3Com® Switch 8800 Family Configuration Guide Switch 8807 Switch 8810 Switch 8814 www.3Com.com Part No. 10015594, Rev.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS ABOUT THIS GUIDE Conventions 15 Related Documentation 1 PRODUCT OVERVIEW Product Overview Function Features 2 16 17 18 COMMAND LINE INTERFACE Command Line Interface 21 Command Line View 21 Features and Functions of Command Line 3 29 LOGGING IN TO SWITCH Setting Up Configuration Environment through the Console Port 33 Setting up Configuration Environment through Telnet 34 Setting Up Configuration Environment through Modem Dial-up 37 4 USER INTERFACE CONFIGURATION User Interface Overview
Configure the CPU Port in an VLAN 58 Displaying and Debugging a VLAN 59 VLAN Configuration Example 59 8 SUPER VLAN CONFIGURATION Super VLAN Overview 61 Configuring a Super VLAN 61 9 ISOLATE-USER-VLAN CONFIGURATION Isolate-user-VLAN Overview 65 Isolate-use-vlan Configuration Task 65 Displaying and Debugging an isolate-user-VLAN Isolate-user-VLAN Configuration Example 68 10 IP ADDRESS CONFIGURATION Introduction to IP Addresses 71 Configuring IP Address 73 Displaying IP Address 76 IP Address Configuratio
15 PORT ISOLATION CONFIGURATION Port Isolation Overview 111 Configuration Tasks 111 Port Isolation Configuration Example 16 113 MAC ADDRESS TABLE MANAGEMENT MAC Address Table Management Overview 115 MAC Address Table Management Configuration 116 Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Configuration 117 Configuring Max Number of MAC Addresses that can be Learned in a VLAN 118 Displaying and Debugging MAC Address Tables 119 Resetting MAC Addresses 119 MAC Address Table Ma
QoS Configuration Example 23 202 LOGON USER ACL CONTROL CONFIGURATION Overview 209 Configuring ACL for Telnet/SSH Users 209 Configuring ACL for SNMP Users 212 24 VLAN-ACL CONFIGURATION VLAN-ACL Overview 215 VLAN-ACL Configuration 215 25 802.1X CONFIGURATION 802.1x Overview 221 802.1x Configuration 223 Displaying and Debugging 802.1x 229 Packet Attack Prevention Configuration 230 802.
30 RIP CONFIGURATION Introduction to RIP 291 Configuring RIP 292 Displaying and Debugging RIP 300 Typical RIP Configuration Example 300 Troubleshooting RIP Faults 301 31 OSPF CONFIGURATION OSPF Overview 303 OSPF GR Overview 307 Configuring OSPF 311 Displaying and Debugging OSPF 330 Typical OSPF Configuration Example 331 Troubleshooting OSPF Faults 336 32 INTEGRATED IS-IS CONFIGURATION Introduction to Integrated IS-IS 339 Configuring Integrated IS-IS 343 Displaying and Debugging Integrated IS-IS 358 Typ
Implementation of IP Multicast 411 RPF Mechanism for IP Multicast Packets 38 414 STATIC MULTICAST MAC ADDRESS CONFIGURATION Static Multicast MAC Address Overview 417 Configuring a Static Multicast MAC Address 417 Displaying and Maintaining Static Multicast MAC Address Configuration 39 IGMP SNOOPING CONFIGURATION IGMP Snooping Overview 419 IGMP Snooping Configuration 422 Multicast Static Routing Port Configuration 426 Displaying and Maintaining IGMP Snooping 427 IGMP Snooping Configuration Example 427 T
PIM-SM Configuration Example 45 469 MSDP CONFIGURATION MSDP Overview 473 MSDP Configuration 476 Displaying and Debugging MSDP 482 MSDP Configuration Examples 483 46 MBGP MULTICAST EXTENSION CONFIGURATION MBGP Multicast Extension Overview 493 MBGP Multicast Extension Configuration 494 Displaying and Debugging MBGP Configuration 501 MBGP Multicast Extension Configuration Example 501 47 MPLS ARCHITECTURE MPLS Overview 507 MPLS Basic Concepts 507 MPLS Architecture 510 48 MPLS BASIC CAPABILITY CONFIGURA
Kompella MPLS L2VPN Configuration 625 Displaying and Debugging MPLS L2VPN 629 Troubleshooting MPLS L2VPN 630 52 VPLS CONFIGURATION VPLS Overview 633 Basic VPLS Network Architectures 634 VPLS Operational Principle 635 Concepts Related to VPLS 637 VPLS Basic Configuration 638 Displaying and Debugging VPLS 646 VPLS Basic Configuration Example 646 Troubleshooting VPLS 650 53 VRRP CONFIGURATION Introduction to VRRP 653 Configuring VRRP 654 Displaying and debugging VRRP 659 VRRP Configuration Example 660 Trou
58 DNS CONFIGURATION Introduction to DNS 709 Configuring Static Domain Name Resolution 710 Configuring Dynamic Domain Name Resolution 710 Displaying and Debugging Domain Name Resolution 711 DNS Configuration Example 711 Troubleshooting Domain Name Resolution Configuration 712 59 NETSTREAM CONFIGURATION Netstream Overview 713 Netstream Configuration 714 Netstream Configuration Examples 60 716 NDP CONFIGURATION Introduction to NDP 719 Introduction to NDP Configuration Tasks NDP Configuration Example 721
65 RMON CONFIGURATION RMON Overview 747 Configuring RMON 747 Displaying and Debugging RMON 750 RMON Configuration Example 751 66 NTP CONFIGURATION Brief Introduction to NTP 753 NTP Configuration 755 Displaying and Debugging NTP 760 NTP Configuration Example 761 67 SSH TERMINAL SERVICE SSH Terminal Service SFTP Service 781 68 769 FILE SYSTEM MANAGEMENT File System Configuration 69 789 DEVICE MANAGEMENT Device Management Overview 793 Device Management Configuration 793 Displaying and Debugging Devi
74 PACKET STATISTICS CONFIGURATION Introduction to Egress Packet Statistics 75 843 ETHERNET PORT LOOPBACK DETECTION Ethernet Port Loopback Detection Function 845 Configuring the Loopback Detection Function 845 Displaying and Maintaining the Loopback Detection Function 76 QINQ CONFIGURATION QinQ Overview 847 VLAN VPN Configuration 849 VLAN VPN Configuration 849 Traffic Classification-Based Nested VLAN Configuration Adjusting TPID Values for QinQ Packets 853 VLAN-VPN Tunnel Configuration 855 77 NQA CO
ABOUT THIS GUIDE
This guide describes the 3Com® Switch 8800 and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch. This guide is intended for Qualified Service personnel who are responsible for configuring, using, and managing the switches.
Conventions
Table 2 Text Conventions
Convention: Words in italics. Description: Italics are used to emphasize a point, to denote a new term at the place where it is defined in the text, and to identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.
Convention: Words in bold. Description: Boldface type is used to highlight command names. For example, "Use the display user-interface command to...
Related Documentation
1 PRODUCT OVERVIEW
Product Overview
The 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as the Switch 8800 Family series) are a series of large-capacity, modularized L2/L3 switches. They are mainly designed for the broadband MAN, backbone, switching core and convergence center of large-sized enterprise networks and campus networks. They provide diverse services and can be used to construct stable, high-performance IP networks.
Function Features
Table 1 Function features
Feature: VLAN. Implementation: compliant with the IEEE 802.1Q standard; port-based, protocol-based, and IP subnet-based VLAN; GARP VLAN registration protocol (GVRP); Super VLAN; VLAN isolation; Guest VLAN; Dynamic VLAN.
Feature: STP protocol. Implementation: spanning tree protocol (STP)/rapid spanning tree protocol (RSTP)/multiple spanning tree protocol (MSTP), compliant with IEEE 802.1D/IEEE 802.1w/IEEE 802.
Feature: Flow control.
Feature: Broadcast storm control.
Table 1 Function features (continued)
Feature: MPLS. Implementation: L3 multiprotocol label switching (MPLS) VPN (option 1/2/3), embedded MPLS VPN, hierarchical PE (HoPE), CE dual homing, MCE, and multi-role host; VLL, including Martini, Kompella and CCC modes; VPLS.
Supports different types of traffic classification, including port-based, VLAN-based, COS priority-based, IP address-based, TOS priority-based, DSCP priority-based, TCP/UDP port-based, protocol type-based, and class of service (CoS)-base
Table 1 Function features (continued)
Feature: Command line interface configuration. Implementation: local configuration through the Console port and the AUX port; local and remote configuration through Telnet on an Ethernet port; remote configuration through modem dialup through the AUX port.
2 COMMAND LINE INTERFACE
Command Line Interface
3Com series switches provide a series of configuration commands and command line interfaces for configuring and managing the switch. The command line interface has the following characteristics:
■ Local configuration via the Console port and AUX port.
■ Local or remote configuration via Telnet.
■ Remote configuration through dialing with a modem via the AUX port.
■ Configuration level: Service configuration commands, including routing commands and commands on each network layer, are used to provide direct network service to the user.
■ Management level: Commands that influence the basic operation of the system and the system support module, which plays a supporting role for services.
■ OSPF area view
■ BGP view
■ IS-IS view
■ Route policy view
■ Basic ACL view
■ Advanced ACL view
■ Layer-2 ACL view
■ Conform-level view
■ WRED index view
■ RADIUS server group view
■ ISP domain view
■ MPLS view
■ VPNv4 sub-address family view
■ VPN-instance sub-address family view
■ BGP-VPNv4 sub-address family view
■ MPLS L2VPN view
■ L2VPN address family view
■ Route-Policy view
■ vpn-instance view
■ OSPF protocol view
■ Remote-peer view
■ VS
Table 2 Function feature of command view (columns: Command view, Function, Prompt, Command to enter, Command to exit)
Ethernet port view (port view): Configure Ethernet port parameters.
  100M Ethernet port view: prompt [3Com-Ethernet2/1/1]; key in interface ethernet 2/1/1 in system view.
  GigabitEthernet port view: prompt [3Com-GigabitEthernet2/1/1].
VLAN view: Configure VLAN parameters.
VLAN interface view: Configure IP interface parameters for a VLAN or a VLAN aggr
Table 2 Function feature of command view (continued)
SFTP Client view: Configure SFTP Client parameters.
MST region view: Configure MST region parameters.
PIM view: Configure PIM parameters.
MSDP view: Configure MSDP parameters.
IPv4 multicast sub-address family view: Enter the IPv4 multicast sub-address family view to configure MBGP multicast extension parameters.
RIP view: Configure RIP parameters.
OSPF view: Configure OSPF parameters.
OSPF area view: Configure OSPF area
Table 2 Function feature of command view (continued)
BGP view: Configure BGP parameters. Prompt [3Com-bgp]. Command to enter: key in bgp 100 in system view.
IS-IS view: Configure IS-IS parameters. Prompt [3Com-isis]. Command to enter: key in isis in system view.
Route policy view: Configure route policy parameters. Prompt [3Com-route-policy]. Command to enter: key in route-policy policy1 permit node 10 in system view.
Basic ACL view: Define the rule of basic ACL. Prompt [3Com-acl-basic-2000].
Command to exit: Use qu
Table 2 Function feature of command view (continued)
WRED index view: Configure WRED parameters. Prompt [3Com-wred-0]. Command to enter: key in wred 0 in system view. Command to exit: use quit to return to system view; use return to return to user view.
RADIUS server group view: Configure radius parameters. Prompt [3Com-radius-1]. Command to enter: key in radius scheme 1 in system view. Command to exit: use quit to return to system view; use return to return to use
ISP domain view: Configure ISP domain parameters.
MPLS view: Configure MPLS parameters.
Table 2 Function feature of command view (continued; command views: Route-Policy view, vpn-instance view, OSPF protocol view, Remote-peer view, VSI-LDP view)
Route-Policy view: Configure Route-Policy service parameters. Prompt [3Com-route-policy]. Command to enter: key in route-policy route-policy-name { permit | deny } node node-number in system view. Command to exit: use quit to return to system view.
vpn-instance view: Configure vpn-instance parameters. Command to enter: key in ip vpn-instance [3Com-vpn-vpn-insta vpn-inst
Features and Functions of Command Line
Online Help of Command Line
The command line interface provides the following online help modes.
■ Full help
■ Partial help
You can get the help information through these online help commands, which are described as follows.
1 Input "?" in any view to get all the commands in it and corresponding descriptions.
7 To switch to the Chinese display for the above information, perform the language-mode command.
Displaying Characteristics of Command Line
The command line interface provides the following display characteristics:
■ For users' convenience, the instruction and help information can be displayed in both English and Chinese.
■ For information to be displayed that exceeds one screen, a pausing function is provided.
Table 5 Common command line error messages
Error message: Incomplete command. Cause: The input command is incomplete.
Error message: Too many parameters. Cause: Too many parameters were entered.
Error message: Ambiguous command. Cause: The parameters entered are not specific.
Editing Characteristics of Command Line
The command line interface provides the basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See the table below.
3 LOGGING IN TO SWITCH
Setting Up Configuration Environment through the Console Port
Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the switch with the Console cable.
Figure 3 Configure the port for connection
Figure 4 Set communication parameters
Step 3: The switch is powered on. It displays its self-test information and prompts you to press Enter to show the command line prompt such as .
Step 4: Input a command to configure the switch or view the operation state. Input a "?" for help. For details of specific commands, refer to the following chapters.
Setting up Configuration Environment through Telnet
Step 1: Before logging into the switch through Telnet, you need to configure the Telnet user name and password on the switch through the console port.
Note: By default, a password is required for authenticating a Telnet user to log in to the switch. If a user logs in via Telnet without a password, he will see the prompt "Login password has not been set !".
system-view
Enter system view , return user view with Ctrl+Z.
Note:
■ When configuring the switch via Telnet, do not modify its IP address unless necessary, because the modification might cut the Telnet connection.
■ By default, when a Telnet user passes the password authentication to log on to the switch, he can access the commands at Level 0.
Accessing a Switch through another Switch via Telnet
After a user has logged in to a switch, he or she can configure another switch through that switch via Telnet.
Setting Up Configuration Environment through Modem Dial-up
Step 1: The modem user is authenticated via the Console port of the switch before he or she logs in to the switch through a dial-up modem.
Note: By default, a password is required for authenticating the modem user to log in to the switch. If a user logs in via the modem without a password, he or she will see the prompt "Login password has not been set !".
Figure 10 Dial on the remote PC
Step 4: Enter the preset login password on the remote terminal emulator and wait for the prompt such as . Then you can configure and manage the switch. Enter "?" to get immediate help. For details of specific commands, refer to the following chapters.
Note: By default, when a modem user logs in, he can access the commands at Level 0.
4 USER INTERFACE CONFIGURATION
User Interface Overview
To facilitate system management, the switches support user interface based configuration for the configuration and management of port attributes. Presently, the Switch 8800 Family series switches support the following user interface based configuration methods:
■ Local configuration via the Console port and AUX port
■ Local and remote configuration through Telnet on an Ethernet port
■ Remote configuration through dialing with a modem via the AUX port
■ The AUX user interface is numbered as the second interface, designated as user interface 1.
■ VTY user interfaces are numbered after the AUX user interface. The absolute number of the first VTY is one greater than the AUX user interface number.
Relative number
The relative number is in the format "user interface type" + "number". The "number" refers to the internal number for each user interface type.
Table 8 Configure the login header
Operation: Configure the login header. Command: header [ shell | incoming | login ] text
Operation: Remove the configured login header. Command: undo header [ shell | incoming | login ]
Note that if you press after typing any of the three keywords shell, login and incoming in the command, then what you type after the word header is the contents of the login information, instead of identifying the header type.
By default, an asynchronous port supports 1 stop bit. Note that setting 1.5 stop bits is not available on the Switch 8800 Family series at present.
Configuring the data bit
Table 13 Configure the data bit
Operation: Configure the data bit. Command: databits { 7 | 8 }
Operation: Restore the default data bit. Command: undo databits
By default, an asynchronous port supports 8 data bits.
By default, idle-timeout is enabled and set to 10 minutes on all user interfaces. That is, the user interface is disconnected automatically after 10 minutes without any operation. idle-timeout 0 disables idle-timeout.
Locking user interface
This configuration locks the current user interface and prompts the user to enter a password. This makes it impossible for others to operate in the interface after the user leaves.
Configuring the authentication method
The following command is used to configure the user login authentication method, so that access by unauthorized users is denied. Perform the following configuration in user interface view.
# Perform username and password authentication when a user logs in through the VTY 0 user interface, and set the username and password to zbr and 3Com respectively.
Note: When a user logs in to the switch, the command level that the user can access depends on two points: the command level that the user itself can access, and the command level set on this user interface. If the two levels are different, the former is taken.
Table 25 Configure Modem attributes
Operation: Configure to permit call-in and call-out. Command: modem both
Operation: Configure to disable call-in and call-out. Command: undo modem both
Configuring Redirection
Send command
The following command can be used for sending messages between user interfaces. Perform the following configuration in user view.
Table 26 Configure to send messages between different user interfaces
Displaying and Debugging User Interface
After the above configuration, execute the display command in any view to display the running user interface configuration and to verify the effect of the configuration. Execute the free command in user view to release the user interface connection.
5 MANAGEMENT INTERFACE CONFIGURATION
Management Interface Overview
The Switch 8800 Family series provides a 10/100Base-TX management interface on the Fabric. The management interface can connect a background PC for software loading and system debugging, or a remote network management station for remote system management.
Management Interface Configuration
The following sections describe management interface configuration tasks.
6 CONFIGURATION FILE MANAGEMENT
Configuration File Management Overview
The configuration file management module provides a user-friendly operation interface. It saves the configuration of the switch in command-line text format, recording the whole configuration process, so you can view the configuration information conveniently. The format of the configuration file includes:
■ It is saved in the command format.
Table 29 Display the configurations of the switch
Operation: Display the saved-configuration information of the switch. Command: display saved-configuration
Operation: Display the current-configuration information of the Ethernet switch. Command: display current-configuration [ controller | interface interface-type interface-number | configuration [ configuration ] ] [ | { begin | exclude | include } regular-expression ]
Operation: Display
Modifying and Saving the Current-Configuration
Table 32 Configure the name of the configuration file used for the next startup
Operation: Configure the name of the configuration file used for the next startup. Command: startup saved-configuration cfgfile
cfgfile is the name of the configuration file; its extension name can be ".cfg". The file is stored in the root directory of the storage device.
7 VLAN CONFIGURATION
VLAN Overview
Virtual local area network (VLAN) technology groups the devices in a LAN logically, not physically, into segments to form virtual workgroups. IEEE issued IEEE 802.1Q in 1999 to standardize VLAN implementations. VLAN technology allows network administrators to logically divide a physical LAN into different broadcast domains, the so-called virtual LANs. Every VLAN contains a group of workstations with the same demands.
CAUTION:
■ VLAN 1 is the system-default VLAN and cannot be removed.
■ VLANs with their ports being VLAN VPN-enabled cannot be removed.
■ Guest VLANs cannot be deleted.
■ Protocol-enabled VLANs cannot be deleted.
Specifying a Description Character String for a VLAN or VLAN interface
You can use the following commands to specify a description character string for a VLAN or VLAN interface. Perform the following configuration in VLAN view or VLAN interface view.
Configuring Port-Based VLAN
You can use the following commands to specify Ethernet ports for a VLAN. Perform the following configuration in VLAN view.
Table 38 Specify Ethernet ports for a VLAN
Operation: Add Ethernet ports to a VLAN. Command: port interface-list
Operation: Remove Ethernet ports from a VLAN. Command: undo port interface-list
By default, the system adds all the ports to the default VLAN, whose ID is 1.
■ You cannot delete a protocol-based VLAN that has ports associated with it.
■ You cannot delete a protocol-based VLAN on a port while the port is associated with the VLAN.
Configuring IP Subnet-Based VLAN
Associating/Dissociating a Specified Port with/from an IP Subnet-Based VLAN
You can also move the CPU ports out of or into all the VLANs at a time. Perform the following configuration in system view.
Configuration procedure
# Create VLAN 2 and enter its view.
[SW8800] vlan 2
# Add Ethernet3/1/1 and Ethernet4/1/1 to VLAN 2.
[3Com-vlan2] port ethernet3/1/1 ethernet4/1/1
# Create VLAN 3 and enter its view.
[3Com-vlan2] vlan 3
# Add Ethernet3/1/2 and Ethernet4/1/2 to VLAN 3.
8 SUPER VLAN CONFIGURATION
Super VLAN Overview
Super VLAN is also called VLAN aggregation. The fundamental principle is as follows: a super VLAN contains multiple sub VLANs. A super VLAN can be configured with an IP address on its virtual port, while a sub VLAN cannot. Each sub VLAN is a broadcast domain, and different sub VLANs are isolated at Layer 2.
Table 46 Configure a super VLAN
Operation: Set the VLAN type to super VLAN. Command: supervlan. Description: Required. The VLAN-ID is the configured VLAN ID, in the range 1 to 4094.
Super VLAN Configuration Example
These sub VLANs are isolated at Layer 2. It is required that these sub VLANs communicate with one another at Layer 3.
Network diagram
Omitted
Configuration procedure
system-view
System View: return to User View with Ctrl+Z.
9 ISOLATE-USER-VLAN CONFIGURATION
Isolate-user-VLAN Overview
Isolate-user-VLAN saves VLAN resources in a network. It adopts a two-level VLAN architecture: one level is the isolate-user-VLAN level, and the other is the Secondary VLAN level, as shown in Figure 12.
■ An isolate-user-VLAN corresponds to multiple Secondary VLANs. It contains all the ports and upstream ports of the corresponding Secondary VLANs.
Configuring an isolate-user-VLAN
Table 48 Configure an isolate-user-VLAN
Operation: Enter system view. Command: system-view. Description: -
Operation: Create a VLAN. Command: vlan vlan-id. Description: Required
Operation: Configure the VLAN as an isolate-user-VLAN. Command: isolate-user-vlan enable. Description: Required. You cannot configure VLAN 1 as an isolate-user-VLAN.
Operation: Add ports to the isolate-user-VLAN. Command: port interface-list. Description: Optional. An isolate-user-VLAN can contain multiple ports, includ
Configuring a Secondary VLAN
Note the following when mapping an isolate-user-VLAN to Secondary VLANs:
1 If the isolate-user-VLAN contains ports
■ For hybrid ports, if the default port VLAN ID is the same as the isolate-user-VLAN ID and the port joins the isolate-user-VLAN in untagged mode, all the hybrid ports meeting these requirements join the Secondary VLAN in untagged mode simultaneously. For those not meeting the requirements, no other processing is done.
Isolate-user-VLAN Configuration Example
Network requirements
Switch A is connected to Switch B and Switch C downstream.
1 On Switch B, VLAN 5 is an isolate-user-VLAN, including an upstream port (Ethernet2/1/1) and two Secondary VLANs, VLAN 2 and VLAN 3. VLAN 2 includes port Ethernet2/1/2 and VLAN 3 includes port Ethernet2/1/3.
# Configure the mapping relationship between the isolate-user-VLAN and the Secondary VLANs.
[3Com-vlan2] quit
[SW8800] isolate-user-vlan 5 secondary 2 to 3
2 Configuration on Switch C
# Configure an isolate-user-VLAN.
system-view
[SW8800] vlan 6
[3Com-vlan6] isolate-user-vlan enable
[3Com-vlan6] port ethernet2/1/1
# Configure Secondary VLANs.
10 IP ADDRESS CONFIGURATION
Introduction to IP Addresses
IP Address Classification and Representation
An IP address is a 32-bit address allocated to a device that accesses the Internet. It consists of two fields: the net-id field and the host-id field. IP addresses are allocated by the Network Information Center (NIC) of the American Defense Data Network (DDN). To manage IP addresses conveniently, they are classified into five classes. See the following figure.
Table 52 IP address classes and ranges
Note: A host ID with all bits 0 indicates that the IP address is the network address, which is used for network routing. A host ID with all bits 1 indicates the broadcast address, that is, broadcast to all hosts on the network.
Network class: A. Address range: 0.0.0.0 to 127.255.255.255. IP network range available: 1.0.0.0 to 126.0.0.0. Note: IP address 0.0.0.
A mask is a 32-bit number corresponding to an IP address. It consists of 1s and 0s. In principle, these 1s and 0s could be combined arbitrarily; however, when you design a mask, the leading bits are set to consecutive 1s. The mask divides the IP address into two parts: the subnet address and the host address. The part of the IP address corresponding to the 1 bits in the mask is the subnet address, and the other part is the host address.
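The following Python example, added here and not part of the 3Com guide, applies a mask to an IPv4 address exactly as the paragraph above describes: it checks that the mask's 1 bits form a single leading run, splits the address into subnet address and host address, and derives the network and broadcast addresses noted under Table 52 (host bits all 0 and all 1). It goes slightly beyond the text by classifying the first octet for classes A through E; only the class A range appears on this page, and the B through E boundaries are standard classful addressing, not taken from the guide. All sample addresses are constructed.

```python
# Added example (not code from the 3Com guide): IPv4 mask handling.
# Splits an address into subnet and host parts and rejects masks whose
# 1 bits are not a contiguous leading run, which the text says a mask must have.

def parse_ipv4(text):
    """Parse dotted-quad text into a 32-bit integer; reject malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric octet in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value):
    """Render a 32-bit integer as dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_class(text):
    """Classful category from the first octet. Class A (0-127) is from Table 52;
    the B-E boundaries are standard classful addressing (assumption, not from the page)."""
    first = parse_ipv4(text) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_contiguous_mask(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits.
    Inverting the mask gives the host bits; a valid host-bit pattern is 2^n - 1,
    which has no bits in common with itself plus one."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def split_address(ip_text, mask_text):
    """Apply the mask: subnet address = 1-bit part, host address = 0-bit part."""
    ip = parse_ipv4(ip_text)
    mask = parse_ipv4(mask_text)
    if not is_contiguous_mask(mask):
        raise ValueError(f"mask {mask_text} is not a leading run of 1 bits")
    host_bits = ~mask & 0xFFFFFFFF
    subnet = ip & mask
    host = ip & host_bits
    broadcast = subnet | host_bits
    return {
        "class": ip_class(ip_text),
        "prefix_length": bin(mask).count("1"),
        "subnet": format_ipv4(subnet),
        "host_id": host,
        "broadcast": format_ipv4(broadcast),
        # Host bits all 0: the network address (Table 52 note).
        "is_network_address": host == 0,
        # Host bits all 1: the broadcast address. For a /32 mask both flags are true.
        "is_broadcast_address": host == host_bits,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the guide.
    samples = [
        ("192.168.10.37", "255.255.255.0"),
        ("10.0.0.0", "255.0.0.0"),
        ("172.16.255.255", "255.255.0.0"),
    ]
    for ip, mask in samples:
        print(ip, mask, split_address(ip, mask))
    try:
        split_address("192.168.10.37", "255.0.255.0")
    except ValueError as err:
        print("rejected:", err)
```

The contiguity check is the part worth keeping in a configuration validator: a mask such as 255.0.255.0 still "divides" an address, but not into the leading subnet part and trailing host part the guide assumes, so the example refuses it rather than silently producing a subnet that no router would compute.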
Table 53 Configure the host name and the corresponding IP address
Operation: Configure the host name and the corresponding IP address. Command: ip host hostname ip-address
Operation: Cancel the host name and the corresponding IP address. Command: undo ip host hostname [ ip-address ]
By default, no host name is associated with any host IP address.
Configuring the IP Address of the VLAN Interface
You can configure an IP address for every VLAN interface of the switch.
configure static ARP entries that have only IP addresses. The switch automatically fills in the MAC address in the ARP mapping entries, so that only users configured with static ARP entries can access the network.
Table 56 Configure whether the switch sends unreachable packets
Operation: Configure the switch to send an unreachable packet to the sending end when it receives an IP packet whose TTL is less than or equal to 1. Command: undo ip icmp-time-exceed enable. Description: -
Displaying IP Address
After the above configuration, execute the display command in any view to display the IP addresses configured on interfaces of the network device, and to verify the
Troubleshooting IP Address Configuration
Fault 1: The switch cannot ping through a certain host in the LAN. Troubleshooting can be performed as follows:
1 Check the configuration of the switch. Use the display arp command to view the ARP entry table that the switch maintains.
2 Check which VLAN includes the port of the switch used to connect to the host. Check whether the VLAN has been configured with a VLAN interface.
11 IP PERFORMANCE CONFIGURATION
Configuring IP Performance
IP performance configuration includes:
■ "Configuring TCP Attributes"
Configuring TCP Attributes
TCP attributes that can be configured include:
■ synwait timer: When sending SYN packets, TCP starts the synwait timer. If response packets are not received before the synwait timer expires, the TCP connection is terminated. The synwait timer timeout ranges from 2 to 600 seconds and is 75 seconds by default.
Table 59 Display IP performance
Operation: Display TCP connection statistics. Command: display tcp statistics
Operation: Display UDP statistics. Command: display udp statistics
Operation: Display IP statistics. Command: display ip statistics
Operation: Display ICMP statistics. Command: display icmp statistics
Operation: Display the current socket information of the system. Command: display ip socket [ socktype sock-type ] [ task-id socket-id ]
Operation: Display the summary of the Forwarding Information Ba
Troubleshooting IP Performance
Fault: The IP layer protocol works normally but TCP and UDP cannot work normally.
Troubleshooting: In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information.
■ Use the display command to view the running information of IP performance and make sure that the PCs used by the user are running normally.
flag = ACK window = 16079
12 GARP&GVRP CONFIGURATION
Configuring GARP
GARP Overview
Generic attribute registration protocol (GARP) offers a mechanism used by the members of the same switching network to distribute, propagate and register information such as VLANs and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP (GARP VLAN registration protocol) and GMRP.
CHAPTER 12: GARP&GVRP CONFIGURATION
Setting the GARP Timer
■ The value of the GARP timer is used in all the GARP applications, including GVRP and GMRP, running in one switched network.
■ In one switched network, the GARP timers on all the switching devices should be set to the same value. Otherwise, GARP applications cannot work normally. GARP timers include the Hold timer, Join timer, Leave timer and LeaveAll timer.
■ The lower limit of the Hold timer is 10 centiseconds. You can change its upper limit by changing the value of the Join timer.
■ You can change the lower limit and upper limit of the Join timer by changing the value of the Hold timer and Leave timer respectively.
■ You can change the lower limit and upper limit of the Leave timer by changing the value of the Join timer and LeaveAll timer respectively.
■ The upper limit of the LeaveAll timer is 32765 centiseconds.
In the above-mentioned configuration tasks, GVRP should be enabled globally before it is enabled on the port. Configuration of the GVRP registration type can only take effect after port GVRP is enabled. Besides, GVRP must be configured on the Trunk port.
Enabling/Disabling Global GVRP
■ When you configure an aggregation group, the GVRP feature configured on the master port is unchanged, but that on the slave port is disabled.
■ When a Trunk port is set as fixed, the port is not allowed to dynamically register/deregister a VLAN; it only propagates information about static VLANs that are manually configured, not that of dynamic VLANs. That is, a Trunk port of the fixed type only permits manually configured VLANs even if you configure it to permit all VLANs.
[SW8800] gvrp
# Set Ethernet3/1/1 as a Trunk port and allow all the VLANs to pass through.
[SW8800] interface ethernet3/1/1
[3Com-Ethernet3/1/1] port link-type trunk
[3Com-Ethernet3/1/1] port trunk permit vlan all
# Enable GVRP on the Trunk port.
[3Com-Ethernet3/1/1] gvrp
Configure Switch B:
# Enable GVRP globally.
[SW8800] gvrp
# Set Ethernet4/1/1 as a Trunk port and allow all the VLANs to pass through.
13 ETHERNET PORT CONFIGURATION
Ethernet Port Overview
The Switch 8800 Family provides conventional Ethernet ports, fast Ethernet ports, 1000 Mbps Ethernet ports and 10 Gbps Ethernet ports. The configurations of these Ethernet ports are basically the same, and are described in the following sections.
CHAPTER 13: ETHERNET PORT CONFIGURATION
Enabling/Disabling an Ethernet Port
After configuring the related parameters and protocol of the port, you can use the undo shutdown command to enable the port. If you do not want a port to forward data any more, use the shutdown command to disable it. Perform the following configuration in Ethernet port view.
Setting Speed on the Ethernet Port
You can use the following command to set the speed on the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports automatically negotiate the port speed. Perform the following configuration in Ethernet port view.
Perform the following configuration in Ethernet port view.
Table 73 Enabling/disabling flow control for the Ethernet port (Operation: Command)
Enable Ethernet port flow control: flow-control
Disable Ethernet port flow control: undo flow-control
By default, Ethernet port flow control is disabled.
Setting the Interval of Performing Statistics on Ports
Use the following configuration tasks to set the interval of performing statistics on ports.
effective Jumbo frame value for the 1536-1552 section is 1552, that for the 1553-9022 section is 9022, that for the 9023-9192 section is 9192, and that for the 9193-10240 section is 10240.
Setting Broadcast/Multicast Suppression on Ethernet Port
To prevent port congestion resulting from broadcast/multicast packet flooding, the switch supports broadcast/multicast suppression.
By default, Ethernet ports work in LAN mode. 10GE Ethernet ports support WAN mode.
Setting the Link Type for the Ethernet Port
An Ethernet port can operate in one of three link types: access, hybrid, and trunk. An access port carries one VLAN only and is used for connecting to the user’s computer. A trunk port can belong to more than one VLAN and receive/send packets on multiple VLANs; it is used for connections between switches.
Note that the access port shall be added to an existing VLAN other than VLAN 1. The VLAN to which a hybrid port is added must already exist. After the Ethernet port is added to the specified VLANs, the local port can forward packets of these VLANs. Hybrid and trunk ports can be added to multiple VLANs, thereby implementing VLAN intercommunication between peers.
already carries a VLAN Tag, the packet will get two Tags; if the port receives an untagged packet, the packet will be given the default VLAN Tag of the port. Perform the following configuration in Ethernet port view.
Table 81 Setting the port VLAN VPN feature (Operation: Command)
Enable the port VLAN VPN feature: vlan-vpn enable
Disable the port VLAN VPN feature: undo vlan-vpn
Note that if any of GVRP, STP, and 802.
Table 82 Configurations that can be copied (Attribute: Detailed Setting)
LACP: Enable/disable LACP on the port
■ Using the copy configuration command clears the protocol VLAN attributes of the destination port, but it cannot copy the protocol VLAN attributes of the source port to the destination port.
■ Using the copy configuration command, you can only copy the configurations of Ethernet ports, Gigabit Ethernet ports and aggregation groups.
Displaying and Debugging Ethernet Port
After the above configuration, execute the display command in any view to display the running of the Ethernet port configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics information of the port.
[SW8800] interface gigabitethernet2/1/1
# Set GigabitEthernet2/1/1 as a trunk port and allow VLANs 2, 6 through 50, and 100 to pass.
[3Com-GigabitEthernet2/1/1] port link-type trunk
[3Com-GigabitEthernet2/1/1] port trunk permit vlan 2 6 to 50 100
# Create VLAN 100.
[SW8800] vlan 100
# Configure the default VLAN ID of GigabitEthernet2/1/1 as 100.
14 LINK AGGREGATION CONFIGURATION
Overview
Introduction to Link Aggregation
Link aggregation means aggregating several ports together to implement outgoing/incoming payload balance among the member ports and enhance connection reliability. Link aggregation may be manual aggregation, dynamic LACP aggregation or static LACP aggregation. For the member ports in an aggregation group, their basic configurations must be the same.
CHAPTER 14: LINK AGGREGATION CONFIGURATION aggregation port is the same as the aggregation group ID. In a dynamic aggregation group, the member ports must have the same operation key. In manual and static aggregation groups, the active ports have the same operation key. Aggregation Types Port aggregation can be divided into manual aggregation, dynamic LACP aggregation and static LACP aggregation.
■ The system sets to the inactive state the ports that cannot be aggregated with the master port because of hardware limits (for example, aggregation across modules is forbidden).
■ The system sets to the inactive state the ports whose basic configurations differ from those of the active port.
■ Aggregation groups of special ports with hardware aggregation resources included, such as non-limited-speed 10GE ports
■ Aggregation groups that probably reach the maximum potential rate after the resources are allocated to them
■ Aggregation groups with the minimum master port numbers if they reach the equal rate with other groups after the resources are allocated to them
■ Manual aggregation has a higher priority level than static aggregation, and
■ “Configuring/Deleting Aggregation Group Description”
■ “Configuring System Priority”
■ “Configuring Port Priority”
■ The active state and inactive state correspond to selected and standby respectively.
■ When configuring an aggregation group, the status of the GVRP feature configured on the master port is reserved, but that on the slave port is disabled.
■ When adding a port to an existing aggregation group, the GVRP feature on the port is disabled.
Table 88 Creating/deleting an aggregation group (Operation: Command)
Create an aggregation group: link-aggregation group agg-id mode { manual | static }
Delete an aggregation group: undo link-aggregation group agg-id
When you create an aggregation group that already exists in the system but contains no member port, it changes to the new type.
When a port is added into an aggregation group, the original ARP information of the port will be lost.
Configuring/Deleting Aggregation Group Description
You can use the following command to create/delete the aggregation group description (for manual aggregation and static link aggregation). Perform the following configuration in system view.
Table 92 Configuring port priority (Operation: Command)
Configure port priority: lacp port-priority port-priority-value
Restore the default port priority: undo lacp port-priority
By default, the port priority is 32,768.
Displaying and Debugging Link Aggregation
After the above configuration, execute the display command in any view to display the running of the link aggregation configuration and to verify the effect of the configuration.
Network diagram
Figure 19 Network diagram for link aggregation configuration (Switch A and Switch B connected by a link aggregation)
Configuration procedure
The following only lists the configuration for Switch A; that on Switch B is similar.
1 Manual aggregation
# Create aggregation group 1.
[SW8800] link-aggregation group 1 mode manual
# Add Ethernet ports Ethernet2/1/1 to Ethernet2/1/3 into aggregation group 1.
[3Com-Ethernet2/1/2] interface ethernet2/1/3
[3Com-Ethernet2/1/3] lacp enable
You must keep the basic configuration, rate and duplex attributes consistent at both ends to successfully aggregate the LACP-enabled ports into a dynamic aggregation group and achieve load sharing.
15 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Using the port isolation feature, you can place different user ports into the same VLAN. As these users cannot communicate with each other, network security is improved, a flexible networking scheme is provided, and VLAN resources are conserved.
CHAPTER 15: PORT ISOLATION CONFIGURATION
Table 96 Configuring an uplink port in the isolated group (Operation: Command. Description)
Configure the upstream port in the isolated group: port-isolate uplink-port group isolate-group-id. Required. ■ You can configure the uplink port for the isolated group only after you create the isolated group ■ The upstream port can only be an Ethernet port ■ You can configure only one ups
Query isolation information
Configuring Isolated Ports for an Isolated Group
Port Isolation Configuration Example
Network requirements
Users in a community connect to a switch. The switch communicates with the external network through port Ethernet2/1/1. These users are in VLAN 1 and cannot communicate with each other.
Network diagram
Figure 20 Network diagram for port isolation (external network reached through Ethernet2/1/1)
Configuration procedure
# Create isolated group 1.
16 MAC ADDRESS TABLE MANAGEMENT
MAC Address Table Management Overview
A switch maintains a MAC address table for fast forwarding of packets. A table entry includes the MAC address of a device and the ID of the switch port connected to the device. Dynamic entries (those not configured manually) are learned by the switch.
CHAPTER 16: MAC ADDRESS TABLE MANAGEMENT
You can configure (add or modify) the MAC address entries manually according to the actual networking environment. The entries can be static ones or dynamic ones.
MAC Address Table Management Configuration
The following sections describe the MAC address table management configuration tasks.
Setting MAC Address Table Entries
Table 99 Set the MAC address aging time for the system (Operation: Command)
Set the dynamic MAC address aging time: mac-address timer { aging age | no-aging }
Restore the default MAC address aging time: undo mac-address timer aging
In addition, this command takes effect on all the ports. However, address aging only functions on dynamic addresses (those learned by the switch or configured by the user as aging entries).
Configuring Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Example
Network requirements
■ Set the maximum number of MAC addresses learned by Ethernet port Ethernet3/1/3 to 600
■ Set the switch to drop the packets whose source MAC addresses are not learned by the port when the number of MAC addresses learned exceeds 600
Configuration procedure
1 Enter system view.
system-view
[SW8800]
2 Enter Ethernet port view.
Displaying and Debugging MAC Address Tables
After the above configuration, execute the display command in any view to display the running of the MAC address table configuration and to verify the effect of the configuration.
Network diagram
Figure 22 Network diagram for address table management configuration (Internet, network port, console port, switch)
Configuration procedure
# Enter the system view of the switch.
system-view
# Add a MAC address (specify the native VLAN, port and state).
[SW8800] mac-address static 00e0-fc35-dc71 interface ethernet2/1/2 vlan 1
# Set the address aging time to 500s.
17 MSTP REGION-CONFIGURATION
Introduction to MSTP
MSTP stands for Multiple Spanning Tree Protocol, which is compatible with Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). STP is not fast in state transition. Even on a point-to-point link or an edge port, it has to wait an interval twice as long as the forward delay before the port transits to the forwarding state.
CHAPTER 17: MSTP REGION-CONFIGURATION
Figure 23 Basic MSTP concepts (CIST: common and internal spanning tree; MSTI: multiple spanning tree instance; CST: common spanning tree; regions A0, B0 and D0 each map VLAN 1 to Instance 1, VLAN 2 to Instance 2 and other VLANs to the CIST; in region D0 the domain root of Instance 1 is B and that of Instance 2 is C)
CST
Common Spanning Tree (CST): a LAN has only one CST. The CST connects the spanning trees of all MST regions. If every MST region is regarded as a "switch", the CST is the tree computed among these "switches" through STP/RSTP. For example, the red line in Figure 23 indicates the CST.
CIST
Common and Internal Spanning Tree (CIST): a single spanning tree made up of the ISTs and the CST. It connects all switches in a switching network.
A port can play different roles in different spanning tree instances. The following figure illustrates the earlier-mentioned concepts for your better understanding. In this figure, switches A, B, C, and D make up an MST region. Ports 1 and 2 on switch A connect to the common root bridge; ports 5 and 6 on switch C form a loop; ports 3 and 4 on switch D connect to other MST regions in the downstream direction.
Figure 25 BPDU packet format
Figure 26 MSTI information format of the last part in BPDU packets
Besides the root bridge priority, root path cost, local bridge priority and port priority fields, the one-byte flags field of an instance is also used for role selection.
Figure 27 Meaning of 1-byte Flags in BPDU packets (bit 7: TcAck; bit 6: Agreement; bit 5: Forwarding; bit 4: Learning; bits 3 and 2: port role; bit 1: Proposal; bit 0: Tc)
The second and third bits (bits 2 and 3) together indicate the MSTP port role.
2 TC packet
A TC packet is also an MSTP BPDU packet, but the lowest bit of its flags field is set to 1, which gives the TC packet its special meaning.
Figure 28 Designated bridge and designated port (Switch A with ports AP1 and AP2, Switch B with ports BP1 and BP2, Switch C with ports CP1 and CP2, and a LAN segment)
For a switch, the designated bridge is the switch in charge of forwarding BPDUs to the local switch, via a port called the designated port. For a LAN, the designated bridge is the switch in charge of forwarding BPDUs to the network segment, via a port called the designated port.
Figure 29 Ethernet switch networking (Switch A with priority 0, Switch B with priority 1, Switch C with priority 2; link AP1-BP1 with path cost 5, link AP2-CP1 with path cost 10, link BP2-CP2 with path cost 4)
To facilitate the descriptions, only the first four parts of the configuration BPDU are described in the example. They are the root ID (expressed as Ethernet switch priority), the path cost to the root, the designated bridge ID (expressed as Ethernet switch priority) and the designated port ID (expressed as the port number).
the message and keep the local BPDU unchanged. When the port receives a higher-priority configuration BPDU, the switch uses the content of the received configuration BPDU to change the content of the local BPDU of this port. Then the switch compares the configuration BPDU of this port with those of its other ports to elect the optimum configuration BPDU. The comparison rules are:
■ The configuration BPDU with a smaller root ID has a higher priority.
Switch B: BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU. BP2 receives the configuration BPDU from Switch C and finds that the local BPDU priority is higher than that of the received one, so it discards the received BPDU.
For example, the link from Switch B to Switch C is down, or the port receives a better configuration BPDU. Thus, the spanning tree is stabilized. The tree with root bridge A is illustrated in Figure 30.
Figure 30 The final stabilized spanning tree (Switch A, priority 0, connected through AP1 to BP1 of Switch B, priority 1, with path cost 5; Switch B connected through BP2 to CP2 of Switch C, priority 2, with path cost 4)
To facilitate the descriptions, the description of the example is simplified.
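As an added illustration that is not part of the 3Com guide, the following Python script replays the election for the network of Figure 29 (Switch A priority 0, Switch B priority 1, Switch C priority 2; link costs 5, 10 and 4) by comparing configuration BPDUs as (root ID, root path cost, designated bridge ID, designated port ID) tuples. The tie-break order after the root ID is the standard STP order and the port numbering (1 for AP1/BP1/CP1, 2 for AP2/BP2/CP2) are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in comparison order: the lexicographically
    smaller tuple is the better (higher-priority) BPDU."""
    root_id: int     # root bridge ID (expressed as the switch priority)
    root_cost: int   # path cost to the root
    bridge_id: int   # designated bridge ID (switch priority)
    port_id: int     # designated port ID (port number)


# Constructed from Figure 29: (switch, port, peer switch, peer port, link cost).
# Port numbers 1 and 2 stand for AP1/AP2, BP1/BP2, CP1/CP2 (assumed numbering).
LINKS = [
    ("A", 1, "B", 1, 5),
    ("A", 2, "C", 1, 10),
    ("B", 2, "C", 2, 4),
]
PRIORITY = {"A": 0, "B": 1, "C": 2}


def peers(links):
    """Map every (switch, port) to (peer switch, peer port, link cost)."""
    table = {}
    for sw1, p1, sw2, p2, cost in links:
        table[(sw1, p1)] = (sw2, p2, cost)
        table[(sw2, p2)] = (sw1, p1, cost)
    return table


def elect(priority, links, max_rounds=16):
    """Exchange BPDUs until they stop changing; return {(switch, port): role}
    where role is "root", "designated" or "blocked"."""
    link = peers(links)
    # Initially every port advertises its own switch as root with cost 0.
    sent = {(sw, p): Bpdu(priority[sw], 0, priority[sw], p) for (sw, p) in link}
    roles = {}
    for _ in range(max_rounds):
        new_sent, roles = {}, {}
        for sw in priority:
            ports = [p for (s, p) in link if s == sw]
            # What each neighbour sent, with this link's cost added on receipt.
            received = {}
            for p in ports:
                nsw, nport, cost = link[(sw, p)]
                rx = sent[(nsw, nport)]
                received[p] = Bpdu(rx.root_id, rx.root_cost + cost, rx.bridge_id, rx.port_id)
            root_port = min(received, key=received.get)
            best = received[root_port]
            if Bpdu(priority[sw], 0, priority[sw], 0) < best:
                root_id, root_cost, root_port = priority[sw], 0, None  # this switch is the root
            else:
                root_id, root_cost = best.root_id, best.root_cost
            for p in ports:
                mine = Bpdu(root_id, root_cost, priority[sw], p)
                nsw, nport, _ = link[(sw, p)]
                if p == root_port:
                    roles[(sw, p)] = "root"
                elif mine < sent[(nsw, nport)]:
                    roles[(sw, p)] = "designated"  # our BPDU beats the one heard on the link
                else:
                    roles[(sw, p)] = "blocked"     # a better BPDU is heard; port stops forwarding
                new_sent[(sw, p)] = mine
        if new_sent == sent:
            break
        sent = new_sent
    return roles


if __name__ == "__main__":
    for (sw, p), role in sorted(elect(PRIORITY, LINKS).items()):
        print(f"Switch {sw} port {p}: {role}")
```

Dropping the B-C link from LINKS reproduces the failure case mentioned above: CP1 becomes the root port of Switch C instead of being blocked.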
designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state. Thus, the packets of a VLAN are forwarded along the following path: within the MST region, along the corresponding MSTI; among the regions, along the CST.
display commands. For detailed information, refer to the "Display and Debug MSTP" section.
When GVRP and MSTP start on the switch simultaneously, GVRP packets propagate along the CIST, which is a spanning tree instance. In this case, if you want to issue a certain VLAN through GVRP on the network, you should make sure that the VLAN is mapped to the CIST when configuring the VLAN mapping table of MSTP. The CIST is spanning tree instance 0.
By default, the MST region name is the switch MAC address, all the VLANs in the MST region are mapped to STI 0, and the MSTP region revision level is 0. You can restore the default settings of the MST region using the undo stp region-configuration command in system view.
Perform the following configuration in system view.
the switch ports send MSTP or STP packets (when connected to an STP switch) and the switch provides the multiple spanning tree function. You can use the following command to configure the MSTP running mode. MSTP can intercommunicate with STP. If there is an STP switch in the switching network, you may use the command to configure the current MSTP to run in STP-compatible mode. Otherwise, configure it to run in MSTP mode. Perform the following configuration in system view.
each time it is forwarded by a switch, the max hops value is reduced by 1. The switch discards a configuration BPDU with 0 hops left. This makes it impossible for switches beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region. You can use the following command to configure the max hops in an MST region. Perform the following configuration in system view.
Configuring the Time Parameters of a Switch
The switch has three time parameters: Forward Delay, Hello Time, and Max Age. Forward Delay is the switch state transition mechanism. The spanning tree is recalculated upon link faults and its structure changes accordingly. However, the recalculated configuration BPDU cannot be immediately propagated throughout the network.
Too short a Max Age may cause the network device to recalculate the spanning tree frequently and to mistake congestion for a link fault. However, if the Max Age is too long, the network device may not be able to discover the link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.
Configuration in system view
Perform the following configuration in system view.
Table 115 Configure the max transmission speed on a port (Operation: Command)
Configure the max transmission speed on a port: stp interface interface-list transmit-limit packetnum
Restore the default max transmission speed on a port: undo stp interface interface-list transmit-limit
Configuration in Ethernet port view
Perform the following configuration in Ethernet port view.
Table 118 Configure a port as an edge port or a non-edge port (Operation: Command)
Configure a port as an edge port: stp edged-port enable
Configure a port as a non-edge port: stp edged-port disable
Restore the default setting of the port as a non-edge port: undo stp edged-port
You can configure a port as an edge port or a non-edge port with either of the earlier-mentioned measures.
Table 120 Configure the path cost of a port (Operation: Command)
Configure the path cost of a port: stp [ instance instance-id ] cost cost
Restore the default path cost of a port: undo stp [ instance instance-id ] cost
You can configure the path cost of a port with either of the earlier-mentioned measures. Upon a change of the path cost of a port, MSTP recalculates the port role and transits the state.
The actual rate counts.
2 Calculating the path cost
Table 121 details the correspondence between the rate range and the path cost values of the ports.
Table 123 Specifying the standard to be followed in path cost calculation (Operation: Command)
Specify the standard to be adopted when the switch calculates the default path cost for the connected link: stp pathcost-standard { dot1d-1998 | dot1t | legacy }
Restore the default standard to be used: undo stp pathcost-standard
By default, the switch calculates the default path cost of a port by the legacy standard.
Configuration in system view
Perform the following configuration in system view.
Configuring the mCheck Variable of a Port
The port of an MSTP switch operates in either STP-compatible or MSTP mode. If a port of an MSTP switch on a switching network is connected to an STP switch, the port automatically transits to operate in STP-compatible mode. However, the port stays in STP-compatible mode and cannot automatically transit back to MSTP mode when the STP switch is removed.
clearing dynamic ARP entries in port view, the function takes effect only on the specified port.
Configuring the Switch Protection Function
An MSTP switch provides BPDU protection, root protection, loop protection and TC protection.
BPDU protection
For an access device, the access port is generally directly connected to a user terminal (for example, a PC) or a file server, and the access port is set to an edge port to implement fast transition.
operation till the specified interval is reached. This avoids frequent delete operations on the MAC address table and ARP table. You can use the following command to configure the protection functions of the switch. Perform the following configuration in the corresponding configuration modes.
upstream port, some instances of the upstream port will be congested for a long time. By default, only the protection from TC-BPDU packet attack is enabled on the switch. BPDU protection, root protection and loop protection are disabled. After BPDU protection is configured, the switch disables, through MSTP, any edge port that receives a BPDU and notifies the network manager at the same time. These ports can be resumed by the network manager only.
MSTP can be enabled/disabled on a port in the following ways.
Configuration in system view
Perform the following configuration in system view.
Table 133 Enable/Disable MSTP on a port (Operation: Command)
Enable MSTP on a port: stp interface interface-list enable
Disable MSTP on a port: stp interface interface-list disable
Configuration in Ethernet port view
Perform the following configuration in Ethernet port view.
Table 136 Display and debug MSTP (Operation: Command)
Display the MSTP information about the current switch: display stp
Display the configuration information about the current port and the switch: display stp [ instance instance-id ] [ interface interface-list | slot slot-num ] [ brief ]
Display the current configurations of the specified service module: display stp slot number [ brief ]
Display the configuration information about the region: display stp region-configurati
Table 136 Display and debug MSTP (continued; Operation: Command)
Disable debugging of the state machine for port state transition: undo debugging stp state-machine pst
Enable debugging of the topology change state machine: debugging stp state-machine tcm
Disable debugging of the topology change state machine: undo debugging stp state-machine tcm
Enable debugging of the state machine for port protocol transition: debugging stp state-machine ppm
Disable debugging of the stat
Typical MSTP Configuration Example
Configuration procedure
1 Configurations on Switch A
# MST region
system-view
[SW8800] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
# Manually activate MST region configuration.
4 Configurations on Switch D
# MST region
[SW8800] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
# Manually activate MST region configuration.
18 DIGEST SNOOPING CONFIGURATION
Introduction to Digest Snooping
According to IEEE 802.1s, two connected switches can communicate with each other through multiple spanning tree instances (MSTIs) in a multiple spanning tree protocol (MSTP) region only when they are configured with the same region settings. With MSTP employed, interconnected switches determine whether or not they are in the same region by checking the configuration IDs of the bridge protocol data units (BPDUs) exchanged between them.
CHAPTER 18: DIGEST SNOOPING CONFIGURATION
Prerequisites
Switches of different manufacturers are interconnected in a network and have MSTP employed. The network operates properly.
Configuration Procedure
Table 137 Configure digest snooping (Configuration step: Command. Description)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number. Required. interface-type: interface type; interface-number: interface number.
Network diagram
Figure 32 Network diagram for digest snooping configuration (Switch A with ports GE2/0/2 and GE2/0/1 connected to 3Com switch B on GE1/1 and GE1/2; B connected on E0/3 and E0/1 to 3Com switches C and D; C and D connected on E0/2 and E1/1 to 3Com switch E on E1/1)
Configuration procedure
# 3Com B is directly connected to A through its GE 1/1 and GE 1/2 ports. Enable digest snooping on these two ports by executing the following commands:
system-view
System View: return to User View with Ctrl+Z.
19 FAST TRANSITION
Introduction
The designated port fast transition mechanism of RSTP and MSTP uses two types of protocol packets:
■ proposal packet: requests fast transition.
■ agreement packet: permits the opposite end to perform fast state transition.
RSTP and MSTP require that a designated port of the upstream switch performs fast transition only after receiving the agreement packet from the downstream switch.
CHAPTER 19: FAST TRANSITION
Figure 34 Designated port fast transition mechanism of MSTP (the upstream switch sends the proposal message to request fast transition; the downstream switch's root port congests the other non-edge ports and sends the agreement message; the designated port of the upstream switch then enters the forwarding state)
Figure 35 Network diagram (a switch from another vendor connected through port 1 and port 2 to the Switch 8800)
Configuration Tasks
Configuring fast transition in system view
Table 138 Configure fast transition in system view (Operation: Command. Description)
Enter system view: system-view
Enable fast transition: stp interface interface-type interface-number no-agreement-check. Required
By default, port fast transition is disabled.
20 BPDU TUNNEL CONFIGURATION
BPDU Tunnel Overview
BPDU Tunnel enables geographically segmented user networks to transmit BPDU packets transparently over the specified VLAN VPN on the operator’s network. This allows the user network to participate in a uniform spanning tree calculation while maintaining a spanning tree separate from that of the operator network. As shown in Figure 36, the operator’s network comprises packet ingress/egress devices, and the user network consists of networks A and B.
CHAPTER 20: BPDU TUNNEL CONFIGURATION
Table 141 Enable/disable BPDU Tunnel in system view (Operation: Command)
Enable BPDU Tunnel: vlan-vpn tunnel
Disable BPDU Tunnel: undo vlan-vpn tunnel
By default, BPDU Tunnel is disabled.
Enabling/disabling VLAN VPN on Ethernet port
Perform the following configuration in Ethernet port view.
Configuration procedure
1 Configure Switch A
# Enable rapid spanning tree protocol (RSTP) on the device.
[Switch_A] stp enable
# Set the port Ethernet 0/1 as a trunk port and configure it to permit VLAN 10 to pass through.
[Switch_A] vlan 10
[Switch_A- Ethernet 0/1] port link-type trunk
[Switch_A- Ethernet 0/1] port trunk permit vlan 10
2 Configure Switch B
# Enable RSTP on the device.
# Enable MSTP on the device.
[Switch_D] stp enable
# Enable BPDU Tunnel on the device.
[Switch_D] vlan-vpn tunnel
# Add the port Ethernet 3/1/2 into VLAN 20.
[Switch_D] vlan 20
[Switch_D-vlan20] port Ethernet 3/1/2
# First disable the STP protocol and then enable VLAN VPN on the port Ethernet 3/1/2.
21 ACL CONFIGURATION
ACL Overview
Introduction to ACL
A series of match rules must be configured to recognize packets before they can be filtered. Only when packets have been identified can the network take the corresponding action, allowing or prohibiting them to pass according to the preset policies. Access control lists (ACLs) are the mechanism for this. ACLs classify packets using a series of matching rules, which can be based on source addresses, destination addresses and port IDs.
CHAPTER 21: ACL CONFIGURATION
configured with any are put at the end and the other rules follow the configuration order; for advanced ACL rules, the wildcards of the source addresses are compared first, then the wildcards of the destination addresses if the source wildcards are equal, then the port IDs if the destination wildcards are also equal. The configuration order is followed if the port IDs are equal too.
Note: The user-defined ACL matching order takes effect only when multiple rules of one ACL are applied at the same time.
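The ordering rules above decide which of several overlapping rules a packet actually hits, which is why the same ACL can permit under auto order and deny under config order. The following Python model is an added illustration, not 3Com code, and it makes these labelled assumptions: a wildcard mask is compared as an unsigned integer (a smaller wildcard has fewer "don't care" bits and is the more specific rule, tried first), a rule that names a destination port counts as more specific than one that does not, rules whose source or destination is any go last, and ties keep rule-id (configuration) order. The 129.110.1.2 address comes from this chapter's own example; the 10.x addresses are made up.

```python
"""Model of the depth-first ("auto") match order for advanced ACL rules.
Added illustration, not 3Com code; see the lead-in for the assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = "any"


@dataclass
class Rule:
    rule_id: int               # also the configuration order
    action: str                # "permit" or "deny"
    src: str                   # dotted address, or "any"
    src_wild: str              # wildcard mask; 0.0.0.0 means exact host
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None


def _as_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def auto_order_key(r: Rule) -> Tuple[int, int, int, int, int]:
    """Sort key following the comparison sequence in the text: source
    wildcard, then destination wildcard, then port, then config order."""
    any_rule = 1 if ANY in (r.src, r.dst) else 0       # "any" rules go last
    src_w = 0 if r.src == ANY else _as_int(r.src_wild)
    dst_w = 0 if r.dst == ANY else _as_int(r.dst_wild)
    no_port = 0 if r.dst_port is not None else 1      # assumption: port-specific first
    return (any_rule, src_w, dst_w, no_port, r.rule_id)


def auto_order(rules: List[Rule]) -> List[int]:
    """Rule ids in the order they would be tried under match-order auto."""
    return [r.rule_id for r in sorted(rules, key=auto_order_key)]


def _addr_matches(addr: str, wild: str, pkt_addr: str) -> bool:
    if addr == ANY:
        return True
    care_mask = 0xFFFFFFFF & ~_as_int(wild)           # 0 bits in the wildcard must match
    return (_as_int(addr) ^ _as_int(pkt_addr)) & care_mask == 0


def _rule_matches(r: Rule, src: str, dst: str, dport: Optional[int]) -> bool:
    return (_addr_matches(r.src, r.src_wild, src)
            and _addr_matches(r.dst, r.dst_wild, dst)
            and (r.dst_port is None or r.dst_port == dport))


def lookup(rules: List[Rule], src: str, dst: str, dport: Optional[int],
           match_order: str = "auto") -> Tuple[Optional[int], str]:
    """First matching rule as (id, action) under 'auto' or 'config' order;
    (None, "no-match") when no rule matches."""
    if match_order == "auto":
        ordered = sorted(rules, key=auto_order_key)
    else:
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for r in ordered:
        if _rule_matches(r, src, dst, dport):
            return r.rule_id, r.action
    return None, "no-match"


# Constructed sample ACL (rule 1 is the least specific, rule 4 the most).
SAMPLE_RULES = [
    Rule(1, "deny",   ANY,        "0.0.0.0",       "129.110.1.0", "0.0.0.255"),
    Rule(2, "deny",   "10.0.0.0", "0.255.255.255", "129.110.1.2", "0.0.0.0"),
    Rule(3, "deny",   "10.1.1.5", "0.0.0.0",       "129.110.1.2", "0.0.0.0"),
    Rule(4, "permit", "10.1.1.5", "0.0.0.0",       "129.110.1.2", "0.0.0.0", dst_port=80),
]

if __name__ == "__main__":
    print("auto order :", auto_order(SAMPLE_RULES))
    print("auto lookup:", lookup(SAMPLE_RULES, "10.1.1.5", "129.110.1.2", 80, "auto"))
    print("config     :", lookup(SAMPLE_RULES, "10.1.1.5", "129.110.1.2", 80, "config"))
```

Running it shows the point the note makes: the host-to-server web traffic is permitted by rule 4 under auto order but denied by the catch-all rule 1 under config order, so the match order is part of the policy, not a detail.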
ACL Configuration Tasks
Table 144 Max ACL rules that can be activated on different interface cards
Columns: interface card suffix; MPLS support; max number of ACL rules supported for each card/interface
MPLS not supported: 1024
MPLS supported: 1023
Interface card suffixes covered by the table: 3C17511, 3C17512, 3C17513, 3C17514, 3C17516, 3C17526, 3C17532, 3C17525, 3C17527, 3C17530, 3C17531
A maximum of 12288 ACL rules can be activated on the whole service processor card.
Table 145 ACL configuration tasks on interface cards
Activate the ACL: packet-filter inbound (Required)
The following table describes the configuration tasks for service processor cards.
Table 147 Configure/Delete time range
Delete time range: undo time-range { time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] | all }
start-time and end-time days-of-the-week together define a periodic time range. start-time start-date and end-time end-date together define an absolute time range.
TCP ports, and only then can traffic rules that include all of these elements be sent to the target hardware and referenced by such QoS functions as packet filtering, traffic policing and priority re-marking. Otherwise, the rules cannot be activated on the hardware or referenced.
Perform the following configurations in system view.
Table 149 Length of template elements
Columns: name; description; length in template
vlanid: VLAN ID that the switch assigns to the packet; 2 bytes
vpn: The flow template pre-defined for MPLS2VPN; 2 bytes
Note:
■ The numbers listed in the table are not the actual lengths of these elements in IP packets, but their lengths in the flow template. The DSCP field is one byte in the flow template, but six bits in IP packets.
■ If the time-range keyword is not specified, the ACL is effective at any time after being activated.
■ You can define multiple sub-rules for the ACL by using the rule command several times.
Table 152 Define advanced ACL
Delete an ACL rule (advanced ACL view): undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | bt-flag | time-range | vpn-instance ]*
Delete an ACL or all ACLs (system view): undo acl { number acl-number | name acl-name | all }
CAUTION:
■ The port1 and port2 parameters in the command listed in Table 152 should be TCP/UDP ports for higher-layer applicati
Table 154 Activate ACL
Deactivate IP group ACL: undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]
Activate IP group ACL and link group ACL at the same time: packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }
Deactivate IP group ACL and link: undo packet-filter inbound ip-group { acl-number
Table 156 Display and debug ACL configurations
Clear ACL statistics: reset acl counter { all | acl-number | acl-name }
The display acl config command only displays the ACL matching information processed by the CPU. See the corresponding Command Manual for a description of the parameters.
ACL Configuration Example
Advanced ACL Configuration Example
Network requirements
The departments in the intranet are connected through 100 Mbps ports of the switches.
2 Define inbound traffic to the wage server.
# Create a name-based advanced ACL "traffic-of-payserver" and enter its view.
[SW8800] acl name traffic-of-payserver advanced
# Define the ACL rule for the wage server.
[3Com-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range 3Com
3 Activate the ACL.
# Activate the ACL "traffic-of-payserver".
[3Com-Ethernet2/1/1] packet-filter inbound ip-group traffic-of-host
Layer 2 ACL Configuration Example
Network requirements
With proper Layer 2 ACL configuration, during the time range from 8:00 to 18:00 every day the switch filters the packets with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303 (the ACL is applied at the port Ethernet2/1/1 of the switch).
[3Com-Ethernet2/1/1] packet-filter inbound link-group traffic-of-link
Example of BT Traffic Control Configuration
Network requirements
BitTorrent (BT) is file-sharing software for downloading. Its characteristic is that the more people are downloading a file with it, the faster the file downloads. While BT downloading greatly reduces the load on the download server, it also causes a dramatic increase in download traffic on the Internet.
22 QOS CONFIGURATION
QoS Overview
A conventional packet network treats all packets equally. Each switch/router processes packets in first-in-first-out (FIFO) order and forwards them to the destination on a best-effort basis, with no commitment or guarantee on transmission performance such as delay and jitter. With the fast growth of computer networks, more and more data such as voice and video, which are sensitive to bandwidth, delay and jitter, is transmitted over the network.
CHAPTER 22: QOS CONFIGURATION
Step 2: Run the filtering operation (deny or permit) on the identified traffic. By default, the permit operation is selected.
Traffic policing
QoS can police traffic at the ingress port to provide better services with the limited network resources.
Redirection
You can re-specify the forwarding direction of packets based on the QoS policy.
Traffic priority
Ethernet switches can provide priority tags, including ToS, DSCP, 802.1p and so on, for specific packets.
The 802.1Q tag header contains a 2-byte TPID (Tag Protocol Identifier, with the value 0x8100) and a 2-byte TCI (Tag Control Information). The TPID was newly defined by IEEE to mark a packet that carries an 802.1Q tag. The contents of the 802.1Q tag header are shown in Figure 44.
Figure 44 802.1Q tag header
In the figure, the priority field in the TCI is the 802.1p priority, which consists of three bits.
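To make the tag layout concrete, here is an added Python example (not 3Com code) that parses the 802.1Q header out of an Ethernet frame and maps the 3-bit priority through a CoS-to-local-precedence table. It uses the IEEE 802.1Q field layout: TPID 0x8100, then a 16-bit TCI whose top three bits are the 802.1p priority, the next bit the CFI and the low twelve bits the VLAN ID. The sample frames are constructed here; their MAC addresses are the ones from the Layer 2 ACL example in the previous chapter, and the reversed CoS map is the one configured in this chapter's queue scheduling example (qos cos-local-precedence-map 7 6 5 4 3 2 1 0).

```python
"""Parse the 802.1Q tag header of an Ethernet frame.  Added illustration,
not 3Com code; field layout per IEEE 802.1Q as stated in the lead-in."""
import struct
from typing import Dict, List, Optional

TPID_8021Q = 0x8100          # Tag Protocol Identifier value quoted in the text


def parse_dot1q(frame: bytes) -> Dict[str, Optional[int]]:
    """Return the 802.1Q fields of a frame; 'tagged' is False for untagged frames."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])   # bytes after the two MAC addresses
    if tpid != TPID_8021Q:
        return {"tagged": False, "priority": None, "cfi": None,
                "vid": None, "ethertype": tpid}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True,
            "priority": tci >> 13,          # 3-bit 802.1p priority (CoS)
            "cfi": (tci >> 12) & 0x1,       # canonical format indicator
            "vid": tci & 0x0FFF,            # 12-bit VLAN ID (0 = priority-tagged only)
            "ethertype": ethertype}         # type of the encapsulated payload


def build_tagged_frame(dst: bytes, src: bytes, priority: int, vid: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Build a tagged frame; used here to construct sample input."""
    if not 0 <= priority <= 7 or not 0 <= vid <= 0x0FFF:
        raise ValueError("priority is 3 bits, VID is 12 bits")
    tci = (priority << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def local_precedence(priority: int, cos_map: List[int]) -> int:
    """Look up the local precedence for a CoS value; cos_map lists the local
    precedence for CoS 0..7 in order, like the eight command arguments."""
    if len(cos_map) != 8:
        raise ValueError("cos_map must hold one entry per CoS value 0..7")
    if not 0 <= priority <= 7:
        raise ValueError("priority out of range")
    return cos_map[priority]


# Constructed sample frames: priority 5 in VLAN 10, carrying IPv4 (0x0800).
DST = bytes.fromhex("00e0fc010303")
SRC = bytes.fromhex("00e0fc010101")
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, 5, 10, 0x0800, b"\x00" * 46)
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x00" * 46
REMAPPED_COS_MAP = [7, 6, 5, 4, 3, 2, 1, 0]    # the reversed map from the page's example

if __name__ == "__main__":
    fields = parse_dot1q(SAMPLE_TAGGED)
    print(fields)
    print("local precedence:", local_precedence(fields["priority"], REMAPPED_COS_MAP))
```

The VID 0 comment is worth noting for classification: a frame can carry a priority tag without belonging to a VLAN, so code that treats "tagged" as "has a VLAN" will misclassify such frames.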
sent can those in the lower priority queue be sent. Putting key-service packets into the high priority queue and non-key-service packets into the low priority queue ensures that key-service packets are sent first, while non-key-service packets are sent in the intervals when no key-service packets need to be processed. The SP algorithm also has its disadvantage: if the high priority queues are full, packets in the low priority queues may not be forwarded at all.
Introduction to QoS Configuration Based on Port Groups
Table 157 Configure QoS based on port groups
Enter system view: system-view (-)
Enable descriptor share on the specified card: share descriptors slotid (Required. This function is disabled by default.)
Enter port group view: port-group index (index: port group number. The port group number of a common interface card ranges from 1 to 128.)
Table 157 Configure QoS based on port groups (continued)
Configure the drop mode on a port: drop-mode { tail-drop | wred } [ wred-index ] (Optional. See “Configuring WRED Parameters”)
Configure traffic mirroring: mirrored-to inbound (Optional. See “Configuring Traffic Mirroring”)
Configure traffic statistics: traffic-statistic inbound (Optional. See “Configuring Traffic Statistics
■ The XP4 card does not support inter-group port mirroring. A port group can have an inbound and an outbound monitoring port. There is only one monitoring port in other types of interface cards.
■ The XP4 card does not support queue scheduling.
Configuration Example
Network requirements
Set the next-hop address of the packets forwarded by GE7/1/1 and GE7/1/2 from 8:00 to 18:00 to 3.0.0.1.
[3Com-port-group1] port GigabitEthernet 7/1/1 GigabitEthernet 7/1/2
4 Redirect the packets forwarded to the port group.
# Set the next hop of the packets forwarded to the ports in port group 1 to 3.0.0.1.
[3Com-port-group1] traffic-redirect inbound ip-group 2000 rule 0 next-hop 3.0.0.1
QoS Configuration
The following sections describe QoS configuration tasks.
Configuring Service Parameter Allocation Rule
Table 158 QoS terms
Conform-Level: The result calculated from the user-defined CIR, CBS, EBS, PIR and the actual traffic when the switch runs traffic policing, in the range of 0 to 2. The parameter is used to select the remark service parameters, such as remark-cos and remark-drop, in traffic policing by means of the traffic-limit command. Packets with different conform-levels query different mapping tables.
Table 159 Configure mapping tables
Configure the CoS -> Local-precedence mapping table: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
Restore the default values of the CoS -> Local-precedence mapping table: undo qos cos-local-precedence-map
By default, the switch obtains local precedence and drop precedence accord
Table 162 Configure mapping table
Restore the default values of the DSCP + Conform-Level -> Service parameters mapping table (conform level view): undo dscp dscp-list
Configure the EXP + Conform-Level -> Service parameters mapping table (conform level view): exp exp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence
Restore the default values of the EXP + Conform-Level -> Service parameters mapping table (conform level view): undo exp exp
Table 164 Configure traffic policing
Configure traffic policing which applies IP group ACL and link group ACL at the same time: traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward
retrieval. You can also assign a system index when delivering an ACL rule with this command, but the index value may change while the system is running. It is therefore not recommended to assign a system index unless it is really necessary. tc-index index is the traffic policing index. If you configure the same index for different ACL rules when setting traffic policing, the combined traffic of those rules is limited by the predefined traffic policing parameters.
Table 167 Configure traffic priority
Configure traffic priority which only applies IP group ACL: traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
Remove traffic priority setting which only applies IP group ACL: undo traffic-priority inbound
It is therefore not recommended to assign a system index unless it is really necessary.
Note:
■ For MPLS packets, the dscp-value not only stands for their DSCP priority value but is also mapped to the EXP; you set the EXP value when defining the dscp-value.
Table 169 Configure traffic redirection
Remove traffic redirection setting which only applies link group ACL: undo traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule ]
For service processor cards, perform the following configurations in VLAN view.
Table 170 Configure traffic redirection
Configure traffic redirection on packets matching a Layer 3 ACL rule.
Different outbound queues at a port may use different algorithms. The switch supports three scheduling modes:
1 All-SP scheduling mode
2 All-WRR mode: A queue is selected from each of the two WRR groups during scheduling, and then the two queues are compared for priority. The queue with the higher priority is scheduled.
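The starvation risk of SP and the proportional sharing of WRR described in this section are easiest to see in a small model. The Python below is an added illustration, not the switch's scheduler: it treats transmission opportunities as packet slots, assumes every queue stays backlogged, and uses a plain WRR (each queue sends up to its weight per round) rather than the two-group comparison the switch performs. The weights 20, 20 and 30 are the WRR group 1 weights from this chapter's queue scheduling example.

```python
"""Toy model of strict priority (SP) versus weighted round robin (WRR)
queue scheduling.  Added illustration, not 3Com code."""
from typing import Dict, List


def strict_priority(backlog: Dict[int, int], slots: int) -> Dict[int, int]:
    """Serve `slots` packets; the highest-numbered non-empty queue always
    wins.  Returns the number of packets served per queue."""
    remaining = dict(backlog)
    served = {q: 0 for q in backlog}
    for _ in range(slots):
        for q in sorted(remaining, reverse=True):      # highest priority first
            if remaining[q] > 0:
                remaining[q] -= 1
                served[q] += 1
                break
    return served


def weighted_round_robin(backlog: Dict[int, int], weights: Dict[int, int],
                         slots: int) -> Dict[int, int]:
    """Each round, every queue may send up to its weight in packets, in
    queue order, until `slots` is exhausted.  Returns packets served per queue."""
    remaining = dict(backlog)
    served = {q: 0 for q in backlog}
    while slots > 0 and any(remaining.values()):
        progress = 0
        for q in sorted(backlog):
            n = min(weights[q], remaining[q], slots)
            remaining[q] -= n
            served[q] += n
            slots -= n
            progress += n
            if slots == 0:
                break
        if progress == 0:          # all weights zero: nothing can ever be sent
            break
    return served


def starved_queues(served: Dict[int, int]) -> List[int]:
    """Queues that received no service at all during the run."""
    return [q for q, n in sorted(served.items()) if n == 0]


# Constructed backlog: queues 0, 1 and 2 each hold 1000 packets, far more
# than the 70 slots we simulate, so every queue is permanently backlogged.
BACKLOG = {0: 1000, 1: 1000, 2: 1000}
WRR_WEIGHTS = {0: 20, 1: 20, 2: 30}

if __name__ == "__main__":
    sp = strict_priority(BACKLOG, 70)
    wrr = weighted_round_robin(BACKLOG, WRR_WEIGHTS, 70)
    print("SP :", sp, "starved:", starved_queues(sp))
    print("WRR:", wrr, "starved:", starved_queues(wrr))
```

Under SP the two lower queues get nothing for as long as queue 2 stays busy, which is exactly the failure mode the text warns about; under WRR the same 70 slots split 20/20/30, so a saturated high-weight queue slows the others but cannot silence them.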
Configuring WRED parameters
The switch provides four sets of default WRED parameters, numbered 0 to 3. Each set includes 80 parameters, 10 for each of the eight queues. The ten parameters are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent.
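The ten parameters per queue map directly onto the classic RED drop curve, which the following added Python model shows; it is an illustration, not the switch's implementation, and its threshold values are constructed. For each colour (drop precedence), packets are never dropped while the average queue length is below the min-threshold, always dropped at or above the max-threshold, and dropped with a probability rising linearly to max-prob in between, which is the rule of Floyd and Jacobson's RED. The exponent is taken to be the weight of the exponential moving average of the queue length (w = 2^-exponent), the usual meaning of that parameter, but the page itself does not define it.

```python
"""Model of WRED behaviour driven by the parameter set listed above.
Added illustration, not 3Com code; constructed thresholds."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ColorParams:
    min_threshold: int      # average queue length at which dropping starts
    max_threshold: int      # average queue length at which every packet is dropped
    max_prob: float         # drop probability reached at max_threshold (0..1)


@dataclass(frozen=True)
class QueueParams:
    green: ColorParams
    yellow: ColorParams
    red: ColorParams
    exponent: int           # assumed: moving-average weight is 2**-exponent


def smoothed_average(prev_avg: float, length: int, exponent: int) -> float:
    """Exponential moving average of the queue length (RED 'avg')."""
    w = 2.0 ** -exponent
    return (1.0 - w) * prev_avg + w * length


def drop_probability_at(p: ColorParams, avg: float) -> float:
    """RED drop curve for one colour at average queue length `avg`."""
    if avg < p.min_threshold:
        return 0.0
    if avg >= p.max_threshold:
        return 1.0
    return p.max_prob * (avg - p.min_threshold) / (p.max_threshold - p.min_threshold)


class WredQueue:
    def __init__(self, params: QueueParams, seed: int = 0):
        self.params = params
        self.length = 0                     # instantaneous queue length
        self.avg = 0.0                      # smoothed queue length
        self.rng = random.Random(seed)      # seeded for reproducible runs

    def enqueue(self, color: str) -> bool:
        """Admit (True) or drop (False) one packet of the given drop precedence."""
        self.avg = smoothed_average(self.avg, self.length, self.params.exponent)
        if self.rng.random() < drop_probability_at(getattr(self.params, color), self.avg):
            return False
        self.length += 1
        return True

    def dequeue(self) -> None:
        if self.length > 0:
            self.length -= 1


# Constructed parameter set: red (highest drop precedence) is shed first,
# green (lowest) is protected longest.
SAMPLE_PARAMS = QueueParams(
    green=ColorParams(40, 80, 0.1),
    yellow=ColorParams(20, 60, 0.3),
    red=ColorParams(10, 40, 0.5),
    exponent=1,
)


def admitted_under_burst(params: QueueParams, color: str, packets: int) -> int:
    """How many of `packets` back-to-back arrivals (no departures) get admitted."""
    q = WredQueue(params)
    return sum(1 for _ in range(packets) if q.enqueue(color))


if __name__ == "__main__":
    for color in ("green", "yellow", "red"):
        print(color, "admitted:", admitted_under_burst(SAMPLE_PARAMS, color, 200))
```

Because the thresholds are compared against the smoothed average rather than the instantaneous length, a short burst is absorbed while a sustained overload is shed early and gradually; lowering red's thresholds relative to green's is what makes the drop precedence assigned by traffic policing meaningful at the egress queue.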
Configuring Traffic Mirroring
Traffic mirroring duplicates the traffic that matches ACL rules to the CPU or to the designated destination port for traffic analysis and monitoring.
Perform the following configurations in Ethernet port view.
Perform the following configurations in system view.
Table 175 Configure port mirroring
Configure port mirroring: mirroring-group groupid { inbound | outbound } mirroring-port-list mirrored-to monitor-port
Remove port mirroring setting: undo mirroring-group groupid
You can also implement port mirroring by setting mirroring groups at the port.
Perform the following configurations in Ethernet port view.
Table 177 Display and debug QoS configurations
Display QoS configurations of all ports or the specified port: display qos-interface [ interface-type interface-number ] all
Display the drop mode of the port outbound queue: display qos-interface [ interface-type interface-number ] drop-mode
Display traffic limit configuration of a port: display qos-interface [ interface-type interface-number ] traffic-limit
Display queue scheduling configuration of a
QoS Configuration Example
Network diagram
Figure 47 Network diagram for QoS configuration
Configuration procedure
# Enter Ethernet port view.
[SW8800] interface GigabitEthernet 7/1/8
[3Com-GigabitEthernet7/1/8]
# Set traffic shaping for the outbound queue 2 at the port: maximum rate 650 Kbps, burst size 12 KB.
[3Com-GigabitEthernet7/1/8] traffic-shape queue 2 650 12
Port Mirroring Configuration Example
Network requirements
Use one server to monitor the packets of two ports.
Traffic Priority Configuration Example
Network requirements
Re-allocate service parameters according to the mapping table for DSCP 63 for the packets from PC1 (IP 1.0.0.1) during the time range 8:00 to 18:00 every day.
Network diagram
Figure 49 Network diagram for priority configuration (figure: PC1 on GE7/1/1 in VLAN2, 1.0.0.1/8; PC2 on GE7/1/2 in VLAN3, 2.0.0.1/8; uplink port GE7/1/8)
Configuration procedure
1 Define the time range.
# Define the time range from 8:00 to 18:00.
Table 178 Modified CoS -> Conform-Level mapping table
Columns: CoS value; drop-precedence
6: 0
7: 0
4 Define the DSCP + Conform-Level -> Service parameter mapping table.
# Define the DSCP + Conform-Level -> Service parameter mapping table. Allocate a set of service parameters for the packets from PC1 according to the mapping table for DSCP 63.
[SW8800] time-range 3Com 8:00 to 18:00 daily
2 Define the traffic from PC1.
# Create a number-based basic ACL 2000 and enter its view.
[SW8800] acl number 2000
# Define the ACL rule for the traffic from PC1.
[3Com-acl-basic-2000] rule 0 permit source 1.0.0.1 0 time-range 3Com
3 Modify the next hop for the packets from PC1.
# Define the next hop for the packets from PC1 as 2.0.0.1.
[3Com-GigabitEthernet7/1/1] traffic-redirect inbound ip-group 2000 rule 0 next-hop 2.0.0.
Configuration procedure
# Re-specify the mapping between 802.1p priority and local precedence.
[SW8800] qos cos-local-precedence-map 7 6 5 4 3 2 1 0
# Use the WRR algorithm for queues 0 to 5. Put queues 0, 1 and 2 into WRR group 1 with weights 20, 20 and 30 respectively; put queues 3, 4 and 5 into WRR group 2 with weights 20, 20 and 40 respectively. Use the SP algorithm for queues 6 and 7.
2 Set the drop algorithm and thresholds.
# Set the port GE7/1/1 to WRED drop mode, using the parameters of WRED set 0.
[3Com-GigabitEthernet7/1/1] drop-mode wred 0
Traffic Statistics Configuration Example
Network requirements
Suppose the IP address of PC1 is 1.0.0.1 and that of PC2 is 2.0.0.1. The switch is up-linked through the port GE7/1/8. Count the packets sent from the switch to PC1 during the time range from 8:00 to 18:00 every day.
23 LOGON USER ACL CONTROL CONFIGURATION
Overview
Currently, a Switch 8800 Family series switch provides the following three means of remote access:
■ Telnet
■ Secure shell (SSH)
■ Simple network management protocol (SNMP)
A Switch 8800 Family series switch provides security control for these three access methods to prevent unauthorized users from logging in and accessing it. There are two levels of security control.
CHAPTER 23: LOGON USER ACL CONTROL CONFIGURATION
Table 181 Configuration tasks
Basic ACL view: rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*
Advanced ACL view: rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ i
Configuring ACL for Telnet/SSH Users
Note:
■ You can only use number-based ACLs to implement ACL control over Telnet or SSH users.
■ When you use a basic or advanced ACL to implement ACL control over Telnet or SSH users, the incoming/outgoing requests are restricted based on the source or destination IP addresses.
Layer 2 ACL Control Configuration Example
[SW8800] user-interface vty 0 4
# Apply the Layer 2 ACL to restrict incoming requests.
[3Com-user-interface-vty0-4] acl 4000 inbound
Basic ACL Control Configuration Example
Network requirements
Only the Telnet users with IP addresses 10.110.100.52 and 10.110.100.46 can access the switch.
Network diagram
Figure 55 Network diagram for source IP control over Telnet users (figure: Telnet users reach the Switch over the Internet)
Configuration procedure
# Define a basic ACL.
Configuring ACL for SNMP Users
Configuration Tasks
Table 182 Configuration tasks
Enter system view: system-view (-)
Define an ACL and enter ACL view: acl number acl-number [ match-order { config | auto } ] (Required. This command can only define a number-based basic ACL. The acl-number parameter ranges from 2000 to 2999.)
ACL Control over SNMP Users Configuration Example
Network requirements
Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the switch.
Network diagram
Figure 56 Network diagram for ACL control over SNMP users (figure: SNMP users reach the Switch over the Internet)
Configuration procedure
# Define a basic ACL and the rules.
system-view
System View: return to User View with Ctrl+Z.
24 VLAN-ACL CONFIGURATION
VLAN-ACL Overview
A VLAN-ACL is a VLAN-based ACL. You can configure QACL for a VLAN to control access to all ports in the VLAN. VLAN-ACL makes a network easier to manage: after you configure QACL for a VLAN, the system synchronizes the configuration to all member ports in the VLAN automatically, so you do not need to configure QACL on every port.
CHAPTER 24: VLAN-ACL CONFIGURATION
Table 183 Configure a VLAN-ACL
Tag priority for packets: traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } } (Optional)
Optional. When executed in VLAN view, the traffic-redirect command only redirects packets to the nex
VLAN-ACL Configuration
newly added one. However, if the self-defined flow template is deleted from the port, the system applies the QACL rules of the VLAN to the new port automatically.
■ You cannot change the flow template of a port that already has a VLAN-ACL applied to a customized flow template.
2 If both a VLAN and one of its ports have QACL rules applied, only the rules applied to the port take effect.
# Define traffic classification rules for packets, and allow packets to pass during the specified time period.
[3Com-acl-basic-2000] rule 0 permit source any time-range 3Com
[3Com-acl-basic-2000] quit
3 Configure packet redirection in VLAN 2.
# Set the next hop IP address of all the packets forwarded on ports in VLAN 2 to 3.0.0.1.
[SW8800] vlan 2
[3Com-vlan2] traffic-redirect inbound ip-group 2000 rule 0 next-hop 3.0.0.1
4 View the configuration.
25 802.1X CONFIGURATION
802.1x Overview
802.1x Standard Overview
IEEE 802.1x (hereinafter simplified as 802.1x) is a port-based network access control protocol that is used as the standard for LAN user access authentication. In LANs complying with the IEEE 802 standards, users access devices and share resources in the LAN by connecting to a LAN access control device such as a LAN switch.
CHAPTER 25: 802.1X CONFIGURATION
There are two types of ports on the Authenticator: the Uncontrolled Port and the Controlled Port. The Uncontrolled Port is always in the bi-directional connected state, so the user can access and share network resources through it at any time. The Controlled Port enters the connected state only after the user passes authentication; only then is the user allowed to access network resources.
Figure 58 802.
802.1x Configuration
Implementing 802.1x on Ethernet Switches
3Com Series Ethernet Switches not only support the port access authentication method defined by 802.1x, but also extend and optimize it in the following ways:
■ Several end stations can be connected downstream through one physical port.
■ Access control (that is, the user authentication method) can be based on the port or on the MAC address. In this way, the system becomes more secure and easier to manage.
802.
Table 184 Enable/Disable 802.1x
Enable 802.1x: dot1x [ interface interface-list ]
Disable 802.1x: undo dot1x [ interface interface-list ]
By default, 802.1x authentication is not enabled globally or on any port. You cannot enable 802.1x on a port before you enable it globally, and you must disable 802.1x on each port before you disable 802.1x globally.
Table 186 Set port access control method
Set port access control method: dot1x port-method { macbased | portbased } [ interface interface-list ]
Restore the default port access control method: undo dot1x port-method [ interface interface-list ]
The macbased keyword specifies that each user accessing through the port is authenticated individually, so the disconnection of one user does not affect other users.
Table 188 Setting maximum number of users via specified port
Restore the maximum number of users on the port to the default value: undo dot1x max-user [ interface interface-list ]
By default, 802.1x allows up to 1024 supplicants on each port of 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as Switch 8800 Family series), and a Switch 8800 Family series routing switch can accommodate a total of 2048 supplicants.
VLAN when the maximum number of re-authentications is reached. Users in a Guest VLAN can use resources in the Guest VLAN without undergoing 802.1x authentication, but they can use resources outside the Guest VLAN only after they have passed 802.1x authentication. In this way, unauthenticated users can still perform operations such as accessing certain resources without the 802.1x client installed, and upgrading the 802.1x client.
Table 193 Configure 802.
■ Specifies the interval at which 802.1x request packets are multicast periodically. To be compatible with clients that do not send EAPoL-Start frames on their own, Switch 8800 Family switches multicast 802.1x request packets periodically; the clients respond after receiving them. tx-period specifies the period of multicasting 802.1x request packets. tx-period-value: Specifies the duration of the transmission timeout timer.
Displaying and Debugging 802.1x
Table 195 Display and debug 802.1x
Enable the error/event/packet/all debugging of 802.1x: debugging dot1x { error | event | packet | all }
Disable the error/event/packet/all debugging of 802.1x: undo debugging dot1x { error | event | packet | all }
Packet Attack Prevention Configuration
With the expansion of the Internet and the growth in the number of Internet users, the likelihood that networking equipment is attacked is increasing.
802.1x Configuration Example
when the user accesses the network, the domain name is not appended to the user name. Normally, if the user’s traffic stays below 2000 Byte/s for 20 minutes, the user is disconnected. A server group consisting of two RADIUS servers, at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former acts as the primary authentication/secondary accounting server; the latter acts as the secondary authentication/primary accounting server.
# Enable 802.1x on the specified port Ethernet 3/1/1.
[SW8800] dot1x interface Ethernet 3/1/1
# Set the access control mode. (This command is optional here, since MAC-based is the default.)
[SW8800] dot1x port-method macbased interface Ethernet 3/1/1
# Create the RADIUS scheme radius1 and enter its configuration view.
[SW8800] radius scheme radius1
# Set the IP addresses of the primary authentication/accounting RADIUS servers.
[3Com-isp-3Com163.net] radius-scheme radius1
# Set a limit of 30 users for the domain 3Com163.net.
[3Com-isp-3Com163.net] access-limit enable 30
# Enable the idle cut function for the user and set the idle cut parameters in the domain 3Com163.net.
[3Com-isp-3Com163.net] idle-cut enable 20 2000
# Add a local supplicant and set its parameters.
26 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
AAA and RADIUS/HWTACACS Protocol Overview
AAA Overview
Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management.
CHAPTER 26: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
request to the RADIUS server. The RADIUS server has a user database that records all user authentication and network service access information. When it receives a user's request from the NAS, the RADIUS server performs AAA by querying and updating the user database and returns the configuration information and accounting data to the NAS.
Figure 60 Network diagram for HWTACACS (figure: terminal users and a user connect to the TACACS client, which talks to two TACACS servers at 129.7.66.66 and 129.7.66.67)
Basic message exchange procedures in HWTACACS
For example, use HWTACACS to implement authentication, authorization and accounting for a Telnet user.
Figure 61 illustrates the basic message exchange procedures.
Figure 62 Network diagram for using RADIUS to authenticate (figure: PC user1 and PC user2 reach ISP1 through a Switch 8800 and an S3000 series switch, PC user3 and PC user4 reach ISP2 through a Switch 8800 and an S2000 series switch; an Authentication Server and Accounting Server1 sit behind the Switch 8800 on the Internet side)
AAA Configuration
The following sections describe AAA configuration tasks.
For 3Com Series Switches, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.
Perform the following configuration in system view.
Table 199 Configure relevant attributes of an ISP domain
Configure the AAA scheme used by an ISP domain: scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Restore the default AAA scheme used by an ISP domain: undo scheme { radius-scheme | hwtacacs-scheme | none }
Configure the RADIUS scheme used by an ISP domain: radius-scheme radius-scheme-name
Delete the specified RADIUS scheme: undo radius sch
Table 200 Configure the self-service server URL
Configure the self-service server URL, that is, the URL used to change the user password on the self-service server: self-service-url enable url-string
Remove the self-service server URL configuration: self-service-url disable
By default, no self-service server URL is configured on the switch.
following table for reference), and cipher-force means that the password display mode of all accessing users must be cipher text.
Setting/Removing the attributes of a local user
Perform the following configuration in local user view.
Configuring Dynamic VLAN Delivering
Dynamic VLAN delivering aims to control the network resources available to a user. With this function enabled, a switch adds the ports connecting to authenticated users to the specified VLANs according to the attribute values delivered by the RADIUS server. In actual use, ports are usually set to operate in port-based mode so as to work together with the Guest VLAN.
Configuring RADIUS Protocol
By default, the integer mode is used. That is, the switch supports the RADIUS server delivering VLAN IDs in integer form.
Configuring name of a delivered VLAN
Perform the following configuration in VLAN view.
Table 206 Configure the name of a delivered VLAN
Configure the name of a delivered VLAN: name string
Remove the configured VLAN name and restore the default name: undo name
By default, the delivered VLAN does not have a name.
■ “Setting the Username Format Transmitted to RADIUS Server”
■ “Setting the Unit of Data Flow that Transmitted to RADIUS Server”
■ “Configuring the Source Address Used by NAS in RADIUS Packets”
■ “Setting the Port State of RADIUS Client”
■ “Configuring a Local RADIUS Authentication Server”
Among the above tasks, creating a RADIUS scheme and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be perf
Table 208 Set IP Address and Port Number of RADIUS Server
  Set IP address and port number of primary RADIUS accounting server:
    primary accounting ip-address [ port-number ]
  Restore IP address and port number of primary RADIUS accounting server to the default values:
    undo primary accounting
  Set IP address and port number of secondary RADIUS authentication/authorization server.
authentication/authorization and accounting packets, you must set two different ports accordingly. As suggested by RFC2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (Especially for some earlier RADIUS/HWTACACS servers, the authentication/authorization port number is often set to 1645 and the accounting port number to 1646.
Table 210 Configure the VPN of the RADIUS Server
  Restore the VPN attribute of RADIUS Server to the default value:
    undo vpn-instance
The RADIUS Server does not belong to any VPN by default.
Setting the Port State of the Local RADIUS Server
The local RADIUS server uses the switch itself as the RADIUS server, with port 1645 as the authentication port and port 1646 as the accounting port.
Perform the following configuration in RADIUS scheme view.
Table 213 Set RADIUS server response timeout timer
  Set the response timeout timer of RADIUS server:
    timer response-timeout seconds
  Restore the default value of the response timeout timer of RADIUS server:
    undo timer response-timeout
The default value of the response timeout timer of a RADIUS server is 3 seconds.
Perform the following configuration in RADIUS scheme view.
Table 216 Enable the selection of RADIUS accounting option
  Enable the selection of RADIUS accounting option:
    accounting optional
  Disable the selection of RADIUS accounting option:
    undo accounting optional
By default, selection of RADIUS accounting option is disabled.
You can use the following command to set the maximum number of times a real-time accounting request may go unanswered. Perform the following configuration in RADIUS scheme view.
Table 221 Set the maximum retransmitting times of stopping accounting request
  Set the maximum retransmitting times of stopping accounting request:
    retry stop-accounting retry-times
  Restore the maximum retransmitting times of stopping accounting request to the default value:
    undo retry stop-accounting
By default, the stopping accounting request can be retransmitted up to 500 times.
Table 223 Set RADIUS server state
  Set the state of secondary RADIUS server:
    state secondary { accounting | authentication } { block | active }
By default, the state of each server in a RADIUS scheme server group is active.
Setting the Username Format Transmitted to RADIUS Server
As mentioned above, the supplicants are generally named in userid@isp-name format. The part following "@" is the ISP domain name.
Configuring the Source Address Used by NAS in RADIUS Packets
Perform the following configuration in the corresponding view.
Table 228 Create/Delete a local RADIUS authentication server
  Create a local RADIUS authentication server:
    local-server nas-ip ip-address key password
  Delete a local RADIUS authentication server:
    undo local-server nas-ip ip-address
By default, the IP address of the local RADIUS authentication server group is 127.0.0.1 and the password is 3Com.
Configuring HWTACACS Protocol 257
Table 229 Create a HWTACACS scheme
  Create a HWTACACS scheme and enter HWTACACS view:
    hwtacacs scheme hwtacacs-scheme-name
  Delete a HWTACACS scheme:
    undo hwtacacs scheme hwtacacs-scheme-name
By default, no HWTACACS scheme exists. If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view. In HWTACACS view, you can configure the HWTACACS scheme specifically. The system supports up to 16 HWTACACS schemes.
Note: If only authentication and accounting servers are configured and no authorization server is configured, both authentication and accounting can be performed normally for the FTP, Telnet, and SSH users, but the priority of these users is 0 (that is, the lowest privilege level) by default.
The primary and secondary authorization servers cannot use the same IP address. The default port number is 49.
Configuring the Source Address for HWTACACS Packets Sent by NAS
Perform the following configuration in the corresponding view.
Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following configuration in HWTACACS view.
Displaying and Debugging AAA and RADIUS Protocol 261
Table 240 Set a real-time accounting interval
  Set a real-time accounting interval:
    timer realtime-accounting minute
  Restore the default real-time accounting interval:
    undo timer realtime-accounting
The interval is in minutes and must be a multiple of 3. The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance.
Table 242 Display and debug AAA and RADIUS/HWTACACS protocol
  Display all global NAS-IP information configured in system view:
    display radius nas-ip
  Display the statistics of RADIUS packets:
    display radius statistics
  Display the stop-accounting requests saved in buffer without response:
    display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user
AAA and RADIUS/HWTACACS Protocol Configuration Examples 263
Configuring Authentication at Remote RADIUS Server
Note: Configuring Telnet user authentication at the remote server is similar to configuring FTP users. The following description is based on Telnet users.
Network Requirements
In the environment illustrated in the following figure, the switch must be configured so that the RADIUS server authenticates the Telnet users that log in.
# Associate the domain with RADIUS.
[3Com-radius-cams] quit
[SW8800] domain cams
[3Com-isp-cams] radius-scheme cams
Configuring Authentication at Local RADIUS Authentication Server
Note: Local RADIUS authentication of Telnet/FTP users is similar to the remote RADIUS authentication described in section “Configuring Authentication at Remote RADIUS Server”.
Configuring Authentication at Remote TACACS Server
Troubleshooting AAA and RADIUS/HWTACACS 265
Note: The configuration of the FTP and Telnet users can refer to User Interface Configuration of the Getting Started Operation part in Switch 8800 Family Series Routing Switches Operation Manual.
# Configure a HWTACACS scheme.
[SW8800] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authentication 10.110.91.164
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.
■ The ports of the authentication/authorization and accounting services may not be set properly. Make sure they are consistent with the ports provided by the RADIUS/HWTACACS server.
Symptom: After the user is authenticated and authorized, the charging bill for the user cannot be sent to the RADIUS/HWTACACS server.
Solution:
■ The accounting port number may be set improperly. Set a proper number.
27 PORTAL CONFIGURATION
Portal Overview
Introduction
Portal is also known as portal website, and Portal authentication is also known as Web authentication. Its major advantages are:
■ Users need not install any client software;
■ It is powerful in its ability to support new services. With the help of Portal authentication, operators can provide services such as information query and online shopping based on Portal.
Portal Authentication Procedure
■ Portal server is a Web server. Users can access it by using standard WWW browsers. The portal server provides free portal service and a Web-authentication-based interface. The access device exchanges the authentication information of the authentication client with the Portal server. An Internet content provider (ICP) can provide related information about its own website to users through this website.
Portal Overview 269
accesses. That is to say, Layer-3-protocol-enabled network devices cannot exist between the user and the access devices.
The Layer 3 Portal authentication method does not check the MAC addresses of users, so its security is weaker. It is not recommended to use the Layer 3 Portal authentication method where high security is required.
■ Portal Authentication-free Users and Free IP Addresses
Basic Portal Configuration
Configuration Prerequisites
■ A valid IP address has been configured for this portal-enabled VLAN interface.
■ 802.1x is not enabled on the switch.
■ The Portal server has been installed and configured. Refer to CAMS Portal Service Components User’s Guide for details about installation and configuration.
Basic Portal Configuration Procedure
Basic Portal Configuration 271
Table 244 Basic Portal configuration procedure
  Enable Portal authentication on a VLAN interface (required):
    portal server-name
  Display the statistics about the state machines for authentication, connection and management:
    display portal { acm | server | tcp-cheat } statistics
  Display the information about Portal authentication network:
    display portal [ auth-network [ auth-vlan-id ] | free-ip | free-user | server [ server-name ] | vlan [ vlan-
Network diagram
Figure 66 Network diagram for Portal Direct authentication method (figure: Internet; Switch; Vlan-interface 2 192.168.1.160/16; Vlan-interface 3 172.21.1.1/16; VLAN 2; Ethernet2/1/1, Ethernet2/1/2, Ethernet2/1/3, Ethernet2/1/10; User PC 172.21.1.2/16 with gateway address 172.21.1.1; Portal server 192.168.1.200/16; RADIUS authentication/accounting server 192.168.1.100/16)
Configuration procedure
Note: Only the configurations on switches are listed below.
3 Configure Portal authentication
# Configure the portal server. Its name is newp, IP address is 192.168.1.200, key is 3Com, port is 50100, and URL is http://192.168.1.200:81/portal/index_page.jsp
[SW8800] portal server newp ip 192.168.1.200 key 3Com port 50100 url http://192.168.1.200/portal/index_default.
■ When the Portal ReDHCP authentication method is adopted, the switch must be configured as DHCP Relay instead of DHCP Server. Additionally, the master IP address (public address) and the slave IP address (private IP address) must be configured on the Portal-enabled VLAN interface.
# Set the Portal to run in the ReDHCP authentication method.
[SW8800] portal method redhcp
# Configure the DHCP server.
Network diagram
Figure 67 Network diagram for Layer 3 Portal authentication method (figure: Switch; Vlan-interface 2 192.168.1.160/16; VLAN 2; Portal 192.168.1.200/16; RADIUS 192.168.1.100/16; Vlan-interface 100 162.21.1.1/16 on Ethernet2/1/6; Ethernet 1/0 162.21.1.2/16; Ethernet 0/0 162.31.1.1/16; User PC1; User PC2 with IP address 162.31.1.2/16 and gateway address 162.31.1.1)
Configuration procedure
Note: Only the configurations related to the Layer 3 Portal authentication method are listed below.
Portal Authentication-free User and Free IP Address Configuration
Configuration Prerequisites
The prerequisite of Portal authentication-free user and free IP address configuration is that the basic Portal configuration has been finished. Portal authentication-free user and free IP address configuration is optional.
Portal Authentication-free User and Free IP Address Configuration Procedure
Portal Authentication-free User and Free IP Address Configuration 277
■ Server2 can access the Internet without passing the authentication.
Network diagram
Figure 68 Network diagram for authentication-free user and free IP address configuration (figure: Switch; Vlan-interface 2 192.168.1.160/16; VLAN 2; Portal 192.168.1.200/16; RADIUS authentication/accounting server 192.168.1.100/16; Ethernet2/1/5 to User PC; Ethernet2/1/4, Vlan-interface 4 192.166.1.1/16; Server2 192.166.1.
Portal Rate Limit Function Configuration
Portal Rate Limit Function Configuration Procedure
Table 246 Portal rate limit function configuration procedure
  Enter system view:
    system-view
  Enter interface view:
    interface Ethernet X/X/X
  Configure the Portal rate limit function on upload interfaces:
    portal upload interface
By default, the Portal rate limit function is disabled.
Portal Rate Limit Function Configuration Example
28 IP ROUTING PROTOCOL OVERVIEW
Note: A router referred to in the following text, or its icon, represents a generalized router or a Switch 8800 Family series routing switch running routing protocols. To improve readability, this will not be repeated in the other parts of the manual. For the configuration of VPN instance, refer to the MPLS module in 3Com Switch 8800 Family Series Routing Switches Operation Manual.
Figure 69 The concept of route segment (figure: routers A, B and C connected through intermediate routers R; a hop between two adjacent routers is one route segment)
As the networks may have different sizes, the segment lengths between two different pairs of routers are also different. The number of route segments multiplied by a weighting coefficient can serve as a weighted measurement for the actual length of the signal transmission path.
Introduction to IP Route and Routing Table 281
■ Next hop address: It indicates the IP address of the next router that an IP packet will pass through.
■ Priority added to the IP routing table for a route: There may be different next hops to the same destination. These routes may be discovered by different routing protocols, or they can just be the static routes configured manually. The one with the highest priority (the smallest numerical value) will be selected as the current optimal route.
addition, the running switch will automatically obtain some direct routes according to the port state and user configuration.
Routing Management Policy
Routing Protocols and the Preferences of the Corresponding Routes
For the Switch 8800 Family series, you can manually configure a static route to a specific destination, and configure a dynamic routing protocol to interact with other routers on the network.
Routing Management Policy 283 precedence, the multiple routes will be adopted. Thus, the router will forward the packets to the destination through these paths according to a certain algorithm so as to implement load sharing. For the same destination, a specified routing protocol may find multiple different routes with the same precedence and different next hops.
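As an added illustration of the selection rule described above (example code, not taken from the 3Com guide or the switch software), the following Python models a routing table in which several protocols offer routes to the same destination with different preference values, picks the entries with the smallest value, and keeps all of them when they tie with different next hops (the load-sharing case). The sample routes and preference values are constructed for the example, and the longest-prefix lookup in `lookup` is standard IP forwarding behaviour added for completeness rather than something the paragraph states.

```python
from ipaddress import ip_address, ip_network

# Constructed sample routing table: the same destination is offered by OSPF
# (two next hops, same preference) and by RIP (worse preference), plus a more
# specific static route and a static default route. Preference values are
# assumed for the example; a smaller value is better.
ROUTES = [
    {"dest": "10.1.0.0/16", "nexthop": "192.168.1.1", "proto": "ospf",   "pref": 10},
    {"dest": "10.1.0.0/16", "nexthop": "192.168.1.2", "proto": "ospf",   "pref": 10},
    {"dest": "10.1.0.0/16", "nexthop": "192.168.2.1", "proto": "rip",    "pref": 100},
    {"dest": "10.1.5.0/24", "nexthop": "192.168.3.1", "proto": "static", "pref": 60},
    {"dest": "0.0.0.0/0",   "nexthop": "192.168.9.1", "proto": "static", "pref": 60},
]


def select_routes(routes, dest_prefix):
    """Return the active routes for one destination prefix.

    All candidates for the prefix are compared by preference; the smallest
    numerical value wins. If several survive with different next hops they are
    all active, which is the load-sharing case described in the text.
    """
    candidates = [r for r in routes if r["dest"] == dest_prefix]
    if not candidates:
        return []
    best = min(r["pref"] for r in candidates)
    return [r for r in candidates if r["pref"] == best]


def lookup(routes, ip):
    """Next hops for a packet to `ip`: longest-prefix match, then preference.

    Longest-prefix matching is standard forwarding behaviour added here so the
    example works on real addresses; the text above only discusses preference.
    """
    addr = ip_address(ip)
    matching = {r["dest"] for r in routes if addr in ip_network(r["dest"])}
    if not matching:
        return []
    longest = max(matching, key=lambda d: ip_network(d).prefixlen)
    return sorted(r["nexthop"] for r in select_routes(routes, longest))


if __name__ == "__main__":
    for ip in ("10.1.5.7", "10.1.200.9", "8.8.8.8"):
        print(ip, "->", lookup(ROUTES, ip))
```

Running the block shows the three cases: the /24 static route wins for 10.1.5.7 because it is the most specific, 10.1.200.9 is shared across the two equal-preference OSPF next hops while the RIP route with the larger preference value stays inactive, and 8.8.8.8 falls through to the default route.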
29 STATIC ROUTE CONFIGURATION
Introduction to Static Route
Static Route
A static route is a special route configured manually by an administrator. You can set up an interconnecting network with static route configuration. The problem with such a configuration is that when a fault occurs in the network, the static route cannot change automatically to steer away from the faulty node without the help of an administrator.
this packet will be discarded, and an Internet Control Message Protocol (ICMP) packet will be sent to the originating host to inform it that the destination host or network is unreachable.
Configuring Static Route
Configuring a Static Route
Static Route Configuration includes:
■ “Configuring a Static Route”
■ “Configuring a Default Route”
■ “Deleting All the Static Routes”
Perform the following configurations in system view.
Displaying and Debugging Static Route 287
■ Other parameters: The attributes reject and blackhole respectively indicate the unreachable route and the blackhole route.
Configuring a Default Route
Perform the following configurations in system view.
Table 250 Configure a default route
  Configure a default route:
    ip route-static 0.0.0.0 { 0.0.0.
Table 252 Display and debug the routing table
  Display the statistics of the routing table:
    display ip routing-table statistics
  Display the routing information about the VPN instance:
    display ip routing-table vpn-instance vpn-instance-name
Typical Static Route Configuration Example
Network requirements
As shown in Figure 71, the masks of all the IP addresses are 255.255.255.0.
Troubleshooting Static Route Faults 289
Then, all the hosts or switches in the figure can be interconnected in pairs.
Troubleshooting Static Route Faults
Symptom: The switch is configured with static routes, and both the physical status and the link layer protocol status of the interface are Up, but IP packets cannot be forwarded normally.
Solution:
■ Use the display ip routing-table protocol static command to check whether the configured static route is correct and in effect.
30 RIP CONFIGURATION
Introduction to RIP
Routing Information Protocol (RIP) is a relatively simple interior gateway protocol (IGP), mainly applied to small-scale networks. RIP is easy to implement, and easier to configure and maintain than OSPF and IS-IS, so it is still widely used in actual networking.
RIP Operation Mechanism
RIP basic concepts
RIP is a Distance-Vector (D-V) algorithm-based protocol and exchanges routing information via UDP packets.
RIP Enabling and Running
■ If a RIP route has not been updated (that is, the router has received no update packet for it from the neighbor) when the Timeout timer expires, the route is regarded as unreachable and its cost is set to 16.
■ If the Garbage-Collection timer then expires and the unreachable route has still received no update packet from the same neighbor, the route is completely deleted from the routing table.
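The two timer rules above, together with the distance-vector update rule from the RIP basic concepts, as an added Python example (not code from the 3Com guide or the switch software). The timer values are the RFC 2453 defaults assumed for the example, the neighbour addresses and advertised routes are constructed, and the update-acceptance rules (cost + 1 capped at 16, the neighbour that installed a route always refreshes it, a different neighbour replaces it only with a lower cost) are standard RIP behaviour rather than anything specific to the Switch 8800.

```python
# Assumed RFC 2453 default timers, in seconds (not taken from the 3Com guide).
TIMEOUT = 180             # no update for this long: route becomes unreachable
GARBAGE_COLLECTION = 120  # unreachable for this long: route is deleted
INFINITY = 16             # RIP cost meaning "unreachable"


class RipRoute:
    def __init__(self, dest, nexthop, cost, now):
        self.dest = dest
        self.nexthop = nexthop            # neighbour the route was learned from
        self.cost = cost
        self.last_update = now            # restarts the Timeout timer
        self.unreachable_since = None     # set when the Timeout timer expires


def receive_update(table, neighbor, advertised, now):
    """Apply one RIP response from `neighbor`; `advertised` maps dest -> cost.

    Distance-vector rule: the cost via the neighbour is its cost plus one hop,
    capped at 16. `table` is a dict keyed by destination prefix.
    """
    for dest, cost in advertised.items():
        new_cost = min(cost + 1, INFINITY)
        route = table.get(dest)
        if route is None:
            if new_cost < INFINITY:
                table[dest] = RipRoute(dest, neighbor, new_cost, now)
        elif route.nexthop == neighbor:
            # The neighbour that gave us the route always refreshes it, even
            # with a worse cost; this is the update that resets Timeout.
            route.cost = new_cost
            route.last_update = now
            if new_cost < INFINITY:
                route.unreachable_since = None
            elif route.unreachable_since is None:
                route.unreachable_since = now   # neighbour withdrew the route
        elif new_cost < route.cost:
            table[dest] = RipRoute(dest, neighbor, new_cost, now)
    return table


def age_routes(table, now):
    """Run the Timeout and Garbage-Collection timers over the table.

    A route with no update for TIMEOUT seconds gets cost 16 and stays in the
    table (advertised as unreachable); GARBAGE_COLLECTION seconds after that,
    with still no update, it is removed.
    """
    for dest, route in list(table.items()):
        if route.unreachable_since is None and now - route.last_update >= TIMEOUT:
            route.cost = INFINITY
            route.unreachable_since = route.last_update + TIMEOUT
        if route.unreachable_since is not None and now - route.unreachable_since >= GARBAGE_COLLECTION:
            del table[dest]
    return table


def _snapshot(table, dest):
    r = table.get(dest)
    return None if r is None else (r.cost, r.nexthop)


def run_scenario():
    """Constructed timeline; returns (cost, next hop) snapshots for one prefix."""
    table, snaps, prefix = {}, [], "192.168.5.0/24"
    receive_update(table, "10.0.0.2", {prefix: 1, "172.16.0.0/16": 15}, now=0)
    snaps.append(_snapshot(table, prefix))   # cost 2 via 10.0.0.2; 172.16/16 is 16, not installed
    receive_update(table, "10.0.0.3", {prefix: 0}, now=10)
    snaps.append(_snapshot(table, prefix))   # better path: cost 1 via 10.0.0.3
    age_routes(table, now=200)               # Timeout expired at t=190
    snaps.append(_snapshot(table, prefix))   # cost 16, still in the table
    receive_update(table, "10.0.0.3", {prefix: 3}, now=250)
    snaps.append(_snapshot(table, prefix))   # same neighbour revives it: cost 4
    age_routes(table, now=560)               # Timeout at 430, Garbage-Collection at 550
    snaps.append(_snapshot(table, prefix))   # deleted
    return snaps


if __name__ == "__main__":
    for snap in run_scenario():
        print(snap)
```

The scenario in `run_scenario` walks one prefix through the full life cycle: learned, replaced by a cheaper path, aged to cost 16 when the Timeout timer expires, revived by a fresh update from the same neighbour, and finally deleted when the Garbage-Collection timer also runs out.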
Configuring RIP 293
You can make the following configurations for RIP to advertise and receive routing information:
■ Setting additional routing metric
■ Configuring RIP to import routes of other protocols
■ Configuring RIP route filtering
■ Enabling/disabling host route receiving by the router
■ Configuring RIP-2 route summary
3 RIP configuration
■ Configuring the RIP precedence
■ Configuring RIP timers
■ Configuring zero field check for RIP-1 packets
■ Specifying RIP version of the int
When the network command is used with an address, it enables the network address of the port, which also includes its subnet addresses. For example, for network 129.102.1.1, you can see network 129.102.0.0 using either the display current-configuration or the display rip command. By default, RIP is disabled on all the interfaces after it is started up.
Configuring Unicast of the Packets
Usually, RIP sends packets using broadcast or multicast addresses.
Table 257 Set additional routing metric
  Disable the additional routing metric of the route when the interface sends an RIP packet:
    undo rip metricout
By default, the additional routing metric added to the route when RIP sends a packet is 1. The additional routing metric when RIP receives the packet is 0 by default.
Table 259 Configure RIP to filter the received routes
  Configure RIP to filter the received global routing information:
    filter-policy { acl-number | ip-prefix ip-prefix-name } import
  Cancel filtering the received global routing information:
    undo filter-policy { acl-number | ip-prefix ip-prefix-name } import
Configuring RIP to filter the routes advertised by RIP
Table 260 Configure RIP to filter the advertised routes
  Configure RIP t
RIP-1 only sends the route with natural mask, that is, it always sends routes in the route summary form. RIP-2 supports subnet mask and classless interdomain routing. To advertise all the subnet routes, the route summary function of RIP-2 can be disabled. Perform the following configuration in RIP view.
By default, the interface receives and sends RIP-1 packets. It will transmit packets in multicast mode when the interface RIP version is set to RIP-2.
Configuring RIP Timers
As mentioned previously, RIP has three timers: Period update, Timeout and Garbage-collection. Modifying these timers affects the RIP convergence speed. Perform the following configuration in RIP view.
Specifying the Operating State of the Interface
In interface view, you can specify the operating state of RIP on the interface. For example, whether RIP operates on the interface, namely, whether RIP update packets are sent and received on the interface. In addition, whether an interface sends or receives RIP update packets can be specified separately. Perform the following configuration in interface view.
Table 268 Set RIP-2 packet authentication
  Disable RIP-2 packet authentication:
    undo rip authentication-mode
Before configuring MD5 authentication, you must configure the MD5 type. The usual packet format follows RFC1723 and the nonstandard one follows RFC2082.
Displaying and Debugging RIP
After the above configuration, execute the display command in any view to display the running of the RIP configuration, and to verify the effect of the configuration.
Troubleshooting RIP Faults 301
Network diagram
Figure 72 Network diagram for RIP configuration (figure: SwitchA, SwitchB and SwitchC connected over an Ethernet; interface addresses 110.11.2.1/24, 110.11.2.2/24, 110.11.2.3/24, 155.10.1.1/24, 117.102.0.1/16, 196.38.165.1/24; network addresses 155.10.1.0/24, 196.38.165.0/24, 117.102.0.
Solution:
■ RIP does not operate on the corresponding interface (for example, the undo rip work command has been executed) or this interface is not enabled through the network command.
■ The peer routing device is configured in multicast mode (for example, the rip version 2 multicast command has been executed) but multicast mode has not been configured on the corresponding interface of the local switch.
31 OSPF CONFIGURATION
OSPF Overview
Introduction to OSPF
Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. At present, OSPF version 2 (RFC2328) is used, which has the following features:
■ Applicable scope: It supports networks of various sizes, with up to several hundred routers.
Process of OSPF Route Calculation
autonomous system. Obviously, the routing tables obtained by different routers are different. Furthermore, to enable individual routers to broadcast their local state information to the entire AS, any two routers in the environment should establish adjacency between them. In this case, however, the changes that any router takes will result in multiple transmissions, which are not only unnecessary but also waste the precious bandwidth resources.
OSPF Overview 305
■ Router-LSAs: Type-1. Each router generates Router-LSAs, which describe the link state and cost of the local router. Router-LSAs are broadcast within the area where the router is located.
■ Network-LSAs: Type-2. DRs on the broadcast network generate Network-LSAs, which describe the link state of the local network. Network-LSAs are broadcast within the area where a DR is located.
■ Summary-LSAs: Include Type-3 and Type-4. Area border routers (ABRs) generate Summary-LSAs.
■ Backup Designated Router (BDR): If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process takes a relatively long time, during which route calculation is incorrect. To shorten the process, OSPF introduces the BDR. In fact, the BDR is a backup for the DR. DR and BDR are elected at the same time.
OSPF GR Overview 307
Figure 73 Area and route summary (figure: Area 0, Area 8, Area 12, Area 19, Virtual Link, RTA, networks 19.1.1.0/24, 19.1.2.0/24, 19.1.3.0/24)
OSPF Features Supported by Switch 8800 Family Series
The Switch 8800 Family series support the following OSPF features:
■ Support stub areas: OSPF defines stub areas to decrease the overhead when the routers within the area receive ASE routes.
■ Support NSSA: OSPF defines NSSA areas, surmounting the restriction of stub areas on topology.
OSPF GR Overview
Working Mechanism of OSPF GR
1. Implementation standard of OSPF GR
RFC3623: Graceful OSPF Restart
IETF drafts: draft-nguyen-ospf-lls-05; draft-nguyen-ospf-oob-resync-05; draft-nguyen-ospf-restart-05
Work mechanism of RFC3623
RFC3623 defines two main principles for GR: the network topology must remain stable and the forwarding tables can be kept while a router is being restarted. During the GR process, the behaviors of restarters and helpers are defined.
OSPF GR Overview 309
The neighbor keeps the neighbor relationship and sets the Restartstat-flag after receiving HELLO packets with the RS_bit set. When both neighbors exit from the OOB process, the standard OSPF algorithm is performed.
Note: The GR method on both OSPF neighbors must be the same; neighbors using different GR methods cannot complete the GR process successfully. An OSPF process can use only one GR method.
Packet Format of OSPF GR
Format of Grace LSA
This LSA is an Opaque-LSA generated by the Restarter.
Figure 77 Format of LLS data
TLV structure: EO_TLV and CA_TLV
1 Format of EO_TLV
Figure 78 Format of EO_TLV
The meaning of each field in EO_TLV:
■ The Type field refers to the type of TLV, and the type of EO_TLV is 1;
■ The Length field refers to the length of TLV, and the length of EO_TLV is 4;
■ The Extend Options field is the extended options of OSPF. RS_bit and LR_bit are set in this Options field in OSPF GR.
Configuring OSPF 311
The AuthLen field refers to the length of CA_TLV, and the length of CA_TLV is 20; the Sequence number and AuthData fields are determined by the OSPF check information.
Note: LLS data can be included only in HELLO packets and DD packets. Only one LLS data block can be included in a packet. EO_TLV must be included in LLS data. Additionally, CA_TLV must be included in LLS data if OSPF is configured with MD5 check.
OSPF configuration includes:
1 OSPF basic configuration
■ “Configuring Router ID”
■ “Enabling OSPF”
■ “Entering OSPF Area View”
■ “Specifying an Interface to Run OSPF”
2 Configuration related to OSPF route
■ “Configuring OSPF to Import Routes of Other Protocols”
■ “Configuring OSPF to Import Default Routes”
■ “Configuring OSPF Route Filtering”
■ “Configuring the Route Summary of OSPF”
3 Some OSPF configurations
■ “Setting OSPF Route Preference”
■ “Sett
Perform the following configuration in system view.
Table 270 Configure router ID
  Configure router ID:
    router id router-id
  Remove the router ID:
    undo router id
To ensure the stability of OSPF, the user should determine the division of router IDs and manually configure them when planning the network.
Enabling OSPF
Perform the following configuration in system view.
Perform the following configuration in OSPF area view.
Table 273 Specify an interface to run OSPF
  Specify an interface to run OSPF:
    network ip-address ip-mask
  Disable OSPF on the interface:
    undo network ip-address ip-mask
The ip-mask argument is an IP address wildcard mask (similar to the complement of the IP address mask).
Table 274 Configure OSPF to import external routes
  Configure OSPF to import routes of other protocols:
    import-route protocol [ cost value | type value | tag value | route-policy route-policy-name ]*
  Cancel importing routing information of other protocols:
    undo import-route protocol
By default, OSPF will not import the routing information of other protocols. For an imported route, type is 2, cost is 1, and tag is 1 by default.
Table 276 Configure parameters for OSPF to import external routes
  Restore the default tag for the external routes that OSPF imports:
    undo default tag
  Configure the default type of external routes that OSPF will import:
    default type { 1 | 2 }
  Restore the default type of the external routes imported by OSPF:
    undo default type
By default, the type of an imported route is type-2, the cost is 1 and the tag is 1.
■ For an ASBR, the system generates the corresponding Type-5 LSA or Type-7 LSA by default when a default route exists in the routing table.
■ For an ABR, the system will generate a Type-5 LSA or Type-7 LSA no matter whether there is a default route in the routing table.
■ The broadcasting scope of the Type-5 LSA or Type-7 LSA advertising the default route is the same as that of the common Type-5 LSA or Type-7 LSA.
Perform the following configuration in OSPF view.
Table 280 Enable OSPF to filter the imported routes of other routing protocols
  Enable OSPF to filter the routes advertised by other routing protocols:
    filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
  Disable OSPF from filtering the routes advertised by other routing protocols:
    undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
By default, OSPF does not receive the routes advertised b
Configuring the Route Summary of OSPF
Configuring the route summary of OSPF area
Route summary means that an ABR can aggregate the routes sharing the same prefix and advertise only one route to other areas. An area can be configured with multiple aggregate segments, so that OSPF can summarize the routes that fall within them. When the ABR transmits routing information to other areas, it generates one Sum_net_Lsa (type-3 LSA) per network.
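An added Python illustration of what the ABR's aggregation does to the set of Type-3 LSAs (example code, not from the 3Com guide or its OSPF implementation). It takes the intra-area networks and the aggregate segments configured for the area and returns what is advertised into other areas: one entry per aggregate that covers at least one network, and individual entries for the networks no aggregate covers. The sample networks reuse the 19.1.x.0/24 prefixes of Figure 73; the aggregate prefixes and the extra 10.5.0.0/24 network are constructed.

```python
from ipaddress import ip_network


def summarize_area_routes(intra_area_networks, aggregate_segments):
    """Return the prefixes an ABR advertises to other areas as type-3 LSAs.

    Each configured aggregate segment that covers at least one intra-area
    network replaces all the networks it covers with a single advertisement.
    Networks outside every aggregate are advertised individually, one
    Sum_net_Lsa per network, exactly as without summarization. An aggregate
    that covers no network is not advertised at all.
    """
    networks = [ip_network(n) for n in intra_area_networks]
    aggregates = [ip_network(a) for a in aggregate_segments]

    advertised = []
    for agg in aggregates:
        if any(n.subnet_of(agg) for n in networks):
            advertised.append(agg)
    for n in networks:
        if not any(n.subnet_of(agg) for agg in aggregates):
            advertised.append(n)
    return [str(p) for p in advertised]


def lsa_savings(intra_area_networks, aggregate_segments):
    """(type-3 LSAs without summarization, type-3 LSAs with summarization)."""
    return (len(intra_area_networks),
            len(summarize_area_routes(intra_area_networks, aggregate_segments)))


# Constructed sample: the three 19.1.x.0/24 networks from Figure 73 plus one
# unrelated network. 19.1.0.0/22 is an assumed aggregate segment covering the
# first three; 172.16.0.0/16 is an assumed aggregate that covers nothing.
AREA_NETWORKS = ["19.1.1.0/24", "19.1.2.0/24", "19.1.3.0/24", "10.5.0.0/24"]
AGGREGATES = ["19.1.0.0/22", "172.16.0.0/16"]

if __name__ == "__main__":
    print(summarize_area_routes(AREA_NETWORKS, AGGREGATES))  # ['19.1.0.0/22', '10.5.0.0/24']
    print(lsa_savings(AREA_NETWORKS, AGGREGATES))            # (4, 2)
```

With no aggregate segments configured the function returns the input list unchanged, which is the one-LSA-per-network behaviour the paragraph describes; `subnet_of` requires Python 3.7 or later.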
If the local router is an area border router (ABR) and a router in the NSSA, this command summarizes Type-5 LSAs transformed from Type-7 LSAs. If the router is not in the NSSA, the summarization is disabled.
Setting OSPF Route Preference
Since multiple dynamic routing protocols may run on one router concurrently, the problem of route sharing and selection between the routing protocols arises.
Table 287 Set a dead timer for the neighboring routers
  Configure a dead timer for the neighboring routers:
    ospf timer dead seconds
  Restore the default dead interval of the neighboring routers:
    undo ospf timer dead
By default, the dead interval for the neighboring routers of p2p or broadcast interfaces is 40 seconds and that for the neighboring routers of p2mp interfaces is 120 seconds.
Note: 3Com supports the broadcast domain only. By default, OSPF determines the network type from the link layer type. After an interface is configured with a new network type, its original network type is removed automatically.

Setting the Interface Priority for DR Election

On a broadcast network, a designated router (DR) and a backup designated router (BDR) must be elected.
Use the ospf dr-priority and peer commands to set priorities for different purposes:
■ Use the ospf dr-priority command to set the priority used in DR election.
■ The priority set with the peer command indicates whether the adjacent router is eligible for election.

Configuring an Interval Required for Sending LSU Packets
Table 293 Configure whether the MTU field will be filled in when an interface transmits DD packets
  Operation: Enable an interface to fill in the MTU field when transmitting DD packets
  Command: ospf mtu-enable
  Operation: Disable the interface from filling in the MTU field when transmitting DD packets
  Command: undo ospf mtu-enable

By default, the interface does not fill in the MTU field when transmitting DD packets; in other words, the MTU in the DD packets is 0. If the field is filled in and the advertised MTU is larger than the MTU of the receiving interface, the receiver rejects the DD packet and the neighbor cannot progress beyond the ExStart state.
Configuring OSPF Authentication

Configuring the OSPF Area to Support Packet Authentication

All routers in one area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If authentication is configured, all routers on the same segment must use the same authentication key. To configure a simple text authentication key, use the authentication-mode simple command. Note that simple text authentication carries the key unencrypted in the header of every OSPF packet, so anyone who can capture traffic on the segment can read it; MD5 authentication sends only a digest computed over the packet and the key.
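The difference between the two authentication modes is easiest to see on the wire. The following is an added example, not code from the 3Com guide: it builds a minimal OSPFv2 header (RFC 2328 Appendix A.3.1 and D.4.3) around a constructed packet body, places a simple password in the 64-bit authentication field, and for MD5 mode appends MD5(header + body + key padded to 16 bytes) and verifies it on the receiving side, including the cryptographic sequence number check that limits replay. Router IDs, keys and the body bytes are made up; the standard OSPF checksum is left at zero because it plays no part in authentication.

```python
"""OSPFv2 authentication on the wire: simple password versus MD5 digest.

Added example, not code from the 3Com guide. Router IDs, keys and the packet
body are constructed; the OSPF checksum is left as zero.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24
DIGEST_LEN = 16


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _header(pkt_type, router_id, area_id, body_len, autype, auth_field):
    """24-byte OSPFv2 header; the length field counts header + body, never the digest."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, HEADER_LEN + body_len,
                       _ip_bytes(router_id), _ip_bytes(area_id), 0, autype, auth_field)


def build_simple(pkt_type, router_id, area_id, body, password):
    """authentication-mode simple: the password sits in clear in the header."""
    auth_field = password.encode().ljust(8, b"\x00")[:8]
    return _header(pkt_type, router_id, area_id, len(body), AUTH_SIMPLE, auth_field) + body


def password_on_wire(wire):
    """What a sniffer on the segment learns from a simple-auth packet."""
    return wire[16:24].rstrip(b"\x00")


def build_md5(pkt_type, router_id, area_id, body, key_id, seq, key):
    """authentication-mode md5: header + body + MD5(header + body + padded key).

    The authentication field carries key ID, digest length and a sequence number
    instead of the key; the digest is appended after the packet body.
    """
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    hdr = _header(pkt_type, router_id, area_id, len(body), AUTH_CRYPTO, auth_field)
    padded_key = key.encode().ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]
    digest = hashlib.md5(hdr + body + padded_key).digest()
    return hdr + body + digest


def verify_md5(wire, keys, last_seq=-1):
    """Receiver side. keys maps key-id -> key string; last_seq is the highest
    cryptographic sequence number already accepted from this neighbour.
    Returns the accepted sequence number, or None if the packet is rejected."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return None
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_CRYPTO or length + DIGEST_LEN != len(wire):
        return None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys or seq < last_seq:
        return None  # unknown key, wrong digest length, or replayed packet
    padded_key = keys[key_id].encode().ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]
    expected = hashlib.md5(wire[:length] + padded_key).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return None
    return seq


# Constructed sample: a 20-byte Hello body (its contents do not matter here).
SAMPLE_BODY = bytes(range(20))
```

A key ID that the receiver does not know, a digest that does not match, or a sequence number lower than the last accepted one all cause the packet to be dropped; the sequence number is the only replay protection MD5 mode offers, so a captured packet can still be replayed until the sender's counter moves past it.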
two ABRs. Both ends of the logical channel must be ABRs, and the virtual link takes effect only when both ends are configured. A virtual link is identified by the router ID of the remote router. The area that provides the two ends of the virtual link with a non-backbone intra-area route is called the transit area; its area ID must be specified during configuration.
■ No ASBR can exist in a stub area. In other words, AS external routes cannot be propagated into a stub area.

Perform the following configuration in OSPF area view.
Table 300 Configure NSSA of OSPF
  Operation: Configure an area as an NSSA
  Command: nssa [ default-route-advertise | no-import-route | no-summary ]*
  Operation: Cancel the configured NSSA
  Command: undo nssa
  Operation: Configure the default cost of the route to the NSSA
  Command: default-cost cost
  Operation: Restore the default cost of the route to the NSSA
  Command: undo default-cost

All routers connected to the NSSA must use the nssa command to configure the area with the NSSA attribute.
Perform the following configuration in system view.

Table 302 Configure OSPF MIB binding
  Operation: Configure OSPF MIB binding
  Command: ospf mib-binding process-id
  Operation: Restore the default OSPF MIB binding
  Command: undo ospf mib-binding

By default, the MIB is bound to the first enabled OSPF process.

Configuring OSPF TRAP

The OSPF trap function enables the switch to send several types of SNMP trap messages when an OSPF process encounters an exception.
Configuring GR method as IETF drafts

Table 305 Configure OSPF GR
  Operation: Enter system view
  Command: system-view
  Description: -
  Operation: Enter OSPF view
  Command: ospf [ process-id [ [ router-id router-id ] vpn-instance vpn-instance-name ] ]
  Description: -
  Operation: Configure GR
  Command: graceful-restart compatible
  Description: Required

Resetting the OSPF Process

If the undo ospf command is executed on a router and the ospf command is then used to restart the OSPF process, the previous OSPF configuration is lost.
Table 307 Display and debug OSPF
  Operation: View OSPF inter-area route summarization information
  Command: display ospf [ process-id ] abr-summary
  Operation: Display summary information about OSPF imported routes
  Command: display ospf [ process-id ] asbr-summary [ ip-address mask ]
  Operation: Display OSPF interface information
  Command: display ospf [ process-id ] interface
  Operation: Display OSPF errors
  Command: display ospf [ process-id ] error
  Operation: Display OSPF Graceful Restart information
  Command: display ospf [ process-id ] grac
Network diagram

Figure 83 Network diagram for configuring DR election based on OSPF priority (Switch A, router ID 1.1.1.1; Switch B, router ID 2.2.2.2; Switch C, router ID 3.3.3.3; Switch D, router ID 4.4.4.4; all four share the segment 196.1.1.0/24, with Switch A as DR and Switch C as BDR)

Configuration procedure

# Configure Switch A
[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A-Vlan-interface1] ospf dr-priority 100
[Switch A] router id 1.
On Switch A, execute the display ospf peer command to display the OSPF peers. Note that Switch A has three peers. The state of each peer is Full, which means that an adjacency has been established between Switch A and each peer. (Switch A and Switch C must set up adjacencies with all routers on the network in order to be DR and BDR respectively.) Switch A is the DR and Switch C is the BDR on the network.
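The election rule behind the ospf dr-priority setting above, and behind the DR/BDR outcome in this example, is worth seeing as code. The following is an added example, not code from the 3Com guide: it ranks the routers on one broadcast segment by priority and then by router ID (RFC 2328 section 9.4, cold-start case), excludes priority 0, and shows that election is not preemptive. SEGMENT mirrors Figure 83 with Switch A at priority 100 as configured; the priorities given to Switches B, C and D are assumptions chosen so that Switch C becomes BDR as the text states.

```python
"""DR/BDR election on one OSPF broadcast segment, ranked by ospf dr-priority
and then by router ID (RFC 2328 section 9.4, cold-start case).

Added example, not code from the 3Com guide. Priorities of Switches B, C and
D in SEGMENT are assumptions; only Switch A's priority 100 is from the guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfRouter:
    name: str
    router_id: str   # dotted quad, compared as an unsigned 32-bit integer
    priority: int    # ospf dr-priority; 0 makes the router ineligible


def rid_value(router_id):
    a, b, c, d = (int(x) for x in router_id.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def rank(routers):
    """Eligible routers, best first: highest priority, then highest router ID."""
    eligible = [r for r in routers if r.priority > 0]
    return sorted(eligible, key=lambda r: (r.priority, rid_value(r.router_id)), reverse=True)


def elect(routers):
    """Return (dr, bdr) names when all routers start at the same time.

    On a cold start nobody claims DR, so the best-ranked router is elected
    BDR, promoted to DR, and the next best becomes BDR.
    """
    ranked = rank(routers)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


def on_join(current_dr, current_bdr, routers):
    """Election is not preemptive: a router joining a segment that already has
    a working DR and BDR keeps them, however high its own priority is."""
    names = {r.name for r in routers}
    if current_dr in names and current_bdr in names:
        return current_dr, current_bdr
    return elect(routers)


# Constructed segment after Figure 83; priorities of B, C and D are assumed.
SEGMENT = [
    OspfRouter("Switch A", "1.1.1.1", 100),
    OspfRouter("Switch B", "2.2.2.2", 1),
    OspfRouter("Switch C", "3.3.3.3", 2),
    OspfRouter("Switch D", "4.4.4.4", 1),
]
```

Because the election is not preemptive, a high dr-priority only guarantees the DR role if the router is up when the segment comes up; on a running segment a rogue or misconfigured device with priority 255 gains nothing until the current DR and BDR both fail.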
Configuration procedure

# Configure Switch A
[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf-1] area 0
[Switch A-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch B
[Switch B] interface vlan-interface 7
[Switch B-Vlan-interface7] ip address 196.1.1.2 255.255.
Network diagram

Figure 85 Network diagram

Configuration procedure

# Configure the switch
<Switch 8800 FamilyA> system-view
[Switch 8800 FamilyA] vlan 192
[Switch 8800 FamilyA-vlan192] port GigabitEthernet 3/1/1
[Switch 8800 FamilyA-vlan192] interface vlan 192
[Switch 8800 FamilyA-Vlan-interface192] ip address 192.168.1.
Troubleshooting OSPF Faults

Symptom 1: OSPF has been configured according to the steps above, but OSPF on the router does not run normally.

Solution: Check according to the following procedure.

Local troubleshooting: Check whether the protocol between two directly connected routers is operating normally. The sign of normal operation is that the neighbor state machine between the two routers reaches the Full state.
Figure 86 OSPF areas (RTA and RTB connected through Area 0, RTB and RTC through Area 1, RTC and RTD through Area 2)

■ The backbone area (Area 0) cannot be configured as a stub area, and a virtual link cannot pass through a stub area. That is, if a virtual link has been set up between RTB and RTC, neither Area 1 nor Area 0 can be configured as a stub area. In the figure above, only Area 2 can be configured as a stub area.
■ Routers in a stub area cannot receive external routes.
32 INTEGRATED IS-IS CONFIGURATION

Introduction to Integrated IS-IS

The Intermediate System-to-Intermediate System (IS-IS) intra-domain routing information exchange protocol was designed by the International Organization for Standardization (ISO) for the Connectionless Network Protocol (CLNP). It is a dynamic link-state routing protocol. To make it support IP routing, the IETF extended and modified IS-IS in RFC 1195 so that it applies to both TCP/IP and OSI environments; this is called Integrated IS-IS.
CHAPTER 32: INTEGRATED IS-IS CONFIGURATION

Two-level Structure of IS-IS Routing Protocol

IS-IS uses a two-level hierarchy within a routing domain to support large-scale networks. A large routing domain can be divided into one or more areas. A Level-1 router handles intra-area routes; a Level-2 router handles inter-area routes.

Level-1 and Level-2

■ Level-1 router: The Level-1 router is responsible for intra-area routing.
Figure 87 IS-IS topology (two routing domains separated by a routing domain boundary; each domain contains IS-IS areas made up of intermediate systems (IS) and end systems (ES); Level 1 IS-IS routing runs inside an area, Level 2 IS-IS routing between areas, and interdomain routing across the boundary)

NSAP Structure of IS-IS Routing Protocol

Address structure

Figure 88 NSAP structure (IDP = AFI + IDI; DSP = High Order DSP + Area Address + System ID + SEL (1 octet))
OSI uses the address structure shown in Figure 88. An NSAP consists of the initial domain part (IDP) and the domain specific part (DSP). The IDP is defined by ISO; it identifies the address format and the authority responsible for assigning the rest of the address. The DSP is allocated by the authority identified in the IDP. Both IDP and DSP are of variable length, and the whole NSAP is at most 20 bytes long.
NET

A Network Entity Title (NET) carries the network layer information and contains no transport layer information (SEL = 0); you can regard it as a special NSAP. Normally one NET is configured per router. If you are going to redivide an area (merge several areas or split one area into several), you can configure multiple NETs so that routes remain correct during the reconfiguration.
IS-IS configuration includes:

1 IS-IS basic configuration
■ Enabling IS-IS and Entering the IS-IS View
■ Setting Network Entity Title
■ Enabling IS-IS on the Specified Interface
■ Setting Priority for DIS Election
■ Setting Router Type
■ Setting Interface Circuit Level

2 Configuration related to IS-IS route
■ Configuring IS-IS to Import Routes of Other Protocols
■ Configuring IS-IS Route Filtering
■ Configuring IS-IS Routing Leak
■ Setting
Table 308 Enable IS-IS and enter the IS-IS view
  Operation: Enable IS-IS and enter the IS-IS view
  Command: isis [ tag ]

The tag argument identifies the IS-IS process. In the present version, only one IS-IS process is allowed. By default, the IS-IS routing process is disabled.

Setting Network Entity Title

A Network Entity Title (hereafter referred to as NET) defines the current IS-IS area address and the system ID of the router.
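The NET format described above (area address, six-octet system ID, one-octet SEL that must be 00) is small enough to validate before it is typed into a router. The following is an added example, not code from the 3Com guide: it splits a dotted-hex NET into its parts, rejects malformed values, and checks the rule that multiple NETs on one router must share the same system ID. The first sample NET is the value configured on Switch C in the guide's example; the others are constructed.

```python
"""Parse and sanity-check IS-IS Network Entity Titles (NETs).

Added example, not code from the 3Com guide. The last octet of a NET is the
selector (must be 00), the six octets before it are the system ID, and the
remaining leading octets are the area address (AFI followed by the rest of
the IDP/high-order DSP). Sample NETs are constructed.
"""
import re

NET_RE = re.compile(r"^[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4})+\.[0-9A-Fa-f]{2}$")


def parse_net(net):
    """Split a NET into area, system ID and SEL; raise ValueError if invalid."""
    if not NET_RE.match(net):
        raise ValueError(f"{net}: expected AA.XXXX[.XXXX...].SS dotted hex")
    raw = bytes.fromhex(net.replace(".", ""))
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{net}: NSAP must be 8 to 20 octets, got {len(raw)}")
    sel, system_id, area = raw[-1], raw[-7:-1], raw[:-7]
    if sel != 0:
        raise ValueError(f"{net}: NET selector must be 00, got {sel:02x}")
    area_hex = area.hex()
    area_text = area_hex[:2] + "".join("." + area_hex[i:i + 4] for i in range(2, len(area_hex), 4))
    sysid_hex = system_id.hex()
    return {
        "area": area_text,
        "system_id": ".".join(sysid_hex[i:i + 4] for i in range(0, 12, 4)),
        "sel": f"{sel:02x}",
    }


def is_valid_net(net):
    try:
        parse_net(net)
        return True
    except ValueError:
        return False


def multi_net_ok(nets):
    """Multiple NETs on one router (used while merging or splitting areas)
    must share the same system ID; only the area part may differ."""
    parsed = [parse_net(n) for n in nets]
    return len(parsed) > 0 and len({p["system_id"] for p in parsed}) == 1


# Constructed: Switch C's NET from the guide plus a second area for the same system.
SAMPLE_NETS = ["86.0001.0000.0000.0007.00", "86.0002.0000.0000.0007.00"]
```

Two routers in one area with the same system ID corrupt each other's LSPs, so a check that the system ID part is unique across the area (and identical across the NETs of one router) is worth running on any generated configuration.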
Table 311 Set priority for DIS election
  Operation: Set the priority for DIS election on the interface
  Command: isis dis-priority value [ level-1 | level-2 ]
  Operation: Restore the default priority for DIS election on the interface
  Command: undo isis dis-priority [ level-1 | level-2 ]

By default, the interface priority is 64. If neither level-1 nor level-2 is specified, the Level-1 priority is set.
Perform the following configuration in IS-IS view.
■ The filter-policy export command applies only to routes imported with the import-route command. If you configure only the filter-policy export command without using import-route to import external routes, filter-policy export has no effect.

Configuring IS-IS Routing Leak
The default route generated by this command is advertised only to routers at the same level.

Setting the Preference of IS-IS Protocol

On a router where several routing protocols run concurrently, the routing information learned by the different protocols has to be shared and one route selected. To do this, the system assigns a preference to each routing protocol.
Configuring IS-IS Timers

Setting the Hello packet broadcast interval

IS-IS periodically sends Hello packets from each interface, and routers maintain their adjacencies by sending and receiving them. The Hello interval can be modified. Perform the following configuration in interface view.

Table 323 Set the Hello packet broadcast interval
  Operation: Set Hello packet interval, measured in seconds.
Table 325 Set the CSNP packet broadcast interval
  Operation: Set the CSNP packet broadcast interval
  Command: isis timer csnp seconds [ level-1 | level-2 ]
  Operation: Restore the default CSNP packet broadcast interval on the interface
  Command: undo isis timer csnp [ level-1 | level-2 ]

If no level is specified, the Level-1 CSNP interval is set. By default, a CSNP packet is transmitted on the interface every 10 seconds.
Table 328 Set LSP packet retransmission interval
  Operation: Set the retransmission interval of LSP packets over p2p links
  Command: isis timer retransmit seconds
  Operation: Restore the default retransmission interval of LSP packets over p2p links
  Command: undo isis timer retransmit

By default, an unacknowledged LSP is retransmitted every five seconds over a p2p link.
Setting IS-IS area or IS-IS routing domain authentication password

You can configure an authentication password for the IS-IS area or for the IS-IS routing domain. If area authentication is required, the area authentication password is carried, in the specified mode, in the Level-1 LSP, CSNP and PSNP packets. Authentication lets a router discard routing packets that do not carry the expected password; it does not conceal the routing information itself.
Setting Overload Flag Bit

A router in the IS-IS domain may run into operational problems that cause errors across the whole routing area. To avoid this, you can set the overload flag bit on that router. When the overload bit is set, other routers stop using this router for transit, that is, they do not send it packets that it would have to forward. Perform the following configuration in IS-IS view.
Table 336 Set LSP refreshment interval
  Operation: Set LSP refreshment interval
  Command: timer lsp-refresh seconds
  Operation: Restore the default LSP refreshment interval
  Command: undo timer lsp-refresh

By default, LSPs are refreshed every 900 seconds (15 minutes).

Setting Lifetime of LSP

When a router generates its LSP, it fills in the maximum lifetime of that LSP. After other routers receive the LSP, its remaining lifetime decreases continuously as time passes.
Table 339 Set SPF calculation in slices
  Operation: Set the duration, in seconds, of one cycle of SPF calculation
  Command: spf-slice-size seconds
  Operation: Restore the default configuration
  Command: undo spf-slice-size

By default, SPF calculation is not divided into slices but runs to completion in one pass; the same behavior results from setting the seconds argument to 0. When slicing is configured, routes not processed in one cycle are calculated one second later.
interfaces. On a switch, this command disables or enables the sending of IS-IS packets on the specified VLAN interface.

Configuring IS-IS GR

When an IS-IS router restarts, the network is interrupted temporarily because its neighbor relationships are torn down and LSPs are flooded. The IS-IS GR feature solves this problem.
Table 343 Reset all the IS-IS data structures
  Operation: Reset the IS-IS data structures
  Command: reset isis all

By default, the IS-IS data structures are not cleared.

Resetting the Specified IS-IS Peer

When it is necessary to re-establish the connection to a specified peer, perform the following configuration in user view.
Typical Integrated IS-IS Configuration Example

Network requirements

As shown in Figure 89, Switches A, B, C and D belong to the same autonomous system. IS-IS runs on these four switches to provide route interconnection. In the network design, Switches A, B, C and D belong to the same area.

Network diagram

Figure 89 IS-IS configuration example (Switch A: Vlan-interface 101 100.0.0.1/24, Vlan-interface 100 100.10.0.
# Configure Switch C
[Switch C] isis
[Switch C-isis] network-entity 86.0001.0000.0000.0007.00
[Switch C] interface vlan-interface 101
[Switch C-Vlan-interface101] ip address 200.10.0.2 255.255.255.0
[Switch C-Vlan-interface101] isis enable
[Switch C] interface vlan-interface 100
[Switch C-Vlan-interface100] ip address 200.20.0.1 255.255.255.
33 BGP CONFIGURATION

BGP/MBGP Overview

Introduction to BGP

Border Gateway Protocol (BGP) is an inter-autonomous system (inter-AS) dynamic routing protocol. Three early versions are BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267). The current version, BGP-4 (RFC 1771), supports classless inter-domain routing (CIDR) and route aggregation. BGP-4 has become the de facto external routing protocol standard of the Internet and is widely used between ISPs.
CHAPTER 33: BGP CONFIGURATION

BGP is called IBGP when it runs within an AS and EBGP when it runs between different ASs.

BGP Message Types

BGP is driven by messages of the following types:
■ Type 1, OPEN: The first message sent after the TCP connection is established, used to set up the association between BGP peers.
■ Type 2, UPDATE: The most important message in the BGP system, used to exchange routing information between peers.
Route selection policy

In the Switch 8800 Family implementation, BGP selects routes by applying these rules in order:
■ Discard routes whose next hop is unreachable.
■ Prefer the route with the highest local preference.
■ Prefer the route originated by the local router.
■ Prefer the route with the shortest AS path.
■ Prefer the route with the lowest origin type.
■ Prefer the route with the lowest MED value.

MBGP
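The ordering above is a comparison function, and writing it as one makes the consequences of each rule visible, for instance that a route with the highest local preference wins even with a much longer AS path, which is exactly what a deliberately high local-preference policy relies on. The following is an added example, not code from the 3Com guide: route attributes are modelled with a small dataclass, the candidate routes are constructed, and the comparison follows the six rules in the order listed. The excerpt stops at the MED rule, so routes still tied after it are kept in arrival order. The med_across_as flag models the "compare the MED routing metrics from peers in different ASs" option: by default MED is only compared between routes received from the same neighbouring AS.

```python
"""BGP route selection in the order the guide lists: discard unreachable next
hops, then highest local preference, locally originated, shortest AS path,
lowest origin, lowest MED.

Added example, not code from the 3Com guide. Candidate routes are constructed.
"""
from dataclasses import dataclass, field
from functools import cmp_to_key

IGP, EGP, INCOMPLETE = 0, 1, 2   # origin codes, lower is preferred


@dataclass
class Route:
    name: str
    next_hop_reachable: bool
    local_pref: int = 100
    local_origin: bool = False
    as_path: list = field(default_factory=list)   # first element: neighbouring AS
    origin: int = IGP
    med: int = 0


def _compare(a, b, med_across_as):
    """Negative if a is better than b, positive if b is better, 0 if tied."""
    if a.local_pref != b.local_pref:
        return -1 if a.local_pref > b.local_pref else 1
    if a.local_origin != b.local_origin:
        return -1 if a.local_origin else 1
    if len(a.as_path) != len(b.as_path):
        return -1 if len(a.as_path) < len(b.as_path) else 1
    if a.origin != b.origin:
        return -1 if a.origin < b.origin else 1
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]
    if (med_across_as or same_neighbor_as) and a.med != b.med:
        return -1 if a.med < b.med else 1
    return 0   # rules beyond MED are not covered by the excerpt


def select(candidates, med_across_as=False):
    """Return usable candidates ordered best first; unreachable next hops removed."""
    usable = [r for r in candidates if r.next_hop_reachable]
    return sorted(usable, key=cmp_to_key(lambda a, b: _compare(a, b, med_across_as)))


def best(candidates, med_across_as=False):
    ordered = select(candidates, med_across_as)
    return ordered[0].name if ordered else None


# Constructed candidates for one prefix: the longer path with the higher local
# preference wins, and the route with a dead next hop is never considered.
CANDIDATES = [
    Route("via-65001-lp100", True, local_pref=100, as_path=[65001, 65002]),
    Route("via-65003-lp200", True, local_pref=200, as_path=[65003, 65002, 65004]),
    Route("dead-next-hop", False, local_pref=300, as_path=[65005]),
]
```

Comparing MED only within the same neighbouring AS makes the comparison non-transitive across three or more routes, which is why enabling comparison across ASs is sometimes chosen for determinism; the flag here lets both behaviours be tested on the same candidates.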
The Switch 8800 Family provides various MBGP extended applications, including multicast and VPN extensions. Each extended application must be configured in its own address family view. For the commands executed in MBGP address family view, see "Multicast Protocol" and "MPLS Configuration" in this manual.
■ "Configuring BGP Timer"
■ "Configuring the Local Preference"
■ "Configuring MED for AS"

5 BGP application configuration
■ "Comparing the MED Routing Metrics from the Peers in Different ASs"

6 BGP networking configuration
■ "Configuring BGP Route Reflector"
■ "Configuring BGP AS Confederation Attribute"
■ "Configuring BGP Load Balancing"
■ "Setting the Switch for Adjacency State Output"

7 Others
■ "Clearing BGP Connection"
■ "Refreshing BGP Routes"

Enabling BGP
create an EBGP peer group and sub-AS peer groups inside a confederation. group-name is locally significant. The default type of a BGP peer group is IBGP.

Configuring the AS number of an EBGP peer group

You can specify an AS number for an EBGP peer group; an IBGP peer group needs no AS number. When a peer group is given an AS number, all its member peers inherit that AS number.
To exchange routing information between BGP speakers, the peer group must be enabled first, and the peer is then added to the enabled peer group.
Table 354 Configure timer of a peer (group)
  Operation: Restore the default keep-alive message interval and hold timer of a peer (group)
  Command: undo peer { group-name | peer-address } timer

By default, a keep-alive message is sent every 60 seconds and the hold timer is 180 seconds. The hold time actually used on a session is the smaller of the two values the peers announce in their OPEN messages.
Table 357 Configure an IBGP peer group to be a client of a route reflector
  Operation: Cancel the configuration of the peer group as a client of the BGP route reflector
  Command: undo peer group-name reflect-client

This configuration applies to IBGP peer groups only. By default, all IBGP peers in the autonomous system must be fully meshed, because a BGP speaker does not advertise routes learned from one IBGP peer to its other IBGP peers.
is used to make certain outbound routes ignore private AS numbers when transmitting update messages. Perform the following configuration in BGP view.
interior BGP session can be configured to specify the source interface. This command is usually applied to a Loopback interface.
Table 365 Configure route policy for a peer (group)
  Operation: Remove the egress route policy of a peer group
  Command: undo peer group-name route-policy route-policy-name export

Configuring route filtering policy based on IP ACL for a peer (group)

Table 366 Configure route filtering policy based on IP ACL for a peer (group)
  Operation: Configure the ingress route filtering policy based on IP ACL for a peer (group)
  Command: peer { group-name | peer-address } filter-polic
Configuring Network Routes for BGP Distribution

Perform the following configuration in BGP view.

Table 369 Configure network routes for BGP distribution
  Operation: Configure the local network route for BGP distribution
  Command: network ip-address address-mask [ route-policy policy-name ]
  Operation: Remove the local network route for BGP distribution
  Command: undo network ip-address address-mask [ route-policy policy-name ]

By default, no network route is configured for BGP distribution.
■ Automatic aggregation (the summary command): aggregation of the IGP subnet routes imported by BGP. With automatic aggregation enabled, BGP does not receive subnet routes imported from the IGP, and routes are aggregated on natural (classful) network boundaries.
■ Manual aggregation (the aggregate command): aggregation of BGP local routes. In general, manual aggregation takes precedence over automatic aggregation.
Table 374 Configure to filter the routes advertised by other routing protocols
  Operation: Cancel the filtering of the routes advertised by other routing protocols
  Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

By default, BGP does not receive routing information advertised by other routing protocols.

Note:
■ The filter-policy import command filters BGP routes received from neighbors.

Configuring BGP Route Dampening
Table 376 Clear route dampening information
  Operation: Clear route dampening information
  Command: reset bgp dampening [ network-address [ mask ] ]

The reset bgp dampening command also releases the suppression of suppressed routes.

Configuring BGP Preference

Three types of routes may be involved in BGP: routes learned from external peers (EBGP), routes learned from internal peers (IBGP), and locally originated routes.
Table 379 Configure the local preference
  Operation: Configure the local preference
  Command: default local-preference value
  Operation: Restore the default local preference
  Command: undo default local-preference

The local preference is carried only in update packets exchanged between IBGP peers and is not transmitted beyond the local AS. By default, the local preference is 100.

Configuring MED for AS

The Multi-Exit Discriminator (MED) attribute is the external metric of a route.
Configuring BGP Route Reflector

To ensure connectivity between IBGP peers, a full mesh of IBGP sessions is normally required. With many IBGP peers, maintaining a full mesh costs a lot of sessions. Route reflection solves this problem. The route reflector is the central point for the other routers, which are called its clients. A client peers with the route reflector and exchanges routing information with it.
Configuring the route reflection between clients

Perform the following configuration in BGP view.

Table 383 Configure the route reflection between clients
  Operation: Enable route reflection between clients
  Command: reflect between-clients
  Operation: Disable route reflection between clients
  Command: undo reflect between-clients

By default, route reflection between clients is enabled.
does not need to know the structure of the internal sub-ASs, and the confederation ID is the AS number that identifies the confederation as a whole. Perform the following configuration in BGP view.

Table 385 Configure confederation_ID
  Operation: Configure confederation_ID
  Command: confederation id as-number
  Operation: Cancel confederation_ID
  Command: undo confederation id

By default, no confederation_ID is configured.
Configuring BGP Load Balancing

Because BGP is a protocol for route selection only, it has no route calculation method of its own, so it cannot decide whether to load balance based on a definite metric value. However, BGP has a variety of route selection rules, so it supports conditional load balancing after route selection, by adding load balancing to the BGP route selection rules.
Note: Load balancing is not available for BGP default routes.

Perform the following configuration in BGP view.

Table 388 Enable/disable BGP load balancing
  Operation: Enable BGP load balancing
  Command: balance balance-number
  Operation: Disable BGP load balancing
  Command: undo balance

By default, BGP does not perform load balancing.
Displaying and Debugging BGP

After the above configuration, execute the display command in any view to display the running BGP configuration and verify the effect of the configuration. Execute the reset command in user view to clear BGP statistics. Execute the debugging command in user view to debug BGP.
Table 392 Display and debug BGP
  Operation: Enable/disable BGP Open debugging
  Command: [ undo ] debugging bgp open [ receive | send ] [ verbose ]
  Operation: Enable/disable BGP packet debugging
  Command: [ undo ] debugging bgp packet [ receive | send ] [ verbose ]
  Operation: Enable/disable BGP Route-Refresh packet debugging
  Command: [ undo ] debugging bgp route-refresh [ receive | send ] [ verbose ]
  Operation: Enable/disable information debugging of normal BGP functions.
[Switch A] bgp 1001
[Switch A-bgp] confederation id 100
[Switch A-bgp] confederation peer-as 1002 1003
[Switch A-bgp] group confed1002 external
[Switch A-bgp] peer confed1002 as-number 1002
[Switch A-bgp] group confed1003 external
[Switch A-bgp] peer confed1003 as-number 1003
[Switch A-bgp] peer 172.68.10.2 group confed1002
[Switch A-bgp] peer 172.68.10.
Network diagram

Figure 93 Network diagram for BGP route reflector configuration (Switch A in AS100: VLAN 100 1.1.1.1/8 carrying network 1.0.0.0, VLAN 2 192.1.1.1/24; Switch B in AS200: VLAN 2 192.1.1.2/24 with EBGP to Switch A, VLAN 3 193.1.1.2/24; Switch C in AS200, the route reflector: VLAN 3 193.1.1.1/24, VLAN 4 194.1.1.1/24; Switch D in AS200: VLAN 4 194.1.1. ; IBGP between B, C and D)
[Switch C] interface vlan-Interface 4
[Switch C-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
# Configure BGP peers and route reflector.
[Switch C] bgp 200
[Switch C-bgp] group rr internal
[Switch C-bgp] peer rr reflect-client
[Switch C-bgp] peer 193.1.1.2 group rr
[Switch C-bgp] peer 194.1.1.2 group rr

4 Configure Switch D:
# Configure VLAN 4:
[Switch D] interface vlan-interface 4
[Switch D-Vlan-interface4] ip address 194.1.1.2 255.255.255.
Configuration procedure

1 Configure Switch A:
[Switch A] interface Vlan-interface 2
[Switch A-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[Switch A] interface Vlan-interface 3
[Switch A-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
# Enable BGP
[Switch A] bgp 100
# Specify the network that BGP advertises
[Switch A-bgp] network 1.0.0.
[Switch B-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[Switch B] ospf
[Switch B-ospf-1] area 0
[Switch B-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[Switch B-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[Switch B] bgp 200
[Switch B-bgp] group ex external
[Switch B-bgp] peer 192.1.1.1 group ex as-number 100
[Switch B-bgp] group in internal
[Switch B-bgp] peer 194.1.1.1 group in
[Switch B-bgp] peer 195.1.1.
[Switch C] acl number 2000
[Switch C-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[Switch C-acl-basic-2000] rule deny source any

Define a route policy named Localpref that sets the local preference of routes matching ACL 2000 to 200 and that of routes not matching it to 100.
Symptom 2: A BGP route is not advertised correctly after an IGP route is imported with the network command.

Solution: The route given to the network command must exactly match a route in the current routing table, including both destination segment and mask. A route covering a larger network segment than the one in the routing table cannot be imported. For example, if the routing table holds 10.1.1.0/24, that route can be imported, while 10.0.0.0/8 causes an error.
34 IP ROUTING POLICY CONFIGURATION

Introduction to IP Routing Policy

When a router advertises or receives routing information, it may need to apply policies that filter the routing information so that only routes meeting specified conditions are received or advertised. A routing protocol such as RIP may also need to import routing information discovered by other protocols to enrich its routing knowledge.
CHAPTER 34: IP ROUTING POLICY CONFIGURATION

An IP-prefix list is identified by its name. Each list can contain multiple items, each of which independently specifies a matching range of network prefixes and is identified by an index number. The index number determines the order of checking: during matching, the router checks the items in ascending order of index number.
Each node consists of a group of if-match clauses and apply clauses. The if-match clauses define the matching rules. The if-match clauses of one node are combined with AND: a route must satisfy all if-match clauses of the node to match the node and pass it. The apply clauses define the actions executed after the routing information passes the match test, that is, they set attributes of the routing information.
Table 394 Define if-match conditions
  Operation: Match the AS path attribute of BGP routing information
  Command: if-match as-path acl-number
  Operation: Disable matching the AS path attribute of BGP routing information
  Command: undo if-match as-path
  Operation: Match the community attribute of BGP routing information
  Command: if-match community { basic-community-number [ whole-match ] | adv-community-number }
  Operation: Disable matching the community attribute of the BGP routin
  Command: undo if-match community
Defining apply clauses for a route-policy

The apply clauses specify actions, that is, the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clauses. In this way some attributes of the route can be modified. Perform the following configuration in route policy view.
By default, no apply clause is configured. Note that if routing information matches the conditions of the route-policy and the apply cost-type internal clause is configured, then when the IGP route is advertised to EBGP peers, the IGP route's cost is used as its MED value.
Configuring a Community Attribute List

In BGP, the community attribute is optional and transitive. Some globally known community attributes are called standard community attributes; others serve special purposes. You can also define extended community attributes. A route can carry one or more community attributes, and a BGP speaker that receives a route with several community attributes can act on one, several or all of them.
Applying Route Policy on Received or Advertised Routes
Configuring to filter the received routes
Perform the following configuration in routing protocol view. Define a policy to filter out the routing information that does not satisfy the conditions while receiving routes, with the help of an ACL or address prefix-list. gateway specifies that only the update packets from a particular neighboring router will be received.
bgp: Route acquired by BGP
By default, the received and advertised routes are not filtered.
Displaying and Debugging the Routing Policy
After the above configuration, execute the display command in any view to display the running of the routing policy configuration and to verify the effect of the configuration.
# Configure three static routes.
[Switch A] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2
# Enable the OSPF protocol and specify the number of the area to which the interface belongs.
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf-1] area 0
[Switch A-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.
Troubleshooting Routing Policy
At least one item of the ip-prefix list should be in permit mode. Items in deny mode can be defined first to rapidly filter out the routing information that does not satisfy the requirement, but if all the items are in deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.
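The if-match "AND" rule for route-policy nodes and the troubleshooting note on all-deny ip-prefix lists, modelled as an added example (not the switch's own code). It assumes first-match evaluation of ip-prefix items with an implicit deny, first-match evaluation of route-policy nodes, and the common catch-all item form permit 0.0.0.0 0 less-equal 32; the prefix lists, tags and costs are constructed.

```python
"""Constructed model of route filtering with an ip-prefix list and a route-policy.

Added example, not the switch's own code. Assumptions not stated on this page:
ip-prefix items are tried in index order and the first match decides; a route
that matches no item is denied; route-policy nodes are tried in order and the
first node whose if-match clauses all hold decides the route's fate.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PrefixItem:
    """One 'ip ip-prefix NAME { permit | deny } IP MASK-LEN [greater-equal N] [less-equal M]' item."""
    mode: str                      # "permit" or "deny"
    network: str                   # e.g. "10.10.0.0/16"
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        net = ipaddress.ip_network(self.network)
        # Without a range the item matches the exact mask length only (assumed semantics).
        low = self.greater_equal if self.greater_equal is not None else net.prefixlen
        if self.less_equal is not None:
            high = self.less_equal
        else:
            high = 32 if self.greater_equal is not None else net.prefixlen
        return route.subnet_of(net) and low <= route.prefixlen <= high


def ip_prefix_filter(items: List[PrefixItem], prefix: str) -> bool:
    """True if the route passes the list: the first matching item decides, no match means deny."""
    route = ipaddress.ip_network(prefix)
    for item in items:
        if item.matches(route):
            return item.mode == "permit"
    return False


@dataclass
class Route:
    prefix: str
    tag: int = 0
    cost: int = 0


@dataclass
class Node:
    """One route-policy node: if-match clauses are ANDed, apply clauses run on a match."""
    mode: str                                    # "permit" or "deny"
    if_match: Dict[str, object] = field(default_factory=dict)
    apply: Dict[str, int] = field(default_factory=dict)


def node_matches(node: Node, route: Route) -> bool:
    for kind, condition in node.if_match.items():
        if kind == "ip-prefix":
            ok = ip_prefix_filter(condition, route.prefix)
        elif kind == "tag":
            ok = route.tag == condition
        else:
            raise ValueError(f"unsupported if-match clause: {kind}")
        if not ok:            # AND relationship: one failing clause fails the whole node
            return False
    return True


def apply_route_policy(nodes: List[Node], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if the policy passes it, else None."""
    for node in nodes:
        if node_matches(node, route):
            if node.mode == "deny":
                return None
            for attr, value in node.apply.items():
                setattr(route, attr, value)      # apply clause sets the route attribute
            return route
    return None                                  # no node matched: route filtered out


# Constructed lists illustrating the troubleshooting note: a list made only of
# deny items passes nothing, while deny items followed by a catch-all permit work.
ALL_DENY = [PrefixItem("deny", "10.10.0.0/16", less_equal=32),
            PrefixItem("deny", "192.168.0.0/16", less_equal=32)]
DENY_THEN_PERMIT = [PrefixItem("deny", "10.10.0.0/16", less_equal=32),
                    PrefixItem("permit", "0.0.0.0/0", less_equal=32)]   # catch-all item

# One permit node with two ANDed if-match clauses and one apply clause.
POLICY = [Node("permit", if_match={"ip-prefix": DENY_THEN_PERMIT, "tag": 10},
               apply={"cost": 100})]


def demo() -> dict:
    r1 = apply_route_policy(POLICY, Route("192.168.1.0/24", tag=10))
    r2 = apply_route_policy(POLICY, Route("192.168.1.0/24", tag=20))   # tag clause fails
    r3 = apply_route_policy(POLICY, Route("10.10.5.0/24", tag=10))     # prefix list denies
    return {"permitted_cost": r1.cost if r1 else None, "wrong_tag": r2, "denied_prefix": r3}


if __name__ == "__main__":
    print(demo())   # {'permitted_cost': 100, 'wrong_tag': None, 'denied_prefix': None}
```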
35 ROUTE CAPACITY CONFIGURATION
Route Capacity Configuration
Introduction to Route Capacity Configuration Tasks
In an actual network application, a routing table may contain a large number of route entries (especially OSPF routes and BGP routes). Generally, the routing information is stored in the memory of the switch, and the total size of the switch memory does not change. When the routing table grows to some degree, it may affect the operation of the system.
36 RECURSIVE ROUTING CONFIGURATION
Recursive Routing Configuration
Recursive Routing Overview
Configuring Recursive Routing
Every route entry must have a next hop address. For a common route, the next hop address is within a network segment to which the router is directly connected; for a route requiring recursion, the next hop address is not within a network segment to which the router is directly connected.
37 IP MULTICAST OVERVIEW
Note: An Ethernet switch functions as a router when it runs an IP multicast protocol. A router referred to in the following represents a generalized router or a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 97 Data transmission in broadcast mode (Server, Broadcast, Users A to E)
Suppose that Users B, D and E need the information. The information source (Server) broadcasts the information through the router, so User A and User C also receive it. In that case, neither information security nor charging for the service can be guaranteed. Moreover, bandwidth is badly wasted when only a few of the users need the information.
distribution of these users in the group. Finally, the information is transmitted properly and correctly to the intended receivers B, D and E. In multicast mode, the information sender is called the "multicast source", the set of receivers is called the "multicast group", and the routers that transmit multicast information are called "multicast routers". Members of a multicast group can be scattered around the network, so a multicast group has no geographical limitation.
packet scales. Multicast packets use Class D IP addresses as their destination addresses, but a Class D IP address can never appear in the source IP field of an IP packet. In unicast data transmission, a packet is transmitted "hop by hop" from the source address to the destination address. In an IP multicast environment, however, a packet has more than one destination address, that is, a group of addresses. All the information receivers are added to a group.
Table 408 Reserved multicast address list
Class D address range: Description
224.0.0.13: All PIM routers
224.0.0.14: RSVP encapsulation
224.0.0.15: All CBT routers
224.0.0.16: Specified SBM
224.0.0.17: All SBMS
224.0.0.18: VRRP
......: ......
Ethernet Multicast MAC Addresses
When a unicast IP packet is transmitted on the Ethernet, the destination MAC address is the MAC address of the receiver.
Figure 100 Application positions of multicast-related protocols (AS1 and AS2; PIM and IGMP within each AS; MBGP/MSDP between the ASs; Multicast Server; Users A to E)
Multicast group management protocol
Multicast groups use the Internet Group Management Protocol (IGMP) as their management protocol. IGMP runs between the host and the multicast router and defines the mechanism for establishing and maintaining membership between them.
address is the RP address of the shared tree. A multicast packet arriving at the router is forwarded according to the multicast forwarding entry if it passes the RPF check; otherwise, it is discarded.
38 STATIC MULTICAST MAC ADDRESS CONFIGURATION
Static Multicast MAC Address Overview
The concept of "static multicast MAC address" is proposed to implement static Layer 2 multicast. When some network users need specific information, the multicast information sender (the multicast source) sends the information only once, and the multicast packets are sent to the specified ports with the help of the configured static multicast MAC address.
Static Multicast MAC Address Configuration Example
Network requirements
■ Data packets with the destination MAC address 0100-5e01-018d in VLAN 2 are to be sent to three specified ports, Ethernet 2/1/1, Ethernet 2/1/2 and Ethernet 2/1/3.
39 IGMP SNOOPING CONFIGURATION
IGMP Snooping Overview
IGMP Snooping Principle
Running on the link layer, IGMP Snooping is a multicast control mechanism on a Layer 2 Ethernet switch, used for multicast group management and control. When receiving the IGMP messages transmitted between the host and the router, the Layer 2 Ethernet switch uses IGMP Snooping to analyze the information carried in the IGMP messages.
Figure 103 Multicast packet transmission when IGMP Snooping runs (VOD Server, Internet/Intranet, Multicast router, Layer 2 Ethernet Switch, video stream, multicast group member, non-multicast group members)
Implementing IGMP Snooping
Related concepts of IGMP Snooping
To facilitate the description, this section first introduces some switch concepts related to IGMP Snooping.
Figure 104 Implement IGMP Snooping (Internet; a router running IGMP; IGMP packets; Ethernet switches running IGMP Snooping)
■ IGMP general query message: Transmitted by the multicast router to the multicast group members to query which multicast groups contain members. When an IGMP general query message arrives at a router port, the Ethernet switch resets the aging timer of the port.
■ IGMP leave message: Transmitted from the multicast group member to the multicast router to notify that a host has left the multicast group. When the Ethernet switch receives a leave message for an IP multicast group, it transmits a group-specific query for that group to the port on which the message was received, to check whether the port still has other members of this group, and meanwhile starts a maximum response timer.
IGMP Snooping Configuration
■ Isolate-user-VLAN supports the IGMP Snooping function. After IGMP Snooping is enabled in the isolate-user-VLAN, all secondary VLANs are IGMP Snooping enabled, so there is no point in enabling IGMP Snooping for a secondary VLAN.
■ In a secondary VLAN, IGMP packets are directly converted and processed in the isolate-user-VLAN; that is, all multicast services are implemented within the isolate-user-VLAN.
Configuring Router Port Aging Time
By default, the aging time of a multicast member port is 260 seconds.
Configuring Unknown Multicast Packets not Broadcast within a VLAN
CAUTION: This configuration task enables or disables the function of not broadcasting unknown multicast packets within a VLAN. If this function is disabled but IGMP Snooping is enabled on the VLAN, multicast packets whose destination multicast group has no member ports are broadcast within the VLAN.
CAUTION:
■ If a nonexistent acl-number is bound to the VLAN, or the bound acl-number has no rule configured, a host is still allowed to join any multicast group.
■ If no acl-number exists, you can also configure the multicast group filtering rule in VLAN view. In that case the rule is not restricted by an ACL and is valid for all members of the specified VLAN.
Enabling/Disabling IGMP Snooping Fast Leave
■ When you configure IGMP Snooping fast leave on aggregation ports, the configuration takes effect only on the primary aggregation port.
■ If an IGMP V1 host of the same multicast group is attached to the port, the switch does not remove the port when the port receives an IGMP Leave packet for the multicast group, even if you have enabled IGMP Snooping fast leave for the port.
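The port bookkeeping described in the IGMP Snooping overview bullets above (router port aging on general queries, member port aging, leave followed by a group-specific query and maximum response timer, fast leave, the IGMP V1 host exception, and flooding of unknown multicast) as an added simulation, not the switch's own code. The router port aging time and the maximum response time are constructed values; only the 260-second member aging default comes from this excerpt.

```python
"""Constructed simulation of IGMP Snooping port bookkeeping on one VLAN.

Added example, not the switch's own code. Models: a general query refreshes a
router port; a report refreshes a member port; a leave starts a group-specific
query and a maximum response timer unless fast leave is on; a port with an
IGMPv1 host is kept on leave; unknown multicast is flooded in the VLAN unless
the "not broadcast" function is enabled.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

MEMBER_AGING = 260        # default member port aging time in seconds (from the page)
ROUTER_PORT_AGING = 105   # constructed value, not from this excerpt
MAX_RESPONSE_TIME = 1     # constructed value for the group-specific query timer


@dataclass
class MemberPort:
    expires_at: float                       # member port aging timer
    v1_host: bool = False                   # an IGMPv1 host was seen on this port
    query_deadline: Optional[float] = None  # maximum response timer started by a leave


class IgmpSnoopingVlan:
    def __init__(self, ports: Set[str], fast_leave: bool = False, drop_unknown: bool = False):
        self.ports = set(ports)
        self.fast_leave = fast_leave
        self.drop_unknown = drop_unknown            # "unknown multicast not broadcast" function
        self.router_ports: Dict[str, float] = {}    # port -> aging deadline
        self.groups: Dict[str, Dict[str, MemberPort]] = {}

    def general_query(self, port: str, now: float) -> None:
        """A general query from the multicast router marks or refreshes a router port."""
        self.router_ports[port] = now + ROUTER_PORT_AGING

    def report(self, port: str, group: str, now: float, version: int = 2) -> None:
        """A membership report adds the port to the group and restarts its aging timer."""
        members = self.groups.setdefault(group, {})
        member = members.setdefault(port, MemberPort(expires_at=now))
        member.expires_at = now + MEMBER_AGING
        member.query_deadline = None            # the report answers any pending query
        if version == 1:
            member.v1_host = True

    def leave(self, port: str, group: str, now: float) -> None:
        member = self.groups.get(group, {}).get(port)
        if member is None:
            return
        if member.v1_host:
            return        # the port is kept while a v1 host is present; it ages out later
        if self.fast_leave:
            del self.groups[group][port]
            return
        # Send a group-specific query out this port and start the maximum response
        # timer; a report before the deadline keeps the port, silence removes it.
        member.query_deadline = now + MAX_RESPONSE_TIME

    def tick(self, now: float) -> None:
        """Expire router ports and member ports whose timers have run out."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            members = self.groups[group]
            for port, m in list(members.items()):
                timed_out = m.query_deadline is not None and m.query_deadline <= now
                if m.expires_at <= now or timed_out:
                    del members[port]
            if not members:
                del self.groups[group]

    def forwarding_ports(self, group: str) -> Set[str]:
        """Ports that receive the group's traffic: members plus router ports, else flood or drop."""
        if group in self.groups:
            return set(self.groups[group]) | set(self.router_ports)
        return set() if self.drop_unknown else set(self.ports)
```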
■ Configuring a port as a static routing port fails if the VLAN identified by the vlan-id argument does not exist or the port does not belong to the VLAN.
■ You can configure multiple ports in a VLAN as static routing ports by performing the above configuration repeatedly. Newly configured ports do not replace the existing static routing ports.
Displaying and Maintaining IGMP Snooping
Network diagram
Figure 105 Network diagram for IGMP Snooping configuration (Internet, Router, Multicast, Switch)
Configuration procedure
Suppose you need to enable IGMP Snooping on VLAN 10. The procedure is as follows:
# Display the current state of IGMP Snooping.
display igmp-snooping configuration
# If IGMP Snooping is not enabled, enable it in system view.
system-view
System View: return to User View with Ctrl+Z.
Troubleshooting IGMP Snooping
■ If IGMP Snooping is not enabled, execute the igmp-snooping enable command in system view to enable IGMP Snooping. Then use the same command in VLAN view to enable IGMP Snooping in the corresponding VLAN.
2 The multicast forwarding table set up by IGMP Snooping is incorrect.
■ Execute the display igmp-snooping group command in any view to check whether the multicast group is the expected one.
40 MULTICAST VLAN CONFIGURATION
Multicast VLAN Overview
With the current multicast on demand, when users in different VLANs request the service, the multicast flow is duplicated in each VLAN and a great deal of bandwidth is wasted. To solve this problem, we provide the multicast VLAN feature. With this feature, you can add switch ports to a multicast VLAN and enable IGMP Snooping so that users in different VLANs share the same multicast VLAN.
Multicast VLAN Configuration Example
Network requirements
Configure a multicast VLAN so that users in VLAN 2 and VLAN 3 receive multicast flows through the multicast VLAN 10.
Table 422 Device number and description
Device: Description: Requirement
Switch A: Layer 3 switch: The IP address of the VLAN 2 interface is 168.10.1.1. Port E1/1/1 belongs to VLAN 2 and is connected to the Workstation. The IP address of the VLAN 10 interface is 168.20.1.1.
[Switch A-Vlan-interface2] pim dm
[Switch A-Vlan-interface2] quit
# Configure the IP address of the VLAN 10 interface as 168.20.1.1 and enable the PIM-DM and IGMP protocols.
[Switch A] interface vlan-interface 10
[Switch A-Vlan-interface10] ip address 168.20.1.1 255.255.255.0
[Switch A-Vlan-interface10] pim dm
[Switch A-Vlan-interface10] igmp enable
[Switch A-Vlan-interface10] quit
# Define Ethernet 1/1/10 as a trunk port and add it to VLAN 10.
# Define Ethernet 1/1/2 as a hybrid port. Add the port to VLAN 3 and VLAN 10. Make the port carry no VLAN tag when it transmits packets of VLAN 3 and VLAN 10. Set the default VLAN ID of the port to VLAN 3.
41 COMMON MULTICAST CONFIGURATION
Introduction to Common Multicast Configuration
The common multicast configuration applies to both the multicast group management protocol and the multicast routing protocol. It includes enabling IP multicast routing, displaying the multicast routing table and the multicast forwarding table, and so on.
■ When you insert a new interface module, if the module does not support the multicast routing table size currently configured in the system, the module will be disabled.
Managed Multicast Configuration
Managed Multicast Overview
The managed multicast feature controls users' authority to join multicast groups. The feature is port-based: users must first pass the 802.1x authentication configured for their ports. Then they are allowed to join the multicast groups specifically configured for them, but are prohibited from joining any multicast group they are not authorized to join.
Managed Multicast Configuration Example
Network requirements
As shown in Figure 107, HostA and HostB join the multicast group. Layer 3 multicast is enabled on LSA, LSB, LSC and LSD. Managed multicast is enabled on LSA and LSC. Because managed multicast combines multicast with 802.1x, 802.1x must be enabled on LSA and LSC.
# Create a local user in system view. Then set the password and service type for the user.
[SW8800] local-user liu
[3Com-luser-liu] password simple aaa
[3Com-luser-liu] service-type lan-access
# In local-user view, configure the multicast group that the user is allowed to join.
[3Com-luser-liu] multicast 227.1.1.
Displaying and Debugging Common Multicast Configuration
After the above configuration, execute the display command in any view to display the running of the multicast configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug multicast.
42 IGMP CONFIGURATION
IGMP Overview
Introduction to IGMP
Internet Group Management Protocol (IGMP) is the protocol in the TCP/IP suite responsible for managing IP multicast members. It is used to establish and maintain multicast membership between IP hosts and their directly connected neighboring routers. IGMP does not cover the transmission and maintenance of membership information among multicast routers, which are handled by multicast routing protocols.
Leaving group mechanism
In IGMP Version 1, hosts leave a multicast group quietly without informing the multicast router. The multicast router can then only rely on the timeout of the group's response timer to confirm that the hosts have left. In Version 2, when a host intends to leave, it sends a leave group message if it was the host that responded to the latest membership query message.
Introduction to IGMP Proxy
Description of IGMP proxy configuration
Figure 108 A schematic diagram of IGMP proxy (Exterior network; Switch A 33.33.33.1 with Vlan-interface 11 and Vlan-interface 100 at 33.33.33.2; Leaf network; Switch B 22.22.22.1 with Vlan-interface 200 and an attached Host; general group/group-specific query messages and IGMP join/leave messages exchanged between the switches)
Figure 108 illustrates how IGMP proxy works.
■ Switch A processes the IGMP message it receives from Switch B through the VLAN 100 interface just as if the message had been sent by a host directly connected to the VLAN 100 interface.
IGMP Configuration
■ Enabling Multicast
■ Configuring the IGMP version
■ Configuring the IGMP query message interval
■ Configuring the IGMP querier present timer
■ Configuring the maximum query response time
■ Configuring the limit of IGMP groups on an interface
■ Adding a router to the specified multicast group
Table 434 Enable the compatibility control function of the switch
Operation: Command
Enable the compatibility control function of the switch: igmp-report enhance enable
By default, the compatibility control function of the switch is disabled. This command is usually executed after the IGMP or IGMP Snooping protocol is enabled in the system.
Configuring the IGMP Version
Perform the following configuration in VLAN interface view.
■ When other hosts receive the message from the IGMP querier and are interested in this group, they return an IGMP Membership Report message within the defined maximum response time.
■ If the IGMP querier receives report messages from other hosts within a period equal to robust-value × seconds, it continues membership maintenance for this group.
Table 439 Configure the present time of the IGMP querier
Operation: Command
Change the present time of the IGMP querier: igmp timer other-querier-present seconds
Restore the default value: undo igmp timer other-querier-present
By default, the value is twice the IGMP query message interval, namely 120 seconds.
Configuring Maximum Response Time for IGMP Query Message
When a host receives a query message, it sets a timer for each multicast group it belongs to.
Configuring a Router to Join a Specified Multicast Group
Usually, a host running IGMP responds to the IGMP query packets of the multicast router. If no response arrives, the multicast router considers that there is no multicast member on this network segment and cancels the corresponding path. Configuring one interface of the router as a multicast member avoids this problem.
packets and the ACL rule bound to the VLAN, the switch determines whether to discard the packets or let them pass. By setting the multicast group filtering rule in the VLAN, you can control access to IP multicast groups. Only one ACL rule can be configured for each VLAN; a newly configured rule replaces the old one. Perform the following configuration in VLAN view.
CAUTION:
■ Fast leave configured in system view and in Ethernet port view operate separately.
■ The configuration made in system view is effective for the ports within all the specified VLANs, while the configuration in port view is effective for the port within the specified VLANs (for example, when a trunk port belongs to multiple VLANs).
IGMP Configuration Example
Network diagram
Figure 109 Network diagram for IGMP proxy configuration (same topology as Figure 108: Exterior network; Switch A 33.33.33.1 with Vlan-interface 11 and Vlan-interface 100 at 33.33.33.2; Leaf network; Switch B 22.22.22.1 with Vlan-interface 200 and an attached Receiver)
Configuration steps
1 Configure Switch B.
# Enable multicast.
# Enable multicast.
system-view
System View: return to User View with Ctrl+Z.
[SwitchA] multicast routing-enable
# Enable IGMP and PIM-DM for the VLAN 100 interface.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface 100] igmp enable
[SwitchA-Vlan-interface 100] pim dm
# Configure Vlan-interface 100 so that it will not use the IP address 33.33.33.
43 PIM-DM CONFIGURATION
PIM-DM Overview
Introduction to PIM-DM
PIM-DM Working Principle
PIM-DM (Protocol Independent Multicast, Dense Mode) belongs to the dense mode multicast routing protocols. PIM-DM is suitable for small networks, in which members of multicast groups are relatively dense. The working procedures of PIM-DM include neighbor discovery, flood & prune, and graft.
forwarding. The unicast routing information used for path judgment can come from any unicast routing protocol, such as routes learned by RIP or OSPF, independent of any specific unicast routing protocol.
Assert mechanism
As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S.
PIM-DM Configuration
■ Configuring the maximum number of PIM neighbors on an interface
■ Clearing PIM neighbors
Enabling Multicast
Refer to “Enabling Multicast Routing”.
Enabling PIM-DM
PIM-DM needs to be enabled on all interfaces. After PIM-DM is enabled on an interface, the interface sends PIM Hello messages periodically and processes protocol packets sent by PIM neighbors. Perform the following configuration in VLAN interface view.
Perform the following configuration in system view.
Table 449 Entering PIM view
Operation: Command
Enter PIM view: pim
Clear the configuration performed in PIM view and return to system view: undo pim
Using the undo pim command, you can clear the configuration performed in PIM view and return to system view.
Configuring the Filtering of Multicast Source/Group
You can use this command to filter the source (and group) addresses of multicast data packets.
Table 452 Configure the maximum number of PIM neighbors on an interface
Operation: Command
Configure the maximum number of PIM neighbors on an interface: pim neighbor-limit limit
Restore the limit of PIM neighbors to the default value: undo pim neighbor-limit
By default, the number of PIM neighbors on an interface is limited to 128.
Table 455 Display and debug PIM-DM
Operation: Command
Enable PIM debugging: debugging pim common { all | event | packet | timer }
Disable PIM debugging: undo debugging pim common { all | event | packet | timer }
Enable PIM-DM debugging: debugging pim dm { alert | all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }
Disable PIM-DM debugging: undo debugging pim dm { al
PIM-DM Configuration Example
[SW8800] interface vlan-interface 10
[3Com-vlan-interface10] ip address 1.1.1.1 255.255.0.0
[3Com-vlan-interface10] pim dm
[3Com-vlan-interface10] quit
[SW8800] interface vlan-interface 11
[3Com-vlan-interface11] ip address 2.2.2.2 255.255.0.0
[3Com-vlan-interface11] pim dm
[3Com-vlan-interface11] quit
[SW8800] interface vlan-interface 12
[3Com-vlan-interface12] ip address 3.3.3.3 255.255.0.
44 PIM-SM CONFIGURATION
PIM-SM Overview
Introduction to PIM-SM
PIM-SM (Protocol Independent Multicast, Sparse Mode) belongs to the sparse mode multicast routing protocols. PIM-SM is mainly applicable to large-scale networks with broad scope, in which group members are relatively sparse. Unlike the flood & prune principle of the dense mode, PIM-SM assumes that no host needs to receive multicast packets unless it explicitly requests them.
sent to the leaf routers along the path built and then reach the hosts. In this way, an RP-rooted tree (RPT) is built, as shown in Figure 8-1.
network robustness and enhances the operation and management capability of the multicast network.
PIM-SM Configuration
Entering the PIM View
Refer to “Entering the PIM View”.
Configuring the Time Intervals for Ports to Send Hello Packets
In general, PIM-SM broadcasts Hello packets periodically on PIM-SM-enabled ports to detect PIM neighbors and determine the designated router (DR). For details, refer to “Configuring the Time Intervals for Ports to Send Hello Packets”.
Table 458 Configure candidate-RPs
Operation: Command
Configure a candidate-RP: c-rp interface-type interface-number [ group-policy acl-number | priority priority-value ]*
Remove the configured candidate-RP: undo c-rp { interface-type interface-number | all }
When configuring an RP, if the range of served multicast groups is not specified, the RP serves all multicast groups. Otherwise, it serves only the multicast groups in the specified range.
Configuring the filtering of multicast source/group
Refer to “Configuring the Filtering of Multicast Source/Group”.
Configuring the filtering of PIM neighbor
Refer to “Configuring the Filtering of PIM Neighbor”.
Refer to “Configuring the Maximum Number of PIM Neighbor on an Interface”.
Table 463 Limit the range of legal C-RPs
Operation: Command
Set the legal C-RP range: crp-policy acl-number
Restore the default setting: undo crp-policy
For detailed information on crp-policy, refer to the 3Com Switch 8800 Family Series Routing Switches Command Manual.
Clearing multicast route entries from the PIM routing table
Refer to “Clearing PIM Routing Table Entries”.
Clearing PIM Neighbors
Displaying and Debugging PIM-SM
Network diagram
Figure 113 Network diagram for PIM-SM configuration (HostA, HostB; LSA, LSB, LSC and LSD interconnected through VLAN 10, VLAN 11 and VLAN 12)
Configuration procedure
Configure LSA
# Enable PIM-SM.
system-view
System View: return to User View with Ctrl+Z.
[SW8800] multicast routing-enable
[SW8800] vlan 10
[3Com-vlan10] port ethernet 2/1/2 to ethernet 2/1/3
[3Com-vlan10] quit
[SW8800] interface vlan-interface 10
[3Com-vlan-interface10] igmp enable
[3Com-vlan-interface10] pim sm
[3Com-vlan-interface10] quit
[SW8800] vlan 11
[3Com-vlan11] port ethernet 2/1/4 to ethernet 2/1/5
[3Com-vlan11] quit
[SW8800] interface vlan-interface 11
[3Com-vlan-interface11] igmp enable
[3Com-vlan-interface11] pim sm
[3Com-vlan-interface11] quit
[
[3Com-vlan11] quit
[SW8800] interface vlan-interface 11
[3Com-vlan-interface11] igmp enable
[3Com-vlan-interface11] pim sm
[3Com-vlan-interface11] quit
[SW8800] vlan 12
[3Com-vlan12] port ethernet 2/1/6 to ethernet 2/1/7
[3Com-vlan12] quit
[SW8800] interface vlan-interface 12
[3Com-vlan-interface12] igmp enable
[3Com-vlan-interface12] pim sm
[3Com-vlan-interface12] quit
Note: You should enable PIM-SM on all equal-cost routes, if there are any.
45 MSDP CONFIGURATION
MSDP Overview
Introduction
No ISP would like to forward multicast traffic depending on the RP of a competitor, though it has to obtain information from the source and distribute it among its members, regardless of the location of the multicast source's RP. MSDP is proposed to solve this problem. Multicast Source Discovery Protocol (MSDP) describes an interconnection mechanism for multiple PIM-SM domains. It is used to discover multicast source information in other PIM-SM domains.
Working Principle
Identifying the multicast source and receiving multicast data
As shown in Figure 114, the RPs of PIM-SM domains 1, 2 and 3 establish peer relationships between them. Domain 3 contains a group member.
Message forwarding and RPF check between MSDP peers
As shown in Figure 115 “MSDP working principles (II)”, Switch A, Switch B, Switch C, Switch D, Switch E and Switch F belong to domain 1, domain 2 and domain 3 respectively. MSDP peer relationships are established between them, indicated by bi-directional arrows in the figure. Among them, a Mesh Group is created among Switch B, Switch C and Switch D.
If the SA message is sent from an MSDP peer in a different domain which is the next autonomous domain along the optimal path to the RP in the source domain, as from Switch D to Switch F, it is accepted and forwarded to other peers. Other SA messages are neither accepted nor forwarded.
Precautions for configuration
A router running MSDP must also run BGP or MBGP.
Table 466 Configure MSDP peers
Operation: Command
Configure an MSDP peer: peer peer-address connect-interface interface-type interface-number
Remove the MSDP peer configuration: undo peer peer-address
Add a description to an MSDP peer: peer peer-address description text
Remove the description: undo peer peer-address description text
The command to add a description is optional.
Configuring Originating RP
When creating SA messages, an MSDP peer can be configured to use the IP address of a specified interface as the RP address in its SA messages. Perform the following configurations in MSDP view.
Perform the following configurations in MSDP view.
Table 471 Request source information of MSDP peers
Operation: Command
Configure the router to send an SA request message to the specified MSDP peer when receiving the join message of a group: peer peer-address request-sa-enable
Restore the default configuration: undo peer peer-address request-sa-enable
The SA request message sent by a local RP gets an immediate response about all active sources.
Multicast group addresses are described in an ACL. If no ACL is specified, all SA request messages sent by the corresponding MSDP peer are ignored. If an ACL is specified, only SA request messages for the groups permitted by the ACL are processed.
Controlling the Source Information Forwarded
Besides the creation of source information, controlling source information also covers the forwarding and receiving of source information.
Controlling the Received Source Information
Perform the following configurations in MSDP view.
Table 479 Shut MSDP peers down
Operation: Command
Shut a specified MSDP peer down: shutdown peer-address
Bring the MSDP peer up: undo shutdown peer-address
By default, an MSDP peer is enabled.
Clearing MSDP Connections, Statistics and SA Caching Configuration
Perform the following configurations in user view.
Locating information loss and reducing configuration faults can be achieved by tracing the network path of the specified (S, G, RP) entries. After the transmission path of SA messages is determined, overflow of SA messages can be avoided by correct configuration.
MSDP Configuration Examples
system-view
System View: return to User View with Ctrl+Z.
[SwitchD] ip ip-prefix list-a permit 10.10.0.0 16
[SwitchD] msdp
[SwitchD-msdp] peer 10.10.1.1 connect-interface Vlan-interface 10
[SwitchD-msdp] static-rpf-peer 10.10.1.1 rp-policy list-a
[SwitchD-msdp] quit
# Configure Switch B to be a static RPF peer of Switch D.
[SwitchD] ip ip-prefix list-b permit 10.21.0.0 16
[SwitchD] msdp
[SwitchD-msdp] peer 10.21.1.
Network diagram
Figure 117 Network diagram for Anycast RP configuration (one PIM-SM domain with SRC A, SRC B, SwitchA, SwitchB, SwitchD and SwitchE; SwitchB: Loopback0 10.10.1.1, Loopback10 10.1.1.1, Vlan-interface10 10.10.2.1/24 on E1/1/2, Vlan-interface20 10.10.3.1/24 on E1/1/3; SwitchA: Loopback0 10.21.1.1, Loopback10 10.1.1.1, Vlan-interface10 10.21.3.1/24 on E1/1/2, Vlan-interface20 10.21.2. on E1/1/3; Loopback10 carries the Anycast RP address 10.1.1.1; Loopback0 is the MSDP peer address and Originating-RP)
CHAPTER 45: MSDP CONFIGURATION [SwitchB-LoopBack10] pim sm [SwitchB-LoopBack10] quit # Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. [SwitchB] interface Vlan-interface10 [SwitchB-Vlan-interface10] ip address 10.10.2.1 255.255.255.0 [SwitchB-Vlan-interface10] igmp enable [SwitchB-Vlan-interface10] pim sm [SwitchB-Vlan-interface10] undo shutdown [SwitchB-Vlan-interface10] quit # Configure the IP address of Vlan-interface20 and enable IGMP and PIM-SM.
MSDP Configuration Examples 487 [SwitchA-vlan20] port ethernet1/1/3 [SwitchA-vlan20] quit # Enable multicast. [SwitchA] multicast routing-enable # Configure the IP address of interface loopback0. [SwitchA] interface loopback0 [SwitchA-LoopBack0] ip address 10.21.1.1 255.255.255.255 [SwitchA-LoopBack0] quit # Configure the IP address of interface loopback10 and enable IGMP and PIM-SM. [SwitchA] interface loopback10 [SwitchA-LoopBack10] ip address 10.1.1.1 255.255.255.
CHAPTER 45: MSDP CONFIGURATION [SwitchA-msdp] originating-rp loopback0 [SwitchA-msdp] quit # Configure C-RP and BSR. [SwitchA] pim [SwitchA-pim] c-rp loopback 10 [SwitchA-pim] c-bsr loopback 10 30 MSDP Integrated Networking Network requirement In the following network, enable MSDP and configure an Anycast RP in PIM-SM domain 1; establish MSDP peer relationship among RPs across PIM-SM domains; and use MBGP between domains. For the related commands, refer to 9.
MSDP Configuration Examples 489 system-view System View: return to User View with Ctrl+Z. [SwitchA] vlan 10 [SwitchA-vlan10] port ethernet1/1/2 [SwitchA-vlan10] quit [SwitchA] vlan 30 [SwitchA-vlan30] port ethernet1/1/3 [SwitchA-vlan30] quit # Enable multicast. [SwitchA] multicast routing-enable # Configure the IP address of interface loopback0 and enable PIM-SM. [SwitchA] interface [SwitchA-LoopBack0] [SwitchA-LoopBack0] [SwitchA-LoopBack0] loopback0 ip address 10.25.1.1 255.255.255.
CHAPTER 45: MSDP CONFIGURATION [SwitchA] bgp 100 [SwitchA-bgp] undo synchronization [SwitchA-bgp] group in internal [SwitchA-bgp] peer 10.26.1.2 group in [SwitchA-bgp] peer 10.27.1.2 group in [SwitchA-bgp] peer in connect-interface loopback0 [SwitchA-bgp] ipv4-family multicast [SwitchA-bgp-af-mul] peer in enable [SwitchA-bgp-af-mul] peer 10.26.1.2 group in [SwitchA-bgp-af-mul] peer 10.27.1.
MSDP Configuration Examples [SwitchE] interface [SwitchE-LoopBack0] [SwitchE-LoopBack0] [SwitchE-LoopBack0] 491 loopback0 ip address 10.26.1.2 255.255.255.255 pim sm quit # Configure the IP address of interface lookback10 and enable PIM-SM. [SwitchE] interface loopback10 [SwitchE-LoopBack10] ip address 10.1.1.1 255.255.255.255 [SwitchE-LoopBack10] pim sm [SwitchE-LoopBack10] quit # Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM.
CHAPTER 45: MSDP CONFIGURATION [SwitchE-bgp] ipv4-family [SwitchE-bgp-af-mul] peer [SwitchE-bgp-af-mul] peer [SwitchE-bgp-af-mul] peer [SwitchE-bgp-af-mul] quit [SwitchE-bgp] quit multicast ex enable 10.29.1.1 group ex ex next-hop-local # Configure MSDP peer, Mess Group and Originating RP. [SwitchE] msdp [SwitchE-msdp] peer 10.29.1.1 connect-interface loopback 0 [SwitchE-msdp] static-rpf-peer 10.29.1.1 [SwitchE-msdp] peer 10.25.1.1 connect-interface loopback 0 [SwitchE-msdp] peer 10.27.1.
46 MBGP MULTICAST EXTENSION CONFIGURATION
MBGP Multicast Extension Overview
Introduction
At present, the most widely used inter-domain unicast routing protocol is BGP-4. Because the multicast topology may differ from the unicast topology, BGP-4 must be modified in order to carry inter-domain multicast routing information. Some routers in the network may support only unicast rather than multicast, or may not forward multicast packets because policy requires that.
■ Send the routing information of a new reachable protocol.
■ Send the next hop information about the new protocol with the same coding mode as that of NLRI.
■ Enable the router to report part or all of the SNPAs (Sub-network Points of Attachment) saved in the local system.
MBGP Multicast Extension Configuration
■ Enable MBGP multicast extension protocol
■ Configure MBGP timer
■ Configure MBGP peer (group)
■ Configure MBGP route aggregation
■ Configure an MBGP route reflector
■ Configure the MBGP community attributes
■ Configure the interaction between MBGP and IGP
■ Define AS path list and routing policy
■ Configure MBGP route filtering
■ Reset BGP connections
Only configuration tasks in IPv4 multicast sub-address family view are detailed below.
Configuring the MED Value for an AS
The MED configured in BGP view is valid for both unicast and multicast. For the details of this configuration, refer to "BGP Configuration" of the Routing Protocol part.
Comparing MED Values from Different AS Neighbor Paths
Do not use this configuration unless you are sure that the different ASs adopt the same IGP and route selection method. The configuration in BGP view works for both unicast and multicast.
Enabling a peer (group)
Please perform the following configurations in IPv4 multicast sub-address family view.
Table 485 Enable a peer (group)
Operation                           Command
Enable the specified peer (group)   peer group-name enable
Disable the specified peer (group)  undo peer group-name enable
Adding an MBGP peer to the group
Please perform the following configurations in IPv4 multicast sub-address family view.
Configuring the local address as the next hop when advertising routes
This removes the next hop carried in the routing information advertised to a peer (group) and sets the local address as the next hop address. It is valid only for IBGP peers/peer groups. Please perform the following configurations in IPv4 multicast sub-address family view.
Table 492 Configuring the AS-path-list-based route filtering policy for a peer (group)
Operation                                        Command
Configure filtering policy for incoming packets  peer { group-name | peer-address } as-path-acl acl-number import
Remove incoming policy configuration             undo peer { group-name | peer-address } as-path-acl acl-number import
Configure routing policy for outgoing packets    peer { group-name | peer-address } as-path-acl acl-number export
Remove outgoing policy
multicast networks are very large, and it costs a good sum to establish a fully meshed network. The route reflector solves this problem. The core idea is to designate one router as the focus of the internal sessions. Multiple MBGP multicast routers can be peers of one central point, the route reflector, which in turn establishes peer relationships with other reflectors. The route reflector is the focus of the other routers.
For the detailed configuration of AS regular expressions, refer to "BGP Configuration" of the Routing Protocol part. For other configurations, refer to "IP Routing Policy Configuration" of the Routing Protocol part.
Configuring MBGP Route Filtering
The route filtering configuration of MBGP is the same as that of unicast BGP. For details, refer to "BGP Configuration" of the Routing Protocol part.
MBGP Multicast Extension Configuration Example
Network diagram
Figure 119 Network diagram for MBGP path selection configuration
Configuration procedure
Configure Switch A:
system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 20
[SwitchA-vlan20] port ethernet1/1/2
[SwitchA-vlan20] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] ip address 192.1.1.1 255.255.255.
[SwitchA-bgp-af-mul] peer a1 enable
[SwitchA-bgp-af-mul] peer a2 enable
# Configure the MED attribute of Switch A.
■ Add an ACL on Switch A to permit network 1.0.0.0/8.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any
■ Define two routing policies, set_med_50 and set_med_100, providing two MED values for network 1.0.0.0 (50 and 100 respectively).
[SwitchB-bgp] ipv4-family multicast
[SwitchB-bgp-af-mul] peer b1 enable
[SwitchB-bgp-af-mul] peer b2 enable
Configure Switch C:
system-view
System View: return to User View with Ctrl+Z.
[SwitchC] vlan 30
[SwitchC-vlan30] port ethernet3/1/3
[SwitchC-vlan30] quit
[SwitchC] interface vlan-interface 30
[SwitchC-Vlan-interface30] ip address
[SwitchC-Vlan-interface30] quit
[SwitchC] vlan 50
[SwitchC-vlan50] port ethernet3/1/5
[SwitchC-vlan50] quit
[Switc
[SwitchC] bgp 200
[SwitchC-bgp] ipv4-family multicast
[SwitchC-bgp-af-mul] peer 193.1.1.
47 MPLS ARCHITECTURE
Note: The 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as the Switch 8800 Family series) running MPLS can serve as routers. Routers mentioned in this manual can be either routers in the common sense or layer 3 Ethernet switches running MPLS.
MPLS (Multiprotocol Label Switching) encapsulates network layer packets with short, fixed-length labels. As the name implies, it supports multiple protocols, such as IP, IPv6, and IPX.
different FECs; based on their FECs, different labels are encapsulated into the packets, and subsequent forwarding is based on these labels.
Label structure
The structure of the label is shown in Figure 120.
Figure 120 Label structure (fields, left to right: Label, Exp, S, TTL)
The label is located between the link layer header and the network layer packet and is four bytes long. A label contains four fields:
Label: label value, 20 bits.
Exp: three bits, reserved, used for CoS.
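As an added example, not code from the 3Com manual, the following Python encodes and decodes the four-byte label described above (20-bit Label, 3-bit Exp, 1-bit S marking the bottom of the stack, 8-bit TTL) and walks a label stack sitting between an Ethernet header and the layer 3 data. The sample frame is constructed here, and the EtherType 0x8847 for MPLS unicast is taken from the standard, not from the page.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

LABEL_LEN = 4                    # each label entry is four bytes
ETHERTYPE_MPLS_UNICAST = 0x8847  # standard EtherType for MPLS unicast (assumption, not on the page)
ETHERNET_HEADER_LEN = 14


@dataclass(frozen=True)
class MplsLabel:
    label: int   # 20-bit label value
    exp: int     # 3 bits, reserved / CoS
    s: int       # 1 bit, set only on the bottom label of the stack
    ttl: int     # 8-bit time to live

    def pack(self) -> bytes:
        """Encode the four fields into one big-endian 32-bit word, validating each width."""
        for name, value, bits in (("label", self.label, 20), ("exp", self.exp, 3),
                                  ("s", self.s, 1), ("ttl", self.ttl, 8)):
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name}={value} does not fit in {bits} bits")
        word = (self.label << 12) | (self.exp << 9) | (self.s << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, data: bytes, offset: int = 0) -> "MplsLabel":
        (word,) = struct.unpack_from("!I", data, offset)
        return cls(label=word >> 12, exp=(word >> 9) & 0x7,
                   s=(word >> 8) & 0x1, ttl=word & 0xFF)


def parse_label_stack(data: bytes) -> Tuple[List[MplsLabel], bytes]:
    """Walk label entries from the top of the stack until the S bit marks the
    bottom; return the labels (top first) and the remaining layer 3 data."""
    labels: List[MplsLabel] = []
    offset = 0
    while True:
        if len(data) - offset < LABEL_LEN:
            # Ran out of bytes before seeing a bottom-of-stack bit: malformed stack.
            raise ValueError("truncated label stack")
        entry = MplsLabel.unpack(data, offset)
        labels.append(entry)
        offset += LABEL_LEN
        if entry.s:
            return labels, data[offset:]


def build_label_stack(labels: List[MplsLabel]) -> bytes:
    """Serialise a stack top-first, forcing S=0 on all but the last label and S=1 on the last."""
    if not labels:
        raise ValueError("empty label stack")
    out = bytearray()
    for i, entry in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        out += MplsLabel(entry.label, entry.exp, bottom, entry.ttl).pack()
    return bytes(out)


def parse_ethernet_mpls_frame(frame: bytes) -> Tuple[List[MplsLabel], bytes]:
    """Strip the Ethernet header, check the EtherType, then parse the shim label stack."""
    if len(frame) < ETHERNET_HEADER_LEN:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"not an MPLS unicast frame (EtherType 0x{ethertype:04x})")
    return parse_label_stack(frame[ETHERNET_HEADER_LEN:])


# Constructed sample: an LSP label on top, a second label at the bottom of the
# stack, followed by the first bytes of an IPv4 header.
SAMPLE_STACK = [MplsLabel(label=1000, exp=0, s=0, ttl=64),
                MplsLabel(label=16, exp=5, s=1, ttl=63)]
SAMPLE_L3 = bytes.fromhex("4500001c0001")  # truncated IPv4 header, constructed
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
                + build_label_stack(SAMPLE_STACK) + SAMPLE_L3)


if __name__ == "__main__":
    labels, payload = parse_ethernet_mpls_frame(SAMPLE_FRAME)
    for depth, entry in enumerate(labels):
        print(f"depth {depth}: label={entry.label} exp={entry.exp} s={entry.s} ttl={entry.ttl}")
    print("layer 3 data:", payload.hex())
```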
MPLS Basic Concepts
Figure 121 Label position in packet (diagram residue removed; the figure shows, for Ethernet/PPP frames, frame mode ATM packets and cell mode ATM packets, the label sitting between the layer 2 header (Ethernet/PPP header, or ATM header with VPI/VCI) and the layer 3 data)
In Ethernet packets and PPP packets, the label stack lies between the layer 2 header and the layer 3 data, acting like a shim.
Note: Currently, the Switch 8800 Family series adopts the ordered label control mode.
5 Label retention mode
There are two label retention modes: liberal label retention mode and conservative label retention mode. Suppose there are two LSRs, Ru and Rd. For a specific FEC, if LSR Ru has received the label binding from LSR Rd and saves this binding even though Rd is not the next hop of Ru, this is liberal label retention.
MPLS Architecture
Figure 122 MPLS basic principle (diagram residue removed; the figure shows an LSP from Ingress to Egress across MPLS core routers (LSRs) and MPLS edge routers (LERs))
Forwarding Labeled Packets
At the ingress, the packets entering the network are classified into FECs according to their characteristics. Usually, packets are classified into FECs according to the IP address prefix or host address. Packets in the same FEC pass through the same path (that is, the LSP) in the MPLS area.
Figure 123 Label distribution process (diagram residue removed; the figure shows LSP1 and LSP2 from Ingress to Egress across routers A to H, with label request messages, label map messages and LDP sessions between neighbouring LSRs and LERs)
For the label distribution mentioned previously, there are two modes: DoD and DU. The main difference between these two modes is whether label mapping messages are distributed actively or passively.
The path vector method means that path information is recorded in the message carrying the label binding, and at every hop the corresponding router checks whether its ID is contained in this record. If not, the router adds its ID to the record; if it is, a loop exists and the process of establishing the LSP is terminated.
LSP Tunnel and Hierarchy
LSP tunnel
MPLS supports LSP tunnel technology.
MPLS and Other Protocols (Routing Protocols)
When LDP establishes an LSP in hop-by-hop mode, the next hop is determined from the information in each LSR's route forwarding table along the way, which is usually collected by routing protocols such as IGPs and BGP. However, LDP uses the routing information only indirectly, rather than interacting with the various routing protocols directly.
48 MPLS BASIC CAPABILITY CONFIGURATION
MPLS Basic Capability Overview
Basic MPLS forwarding functions include LDP session establishment and LSP path maintenance. The typical configuration procedure for enabling basic MPLS functions on a routing switch is as follows:
1 Configure LSR ID
2 Enable MPLS
3 Enable LDP
4 Enter VLAN interface view and enable MPLS and LDP on the interface
Then the routing switch can provide MPLS forwarding and LDP signaling functions.
Table 497 Define MPLS LSR ID
Operation      Command
Define LSR ID  mpls lsr-id ip-address
Delete LSR ID  undo mpls lsr-id
By default, no LSR ID is defined.
Enabling MPLS and Entering MPLS View
In system view, the mpls command enables MPLS globally and enters MPLS view; once MPLS is enabled, the mpls command in system view enters MPLS view directly. Use the mpls command in VLAN interface view to enable MPLS on that VLAN interface.
LDP Configuration
Table 501 Configure the advertisement of local distribution labels
Operation                                                                    Command
Cancel the configuration of the advertisement of local distribution labels   undo mpls ldp label-advertise { fec-ip-prefix | all }
By default, the labels of all destination addresses are advertised to all LDP peers.
Configuring Static LSP
You can manually set an LSR to be a node along an LSP, and place a limit on the traffic over the LSP.
Table 503 Enable/disable LDP view
Operation            Command
Enable LDP protocol  mpls ldp
Disable LDP          undo mpls ldp
By default, LDP is disabled.
Enabling LDP on a VLAN interface
To make a VLAN interface support LDP, you must enable the LDP function on the interface in VLAN interface view. After LDP is enabled, the interface sets up sessions, and begins to set up LSPs if in topology-driven mode.
remoteip: the IP address of the remote peer. It should be the LSR ID of the peer LSR.
Configuring session parameters
Configuring session hold-time
The LDP entity on the interface sends Hello packets periodically to discover LDP peers, and established sessions must also be kept alive by periodic messages (if there is no other LDP message, a Keepalive message must be sent).
Note: There are two types of LDP sessions: Basic and Remote.
Table 509 Configure Hello transport-address
Operation                                      Command
Return to the default Hello transport-address  undo mpls ldp transport-ip
The transport address defaults to the MPLS LSR ID of the current LSR. If there are multiple links connecting two neighboring LSRs, all the LDP-enabled interfaces on the links connecting the LSR and its neighbor must have the same transport address.
The maximum hop count of loop detection is 32 by default.
Setting the maximum hop count in path vector mode
When path vector mode is adopted for loop detection, it is also necessary to specify the maximum length of the LSP path. When one of the following conditions is met, a loop is considered to exist and the LSP establishment fails.
■ The record of this LSR already exists in the path vector recording table.
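As an added example, not from the 3Com manual, the following Python models the path vector loop detection described in the MPLS architecture chapter together with the maximum hop count above: an LSR receiving a label mapping aborts LSP establishment when its own ID already appears in the path vector, or when recording itself would push the path past the maximum hop count (32 by default, as on the page). The LSR IDs and the LabelMapping message shape are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

DEFAULT_MAX_HOPS = 32  # default maximum hop count for loop detection (from the page)


class LoopDetected(Exception):
    """Raised when LSP establishment must be aborted because a loop was found."""


@dataclass(frozen=True)
class LabelMapping:
    """Constructed model of a label mapping message carrying a path vector and hop count."""
    fec: str                           # e.g. a destination prefix
    label: int
    path_vector: Tuple[str, ...] = ()  # LSR IDs recorded hop by hop (downstream first)
    hop_count: int = 0


def receive_mapping(lsr_id: str, msg: LabelMapping,
                    max_hops: int = DEFAULT_MAX_HOPS) -> LabelMapping:
    """Apply the loop checks at one LSR and return the message to pass upstream."""
    # Condition 1: this LSR's record already exists in the path vector: a loop.
    if lsr_id in msg.path_vector:
        raise LoopDetected(f"{lsr_id} already in path vector {msg.path_vector} for FEC {msg.fec}")
    # Condition 2: recording this hop would exceed the configured maximum hop count.
    if msg.hop_count + 1 > max_hops:
        raise LoopDetected(f"path for FEC {msg.fec} exceeds {max_hops} hops at {lsr_id}")
    return replace(msg, path_vector=msg.path_vector + (lsr_id,), hop_count=msg.hop_count + 1)


def propagate(route: List[str], fec: str, label: int,
              max_hops: int = DEFAULT_MAX_HOPS) -> Tuple[bool, Tuple[str, ...], str]:
    """Simulate the mapping travelling from the egress LSR (route[0]) toward the
    ingress. Returns (established, path vector at the end, reason)."""
    msg = LabelMapping(fec=fec, label=label)
    try:
        for lsr in route:
            msg = receive_mapping(lsr, msg, max_hops)
    except LoopDetected as err:
        return False, msg.path_vector, str(err)
    return True, msg.path_vector, "LSP established"


# Constructed sample routes: LSR IDs are hypothetical loopback addresses.
LOOP_FREE = ["10.0.0.4", "10.0.0.3", "10.0.0.2", "10.0.0.1"]
LOOPED = ["10.0.0.4", "10.0.0.3", "10.0.0.2", "10.0.0.3", "10.0.0.1"]  # revisits 10.0.0.3
TOO_LONG = [f"10.1.0.{i}" for i in range(1, DEFAULT_MAX_HOPS + 2)]     # 33 distinct LSRs

if __name__ == "__main__":
    for name, route in (("loop-free", LOOP_FREE), ("looped", LOOPED), ("too long", TOO_LONG)):
        ok, pv, reason = propagate(route, fec="192.168.10.0/24", label=1024)
        print(f"{name}: established={ok} hops={len(pv)} ({reason})")
```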
Table 515 Display statistics information of static LSP
Operation                                                                                       Command
Display the MPLS statistics information or LSP information of all ports or a single VLAN interface  display mpls statistics { interface { Vlan-interface | all } | lsp { lsp-Index | all | lsp-name } }
Displaying MPLS-enabled interfaces
After accomplishing the configuration tasks mentioned previously, you can execute the display command in any view to view the information related
Table 519 Enable the trap function of MPLS
Operation                              Command
Disable the LSP Trap function of MPLS  undo snmp-agent trap enable lsp
Displaying and Debugging LDP
LDP display commands
Comware provides abundant MPLS monitoring commands for monitoring the states of LSRs, LDP sessions, interfaces and peers. These commands are powerful debugging and diagnostic tools.
Typical MPLS Configuration Example
The four switches all support MPLS, and an LSP can be established between any two switches using the routing protocol OSPF. LDP establishes LSPs using the routing information of OSPF.
Network diagram
Figure 126 Network diagram (diagram residue removed; the figure shows Switch A, Switch B and Switch D with interfaces VLAN201 168.1.1.1 and 168.1.1.2, VLAN202 100.10.1.2 and VLAN203 172.17.1.1 and 172.17.1.2)
[SW8800] mpls lsr-id 172.17.1.1
[SW8800] mpls
[3Com-mpls] quit
[SW8800] mpls ldp
# Configure IP address and enable MPLS and LDP for VLAN interface 201.
[SW8800] vlan 201
[3Com-vlan201] port gigabitethernet 2/1/1
[3Com-vlan201] quit
[SW8800] interface vlan-interface 201
[3Com-Vlan-interface201] ip address 168.1.1.2 255.255.0.
# Configure IP address and enable LDP and MPLS for VLAN interface 202.
[SW8800] vlan 202
[3Com-vlan202] port gigabitethernet 2/1/1
[3Com-vlan202] quit
[SW8800] interface Vlan-interface 202
[3Com-Vlan-interface202] ip address 100.10.1.1 255.255.255.0
[3Com-Vlan-interface202] mpls
[3Com-Vlan-interface202] mpls ldp enable
[3Com-Vlan-interface202] quit
# Enable OSPF on the interface connecting Switch C with Switch B.
[SW8800] Router id 100.10.1.
Troubleshooting MPLS Configuration
Solution: The default address for session transport is the MPLS LSR ID. The local device should advertise the route to its LSR ID (often the Loopback address) and learn the route to the peer LSR ID.
49 BGP/MPLS VPN Overview BGP/MPLS VPN CONFIGURATION Traditional VPN, for which layer 2 tunneling protocols (L2TP, L2F and PPTP, and so on.) or layer 3 tunnel technology (IPSec, GRE and so on.) is adopted, is a great success and is therefore widely used. However, along with the increase of the size of VPNs , the deficiency of traditional VPN in such aspects as expansibility and manageability becomes more and more obvious.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION BGP/MPLS VPN Model BGP/MPLS VPN model Figure 127 MPLS VPN model site 1 VPN1 site 1 PE Backbone network of the service provider P CE CE P PE VPN 2 CE site 2 VPN2 site 3 PE P PE VPN1 site 2 CE CE As shown in Figure 127, MPLS VPN model contains three parts: CE, PE and P. ■ CE (Customer Edge) device: It is a composing part of the customer network, which is usually connected with the service provider directly through an interface.
BGP/MPLS VPN Overview 531 manage their internal VPN division, and the service provider can be saved from participating into users’ internal VPN management.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION VPN is just a private network, so it can use the same IP address to indicate different sites. But the IP address is supposed as unique when MP-BGP advertises CE routes between PE routers, so routing errors may occur for the different meaning in two systems. The solution is to switch IPv4 addresses to VPN-IPv4 address to generate globally unique addresses before advertising them, so PE routers is required to support MP-BGP.
BGP/MPLS VPN Overview 533 n The routes for other VPNs will not appear in the VPN’s routing table by using VPN Target attribute to filter routing information received at PE router, so the CE-transmitted data will only be forwarded within the VPN. BGP/MPLS VPN Implementation BGP/MPLS VPN works on this principle: It uses BGP to propagate VPN private routing information on carrier backbone network, and uses MPLS to forward VPN service traffic.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Exterior-layer label, known as LSP initialization label, distributed by MPLS LDP, is at the top of the label stack and indicates an LSP from the ingress PE to egress PE. By the switching of exterior-layer label, VPN packets can be forwarded along the LSP to the peer PE. Figure 130 illustrates the details: Figure 130 Forwarding VPN packets Layer1 1.1.1.2 CE1 Layer2 Layer2 1.1.1.2 1.1.1.2 PE1 1.1.1.1/24 CE2 PE2 P site1 1.1.1.2 P site2 1.1.1.
BGP/MPLS VPN Overview Hierarchical BGP/MPLS VPN Implementation 535 ■ Configuring basic MPLS capability on the MPLS backbone network. ■ Configuring MPLS LDP and setting up LDP LSP on the MPLS backbone network. ■ Configuring BGP on the MPLS backbone network (create IBGP peers between provider PEs). ■ Configuring basic MPLS capability on user-end network (including customer PEs).
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Figure 131 Hierarchical BGP/MPLS VPN MPLS backbone MPLS 偼ᑆ㔥 network PE Upper VPN PE SPE Lower VPN UPE UPE VPN1 Site1 CE Introduction to OSPF Multi-instance VPN2 Site1 CE VPN1 Site1 CE VPN2 Site1 CE As one of the most popular IGP routing protocols, OSPF is used as an internal routing protocol in many VPNs.
BGP/MPLS VPN Configuration 537 Figure 132 OSPF multi-instance application in MPLS/BGP VPN PE VPN GREEN 931 *5((1 Site2 6LWH OSPF Area2 263) $UHD VPN --RED RED VPN Site1 Site1 OSPF Area0 OSPF Area0 Area 0 OSPF 100 VPN - RED PE3 Area 2 OSPF 100 VPN-GREEN CE21 CE11 OSPF 200 VPN -GREEN Area 1 VPN GREEN 931 *5((1 Site1 6LWH OSPF Area1 263) $UHD CE31 Area 0 OSPF 100 VPN -RED MPLS VPN kbone MPLS VPNBac Backbone PE1 PE2 CE12 VPN 931 5(' RED Site2 6LWH OSPF Area1 263) $UHD OSPF 200 VPN -GREEN A
CHAPTER 49: BGP/MPLS VPN CONFIGURATION physical link with IP capabilities from PE to PE; advertise and update VPN network information. CE router The configuration on CE is relative simple. Only static route, RIP, OSPF or EBGP configuration is needed for VPN routing information exchange with the PE connected, MPLS configuration is not needed. PE router The configuration on PE is relative complex. After the configuration, the PE implements MPLS/BGP VPN core functions.
BGP/MPLS VPN Configuration 539 protocol in 3Com Switch 8800 Family Series Routing Switches Operation Manual Volume I. Configuring OSPF If you select OSPF mode for CE-PE route switching, you should then configure OSPF on CE. For configuring OSPF, see the routing protocol part in 3Com Switch 8800 Family Series Routing Switches Operation Manual Volume II. You must configure OSPF multi-instance to isolate services of different VPNs on CE router, which is now called Multi-VPN-Instance CE.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION By default, no VPN-instance is defined. 1 Configure RD for the vpn-instance After PE router is configured with RD, when a VPN route learned from CE is imported into BGP, BGP attaches the RD in front of the IPv4 address. Then the general IPv4 address which may overlaps between several VPN IPv4 addresses in the VPN is turned into a globally unique VPN IPv4 address and thus ensure the correct routing in the VPN.
BGP/MPLS VPN Configuration 541 The second one is related to IP address, in the form of 32-bit IP address (can be 0.0.0.0 here):16-bit user-defined number, for example, 172.1.1.1:1. Perform the following configuration in the VPN-instance view.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Table 530 Configure the vlan-id range of MPLS/VPN VLANs allowed Operation Command Configure the vlan-id range of MPLS/VPN VLANs allowed to pass Trunk fast Ethernet ports port trunk mpls vlan from vlan-id [ to ] vlanid Remove the configured vlan-id range of MPLS/VPN VLANs allowed to pass Trunk fast Ethernet ports undo port trunk mpls By default, the vlan-id range of MPLS/VPN VLANs is from 0 to 1023, and the default value of vlan-id is 0.
BGP/MPLS VPN Configuration 543 Table 532 Configure the MPLS/VPN VLAN vlan-id range for the interface c Operation Command Disable the 4K vpn-range for the interface undo port vpn-range share-mode enable CAUTION: ■ Ports supporting this function stop supporting the application of ACL rules. ■ Associate interface with VPN-instance VPN instance is associated with the direct-connect Site through interface binding.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION By default, the preference value for a static route is 60. You can also specify another preference for the static route you are configuring. 2 Configure RIP multi-instance If you select RIP mode for CE-PE route switching, you should then specify running environment for RIP instance on PE. With this command, you can enter RIP view and import and advertise RIP instance in the view. Perform the following configuration in the RIP view.
BGP/MPLS VPN Configuration 545 Perform the following configuration in the OSPF view. Table 537 Configure Domain ID Operation Command Configure Domain ID domain-id { id-number | id-addr } Return to the default value undo domain-id By default, id-number is 0 and id-addr is 0.0.0.0. It is recommended that all OSPF instances in a VPN are configured with either the same domain ID or the default value. c CAUTION: The configured value will not take effect unit the command reset ospf is executed.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Table 539 Configure Sham-link Operation Command Configure Sham-link sham-link source-addr destination-addr [ cost cost-value ] [ simple password | md5 keyid key ] [ dead seconds ] [ hello seconds ] [ retransimit seconds ] [ trans-delay seconds ] Delete a Sham-link undo sham-link source-addr destination-addr By default, the cost value is 1, dead value is 40 seconds, hello value is 10 seconds, retransmit value is 5 seconds and trans-delay value is 1 second.
BGP/MPLS VPN Configuration 547 Table 542 Activate/deactivate peer (group) Operation Command Activate the peer (group) peer group-name enable Deactivate the peer (group) undo peer group-name enable Step 4: Configure MBGP to import VPN route of direct-connect CE To advertise correct VPN route over public network to other PEs with which BGP adjacency has been created, a PE must import the VPN routing information of the direct-connect CE into its MBGP routing table.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Perform the following configuration in IPv4 instance sub-address family view. Table 545 Configure to allow/disable routing loop Operation Command Configure to allow routing loop peer { group-name | peer-address } allow-as-loop asn-limit Configure to disable routing loop undo peer { group-name | peer-address } allow-as-loop asn-limit By default, the received route update information is not allowed to generate loop information. Step 7: Configure BGP features.
BGP/MPLS VPN Configuration 549 2 Configure MP-IBGP Step 1: Enter protocol address family view. Perform the following configuration in BGP view. Table 547 Configure VPNv4 address family Operation Command Enter VPNv4 sub-address family view ipv4-family vpnv4 [ unicast ] Delete VPNv4 sub-address family view configuration undo ipv4-family vpnv4 [ unicast ] Step 2: Activate the peer (group). By default, BGP neighbor is active while MBGP neighbor is inactive.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION This command adds a default route which uses local address as the next hop on the PE SPE (system processing engine) Perform the following configuration in VPNv4 sub-address family view.
Displaying and Debugging BGP/MPLS VPN 551 Displaying IP routing table associated with VPN-instance After the above configuration, you can execute display command in any view to display the corresponding information in the IP routing tables related to VPN-instance, and to verify the effect of the configuration.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Typical BGP/MPLS VPN Configuration Example Integrated BGP/MPLS VPN Configuration Example n Network requirements ■ VPNA includes CE1 and CE3; VPNB includes CE2 and CE4. ■ Subscribers in different VPNs cannot access each other. The VPN-target attribute for VPNA is 111:1 and that for VPNB is 222:2. ■ The PEs and P are 3Com switches supporting MPLS, and CEs are common layer 3 switches.
Typical BGP/MPLS VPN Configuration Example 553 [CE1-vlan201] quit [CE1] interface Vlan-interface 201 [CE1-Vlan-interface201] ip address 168.1.1.1 255.255.0.0 [CE1-Vlan-interface201] quit [CE1] bgp 65410 [CE1-bgp] group 168 external [CE1-bgp] peer 168.1.1.2 group 168 as-number 100 [CE1-bgp] import-route direct [CE1-bgp] import-route static n The configuration on the other three CE switches (CE2 to CE4) is similar to that on CE1, the details are omitted here.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION [PE1] mpls lsr-id 202.100.1.1 [PE1] mpls [PE1-mpls] quit [PE1] mpls ldp [PE1] vlan 201 [PE1-vlan201] port gigabitethernet 2/1/1 [PE1-vlan201] quit [PE1] interface Vlan-interface 201 [PE1-Vlan-interface201] ip address 172.1.1.1 255.255.0.0 [PE1-Vlan-interface201] mpls [PE1-Vlan-interface201] mpls ldp enable [PE1-Vlan-interface201] quit # Enable OSPF on the interface connecting PE1 and P and on the Loopback interface, import direct-connect routes.
Typical BGP/MPLS VPN Configuration Example 555 [P-vlan302] port gigabitethernet 3/1/2 [P-vlan302] quit [P] interface Vlan-interface 302 [P-Vlan-interface302] ip address 172.2.1.2 255.255.0.0 [P-Vlan-interface302] mpls [P-Vlan-interface302] mpls ldp enable [P-Vlan-interface302] quit [P] vlan 303 [P-vlan303] port gigabitethernet 3/1/3 [P-vlan303] quit [P] interface Vlan-interface 303 [P-Vlan-interface303] ip address 172.3.1.2 255.255.0.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION [PE3-bgp-af-vpn-instance] peer 168.3.1.1 group 168 as-number 65430 [PE3-bgp-af-vpn-instance] quit [PE3-bgp] quit # Bind the interface connecting PE3 and CE3 to VPNA. [PE3] vlan 202 [PE3-vlan202] port gigabitethernet 2/1/2 [PE3-vlan202] quit [PE3] interface Vlan-interface 202 [PE3-Vlan-interface202] ip binding vpn-instance vpna [PE3-Vlan-interface202] ip address 168.3.1.2 255.255.0.
Typical BGP/MPLS VPN Configuration Example 557 [PE3-bgp-af-vpn] peer 202.100.1.1 group 202 [PE3-bgp-af-vpn] quit 5 Configure PE2 and PE4 The configuration of PE2 and PE4 is similar to that of PE1 and PE3. The details are omitted here. Extranet Configuration Example Network requirements Company A and Company B are located at City A and City B respectively. Their headquarters is located at City C. They respectively own VPN1 and VPN2. In this case, VPN function is provided by MPLS.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION Configuration procedure n This configuration procedure has omitted configurations between PE and P, and configurations on CEs. For these details refer to the former example. 1 Configure PE-A: # Configure VPN-instance 1 for VPN1 on PE-A, so that it can send and receive VPN routing information of VPN-target 111:1.
Typical BGP/MPLS VPN Configuration Example 559 [PE-A-bgp-af-vpn] peer 20 enable [PE-A-bgp-af-vpn] peer 20.1.1.1 group 20 [PE-A-bgp-af-vpn] quit 2 Configure PE-C. # Create a VPN-instance 2 on PE-C, so that it can send and receive VPN routing information of VPN-target 111:1 and 222:2.
CHAPTER 49: BGP/MPLS VPN CONFIGURATION [PE-C-bgp] peer 30.1.1.1 group 30 [PE-C-bgp] peer 30.1.1.1 connect-interface loopback 0 [PE-C-bgp] ipv4-family vpnv4 [PE-C-bgp-af-vpn] peer 10 enable [PE-C-bgp-af-vpn] peer 10.1.1.1 group 10 [PE-C-bgp-af-vpn] peer 30 enable [PE-C-bgp-af-vpn] peer 30.1.1.1 group 30 [PE-C-bgp-af-vpn] quit 3 Configure PE-B: # Create VPN-instance 3 for VPN2 on PE-B, so that it can send and receive VPN routing information of VPN-target 222:2.
Typical BGP/MPLS VPN Configuration Example 561 [PE-B] bgp 100 [PE-B-bgp] group 20 [PE-B-bgp] peer 20.1.1.1 group 20 [PE-B-bgp] peer 20.1.1.1 connect-interface loopback 0 [PE-B-bgp] ipv4-family vpnv4 [PE-B-bgp-af-vpn] peer 20 enable [PE-B-bgp-af-vpn] peer 20.1.1.1 group 20 [PE-B-bgp-af-vpn] quit Hub&Spoke Configuration Example Network requirements Hub&Spoke networking is also called central server networking. The Site in the center is called Hub-Site, while the one not in the center is called Spoke-Site.
Network diagram: Figure 136 Network diagram for Hub&Spoke. Recoverable from the figure: PE1 Loopback0 11.1.1.1/32, PE2 Loopback0 22.1.1.1/32, PE3 Loopback0 33.1.1.1/32 (PE3 20.1.1.2); hub site CE1 on VLAN201 172.16.0.1/16 and VLAN202 172.17.0.1/16; spoke site CE2 on VLAN201 172.15.0.1/16; spoke site CE3 on VLAN201 172.18.0.
[PE1-bgp-af-vpn-instance] peer 172.17.1.1 allow-as-loop 1 [PE1-bgp-af-vpn-instance] quit [PE1-bgp] quit # Bind the VLAN interfaces connecting PE1 and CE1 to different VPN-instances: bind the interface of the VLAN to which Ethernet port GigabitEthernet 2/1/1 belongs to VPN-instance2, and the interface of the VLAN to which GigabitEthernet 2/1/2 belongs to VPN-instance3.
# Set up an EBGP adjacency between PE2 and CE2, and import the VPN routes learned from CE2 into the MBGP VPN-instance address family. [PE2] bgp 100 [PE2-bgp] ipv4-family vpn-instance vpn-instance1 [PE2-bgp-af-vpn-instance] import-route static [PE2-bgp-af-vpn-instance] import-route direct [PE2-bgp-af-vpn-instance] group 172 external [PE2-bgp-af-vpn-instance] peer 172.15.1.
[PE3-bgp-af-vpn-instance] import-route static
[PE3-bgp-af-vpn-instance] import-route direct
[PE3-bgp-af-vpn-instance] group 172 external
[PE3-bgp-af-vpn-instance] peer 172.18.1.1 group 172 as-number 65001
[PE3-bgp-af-vpn-instance] quit
[PE3-bgp] quit
# Bind the interface of the VLAN to which the port connecting PE3 and CE3 belongs to the VPN-instance.
Network diagram: Figure 137 Network diagram for CE dual-home. Recoverable from the figure: CE3 in AS 65003, CE4 in AS 65004, the PEs in AS 100; PE1 Loopback0 1.1.1.1/32, PE3 Loopback0 3.3.3.3/32, PE2 Loopback0 2.2.2. Interface addresses shown: 192.168.13.1/24 and 192.168.13.2/24 (VLAN311/VLAN211), 192.168.23.1/24 and 192.168.23.2/24 (VLAN314/VLAN211), 172.11.11.1/24 and 172.11.11.2/24 (VLAN211), 172.21.21.1/24 and 172.12.12.2/24 (VLAN212), 30.1.1.1/24 and 30.1.1.2/24 (VLAN312/VLAN214), 20.1.1.1/24 and 20.1.1.2/24 (VLAN214/VLAN313), 10.1.1.1/24 (VLAN213).
[PE1-bgp-af-vpn-instance] group 17211 external [PE1-bgp-af-vpn-instance] peer 172.11.11.2 group 17211 as-number 65001 [PE1-bgp-af-vpn-instance] quit [PE1-bgp] quit # Set up EBGP adjacency between PE1 and CE2 in VPN-instance 1.2, import intra-CE2 VPN routes learned into VPN-instance 1.2. [PE1-bgp] ipv4-family vpn-instance vpn-instance1.
[PE1-vlan214] quit [PE1] interface Vlan-interface 214 [PE1-Vlan-interface214] mpls [PE1-Vlan-interface214] mpls ldp enable [PE1-Vlan-interface214] mpls ldp transport-ip interface [PE1-Vlan-interface214] ip address 30.1.1.2 255.255.255.0 [PE1-Vlan-interface214] quit # Enable OSPF on the interface connecting PE1 and PE2, the interface connecting PE1 and PE3, and the Loopback interface, to achieve inter-PE communication. [PE1] Router-id 1.1.1.
[PE2] bgp 100 [PE2-bgp] ipv4-family vpn-instance vpn-instance2.1 [PE2-bgp-af-vpn-instance] import-route direct [PE2-bgp-af-vpn-instance] import-route static [PE2-bgp-af-vpn-instance] group 17212 external [PE2-bgp-af-vpn-instance] peer 172.12.12.2 group 17212 as-number 65001 [PE2-bgp-af-vpn-instance] quit # Set up EBGP adjacency between PE2 and CE2 in VPN-instance2.2, and import the VPN routes learned from CE2 into VPN-instance2.2.
[PE3-bgp-af-vpn-instance] import-route direct
[PE3-bgp-af-vpn-instance] import-route static
[PE3-bgp-af-vpn-instance] group 192 external
[PE3-bgp-af-vpn-instance] peer 192.168.13.2 group 192 as-number 65003
[PE3-bgp-af-vpn-instance] quit
[PE3-bgp] quit
# Set up EBGP adjacency between PE3 and CE4 in VPN-instance3.2, and import the VPN routes learned from CE4 into VPN-instance3.2. [PE3-bgp] ipv4-family vpn-instance vpn-instance3.
Network diagram: Figure 138 Network diagram for ASBR. Recoverable from the figure: AS 100 (PE1 1.1.1.1/32, P1 3.3.3.3/32) and AS 200 (PE2 2.2.2.2/32, P2 4.4.4.4/32); inter-AS link 20.1.1.1/24 and 20.1.1.2/24 on VLAN205; other addresses shown: 98.98.98.1/24 and 98.98.98.2/24 (VLAN206), 172.12.12.1/24, 172.22.22.1/24 and 172.21.21.1/24 (VLAN202/VLAN203/VLAN204), 172.12.12.2/24, 172.21.21.2/24 and 172.22.22.2/24 (VLAN201), 10.1.1.1/24 and 10.1.1.2/24 (VLAN205), 172.11.11.1/24 and 172.11.11.2/24 (VLAN201), CE1, PC1 192.168.11.
[PE1] interface Vlan-interface 205 [PE1-Vlan-interface205] mpls [PE1-Vlan-interface205] mpls ldp enable [PE1-Vlan-interface205] ip address 10.1.1.2 255.255.255.0 # Bind the VLAN interface with the VPN-instance.
# Configure Loopback interface. [PE2] interface loopback 0 [PE2-LoopBack0] ip address 2.2.2.2 255.255.255.255 # Configure VPN-instance. [PE2] ip vpn-instance vpna [PE2-vpn-vpna] route-distinguisher 200:1 [PE2-vpn-vpna] vpn-target 100:1 both [PE2-vpn-vpna] quit [PE2] ip vpn-instance vpnb [PE2-vpn-vpnb] route-distinguisher 200:2 [PE2-vpn-vpnb] vpn-target 100:2 both # Configure the VLAN interface connecting PE2 and P2.
# Configure MPLS basic capability. [P1] mpls lsr-id 3.3.3.3 [P1] mpls [P1-mpls] quit [P1] mpls ldp # Configure the interface Loopback 0. [P1] interface loopback 0 [P1-LoopBack0] ip address 3.3.3.3 255.255.255.255 # Configure VLAN interface connecting PE1.
The example adopts Option C to implement a cross-domain BGP/MPLS VPN: VPN routing is handled by multihop MP-EBGP, which advertises labeled VPN-IPv4 routes between the PEs. Network diagram: Figure 139 Network diagram for Multihop EBGP cross-domain VPN. Recoverable from the figure: BGP/MPLS backbones AS 100 and AS 200; Loopback0 addresses 202.100.1.1/32 and 202.200.1.1/32; VLAN 110 172.1.1.1/16 and VLAN 210 192.1.1.1/24; 202.100.1.
[ASBR-PE1] vlan 110 [ASBR-PE1-vlan110] interface vlan 110 [ASBR-PE1-Vlan-interface110] ip address 172.1.1.1 255.255.0.0 [ASBR-PE1-Vlan-interface110] quit [ASBR-PE2] vlan 210 [ASBR-PE2-vlan210] interface vlan 210 [ASBR-PE2-Vlan-interface210] ip address 192.1.1.1 255.255.255.0 [ASBR-PE2-Vlan-interface210] quit [ASBR-PE1] ospf [ASBR-PE1-ospf-1] area 0 [ASBR-PE1-ospf-1-area-0.0.0.0] network 172.1.0.0 0.0.255.255 [ASBR-PE1-ospf-1-area-0.0.0.0] network 202.100.1.1 0.0.
[PE1] mpls lsr-id 172.1.1.2 [PE1] mpls [PE1-mpls] lsp-trigger all [PE1-mpls] quit [PE1] mpls ldp [PE1-mpls-ldp] quit [PE1] interface vlan 110 [PE1-Vlan-interface110] mpls [PE1-Vlan-interface110] mpls ldp [PE1-Vlan-interface110] quit # Configure basic MPLS capability on ASBR-PE1, enable LDP on the interface connected to PE1, and enable MPLS on the interface connected to ASBR-PE2. [ASBR-PE1] mpls lsr-id 172.1.1.
# Configure CE1 [CE1] vlan 410 [CE1-vlan410] interface vlan 410 [CE1-Vlan-interface410] ip address 168.1.1.2 255.255.0.
[CE1-bgp] peer 168.1.1.1 group 20 as-number 100 [CE1-bgp] quit # Configure PE1: set up an EBGP peer relationship with CE1, an IBGP peer relationship with ASBR-PE1, and a multihop MP-EBGP peer relationship with PE2. [PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpna [PE1-bgp-af-vpn-instance] group 10 external [PE1-bgp-af-vpn-instance] peer 168.1.1.
# Configure CE2.
[CE2] bgp 65002
[CE2-bgp] group 10 external
[CE2-bgp] peer 168.2.2.1 group 10 as-number 200
[CE2-bgp] quit
# Configure PE2: set up an EBGP peer relationship with CE2, an IBGP peer relationship with ASBR-PE2, and a multihop MP-EBGP peer relationship with PE1. [PE2] bgp 200 [PE2-bgp] ipv4-family vpn-instance vpna [PE2-bgp-af-vpn-instance] group 10 external [PE2-bgp-af-vpn-instance] peer 168.2.2.
[ASBR-PE2-bgp] peer 20 route-policy rtp-ibgp export [ASBR-PE2-bgp] peer 202.200.1.2 group 20 [ASBR-PE2-bgp] peer 202.200.1.
# Configure VPN-instance [SPE] ip vpn-instance vpn1 [SPE-vpn-vpn1] route-distinguisher 100:1 [SPE-vpn-vpn1] vpn-target 100:1 both # Configure interfaces (on a PE router, the Loopback 0 interface must be assigned a host address with a 32-bit mask). [SPE] vlan 201 [SPE-vlan201] port gigabitethernet 2/1/1 [SPE-vlan201] quit [SPE] interface Vlan-interface 201 [SPE-Vlan-interface201] ip address 10.0.0.1 255.0.0.
[UPE] ip vpn-instance vpn1 [UPE-vpn-vpn1] route-distinguisher 100:1 [UPE-vpn-vpn1] vpn-target 100:1 both # Configure interfaces [UPE] vlan 301 [UPE-vlan301] port gigabitethernet 2/2/1 [UPE-vlan301] quit [UPE] interface Vlan-interface 301 [UPE-Vlan-interface301] mpls [UPE-Vlan-interface301] mpls ldp enable [UPE-Vlan-interface301] mpls ldp transport-ip interface [UPE-Vlan-interface301] ip address 10.0.0.2 255.0.0.
Network diagram: Figure 141 Network diagram for OSPF multi-instance. Recoverable from the figure: CE1 (10.10.10.10), PE1 (LoopBack0 1.1.1.1, LoopBack1 50.1.1.1) and PE3 (LoopBack0 3.3.3.3, LoopBack1 50.1.1.3); a sham link across the MPLS VPN backbone and a backdoor link 12.1.1.0/24 (VLAN202 12.1.1.1/24 and 12.1.1.2/24). Other addresses shown: VLAN201 10.1.1.1/24 and 10.1.1.2/24, VLAN202 168.1.13.1/24 and 168.1.13.2/24, VLAN203 168.1.12.1/24 and 168.1.12.2/24, VLAN201 168.1.23.1/24 (168.1.1.
[PE1-Vlan-interface201] ospf cost 1 [PE1-Vlan-interface201] quit [PE1] vlan 202 [PE1-vlan202] port gigabitethernet 2/1/2 [PE1-vlan202] quit [PE1] interface Vlan-interface 202 [PE1-Vlan-interface202] ip address 168.1.13.1 255.255.255.
[PE1] ospf 1000 [PE1-ospf-1000] area 0 [PE1-ospf-1000-area-0.0.0.0] network 168.12.1.0 0.0.0.255 [PE1-ospf-1000-area-0.0.0.0] network 50.1.1.1 0.0.0.0 2 Configure PE2 # Enable MPLS and LDP. [PE2] mpls lsr-id 50.1.1.2 [PE2] mpls [PE2-mpls] quit [PE2] mpls ldp # Configure VPN-instance VPN1.
[PE2] bgp 100
[PE2-bgp] undo synchronization
[PE2-bgp] group fc internal
[PE2-bgp] peer 50.1.1.1 group fc
[PE2-bgp] peer 50.1.1.1 connect-interface LoopBack1
[PE2-bgp] peer 50.1.1.3 group fc
# Configure VPN-instance and import OSPF and direct-connect routes.
[CE1] vlan 201 [CE1-vlan201] port gigabitethernet 2/1/1 [CE1-vlan201] quit [CE1] interface Vlan-interface 201 [CE1-Vlan-interface201] ip address 10.1.1.1 255.255.255.0 [CE1-Vlan-interface201] ospf cost 1 # Configure OSPF. [CE1] ospf 100 router-id 10.10.10.129 [CE1-ospf-100] import-route direct [CE1-ospf-100] area 0.0.0.0 [CE1-ospf-100-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [CE1-ospf-100-area-0.0.0.0] network 12.1.1.0 0.0.0.
Network diagram: Figure 142 Network diagram for nested VPN. Recoverable from the figure: provider backbone AS100 with prov_pe1 5.5.5.5 and prov_pe2 4.4.4.4 linked on VLAN 110 (10.1.1.1/8 and 10.1.1.2/8); customer PEs cust_pe1 6.6.6.6 (AS600) and cust_pe2 7.7.7.7 (AS500); sites CE1, CE2, CE3, CE5, CE6 and CE7 in VPN1 (AS50001, AS50003), VPN2 and VPN3. Other addresses shown: VLAN 210 18.1.1.1/8 and 18.1.1.2/8, VLAN 310 1.1.1.1/8 and 1.1.1.2/8, VLAN 510 15.1.1.1/8 and 15.1.1.2/8, VLAN 410 2.1.1.1/8 and 2.1.1.2/8, VLAN 610 16.1.1.2/8 and 16.1.1.
[prov_pe2-Vlan-interface110] ip address 10.1.1.2 255.0.0.0
[prov_pe2-Vlan-interface110] quit
[prov_pe2] ospf
[prov_pe2-ospf] area 0
[prov_pe2-ospf-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[prov_pe2-ospf-area-0.0.0.0] network 10.0.0.0 0.255.255.255
Configure basic MPLS capability and MPLS LDP on the backbone network. # Configure prov_pe1. [prov_pe1] mpls lsr-id 5.5.5.
# Configure prov_pe1.
[cust_pe2-Vlan-interface410] mpls [cust_pe2-Vlan-interface410] quit 3 Configure EBGP between provider PE and customer PE. # Configure prov_pe1 to access the corresponding Customer PE.
[cust_pe2-bgp] ipv4-family vpnv4 [cust_pe2-bgp-af-vpn] peer ebgp enable [cust_pe2-bgp-af-vpn] peer 2.1.1.2 group ebgp 4 On each Customer PE, configure the sub-VPN that accesses the network through the Customer PE. # Configure cust_pe1.
Configuration procedure 1 Configure the CE router # Configure instance VPN1 [CE] ip vpn-instance vpn1 [CE-vpn-vpn1] route-distinguisher 100:1 [CE-vpn-vpn1] vpn-target 100:1 export-extcommunity [CE-vpn-vpn1] vpn-target 100:1 import-extcommunity [CE-vpn-vpn1] quit # Configure instance VPN2 [CE] ip vpn-instance vpn2 [CE-vpn-vpn2] route-distinguisher 200:1 [CE-vpn-vpn2] vpn-target 200:1 export-extcommunity [CE-vpn-vpn2] vpn-target 200:1 import-extcommunity # Configure VLAN201.
[CE] ospf 100 vpn-instance vpn1 [CE-ospf-100] vpn-instance-capability simple [CE-ospf-100] area 0.0.0.0 [CE-ospf-100-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [CE-ospf-100-area-0.0.0.0] network 10.2.1.0 0.0.0.255 # Configure OSPF 300. [CE] ospf 300 vpn-instance vpn2 [CE-ospf-300] vpn-instance-capability simple [CE-ospf-300] area 0.0.0.1 [CE-ospf-300-area-0.0.0.1] network 20.1.1.0 0.0.0.255 [CE-ospf-300-area-0.0.0.1] network 20.2.1.0 0.0.0.
[PE1] interface loopback 0 [PE1-LoopBack0] ip address 1.1.1.9 32 [PE1-LoopBack0] quit [PE1] vlan 110 [PE1-vlan110] interface vlan-interface 110 [PE1-Vlan-interface110] ip address 192.168.1.1 24 [PE1-Vlan-interface110] quit [PE1] ospf [PE1-ospf-1] area 0 [PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [PE1-ospf-1-area-0.0.0.
[PE1-Vlan-interface310] ip binding vpn-instance vpn1
[PE1-Vlan-interface310] ip address 20.2.1.2 24
[PE1-Vlan-interface310] quit
[PE1] vlan 210
[PE1-vlan210] interface vlan-interface 210
[PE1-Vlan-interface210] ip binding vpn-instance vpn2
[PE1-Vlan-interface210] ip address 20.1.1.2 24
[PE1-Vlan-interface210] quit
# Configure basic MPLS capability on PE2. [PE2] mpls lsr-id 2.2.2.
[CE3] vlan 210 [CE3-vlan210] interface vlan-interface 210 [CE3-Vlan-interface210] ip address 20.3.1.1 24 [CE3-Vlan-interface210] quit [CE3] bgp 65430 [CE3-bgp] import-route direct [CE3-bgp] group 10 external [CE3-bgp] peer 20.3.1.2 group 10 as-number 100 [CE3-bgp] quit # Configure PE1: configure PE1 as the IBGP peer of PE2 in BGP-VPNv4 sub-address family view, and as the EBGP peer of CE1 in BGP VPN1 instance view.
Troubleshooting BGP/MPLS VPN Configuration 599 # Configure a default route pointing to PE1 on CE2. [CE2] ip route-static 0.0.0.0 0.0.0.0 20.1.1.2 # Configure a multiple-role host route on PE1. [PE1] ip route-static vpn-instance vpn1 172.16.0.0 16 vpn2 20.1.1.1 # Import the route of VPN1 to VPN2 using the RT attribute.
■ Check whether the BGP adjacency is established correctly. ■ Check whether the routing import/export relation of the VPN-instance is correct. ■ Check whether allow-as-loop is configured between the spoke PE and the hub PE. Symptom 4 Fail to specify the Loopback interface at the peer end as the BGP neighbor.
50 CARD INTERMIXING FOR MPLS SUPPORT Overview Introduction to Card Intermixing Card Intermixing Mechanism The intermixing feature enables deployment of MPLS VPN services on cards that do not support MPLS. Switch 8800 Family routing switches support various modes of MPLS VPN function and provide a range of MPLS VPN services to meet different users' needs in the performance, reliability and port utilization of MPLS VPN functions.
CHAPTER 50: CARD INTERMIXING FOR MPLS SUPPORT Note: Because the destination port in an intermixing configuration is looped back, it is locked automatically and you cannot enter its port view. Therefore, you cannot perform other configuration on the destination port.
Intermixing Configuration Task
■ It is not allowed to make the redirected source port or destination port leave the redirected VLAN in the normal way;
■ It is not allowed to configure protocol VLANs on the redirected source port or destination port;
■ It is not allowed to delete the redirected VLAN or VLAN interface;
■ It is not allowed to configure/add Loopback ports in the redirected VLAN;
■ It is not allowed to use an STP edge port as the redirected destination port;
■ It is not allowed to c
Configuring MPLS VPN Configure BGP/MPLS VPN (L3VPN) or L2VPN. Refer to “BGP/MPLS VPN Configuration” and the "VPN Operation" section in the 3Com Switch 8800 Family Series Routing Switches Operation Manual for detailed configuration information. Configuring flow template and ACL rules The packets to be redirected are identified through the flow template and ACL configurations.
You can define the flow template by means of the IP + VLAN + DMAC method to make sure that different kinds of packets are processed in different ways:
■ If ARP packets do not match IP rules in redirection, they are processed on the non-MPLS card;
■ If Layer 2 traffic does not match the DMAC in redirection, it is L2-forwarded on the non-MPLS card;
■ If Layer 3 packets (including unicast protocol packets) match the rule, they are redirected to the MPLS card.
Note: ■ The source port joins the corresponding VLAN automatically after intermixing redirection is configured, and leaves that VLAN automatically after the intermixing redirection is deleted. ■ When using the VPLS intermixing redirection command, you have to enable join-vlan explicitly. Typical Networking Example
[CE1-bgp] import-route direct [CE1-bgp] import-route static Note: The configuration on CE2 is similar to that on CE1, so the configuration procedure is omitted. 2 Configure PE1 # Configure global MPLS. [PE1] mpls lsr-id 1.1.1.1 [PE1] mpls [PE1-mpls] quit [PE1] mpls ldp # Configure public network interface and enable MPLS on the interface. [PE1] interface loopback0 [PE1-LoopBack0] ip address 1.1.1.
CAUTION: If VRRP is enabled on the VLAN interface to which the source port of MPLS VPN redirection belongs, you must configure another ACL rule to redirect the packets whose destination address is the VRRP virtual MAC address, so that ICMP packets sent to the VRRP virtual MAC address are processed normally. # Configure VLAN interface.
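The flow-template rules in the task description above and this VRRP caution can be checked mechanically. The following Python block is an added example, not from the guide: it models the IP + VLAN + DMAC redirect decision for constructed packets and lists the VRRP virtual MACs (00-00-5E-00-01-VRID for IPv4 VRRP) that a redirect policy does not cover. The rule format, VLAN numbers, interface MAC and VRID are constructed; the real switch matches these through a flow template and ACL rules, not the Python object used here.

```python
"""Model of the intermixing redirect decision and the VRRP virtual-MAC gap.
Added example, not from the 3Com guide; rules, VLANs, MACs and VRID are
constructed. Packets are classified the way the flow-template text says:
ARP is handled on the non-MPLS card, traffic whose destination MAC matches
no rule is L2-forwarded there, and IP packets whose VLAN + destination MAC
match a rule are redirected to the MPLS card."""

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC (RFC 3768): 00-00-5E-00-01-<VRID>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


class RedirectPolicy:
    """Set of (VLAN, destination MAC) pairs that the IP + VLAN + DMAC flow
    template matches and redirects to the MPLS card."""

    def __init__(self, rules):
        self.rules = {(vlan, mac.lower()) for vlan, mac in rules}

    def classify(self, vlan, dmac, ethertype):
        if ethertype == ETHERTYPE_ARP:
            return "non-mpls-card"   # ARP never matches the IP rule
        if ethertype != ETHERTYPE_IPV4 or (vlan, dmac.lower()) not in self.rules:
            return "l2-forward"      # stays on the non-MPLS card, never routed
        return "redirect-mpls"


def missing_vrrp_rules(policy, vrrp_groups):
    """vrrp_groups: iterable of (vlan, vrid). Return the (vlan, virtual MAC)
    pairs the policy lacks. IP traffic sent to those MACs is L2-forwarded
    instead of routed into the VPN, which is the failure the caution warns of."""
    return sorted((vlan, vrrp_virtual_mac(vrid)) for vlan, vrid in vrrp_groups
                  if (vlan, vrrp_virtual_mac(vrid)) not in policy.rules)


# Constructed setup: VLAN 10 is the redirected source VLAN, its VLAN-interface
# MAC is 00:e0:fc:00:00:01 and the same VLAN runs VRRP group 5.
IF_MAC = "00:e0:fc:00:00:01"
VRRP_GROUPS = [(10, 5)]
INCOMPLETE = RedirectPolicy([(10, IF_MAC)])
COMPLETE = RedirectPolicy([(10, IF_MAC), (10, vrrp_virtual_mac(5))])

if __name__ == "__main__":
    vmac = vrrp_virtual_mac(5)
    for name, pol in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, "IP to VRRP vMAC ->", pol.classify(10, vmac, ETHERTYPE_IPV4),
              "; missing rules:", missing_vrrp_rules(pol, VRRP_GROUPS))
```

With only the VLAN-interface MAC in the policy, hosts that use the VRRP virtual address as their gateway send IP packets to the virtual MAC, the classifier returns l2-forward, and those packets never reach the MPLS card; adding the second rule for the virtual MAC closes the gap, which is what the caution asks for.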
# Configure an interface and enable MPLS on the interface. [P] interface loopback0 [P-LoopBack0] ip address 3.3.3.3 32 [P-LoopBack0] quit [P] vlan 100 [P-vlan100] port GigabitEthernet 2/1/1 [P-vlan100] interface vlan-interface 100 [P-vlan-interface100] ip address 196.168.1.2 255.255.255.
# Configure VPN-instance. The configuration of VPN B is similar to that of VPN A, so only the configuration of VPN A is shown. [PE2] ip vpn-instance vpna [PE2-vpn-vpna] route-distinguisher 100:1 [PE2-vpn-vpna] vpn-target 100:1 both [PE2-vpn-vpna] quit # Configure ACL, redirection and Layer 2 ACL (a custom flow template must be configured before this step).
[PE2-bgp] peer 1.1.1.1 connect-interface loopback0 [PE2-bgp] ipv4-family vpnv4 [PE2-bgp-af-vpn] peer 100 enable [PE2-bgp-af-vpn] peer 1.1.1.1 group 100 Note: The configuration of L2 VPN VLL intermixing is similar to that of L3VPN intermixing, so the description of the configuration process is omitted. L2 VPN VLL intermixing is also implemented through the traffic-redirect command. Restrictions in Networking of Various MPLS Cards
Combination of Multiple MPLS cards and Multiple non-MPLS Cards ■ In card intermixing networking, non-MPLS cards can only be used for access on the private network side, and an MPLS card must be used for access on the public network side. ■ An MPLS card affects the forwarding performance of the switch.
51 MPLS VLL MPLS L2VPN Overview Introduction to MPLS L2VPN MPLS L2VPN provides MPLS network-based Layer 2 VPN services. To users, an MPLS L2VPN is a Layer 2 switched network, through which Layer 2 connections can be established between network nodes. Figure 146 MPLS L2VPN (CEs of VPN A and VPN B attach to PEs; the PEs are connected across the P routers by an LSP that carries the VCs). MPLS L2VPN has the following advantages: ■ Multiple network layer protocols supported, such as IP, IPv6, IPX, and SNA. ■ Powerful extensibility.
CHAPTER 51: MPLS VLL Figure 147 Structure of an MPLS L2VPN packet: tunnel label, VC label (together the label stack), then the L2 PDU. The fields in an MPLS L2VPN packet are described as follows: The tunnel label (the outer label) is an MPLS label or a GRE label. It is used to transmit a packet from one PE to another. The VC label (the inner label) identifies the virtual circuit at the receiving PE, that is, the link between that PE and the CE the packet is delivered to.
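To make the two-label structure concrete, the following Python block is an added example, not from the guide: it encodes an MPLS L2VPN packet as a tunnel label entry, a VC label entry with the bottom-of-stack bit set, and a constructed Ethernet PDU, then parses it back the way a receiving PE would and pops the outer label. The label values, MAC addresses and frame bytes are constructed; the entry layout follows RFC 3032 (20-bit label, 3-bit TC, S bit, 8-bit TTL).

```python
"""Build and parse the MPLS L2VPN label stack described above: tunnel label
(outer, S=0), VC label (inner, S=1), then the Layer 2 PDU. Added example,
not from the 3Com guide; label values and the Ethernet frame are constructed."""
import struct

LABEL_ENTRY_LEN = 4  # one RFC 3032 entry: label(20) | TC(3) | S(1) | TTL(8)


def encode_label(label, tc=0, bottom=False, ttl=255):
    """Encode one label stack entry; S (bottom of stack) marks the last entry."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("TC is 3 bits, TTL is 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def encode_l2vpn_packet(tunnel_label, vc_label, l2_pdu, ttl=255):
    """Tunnel label on top (S=0) carries the packet PE to PE; the VC label
    (S=1) selects the VC, and so the CE-facing interface, at the far PE."""
    return (encode_label(tunnel_label, ttl=ttl)
            + encode_label(vc_label, bottom=True, ttl=ttl)
            + l2_pdu)


def decode_label_stack(data):
    """Walk entries until S=1. Returns (entries, payload). Raises ValueError
    when the stack never terminates, which is how a truncated or forged
    stack shows up on the wire."""
    entries, off = [], 0
    while True:
        if off + LABEL_ENTRY_LEN > len(data):
            raise ValueError("label stack runs past end of packet")
        (word,) = struct.unpack_from("!I", data, off)
        off += LABEL_ENTRY_LEN
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bottom": bool(word & 0x100), "ttl": word & 0xFF}
        entries.append(entry)
        if entry["bottom"]:
            return entries, data[off:]


def pop_outer_label(data):
    """What the egress PE (or the penultimate hop) does with the tunnel label:
    strip the top entry, leaving the VC label on top. Refuses to pop when
    only the bottom-of-stack entry is present."""
    entries, _ = decode_label_stack(data)
    if entries[0]["bottom"]:
        raise ValueError("only one label present; nothing above the VC label")
    return data[LABEL_ENTRY_LEN:]


def is_well_formed(data):
    """True when the label stack terminates inside the packet."""
    try:
        decode_label_stack(data)
        return True
    except ValueError:
        return False


# Constructed Ethernet PDU: dst MAC, src MAC, EtherType IPv4, 8 dummy bytes.
SAMPLE_L2_PDU = (bytes.fromhex("0000aa000001") + bytes.fromhex("0000bb000002")
                 + b"\x08\x00" + b"\x45\x00\x00\x1c\x00\x00\x00\x00")

if __name__ == "__main__":
    pkt = encode_l2vpn_packet(tunnel_label=1024, vc_label=100, l2_pdu=SAMPLE_L2_PDU)
    entries, payload = decode_label_stack(pkt)
    print([(e["label"], e["bottom"]) for e in entries], len(payload), "payload bytes")
```

The parser stops at the first entry with S=1, so a packet whose tunnel label is removed still parses correctly with the VC label on top, while a stack that never sets S is rejected rather than read into the Ethernet payload.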
draft-martini-l2circuit-trans-mpls-09.txt draft-kompella-ppvpn-l2vpn-02.txt The Martini draft defines how to implement MPLS L2VPN by establishing point-to-point links. Here, LDP (Label Distribution Protocol) is used as the signaling protocol to exchange VC labels. This kind of MPLS L2VPN is known as a Martini MPLS L2VPN. The Kompella draft defines how to establish MPLS L2VPNs in MPLS networks through end-to-end (CE-to-CE) connections.
Table 563 Features and implementation ways of the three types of MPLS L2VPNs (columns: VPN type, Implementation, Feature). Similar to the Layer 3 BGP/MPLS VPN defined in RFC 2547. Users can assign extra labels to VPNs for future use, which eases the configuration workload of VPN deployment and capacity expansion. PEs discover Layer 2 VPN nodes automatically through the IBGP sessions established between them, and also propagate the VPN information.
CCC MPLS L2VPN Configuration Table 564 Configure CCC MPLS L2VPN ■ Establish local CCC connection: ccc ccc-connection-name interface vlan-interface vlan-id out-interface ■ Establish remote CCC connection: ccc ccc-connection-name interface vlan-interface vlan-id transmit-lsp transmit-lsp-name receive-lsp receive-lsp-name Required. Two types of CCC connections exist: local CCC connection and remote CCC connection. CCC MPLS L2VPN Configuration Example
Network diagram: Figure 149 Network diagram for CCC MPLS L2VPN (CE A, CE B, PE A, PE B and the P routers; VLANs 211 to 214; a local connection on PE A and a remote connection between PE A and PE B). Configuration procedure 1 Configure PE-A. # Enable MPLS globally. [PE_A] mpls lsr-id 1.1.1.1 [PE_A] mpls [PE_A-mpls] quit # Enable MPLS L2VPN globally. [PE_A] mpls l2vpn # Configure VLAN 211.
# Configure the local connection. [PE_A] ccc local-conn interface vlan-interface 211 out-interface vlan-interface 213 # Configure a static LSP, with the out-label of 100 and the egress interface being the interface of VLAN 214. [PE_A] mpls [PE_A-mpls] static-lsp ingress PEA-PEB l2vpn nexthop 5.5.5.2 outlabel 100 # Configure a static LSP, with the in-label of 211 and the ingress interface being the interface of VLAN 214.
[PE_B-mpls] static-lsp egress PEA-PEB l2vpn incoming-interface vlan-interface 212 in-label 101 # Configure the remote connection. [PE_B] ccc remote-connection interface vlan-interface 211 transmit-lsp PEB-PEA receive-lsp PEA-PEB 3 Configure P. [PE_P] mpls lsr-id 10.0.0.
Martini MPLS L2VPN Configuration Configuring Martini MPLS L2VPN Table 565 Configure Martini MPLS L2VPN ■ Enter system view: system-view ■ Configure the LSR ID: mpls lsr-id lsr-id (Required) ■ Enable MPLS: mpls (Required) ■ Quit to system view: quit ■ Configure the LDP remote peer (Required). Martini MPLS L2VPN Configuration Example
Configuration procedure 1 Configure PE-A. # Configure the LSR ID. Enable MPLS, LDP, and MPLS L2VPN.
[PE-A] mpls lsr-id 192.1.1.1
[PE-A] mpls
[PE-A-mpls] quit
[PE-A] mpls ldp
[PE-A] mpls l2vpn
# Configure VLAN 212. [PE-A] vlan 212 [PE-A-vlan212] port gigabitethernet 2/1/2 [PE-A-vlan212] interface vlan-interface 212 [PE-A-Vlan-interface212] quit # Configure VLAN 21.
2 Configure PE-B. # Configure the LSR ID. Enable MPLS, LDP, and MPLS L2VPN.
[PE-B] mpls lsr-id 192.1.1.2
[PE-B] mpls
[PE-B-mpls] quit
[PE-B] mpls ldp
[PE-B] mpls l2vpn
# Configure VLAN 22. [PE-B] vlan 22 [PE-B-vlan22] port gigabitethernet 2/1/1 [PE-B-vlan22] interface Vlan-interface 22 [PE-B-Vlan-interface22] ip address 169.1.1.1 255.255.0.0 [PE-B-Vlan-interface22] mpls [PE-B-Vlan-interface22] mpls ldp enable # Configure VLAN 212.
[PE-P] mpls lsr-id 192.1.1.3
[PE-P] mpls
[PE-P-mpls] quit
[PE-P] mpls ldp
[PE-P] mpls l2vpn
# Configure an IP address for the Loopback interface, which is used as the LSR ID. [PE-P] interface loopback 0 [PE-P-LoopBack0] ip address 192.1.1.3 255.255.255.255 [PE-P-LoopBack0] quit # Configure the VLAN interface.
Kompella MPLS L2VPN Configuration Configuring Kompella MPLS L2VPN Table 566 Configure Kompella MPLS L2VPN ■ Enter system view: system-view ■ Configure the LSR ID: mpls lsr-id lsr-id (Required) ■ Enable MPLS: mpls (Required) ■ Enable MPLS L2VPN globally: mpls l2vpn (Required) ■ Perform BGP (border gateway protocol) related configuration; make sure BGP operates properly and routers (refer to BGP Configuration in the Routing Protocol module).
Table 566 Configure Kompella MPLS L2VPN (continued) ■ Configure the RD (route distinguisher) of the MPLS L2VPN: route-distinguisher route-distinguisher (Required). For an MPLS L2VPN, you must configure the RD before performing other configurations. An RD cannot be modified once it is configured; the only way to change it is to remove the corresponding MPLS L2VPN and create another one.
VLAN is Trunk type. It is not recommended to use Hybrid type as the port link type in a private network VLAN. The user access modes of the instance on all peer PEs must be consistent. Kompella MPLS L2VPN Configuration Example Network requirements Each CE shown in Figure 151 is in the same VLAN as its PE. A remote connection is required between CE-A and CE-B.
[PE-A] bgp 100 [PE-A-bgp] group 100 internal [PE-A-bgp] peer 100 connect-interface loopback0 [PE-A-bgp] peer 3.3.3.3 group 100 [PE-A-bgp] l2vpn-family [PE-A-bgp-af-l2vpn] peer 100 enable # Create and configure the VPN. [PE-A] mpls l2vpn vpn1 encapsulation ethernet [PE-A-mpls-l2vpn-vpn1] route-distinguisher 100:1 [PE-A-mpls-l2vpn-vpn1] vpn-target 100:1 # Create CE1 and configure the corresponding connection.
[PE-B-Vlan-interface22] ip address 6.6.6.1 24
[PE-B-Vlan-interface22] mpls
[PE-B-Vlan-interface22] mpls ldp enable
[PE-B-Vlan-interface22] mpls ldp transport-ip interface
[PE-B-Vlan-interface22] quit
# Configure BGP. [PE-B] bgp 100 [PE-B-bgp] group 100 internal [PE-B-bgp] peer 100 connect-interface loopback0 [PE-B-bgp] peer 1.1.1.1 group 100 [PE-B-bgp] l2vpn-family [PE-B-bgp-af-l2vpn] peer 100 enable # Create and configure VPN1. Displaying and Debugging MPLS L2VPN
Table 567 Display and debug L2VPN ■ Display information about a CCC MPLS L2VPN connection: display ccc [ ccc-name | type [ local | remote ] ] ■ Display information about a Martini MPLS L2VPN connection: display mpls l2vc [ interface vlan-interface vlan-id | verbose ] ■ Display information about a Kompella MPLS L2VPN connection: display mpls l2vpn [ vsi-name [ local-ce | remote-ce ] | connection [ vsi-name [ down | remote-ce | up | verbose ] | brief | int
Troubleshooting MPLS L2VPN ■ A connection being down indicates that the encapsulation configurations of the two ends are not the same. Make sure the encapsulation types and MTUs configured for the local and remote PE devices are consistent. A connection fails if the encapsulation types configured on the two ends differ. Symptom 4: Fail to ping the peer end of a CCC MPLS L2VPN connection. The sending and receiving channels are up, and so is the link connection.
52 VPLS CONFIGURATION Note: The service processor card mentioned in this chapter refers to the 3C17548 VPLS Application Module. VPLS Overview Introduction to VPLS Today, IP networks have spread throughout the world, and operators are focusing on using their existing IP networks to provide enterprises with low-cost private networks.
CHAPTER 52: VPLS CONFIGURATION Table 568 Acronyms ■ UPE: User Facing PE ■ VLL: Virtual Leased Line ■ VPLS: Virtual Private LAN Service ■ VSI: Virtual Switching Instance ■ LSP: Label Switched Path Basic VPLS Network Architectures There are two kinds of VPLS network architectures: the PW logical multipoint-to-multipoint connection architecture and the hierarchical architecture. Figure 152 depicts a VPLS network architecture with PW logical multipoint-to-multipoint connections.
VPLS Operational Principle Figure 153 Hierarchical VPLS network architecture As shown in Figure 153, the topology of the VPLS network is hierarchical, and the access range of the network is expandable. The core devices (NPEs) in the core network require high performance because VPN traffic concentrates there, while the edge devices (UPEs) can be lower-performance because they are mainly used for VPN service access.
Figure 154 L2VPN universal transmission components The transmission components and their functions in a VPLS network are as follows: Attachment circuit An attachment circuit (AC) is a virtual connection link between a CE and a PE. The user's Layer 2 and Layer 3 data are transmitted to the peer site through the AC without modification. Pseudowire A pseudowire (PW) is a bidirectional virtual connection between two VSIs in a VPN.
Concepts Related to VPLS PW signaling The PW (pseudowire) signaling protocol on which VPLS is based is used to establish and maintain PWs. It can also be used to automatically discover the peer PEs of VSIs. Currently, the PW signaling protocols are the label distribution protocol (LDP) and the border gateway protocol (BGP).
NPE An NPE is a core PE device located at the edge of the VPLS core network. It provides VPLS transparent transmission service in the core network. VSI A virtual switching instance (VSI) maps the physical access links to virtual links.
VPLS Basic Configuration Configuring Routing Protocols You must perform some basic routing configuration on your switch so that it can exchange routing information with other P and PE devices. Currently, you can choose the following routing protocols: static routing, routing information protocol (RIP), open shortest path first (OSPF), exterior border gateway protocol (EBGP), and so on.
Creating a VPLS Instance Specifying a VPLS instance name Use the vsi command to create a VPLS instance or enter VSI view. When creating a VPLS instance, you must specify a locally unique VPLS instance name, and must choose automatic discovery or manual configuration as the peer discovery mechanism. Currently, only manual configuration, namely static mode, is supported.
Table 576 Configure an IP address for a peer PE ■ Create a VPLS peer PE contained in the instance: peer peer-ip [ vc-id vc-id ] [ upe | dual-npe ] [ encapsulation { ethernet | vlan } ] ■ Remove the specified VPLS peer PE: undo peer peer-ip By default, the VC ID equals the VSI ID. Specifying the VC encapsulation type of the VSI Perform the following configuration in VSI view.
Configuring Static MAC Address ■ A VPLS instance can be bound to multiple VLANs. You can bind a VPLS instance to up to eight VLANs. ■ A VSI cannot be bound to VLAN-interface 1. Use the mac-address command to configure a static MAC address for the VPLS instance. The address you configure can be either a MAC address on a local CE or a MAC address on a remote CE. Perform the following configuration in system view.
VPLS Basic Configuration
Table 581 Configure user-defined flow template
  Operation: Define flow template
  Command: flow-template user-defined slot slotnum template-info
  Operation: Define user flow template in port view
  Command: flow-template user-defined
  Operation: Remove flow template
  Command: undo flow-template user-defined
When you define the flow template, the total size of all the elements in the template must be less than 16 bytes.
Configuring ACL rules
Use the following commands to define a Layer 2 ACL.
Configuring VPLS load sharing
When multiple modules exist within a single chassis, the load can be shared between them. For example, configure VSIs through 7 with label ranges 0 through 7 respectively. Then associate the VPLS module in slot 0 with label ranges 0 through 3 and the VPLS module in slot 1 with label ranges 4 through 7, using the ACL command listed in Table 584.
VPLS Basic Configuration
By default, the VPN rate limit is 102,400 kbps.
Configuring VPN broadcast suppression percentage
Use the broadcast-restrain command to configure the VPN broadcast suppression percentage, which is in the range of 0 to 100. You cannot set the percentage to 0. In the VSI, the part of the broadcast traffic (including broadcast, multicast, and unknown unicast) beyond the suppression percentage is discarded. Perform the following configuration in VSI view.
Table 589 Configure other VPLS characteristics
  Operation: Define/remove a description of this VPLS instance
  Command: description text / undo description
  Operation: Disable/enable the VPN service of the VPLS instance
  Command: shutdown / undo shutdown
  Operation: Configure the maximum number of MAC addresses in the VPN
  Command: mac-table limit mac-limit
Displaying and Debugging VPLS
VPLS provides various display and debugging commands to monitor the LDP session status, tunnel configuration, all LSPs and the
VPLS Basic Configuration Example
Network diagram
Figure 155 Network diagram for VPLS configuration of back-to-back PEs (CE1 and CE2 in VPN1; PE1 5.6.7.8 and PE2 1.2.3.4 interconnected through G4/1/1 in VLAN 10 with 10.10.10.10/24 and 10.10.10.11/24; CE-facing ports E6/1/48 in VLAN 100)
Configuration procedure
Note: The VPLS service processor card is in slot 5 on PE1 and PE2, and the common interface card is in slot 4.
# Configure an LDP remote peer (PE2) to set up an LDP session.
[PE1] mpls ldp remote-peer 1
[PE1-mpls-remote1] remote-ip 1.2.3.4
# Enable L2VPN globally.
[PE1] mpls l2vpn
# Configure a VPLS instance and VSI-ID (VPN-ID). Enter VSI-LDP view to configure the IP address of PE2.
[PE1] vsi 3Com static
[PE1-vsi-3Com] pwsignal ldp
[PE1-vsi-3Com-ldp] vsi-id 500
[PE1-vsi-3Com-ldp] peer 1.2.3.
VPLS Basic Configuration Example
# Enable the ACL in port view.
[PE1] interface GigabitEthernet4/1/1
[PE1-GigabitEthernet4/1/1] packet-filter inbound link-group 4001 rule 1
2 Configure PE2
# Configure the Router ID used to advertise OSPF routing information. Generally, the MPLS LSR-ID and the Loopback0 interface can be configured with the same IP address.
[PE2] router id 1.2.3.4
# Configure the MPLS LSR ID. Enable MPLS and MPLS LDP globally.
[PE2] mpls lsr-id 1.2.3.
[PE2-vsi-3Com-ldp] vsi-id 500
[PE2-vsi-3Com-ldp] peer 5.6.7.8
[PE2-vsi-3Com-ldp] quit
# Configure a private VLAN, add a port to it, and bind a VSI instance.
[PE2] vlan 100
[PE2-vlan-100] port Ethernet 6/1/48
[PE2-vlan-100] interface vlan 100
[PE2-vlan-interface100] l2 binding vsi 3Com access-mode ethernet
# Enable VLAN-VPN on the port of the private network.
Troubleshooting VPLS
■ Expansion session is abnormal: verify that the commands used to configure the expansion session are executed on both ends and that the configurations are correct.
■ The interface of the private VLAN is not bound to the corresponding VPLS instance, or is DOWN: make sure the interface is UP, or the PW to the UPE is UP.
53 VRRP CONFIGURATION
Introduction to VRRP
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route (for example, 10.100.10.1 as shown in the following internetworking diagram) is configured for every host on a network, so that packets from the host destined to another network segment go through the default route to the Layer 3 switch, implementing communication between the host and the external network.
Figure 157 Network diagram for virtual router (Master with actual IP address 10.100.10.2 and Backup with actual IP address 10.100.10.3 share virtual IP address 10.100.10.1; Host 1, Host 2 and Host 3 at 10.100.10.7, 10.100.10.8 and 10.100.10.9 on the Ethernet)
This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the virtual router).
Configuring VRRP
Enabling/Disabling the Function to Ping the Virtual IP Address
This operation enables or disables the function to ping the virtual IP address of the virtual router. The standard VRRP protocol does not support the ping function, so the user cannot use the ping command to determine whether an IP address is in use by the virtual router.
The following commands can be used to set the correspondence between the IP address and the MAC address. Perform the following configuration in system view.
Configuring VRRP
Table 596 Configure the priority of switches in the virtual router
  Operation: Configure the priority of switches in the virtual router
  Command: vrrp vrid virtual-router-ID priority priority
  Operation: Clear the priority of switches in the virtual router
  Command: undo vrrp vrid virtual-router-ID priority
The priority ranges from 0 to 255. The greater the number, the higher the priority. However, the value can only be configured from 1 to 254.
In a network under possible security threat, the authentication type can be set to simple. The switch then adds the authentication key to VRRP packets before transmitting them. The receiver compares the authentication key in the packet with the locally configured one. If they are the same, the packet is accepted as a legitimate one. Otherwise it is regarded as an illegal packet and discarded.
Table 599 Configure virtual router timer
  Operation: Clear virtual router timer
  Command: undo vrrp vrid virtual-router-ID timer advertise
By default, adver-interval is 1.
Configuring Switch to Track a Specified Interface
The VRRP interface track function extends the backup function. Backup is provided not only for the interface where the virtual router resides, but also for other switch interfaces that may malfunction.
Table 601 Display and debug VRRP
  Operation: Display the configuration information of the VRRP-enabled IFM device
  Command: display vrrp ifm
  Operation: Display VRRP statistics information
  Command: display vrrp statistics [ vlan-interface interface-number [ virtual-router-ID ] ]
  Operation: Display VRRP summary information
  Command: display vrrp summary
  Operation: Clear the statistics information about VRRP
  Command: reset vrrp statistics [ vlan-interface interface-number [ virtual-router-ID ] ]
  Operation: Enable VRRP debugging.
VRRP Configuration Example
Networking diagram
Figure 158 Network diagram for VRRP configuration (Switch_A: VLAN-interface2 202.38.160.1 and VLAN-interface3 10.100.10.2; Switch_B: VLAN-interface2 202.38.160.2; virtual IP address 202.38.160.111; Host A at 202.38.160.3; Host B at 10.2.3.1 reached through the Internet)
Configuration Procedure
Configure switch A
# Configure VLAN 2.
[LSW-A] vlan 2
[LSW-A-vlan2] interface vlan 2
[LSW-A-vlan-interface2] ip address 202.38.160.1 255.255.255.
[LSW-B] vrrp ping-enable
[LSW-B] interface vlan 2
[LSW-B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW-B-vlan-interface2] vrrp vrid 1 preempt-mode
The virtual router can be used soon after configuration. Host A can configure its default gateway as 202.38.160.111. Under normal conditions, switch A functions as the gateway, but when switch A is turned off or malfunctioning, switch B functions as the gateway instead.
VRRP Configuration Example
# Track an interface.
[LSW-A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30
Configure switch B
# Configure VLAN 2.
[LSW-B] vlan 2
[LSW-B-vlan2] interface vlan 2
[LSW-B-vlan-interface2] ip address 202.38.160.2 255.255.255.0
[LSW-B-vlan-interface2] quit
# Enable the function to ping the virtual IP address of the virtual router.
[LSW-B] vrrp ping-enable
# Create a virtual router.
[LSW-B] interface vlan 2
[LSW-B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.
[LSW-A] vlan 2
[LSW-A-vlan2] interface vlan 2
[LSW-A-vlan-interface2] ip address 202.38.160.1 255.255.255.0
# Create virtual router 1.
[LSW-A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority for the virtual router.
[LSW-A-vlan-interface2] vrrp vrid 1 priority 150
# Create virtual router 2.
[LSW-A-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
Configure switch B
# Configure VLAN 2.
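The VRRP decisions this chapter configures, as an added example that is not part of the 3Com guide: simple authentication (matching key, otherwise discard), priority 1 to 254 with the higher value winning, the "track ... reduced" priority reduction from the switch A configuration above, and preempt-mode. Equal priorities are left to the protocol's address tie-break, which is not modelled; switch B's priority of 130 and the key "k3y" are constructed for the scenario.

```python
"""Model of VRRP authentication, priority, interface tracking and preempt-mode.
Added illustration, not the switch's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Advertisement:
    vrid: int
    priority: int
    auth_key: Optional[str] = None   # None when the sender uses no authentication


@dataclass
class VrrpRouter:
    name: str
    vrid: int
    priority: int = 100              # configured value; valid range 1 to 254
    auth_key: Optional[str] = None   # local key for simple authentication
    preempt: bool = True             # vrrp vrid N preempt-mode
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> reduced amount
    link_up: Dict[str, bool] = field(default_factory=dict)  # interface -> operational state
    state: str = "Backup"
    discarded: int = 0               # advertisements rejected as illegal

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 254:
            raise ValueError("configurable priority is 1 to 254")

    def effective_priority(self) -> int:
        """Configured priority minus the reduced amount of every tracked
        interface that is down, floored at 1 so the router still competes."""
        value = self.priority
        for ifname, reduce_by in self.tracked.items():
            if not self.link_up.get(ifname, True):
                value -= reduce_by
        return max(value, 1)

    def authenticate(self, adv: Advertisement) -> bool:
        """Simple authentication: the packet's key must equal the local one."""
        if self.auth_key is None:
            return adv.auth_key is None
        return adv.auth_key == self.auth_key

    def receive(self, adv: Advertisement) -> str:
        """Process an advertisement from a peer of the same virtual router and
        return the resulting state."""
        if adv.vrid != self.vrid or not self.authenticate(adv):
            self.discarded += 1          # illegal packet: discarded, state unchanged
            return self.state
        mine = self.effective_priority()
        if self.state == "Master" and adv.priority > mine:
            self.state = "Backup"
        elif self.state == "Backup" and self.preempt and mine > adv.priority:
            self.state = "Master"
        return self.state

    def advertise(self) -> Advertisement:
        return Advertisement(self.vrid, self.effective_priority(), self.auth_key)


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: switch A as configured above (priority 150,
    tracking VLAN-interface 3 reduced by 30), switch B with priority 130,
    both sharing the same simple authentication key."""
    a = VrrpRouter("LSW-A", 1, priority=150, auth_key="k3y",
                   tracked={"Vlan-interface3": 30},
                   link_up={"Vlan-interface3": True}, state="Master")
    b = VrrpRouter("LSW-B", 1, priority=130, auth_key="k3y")
    results: Dict[str, str] = {}
    results["steady"] = b.receive(a.advertise())      # 130 < 150: B stays Backup
    # A forged advertisement with the top priority but the wrong key is discarded.
    results["forged"] = a.receive(Advertisement(1, 254, auth_key="wrong"))
    a.link_up["Vlan-interface3"] = False               # tracked uplink fails
    results["b_after_fault"] = b.receive(a.advertise())  # 130 > 120: B preempts
    results["a_after_fault"] = a.receive(b.advertise())  # A steps down to Backup
    return results


if __name__ == "__main__":
    for step, state in run_scenario().items():
        print(f"{step}: {state}")
```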
Troubleshooting VRRP
Fault 2: More than one Master exists within the same virtual router
There are also two reasons. One is the short-term coexistence of multiple Master switches, which is normal and needs no manual intervention. The other is the long-term coexistence of multiple Master switches, which may be because switches in the virtual router cannot receive VRRP packets from each other, or receive some illegal packets.
54 HA CONFIGURATION
Introduction to HA
HA (high availability) aims to achieve high availability of the system and to recover the system as soon as possible in the event of fabric failures, so as to shorten the MTBF (Mean Time Between Failure) of the system. The functions of HA are mainly implemented by the applications running on the master and slave modules. The two modules work in master-slave mode: one module works in master mode, the other in slave mode.
■ “Enabling/Disabling Automatic Synchronization”
■ “Synchronizing the Configuration File Manually”
■ “Configuring the Load Mode of the Master and Slave Modules”
Restarting the Slave System Manually
When a slave system is available, the user can restart the slave system manually. Perform the following configuration in user view.
himself, he can do it manually to back up the configuration file saved in the master module. Perform the following configuration in user view.
Table 605 Synchronize the configuration file manually
  Operation: Synchronize the configuration file manually
  Command: slave update configuration
This operation can back up the configuration file to the slave module only if a slave system is available.
HA Configuration Example
Network requirements
Take the master module out and make the slave module take over the work of the master to ensure normal operation.
Configuration procedure
# Synchronize the configuration file manually.
slave update configuration
# Display the switchover state.
display switchover state
# Start the master-slave switchover manually after you confirm and press .
55 ARP CONFIGURATION
Introduction to ARP
Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address.
Necessity of ARP
An IP address cannot be directly used for communication between network devices because network devices can identify only MAC addresses. An IP address is only the address of a host at the network layer. To send datagrams through the network layer to the destination host, the MAC address of the host is required.
Normally, dynamic ARP takes effect and automatically resolves the IP address to the Ethernet MAC address without the help of an administrator.
ARP concepts
ARP entries used in Switch 8800 Family series routing switches include dynamic ARP entries and static ARP entries. Static entries are further divided into long static ARP entries and short static ARP entries.
Configuring ARP
By default, the ARP mapping table is empty and address mappings are obtained through dynamic ARP. Note that:
■ As long as a switch operates, its static ARP mapping entries remain valid unless you perform operations that invalidate ARP, such as changing or removing VLAN virtual interfaces, removing a VLAN, or removing an interface from a VLAN. These operations cause the corresponding ARP mapping entries to be removed automatically.
Configuring the Dynamic ARP Aging Timer
Table 610 Add multicast ARP ports
  Configuration step: Enter system view
  Command: system-view
  Description: -
  Configuration step: Add multicast ARP ports
  Command: arp static ip-address mac-address vlan-id multi-port interface-type interface-number [ vpn-instance vpn-instance-name ]
  Description: -
To cancel the configuration, use the corresponding undo command.
■ If a device finds that the IP address carried in a received gratuitous ARP packet conflicts with its own, it returns an ARP response to the sending device to notify it of the IP address conflict.
By sending gratuitous ARP packets, a network device can:
■ Determine whether or not IP address conflicts exist between it and other network devices.
■ Trigger other network devices to update its hardware address stored in their caches.
Execute the reset command in user view to clear the ARP mapping table. Execute the debugging command in user view to debug the ARP configuration.
56 ARP TABLE SIZE CONFIGURATION
Introduction to ARP Table Size Configuration
You can manually configure the maximum numbers of ARP entries (that is, the sizes of the ARP tables) on a Switch 8800 Family routing switch to meet your actual needs. The following table lists the specifications and numbers of ARP entries on various models.
■ Because a short static ARP entry counts toward the number of normal ARP entries, just like a normal long static ARP entry, if a card is configured to support up to 8K aggregation ARP entries, the card does not support the configuration of either kind.
Table 617 Display ARP table size configuration
  Operation: Display the current maximum numbers of ARP entries and the intended counterparts that will take effect after the switch is next restarted
  Command: display arp max-entry
  Description: You can carry out the display command in any view.
Configuration Example
57 DHCP CONFIGURATION
Some Concepts about DHCP
DHCP Principles
Networks are ever-growing in both size and complexity, and network configuration is getting more and more complex. As is often the case, the number of hosts in a network exceeds that of the available IP addresses, and position changes of hosts (when users carry their laptops from place to place, or move to a wireless network) require new IP addresses to be assigned.
■ Automatic IP address assignment. The DHCP server automatically assigns fixed IP addresses to DHCP clients when they connect to the network for the first time. After that, the IP addresses are permanently occupied by those DHCP clients.
■ Dynamic IP address assignment. The DHCP server leases IP addresses to DHCP clients for a predetermined period of time and reclaims them when the period expires. In this case, a DHCP client must reapply for an IP address regularly.
IP address carried in the packet, and broadcasts a DHCP_Request packet to each DHCP server. The packet contains the IP address carried by the DHCP_Offer packet.
■ Acknowledgement. Upon receiving the DHCP_Request packet, the DHCP server that owns the IP address carried in the DHCP_Request packet sends a DHCP_ACK packet to the DHCP client. The DHCP client then binds the TCP/IP protocol components to its network adapter.
DHCP provides a framework for configuring a host on a TCP/IP network. DHCP is derived from BOOTP and has more functions, such as automatic allocation of reusable network addresses and additional configuration options. DHCP can act as a BOOTP relay agent, so a DHCP user and a BOOTP user can interact with each other.
Configuring General DHCP
Table 619 Configure the processing method for the current VLAN interface
  Operation: Specify to forward DHCP packets to the local DHCP server and let the local server assign IP addresses in global address pools to DHCP clients
  Command: dhcp select global
  Operation: Specify to forward DHCP packets to the local DHCP server and let the local server assign IP addresses in the VLAN interface address pool to DHCP clients
  Command: dhcp select interface
  Operation: Specify to forward DHCP packets to remote DHCP servers.
Table 621 Enable/Disable fake DHCP server detection
  Operation: Enable fake DHCP server detection
  Command: dhcp server detect
  Operation: Disable fake DHCP server detection
  Command: undo dhcp server detect
Fake DHCP server detection is disabled by default.
Configuring DHCP Server
common to all levels in the address pool structure, or some subnets only for the network segment or for corresponding subnets. The display dhcp server tree command displays the tree-like structure of address pools, where address pools on the same level are sorted by the time they were created. The dhcp server ip-pool command can be used to create a global DHCP address pool and enter the corresponding address pool view.
Table 623 Configure static address binding for a global DHCP address pool
  Operation: Free a statically bound IP address
  Command: undo static-bind ip-address
  Operation: Configure a MAC address to be statically bound
  Command: static-bind mac-address mac-address
  Operation: Free a statically bound MAC address
  Command: undo static-bind mac-address
IP addresses in a global DHCP address pool are not statically bound by default.
Configuring DHCP Server
Each DHCP address pool can be configured with only one address range. If you execute the network command multiple times, only the last configured address range takes effect.
CAUTION: When addresses are obtained through DHCP Relay, the subnet masks of the normal address pool, the global binding address pool and the relay address must be the same.
Configuring a lease time for multiple VLAN interfaces
Perform the following configuration in system view.
Configuring DHCP Server
By default, global address pools and VLAN interface address pools are not configured with any DHCP client domain name. If you execute the dhcp server domain-name command multiple times, the newly configured DHCP client domain name overwrites the existing one.
Configuring DNS Server Address for DHCP Clients
When a host uses a domain name to access the Internet, the domain name must be translated into an IP address. The Domain Name System (DNS) is responsible for the translation.
Configuring NetBIOS Server Address for DHCP Clients
For clients running a Windows operating system and communicating through the NetBIOS protocol, translation between host names and IP addresses is carried out by Windows Internet Naming Service (WINS) servers. So you need to perform WINS-related configuration for these clients. At present, you can configure up to eight NetBIOS server addresses for a DHCP address pool.
Configuring DHCP Server
■ p-node: Nodes of this type establish their mappings by communicating with a NetBIOS server. (p stands for peer-to-peer.)
■ m-node: Nodes of this type are p-nodes that also take on some broadcast features. (m stands for mixed.)
■ h-node: Nodes of this type are b-nodes that also take on the peer-to-peer mechanism. (h stands for hybrid.)
Configuring NetBIOS node type for a global DHCP address pool
Perform the following configuration in DHCP address pool view.
Table 642 Configure a custom DHCP option for a global DHCP address pool
  Operation: Configure a custom DHCP option for a global DHCP address pool
  Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }
  Operation: Remove a custom DHCP option configured for a global DHCP address pool
  Command: undo option code
Configuring custom DHCP options for the current VLAN interface
Perform the following configuration in VLAN interface view.
Configuring DHCP Server
If you execute the gateway-list command multiple times, the newly configured IP addresses overwrite the existing ones.
Configuring Parameters for DHCP Server to Send Ping Packets
To avoid address conflicts caused by reassigning an in-use IP address, before assigning an IP address to a DHCP client the DHCP server probes the network with ping to ensure that the IP address is not occupied.
Table 647 Display the configuration information about the DHCP server
  Operation: Display the forbidden IP addresses in the DHCP address pool
  Command: display dhcp server forbidden-ip
  Operation: Display the information about IP address binding in DHCP address pool(s)
  Command: display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ vlan-interface vlan-id ] | all }
  Operation: Display the statistics about the DHCP server
  Command: display dhcp server statistics
  Operation: Display the information
Configuring DHCP Server
Network diagram
Figure 161 Network diagram for DHCP server (two DHCP clients on Ethernet segment 10.110.0.0; Switch (DHCP Server) at 10.110.1.1)
Configuration procedure
# Enter system view.
system-view
# Create VLAN 2.
[SW8800]vlan 2
# Enter VLAN interface view and create Vlan-interface 2.
[SW8800]interface Vlan-interface 2
# Assign an IP address to Vlan-interface 2.
[3Com-Vlan-interface2]ip address 10.110.1.1 255.255.0.
Configuring DHCP Relay
Introduction to DHCP Relay
Networks are ever-growing in both size and complexity, and network configuration is getting more and more complex. As is often the case, the number of hosts in a network exceeds that of the available IP addresses, and position changes of hosts (when users carry their laptops from place to place, or move to a wireless network) require new IP addresses to be assigned.
Configuring DHCP Relay
Note that the entire configuration procedure may go through multiple rounds of such interactions.
Note:
■ The DHCP client applies for an IP address through the DHCP relay. When a packet from the DHCP client passes through the DHCP relay, the DHCP relay adds its primary IP address to the packet and forwards the packet to the DHCP server. When it receives the packet, the DHCP server allocates an IP address on the same segment as the IP address added by the DHCP relay.
Configuring DHCP Relay
Table 653 Display and debug DHCP Relay
  Operation: Enable debugging for DHCP Relay
  Command: debugging dhcp relay { all | packet | error | event }
  Operation: Disable debugging for DHCP Relay
  Command: undo debugging dhcp relay { all | packet | error | event }
DHCP Relay Configuration Example
Network requirements
As shown in Figure 163, two DHCP clients located on the same network segment (10.110.0.0) are connected to a switch through a port in VLAN 2.
[3Com-Vlan-interface2]ip relay address 202.38.1.2
Note: Besides the above configuration for DHCP Relay, you need to configure an address pool on the DHCP server and make sure the DHCP server and the switch interface connecting the two DHCP clients are reachable to each other by routing.
CAUTION: Do not change or delete the IP address of the interface corresponding to the DHCP Relay; otherwise users will be unable to obtain IP addresses to access the Internet.
DHCP Option 82 Configuration
Sub-option 2 also belongs to Option 82 and defines the Remote ID. Usually configured on DHCP relay devices, it indicates that the forwarded packets will carry the MAC address of the relay device. Generally, sub-option 1 and sub-option 2 are used together to identify a DHCP client.
■ Sub-option 5
Sub-option 5 also belongs to Option 82 and defines the link selection.
Figure 165 Sub-option structure
SubOpt: Indicates the number of the sub-option. The sub-options contained in this packet are sub-option 1, sub-option 2 and sub-option 5. They have the following meanings:
■ Sub-option 1 defines the Circuit ID.
■ Sub-option 2 defines the Remote ID.
■ Sub-option 5 defines the Link Selection.
Len: Indicates the length of the Sub-option Value field.
Sub-option Value: Indicates the sub-option value.
configurations for maintenance convenience. You can choose to use the bridge MAC address of the relay, the device name (configured through sysname), or user-defined strings.
5 After receiving the DHCP request packet forwarded by the DHCP relay, the DHCP server records the information carried by the option in the packet. Then, the DHCP server sends the DHCP relay a response packet that carries the DHCP configuration information and the Option 82 information.
6 After receiving the response packet sent by the DHCP server, the DHCP relay strips the Option 82 information from the packet.
DHCP Option 82 Configuration
Table 654 Enable Option 82 support on DHCP relay on the current VLAN interface
  Operation: Configure the strategy for the DHCP relay to process the request packets that carry Option 82
  Command: dhcp relay information strategy { drop | keep | replace }
  Remarks: Optional
By default, the DHCP relay adopts the replace strategy to process request packets that carry Option 82. That is, the DHCP relay replaces the original Option 82 in the packets with its own Option 82.
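The Option 82 handling described above (the SubOpt / Len / Sub-option Value triples, the relay's drop, keep and replace strategies for a request that already carries Option 82, and the stripping of Option 82 from the server's response in step 6), as an added example that is not code from the 3Com guide. The meanings assumed for drop (discard the request) and keep (forward it untouched), the 4-byte form of the Link Selection sub-option, and all packet bytes are constructed for illustration.

```python
"""DHCP Option 82 sub-option codec and relay strategy model (added illustration)."""
from typing import Dict, Optional

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_LINK_SELECTION = 1, 2, 5


def parse_tlvs(raw: bytes, dhcp_options: bool) -> Dict[int, bytes]:
    """Decode code/length/value triples into a dict keyed by code.
    For the DHCP options field (dhcp_options=True) code 255 ends the list
    and code 0 is a one-byte pad; Option 82 sub-options have neither.
    A truncated or overrunning TLV raises ValueError, so a malformed
    packet is rejected instead of being forwarded."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if dhcp_options and code == OPT_END:
            break
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {code}: length {length} overruns the payload")
        out[code] = value
        i += 2 + length
    return out


def encode_tlvs(items: Dict[int, bytes], dhcp_options: bool) -> bytes:
    """Inverse of parse_tlvs; appends the end option for a DHCP options field."""
    buf = bytearray()
    for code, value in items.items():
        if len(value) > 255:
            raise ValueError(f"TLV {code}: value longer than 255 bytes")
        buf += bytes([code, len(value)]) + value
    if dhcp_options:
        buf.append(OPT_END)
    return bytes(buf)


def build_option82(circuit_id: bytes, remote_id: bytes,
                   link_selection: Optional[bytes] = None) -> bytes:
    """Option 82 value carrying sub-option 1 (Circuit ID), sub-option 2
    (Remote ID, e.g. the relay's bridge MAC) and optionally sub-option 5
    (Link Selection, assumed here to be a 4-byte IPv4 subnet address)."""
    subs = {SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id}
    if link_selection is not None:
        if len(link_selection) != 4:
            raise ValueError("link selection must be a 4-byte IPv4 address")
        subs[SUB_LINK_SELECTION] = link_selection
    return encode_tlvs(subs, dhcp_options=False)


def relay_request(options: bytes, own_opt82: bytes,
                  strategy: str = "replace") -> Optional[bytes]:
    """Relay-side handling of a client request's options field.
    A request without Option 82 always gets the relay's own Option 82.
    A request that already carries Option 82 is handled per the strategy:
    drop -> discarded (None), keep -> forwarded unchanged,
    replace (the default) -> the relay substitutes its own Option 82."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown strategy {strategy!r}")
    opts = parse_tlvs(options, dhcp_options=True)
    if OPT_RELAY_INFO in opts:
        if strategy == "drop":
            return None
        if strategy == "keep":
            return options
    opts[OPT_RELAY_INFO] = own_opt82
    return encode_tlvs(opts, dhcp_options=True)


def strip_option82(response_options: bytes) -> bytes:
    """Step 6 above: the relay removes Option 82 from the server's response
    before forwarding it to the client."""
    opts = parse_tlvs(response_options, dhcp_options=True)
    opts.pop(OPT_RELAY_INFO, None)
    return encode_tlvs(opts, dhcp_options=True)


if __name__ == "__main__":
    # Constructed sample: the relay's own Option 82 and a DHCPREQUEST (message
    # type 3) that already carries an Option 82 inserted by another device.
    own = build_option82(b"vlan2/eth6-1-48", bytes.fromhex("00e0fc000001"))
    request = encode_tlvs({OPT_MSG_TYPE: b"\x03",
                           OPT_RELAY_INFO: build_option82(b"upstream", b"\x00" * 6)},
                          dhcp_options=True)
    for name in ("drop", "keep", "replace"):
        fwd = relay_request(request, own, name)
        print(name, None if fwd is None else parse_tlvs(fwd, dhcp_options=True))
```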
Network diagram
Figure 166 Network diagram for Option 82 support on DHCP relay configuration (two DHCP clients on Ethernet 10.110.0.0; Switch (DHCP relay) with 10.110.1.1 toward the clients and 202.38.1.1 toward Ethernet 202.38.0.0; DHCP server 202.38.1.2 reached through the Internet)
Configuration procedure
Suppose the DHCP relay and the DHCP server are reachable to each other. The following introduces only the configuration on the switch that serves as the DHCP relay.
58 DNS CONFIGURATION
Introduction to DNS
Used in TCP/IP applications, the Domain Name System (DNS) is a distributed database that provides translation between domain names and IP addresses. In this way, users can use domain names that are easy to remember and meaningful, and never need to keep obscure IP addresses in mind. There are two kinds of domain name resolution: static domain name resolution and dynamic domain name resolution, which complement each other in practice.
"3Com", the system regards it as a host name and adds a domain name suffix to search. After all the domain names fail to be resolved in this way, the system finally searches with the originally entered domain name. If the input domain name does include ".", like "www.3Com", the system searches with it directly. The system adds each suffix to search one by one only after that search fails. If the input domain name contains a "." in the final position, like "3Com.com.
Configure the IP Address of Domain Name Server
You are required to configure the domain name server if you need to use the dynamic domain name resolution function. In this way, you can send query request packets to the appropriate server. The system supports up to six domain name servers. Perform the following configuration in system view.
Network diagram
Figure 167 Network diagram for DNS client (Switch reaches the DNS Server 172.16.1.1 through the Internet)
Configuration procedure
# Enable dynamic domain name resolution.
[SW8800] dns resolve
# Configure the IP address of the domain name server as 172.16.1.1.
[SW8800] dns server 172.16.1.1
# Configure the domain name suffix as com.
[SW8800] dns domain com
# Ping a host with the specified domain name.
[SW8800] ping ftp
Trying DNS server (172.16.1.1)
PING ftp.com (200.200.200.
59 NETSTREAM CONFIGURATION
Note: The application module described in this chapter refers to the 3C17542 Network Monitoring Module (NMM).
Netstream Overview
Introduction to Netstream
Netstream provides a packet statistics function. It classifies stream information according to the destination IP address, destination port number, source IP address, source port number, protocol number and ToS of the packet, and keeps independent statistics for each distinct stream.
Netstream Configuration
■ If Netstream aggregation is configured, the stream information is classified and aggregated to generate aggregation information according to certain rules, and then sent in the format of version 8 UDP packets.
■ MPLS stream statistics information is sent in the format of version 9 UDP packets.
Netstream Configuration
Table 661 Configure Netstream
  Operation: Configure the active aging of Netstream
  Command: ip Netstream timeout active minutes
  Description: Optional. By default, the active aging of Netstream is 30 minutes.
  Operation: Configure the inactive timeout of Netstream
  Command: ip Netstream timeout inactive seconds
  Description: Optional. By default, the inactive timeout of Netstream is 60 seconds.
  Operation: Configure the packet refresh rate of the template
  Command: ip Netstream template refresh packets
  Description: Optional.
  Operation: Configure the aging time
aggregation log. The eleven aggregation modes are independent of each other, so they can be configured at the same time.
Note:
■ The configuration in system view affects version 5 UDP packets. Additionally, this configuration is also effective for version 8 UDP packets when the source port and destination address arguments are not configured in aggregation view.
Netstream Configuration Examples
Netstream Configuration Examples
# Map the packets received on GigabitEthernet3/1/3 to slot 5.
[Switch_A] mirror-group 1 inbound GigabitEthernet3/1/3 mirror-to slot 5
# Enable the Netstream function on the module in slot 5.
[Switch_A] ip Netstream enable slot 5
# Configure the export source address of the Netstream statistics packets.
[Switch_A] ip Netstream export source 12.110.2.10
# Configure the export destination address and destination port number of the Netstream statistics packets.
60 NDP CONFIGURATION
Introduction to NDP
Neighbor Discovery Protocol (NDP) is used to discover information about a directly connected neighbor device, including the type, software/hardware version, connected port, ID, port address, and hardware platform of the neighbor device. A device running NDP periodically sends NDP packets out of all NDP-enabled ports while receiving NDP packets from neighbor devices.
Note:
■ On the management device, NDP must be enabled in the system and on the ports.
■ On member devices and candidate devices, the NDP feature must also be enabled in the system and on the corresponding ports.
The aging timer for the NDP information sent from the management device is used during NDP operation.
Enabling NDP in the System
To collect the NDP information sent by the neighbor device, you must enable NDP on the switch.
Table 666 Configure the aging timer for NDP information
  Operation: Configure the aging timer for NDP information
  Command: ndp timer aging aging-in-secs
  Description: By default, the aging timer for NDP information is 180 seconds.
Configuring the interval at which NDP packets are sent
The aging timer for NDP information must be greater than or equal to the interval at which NDP packets are sent; otherwise, the NDP information table will be unstable.
■ The information about the neighbor switches Switch B and Switch C that are connected to Switch A should be visible to Switch A through NDP configuration.
Network diagram
Figure 170 Network diagram for NDP configuration (Ethernet 1/1/1 and Ethernet 1/1/2 on Switch A connect to Ethernet 1/1/1 on Switch B and Ethernet 1/1/1 on Switch C respectively)
Configuration procedure
1 Configure Switch A.
# Enable NDP in the system and on Ethernet 1/1/1 and Ethernet 1/1/2.
POE CONFIGURATION (Chapter 61)
PoE Overview
PoE on the Switch
3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as Switch 8800 Family series) support power over Ethernet (PoE). Equipped with an external power supply and PoE-capable cards, Switch 8800 Family series can provide 48 VDC power for remote powered devices (PDs, such as IP phones, WLAN APs, and network cameras) through twisted pairs.
■ The Switch 8800 Family series support the LEGACY Power Supply standard.
CHAPTER 61: POE CONFIGURATION
External PSE4500-A Power System
If the PSE4500-A power system is used as the external power supply of the switch, the power distribution is as follows:
1 Input voltage: 110 VAC
■ One or two PSUs (power supply units) of the PSE4500-A power system can provide 1,200 W of power.
■ If the PSE4500-A power modules work in 2+1 redundancy backup mode, an output power of 2,500 W is provided and one power module serves as backup.
PoE Configuration
Table 669 PoE configuration tasks on the Switch 8800 Family series
1 Enter system view: system-view
2 Configure the maximum power of switch: poe power max-value max-value
3 Enable PoE on a module: poe enable slot slot-num
4 Enable the module to detect the compatibility of the PD connected to it: poe legacy enable slot slot-num
5 Configure the PoE power management for a module on the switch: poe power-management { (Optional. By default, yo
■ The reserved power for a blank slot will be recycled automatically by the system if you insert a PoE-incapable card into the slot.
■ When a card is almost fully loaded and a new PD is added, the switch will respond to the PD according to the PoE priority set on the port.
■ The PoE priority of each port is based on its card. In other words, the switch cannot compare the priorities of ports on different cards.
Displaying PoE Configuration
Comprehensive Configuration Example
Network diagram
[Figure 171 PoE remote power supplying]
Configuration procedure
# Set the maximum power to 400 W on the card in slot 3. By default, the power of each card is full, so the power on the card in slot 5 need not be configured.
[SW8800] poe max-power 400 slot 3
# Enable PoE on the ports GigabitEthernet3/1/1 through GigabitEthernet3/1/48.
POE PSU SUPERVISION CONFIGURATION (Chapter 62)
Introduction to PoE PSU Supervision
The PoE-capable Switch 8800 Family series can monitor the external PoE PSUs through the power supervision module on the PoE external power system. The PoE PSU supervision module enables you to:
■ Set the alarm thresholds for the AC input voltages of the PoE PSUs.
■ Set the alarm thresholds for the DC output voltages of the PoE PSUs.
■ Query PSU information such as voltage and power.
AC Input Alarm Thresholds Configuration
CHAPTER 62: POE PSU SUPERVISION CONFIGURATION
Configuration procedure
# Enter system view.
system-view
# Set the overvoltage alarm threshold of AC input for PoE PSUs to 264.0 V.
[SW8800] poe-power input-thresh upper 264.0
# Set the undervoltage alarm threshold of AC input for PoE PSUs to 181.0 V.
[SW8800] poe-power input-thresh lower 181.0
# Display the information about the AC input for the PoE PSUs.
Displaying PoE Supervision Information
[SW8800] poe-power output-thresh upper 57.0
# Set the undervoltage alarm threshold of DC output for the PoE PSUs to 45.0 V.
[SW8800] poe-power output-thresh lower 45.0
# Display the DC output state of the PoE PSUs.
[SW8800] display poe-power dc-output state
# Display the DC output voltage/current values of the PoE PSUs.
Network diagram
[Figure 172 Network diagram for PoE supervision configuration]
Configuration procedure
# Enter system view.
system-view
# Set the overvoltage alarm threshold of AC input for PoE PSUs to 264.0 V.
[SW8800] poe-power input-thresh upper 264.0
# Set the undervoltage alarm threshold of AC input for PoE PSUs to 181.0 V.
[SW8800] poe-power input-thresh lower 181.
UDP HELPER CONFIGURATION (Chapter 63)
Overview
UDP Helper functions as a relay that converts UDP broadcast packets into unicast packets and forwards them to a specified server. With the UDP Helper function enabled, the device decides whether to forward a received UDP broadcast packet according to the UDP port number of the packet. If the packet needs to be forwarded, the device modifies the destination IP address in the IP header and then sends the packet to the specified destination server.
CHAPTER 63: UDP HELPER CONFIGURATION
Table 674 Configure UDP helper
■ Specify the UDP ports whose packets need to be forwarded: udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time } (Optional. Note 1: When the function is enabled, the broadcast packets of the default UDP ports are unicast to the corresponding destination server. Refer to Table 675 for the list of default UDP ports. Note 2: The system supports up to 256 UDP ports.)
Displaying UDP Helper
Note that:
1 You cannot specify the UDP ports before the function of forwarding UDP broadcast packets is enabled. Otherwise, the system prompts an error.
2 The dns | netbios-ds | netbios-ns | tacacs | tftp | time keywords refer to the six default UDP ports. You can specify a default UDP port in either of the following ways:
■ Specifying the port number.
■ Specifying the keyword.
For example, the udp-helper port 53 command specifies the same port as the udp-helper port dns command.
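The forwarding decision described in the overview and the port-table rules above, as an added simulation that is not code from the 3Com guide. The six keyword/port pairs, the "enable before specifying ports" rule and the 256-port limit follow the text; the destination server list, the receiving interface's subnet (used for the directed-broadcast check) and the packet record are assumptions made for this model.

```python
"""Model of the UDP Helper forwarding decision.

Added example, not code from the 3Com guide. The default keywords/ports and
the 256-port limit come from the text; the server list, interface subnet and
packet structure are assumptions for this simulation.
"""
import ipaddress
from dataclasses import dataclass

# Keywords accepted by "udp-helper port" and the well-known ports they name.
DEFAULT_UDP_PORTS = {
    "dns": 53, "netbios-ds": 138, "netbios-ns": 137,
    "tacacs": 49, "tftp": 69, "time": 37,
}
MAX_UDP_PORTS = 256  # the system supports up to 256 UDP ports


@dataclass(frozen=True)
class UdpPacket:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address (a broadcast address on arrival)
    dport: int     # destination UDP port
    payload: bytes


class UdpHelper:
    def __init__(self, interface_network: str):
        # Subnet of the receiving interface; its directed broadcast is relayed too (assumption).
        self.network = ipaddress.ip_network(interface_network, strict=False)
        self.enabled = False
        self.ports = set()
        self.servers = []  # assumed: unicast destination servers configured on the helper

    def enable(self):
        """Enabling the function loads the default UDP ports."""
        self.enabled = True
        self.ports = set(DEFAULT_UDP_PORTS.values())

    def add_port(self, port):
        """Equivalent of 'udp-helper port { port | dns | ... }': keyword or number."""
        if not self.enabled:
            raise RuntimeError("udp-helper: enable UDP broadcast forwarding first")
        number = DEFAULT_UDP_PORTS[port] if isinstance(port, str) else int(port)
        if not 1 <= number <= 65535:
            raise ValueError(f"invalid UDP port {number}")
        if number not in self.ports and len(self.ports) >= MAX_UDP_PORTS:
            raise RuntimeError("udp-helper: at most 256 UDP ports")
        self.ports.add(number)

    def add_server(self, address: str):
        self.servers.append(str(ipaddress.ip_address(address)))

    def is_broadcast(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return addr == ipaddress.ip_address("255.255.255.255") or addr == self.network.broadcast_address

    def relay(self, pkt: UdpPacket):
        """Return the unicast copies to forward; an empty list means the packet is not relayed."""
        if not (self.enabled and self.is_broadcast(pkt.dst) and pkt.dport in self.ports):
            return []
        # Only the destination IP in the IP header changes; UDP port and payload are untouched.
        return [UdpPacket(pkt.src, server, pkt.dport, pkt.payload) for server in self.servers]


def demo():
    """Constructed scenario: a DNS broadcast is relayed, an unlisted port is not."""
    helper = UdpHelper("10.1.1.0/24")
    helper.enable()
    helper.add_port("tftp")           # keyword form, same effect as add_port(69)
    helper.add_server("192.0.2.53")   # constructed documentation-range address
    dns_bcast = UdpPacket("10.1.1.7", "10.1.1.255", 53, b"\x12\x34\x01\x00")
    other = UdpPacket("10.1.1.7", "255.255.255.255", 1234, b"hello")
    return helper.relay(dns_bcast), helper.relay(other)


if __name__ == "__main__":
    relayed, dropped = demo()
    print("relayed:", relayed)
    print("not relayed:", dropped)
```

The point for an operator reviewing such a configuration is that every port added here turns broadcast traffic that would otherwise stay on the local segment into unicast traffic crossing to the server, so the port list should be kept to what the named services actually need.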
SNMP CONFIGURATION (Chapter 64)
SNMP Overview
The Simple Network Management Protocol (SNMP) is by far the most widely used management protocol in computer networks and has been accepted in practice as an industry standard. It is used to transmit management information between any two nodes, so that network administrators can easily query and modify the information on any node in the network.
CHAPTER 64: SNMP CONFIGURATION
[Figure 173 Architecture of the MIB tree: numbered nodes 1, 2, 5 and 6 with managed objects A and B]
The MIB (Management Information Base) is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers {1.2.1.1}. The number string is the Object Identifier of the managed object.
Configuring SNMP
■ “Setting the Destination Address of Trap”
■ “Setting Lifetime of Trap Message”
■ “Setting the Engine ID of a Local Device”
■ “Setting/Deleting an SNMP Group”
■ “Setting the Source Address of Trap”
■ “Adding/Deleting a User to/from an SNMP Group”
■ “Creating/Updating View Information or Deleting a View”
■ “Setting the Size of the SNMP Packet Sent/Received by an Agent”
■ “Disabling SNMP Agent”
Setting Community Names
■ SNMP V1 and SNMPV2C adopt the community name a
CHAPTER 64: SNMP CONFIGURATION
Table 679 Set the system information
■ Set the system information: snmp-agent sys-info { contact sysContact | location sysLocation | version { { v1 | v2c | v3 }* | all } }
■ Restore the default information: undo snmp-agent sys-info { { contact | location }* | version { { v1 | v2c | v3 }* | all } }
By default, the contact information for system maintenance is "R&D Hangzhou, 3Com 3Com Technology Co., Ltd.
Configuring SNMP
Table 681 Set the destination address of trap
■ Delete the destination address of trap: undo snmp-agent target-host host-addr securityname securityname
Setting Lifetime of Trap Message
You can use the following command to set the lifetime of Trap messages. A Trap message that exists longer than the set lifetime will be dropped. Perform the following configuration in system view.
Perform the following configuration in system view.
Table 685 Set the source address of trap
■ Set the Source Address of Trap: snmp-agent trap source interface-type interface-number
■ Remove the source address of trap: undo snmp-agent trap source
Note: Currently, this command takes effect only on interfaces of the vlan-interface type.
Setting the Size of the SNMP Packet Sent/Received by an Agent
You can use the following commands to set the size of SNMP packets sent/received by an agent. Perform the following configuration in system view.
Displaying and Debugging SNMP
that of the VLAN interface on the switch is 129.102.0.1. Perform the following configurations on the switch: setting the community name and access authority, administrator ID, contact and switch location, and enabling the switch to send trap packets.
Network diagram
[Figure 174 Network diagram for SNMP configuration: 3Com-3 Vlan-interface2 3.0.1.31; 3Com-1 Vlan-interface2 1.0.1.11; 3Com-4 Vlan-interface2 3.0.1.32; 3Com-0 with 1.0.1.2 and 3.0.1.2; Vlan-interface2: 1.0.1.]
SNMP Configuration Example
The switch supports 3Com’s network management products. Users can query and configure the switch through the network management system. For details, see the manuals for the network management products.
RMON CONFIGURATION (Chapter 65)
RMON Overview
Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment or even on a whole network, and it is one of the most widely used network management standards.
CHAPTER 65: RMON CONFIGURATION The following sections describe the RMON configuration tasks.
Configuring RMON
After you have defined the alarm entry, the system processes the entry in the following way:
1 Sampling the defined alarm-variable according to the sampling interval sampling-time that you have set
2 Comparing the sampled value with the configured threshold and handling it in the way described in the following table
Table 693 Handling the alarm entry
■ Case: The sampled value is greater than the configured upp
Adding/Deleting an Entry to/from the Extended RMON Alarm Table
Table 695 Handling the extended alarm entry
■ Case: The result is less than the configured lower limit threshold-value2. Processing: The defined event event-entry2 is triggered.
Adding/Deleting an Entry to/from the History Control Table
The history data management helps you set the history data collection, periodical data collection and storage of the specified ports. The sampling information includes the utilization ratio, error counts and total number of packets.
Table 698 Display and debug RMON
■ Display the RMON statistics: display rmon statistics [ port-num ]
■ Display the history information of RMON: display rmon history [ port-num ]
■ Display the alarm information of RMON: display rmon alarm [ alarm-table-entry ]
■ Display the extended alarm information of RMON: display rmon prialarm [ prialarm-table-entry ]
■ Display the RMON event: display rmon event [ event-table-entry ]
■ Display the
RMON Configuration Example
CHAPTER 65: RMON CONFIGURATION
64      : 0 , 256-511  : 0
65-127  : 0 , 512-1023 : 0
128-255 : 0 , 1024-max : 0
# Configure an event before configuring alarm and prialarm.
[SW8800]rmon event 1 log owner 3Com-rmon
[SW8800]display rmon event 1
Event table 1 owned by 3Com-rmon is VALID.
Description: null.
Will cause log when triggered, last triggered at 1days 01h:42m:09s.
# Configure an alarm group.
[SW8800]rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.
NTP CONFIGURATION (Chapter 66)
Brief Introduction to NTP
NTP Functions
As the network topology gets more and more complex, it becomes important to synchronize the clocks of the equipment on the whole network. Network Time Protocol (NTP) is the TCP/IP protocol that distributes the accurate time throughout the network.
CHAPTER 66: NTP CONFIGURATION
[Figure 176 Basic operating principle of NTP: 1. LS_A sends an NTP packet at 10:00:00 AM by its own clock; 2. LS_B receives it at 11:00:01 AM and returns it at 11:00:02 AM by its own clock; the packet arrives back at LS_A at 10:00:03 AM.]
NTP Configuration
■ The delay for a round trip of an NTP packet traveling between Switch A and B: Delay = (T4 - T1) - (T3 - T2).
■ Offset of Switch A clock relative to Switch B clock: offset = ((T2 - T1) + (T4 - T3)) / 2.
In this way, Switch A uses the above-mentioned information to set the local clock and synchronize it with the clock on Switch B. The operating principle of NTP is briefly introduced above. For details, refer to RFC1305.
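The delay and offset computation carried through on the timestamps of Figure 176, as an added example that is not code from the 3Com guide. T1 and T4 are read on Switch A's clock, T2 and T3 on Switch B's. One caveat on the second formula: the guide writes the offset with (T4 - T3), whereas RFC 1305, which the guide cites, writes it as ((T2 - T1) + (T3 - T4)) / 2; only the RFC form reproduces the one-hour difference visible in the figure, so the example uses it. The clock_seconds helper and the same-day assumption are the example's own.

```python
"""Round-trip delay and clock offset from the four NTP timestamps.

Added example, not code from the 3Com guide. Timestamps are seconds on each
side's own clock: T1/T4 read on Switch A, T2/T3 on Switch B. Sample values
are those of Figure 176 (10:00:00, 11:00:01, 11:00:02, 10:00:03).
"""


def clock_seconds(hhmmss: str) -> int:
    """Convert 'hh:mm:ss' to seconds since midnight (same day assumed)."""
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def ntp_delay_offset(t1, t2, t3, t4):
    """Return (delay, offset) in seconds.

    delay  = (T4 - T1) - (T3 - T2)         round trip minus the server's hold time
    offset = ((T2 - T1) + (T3 - T4)) / 2   RFC 1305 form: positive means Switch B's
                                           clock is ahead of Switch A's
    The offset is exact only when the two one-way delays are equal; an
    asymmetric path shifts it by half the asymmetry.
    """
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        raise ValueError("negative round-trip delay: timestamps are inconsistent")
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def figure_176():
    """The exchange of Figure 176: A sends at 10:00:00 (its clock), B stamps
    11:00:01 on receipt and 11:00:02 on reply, A receives at 10:00:03."""
    t1 = clock_seconds("10:00:00")
    t2 = clock_seconds("11:00:01")
    t3 = clock_seconds("11:00:02")
    t4 = clock_seconds("10:00:03")
    return ntp_delay_offset(t1, t2, t3, t4)  # returns (2, 3600.0)


def corrected_time(local_seconds, offset):
    """Switch A's clock reading after applying the offset, i.e. aligned to Switch B."""
    return local_seconds + offset


if __name__ == "__main__":
    delay, offset = figure_176()
    print(f"delay={delay:.0f}s offset={offset:.0f}s")
```

A two-second round trip with a one-second hold on the server gives the one-second-per-direction delay the figure implies, and the offset tells Switch A it is a full hour behind Switch B.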
Configuring NTP Server Mode
Set a remote server whose IP address is ip-address as the local time server. ip-address specifies a host address other than a broadcast, multicast or reference clock IP address. In this case, the local Switch operates in Client mode. In this mode, only the local client synchronizes its clock with the clock of the remote server, while the reverse synchronization will not happen. Perform the following configuration in system view.
NTP Configuration
By default, no broadcast service is configured and the version number number defaults to 3. This command can only be configured on the interface where the NTP broadcast packets will be transmitted.
Configuring NTP Broadcast Client Mode
Designate an interface on the local Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Switch listens to the broadcast from the server.
Configuring NTP Multicast Client Mode
Designate an interface on the local Switch to receive NTP multicast messages and operate in multicast client mode. The local Switch listens to the multicast from the server. When it receives the first multicast packets, it starts a brief client/server mode to exchange messages with a remote server for estimating the network delay.
NTP Configuration
Table 707 Set the specified key as reliable
■ Set the specified key as reliable: ntp-service reliable authentication-keyid key-number
■ Cancel the specified reliable key: undo ntp-service reliable authentication-keyid key-number
Table 710 Set authority to access a local switch
■ Set authority to access a local switch: ntp-service access { query | synchronization | server | peer } acl-number
■ Cancel settings of the authority to access a local switch: undo ntp-service access { query | synchronization | server | peer }
The IP address ACL number is specified through the acl-number parameter and ranges from 2000 to 2999.
NTP Configuration Example
Configuring an NTP Server
Network requirements
On 3Com1, set the local clock as the NTP master clock at stratum 2. On 3Com2, configure 3Com1 as the time server in server mode and set the local equipment to client mode. (Note: 3Com1 supports configuring the local clock as the master clock.)
Network diagram
[Figure 177 Typical NTP configuration network diagram: 3Com-3 Vlan-interface2 3.0.1.31; 3Com-1 Vlan-interface2 1.0.1.11; 3.0.1.2; 1.0.1.]
[3Com2] display ntp-service status
clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 0.00 ms
reference time: 00:00:00.000 UTC Jan 1 1900(00000000.
NTP Configuration Example
# Set the local clock as the NTP master clock at stratum 2.
[3Com3] ntp-service refclock-master 2
Configure Switch 3Com4.
# Enter system view.
<3Com4> system-view
# Set 3Com1 as the NTP server at stratum 3 after synchronization.
[3Com4] ntp-service unicast-server 3.0.1.31
# Set 3Com5 as peer.
[3Com4] ntp-service unicast-peer 3.0.1.33
Configure Switch 3Com5. (3Com4 has been synchronized by 3Com3.)
# Enter system view.
[Quidwa4] display ntp-service sessions
source          reference  stra reach poll now offset delay disper
********************************************************************
[12345]3.0.1.33 LOCAL(0)   2    377   64   16  0.0    0.0   0.9
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Configure NTP Broadcast Mode
Network requirements
On 3Com3, set the local clock as the NTP master clock at stratum 2 and configure it to broadcast packets from Vlan-interface2.
NTP Configuration Example
The above examples configured 3Com4 and 3Com1 to listen to the broadcast through Vlan-interface2, and 3Com3 to broadcast packets from Vlan-interface2. Since 3Com1 and 3Com3 are not located on the same segment, 3Com1 cannot receive any broadcast packets from 3Com3, while 3Com4 is synchronized by 3Com3 after receiving its broadcast packet.
# Enter system view.
<3Com3> system-view
# Set the local clock as a master NTP clock at stratum 2.
[3Com3] ntp-service refclock-master 2
# Enter Vlan-interface2 view.
[3Com3] interface vlan-interface 2
# Set it as a multicast server.
[3Com3-Vlan-Interface2] ntp-service multicast-server
Configure Switch 3Com4:
# Enter system view.
<3Com4> system-view
# Enter Vlan-interface2 view.
[3Com4] interface vlan-interface 2
# Enable multicast client mode.
NTP Configuration Example
Network diagram
[Figure 179 Network diagram for NTP configuration example: 3Com-3 Vlan-interface2 3.0.1.31; 3Com-1 Vlan-interface2 1.0.1.11; 3Com-4 Vlan-interface2 3.0.1.32; 3Com-2 Vlan-interface2 1.0.1.12; 3Com-5 Vlan-interface2 3.0.1.33; 3Com-0 with 1.0.1.2 and 3.0.1.2]
Configuration procedure
Configure Switch 3Com1.
# Enter system view.
<3Com1> system-view
# Set the local clock as the master NTP clock at stratum 2.
# Set the key.
[3Com1] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Configure the key as reliable.
SSH TERMINAL SERVICE (Chapter 67)
SSH Terminal Service
SSH Overview
This chapter introduces the secure shell (SSH) feature. When a user telnets to the switch from an insecure network, the SSH feature can provide secure information exchange and powerful authentication functionality, thereby protecting the switch from attacks such as IP address spoofing and clear-text password interception. The switch can act as either SSH server or SSH client.
CHAPTER 67: SSH TERMINAL SERVICE
[Figure 181 Establish an SSH channel through a WAN: a local Ethernet with workstation, laptop, server and PC acting as SSH client, connected through the local switch and a WAN to a remote Ethernet whose remote switch acts as SSH server]
To establish an SSH authentication secure connection, the server and the client must go through the following five phases:
1 Version number negotiation:
■ The client sends a TCP connection request.
SSH Terminal Service
■ The server initiates a procedure to authenticate the user. If the server is configured not to authenticate the user, the process proceeds to the session request phase directly.
■ The client employs an authentication mode to authenticate to the server until the authentication succeeds or the server tears down the connection because of timeout. SSH provides two authentication modes: password authentication and RSA authentication.
Table 713 SSH2.0 configuration tasks
■ Configure default authentication type for SSH users: ssh authentication-type default [ password | rsa | all | password-publickey ] (Required; by default, users are unable to log in to the system.)
SSH Terminal Service
Generating or destroying an RSA key pair
Use this configuration task to generate or destroy an RSA key pair (including the host key and server key) of the server. The naming conventions for the keys are switchname + host and switchname + server respectively. After this command is entered, the system prompts you to input the number of bits of the key pair. Pay attention to the following:
■ The host key and the server key must differ by at least 128 bits in length.
authentication mode. In this case, whatever the default authentication mode, the user cannot log in because the user’s authentication mode is null.
2 Standard RADIUS does not support user-level attributes.
SSH Terminal Service
By default, the system does not update the server key.
Configuring the authentication timeout
Use this configuration task to set the authentication timeout of SSH connections. Perform the following configuration in system view.
Table 719 Set the SSH authentication timeout
■ Set the SSH authentication timeout: ssh server timeout seconds
■ Restore the default SSH authentication timeout: undo ssh server timeout
By default, the authentication timeout is 60 seconds.
Entering the public key edit view
After entering the public key view with the rsa peer-public-key command, you can use the public-key-code begin command to enter the public key edit view and input the public key of the client. When inputting the public key, you may type spaces between the characters (the system will delete the spaces automatically), or press and then continue to input the key.
SSH Terminal Service
Table 725 Configure the compatibility mode
■ Set the server to be compatible with the SSH 1.x client: ssh server compatible_ssh1x enable
■ Set the server to be incompatible with the SSH 1.x client: undo ssh server compatible_ssh1x
By default, the server is compatible with the SSH 1.x client.
SSH Client Configuration
The following sections describe the SSH client configuration tasks.
Perform the following configuration in system view.
Table 728 Configure/cancel the first-time authentication of the server
■ Configure the first-time authentication of the server: ssh client first-time enable
■ Cancel the first-time authentication of the server: undo ssh client first-time
By default, the client does not perform the first-time authentication.
SSH Terminal Service
Configuration procedure
1 Generate the RSA key.
[SW8800] rsa local-key-pair create
Note: If the configuration for generating the local key has already been completed, skip this step.
2 Set the user login authentication mode. The following shows the configuration methods for both password authentication and RSA public key authentication.
■ Password authentication.
# Create the local user client001, and set the authentication mode of the user interface to AAA.
[SW8800] rsa peer-public-key sw8800002
[3Com-rsa-public-key] public-key-code begin
[8505A-rsa-public-key]public-key-code begin
RSA key code view: return to last view with "public-key-code end".
SFTP Service
Connected to 10.165.87.136 ...
Enter password:
*********************************************************
* All rights reserved (1997-2004)                       *
* Without the owner’s prior written consent,            *
* no decompiling or reverse-engineering shall be allowed.*
*********************************************************
# Configure the client to authenticate the server for the first time.
system-view
[SW8800] ssh client first-time enable
Access the remote server and perform operations.
Configuring the default service type and the default directory for SFTP users
Perform the following configuration in system view.
SFTP Service
SFTP Client Configuration
The following table describes the SFTP client configuration tasks.
Table 735 Start the SFTP client
■ Start the SFTP client: sftp ipaddr [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]
Shutting down the SFTP client
Use this configuration task to shut down the SFTP client program.
SFTP Service
Table 738 SFTP file operations
■ Change the name of the specified file on the server: rename old-name new-name
■ Download a file from the remote server: get remote-file [ local-file ]
■ Upload a local file to the remote server: put local-file [ remote-file ]
■ Display the list of files in the specified directory: dir [ remote-path ] or ls [ remote-path ]
■ Delete a file from the server: delete remote-file or remove remote-file
Note:
■ The dir command and the ls command have the sam
Configuration procedure
1 Configure Switch B.
# Start the SFTP server.
[SW8800] sftp server enable
# Specify the service type as SFTP.
[SW8800] ssh user 8040 service-type sftp
# Set the authentication mode to password.
[SW8800] ssh user 8040 authentication-type password
2 Configure Switch A.
# Configure the server with a public key whose name is the IP address of the server.
[SW8800] rsa peer-public-key 10.111.27.
SFTP Service
-rwxrwxrwx 1 noone nogroup  225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup  283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup    0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup  225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup    0 Sep 01 08:00 z
sftp-client> delete z
Remove this File?(Y/N)
flash:/zy
File successfully Removed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup
-rwxrwxrwx 1 noone nogroup
-rwxrwxrwx 1 noone nogroup
drwxrwxrwx 1 noone nogroup
-rwxrwxrwx 1 noone nogroup
1759 225 283
drwxrwxrwx 1 noone
-rwxrwxrwx 1 noone
-rwxrwxrwx 1 noone
sftp-client>
# Exit SFTP.
FILE SYSTEM MANAGEMENT (Chapter 68)
File System Configuration
File System Overview
The switch provides a file system module for efficient management of storage devices such as Flash memory. The file system offers file access and directory management, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory, and opening a file.
CHAPTER 68: FILE SYSTEM MANAGEMENT
Table 740 Directory operation
■ Display the current working directory: pwd
■ Display the information about directories or files: dir [ / all ] [ file-url ]
■ Change the current directory: cd directory
File Operation
The file system can be used to delete or undelete a file and permanently delete a file. Also, it can be used to display file contents, rename, copy and move a file and display the information about a specified file.
File System Configuration
Because you may be performing a write operation on the CF card when it is dismounted, the switch provides the umount command, which stops the CF card to ensure the safety and consistency of the file operations on it; that is, you must execute the umount command to stop the CF card before dismounting it. The system saves logs on the CF card. The log file is saved in the root directory with the name logfileX.txt, where X is an integer ranging from 1 to 5.
DEVICE MANAGEMENT (Chapter 69)
Device Management Overview
With the device management function, the switch can display the current running state and event debugging information about the slots, thereby implementing the maintenance and management of the state and communication of the physical devices. In addition, there is a command available for rebooting the system when some function failure occurs.
CHAPTER 69: DEVICE MANAGEMENT
Table 745 Enable the Timing Reboot Function
■ Cancel the parameter configuration of the timing reboot function of the switch: undo schedule reboot
■ Check the parameter configuration of the reboot terminal service of the current switch: display schedule reboot
Note: The precision of the switch timer is 1 minute. The switch will reboot within one minute when the time comes to the specified rebooting point.
Specifying the Bootstrap Programs for the Switch
Device Management Configuration
Note: The 3Com Switch 8800 Family series switches (hereinafter referred to as Switch 8800 Family series) support master/slave fabric switchover. The two modules both have a program system. The program user can operate the programs on both modules. When you specify the bootstrap APP program for use by the slave module at the next startup, make sure that the URL of the program starts with "slot[No.]#[flash: | cf:]/", where [No.
Upgrading BootROM
Table 750 Update service processing modules
■ Download the host software of the service processing module to the system memory: update l3plus slot slot-no filename file-name ftpserver server-name username user-name password password [ port port-num ]
CAUTION:
■ When you use the update l3plus command to update service processing modules, you must use the switch host APP file which includes the load program of
Displaying and Debugging Device Management
Device Management Configuration Example
Network diagram
[Figure 185 Network diagram for FTP configuration: Switch connected through the network to a PC]
Configuration procedure
1 Configure FTP server parameters on the PC: a user named switch, password hello, read and write authority over the Switch directory on the PC.
boot bootrom boot.app slot 0
# Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch.
boot boot-loader primary flash:/switch.app slot 0
disp boot-loader
The primary app to boot of slot 0 at the next time is: flash:/switch.app
The backup app to boot of slot 0 at the next time is: flash:/switch.app
The app to boot of slot 0 at this time is: flash:/switch.
Device Management Configuration Example
CAUTION: If the Flash memory on the switch is not sufficient, delete the original application program in the flash before uploading the new one into the flash of the switch.
1 After uploading, perform the upgrade on the switch.
# You can use the boot boot-loader command to specify the new file as the application program on the next boot and reboot the switch to complete the upgrade of the application program.
FTP&TFTP CONFIGURATION (Chapter 70)
FTP Configuration
FTP Overview
FTP (File Transfer Protocol) is a universal method for transmitting files on the Internet and IP networks. In this method, files are copied from one system to another. FTP supports specific file types (such as ASCII and Binary) and file structures (byte stream and record). Even now, FTP is still widely used, although most users transmit files by Email and Web.
CHAPTER 70: FTP&TFTP CONFIGURATION
The configuration of the switch as FTP server.
Table 753 Configuration of the switch as FTP server
■ Device: Switch. Configuration: Start FTP server. Default: FTP server is disabled. Remarks: You can view the configuration information of the FTP server with the display ftp-server command.
■ Device: Switch. Configuration: Configure authentication and authorization for FTP server.
■ Device: PC.
Enabling/Disabling FTP Server
FTP Configuration
Table 755 Configure the FTP Server Authentication and Authorization
■ Delete local FTP user (in system view): undo local-user { username | all [ service-type { ftp | lan-access | telnet | ppp | ssh | terminal } ] | multicast [ domain domain-name ] ipaddress | password-display-mode }
■ Set the password display mode when the switch displays local user information: local-user password-display-mode { auto | cipher-force }
■ Restore the password display mode when the: undo
Displaying and Debugging FTP Server
After the above configuration, execute the display command in any view to display the running state of the FTP Server configuration and verify the effect of the configuration.
Table 757 Display and debug FTP Server
■ Display FTP server: display ftp-server
■ Display the connected FTP users.
FTP Configuration
Configuration procedure
1 Configure FTP server parameters on the PC: a user named switch, password hello, read and write authority over the Switch directory on the PC.
2 Configure the switch
# Log into the switch through the Console port locally or through Telnet remotely. Then type the following command in user view to establish the FTP connection, and enter the correct username and password to log into the FTP server.
ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 WFTPD 2.
The switch application switch.app is stored on the PC. Using FTP, the switch can download switch.app from the remote FTP server and upload its configuration file vrpcfg.cfg to the FTP server for backup purposes.
acknowledgement to it. To upload a file, the client sends a request to the TFTP server, then transmits the data to it and receives the acknowledgement from it. TFTP transmits files in two modes: binary mode for program files and ASCII mode for text files. Before configuring TFTP, the administrator must configure the IP addresses of the TFTP client and server and make sure that the route between them is reachable. The switch can only function as a TFTP client. Because TFTP has no authentication at all, anyone who can reach the TFTP server can read or overwrite the files it serves, so run the server on an isolated management network and only while a transfer is in progress.
CHAPTER 70: FTP&TFTP CONFIGURATION Uploading Files by Means of TFTP To upload a file, the client sends a request to the TFTP server and then transmits data to it and receives the acknowledgement from it. You can use the following commands to upload files. Perform the following configuration in user view.
[SW8800] interface vlan 1
[3Com-vlan-interface1] ip address 1.1.1.1 255.255.255.0
[3Com-vlan-interface1] quit

# In user view, download switch.app from the TFTP server to the Flash memory of the switch.
tftp 1.1.1.2 get switch.app switch.app

# Upload vrpcfg.cfg to the TFTP server.
tftp 1.1.1.2 put vrpcfg.cfg vrpcfg.cfg

# Use the boot boot-loader command to specify the downloaded program as the application to run at the next startup, then reboot the switch.
71 INFORMATION CENTER

Information Center Function

Introduction to Information Center

The information center is an indispensable part of the switch. It serves as the information hub for the system software modules. The logging system is responsible for most of the information output, and it classifies the information in detail so that it can be filtered efficiently.
3 Timestamp

If the logging information is sent to the log host, the default timestamp format is date. The date format of the timestamp is "Mmm dd hh:mm:ss yyyy":
■ "Mmm" is the month field: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
■ "dd" is the day field; if the day is less than 10, one blank is prepended, for example " 7".
■ "hh:mm:ss" is the time field; "hh" is from 00 to 23, "mm" and "ss" are from 00 to 59.
■ "yyyy" is the year field.

For example: "Apr  7 10:15:02 2007".
Table 762 The module name field

Module name: Description
DRVVPLS: Virtual private LAN service driver module
ETH: Ethernet module
FTPS: FTP server module
HA: High availability module
HABP: 3Com authentication bypass protocol module
HWCM: 3Com configuration management MIB module
IFNET: Interface management module
IGSP: IGMP snooping module
IP: Internet protocol module
ISIS: Intermediate system-to-intermediate system intra-domain routing protocol module
L2INF: L2 inter
Table 762 The module name field (continued)

Module name: Description
SYSMIB: System MIB module
TAC: Terminal access controller module
TELNET: Telnet module
USERLOG: User calling logging module
VFS: Virtual file system module
VLAN: Virtual local area network module
VOS: Virtual operating system module
VRRP: VRRP (virtual router redundancy protocol) module
VTY: VTY (virtual type terminal) module

Notice: There is a slash ("/") between the module name and the severity.
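To make the timestamp and module/severity fields concrete for anyone collecting these logs, here is an added Python example (not from the 3Com guide) that parses constructed log lines and applies a module and severity filter of the kind configured with info-center source. The page documents only the timestamp layout and the module/severity slash; the overall line layout (a leading "%", the switch name, and a digest field after the severity), the sample digests and the sample messages are assumptions made for the example.

```python
import re
from datetime import datetime

# Severity numbers follow the standard syslog scale, which is the scale the
# chapter's "emergencies to informational" ranges and "level informational" use.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Timestamp exactly as the chapter describes it: "Mmm dd hh:mm:ss yyyy", with the
# day blank-padded (" 7") when it is below 10.
TIMESTAMP_RE = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})"

# ASSUMED line layout (the page only documents the timestamp and the
# "module/severity" slash): optional "%" prefix, timestamp, switch name,
# then MODULE/SEVERITY/DIGEST: followed by the message text.
LINE_RE = re.compile(
    r"^%?" + TIMESTAMP_RE
    + r" (?P<sysname>\S+) (?P<module>[A-Z0-9_]+)/(?P<severity>[0-7])/"
    + r"(?P<digest>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # strptime's %d accepts the blank-padded day, so no normalisation is needed.
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
    return {
        "time": when,
        "sysname": m.group("sysname"),
        "module": m.group("module"),
        "severity": int(m.group("severity")),
        "digest": m.group("digest"),
        "text": m.group("text"),
    }


def select_events(lines, modules, max_severity):
    """Model of an info-center source filter: keep events from the listed modules
    whose severity is at least as important as the threshold (number <= max_severity)."""
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["module"] in modules and ev["severity"] <= max_severity:
            kept.append(ev)
    return kept


# Constructed sample lines (not captured from a real switch); digests and text are made up.
SAMPLE_LOG = """\
%Apr  7 10:15:02 2007 SW8800 ARP/5/DUPIP: duplicate IP address 10.1.1.5 seen on GigabitEthernet2/1/1
%Apr 12 10:15:03 2007 SW8800 IP/6/ROUTE: route 10.2.0.0/16 added
%Apr 12 10:15:04 2007 SW8800 SHELL/5/LOGIN: user admin logged in from 10.1.1.9
%Apr 12 10:15:05 2007 SW8800 IP/7/PKT: debugging packet trace
not a log line at all
"""


if __name__ == "__main__":
    # Mirrors "info-center source ... log level informational" for the ARP and IP modules.
    for ev in select_events(SAMPLE_LOG.splitlines(), {"ARP", "IP"}, SEVERITY["informational"]):
        print(ev["time"].isoformat(), ev["module"], ev["severity"], ev["digest"], ev["text"])
```

The day-of-month regex accepts both " 7" and "12", which is the one detail of this format that generic syslog parsers most often get wrong; the SHELL login line is deliberately left out of the filtered result to show that the module list, not only the severity, decides what is kept.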
The system assigns a channel to each output direction by default, as shown in the table below.

Table 764 Numbers and names of the channels for log output

Output direction: Channel number: Default channel name
Console: 0: console
Monitor: 1: monitor
Information center loghost: 2: loghost
Trap buffer: 3: trapbuf
Logging buffer: 4: logbuf
SNMP: 5: snmpagent
Log file: 6: logfile

The settings in the seven directions are independent of each other.
Table 765 Send the configuration information to the loghost (continued)

Device: Loghost
Configuration: Refer to the configuration cases for the related log host configuration
Default value: -
Configuration description: -

2 Sending the configuration information to the console terminal

Table 766 Send the configuration information to the console terminal

Configuration: Enable information center
Default value: By default, information center is enabled.
Table 767 Send the configuration information to the monitor terminal

Device: Switch

Configuration: Enable information center
Default value: By default, information center is enabled
Configuration description: Other configurations are valid only if the information center is enabled

Configuration: Set the information output direction to the monitor
Default value: -
Configuration description: You can define which modules and which information are sent out, the time-stamp format of the information, and so on.
Table 769 Send the configuration information to the trap buffer

Configuration: Enable information center
Default value: By default, information center is enabled
Configuration description: Other configurations are valid only if the information center is enabled

Configuration: Set the information output direction to the trap buffer
Default value: -
Configuration description: You can configure the size of the trap buffer at the same time. You can define which modules and which information are sent out, the time-sta
Sending the Configuration Information to the Loghost

To send configuration information to the loghost, follow the steps below:

1 Enabling information center

Perform the following configuration in system view.

Table 771 Enable/disable information center

Operation: Enable information center
Command: info-center enable

Operation: Disable information center
Command: undo info-center enable

Information center is enabled by default.
Table 773 Define information source (continued)

Operation: Cancel the configuration of the information source
Command: undo info-center source { modu-name | default | all } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; all removes all the information filter configuration in the channel except the default record; level refers to the severity levels; severity specifies the severity level of the information.
Table 775 Configure to output information to the console terminal

Operation: Output information to the console
Command: info-center console channel { channel-number | channel-name }

Operation: Cancel the configuration of outputting information to the console
Command: undo info-center console channel

3 Configuring information source on the switch

With this configuration you define which modules generate the information sent to the console terminal, the information type, the information level, and so
Table 777 Configure the output format of the time-stamp

Operation: Configure the output format of the time-stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }

Operation: Disable the time-stamp output
Command: undo info-center timestamp { log | trap | debugging }

4 Enable terminal display function

To view the output information at the console terminal, you must first enable the corresponding log, debugging and trap information functions on the switch.
Information center is enabled by default. After it is enabled, system performance is affected when the system has to classify and output a large amount of information.

2 Configuring to output information to a Telnet terminal or dumb terminal

Perform the following configuration in system view.
module-based filtering settings and severity threshold. When a user modifies these settings, the change also takes effect for the other clients.

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time turn on the debugging switch of those modules with the debugging command.
Table 783 Enable terminal display function (continued)

Operation: Enable terminal display of trap information
Command: terminal trapping

Operation: Disable terminal display of trap information
Command: undo terminal trapping

Sending the Configuration Information to the Log Buffer

To send configuration information to the log buffer, follow the steps below:

1 Enabling information center

Perform the following configuration in system view.
Table 786 Define information source

Operation: Define information source
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*

Operation: Cancel the configuration of information source
Command: undo info-center source { modu-name | default | all } channel { channel-number | channel-name }

modu-name specifies the module name
Table 788 Enable/disable information center

Operation: Enable information center
Command: info-center enable

Operation: Disable information center
Command: undo info-center enable

Information center is enabled by default. After it is enabled, system performance is affected when the system has to classify and output a large amount of information.
CHAPTER 71: INFORMATION CENTER Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging. When there is no specific configuration record for a module in the channel, use the default one.
Table 793 Configure to output information to the SNMP NM (continued)

Operation: Cancel the configuration of outputting information to the SNMP NM
Command: undo info-center snmp channel

3 Configuring information source on the switch

With this configuration you define which modules generate the information sent to the SNMP NM, the information type, the information level, and so on.
Table 795 Configure the output format of the time-stamp

Operation: Configure the output format of the time-stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }

Operation: Disable the time-stamp output
Command: undo info-center timestamp { log | trap | debugging }

4 Configuring SNMP and the network management workstation on the switch

You have to configure SNMP on the switch and on the remote workstation to ensure that the information is correctly sent to the SNMP N
■ The modules allowed to output information are ARP and IP.

Network diagram

Figure 192 Network diagram (the Switch reaches the PC acting as loghost over the network)

Configuration steps

1 Configuration on the switch

# Enable the information center.
[SW8800] info-center enable

# Set the host with IP address 202.38.1.10 as the loghost; set the severity threshold to informational; set the output language to English; allow only the ARP and IP modules to output information.
[SW8800] info-center loghost 202.38.1.10 facility local7 language english
[SW8800] info-center source default channel loghost log level informational

2 Configuration on the loghost

This configuration is performed on the loghost.

Step 1: Run the following commands as the super user (root).
# mkdir /var/log/3Com
# touch /var/log/3Com/information

Step 2: As the super user (root), edit /etc/syslog.conf and add the following selector/action pairs.

The facility named in the selector must be the facility configured on the switch with info-center loghost a.b.c.d facility; otherwise the log information probably cannot be output to the loghost correctly.

Step 3: After creating the log file and revising /etc/syslog.conf, send a HUP signal to syslogd (the system log daemon) with the following command so that it rereads its configuration file /etc/syslog.conf.
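As an added example that is not part of the guide, the following Python code carries out the three loghost steps for the switch settings used above (facility local7, threshold informational) and adds the check the note asks for: that the facility named in a syslog.conf selector matches the one configured with info-center loghost. The selector line it writes, local7.info followed by the log file path, is derived from those settings rather than copied from the page, and the sample syslog.conf contents are constructed. The rehearsal function runs the file steps in a temporary directory so the logic can be checked without root and without signalling syslogd.

```python
import os
import signal
import tempfile

LOG_DIR = "/var/log/3Com"
LOG_FILE = "/var/log/3Com/information"


def selector_line(facility, level, target):
    """Build one syslog.conf selector/action pair, e.g. 'local7.info<TAB>/var/log/3Com/information'.
    The level uses the syslog.conf spelling ('info'), not the switch's 'informational'."""
    return f"{facility}.{level}\t{target}"


def ensure_selector(conf_path, facility, level, target):
    """Append the selector/action pair to conf_path unless an equivalent line is already
    present (compared token-wise, so tabs versus spaces do not create duplicates).
    Returns True when the file was changed."""
    wanted = selector_line(facility, level, target)
    if os.path.exists(conf_path):
        with open(conf_path) as f:
            for line in f:
                if line.split() == wanted.split():
                    return False
    with open(conf_path, "a") as f:
        f.write(wanted + "\n")
    return True


def facilities_in_conf(conf_text):
    """Collect the facilities named by every selector in a syslog.conf text."""
    facilities = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector = line.split()[0]            # e.g. "mail.none;local7.info"
        for part in selector.split(";"):
            facilities.add(part.split(".", 1)[0])
    return facilities


def loghost_accepts(conf_text, switch_facility):
    """The check the chapter's note asks for: the facility given to
    'info-center loghost ... facility' on the switch must be handled by some
    selector on the loghost ('*' handles every facility)."""
    facilities = facilities_in_conf(conf_text)
    return switch_facility in facilities or "*" in facilities


def reload_syslogd(pidfile="/var/run/syslogd.pid"):
    """Step 3: send HUP so syslogd rereads /etc/syslog.conf. Requires root."""
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)


def setup_loghost(conf_path="/etc/syslog.conf", facility="local7", level="info",
                  log_dir=LOG_DIR, log_file=LOG_FILE, reload=True):
    """Steps 1 to 3 of the loghost configuration for the switch settings used above.
    Returns True if syslog.conf was changed."""
    os.makedirs(log_dir, exist_ok=True)        # Step 1: mkdir /var/log/3Com
    open(log_file, "a").close()                # Step 1: touch /var/log/3Com/information
    changed = ensure_selector(conf_path, facility, level, log_file)   # Step 2
    if changed and reload:
        reload_syslogd()                       # Step 3
    return changed


def rehearse_in_tempdir(facility="local7", level="info"):
    """Run steps 1 and 2 against a throwaway directory (no root, no HUP) and return
    (changed on first run, changed on second run, resulting syslog.conf text, facility check)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "syslog.conf")
        with open(conf, "w") as f:                     # constructed sample syslog.conf
            f.write("# constructed sample\nmail.none;kern.*\t/var/log/kern.log\n")
        log_dir = os.path.join(tmp, "3Com")
        log_file = os.path.join(log_dir, "information")
        first = setup_loghost(conf, facility, level, log_dir, log_file, reload=False)
        second = setup_loghost(conf, facility, level, log_dir, log_file, reload=False)
        with open(conf) as f:
            text = f.read()
        return first, second, text, loghost_accepts(text, facility)


if __name__ == "__main__":
    print(rehearse_in_tempdir())
```

Running setup_loghost with its defaults performs the real steps against /etc/syslog.conf and sends the HUP, so it must run as root; the second call returning False shows that re-running it does not append a duplicate selector.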
The modules allowed to output information are ARP and IP.

Network diagram

Figure 194 Network diagram (a console terminal attached to the Switch)

Configuration procedure

1 Configuration on the switch

# Enable the information center.
[SW8800] info-center enable

# Configure console terminal log output; allow the ARP and IP modules to output information; restrict the severity level to the range from emergencies to informational.
72 SYSTEM MAINTENANCE AND DEBUGGING

Basic System Configuration

The basic system configuration and management tasks include:
■ Setting a name for the switch
■ Setting the system clock
■ Setting the time zone
■ Setting the summer time

Setting a Name for a Switch

Setting the System Clock

Perform the following configuration in system view.
Table 800 Set the summer time

Operation: Set the name and range of the summer time
Command: clock summer-time zone-name { one-off | repeating } start-time start-date end-time end-date offset-time

Operation: Remove the summer time setting
Command: undo clock summer-time

By default, summer time is not set.

Displaying the Status and Information of the System

The switch provides display commands for showing the system status and statistics.
Figure 195 Debugging output (the protocol debugging switch and the screen output switch, each ON or OFF, together decide whether debugging information reaches the terminal)

Debugging information for a module is displayed only when both the protocol debugging switch of that module and the screen output switch are ON. You can use the following commands to control these switches. Perform the following operations in user view.
Table 803 Display diagnostic information

Operation: Display diagnostic information
Command: display diagnostic-information

When using the display diagnostic-information command to keep track of the switch, execute it at least twice so that you can compare the outputs to locate problems.

Testing Tools for Network Connection

ping

The ping command can be used to check network connectivity and host reachability.
tracert

The tracert command tests the gateways that packets pass through on their way from the source host to the destination host. It is mainly used to check whether the network is connected and to analyze where a fault occurs. The tracert command works as follows: it sends a packet with a TTL value of 1; the first hop discards the packet because its TTL has expired and sends back an ICMP error message (time exceeded) indicating that the packet could not be forwarded.
73 PROTOCOL PORT SECURITY CONFIGURATION

Introduction to Protocol Port Security

The protocol port security function is short for the TCP/UDP protocol port close check function: it lets you close the TCP and UDP service ports that the switch listens on when the corresponding service is not needed, which reduces the attack surface the switch exposes on the network.

Setting the State of Protocol Port
Table 809 Set the status of the HTTP protocol port

Operation: Shut down the HTTP protocol port
Command: ip http shutdown

Operation: Open the HTTP protocol port
Command: undo ip http shutdown

By default, HTTP port 80 is enabled. Web management over plain HTTP sends credentials in cleartext, so shut the port down with ip http shutdown unless the web interface is actually required, and confirm from a management host that connections to TCP port 80 are no longer accepted.
74 PACKET STATISTICS CONFIGURATION

Introduction to Egress Packet Statistics

A card provides two sets of counters for monitoring the egress packet statistics of the card. The monitored objects include ports, VLANs, ports+VLANs, and cards. In addition to these four types of objects, a traffic class (TC) or a drop precedence (DP) can also be monitored.

Configuring Egress Packet Statistics Counters
75 ETHERNET PORT LOOPBACK DETECTION

Ethernet Port Loopback Detection Function

Configuring the Loopback Detection Function

The following configuration tasks enable the port loopback detection function, configure the VLANs in which loopback detection is enabled (you can configure up to 800 such VLANs), and set the interval at which each port is checked for an external loop.
76 QINQ CONFIGURATION

QinQ Overview

Introduction to QinQ

QinQ is the technology that lets packets be transmitted across an operator's backbone network with the VLAN tags of private networks nested inside those of the public network. In the public network, packets of this type are forwarded by their outer VLAN tags (the public-network VLAN tags); the private-network VLAN tags nested inside them remain intact.
Implementation of QinQ

QinQ can be implemented on Switch 8800 Family switches in the following ways:

1 Enabling VLAN VPN on ports

With VLAN VPN enabled on a port, a received packet is tagged with the default VLAN tag of the port whether or not it already carries a VLAN tag: a tagged packet becomes a double-tagged packet whose outer tag is the port's default VLAN, and an untagged packet is transmitted carrying only the default VLAN tag of the port.
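To show what the VLAN VPN ingress rule does to a frame on the wire, here is an added Python example (not from the 3Com guide) that builds 802.1Q frames, pushes the port's default VLAN as an outer tag the way a VLAN-VPN port does, and parses the resulting tag stack back. It also shows what a device that recognises only TPID 0x8100 makes of an outer tag carrying a different TPID, which is the interoperability problem the later section on adjusting TPID values deals with. The MAC addresses, VLAN IDs and payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, tags=()):
    """Assemble an Ethernet frame; tags is a sequence of (tpid, vid) pairs, outer tag first.
    Priority and DEI bits are left at zero, so the TCI is just the 12-bit VLAN ID."""
    body = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in tags)
    return mac_bytes(dst) + mac_bytes(src) + body + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(TPID_8021Q,)):
    """Walk the tag stack after the two MAC addresses and return (vids outer->inner, ethertype).
    Only the TPIDs in `tpids` are recognised as tags; anything else ends the walk and is
    reported as the EtherType, which is what a device with a different TPID setting sees."""
    offset = 12
    vids = []
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in tpids:
            return vids, tpid
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4


def vlan_vpn_ingress(frame, port_default_vid, tpid=TPID_8021Q):
    """Port with VLAN VPN enabled: push the port's default VLAN as a new outer tag whether
    or not the frame is already tagged, so a tagged customer frame becomes double-tagged."""
    outer = struct.pack("!HH", tpid, port_default_vid & 0x0FFF)
    return frame[:12] + outer + frame[12:]


def normal_ingress(frame, port_default_vid, tpid=TPID_8021Q):
    """Port without VLAN VPN: tag only untagged frames; tagged frames keep their single tag."""
    vids, _ = parse_tags(frame, (tpid,))
    if vids:
        return frame
    return vlan_vpn_ingress(frame, port_default_vid, tpid)


# Constructed samples: a customer frame already tagged with VLAN 10, and an untagged one,
# each carrying a minimal IPv4 header stub as payload.
CUSTOMER_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4,
                             b"\x45\x00" + b"\x00" * 18, tags=[(TPID_8021Q, 10)])
UNTAGGED_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4,
                             b"\x45\x00" + b"\x00" * 18)


if __name__ == "__main__":
    doubled = vlan_vpn_ingress(CUSTOMER_FRAME, 1000)
    print("VLAN VPN port, tagged frame:  ", parse_tags(doubled))
    print("VLAN VPN port, untagged frame:", parse_tags(vlan_vpn_ingress(UNTAGGED_FRAME, 1000)))
    print("normal port, tagged frame:    ", parse_tags(normal_ingress(CUSTOMER_FRAME, 1000)))
    # Operator backbone using TPID 0x9100: a box that only knows 0x8100 sees no tag at all.
    foreign = vlan_vpn_ingress(CUSTOMER_FRAME, 1000, tpid=0x9100)
    print("0x9100 outer, parsed with 0x8100 only:", parse_tags(foreign))
    print("0x9100 outer, parsed with both TPIDs: ", parse_tags(foreign, (0x9100, TPID_8021Q)))
```

The last two lines of the demonstration are the practical point: if the operator side uses a TPID other than 0x8100 and the customer-facing device has not been told about it, the outer tag is not recognised as a tag at all and the frame is treated as an unknown EtherType, so the VLAN isolation the double tag is supposed to provide depends on both ends agreeing on the TPID.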
VLAN VPN Configuration

Configuration Prerequisites

■ GARP VLAN registration protocol (GVRP), spanning tree protocol (STP) and the 802.1x protocol are disabled on the ports.
■ IGMP Snooping is disabled in the VLAN to which the ports belong.
■ IGMP is disabled in the VLAN to which the ports belong.
■ The port is not a VLAN-VPN uplink port.

Configuration procedure
Table 814 Configure VLAN VPN for a PVC

Configuration step: Enter PVC view
Command: pvc { name pvc-name [ vpi/vci ] | vpi/vci }

Configuration step: Enable VLAN VPN for the PVC
Command: vlan-vpn enable
Description: By default, VLAN VPN is disabled.

Traffic Classification-Based Nested VLAN Configuration

Configuration prerequisites

■ The ACLs and corresponding rules to be applied already exist.
■ The VLANs to be specified by the nested-vlanid argument already exist.

Configuration procedure
Table 815 Configure traffic classification-based nested VLAN

Configuration step: Modify the outer VLAN tags of the packets matching the ACL flow rules by delivering a Layer 3 traffic classification rule
Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] modified-vlan modified-vlanid

Configuration step: Deliver both Layer 2 and Layer 3 traffic classificatio

Traffic Classification-Based Nested VLAN Configuration Example
Network diagram

Figure 199 QinQ network diagram
SwitchA: GE4/1/2 (hybrid; VLAN 600 tagged, VLAN 1000 untagged), GE4/1/1 (trunk; permit VLAN 600, 1000)
SwitchB: GE3/1/2 (trunk; permit VLAN 600, 1000), GE3/1/1 (trunk; permit VLAN 600, 1000)
SwitchC: GE2/1/2 (trunk; permit VLAN 600, 1000), GE2/1/1 (hybrid; VLAN 600 tagged, VLAN 1000 untagged)

Configuration procedure

# Enable IGMP-snooping in VLAN 600.
Adjusting TPID Values for QinQ Packets 853 # Configure the uplink port GigabitEthernet 4/1/1 to a trunk port and allow the packets of VLAN 1000 and VLAN 600 to pass the uplink port.
CHAPTER 76: QINQ CONFIGURATION ■ Switch B only permits packets of VLAN 10. ■ It is desired that packets of VLANs other than VLAN 10 can be exchanged between the networks connected to Switch A and Switch C.
Because Switch B is produced by another vendor, the related commands may differ from those available on Switch 8800 Family switches, so only the operations are listed:
■ Configure the GigabitEthernet3/1/1 and GigabitEthernet3/1/3 ports of Switch B as trunk ports.
■ Add the two ports to VLAN 10.

The following describes how a packet is forwarded from Switch A to Switch C.
Figure 201 Diagram of the VLAN-VPN tunnel network hierarchy (Network A and Network B attach through packet ingress/egress devices to the operator's network)

Configuring VLAN-VPN Users

Perform the following configuration to configure a VLAN-VPN tunnel.
Network diagram

Figure 202 Configure VLAN-VPN tunnel (Switch A, E0/1, VLAN 10; Switch C, E 4/1/1, E 4/1/2 in VLAN 20, E 4/1/3; Switch D, E 3/1/3, E 3/1/1, E 3/1/2 in VLAN 20; Switch B, E0/1, VLAN 10)

Configuration procedure

1 Configure switch A.

# Enable RSTP.
[Switch_A] stp enable

# Set the port to a trunk port and allow the packets of VLAN 10 to pass the port.
[Switch_C] vlan 20
[Switch_C-Vlan20] port Ethernet4/1/1
[Switch_C-Vlan20] quit

# Disable the STP protocol and enable VLAN-VPN on Ethernet4/1/1.
[Switch_C] interface Ethernet4/1/1
[Switch_C-Ethernet4/1/1] stp disable
[Switch_C-Ethernet4/1/1] vlan-vpn enable
[Switch_C-Ethernet4/1/1] quit

# Add Ethernet4/1/2 to VLAN 20.
[Switch_C] vlan 20
[Switch_C-Vlan20] port Ethernet4/1/2
[Switch_C-Vlan20] quit

# Disable the STP protocol and enable VLAN-VPN on Ethernet4/1/2.
# Disable the STP protocol and enable VLAN-VPN on Ethernet3/1/2.
[Switch_D] interface Ethernet3/1/2
[Switch_D-Ethernet3/1/2] stp disable
[Switch_D-Ethernet3/1/2] vlan-vpn enable
[Switch_D-Ethernet3/1/2] quit

# Set Ethernet3/1/3 to a trunk port and add this port to all the VLANs.
77 NQA CONFIGURATION

Introduction to NQA

NQA, an enhancement of the ping function, is used to test the performance of various protocols running in the network. The ping function can only use ICMP to measure, from the command line, the round-trip time of packets between the local endpoint and a specified destination endpoint.
Introduction to NQA Configuration Tasks

Table 818 Configuration tasks of the ICMP test in NQA

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enable the client function of NQA
Command: nqa-agent enable
Remarks: Required; by default, the NQA client is disabled.

Operation: Configure the maximum number of test tasks performed simultaneously
Command: nqa-agent max-requests max-number
Remarks: Optional; by default, at most 5 test tasks are performed simultaneously.
Table 818 Configuration tasks of the ICMP test in NQA (continued)

Operation: Set the name of the VPN instance
Command: vpn-instance name
Remarks: Optional; by default, no VPN instance name is set.

Operation: Set the source IP address of this test
Command: source-ip ip-address
Remarks: Optional.

Operation: Set the source interface
Command: source-interface { interface-name | interface-type interface-number }
Remarks: Optional.

Operation: Assume the connection mode between the destination address and the equipment enabling
Command: sendpacket passroute
NQA Configuration Example

CAUTION:
■ While a test is running, the parameters configured in the NQA test group view cannot be changed, except for the description of the operation and the condition for sending trap information to the network management system.
■ You can use the undo test-enable command to stop the test at any time. You can also stop the test by disabling the NQA client or deleting the test group.
system-view
System View: return to User View with Ctrl+Z.
[SW8800] nqa administrator icmp

# Configure the test type as icmp.
[SW8800-nqa-administrator-icmp] test-type icmp

# Configure the destination IP address as 192.168.80.80.
[SW8800-nqa-administrator-icmp] destination-ip 192.168.80.80

# Configure the number of test times as 5.
[SW8800-nqa-administrator-icmp] count 5

4 Execute the test

# Execute one test.
78 PASSWORD CONTROL CONFIGURATION

Introduction to Password Control Configuration

Switch 8800 Family switches provide the password control function. Before a user can log in to the switch, a system login password must be configured. Once a password is configured, the user must enter it each time he or she logs in to the switch, and can proceed with operations only after passing authentication.
CHAPTER 78: PASSWORD CONTROL CONFIGURATION ■ When adding or deleting a history password record, the system requests the standby card to perform backup. ■ When purging all history records or the history records of a certain user, the system requests the standby card to perform backup. ■ When adding a user to or deleting a user from the blacklist, the system requests the standby card to perform backup.
■ Configuring system password parameters
■ Configuring super password parameters
■ Deleting history password records

After the configuration, you can carry out display password-control in any view to view the password control information for all users, including the enabled/disabled state of password aging, the aging time, the enabled/disabled state of the minimum password length limitation and the configured minimum password length, the enabled/dis
Table 820 Basic configuration tasks of password control (continued)

Operation: Display password control information for all users
Command: display password-control
Description: Can be carried out in any view

Operation: Display super password control information
Command: display password-control super
Description: Can be carried out in any view

To cancel an operation, use the undo form of the corresponding command.
Introduction to Password Control Configuration 871 The password for super commands is processed in a similar way. However, no pre-expiration alert is given when the super password is to expire; the user is only notified whether the password has expired or not. For an FTP user, no pre-expiration alert is given either when the password is to expire. The user is only notified about password errors but cannot change the password. Only the administrator can change the password.
Table 823 Configuring the minimum password length

Operation: Enter system view
Command: system-view
Description: -

Operation: Configure the minimum password length
Command: password-control length length
Description: The value range of the minimum password length is 4 to 32 characters. The default value is 10 characters.
Introduction to Password Control Configuration 873 Table 824 Configuring the maximum number of attempts and the processing mode for failed login attempts Operation Command Description View information of users added to the blacklist display password-control blacklist display can be carried out in any view Remove a user or users from the blacklist reset password-control blacklist [ username username ] If the command is carried out without username, all users will be removed from the blacklist If th
Table 826 Configuring the timeout time for password authentication

Operation: Enter system view
Command: system-view
Description: -

Operation: Configure the password authentication timeout time
Command: password-control authentication-timeout authentication-timeout
Description: The value range of the password authentication timeout time is 30 to 120 seconds; the default value is 60 seconds.

System Logging Function

The system can automatically log related information in case of the following events:
■ W
Confirm :**********
Updating the password-file, please wait...

# Enable password aging:
[SW8800] password-control aging enable
Password aging enabled for all users. Default: 90 days.

# Enable the minimum password length limitation:
[SW8800] password-control length enable
Password minimum length enabled for all users. Default: 10 characters.
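As an added example, not from the 3Com guide, the following Python model implements the password controls this chapter configures on the switch: the minimum length (4 to 32 characters, default 10), password aging (default 90 days), refusal of a new password that matches the current one or a history record, a failed-attempt counter that moves the user to the blacklist, and the reset of that blacklist. The maximum attempt count (3) and the history depth (4) are assumed values chosen for the example, since the page does not show their defaults; the user name and passwords in the walkthrough are constructed. Passwords are stored as salted hashes rather than in the clear, and the comparisons use constant-time equality.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ranges and defaults documented in this chapter.
MIN_LENGTH_RANGE = (4, 32)          # password-control length: 4 to 32 characters
MIN_LENGTH_DEFAULT = 10             # default 10 characters
AGING_DAYS_DEFAULT = 90             # password-control aging: default 90 days
AUTH_TIMEOUT_RANGE = (30, 120)      # password-control authentication-timeout: 30 to 120 s
AUTH_TIMEOUT_DEFAULT = 60           # default 60 s
# ASSUMED for this example (the page does not show these defaults):
MAX_ATTEMPTS_DEFAULT = 3            # failed logins before the user is blacklisted
HISTORY_DEPTH_DEFAULT = 4           # old passwords remembered and refused on reuse


@dataclass
class Policy:
    min_length: int = MIN_LENGTH_DEFAULT
    aging_days: int = AGING_DAYS_DEFAULT
    max_attempts: int = MAX_ATTEMPTS_DEFAULT
    history_depth: int = HISTORY_DEPTH_DEFAULT
    auth_timeout: int = AUTH_TIMEOUT_DEFAULT

    def __post_init__(self):
        lo, hi = MIN_LENGTH_RANGE
        if not lo <= self.min_length <= hi:
            raise ValueError(f"minimum length must be {lo}..{hi}")
        lo, hi = AUTH_TIMEOUT_RANGE
        if not lo <= self.auth_timeout <= hi:
            raise ValueError(f"authentication timeout must be {lo}..{hi} s")


def _digest(salt, password):
    """Salted hash so neither the current password nor the history is stored in clear."""
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    set_at: datetime
    history: list = field(default_factory=list)   # list of (salt, digest) records
    failures: int = 0


class PasswordControl:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.users = {}
        self.blacklist = set()

    def _check_new(self, user, password):
        """Return 'ok', 'too-short' or 'reused' for a candidate password."""
        if len(password) < self.policy.min_length:
            return "too-short"
        records = ([(user.salt, user.digest)] + user.history) if user else []
        for salt, digest in records:
            if hmac.compare_digest(_digest(salt, password), digest):
                return "reused"
        return "ok"

    def add_user(self, name, password, now):
        status = self._check_new(None, password)
        if status != "ok":
            raise ValueError(status)
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _digest(salt, password), now)

    def change_password(self, name, password, now):
        """Apply the new password if it passes the checks; return the check result."""
        user = self.users[name]
        status = self._check_new(user, password)
        if status != "ok":
            return status
        user.history.insert(0, (user.salt, user.digest))
        del user.history[self.policy.history_depth:]      # keep only the newest records
        user.salt = secrets.token_bytes(16)
        user.digest = _digest(user.salt, password)
        user.set_at = now
        return "ok"

    def login(self, name, password, now):
        """Return 'ok', 'expired', 'wrong' or 'blacklisted' for one login attempt.
        An unknown user gets the same answer as a wrong password, so the result does
        not reveal which user names exist."""
        user = self.users.get(name)
        if user is None:
            return "wrong"
        if name in self.blacklist:
            return "blacklisted"
        if not hmac.compare_digest(_digest(user.salt, password), user.digest):
            user.failures += 1
            if user.failures >= self.policy.max_attempts:
                self.blacklist.add(name)
                return "blacklisted"
            return "wrong"
        user.failures = 0
        if now - user.set_at > timedelta(days=self.policy.aging_days):
            return "expired"
        return "ok"

    def reset_blacklist(self, name=None):
        """Counterpart of 'reset password-control blacklist [ username username ]'."""
        names = [name] if name else list(self.blacklist)
        for n in names:
            self.blacklist.discard(n)
            if n in self.users:
                self.users[n].failures = 0


def walkthrough():
    """Exercise the policy end to end and return the sequence of outcomes."""
    pc = PasswordControl()
    t0 = datetime(2007, 1, 1)
    day = timedelta(days=1)
    out = []
    pc.add_user("admin", "Str0ng-Passw0rd", t0)
    out.append(pc.login("admin", "Str0ng-Passw0rd", t0 + 30 * day))          # ok
    out.append(pc.login("admin", "Str0ng-Passw0rd", t0 + 91 * day))          # expired
    out.append(pc.change_password("admin", "short", t0 + 91 * day))          # too-short
    out.append(pc.change_password("admin", "Str0ng-Passw0rd", t0 + 91 * day))  # reused
    out.append(pc.change_password("admin", "N3w-Passw0rd-2007", t0 + 91 * day))  # ok
    for _ in range(3):                                                       # wrong, wrong, blacklisted
        out.append(pc.login("admin", "Str0ng-Passw0rd", t0 + 92 * day))
    out.append(pc.login("admin", "N3w-Passw0rd-2007", t0 + 92 * day))        # still blacklisted
    pc.reset_blacklist("admin")
    out.append(pc.login("admin", "N3w-Passw0rd-2007", t0 + 92 * day))        # ok
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough reproduces the behaviour the chapter describes from the user's side: an expired password still authenticates but is reported as expired, a change to a too-short or previously used password is refused, the third wrong attempt blacklists the account so that even the correct password is rejected, and only the administrator's reset of the blacklist restores access.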
79 ACRONYMS AAA Authentication, Authorization and Accounting ABR Area Border Router AC Access Code ACK ACKnowledgement ACL Access Control List ADSL Asymmetric Digital Subscriber Line AFI Authority and Format Identifier AH Authentication Header AM Accounting Management ANSI American National Standard Institute AP Access Preamble ARP Address Resolution Protocol AS Access Server ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASF Al
CHAPTER 79: ACRONYMS CF Call Forwarding services CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter-Domain Routing CIST Common and Internal Spanning Tree CL Configuration Librarian CLNP Connectionless Network Protocol CON Conference Calling CoS Class of Service CPU Central Processing Unit CRC Cyclic Redundancy Check C-RP Candidate-RP CSNP Complete SNP DA Destination Address DB Dummy Burst DC DC signaling DCE Data Cir
FIFO First In First Out FIN Finance Management Dept.
LDP Label Distribution Protocol LER Label Edge Router LIB Indicator Light Immobility Board QOS Switch QoS LR Location Registration LS Latest Start Time LSA Link State Advertisement LSAck Link State Acknowledgment LSD Low Speed Data LSDB Link State Database LSP Label Switch Path LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management LSR Label Switch Router LSU Link State Update MAC Media Access Control MAN Metropolitan Area Network MAP Mobile
NMS Network Management Station NPDU Network Protocol Data Unit NPE Network Facing PE NSAP Network Service Access Point NSM Neighbour State Machine NTP Network Time Protocol OAM Operation Administration and Maintenance OC-3 OC-3 OSI Open Systems Interconnection OSPF Open Shortest Path First PAP Password Authentication Protocol PAT Pointing Acquisition Tracking PCM percentage of completion method PD Powered Device PDU Protocol Data Unit PE Provider Edge Router PHP Penulti
CHAPTER 79: ACRONYMS RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RT rate RTD Radio Test Device SA Solution Architecture SAFI Subsequent Address Family Identifier SBM SGSN Basic Module SDH Synchronous Digital Hierarchy SEL Clock Selection Control Board SET Secure Electronic Transaction SF Sampling Frequency SITE site SNMP Simple Network Management Protocol SOH Section Overhead SONET Synchronous Optical NETwork SP
VDSL Very High Speed DSL; Very High Rate DSL VFS Virtual File System VLAN Virtual LAN VLL Virtual Leased Lines VOS Virtual Operating System VPDN Virtual Private Data Network VPI Virtual Path Identifier VPLS Virtual Private LAN Service VPN Virtual Private Network Comware Versatile Routing Platform VSI Virtual Switch Interface WAN Wide Area Network WINS Windows Internet Naming Service WRR Weighted Round Robin WWW World Wide Web