory, creating or deleting a directory, displaying files or information of a specific directory.
Table 625 Display help information about SFTP client commands Operation Command Description Enter SFTP client view sftp { host-ip | host-name } - Display help information about SFTP client commands help [ all | command-name ] Optional SFTP Configuration Example Network requirements As shown in Figure 204. ■ An SSH connection is present between Switch A and Switch B. ■ Switch B serves as an SFTP server, with IP address 10.111.27.91/24.
SFTP Service 789 The following files will be deleted: /z Are you sure to delete it?(Y/N):y This operation may take a long time.Please wait... Received status: Success File successfully Removed sftp-client> dir -rwxrwxrwx 1 noone nogroup -rwxrwxrwx 1 noone nogroup -rwxrwxrwx 1 noone nogroup drwxrwxrwx 1 noone nogroup -rwxrwxrwx 1 noone nogroup Received status: End of file Received status: Success 1759 225 283 0 225 Aug Aug Aug Sep Sep 23 24 24 01 01 06:52 08:01 07:39 06:22 06:55 config.
sftp-client> put pu puk This operation may take a long time, please wait...
FILE SYSTEM MANAGEMENT 72 n You can provide the directory argument in the following two ways in this chapter. ■ In the form of [drive] [path]. In this case, the argument can be a string containing 1 to 64 characters. ■ By specifying the name of a storage device, such as flash:/ and cf:/. You can provide the file-url argument in the following two ways in this chapter. ■ In the form of [drive] [path] [file name]. In this case, the argument can be a string containing 1 to 64 characters.
CHAPTER 72: FILE SYSTEM MANAGEMENT Table 626 CF Module Configuration Operation Command Description Enter the root directory of a CF card cd cf: Required Disable a CF card umount cf: Required Note: Currently, only the 96Gbps Switch Fabric supports the CF module. The operations listed in Table 627 are available in the directories on a CF module.
File System Configuration 793 Table 629 File-related operations Operation Command Description Delete a file delete [ /unreserved ] file-url Optional A file deleted with the delete command without the /unreserved keyword can be restored; use the undelete command to restore a file deleted this way. Restore a deleted file undelete file-url Optional This operation can only restore files that were deleted without the /unreserved keyword.
Table 630 Storage device-related operations Operation Command Description Format a storage device format device Required Restore a storage device fixdisk device Optional Prompt Mode Configuration You can set the file system prompt mode to be alert or quiet. In alert mode, the file system prompts for confirmation when you perform irreversible operations (such as deleting a file completely or overwriting a file).
File System Configuration 0 1 2 3 4 5 6 7 8 9 -rw-rw-rw-rwdrwdrw-rw-rw-rwdrw- 4 16215134 483 3980 11779 19307 66 - Mar 09 2006 13:59:19 Apr 04 2006 16:36:20 Apr 20 2006 14:50:54 Apr 21 2006 15:08:29 Apr 16 2006 11:18:17 Apr 10 2005 19:07:59 Apr 05 2006 10:23:03 Apr 16 2006 11:15:55 Apr 05 2006 11:32:28 Apr 25 2006 16:27:46 snmpboots S7750.app diaginfo.txt config.cfg hj dd test.bak 1.
73 BIMS CONFIGURATION Introduction to BIMS Basic Principles and Functions of BIMS To manage a network device through SNMP or Telnet, you need to know its IP address. This is difficult, however, when the device obtains its address through DHCP or when the device resides behind a NAT device. Branch intelligent management system (BIMS) was thus developed, delivering automatic configuration file and application updates. BIMS comprises the BIMS center side and the device side.
CHAPTER 73: BIMS CONFIGURATION 6 The device verifies the device software obtained from the BIMS center and installs it locally. Then the device sends an acknowledgement to the BIMS center. 7 Upon receipt of the acknowledgement, the BIMS center logs the event and sends back a response. BIMS Device Configuration Tasks Basic Configuration of BIMS Device BIMS is a convenient management tool. It provides an intelligent function for upgrading the configuration file and applications.
Configuring BIMS Access Mode 799 Configuring BIMS Access Mode Enabling BIMS Device to Access BIMS Center upon Power-on After you make the following configuration, the BIMS device can access the BIMS center after it is powered on and initialized.
Accessing the BIMS Center as Driven by the Command Execute the following command in system view to make the BIMS device access the BIMS center immediately.
BIMS Configuration Example 801 [SW7750] bims sharekey simple 1122334455667788 # Configure the IP address of the BIMS. The default port 80 is used. [SW7750] bims ip address 10.153.21.97 # Configure the interval for accessing the BIMS center. [SW7750] bims interval 2880 Configuring the BIMS Device to Access the BIMS Center Periodically within a Specified Period Network requirements The BIMS device will access the BIMS center at 12:10 on May 1, 2005.
74 FTP AND TFTP CONFIGURATION FTP Configuration Introduction to FTP FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred from the command line, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its strongholds. As an application layer protocol, FTP is used for file transfer between a remote server and a local host.
CHAPTER 74: FTP AND TFTP CONFIGURATION Table 637 Configurations needed when a switch operates as an FTP server Device Configuration Default Description PC Log into a switch operating as an FTP server through an FTP client application. - - CAUTION: The FTP-related functions require that the route between an FTP client and the FTP server is reachable. ■ FTP client A switch can operate as an FTP client, through which you can access files on FTP servers.
FTP Configuration 805 Configuration procedure Table 639 Configure an FTP server Operation Command Description Enter system view system-view - Enable the FTP server function ftp server enable Required By default, the FTP server function is disabled. Set the connection idle time ftp timeout minutes Optional The default connection idle time is 30 minutes. n ■ Only one user can access a Switch 7750 at a given time when the latter operates as an FTP server.
Configuration Example: A Switch Operating as an FTP Server Network requirements A switch operates as an FTP server and a remote PC as an FTP client. ■ Create a user account on the FTP server with the user name “switch” and password “hello”. The work directory assigned for FTP clients is the root directory of the flash. ■ Configure the IP address 1.1.1.1 for a VLAN interface on the switch, and 2.2.2.2 for the PC. Ensure the route between the two is reachable.
FTP Configuration 807 # Access the Ethernet switch through FTP. Input the user name “switch” and password “hello” to log in and enter FTP view. C:\> ftp 1.1.1.1 Connected to 1.1.1.1. 220 FTP service ready. User (1.1.1.1:(none)): switch 331 Password required for switch. Password: 230 User logged in. ftp> # Upload the switch.app file. ftp> put switch.app 200 Port command okay. 150 Opening ASCII mode data connection for switch.app. 226 Transfer complete. # Download the config.cfg file. ftp> get config.
operating as an FTP client. Table 641 lists the operations that can be performed on an FTP client.
FTP Configuration 809 Table 641 Basic FTP client configuration Operation Command Description Display the on-line help on a specified command concerning FTP remotehelp [ protocol-command ] Optional Enable debugging for FTP debugging Optional Enable the verbose function verbose Optional The verbose function is enabled by default. Configuration Example: A Switch Operating as an FTP Client Network requirements A switch operates as an FTP client and a remote PC as an FTP server.
# Connect to the FTP server using the ftp command. You need to provide the IP address of the FTP server, the user name and the password as well. ftp 2.2.2.2 Trying ... Press CTRL+K to abort Connected. 220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user User(none):switch 331 Give me your password, please Password: 230 Logged in successfully [ftp] # Run the put command to upload the configuration file named config.cfg to the FTP server.
TFTP Configuration 811 Note: ■ Before performing TFTP-related configurations, you need to configure IP addresses for the TFTP client and the TFTP server, and make sure the route between the two is reachable. ■ A switch can only operate as a TFTP client. Figure 208 Network diagram for TFTP configuration (Host and Switch connected through an IP network). Table 642 describes the operations needed when a switch operates as a TFTP client.
Table 643 Basic TFTP configurations Operation Command Description Specify the ACL adopted when a switch attempts to connect to a TFTP server tftp-server acl acl-number Optional TFTP Configuration Example Network requirements A switch operates as a TFTP client and a PC as the TFTP server. ■ The TFTP work directory is configured on the TFTP server. ■ The IP address of a VLAN interface on the switch is 1.1.1.1.
TFTP Configuration 813 boot boot-loader switch.app reboot n For information about the boot boot-loader command and how to specify the startup file for a switch, refer to “Specifying the APP to be Adopted at Reboot” on page 863.
75 INFORMATION CENTER

Information Center Overview

Information center is an indispensable part of Ethernet switches and exists as an information hub of system software modules. The information center manages most information outputs; it sorts information carefully, and hence can screen information in an efficient way. Combined with the debugging program (debugging commands), it provides powerful support for network administrators and developers in network operation monitoring and fault diagnosis.
CHAPTER 75: INFORMATION CENTER

“hh:mm:ss” is the local time, where “hh” is in the 24-hour format, ranging from 00 to 23, and both “mm” and “ss” range from 00 to 59. “yyyy” is the year. Note that a space separates the time stamp and the host name.

3 Host name: It refers to the system name of the host, which is “3Com” by default. You can modify the host name with the sysname command. Refer to “Setting the System Name of the Switch” on page 853. Note that a space separates the host name and the module name.
Table 644 Modules generating information
■ HA: High availability module
■ HABP: 3Com authentication bypass protocol module
■ HWCM: 3Com Configuration Management private MIB module
■ HWP: NQA module
■ IFNET: Interface management module
■ IGSP: IGMP snooping module
■ IP: Internet protocol module
■ IPX: IPX protocol module
■ ISIS: Intermediate system-to-intermediate system intra-domain routing information exchange protocol module
■ L2INF: Layer 2 interface management
Table 644 Modules generating information (continued)
■ SYSM: System management module
■ SYSMIB: System MIB module
■ TAC: Terminal access controller module
■ TELNET: Telnet module
■ TFTPC: TFTP client module
■ TUNNEL: Packets transparent transmission module
■ UDPH: UDP helper module
■ USERLOG: User log module
■ VFS: Virtual file system module
■ VLAN: Virtual local area network module
■ VRRP: VRRP (virtual router redundancy protocol) module
■ VTY: VTY (virtual type termin
7 Information text: Information text contains the detail of system information.

Information Center Configuration

The above section describes the log information format sent to a log server by a switch. Some log server software will parse the received information as well as its format, so the log format displayed on the log server may differ from the one described in this manual.
Table 647 Enable information output to a log host
■ Enable information output to a log host: info-center loghost host-ip-addr [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] * (Required) By default, the switch does not output information to the log host. After you configure the switch to output information to the log host, the switch uses information channel 2 by default.
Table 648 Enable information output to the console
■ Set the format of the time stamp: info-center timestamp { log | trap | debugging } { boot | date | none } (Optional)

To view debugging/log/trap output information on the console, you should also enable the corresponding debugging/log/trap information terminal display on the switch.
Table 650 Enable information output to a monitor terminal
■ Define an information source: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state state } ]* (Required)
■ Set the format of the time stamp: info-center timestamp { log | trap | debugging } { boot | date | none } (Optional) This sets the time stamp format for log/debugging/trap information output.
Table 651 Enable debugging/log/trap terminal display
■ Enable the trap information terminal display function: terminal trapping (Optional) By default, trap information terminal display is enabled for terminal users.

Enabling Information Output to the Log Buffer

Table 652 lists the related configurations on the switch.
Table 653 Enable information output to the trap buffer
■ Enable information output to the trap buffer: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* (Optional)
■ Define an information source: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state state } ]* (Required)
■ Set the format of the time stamp: info-center timestamp { log
Displaying and Debugging Information Center Configuration

■ To view debug information of specific modules, you need to set the information type as debug in the info-center source command, and enable debugging on the corresponding modules with the debugging command as well.
■ To send information to a remote SNMP workstation properly, related configurations are required on both the switch and the SNMP workstation.
Network diagram

Figure 210 Network diagram for log output to a Unix log host (Switch, Network, Unix loghost 202.38.1.10)

Configuration procedure

1 Configure the switch:
# Enable the information center.
system-view
[SW7750] info-center enable
# Disable for all modules the function of outputting information to log host channels.
[SW7750] undo info-center source default channel loghost
# Configure the host whose IP address is 202.38.1.10 as the log host.
Information Center Configuration Examples 827

configured in the commands info-center loghost and info-center source. Otherwise, log information may not be output to the log host normally.

Step 3: After the log file “information” is created and the file “/etc/syslog.conf” is modified, run the following command to send a HUP signal to the system daemon “syslogd”, so that it reads its new configuration file “/etc/syslog.conf”.
Step 2: Edit the file “/etc/syslog.conf” as the superuser (root user) to add the following selector/action pair.

# 3Com configuration messages
local7.info	/var/log/3Com/information

Note the following items when you edit the file “/etc/syslog.conf”.
■ A note must start in a new line following a “#” sign.
■ In each pair, a tab should be used as a separator instead of a space.
■ No space is permitted at the end of the file name.
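The three editing rules above are easy to get wrong by hand (a space instead of a tab silently breaks the rule, and a trailing space changes the file name syslogd opens). The following is an added example, not code from the 3Com guide: it generates the selector/action pair in the required form, checks an existing syslog.conf line against the rules, and checks that the selector's facility matches the local-number given to info-center loghost on the switch, which the guide says must agree. The local7 facility used below is the value from the guide's own example; the function and regular-expression names are this example's own.

```python
"""Helpers for the /etc/syslog.conf edit the guide describes for a Unix log host.

Added example, not code from the 3Com guide. It applies the guide's three
editing rules (a note starts on a new line with '#', selector and action are
tab-separated, no trailing space after the file name) and checks that the
selector's facility matches the "facility local-number" value given to
info-center loghost on the switch.
"""
import re

# selector = facility.priority, e.g. local7.info ('*' is allowed on either side)
SELECTOR_RE = re.compile(r"^(?P<facility>[a-z0-9*]+)\.(?P<priority>[a-z*]+)$")


def make_syslog_entry(facility, priority, logfile, note=None):
    """Return the lines to append to /etc/syslog.conf, in the guide's form."""
    lines = []
    if note:
        lines.append("# " + note)                       # a note is its own line after '#'
    lines.append(f"{facility}.{priority}\t{logfile}")   # tab separator, never spaces
    return lines


def check_syslog_line(line):
    """Return the rule violations found in one syslog.conf line ([] when it is fine)."""
    problems = []
    if not line.strip() or line.lstrip().startswith("#"):
        return problems                                 # blank line or note: nothing to check
    if "#" in line:
        problems.append("a note must start on its own line after '#'")
    if line != line.rstrip(" "):
        problems.append("trailing space after file name")
    if "\t" in line:
        parts = [p for p in line.split("\t") if p]
    else:
        problems.append("selector and action must be tab-separated")
        parts = line.split()
    if len(parts) != 2:
        problems.append("expected exactly one selector/action pair")
        return problems
    selector, action = parts
    if not SELECTOR_RE.match(selector.strip()):
        problems.append(f"malformed selector {selector!r}")
    if not action.strip().startswith("/"):
        problems.append(f"action {action!r} is not an absolute file path")
    return problems


def selector_facility(selector):
    """'local7.info' -> 'local7' (None if the selector is malformed)."""
    m = SELECTOR_RE.match(selector)
    return m.group("facility") if m else None


def facility_matches_loghost(selector, local_number):
    """True when the selector's facility is local<local_number>, i.e. the facility
    configured with 'info-center loghost ... facility local<n>' on the switch."""
    return selector_facility(selector) == f"local{local_number}"


if __name__ == "__main__":
    for ln in make_syslog_entry("local7", "info", "/var/log/3Com/information",
                                "3Com configuration messages"):
        print(repr(ln), check_syslog_line(ln))
    print(check_syslog_line("local7.info /var/log/3Com/information"))  # space, not tab
```

Run check_syslog_line over every line of the edited file before sending the HUP signal; an empty list for each line means the file satisfies the guide's notes, and facility_matches_loghost ties the host side to the facility chosen on the switch.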
# Disable for all modules the function of outputting information to the console channels.
[SW7750] undo info-center source default channel console
# Enable log information output to the console. Permit the ARP and IP modules to output information with severity level higher than informational to the console.
76 DNS CONFIGURATION

DNS Overview

Domain name system (DNS) is a distributed database system that provides domain name-to-IP address mappings for TCP/IP applications. With DNS, users of IP applications can directly use meaningful, easy-to-remember domain names, which will be resolved and mapped to the corresponding IP addresses by DNS servers. There are two types of DNS resolution, “Static DNS Resolution” on page 831 and “Dynamic DNS Resolution” on page 831.
CHAPTER 76: DNS CONFIGURATION

Figure 213 Dynamic DNS resolution (user program; DNS client made up of the resolver and its cache; DNS server; request/response arrows between them)

Figure 213 shows the relationship between the user program, DNS client and DNS server. The resolver and cache compose the DNS client. The user program runs on the same machine as the DNS client, while the DNS server and the DNS client must run on different machines.
Configuring Static DNS Resolution

Table 656 Configure static DNS resolution
■ Enter system view: system-view
■ Add a hostname-to-address mapping entry: ip host hostname ip-address (Required) There is no entry in the static DNS list by default. As one hostname can be mapped to only one IP address, when you add multiple hostname-to-address mapping entries with the same hostname, only the last one will be valid.
Network diagram

Figure 214 Network diagram for dynamic DNS resolution (Switch as DNS client, DNS server, Host host.com, IP network; addresses shown: 2.1.1.2/16, 2.1.1.1/16, 1.1.1.1/16, 3.1.1.1/16)

Configuration procedure

Before doing the following configuration, suppose the route between Switch and Host is reachable, the DNS server works normally, and a mapping entry from Host to IP address 3.1.1.1/16 exists on the DNS server.

# Enable dynamic DNS resolution.
Troubleshooting DNS Configuration 835

Table 658 Display and maintain DNS
■ Display static DNS list information: display ip host
■ Display DNS server information: display dns server [ dynamic ]
■ Display DNS suffix list information: display dns domain
■ Display dynamic DNS cache information: display dns dynamic-host
■ Clear the dynamic DNS cache.
You can execute the display commands in any view.
77 BOOTROM AND HOST SOFTWARE LOADING

Traditionally, the loading of switch software is accomplished through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port. This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely.
CHAPTER 77: BOOTROM AND HOST SOFTWARE LOADING

******************************************
Copyright(c) 2004-2007 3Com Corporation
Creation date : Apr 15 2007, 14:48:52
CPU type : MPC8245
CPU Clock Speed : 300Mhz
BUS Clock Speed : 33Mhz
BOOT_FLASH type : AMD29LV040B
Flash Size : 32MB
Memory Size : 256MB
S7757 main board self testing................................
SDRAM Data lines Selftest.................................OK!
SDRAM Address lines Selftest..............................
Local Software Loading 839

The XMODEM transmission procedure is completed by a receiving program and a sending program: the receiving program sends negotiation characters to negotiate a packet checking method. After the negotiation, the sending program starts to transmit data packets. When receiving a complete packet, the receiving program checks the packet using the agreed method.
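To make the negotiation and the per-packet check concrete, here is an added example, not code from the 3Com guide or its BootROM, that frames 128-byte XMODEM blocks and verifies them with either of the two standard check methods. In XMODEM the receiver repeats NAK (0x15) to ask for the 8-bit checksum or the character 'C' (0x43) to ask for CRC-16, which is why the BootROM prints a run of "C" characters while it waits for the sender (see the "Loading ...CCCCCCCCCC done!" output later in this chapter). The packet layout and the CRC polynomial are the standard XMODEM ones; the padding byte 0x1A and all function names are this example's own choices.

```python
"""XMODEM packet framing and the two packet-check methods a receiver can negotiate.

Added example, not code from the 3Com guide or its BootROM. Layout of one
packet: SOH, block number, 255 - block number, 128 data bytes, then either a
one-byte arithmetic checksum (negotiated with NAK) or a two-byte CRC-16
(negotiated with 'C'). Short final blocks are padded with 0x1A, the usual
CP/M end-of-file filler (an assumption of this example).
"""
SOH, EOT, ACK, NAK, CRC_REQUEST = 0x01, 0x04, 0x06, 0x15, 0x43
BLOCK_SIZE = 128
PAD = 0x1A


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no bit reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def checksum8(data):
    """Original XMODEM check: sum of the data bytes modulo 256."""
    return sum(data) & 0xFF


def receiver_negotiation_char(want_crc):
    """Byte the receiver repeats until the sender's first packet arrives."""
    return bytes([CRC_REQUEST if want_crc else NAK])


def build_packet(block_no, payload, use_crc):
    """Frame one block: SOH, block number, its complement, 128 data bytes, check."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one XMODEM block")
    data = bytes(payload) + bytes([PAD]) * (BLOCK_SIZE - len(payload))
    header = bytes([SOH, block_no & 0xFF, (255 - block_no) & 0xFF])
    if use_crc:
        check = crc16_xmodem(data).to_bytes(2, "big")
    else:
        check = bytes([checksum8(data)])
    return header + data + check


def verify_packet(packet, expected_block, use_crc):
    """Return (ok, reason); ok is True when the receiver should ACK the packet."""
    check_len = 2 if use_crc else 1
    if len(packet) != 3 + BLOCK_SIZE + check_len:
        return False, "wrong length"
    if packet[0] != SOH:
        return False, "missing SOH"
    blk, blk_inv = packet[1], packet[2]
    if blk != (255 - blk_inv) & 0xFF:
        return False, "block number and complement disagree"
    if blk != expected_block & 0xFF:
        return False, "unexpected block number"
    data = packet[3:3 + BLOCK_SIZE]
    if use_crc:
        ok = int.from_bytes(packet[-2:], "big") == crc16_xmodem(data)
    else:
        ok = packet[-1] == checksum8(data)
    return (True, "ACK") if ok else (False, "check mismatch")


def split_into_packets(image, use_crc):
    """Frame a whole file as consecutively numbered blocks starting at 1."""
    packets = []
    for offset in range(0, len(image), BLOCK_SIZE):
        packets.append(build_packet(len(packets) + 1, image[offset:offset + BLOCK_SIZE], use_crc))
    return packets


if __name__ == "__main__":
    pkt = build_packet(1, b"constructed sample payload", use_crc=True)
    print(receiver_negotiation_char(True), verify_packet(pkt, 1, True))
    damaged = bytearray(pkt)
    damaged[10] ^= 0x40                      # flip one data bit in transit
    print(verify_packet(bytes(damaged), 1, True))
```

The CRC-16 variant is the one to prefer when both sides support it: the 8-bit sum cannot detect two errors that cancel, whereas any single-bit corruption of a block always changes the CRC, so the receiver can NAK the damaged packet and ask for a resend instead of writing a corrupt image.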
proceed to Step 6 directly. In this case, the system will not display the above information.

The following are the configurations on the PC, taking HyperTerminal on the Windows operating system as an example.

Step 4: Choose [File/Properties] in HyperTerminal, click in the pop-up dialog box, and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears, as shown in Figure 215 and Figure 216.
Figure 216 Console port configuration dialog box

Step 5: Click the button to disconnect the HyperTerminal from the switch and then click the button to reconnect the HyperTerminal to the switch, as shown in Figure 217.

Figure 217 Connect and disconnect buttons

The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program.

Step 6: Press to start downloading the program.
Figure 218 Send file dialog box

Step 8: Click . The system displays the page, as shown in Figure 219.

Figure 219 Sending file page

Step 9: After the download completes, the system displays the following information:
Loading ...CCCCCCCCCC done!

Step 10: Reset HyperTerminal’s baud rate to 9600 bps (refer to Steps 4 and 5). Then, press any key as prompted. The system will display the following information when it completes the loading.
Loading host software

Follow these steps to load the host software:

Step 1: Select <1> in Boot Menu and press . The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

Step 2: Enter 3 in the above menu to download the host software using XMODEM.
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

Step 4: Enter 1 in the above menu to download the BootROM software using TFTP. Then set the following TFTP-related parameters as required:
Load File name :S7750.btm
Switch IP address :1.1.1.2
Server IP address :1.1.1.1

Step 5: Press .
Loading Process Using FTP Client

■ Loading BootROM software

Figure 221 Local loading using FTP client (Switch, Console port, Ethernet port, PC, FTP Client, FTP Server)

Step 1: As shown in Figure 221, connect the switch through an Ethernet port to the FTP server, and connect the switch through the Console port to the configuration PC.

You can use one computer as both the configuration device and the FTP server.
Follow these steps to load the host software:

Step 1: Select <1> in Boot Menu and press . The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

Enter 2 in the above menu to download the host software using FTP.
Remote Software Loading 847

FTP: 1177900 byte(s) received in 4.594 second(s) 256.39K byte(s)/sec.
[ftp] bye

When using different FTP server software on the PC, different information will be output to the switch.

Step 2: Update the BootROM program on the Fabric of the switch.
boot bootrom s7500.btm slot 0
This will update BootRom file on board 0 . Continue? [Y/N] y
Board 0 upgrading BOOTROM, please wait...
Upgrade board 0 BOOTROM succeeded!

Step 3: Restart the switch.
Step 2: Configure the IP address of VLAN1 on the switch to 192.168.0.65, and the subnet mask to 255.255.255.0.

You can configure the IP address of any VLAN on the switch for FTP transmission. However, before configuring the IP address for a VLAN interface, you have to make sure that the IP addresses of this VLAN and of the PC are routable to each other.
system-view
System View: return to User View with Ctrl+Z.
Figure 225 Switch to BootROM

Step 6: Enter “ftp 192.168.0.65” and enter the user name test and the password pass, as shown in Figure 226, to log on to the FTP server.

Figure 226 Log on to the FTP server

Step 7: Use the put command to upload the file s7500.btm to the switch, as shown in Figure 227.
Figure 227 Upload file s7500.btm to the switch

Step 8: Configure s7500.btm to be the BootROM at reboot, and then restart the switch.
boot bootrom s7500.btm slot 0
This will update BootRom file on board 0 . Continue? [Y/N] y
Board 0 upgrading BOOTROM, please wait...
Upgrade board 0 BOOTROM succeeded!
reboot
When rebooting, the switch uses the file s7500.btm as the BootROM to finish BootROM loading.
■ Fabric software and I/O Module (line processing unit) software must be identical. Otherwise the Switch 7750 cannot work normally.
■ To keep the software of the Fabric and the I/O Module identical, you need to restart the I/O Module after you upgrade the host software of the Fabric of the Switch 7750 Ethernet switches.
■ The Switch 7758 features double Fabrics and the active-standby switchover function.
78 BASIC SYSTEM CONFIGURATION & DEBUGGING

Basic System Configuration

Basic System Configuration Tasks

Table 659 Basic system configuration tasks
■ Enter system view from user view: “Entering System View from User View” on page 853
■ Set the system name of the switch (Optional): “Setting the System Name of the Switch” on page 853
■ Set the date and time of the system (Optional): “Setting the Date and Time of the System” on page 854

Entering System View from User View
CHAPTER 78: BASIC SYSTEM CONFIGURATION & DEBUGGING

Setting the Date and Time of the System

Table 662 Set the date and time of the system
■ Set the current date and time of the system: clock datetime HH:MM:SS YYYY/MM/DD (Optional)

Setting the Local Time Zone

This configuration task is to set the name of the local time zone and the difference between the local time zone and the standard UTC (universal time coordinated) time.
Returning from Current View to Lower Level View

Table 666 Return from current view to lower level view
■ Return from current view to lower level view: quit. This operation will result in exiting the system if the current view is user view.

Returning from Current View to User View

Displaying the System Status
Figure 228 Debugging information output (debugging information passes a protocol debugging switch and a terminal display switch, each of which can be ON or OFF)

You can use the following commands to operate the two kinds of switches. Perform the following operations in user view.
System Debugging

Displaying Operating Information about Modules in System

When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules (fixed when this command was designed) in the system for troubleshooting your system. Perform the following operation in any view.
79 NETWORK CONNECTIVITY TEST

Network Connectivity Test

ping

You can use the ping command to check the network connectivity and the reachability of a host.
CHAPTER 79: NETWORK CONNECTIVITY TEST

Table 673 The tracert command
■ Support IP protocol: tracert [ -a source-ip | -f first-TTL | -m max-TTL | -p port | -q num-packet | -w timeout ] * host
■ Support CLNS protocol: tracert clns [ -m max-TTL | -n num-packet | -t timeout | -v ]* nsap-address
80 DEVICE MANAGEMENT

When different switch fabrics work together with a chassis, note that:
■ If the 96Gbps Switch Fabric works with the Switch 7708 chassis without the XGbus silkscreen, the four SFP interfaces on the switch fabric do not work.
■ If a 96Gbps Switch Fabric is installed in a Switch 7758 XGbus chassis, the four SFP interfaces on the switch fabric all work normally.
CHAPTER 80: DEVICE MANAGEMENT

Table 674 Device management configuration tasks
■ Update the BootROM (Optional): “Updating the BootROM” on page 863
■ Upgrade BootROM along with the upgrade of ARP (Optional): “Upgrading BootROM along with the Upgrade of ARP” on page 863
■ Set module temperature threshold (Optional): “Setting Module Temperature Threshold” on page 864
■ Enable/disable RDRAM (Optional): “Enabling/Disabling RDRAM” on page 864
■ E

Restarting the Ethernet Switch
Device Management Configuration 863

Table 677 Schedule a reboot on the switch
■ Schedule a reboot on the switch, and set the reboot waiting delay: schedule reboot delay { hhh:mm | mmm } (Optional) A scheduled reboot is deferred by at most one minute, that is, the switch will reboot within one minute after reaching the specified reboot date and time.

Specifying the APP to be Adopted at Reboot

APP is the host software of the switch.
Table 680 Configure to upgrade BootROM
■ Use the current boot file to upgrade BootROM: boot bootrom default [ slot slot-list ] (Optional)

CAUTION:
■ If you do not specify the slot number to upgrade in the boot bootrom command, the system will upgrade all the modules working normally by default.

Setting Module Temperature Threshold
Identifying and Diagnosing Pluggable Transceivers

Introduction to pluggable transceivers

At present, four types of pluggable transceivers are commonly used, and they can be divided into optical transceivers and electrical transceivers based on transmission media, as shown in Table 684.
Diagnosing pluggable transceivers

The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by 3Com also support the digital diagnosis function, which enables a transceiver to monitor the main parameters such as temperature, voltage, laser bias current, TX power, and RX power. When these parameters are abnormal, you can take corresponding measures to prevent transceiver faults.
[SW7750] pause-protection enable slot 7

Configuring Layer 3 Connectivity Detection

Introduction to layer 3 connectivity detection

The function that detects layer 3 connectivity is implemented as follows. Local devices send ARP request packets continuously to the IP addresses of the devices to be detected. Users can then locate, solve, and log link problems by monitoring the peer devices through the received ARP response packets.
[SW7750-Ethernet4/0/1] uplink monitor ip 1.1.1.1

Configuring Queue Traffic Monitoring

Upon enabling queue traffic monitoring on a switch, the switch monitors the queue traffic and relieves blocks in the output queues of its interfaces. The criterion used to identify a block is that the queue is full and the traffic of the corresponding interface is less than the specified threshold.
Displaying the Device Management Configuration 869

Table 688 Configure error packets monitoring
■ Enter the system view: system-view
■ Set the interval for detecting error packets: qe monitor errpkt check-time interval (Optional) Defaults to 5 seconds.
■ Enter Ethernet interface view: interface interface-type interface-number
■ Enable error packets monitoring: qe monitor errpkt { all | none | (Required)
Table 689 Display the operating status of the device management
■ Display the APP to be adopted at reboot: display boot-loader
■ Display the module type and operating status of each board: display device [ detail | [ shelf shelf-no ] [ frame frame-no ] [ slot slot-number ] ]
You can execute the display commands in any view.
Remote Switch Update Configuration Example 871

working directory of the user as Switch. The detailed configuration is omitted here.

2 Configure the switch as follows:
# On the switch, configure a level 3 telnet user with the username and password as user and hello respectively. Authentication by user name and password is required for the user.

Refer to “Controlling Telnet Users” on page 77.

# Execute the telnet command on the PC to log into the switch.
boot boot-loader primary switch.app
The specified file will be booted next time on unit 1!
display boot-loader
The primary app to boot of board 0 at the next time is: flash:/switch.app
The backup app to boot of board 0 at the next time is: flash:/old.app
The app to boot of board 0 at this time is: flash:/old.
81 REMOTE-PING CONFIGURATION

Remote-ping Overview

Introduction to Remote-ping

Remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks. Remote-ping provides more functions than the ping command.
■ The ping command can only use the ICMP protocol to test the round trip time (RTT) between this end and a specified destination end, for the user to judge whether the destination end is reachable.
CHAPTER 81: REMOTE-PING CONFIGURATION

Test Types Supported by Remote-ping

Among the test types supported by remote-ping, only the ICMP test can be performed when IRF fabric is enabled; all other test types cannot be performed when IRF fabric is enabled.

Table 690 Test types supported by remote-ping (columns: supported test types, description)
ICMP test
For these types of tests, you need to configure the remote-ping client and the corresponding servers.
Table 691 Remote-ping test parameters
■ Source address (source-ip): For remote-ping tests other than the DHCP test, you can specify a source IP address for test packets, which will be used by the server as the destination address of response packets.
Table 691 Remote-ping test parameters (continued)
■ HTTP operation string and version (http-string): This parameter is used to set the HTTP operation string and version in an HTTP test.
■ FTP operation type (ftp-operation): This parameter is used to set the type of FTP interaction operation between the remote-ping client and the FTP server.

Remote-ping Configuration

Configuration on a Remote-ping Server
Remote-ping server configuration tasks

Table 692 Remote-ping server configuration tasks
■ Enable the remote-ping server function: The remote-ping server function is needed only for jitter, TCP, and UDP tests.
but for non-ICMP tests, the remote-ping tests you configured cannot be executed until fabric is disabled.

1 Configuring an ICMP test on the remote-ping client

Table 694 Configure ICMP test on remote-ping client
■ Enter system view: system-view
■ Enable the remote-ping client function: remote-ping-agent enable (Required) By default, the remote-ping client function is disabled.
Table 695 Configure DHCP test on remote-ping client
■ Enter system view: system-view
■ Enable the remote-ping client function: remote-ping-agent enable (Required) By default, the remote-ping client function is disabled.
Table 696 Configure an FTP test on a remote-ping client
■ Configure the source IP address: source-ip ip-address (Required) By default, no source IP address is configured.
■ Configure the source port: source-port port-number (Optional) By default, no source port is configured.
■ Configure the number of probes per test: count times (Optional) By default, each test makes one probe.
Table 697 Configure an HTTP test on a remote-ping client
■ Enable the remote-ping client function: remote-ping-agent enable (Required) By default, the remote-ping client function is disabled.
■ Create a remote-ping test group and enter its view: remote-ping administrator-name operation-tag (Required) By default, no test group is configured.
■ Configure the destination IP address: destination-ip ip-address (Required)
Table 697 Configure an HTTP test on a remote-ping client (continued)
■ Configure the type of HTTP operation: http-operation { get | post } (Optional) By default, the type of HTTP operation is get, that is, the HTTP operation will get data from the HTTP server.
Table 698 Configure jitter test on remote-ping client
■ Configure the number of probes per test: count times (Optional) By default, each test makes one probe.
■ Configure the maximum number of history records that can be saved: history-records number (Optional) By default, the maximum number is 50.
■ Configure the packet size: datasize size (Optional) By default, the packet size is 68 bytes.
Table 699 Configure SNMP test on remote-ping client
■ Configure the destination IP address: destination-ip ip-address (Required) By default, no destination address is configured.
■ Configure the source IP address: source-ip ip-address (Optional) By default, no source IP address is configured.
■ Configure the source port: source-port port-number (Optional) By default, no source port is configured.
Table 700 Configure TCP test on remote-ping client
■ Configure the destination address: destination-ip ip-address (Required) This IP address and the one configured on the remote-ping server for listening services must be the same. By default, no destination address is configured.
■ Configure the destination port: destination-port port-number (Required in a Tcpprivate test) A Tcppublic test is a TCP connection test on port 7.
Table 700 Configure TCP test on remote-ping client (continued)
■ Display test results: display remote-ping results [ admin-name operation-tag ] (Required) The display command can be executed in any view.
Table 701 Configure UDP test on remote-ping client
■ Configure the number of probes per test: count times (Optional) By default, one probe is made per test.
Table 702 Configure DNS test on remote-ping client
■ Configure the maximum number of history records that can be saved: history-records number (Optional) By default, the maximum number is 50.
■ Configure the automatic test interval: frequency interval (Optional)
■ Configure the probe timeout time: timeout time
■ Configure the type of service: tos value
Remote-ping Configuration Example 889

Table 703 Configure the remote-ping client to send Trap messages
■ Configure the number of consecutive unsuccessful remote-ping probes before Trap output: probe-failtimes times (Optional) By default, Trap messages are sent each time a probe fails.

Displaying Remote-ping Configuration

After the above-mentioned configuration, you can use the display commands to view the results of the latest test and the history information.
[7750-remote-ping-administrator-icmp] test-type icmp
# Configure the destination IP address as 10.2.2.2.
[7750-remote-ping-administrator-icmp] destination-ip 10.2.2.2
# Configure to make 10 probes per test.
[7750-remote-ping-administrator-icmp] count 10
# Set the probe timeout time to 5 seconds.
[7750-remote-ping-administrator-icmp] timeout 5
# Start the test.
Configuration procedure

■ Configure DHCP Server (Switch B): Configure the DHCP server on Switch B. For the specific configuration of the DHCP server, refer to “DHCP Server Configuration” on page 593.
■ Configure remote-ping Client (Switch A):
# Enable the remote-ping client.
<7750> system-view
[7750] remote-ping-agent enable
# Create a remote-ping test group, setting the administrator name to administrator and the test tag to DHCP.
For a detailed output description, see the corresponding command manual.

You can perform a remote-ping DHCP test only when no DHCP client is enabled on any interface. Otherwise, the DHCP server sends the response to an interface enabled with the DHCP client rather than to the source interface, thus resulting in remote-ping DHCP test failure.

FTP Test

Network requirements

Both the remote-ping client and the FTP server are Switch 7750s.
[7750-remote-ping-administrator-ftp] filename cmdtree.txt
# Configure to make 10 probes per test.
[7750-remote-ping-administrator-ftp] count 10
# Set the probe timeout time to 30 seconds.
[7750-remote-ping-administrator-ftp] timeout 30
# Configure the source IP address.
[7750-remote-ping-administrator-ftp] source-ip 10.1.1.1
# Start the test.
Network diagram

Figure 244 Network diagram for the HTTP test (remote-ping client Switch A 10.1.1.1/8, IP network, HTTP server 10.2.2.2/8)

Configuration procedure

■ Configure the HTTP server. Use a Windows 2003 Server as the HTTP server and follow the instructions in your Windows 2003 Server documentation.
■ Configure remote-ping Client (Switch A):
# Enable the remote-ping client.
DNS Resolve Timeout Times: 0
HTTP Transmission Timeout Times: 0
TCP Connect Time: 73
HTTP Operation Min Time: 27
TCP Connect Min Time: 5
HTTP Operation Max Time: 80
TCP Connect Max Time: 20
TCP Connect Timeout Times: 0
[7750-remote-ping-administrator-http] display remote-ping history administrator http
Remote-ping entry(admin administrator, tag http) history record:
Index  Response  Status  LastRC  Time
1      13        1       0       2000-04-02 15:15:52.5
2      9         1       0       2000-04-02 15:15:52.
[7750] remote-ping administrator Jitter
# Configure the test type as jitter.
[7750-remote-ping-administrator-Jitter] test-type Jitter
# Configure the IP address of the remote-ping server as 10.2.2.2.
[7750-remote-ping-administrator-Jitter] destination-ip 10.2.2.2
# Configure the destination port on the remote-ping server.
[7750-remote-ping-administrator-Jitter] destination-port 9000
# Configure to make 10 probes per test.
For detailed output description, see the corresponding command manual.
SNMP Test
Network requirements
Both the remote-ping client and the SNMP agent are Switch 7750s. Perform remote-ping SNMP tests between the two switches to measure the time from Switch A sending an SNMP query to Switch B (the SNMP agent) until Switch A receives the response.
Network diagram
Figure 246 Network diagram for the SNMP test: remote-ping client 10.1.1.
[7750-remote-ping-administrator-snmp] timeout 30
# Start the test.
[7750-remote-ping-administrator-snmp] test-enable
# Display the test results.
[7750-remote-ping-administrator-snmp] display remote-ping results administrator snmp
Remote-ping entry(admin administrator, tag snmp) test result:
Destination ip address:10.2.2.
<7750> system-view
[7750] remote-ping-server enable
[7750] remote-ping-server tcpconnect 10.2.2.2 8000
■ Configure the remote-ping client (Switch A):
# Enable the remote-ping client.
<7750> system-view
[7750] remote-ping-agent enable
# Create a remote-ping test group, setting the administrator name to administrator and the test tag to tcpprivate.
[7750] remote-ping administrator tcpprivate
# Configure the test type as tcpprivate.
For detailed output description, see the corresponding command manual.
UDP Test (Udpprivate Test) on the Specified Ports
Network requirements
Both the remote-ping client and the remote-ping server are Switch 7750s. Perform a remote-ping udpprivate test on the specified ports between the two switches to measure the RTT of UDP packets between this end (the remote-ping client) and the specified destination end (the remote-ping server).
# Display the test results.
[7750-remote-ping-administrator-udpprivate] display remote-ping results administrator udpprivate
Remote-ping entry(admin administrator, tag udpprivate) test result:
Destination ip address:10.2.2.2
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 10/12/10
Square-Sum of Round Trip Time: 1170
Last complete test time: 2000-4-2 8:29:45.
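The TCP-connect test configured two pages above (remote-ping-server tcpconnect on the server, test-type tcpprivate on the client) and the result fields shown here, as an added example that is not part of the 3Com guide: a Python script plays both sides, a loopback listener standing in for the remote-ping server and a client that times each TCP connect and summarises the probes as Min/Max/Average and Square-Sum the way display remote-ping results does. The Square-Sum is what turns those counters into a spread (jitter) figure, so the example derives a standard deviation from it. The sample RTT list used in the notes below is constructed, chosen so that an integer-truncated average reproduces the 10/12/10 and 1170 shown above; that the switch truncates rather than rounds the average is an assumption, and the host, ports and helper names are the example's own.

```python
"""Added example (not from the 3Com guide): a TCP-connect ("tcpprivate")
probe in Python.  start_listener() stands in for the remote-ping server,
tcp_connect_test() is the client, rtt_stats() produces the same summary
fields the switch prints."""
import socket
import threading
import time


def rtt_stats(samples_ms):
    """Summarise probe round-trip times the way 'display remote-ping results'
    does: Min, Max, Average and Square-Sum.  The average is truncated to an
    integer (assumption: the switch truncates rather than rounds).  Count and
    Square-Sum are enough to recover the spread of the samples, so a
    population standard deviation is derived from them as well."""
    if not samples_ms:
        return None
    n = len(samples_ms)
    total = sum(samples_ms)
    square_sum = sum(s * s for s in samples_ms)
    mean = total / n
    variance = max(square_sum / n - mean * mean, 0.0)   # clamp rounding noise
    return {
        "min": min(samples_ms),
        "max": max(samples_ms),
        "avg": int(mean),
        "square_sum": square_sum,
        "stddev": variance ** 0.5,
    }


def start_listener(host="127.0.0.1", port=0):
    """Stand-in for 'remote-ping-server tcpconnect <ip> <port>': accept every
    connection and close it at once.  Returns (bound_port, stop_callable);
    port 0 lets the OS pick a free port so the example runs anywhere."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.2)                  # lets the thread notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def tcp_connect_test(host, port, count=10, timeout=5.0):
    """Client side of the tcpprivate test: 'count' probes, each a full TCP
    handshake timed from connect() start to completion.  A probe that is
    refused or times out counts as sent but not answered, which is how the
    Send/Receive operation times in the switch output diverge."""
    rtts = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.connect((host, port))
            rtts.append((time.perf_counter() - t0) * 1000.0)
        except OSError:
            pass                          # refused / timed out: no response
        finally:
            s.close()
    result = {"destination": host, "send": count, "receive": len(rtts)}
    result.update(rtt_stats(rtts) or {})
    return result


if __name__ == "__main__":
    listen_port, stop = start_listener()
    try:
        print(tcp_connect_test("127.0.0.1", listen_port, count=10, timeout=5.0))
    finally:
        stop()
```

With the constructed samples [10, 10, 10, 11, 11, 11, 11, 11, 11, 12], rtt_stats gives min 10, max 12, average 10 (10.8 truncated), Square-Sum 1170 and a standard deviation of 0.6 ms; a test group whose Receive count stays below its Send count is the signal worth alerting on, not the RTT alone.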
# Create a remote-ping test group, setting the administrator name to administrator and the test tag to dns.
[7750] remote-ping administrator dns
# Configure the test type as dns.
[7750-remote-ping-administrator-dns] test-type dns
# Configure the IP address of the DNS server as 10.2.2.2.
[7750-remote-ping-administrator-dns] dns-server 10.2.2.2
# Configure to resolve the domain name www.test.com.
[7750-remote-ping-administrator-dns] dns resolve-target www.test.
82 RRPP CONFIGURATION
RRPP Overview
NOTE: RRPP is supported if you have the special-order modules listed in "RRPP on 3Com Switch 7750 Family" on page 908.
The rapid ring protection protocol (RRPP) is a link layer protocol designed for Ethernet rings. RRPP prevents the broadcast storms that data loops would otherwise cause while an Ethernet ring is healthy, and rapidly restores the communication paths between nodes after a link on the ring is disconnected.
CHAPTER 82: RRPP CONFIGURATION
Ethernet ring
An Ethernet ring is a ring-shaped Ethernet topology, on which an RRPP domain is based. An RRPP domain consists of a primary ring and one or more subrings. In configuration, the level of the primary ring is level 0, and that of the subrings is level 1. As shown in Figure 250, RRPP domain 1 consists of ring 1 and ring 2. If their levels are set to level 0 and level 1 respectively, ring 1 is the primary ring and ring 2 is the subring.
The primary port of the master node transmits the loop detection packet, and the secondary port of the master node receives it. When the Ethernet ring is in the healthy state, the secondary port of the master node allows only RRPP packets to pass and logically blocks data packets in the data VLANs. When the Ethernet ring is in the broken state, the secondary port of the master node stops blocking the data VLANs and begins to forward data packets in them.
Fail timer: Defines the timeout for the secondary port of the master node to receive health detection packets. The Fail timer value must be greater than or equal to three times the Hello timer value.
■ RRPP Message Type
The following table describes the RRPP message types.
Table 705 RRPP messages
Message          Description
HEALTH (HELLO)   The master node sends the HELLO message to detect whether the ring network is complete.
To avoid temporary data loops, when a transit node detects that the port through which it connects to the ring network has come UP again, it blocks the port temporarily (only control VLAN packets are permitted to pass) and keeps the port blocked until it receives the Complete Flush packet from the master node.
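As an added illustration that is not from the 3Com guide, the following Python simulation walks a single ring through the behaviour described in this overview: the master blocks its secondary port for data VLANs while HELLO packets come back, unblocks it when the Fail timer expires, and re-blocks it and sends Complete Flush when HELLO returns; a transit node keeps a recovered port blocked for data until that Complete Flush arrives. Running one failure-and-repair scenario with and without the transit-node temporary block shows the loop the block exists to prevent. Everything in it is the example's own model, not the protocol's wire format: node 0 is the master, link i joins node i and node (i + 1) mod n, propagation is instantaneous, ticks stand in for seconds, and Link-Down notifications are not modelled, so the master notices a break only through the Fail timer.

```python
"""Added example (not from the 3Com guide): tick-level model of RRPP
master/transit behaviour on one ring, used to compare the outcome with
and without the transit node's temporary block after link recovery."""


def timers_valid(hello_timer, fail_timer):
    """The Fail timer must be at least three times the Hello timer."""
    return hello_timer > 0 and fail_timer >= 3 * hello_timer


class RrppRing:
    """Single RRPP ring with n nodes.  Node 0 is the master; link i joins
    node i and node (i + 1) % n, so the master's primary port faces link 0
    and its secondary port faces link n - 1.  One tick is one second."""

    def __init__(self, nodes, hello_timer=1, fail_timer=3, transit_temp_block=True):
        if not timers_valid(hello_timer, fail_timer):
            raise ValueError("fail timer must be >= 3 x hello timer")
        self.n = nodes
        self.hello = hello_timer
        self.fail = fail_timer
        self.temp_block = transit_temp_block
        self.link_up = [True] * nodes
        self.secondary_blocked = True     # healthy ring: data VLANs blocked
        self.awaiting_flush = set()       # links a transit node holds blocked
        self.last_hello = 0
        self.t = 0
        self.log = []

    def set_link(self, i, up):
        """Bring link i down or up.  When it comes up, the transit ports at
        both ends block data until the master's Complete Flush arrives."""
        if up and not self.link_up[i] and self.temp_block:
            self.awaiting_flush.add(i)
        self.link_up[i] = up

    def _data_links(self):
        """Links currently carrying data-VLAN traffic."""
        links = [i for i in range(self.n)
                 if self.link_up[i] and i not in self.awaiting_flush]
        if self.secondary_blocked and (self.n - 1) in links:
            links.remove(self.n - 1)      # master's secondary port
        return links

    def has_loop(self):
        return len(self._data_links()) == self.n

    def is_connected(self):
        # a ring stays connected with at most one link removed
        return len(self._data_links()) >= self.n - 1

    def tick(self):
        """Advance one second; returns (loop_present, all_nodes_reachable)."""
        self.t += 1
        hello_due = self.t % self.hello == 0
        # HELLO leaves the primary port and reaches the secondary port only
        # if every link is up; the control VLAN is never blocked, so the
        # transit nodes' temporary blocks do not stop it.
        if hello_due and all(self.link_up):
            self.last_hello = self.t
            if not self.secondary_blocked:
                # ring healed: block the secondary port again and tell the
                # transit nodes to flush and lift their temporary blocks
                self.secondary_blocked = True
                self.awaiting_flush.clear()
                self.log.append((self.t, "HELLO returned: secondary blocked, Complete Flush sent"))
        elif self.secondary_blocked and self.t - self.last_hello >= self.fail:
            self.secondary_blocked = False
            self.log.append((self.t, "Fail timer expired: secondary port unblocked"))
        return self.has_loop(), self.is_connected()


def scenario(transit_temp_block, nodes=4, hello_timer=2, fail_timer=6):
    """Healthy ring, then link 2 fails for seven seconds, then it is repaired.
    Counts the seconds with a data loop and the seconds with nodes cut off."""
    ring = RrppRing(nodes, hello_timer, fail_timer, transit_temp_block)
    loop_ticks = outage_ticks = 0

    def run(seconds):
        nonlocal loop_ticks, outage_ticks
        for _ in range(seconds):
            loop, connected = ring.tick()
            loop_ticks += loop
            outage_ticks += not connected

    run(5)
    ring.set_link(2, False)
    run(7)
    ring.set_link(2, True)
    run(5)
    return {"loop_ticks": loop_ticks, "outage_ticks": outage_ticks, "log": ring.log}


if __name__ == "__main__":
    for block in (True, False):
        r = scenario(block)
        print("transit temp block", block, "->", r["loop_ticks"], "loop s,",
              r["outage_ticks"], "outage s")
```

In both runs the nodes beyond the broken link are unreachable for four seconds, the gap between the last HELLO and Fail timer expiry; without the temporary block the repaired ring carries a data loop for the second between the repair and the next HELLO, and with it the loop never forms. That gap is why the guide requires the Fail timer to be at least three Hello periods: shorter values trade that outage for false failovers.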
Tangent ring networking
Figure 252 Tangent ring networking (Switches A to F; Ring 1 in Domain 1 and Ring 2 in Domain 2, each with its own master node and transit nodes, with one node common to both rings)
There are two or more rings in the network topology and only one common node exists between each pair of rings. In this case, one RRPP domain must be defined for each ring.
Master Node Configuration
■ For 3Com Switches 7754, 7757, and 7758, BootROM version 527 must be used.
■ The CPLD version of the I/O Modules must not be lower than 005.
NOTE: Ports that support RRPP are:
■ The four Gigabit SFP ports on the 96Gbps Switch Fabric.
■ Gigabit SFP ports/10 Gigabit ports on LS81T12PE, LS81P12TE, LS81GP8UB, LS81TGX2, LS81TGX4, LS81T32P, LS81T16P, and LS81GP48 I/O Modules.
Table 706 Configure the master node
Operation                                                                    Command              Description
Return to system view                                                        quit                 -
Enable the RRPP protocol                                                     rrpp enable          Required
Display the brief information of all RRPP domains configured on the switch   display rrpp brief   Optional
Master Node Configuration Example
system-view
[SW7750] rrpp domain 1
[SW7750-rrpp-domain-1] control-vlan 4092
[SW7750-rrpp-domain-1] ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
[SW7750-rrpp-domain-1] timer hello-timer 2 fail-timer 7
[SW7750-rrpp-domain-1] ring 1 enable
[SW7750-rrpp-domain-1] quit
[SW7750] rrpp enable
[SW7750] display rrpp brief
[SW7750] display rrpp verbose domain 1
[SW7750] display rrpp statistics domain 1
Transit Node Configuration
CAUTION:
■ The control VLAN of an RRPP domain cannot be a static VLAN already created on the switch. If you configure a dynamic VLAN as the control VLAN of an RRPP domain, the VLAN becomes a static VLAN automatically.
■ You are not recommended to configure a VLAN as both an RRPP control VLAN and a remote-probe VLAN. (Refer to "Mirroring Configuration" on page 685 for information about the remote-probe VLAN.)
Transit Node Configuration Example
Edge Node Configuration
Edge Node Configuration Tasks
The following table describes the edge node configuration tasks.
Table 708 Configure an edge node
Operation                                           Command                 Description
Enter system view                                   system-view             -
Create an RRPP domain, and enter RRPP domain view   rrpp domain domain-id   Required.
■ Before creating an RRPP ring, you must create a control VLAN.
■ RRPP and the loopback test function are mutually exclusive. You must disable the loopback test on the primary/secondary port of the master/transit node and on the common/edge port of the edge node.
■ When deleting an RRPP domain with the undo rrpp domain command, make sure that no RRPP ring exists in the RRPP domain.
■ The ring ID must be unique within an RRPP domain.
Edge Node Configuration Example
Assistant Edge Node Configuration
Table 709 Configure an assistant edge node
Operation                                           Command                 Description
Enter system view                                   system-view             -
Create an RRPP domain, and enter RRPP domain view   rrpp domain domain-id   Required. The command prompt of RRPP domain view depends on the domain-id you input.
■ Before creating an RRPP ring, you must create a control VLAN.
■ RRPP and the loopback test function are mutually exclusive. You must disable the loopback test on the primary/secondary port of the master/transit node and on the common/edge port of the edge node.
■ When deleting an RRPP domain with the undo rrpp domain command, make sure that no RRPP ring exists in the RRPP domain.
Assistant Edge Node Configuration Example
Configuration Example
■ Switch B, Switch C and Switch D are transit nodes of the primary ring.
Ethernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
[SW7750-rrpp-domain-1] ring 1 enable
[SW7750-rrpp-domain-1] quit
[SW7750] rrpp enable
■ Configure Switch D
system-view
[SW7750] rrpp domain 1
[SW7750-rrpp-domain-1] control-vlan 4092
[SW7750-rrpp-domain-1] ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
[SW7750-rrpp-domain-1] ring 1 enable
[SW7750-rrpp-domain-1] quit
[SW7750] rrpp enable
After the
Network diagram
Figure 255 Network diagram for intersectant ring topology (Domain 1: Ring 1 and Ring 2 across Switch A to Switch E, marking the master nodes, transit node, edge node and assistant edge node; ring ports are GE 2/0/1, GE 2/0/2 and GE 2/0/3)
Configuration procedure
CAUTION: Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports.
igabitEthernet 0/1 edge-port GigabitEthernet 2/0/3
[SW7750-rrpp-domain-1] ring 1 enable
[SW7750-rrpp-domain-1] ring 2 enable
[SW7750-rrpp-domain-1] quit
[SW7750] rrpp enable
■ Configure Switch D
system-view
[SW7750] rrpp domain 1
[SW7750-rrpp-domain-1] control-vlan 4092
[SW7750-rrpp-domain-1] ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
[SW7750-rrpp-domain-1] ring 1 enable
[SW7750-rrpp-domain-1] quit
[
83 TELNET PROTECTION CONFIGURATION
Introduction
The Telnet protection function protects Telnet packets, SNMP packets, and ICMP packets from the specified source IP addresses when the network is under attack or CPU utilization is high, so that management traffic from those addresses continues to be processed. Telnet protection comes in three forms: global Telnet protection, special ARP Telnet protection, and default-route Telnet protection. Note that the protection is selected by IP address alone: it keeps management traffic flowing under load but is not an access control, so it complements rather than replaces login authentication and source-address restrictions on Telnet, SNMP and web users.
CHAPTER 83: TELNET PROTECTION CONFIGURATION
Table 710 Configure Telnet protection
Operation                                                          Command
Enable global Telnet protection or special ARP Telnet protection   attack-protection [ ip-address ]
If you use this command with the ip-address parameter, you can protect the specified Layer-3 interfaces.
Configuring SNMP Protection
84 SMART LINK CONFIGURATION
Smart Link Overview
As shown in Figure 256, dual-uplink networking is widely used. Usually, the spanning tree protocol (STP) is used to provide link redundancy in such a network. However, STP is not suitable for users who require fast convergence. Smart Link provides active/standby link redundancy with fast convergence to meet that requirement.
CHAPTER 84: SMART LINK CONFIGURATION
Slave port
The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure Ethernet2/0/2 of Switch A in Figure 256 as the slave port through the command line.
Flush message
When a forwarding link fails, the device switches the traffic to the blocked standby link.
Configuring Smart Link
As shown in Figure 257, Ethernet2/0/1 on Switch A is active and Ethernet2/0/2 on Switch A is blocked. When the link connected to Ethernet2/0/1 fails, Ethernet2/0/1 is blocked automatically and Ethernet2/0/2 becomes active.
■ When link switching occurs in the Smart Link group, the MAC forwarding entries and ARP entries of each device in the network may be out of date.
Table 715 Configure Smart Link (with ports as the members of the Smart Link group)
Operation                                                                     Command                             Remarks
Enter system view                                                             system-view                         -
Create a Smart Link group and enter Smart Link group view                     smart-link group group-id           Required
Enable the function of sending flush messages in the specified control VLAN   flush enable control-vlan vlan-id   Required
Configure a port as a Smart Link group member (Smart Link group view)         port interface-type inter
Table 717 Enable the specified port to process flush messages received from the specified control VLAN
Operation                                                                                            Command                                                                                                   Remarks
Enter system view                                                                                    system-view                                                                                               -
Enable the specified port(s) to process flush messages received from the control VLAN (system view)   smart-link flush enable control-vlan vlan-id port interface-type interface-number [ to interface-type interface-number ]   Required; use either this approach or the equivalent in Ethernet port view
Displaying and Debugging Smart Link
After the above configuration, you can use the following display commands in any view to view the Smart Link group information and the statistics of flush messages received and processed by the current device, so as to verify the configuration. Use the reset command in user view to clear the flush message statistics.
Smart Link Configuration Example
Configuration procedure
1 Configure a Smart Link group on Switch A and configure member ports for it. Enable the function of sending flush messages in control VLAN 1.
# Enter system view.
system-view
# Enter Ethernet port view. Disable STP on Ethernet2/0/1 and Ethernet2/0/2.
4 Enable the function of processing flush messages received from VLAN 1 on Switch E.
# Enter system view.
system-view
# Enable the function of processing flush messages received from VLAN 1 on Ethernet 2/0/2 and Ethernet 2/0/3.
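Why the flush message matters, and why only ports enabled for the control VLAN act on it, as an added example in Python that is not part of the 3Com guide: the upstream switch's MAC table still points at a host through the old path after a Smart Link switchover, so until a flush clears it, frames for that host keep leaving the port toward the failed link. The model is the example's own: it assumes a flush clears the receiving switch's whole MAC table and that a frame with an unknown destination is flooded. The data VLAN, the host MAC and the stray port are constructed; Switch E's Ethernet 2/0/2 and 2/0/3 are the ports enabled in step 4 above.

```python
"""Added example (not from the 3Com guide): a model of a switch's MAC
table around a Smart Link switchover, showing the stale-entry black hole
a flush message removes, and that a flush arriving on a port not enabled
for that control VLAN is ignored."""


class Switch:
    def __init__(self, name, flush_enabled=()):
        self.name = name
        # (port, control_vlan) pairs on which processing of flush messages
        # has been enabled, as with 'smart-link flush enable control-vlan'
        self.flush_enabled = set(flush_enabled)
        self.mac_table = {}          # (vlan, mac) -> port
        self.ignored_flushes = 0

    def learn(self, vlan, mac, port):
        self.mac_table[(vlan, mac)] = port

    def forward(self, vlan, dst_mac):
        """Port a frame goes out of, or 'flood' when there is no entry
        (assumption: unknown destinations are flooded in the VLAN)."""
        return self.mac_table.get((vlan, dst_mac), "flood")

    def receive_flush(self, port, control_vlan):
        """Process a Smart Link flush message.  Only honoured on ports enabled
        for that control VLAN; anything else is dropped, which is what keeps
        a stray or spoofed flush from emptying the table on demand."""
        if (port, control_vlan) not in self.flush_enabled:
            self.ignored_flushes += 1
            return False
        self.mac_table.clear()       # assumption: a flush clears all entries
        return True


def failover_demo(flush_honoured=True):
    """Switch E (the uplink device) learned host H behind its Ethernet 2/0/2
    while Switch A's master port was active.  Switch A fails over to its
    slave port, so H is now reached through Switch E's Ethernet 2/0/3, and
    Switch A's flush message arrives there in control VLAN 1."""
    enabled = {("Ethernet2/0/2", 1), ("Ethernet2/0/3", 1)} if flush_honoured else set()
    e = Switch("Switch E", enabled)
    host = "00:11:22:33:44:55"                 # constructed host MAC
    e.learn(10, host, "Ethernet2/0/2")         # old path, data VLAN 10 (constructed)
    before = e.forward(10, host)
    # a flush in VLAN 1 on an unrelated port: never processed
    e.receive_flush("Ethernet2/0/12", 1)
    # the real flush after switchover, on the port facing the new path
    e.receive_flush("Ethernet2/0/3", 1)
    after_flush = e.forward(10, host)
    # H's next frame arrives over the new path and is learned there
    e.learn(10, host, "Ethernet2/0/3")
    return {
        "before": before,
        "after_flush": after_flush,
        "after_relearn": e.forward(10, host),
        "ignored": e.ignored_flushes,
    }


if __name__ == "__main__":
    print("flush processed:", failover_demo(True))
    print("flush not enabled:", failover_demo(False))
```

With the flush processed, Switch E floods frames for the host until it relearns it on Ethernet 2/0/3; with flush processing not enabled, the stale entry keeps steering those frames toward the failed path until the host happens to send something or the entry ages out, which is the outage the flush message exists to cut short.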
85 MONITOR LINK CONFIGURATION
Introduction to Monitor Link
Monitor Link is a collaboration scheme introduced to complement Smart Link. It monitors the uplink and improves the backup function of Smart Link. A Monitor Link group consists of an uplink port and one or more downlink ports. When the link of the uplink port of a Monitor Link group fails, all the downlink ports in the Monitor Link group are forced down.
CHAPTER 85: MONITOR LINK CONFIGURATION
How Monitor Link Works
Figure 260 Network diagram for a Monitor Link group implementation (Switches A to E; the figure marks the port numbers and the blocked standby link)
As shown in Figure 260, the devices Switch C and Switch D are connected to the uplink device Switch E.
Configuring Monitor Link
and one or more downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Link group. The downlink ports can be manually-configured or static LACP link aggregation groups, or Ethernet ports.
Table 722 Configure a downlink port
Operation                                                                                     View                      Command                                           Remarks
Configure the specified link aggregation group as a downlink port of the Monitor Link group   Monitor Link group view   link-aggregation group group-id downlink          Required; use either approach
Configure the specified Ethernet port as a downlink port of the Monitor Link group            Monitor Link group view   port interface-type interface-number downlink     Required; use either approach
                                                                                              Ethernet port view        quit interfa
Monitor Link Configuration Example
Network diagram
Figure 261 Network diagram for Monitor Link configuration (Switches A to E, PC 1 to PC 4, and an Internet server; the figure marks the Eth1/0/x port numbers and the blocked standby link)
Configuration procedure
1 Enable Smart Link on Switch A and Switch B to implement link redundancy backup. Perform the following configuration on Switch A.
# Configure Ethernet2/0/1 as the master port of the Smart Link group and Ethernet2/0/2 as the slave port.
[SwitchA-smlk-group1] port Ethernet 2/0/1 master
[SwitchA-smlk-group1] port Ethernet 2/0/2 slave
# Configure to send flush messages in VLAN 1.
[SwitchA-smlk-group1] flush enable control-vlan 1
2 Enable Monitor Link on Switch C and Switch D and enable the function of processing flush messages received from VLAN 1.
86 CONFIGURING HARDWARE-DEPENDENT SOFTWARE
Configuring Boot ROM Upgrade with App File
By enabling the Boot ROM to be upgraded together with the app file, you ensure that the Boot ROM versions of the current Fabric and service modules match the version of the current app file, avoiding features that fail to work because of a version mismatch.
CHAPTER 86: CONFIGURING HARDWARE-DEPENDENT SOFTWARE
boot bootrom default
# Use the specified App file (abcd.app) to upgrade the Boot ROMs of the slot 1 I/O Modules in position.
boot bootrom abcd.app
# Specify the App file abcd.app as the primary startup file for the next boot.
boot boot-loader primary abcd.
Configuring Internal Channel Monitoring
Introduction
An internal channel is the interface channel between the Fabric and a service module. The Fabric sends handshake packets to each service module every second. After receiving the handshake packets, each service module reports the result to the Fabric, from which the Fabric knows that the service module is operating normally.
Switch Chip Auto-reset Configuration
Table 727 Configure switch chip auto-reset
Operation                                             Command                        Description
Enter system view                                     system-view                    -
Enable the function of monitoring internal channels   monitor inner-channel          Required
Enable switch chip auto-reset                         monitor slot slot-id enable    Required
Disable switch chip auto-reset                        monitor slot slot-id disable   Optional. By default, switch chips cannot be reset automatically when the internal chan