3Com® Switch 8800 Family Configuration Guide
Advanced Software Version 5
Switch 8807, Switch 8810, Switch 8814
www.3Com.com
Part Number: 10016063 Rev.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2006, 2007 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
ABOUT THIS GUIDE

This guide describes the 3Com® Switch 8800 and how to install hardware, configure and boot software, and maintain software and hardware. It also provides troubleshooting and support information for your switch. It is intended for qualified service personnel who are responsible for configuring, using, and managing the switches.
Table 2 Text Conventions
■ Words in italics: italics are used to emphasize a point, to denote a new term at the place where it is defined in the text, and to identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.
■ Words in bold: boldface type is used to highlight command names. For example, “Use the display user-interface command to...
1 LOGGING IN TO A SWITCH

Setting up the Configuration Environment Through the Console Port

1 Set up the local configuration environment by connecting the serial port of the computer (or a terminal) with the Console port of the switch through a cable, as shown in Figure 1.

Figure 1 Set up the local configuration environment through the Console port (RS-232 serial port, connection cable, Console port)

2 Run the terminal emulation program (Terminal in Windows 3.X or HyperTerminal in Windows 9X, etc.
Figure 3 Configure the connection port
Figure 4 Configure communication parameters of the port

3 Power on the switch to display the POST (power-on self test) information on the terminal. After the POST, the system will prompt you to press the key and display the command line prompt (such as ).

4 Enter the commands, configure the switch or view the running status of the switch.
Setting up the Configuration Environment Through Telnet

Telnetting a Switch from a PC (Terminal)

If you have properly configured the IP address of a VLAN interface through the Console port (using the ip address command in VLAN interface view) and specified the Ethernet port connecting the terminal to the VLAN (using the port command in VLAN view), you can log in to the switch through Telnet and configure the switch.
Figure 6 Run the Telnet program

4 The system displays "Login authentication" on the terminal and prompts you to enter a password. The system displays the command line prompt (such as ) if the password is correct.
xxxx indicates the password to be set for the Telnet user.

2 Telnet to the switch functioning as the Telnet client.

3 Perform the following operation on the client:

telnet xxxx

xxxx indicates the host name or IP address of the server; the host name must be the one configured by the ip host command or resolved by the DNS client.
Setting up the Configuration Environment Through a Modem

3 Dial up to connect to the switch through the terminal emulation program and modem at the remote side (the dialed number should be the telephone number of the modem connected to the switch), as shown in Figure 9 and Figure 10.
2 BASIC CONFIGURATIONS

While performing basic configurations of the system, go to these sections for information you are interested in:
■ “Basic Configurations” on page 27
■ “CLI Features” on page 33

Basic Configurations

This section covers the following topics:
■ “Entering/Exiting System View” on page 27
■ “Configuring the Device Name” on page 27
■ “Configuring the System Clock” on page 27
■ “Configuring a Banner” on page 28
■ “C
■ Set a daylight summer time scheme: clock summer-time zone-name { one-off | repeating } start-time start-date end-time end-date offset-time (Optional)

Configuring a Banner

Introduction to banners

Banners are prompt information displayed by the system when users connect to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed.
Follow these steps to configure a banner:
Table 1 Hotkeys reserved by the system (Function column)
■ Displays the previous command in the history command buffer.
■ Redisplays the current line information.
■ Pastes the content in the clipboard.
■ Deletes all the characters in a continuous string to the left of the cursor.
■ Deletes all the characters to the left of the cursor.
■ Deletes all the characters to the right of the cursor.
■ Switch the user level: super [ level ] (Optional)
■ Enter system view: system-view
■ Configure the password for switching the user level: super password [ level user-level ] { simple | cipher } password (Optional. By default, no password is needed for switching the user level.)
Displaying and Maintaining Basic Configurations

The following display commands are available in any view:
■ Display information on the system version: display version
■ Display information on the system clock: display clock
■ Display information on terminal users: display users [ all ]
■ Display the configuration files saved in the device storage: display saved-configuration [ medium.
■ display task
■ display logbuffer
■ display history all

■ For the detailed description of the display users command, refer to “Displaying and Maintaining User Interface(s)” on page 50.
■ The display commands discussed above are for the global configuration. Refer to the corresponding section for the display command of a specific protocol or interface.

CLI Features

Online Help with Command Lines
2 Enter a command and a ? separated by a space. If ? is at the position of a keyword, all the keywords are given with a brief description.

language-mode ?
  chinese  Chinese environment
  english  English environment

3 Enter a command and a ? separated by a space. If ? is at the position of a parameter, the description of this parameter is given.
command, refer to “User Interface Configuration” on page 43). The following table lists the operations that you can perform.

Follow these steps to access history commands:
■ View the history commands: display history-command. Displays the commands that you have entered.
■ Access the previous history command: Up-arrow key or . Displays the earlier history command, if there is any.

Command Line Error Information
Table 5 Edit functions
■ Up-arrow key or , Down-arrow key or : displays history commands
■ key: pressing it after entering part of a keyword enables the fuzzy help function. If a unique match is found, the system substitutes the complete keyword for the incomplete one and displays it in the next line.
4 USER INTERFACE CONFIGURATION

When configuring user interfaces, go to these sections for information you are interested in:
■ “User Interface Overview” on page 43
■ “Configuring User Interface” on page 44
■ “Configuring Asynchronous Serial Interface Attributes” on page 45
■ “Configuring Terminal Attributes” on page 45
■ “Configuring Modem Attributes” on page 46
■ “Configuring the auto-execute Command” on page 47
■ “Configuring User Privilege Level” on page 47
■ “Configuring Access Restricti
User Interface Numbering

■ AUX port: the view you log in from through the AUX port. The AUX port is also a line device port. The device has only one AUX port, of EIA/TIA-232 DTE type; it is usually used for dialup access via modem.
■ VTY (Virtual Type Terminal): the view you log in through via VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.
■ “Configuring Access Restriction on VTY User Interface(s)” on page 48 (Optional)
■ “Configuring Supported Protocols on VTY User Interface(s)” on page 48 (Optional)
■ “Configuring Authentication Mode at Login” on page 49 (Optional)
■ “Sending Messages to the Specified User Interface(s)” on page 50 (Optional)
■ “Releasing the Connection Established on the User Interface(s)” on page 50 (Optional)

Configuring Asynchronous Serial Interface Attributes
■ Start the terminal service: shell (Optional. The terminal service is enabled on all user interfaces by default.)
The above configuration takes effect only for the AUX and VTY ports working in flow mode.

Configuring the auto-execute Command

With the auto-execute command command enabled, the system automatically executes the configured command when you log in. After the command is completed, or after the tasks triggered by the command are completed, the connection is closed automatically.
Follow these steps to configure the user privilege level under a user interface:

Configuring Access Restriction on VTY User Interface(s)
■ The protocol inbound ssh command fails if the authentication mode is password or none. For the corresponding configuration, refer to the authentication-mode command in the Switch 8800 Command Reference Guide.
■ The protocol(s) configured through the protocol inbound command take effect the next time you log in from that user interface.

Configuring Authentication Mode at Login
■ Set the local authentication password: set authentication password { cipher | simple } password (Required. No local authentication password is set by default.)

Follow these steps to configure authentication mode at login as scheme:

Sending Messages to the Specified User Interface(s)

Releasing the Connection Established on the User Interface(s)

Displaying and Maintaining User Interface(s)
5 MANAGEMENT ETHERNET PORT CONFIGURATION

When configuring the management Ethernet port, go to these sections for information you are interested in:
■ “Management Ethernet Port Overview” on page 53
■ “Management Ethernet Port Configuration” on page 53

Management Ethernet Port Overview

Each Fabric on a Switch 8800 series switch provides a 10/100Base-TX management Ethernet port (M-Ethernet) which has the functions listed below:
■ Connected with a PC, the port implem
6 ETHERNET INTERFACE CONFIGURATION

When configuring Ethernet interfaces, go to these sections for information you are interested in:
■ “Ethernet Interface Configuration” on page 55
■ “Maintaining and Displaying an Ethernet Interface” on page 60

Ethernet Interface Configuration

Configuration Task List

Complete the following tasks to configure an Ethernet interface:
■ “Basic Ethernet Interface Configuration” on page 55 (Optional)
■ “Configuring Flow Control on an Ethernet Interface” on page
Similarly, if you configure the transmission rate for an Ethernet interface by using the speed command with the auto keyword specified, the transmission rate is determined through auto-negotiation too.

Follow these steps to perform basic Ethernet interface configurations:
Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface

An Ethernet interface operates in one of two physical link states: up or down. During the suppression time, physical-link-state changes are not propagated to the system. Only after the suppression time has elapsed does the physical layer notify the system of the physical-link-state changes.
Configuring a Port Group

To make configuration easier, certain devices allow users to configure a single port as well as multiple ports in a port group. In port group view, the user only needs to enter a configuration command once, and that configuration applies to all ports in the port group. This effectively reduces redundant configuration.
■ Enter system view: system-view
■ Enter Ethernet interface view or port group view (use either command):
  ■ Enter Ethernet interface view: interface interface-type interface-number
  ■ Enter port group view
Configuring the Cable Type for an Ethernet Interface

Follow these steps to configure the cable type for an Ethernet interface:

Configuring the Source MAC Address for an Interface
Maintaining and Displaying an Ethernet Interface
7 MAC ADDRESS TABLE MANAGEMENT CONFIGURATION

When configuring MAC address table management, go to these sections for information you are interested in:
■ “Introduction to MAC Address Table” on page 63
■ “Configuring MAC Address Table Management” on page 64
■ “Displaying MAC Address Table Management” on page 67
■ “MAC Address Table Management Configuration Example” on page 67

Introduction to MAC Address Table

The term router and the router icons mentioned in the following routing protocol refer to the rout
As shown in Figure 21, when forwarding a frame, the device looks up the MAC address table. If an entry is available for the destination MAC address, the device forwards the frame directly from the hardware. If not, it does the following:
1 Broadcasts the frame.
2 After the frame reaches the destination, the destination sends back a response with its MAC address. (If no response is received, the frame will be dropped.
Configuring MAC Address Table Management

Disabling Global MAC Address Learning

You may sometimes need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your device is being attacked by a great number of packets with different source MAC addresses. Disabling global MAC address learning disables the learning function on all ports.
The MAC address aging time applies to all ports. The MAC address aging timer takes effect only on dynamic MAC address entries (learned or administratively configured).

Configuring the Maximum Number of MAC Addresses an Ethernet Port or a Port Group Can Learn

To prevent the MAC address table from becoming so large that it degrades forwarding performance, you can restrict the number of MAC addresses that can be learned.
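The learning, aging and saturation behaviour described in this chapter, as an added Python illustration that is not code from this guide: a small model of the MAC address table with the global learning switch, a table capacity and a per-port learning cap, run over a constructed burst of frames carrying many distinct source MACs. The port names e1 to e4, the 256-entry capacity and the sample MAC addresses are assumptions made for the example.

```python
"""Model of a switch MAC address table: learning, aging, the global learning
switch, a table capacity and per-port learning caps.

Added illustration written for this chapter; it is not code from the 3Com
guide. Port names (e1..e4), the 256-entry capacity and the sample MAC
addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FLOOD = "flood"  # unknown destination: the frame is sent out of all other ports


@dataclass
class MacEntry:
    port: str
    seen_at: float
    dynamic: bool = True   # only dynamic entries are subject to aging


@dataclass
class MacTable:
    capacity: int = 256                  # total entries the table can hold
    aging_time: float = 300.0            # seconds; dynamic entries only
    learning_enabled: bool = True        # the global learning switch
    max_learn: Dict[str, int] = field(default_factory=dict)   # per-port cap
    entries: Dict[str, MacEntry] = field(default_factory=dict)

    def learned_on(self, port: str) -> int:
        """Number of dynamic entries currently learned on a port."""
        return sum(1 for e in self.entries.values() if e.dynamic and e.port == port)

    def age_out(self, now: float) -> int:
        """Remove dynamic entries older than aging_time; return how many."""
        expired = [m for m, e in self.entries.items()
                   if e.dynamic and now - e.seen_at >= self.aging_time]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def add_static(self, mac: str, port: str) -> None:
        """Administratively configured entry: never aged out."""
        self.entries[mac] = MacEntry(port, 0.0, dynamic=False)

    def receive(self, src: str, dst: str, in_port: str, now: float) -> str:
        """Process one frame: learn src behind in_port if allowed, then return
        the egress port for dst, or FLOOD if dst is unknown."""
        self.age_out(now)
        if self.learning_enabled:
            known = self.entries.get(src)
            if known is not None:
                if known.dynamic:                  # refresh (or move) the entry
                    known.port, known.seen_at = in_port, now
            else:
                cap = self.max_learn.get(in_port)
                port_has_room = cap is None or self.learned_on(in_port) < cap
                if port_has_room and len(self.entries) < self.capacity:
                    self.entries[src] = MacEntry(in_port, now)
        hit = self.entries.get(dst)
        return hit.port if hit else FLOOD


SERVER = "00:11:22:33:44:aa"   # constructed: server behind port e3
HOST = "00:11:22:33:44:bb"     # constructed: legitimate host behind port e2


def flood_scenario(cap_on_e1: Optional[int] = None,
                   learning_enabled: bool = True) -> Dict[str, object]:
    """Constructed scenario: port e1 receives a burst of 500 frames with
    distinct source MACs, then HOST on e2 sends one frame, then SERVER on e3
    replies to HOST. Reports how many entries the burst occupied, how big the
    table is, and whether the reply reached e2 or had to be flooded."""
    table = MacTable(capacity=256, learning_enabled=learning_enabled,
                     max_learn={} if cap_on_e1 is None else {"e1": cap_on_e1})
    table.receive(SERVER, HOST, "e3", now=0.0)           # SERVER learned on e3
    for i in range(500):
        bogus = "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)
        table.receive(bogus, SERVER, "e1", now=1.0)
    table.receive(HOST, SERVER, "e2", now=2.0)           # is HOST learned on e2?
    return {
        "burst_entries": table.learned_on("e1"),
        "table_size": len(table.entries),
        "reply_to_host": table.receive(SERVER, HOST, "e3", now=3.0),
    }


def aging_demo() -> Tuple[int, int]:
    """Dynamic entries expire after aging_time; static ones do not."""
    table = MacTable(aging_time=300.0)
    table.add_static("00:11:22:33:44:cc", "e4")
    table.receive(HOST, SERVER, "e2", now=0.0)
    before = len(table.entries)
    table.age_out(now=400.0)
    return before, len(table.entries)
```

Without a cap the burst fills the table, HOST is never learned and the reply to it is flooded out of every port; with a per-port cap of 16 the burst occupies 16 entries and the reply goes to e2 only, while disabling learning globally stops the burst but also floods the reply.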
Displaying MAC Address Table Management
8 LINK AGGREGATION OVERVIEW

When configuring link aggregation, go to these sections for information you are interested in:
■ “Link Aggregation” on page 69
■ “Approaches to Link Aggregation” on page 71
■ “Load Sharing in a Link Aggregation Group” on page 73
■ “Service Loop Group” on page 74
■ “Link Aggregation Port Group” on page 75

Link Aggregation

Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called a logical group, to increase reliability and bandw
When aggregating ports, link aggregation control automatically assigns each port an operational key based on its rate, duplex mode, and other basic configurations. In a manual or static LACP aggregation, the selected ports share the same operational key.
Table 6 Consistency considerations for ports in an aggregation
■ MAC address learning:
  ■ MAC address learning capability
  ■ Setting of the maximum number of MAC addresses that can be learned on the port
  ■ Forwarding of frames with unknown destination MAC addresses after the upper limit of the MAC address table is reached

Approaches to Link Aggregation

Manual Link Aggregation

The options available for implementing link aggregation are described
interrupted. You need to avoid this situation, however, as the selected/unselected state of a port may become different after a reboot.

Currently, the number of selected ports in a manual aggregation group created on a Switch 8800 can be up to eight.

Port Configuration Considerations in Manual Aggregation

As mentioned above, in a manual aggregation group, only ports with configurations consistent with those of the master port can become selected.
■ If they are the same, compare the system MAC addresses. The system with the smaller ID has higher priority (the lower the LACP priority and the smaller the MAC address, the smaller the device ID).
2 Compare the port IDs, each of which comprises a port LACP priority and a port number, on the system with the higher ID as follows:
■ Compare the port LACP priorities. The port with the lower port LACP priority wins out.
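Selected-port determination as described in this chapter (operational key from rate and duplex mode, consistency with the master port, at most eight selected ports, and the system ID and port ID comparisons above), as an added Python illustration that is not code from this guide. Treating the first listed port as the master, the default port LACP priority of 32768 and the sample port set are assumptions made for the example.

```python
"""Model of how ports become selected in a link aggregation group.

Added illustration, not code from the 3Com guide. The choice of the first
listed port as the master, the default priority value and the sample port
set are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SELECTED = 8   # the guide: up to eight selected ports per manual group


@dataclass(frozen=True)
class Port:
    number: int
    speed_mbps: int
    full_duplex: bool
    link_up: bool
    lacp_priority: int = 32768   # port LACP priority; lower value wins (assumed default)


@dataclass(frozen=True)
class SystemId:
    lacp_priority: int            # system LACP priority; lower value wins
    mac: str                      # e.g. "00-e0-fc-00-00-01" (constructed)

    def sort_key(self) -> Tuple[int, int]:
        # A smaller (priority, MAC) pair means a smaller system ID, i.e. higher priority.
        return (self.lacp_priority,
                int(self.mac.replace("-", "").replace(":", ""), 16))


def higher_priority_system(a: SystemId, b: SystemId) -> SystemId:
    """Compare system LACP priorities; on a tie, the smaller MAC address wins."""
    return a if a.sort_key() <= b.sort_key() else b


def operational_key(p: Port) -> Tuple[int, bool]:
    """Operational key derived from the port's rate and duplex mode."""
    return (p.speed_mbps, p.full_duplex)


def port_id(p: Port) -> Tuple[int, int]:
    """Port ID: port LACP priority is compared first, then the port number."""
    return (p.lacp_priority, p.number)


def select_ports(group: List[Port]) -> Tuple[List[int], List[int]]:
    """Return (selected, unselected) port numbers, both in ascending order.

    Assumption: the first port in the group is the master. A port can only be
    selected if its link is up and its operational key matches the master's;
    when more than MAX_SELECTED ports qualify, the ones with the lowest port
    IDs are selected and the rest stay unselected."""
    if not group:
        return [], []
    master = group[0]
    candidates = [p for p in group
                  if p.link_up and operational_key(p) == operational_key(master)]
    candidates.sort(key=port_id)
    selected = sorted(p.number for p in candidates[:MAX_SELECTED])
    unselected = sorted(p.number for p in group if p.number not in selected)
    return selected, unselected


def demo_group() -> List[Port]:
    """Constructed group of twelve ports: port 3 runs at 100 Mbps, port 4 is
    half duplex, port 5 is down, and port 12 carries a better (lower) port
    LACP priority than the default, so it displaces port 11."""
    return [Port(number=n,
                 speed_mbps=100 if n == 3 else 1000,
                 full_duplex=(n != 4),
                 link_up=(n != 5),
                 lacp_priority=100 if n == 12 else 32768)
            for n in range(1, 13)]
```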
Load Sharing in a Link Aggregation Group

Service Loop Group

As a Switch 8800 can accommodate different types of I/O Modules, service loop ports are needed to redirect services between I/O Modules. Through service loop ports, packets reaching an I/O Module can be passed to another one for processing. A service loop group is used to increase the throughput for redirecting packets among I/O Modules. A service loop group is implemented by creating a link aggregation group for service loop ports.
Link Aggregation Port Group

As mentioned earlier, in a manual or static aggregation group, a port can be selected only when its configuration is the same as that of the master port in terms of duplex/speed pair, link state, and other basic configurations. Maintaining this configuration consistency requires administrative effort, which is troublesome after you change some configuration.
9 LINK AGGREGATION CONFIGURATION

When performing link aggregation configuration, go to these sections for information you are interested in:
■ “Configuring Link Aggregation” on page 77
■ “Displaying and Maintaining Link Aggregation” on page 80
■ “Link Aggregation Configuration Example” on page 80

Configuring Link Aggregation

CAUTION: If a port in a dynamic aggregation group is in an abnormal operating state caused by the existence of an empty aggregation group, you can try the following steps to c
ports, its group type changes to manual with LACP disabled on its member ports; if not, its group type directly changes to manual.

Configuring a Static LACP Link Aggregation Group

■ An aggregation group cannot include ports with static MAC addresses, 802.1x-enabled ports, MAC address authentication-enabled ports, or POS interfaces. Besides, ports operating as upstream ports of isolation groups cannot be added to manual or static aggregation groups.
Configuring a Name for a Link Aggregation Group

Configuring a Service Loop Group

CAUTION: When making the configuration, be aware that after a load-balancing aggregation group changes to a non-load-balancing group due to resource exhaustion, either of the following may happen:
■ Forwarding anomalies resulting from an inconsistency between the two ends in the number of selected ports.
For a service loop group containing only one port, you can remove the port from the service loop group only by removing the service loop group.

Entering Aggregation Port Group View

In aggregation port group view, you can make configuration for all the member ports in a link aggregation group at one time. Follow these steps to enter aggregation port group view:

Displaying and Maintaining Link Aggregation
Link Aggregation Configuration Example

Network diagram

Figure 22 Network diagram for link aggregation (Device A, link aggregation, Device B)

Configuration procedure

■ This example only describes how to configure link aggregation on Switch A. To achieve link aggregation, do the same on Switch B.
■ Manual aggregation group, static aggregation group, and dynamic aggregation group can all be used here.

1 In the manual aggregation approach
# Create manual aggregation group 1.
# Enable LACP on ports Ethernet 1/1/1 through Ethernet 1/1/3.
10 PORT MIRRORING CONFIGURATION

When configuring port mirroring, go to these sections for information you are interested in:
■ “Introduction to Port Mirroring” on page 83
■ “Configuring Local Port Mirroring” on page 84
■ “Configuring Remote Port Mirroring” on page 85
■ “Displaying Port Mirroring” on page 87
■ “Port Mirroring Configuration Example” on page 87

Introduction to Port Mirroring

Classification of Port Mirroring

There are two kinds of port mirroring: local

Implementing Port Mirroring
the remote destination port mirroring group by the remote device receiving the packets.

Configuring Local Port Mirroring

■ A port mirroring group supports inter-module mirroring, which means that the destination port and source ports can be located on different modules of a device. In addition, a destination port can monitor multiple source ports simultaneously.
Configuring Remote Port Mirroring

Configuring a Remote Source Mirroring Group

While configuring remote port mirroring, you need to configure the remote source port mirroring group and the remote destination port mirroring group on both devices. You need to configure source ports, reflector ports, and the remote port mirroring VLAN for a remote source mirroring group. Follow these steps to configure a remote source port mirroring group:
■ A remote source mirroring group can have only one reflector port.
■ A port can be configured as a reflector port only when it operates with the following settings at their defaults: operation mode (half duplex/full duplex), port speed, and MDI setting.
■ Use a remote port mirroring VLAN for remote port mirroring only.
■ Only existing static VLANs can be configured as remote port mirroring VLANs.
Configuring a Remote Destination Port Mirroring Group
To do... Use the command... Remarks
Add the destination port to the remote port mirroring VLAN:
  The port is an access port: port access vlan rprobe-vlan-id
  The port is a trunk port: port trunk permit vlan rprobe-vlan-id
  The port is a hybrid port: port hybrid vlan rprobe-vlan-id { tagged | untagged }
  Remarks: Perform one of these three operations according to the port type.
■ Only existing static VLANs can be configured as remote port mirroring VLANs.
Displaying Port Mirroring
Network diagram
Figure 23 Network diagram for local port mirroring configuration (Host A, Host B, Switch A, Switch B, Switch C, the Server, and ports Eth1/1/1, Eth1/1/2, and Eth1/1/3)
Configuration procedure
1 Configure Switch C.
# Enter system view.
system-view
# Create a local port mirroring group.
[Sysname] mirroring-group 1 local
# Add port Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as source ports.
■ Port Ethernet 1/1/3 of Switch A and port Ethernet 1/1/1 of Switch B are two trunk ports. They are connected together.
■ Port Ethernet 1/1/2 of Switch B and port Ethernet 1/1/1 of Switch C are two trunk ports. They are connected together.
■ The Server is connected to port Ethernet 1/1/2 of Switch C. It is desired to monitor packets of Host A and Host B on the Server. This can be achieved by configuring remote port mirroring groups, as described below.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote port mirroring VLAN of the remote port mirroring group. Add port Ethernet 1/1/1 and Ethernet 1/1/2 to the remote port mirroring group as source ports. Configure port Ethernet 1/1/4 as the reflector port.
[Sysname] mirroring-group 1 remote-destination
# Create VLAN 2 and disable MAC address learning in it. Add port Ethernet 1/1/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] port ethernet 1/1/2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote port mirroring VLAN of the remote destination port mirroring group. Add port Ethernet 1/1/2 to the remote destination port mirroring group as the destination port.
11 MSTP CONFIGURATION
When configuring MSTP, go to these sections for information you are interested in:
■ “MSTP Overview” on page 93
■ “Configuration Task List” on page 107
■ “Configuring the Root Bridge” on page 109
■ “Configuring Leaf Nodes” on page 120
■ “Performing mCheck” on page 124
■ “Configuring the VLAN Ignore Feature” on page 125
■ “Configuring Digest Snooping” on page 126
■ “Configuring No Agreement Check” on page 128
■ “Configuring Protection Functions” on page 130
■ “Displ
Basic concepts in STP
1 Root bridge
A tree network must have a root; hence the concept of "root bridge" has been introduced in STP. An STP network has only one root bridge. The root bridge is globally significant in the entire network and is the logical center of the network. However, it need not be the physical center of the network. The root bridge may change when the network topology changes.
Figure 25 A schematic diagram of designated bridges and designated ports (Switch A with ports AP1 and AP2, Switch B with BP1 and BP2, Switch C with CP1 and CP2, and a LAN)
As shown in Figure 25, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C respectively.
■ If Switch A forwards configuration BPDUs to Switch B through AP1, the designated bridge for Switch B is Switch A, and the designated port is AP1 on Switch A.
■ Two switches are connected to the LAN: Switch B and Switch C.
■ Root path cost
■ Designated bridge ID (in the form of device priority)
■ Designated port ID (in the form of port ID)
Initial state
Upon initialization of a device, each port generates a configuration BPDU with itself as the root, in which the root path cost is 0, the designated bridge ID is the device ID, and the designated port is the local port.
The process of selecting the root port and designated ports is as follows:
Table 10 Selection of the root port and designated ports
Step 1: The root port is the port through which the optimum configuration BPDU was received.
Figure 26 Network diagram for STP algorithm
■ Initial state of each device
The following table shows the initial state of each device.
Table 12 Comparison process and result on each device
Device: Switch A
Comparison process:
■ Port AP1 receives a configuration BPDU from Switch B (that is, {1, 0, 1, BP1}). As the configuration BPDU of the local port (that is, {0, 0, 0, AP1}) is superior to the received configuration BPDU, the received configuration BPDU is discarded.
■ Port AP2 receives a configuration BPDU from Switch C (that is, {2, 0, 2, CP1}).
BPDU of the port after comparison: AP1: {0, 0, 0, AP1}; AP2: {0, 0, 0, AP2}
Table 12 Comparison process and result on each device (continued)
Device: Switch C
Comparison process:
■ Port CP1 receives a configuration BPDU from Switch A (that is, {0, 0, 0, AP2}). As the received configuration BPDU is superior to that of the local port (that is, {2, 0, 2, CP1}), Switch C uses the received configuration BPDU as the configuration BPDU of CP1.
BPDU of the port after comparison: CP1: {0, 0, 0, AP2}; CP2: {1, 0, 1, BP2}
After the comparison processes described in the table above, a spanning tree with Switch A as the root bridge is stabilized, as shown in Figure 27.
Figure 27 A spanning tree with Switch A as the root bridge
To facilitate description, the spanning tree computing process in this example is simplified, while the actual process is more complicated.
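The comparison rule behind Table 10 and Table 12, carried out in code as an added example that is not part of the original guide: a configuration BPDU is the tuple {root bridge ID, root path cost, designated bridge ID, designated port ID}, compared field by field with the lower value winning, and the root port is the port holding the optimum received BPDU. The bridge IDs 0, 1 and 2 and the port names follow the table; the link path costs (5, 10 and 4) and the second-round BPDU from Switch B used in the usage note are constructed values, because the guide's figure does not give them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A configuration BPDU in the notation the guide uses:
# {root bridge ID, root path cost, designated bridge ID, designated port ID}.
# Bridge IDs are ints; port IDs are kept as strings ("AP1") for readability.
Bpdu = Tuple[int, int, int, str]


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a is superior to b.

    Fields are compared in order and the lower value wins: root bridge ID,
    then root path cost, then designated bridge ID, then designated port ID.
    Python tuple ordering performs exactly that field-by-field comparison.
    """
    return a < b


@dataclass
class PortResult:
    role: str    # "root", "designated" or "blocked"
    bpdu: Bpdu   # the BPDU the port holds after comparison


def compare_on_port(local: Bpdu, received: Optional[Bpdu]) -> Bpdu:
    """A port keeps its own BPDU if it is superior to the received one and
    discards the received BPDU; otherwise it adopts the received BPDU."""
    if received is None or is_superior(local, received):
        return local
    return received


def run_stp_round(bridge_id: int, ports: List[str],
                  received: Dict[str, Optional[Bpdu]],
                  link_cost: Dict[str, int]):
    """One round of root port / designated port selection on a single device.

    received  : port -> configuration BPDU received on that port (or None)
    link_cost : port -> path cost of the link attached to that port
                (constructed for this example; the guide's figure gives none)
    Returns (root_port, root_path_cost, {port: PortResult}).
    """
    # Initial state: each port generates a BPDU with itself as the root,
    # root path cost 0, designated bridge = this device, designated port = itself.
    initial = {p: (bridge_id, 0, bridge_id, p) for p in ports}
    after = {p: compare_on_port(initial[p], received.get(p)) for p in ports}

    # Root port: the port holding the optimum BPDU, ignoring BPDUs that this
    # device generated itself (Table 10, step 1).
    candidates = {p: b for p, b in after.items() if b[2] != bridge_id}
    if not candidates:
        # No superior BPDU came in: this device is the root bridge and every
        # port is a designated port carrying its own initial BPDU (Switch A).
        return None, 0, {p: PortResult("designated", initial[p]) for p in ports}

    root_port = min(candidates, key=lambda p: candidates[p])
    root_id, upstream_cost = candidates[root_port][0], candidates[root_port][1]
    root_path_cost = upstream_cost + link_cost[root_port]

    results = {root_port: PortResult("root", after[root_port])}
    for p in ports:
        if p == root_port:
            continue
        # The BPDU this device would send out of port p, derived from the
        # root port's BPDU: same root, our root path cost, ourselves as
        # designated bridge, p as designated port.
        calculated = (root_id, root_path_cost, bridge_id, p)
        if is_superior(calculated, after[p]):
            results[p] = PortResult("designated", calculated)  # we are the designated bridge
        else:
            results[p] = PortResult("blocked", after[p])       # the peer is; block this port
    return root_port, root_path_cost, results


if __name__ == "__main__":
    # Switch A (bridge ID 0), as in Table 12: both received BPDUs are inferior.
    print(run_stp_round(0, ["AP1", "AP2"],
                        {"AP1": (1, 0, 1, "BP1"), "AP2": (2, 0, 2, "CP1")},
                        {"AP1": 5, "AP2": 10}))
    # Switch C (bridge ID 2): CP1 adopts {0,0,0,AP2}, CP2 adopts {1,0,1,BP2}.
    print(run_stp_round(2, ["CP1", "CP2"],
                        {"CP1": (0, 0, 0, "AP2"), "CP2": (1, 0, 1, "BP2")},
                        {"CP1": 10, "CP2": 4}))
```

In the first round Switch C makes CP2 a designated port, because its calculated BPDU {0, 10, 2, CP2} beats the {1, 0, 1, BP2} it received. Once Switch B has itself converged and sends a BPDU rooted at Switch A with a smaller root path cost (a constructed value of 5), feeding that into a second call blocks CP2, which is how the loop through the LAN is broken.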
Introduction to MSTP
Why MSTP
1 Disadvantages of STP and RSTP
STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state, even if it is a port on a point-to-point link or it is an edge port. The rapid spanning tree protocol (RSTP) is an optimized version of STP.
Figure 28 Basic concepts in MSTP
1 MST region
An MST region is composed of multiple devices in a switched network and the network segments among them. These devices have the following characteristics:
■ All are MSTP-enabled,
■ They have the same region name,
■ They have the same VLAN-to-instance mapping configuration,
■ They have the same MSTP revision level configuration, and
■ They are physically linked with one another.
same region name, the same VLAN-to-instance mapping (VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the CIST).
3 IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region, with the instance number 0. The ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal spanning tree (CIST) of the entire network. An IST is the section of the CIST within an MST region.
if a device in region A0 is interconnected with the first port of a device in region D0 and the common root bridge of the entire switched network is located in region A0, the first port of that device in region D0 is the boundary port of region D0.
Currently, the Switch 8800s are not capable of recognizing boundary ports.
■ Port 3 and port 4 of device D connect downstream to other MST regions.
11 Port states
In MSTP, port states fall into the following three:
■ Forwarding: the port learns MAC addresses and forwards user traffic;
■ Learning: the port learns MAC addresses but does not forward user traffic;
■ Discarding: the port neither learns MAC addresses nor forwards user traffic.
A port can be in different states in different MST instances.
■ Between two MST regions, the packet is forwarded along the CST.
Implementation of MSTP on devices
MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree computing.
Configuration Task List
Task / Remarks
“Configuring the Root Bridge” on page 109:
  “Configuring an MST Region” on page 109: Required
  “Specifying the Root Bridge or a Secondary Root Bridge” on page 110: Optional
  “Configuring the Work Mode of MSTP Device” on page 112: Optional
  “Configuring the Priority of the Current Device” on page 113: Optional
  “Configuring the Maximum Hops of an MST Region” on page 113: Optional
  “Configuring the Network Diameter of a Switched Network” on page 114: Optional
  “Confi
“Configuring Leaf Nodes” on page 120:
  “Configuring an MST Region” on page 109: Required
  “Configuring the Work Mode of MSTP Device” on page 112: Optional
  “Configuring the Timeout Factor” on page 116: Optional
  “Configuring the Maximum Transmission Rate of Ports” on page 116: Optional
  “Configuring Ports as Edge Ports” on page 117: Optional
  “Configuring Path Costs of Ports” on page 120: Optional
  “Configuring Port Priority” on page 123: Optional
  “Configuring Whether
To do...: Configure the VLAN-to-instance mapping table
Use the command...: instance instance-id vlan vlan-list, or vlan-mapping modulo modulo
Remarks: Optional. By default, all VLANs in an MST region are mapped to MST instance 0.
Specifying the current device as the root bridge of a specific spanning tree
Follow these steps to specify the current device as the root bridge of a specific spanning tree:
To do... Use the command...
■ When specifying the root bridge or a secondary root bridge, you can specify the network diameter and hello time. However, these two options are effective only for MST instance 0, namely the CIST. If you include these two options in your command for any other instance, the configuration can succeed, but they will not actually work.
Configuring the Priority of the Current Device
The priority of a device determines whether it can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. By setting the priority of a device to a low value, you can specify the device as the root bridge of a spanning tree. An MSTP-compliant device can have different priorities in different MST instances.
Configuration example
# Set the maximum hops of the MST region to 30.
system-view
[Sysname] stp max-hops 30
Configuring the Network Diameter of a Switched Network
Any two stations in a switched network are interconnected through specific paths, which are composed of a series of devices. Represented by the number of devices on a path, the network diameter is the path that comprises more devices than any other of these paths.
Configuration procedure
Follow these steps to configure the timers of MSTP:
To do... Use the command...
Configuration example
# Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max age to 2,100 centiseconds.
system-view
[Sysname] stp timer forward-delay 1600
[Sysname] stp timer hello 300
[Sysname] stp timer max-age 2100
Configuring the Timeout Factor
A device sends hello packets to the devices around it at a specific interval to check whether any link is faulty.
Configuration example
# Configure Ethernet 1/1/1 to be an edge port.
system-view
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] stp edged-port enable
Configuring Whether Ports Connect to Point-to-Point Links
A point-to-point link is a link that directly connects two devices.
The default packet format setting is auto, that is, a port recognizes the two MSTP packet formats automatically. You can configure the MSTP packet format to be used by a port as the 802.1s-compliant standard format or the compatible format using the corresponding commands. After the configuration, when working in MSTP mode, the port sends and receives only MSTP packets of the format you have configured.
instances. Setting an appropriate path cost allows VLAN traffic flows to be forwarded along different physical links, thus enabling per-VLAN load balancing. The device can automatically calculate the path cost; alternatively, you can configure the path cost for ports.
Specifying a standard that the device uses when calculating the path cost
You can specify a standard for the device to use in automatic calculation of the path cost.
Table 14 Link speed vs. path cost
Link speed   Duplex state              802.1D-1998   802.1t   Private standard
1000 Mbps    Single Port               4             20,000   20
             Aggregated Link 2 Ports   4             10,000   18
             Aggregated Link 3 Ports   4             6,666    16
             Aggregated Link 4 Ports   4             5,000    14
10 Gbps      Single Port               2             2,000    2
             Aggregated Link 2 Ports   2             1,000    1
             Aggregated Link 3 Ports   2             666      1
             Aggregated Link 4 Ports   2             500      1
In the calculation of the path cost value of an aggregated link, 802.
Configuration example I
# Configure the path cost of Ethernet 1/1/1 in MST instance 1 to 2000.
system-view
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] stp instance 1 cost 2000
Configuration example II
# Configure MSTP to automatically calculate the path cost of Ethernet 1/1/1 based on the IEEE 802.1D-1998 standard.
Configuration example
# Set the priority of port Ethernet 1/1/1 to 16 in MST instance 1.
system-view
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] stp instance 1 port priority 16
Configuring Whether Ports Connect to Point-to-Point Links
Refer to “Configuring Whether Ports Connect to Point-to-Point Links” on page 118.
Configuring the MSTP Packet Format for Ports
Enabling the MSTP Feature
Performing mCheck
CAUTION: The stp mcheck command is meaningful only when the device works in the MSTP (or RSTP) mode, not in the STP-compatible mode.
Configuration example
# Perform mCheck on port Ethernet 1/1/1.
Configuring the VLAN Ignore Feature
■ Ethernet 1/1/1 on Switch A and Ethernet 1/1/2 on Switch B allow VLAN 1 to pass. Ethernet 1/1/3 on Switch A and Ethernet 1/1/4 on Switch B allow VLAN 2 to pass.
■ Switch A is the root bridge, and both Switch A and Switch B run MSTP. Ethernet 1/1/4 on Switch B is blocked, causing traffic block on VLAN 2.
■ Configure VLAN Ignore to keep the ports in VLAN 2 on Switch B in the forwarding state.
Configuring Digest Snooping
Configuration Procedure
Follow these steps to configure Digest Snooping:
To do... Use the command...
Network diagram
Figure 32 Digest Snooping configuration
Configuration procedure
1 Enable Digest Snooping on Switch A
# Enable Digest Snooping on Ethernet 1/1/2.
system-view
[SysnameA] interface ethernet 1/1/2
[SysnameA-Ethernet1/1/2] stp config-digest-snooping
# Enable global Digest Snooping.
Figure 33 Rapid state transition mechanism on the MSTP designated port (the upstream switch sends a proposal for rapid transition on its designated port; the downstream switch blocks its other non-edge ports, changes its root port to forwarding, and sends an agreement to the upstream switch; the upstream designated port then changes to the forwarding state)
Figure 34 Rapid state transition mechanism on the RSTP designated port (upstream switch, downstream switch, proposal for rapid transition, agreement)
To do... Use the command... Remarks
Enter Ethernet interface view or port group view:
  Enter Ethernet interface view: interface interface-type interface-number
  Enter port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: Choose either.
Enable No Agreement Check: stp no-agreement-check. Required. Not enabled by default.
Configuration Examples
The No Agreement Check feature can take effect only when it is enabled on the root port.
Among loop guard, root guard and edge port setting, only one function can take effect on the same port at the same time.
These protection functions work as follows:
■ BPDU guard
For access layer devices, the access ports generally have user terminals (such as PCs) or file servers directly connected to them. These ports are usually configured as edge ports to allow rapid transition.
■ TC-BPDU attack guard
A device removes the corresponding forwarding entries upon receiving a TC-BPDU (a PDU notifying of a topology change). If a malicious user forges a large number of TC-BPDUs and sends them to a device in a short period, the device may be busy removing forwarding entries, which decreases the performance of the switch and introduces potential stability risks. The TC-BPDU attack guard function can relieve a switch from this problem.
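An illustrative model of what the TC-BPDU attack guard achieves, added here as an example and not the switch's own algorithm (the guide does not describe its internals): forwarding-table flushes are rate-limited per time window, and TC-BPDUs arriving beyond the limit only mark a flush as pending, to be served once when the window expires. The window length, the flush limit and the burst timestamps are constructed values.

```python
from typing import List, Tuple


def flushes_without_guard(tc_times: List[float]) -> int:
    """With the guard disabled, every received TC-BPDU triggers a flush of the
    forwarding entries, so a burst of N forged TC-BPDUs costs N flushes."""
    return len(tc_times)


def simulate_tc_guard(tc_times: List[float], period: float = 10.0,
                      max_flushes: int = 1) -> Tuple[int, int]:
    """Model the effect of a TC-BPDU guard on forwarding-table flushes.

    tc_times    : sorted arrival timestamps (seconds) of received TC-BPDUs
    period      : length of the guard window in seconds (constructed value)
    max_flushes : flushes performed at once within one window (constructed value)
    Returns (immediate_flushes, deferred_flushes).

    Illustrative rate-limiting model only, not the Switch 8800's actual
    stp tc-protection implementation.
    """
    window_start = None
    flushes_in_window = 0
    pending = False          # a TC-BPDU was seen but its flush was postponed
    immediate = deferred = 0
    for t in tc_times:
        if window_start is None or t - window_start >= period:
            if pending:
                # The window is over: one flush covers every deferred TC-BPDU,
                # so a burst collapses into a single extra flush.
                deferred += 1
                pending = False
            window_start, flushes_in_window = t, 0
        if flushes_in_window < max_flushes:
            immediate += 1
            flushes_in_window += 1
        else:
            pending = True   # remember the change, but do not flush again now
    if pending:
        deferred += 1        # served when the last window expires
    return immediate, deferred


# Constructed samples: a burst of 200 TC-BPDUs within one second (the pattern
# the guide warns about) and three legitimate topology changes 30 s apart.
BURST = [i * 0.005 for i in range(200)]
NORMAL = [0.0, 30.0, 60.0]

if __name__ == "__main__":
    print("burst without guard:", flushes_without_guard(BURST))   # 200 flushes
    print("burst with guard   :", simulate_tc_guard(BURST))       # (1, 1)
    print("normal with guard  :", simulate_tc_guard(NORMAL))      # (3, 0)
```

The two calls on BURST show the trade-off the guide describes: without the guard the switch would flush its forwarding table 200 times in a second, while with the guard it flushes once immediately and once more after the window, at the price of delaying the table update for a genuine change that arrives inside the window.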
Configuration procedure
Follow these steps to enable the TC-BPDU attack guard function:
To do... Use the command... Remarks
Enter system view: system-view
Enable the TC-BPDU attack guard function: stp tc-protection enable. Optional. Enabled by default.
Configuration example
# Enable the TC-BPDU attack guard function.
system-view
[Sysname] stp tc-protection enable
Displaying and Maintaining MSTP
To do... Use the command...
MSTP Configuration Examples
Network diagram
Figure 36 Network diagram for MSTP configuration
"Permit:" beside each link in the figure is followed by the VLANs whose packets are permitted to pass this link.
Configuration procedure
1 Configuration on Switch A
# Configure an MST region.
system-view
[SysnameB] stp region-configuration
[SysnameB-mst-region] region-name example
[SysnameB-mst-region] instance 1 vlan 10
[SysnameB-mst-region] instance 3 vlan 30
[SysnameB-mst-region] instance 4 vlan 40
[SysnameB-mst-region] revision-level 0
# Activate MST region configuration manually.
[SysnameB-mst-region] active region-configuration
[SysnameB-mst-region] quit
# Configure Switch B as the root bridge of MST instance 3.
4 Configuration on Switch D
# Configure an MST region.
system-view
[SysnameD] stp region-configuration
[SysnameD-mst-region] region-name example
[SysnameD-mst-region] instance 1 vlan 10
[SysnameD-mst-region] instance 3 vlan 30
[SysnameD-mst-region] instance 4 vlan 40
[SysnameD-mst-region] revision-level 0
# Activate MST region configuration manually.
12 GVRP CONFIGURATION
GARP VLAN registration protocol (GVRP) is a GARP application. Based on the operating mechanism of GARP, GVRP maintains and propagates dynamic VLAN registration information for the GVRP devices on a network.
■ Leave, to deregister some attribute with other participants. Together with Join messages, Leave messages help GARP participants complete attribute reregistration and deregistration.
■ LeaveAll, to deregister all attributes. A LeaveAll message is sent upon expiration of the LeaveAll timer, which starts upon the startup of a GARP application entity.
GARP message format
The following figure illustrates the format of GARP messages, which are carried in GARP PDUs.
Figure 37 GARP message format (GARP PDU structure: Protocol ID, Message 1 ... Message N, End Mark; Message structure: Attribute Type, Attribute List; Attribute List: Attribute 1 ... Attribute N; Attribute structure: Attribute Length ...)
GVRP
GVRP enables a device to propagate local VLAN registration information to other participant devices and to dynamically update its local database with the VLAN registration information received from other devices, recording the active VLAN members and the port through which each can be reached. It thus ensures that all GVRP participants on a LAN maintain the same VLAN registration information.
■ Because GVRP is not compatible with the BPDU tunneling feature, you must disable BPDU tunneling before enabling GVRP on a BPDU tunneling-enabled Ethernet interface.
■ Because global GVRP is not compatible with Isolate-user-VLAN, make sure that no Isolate-user-VLAN has been created on the switch before enabling GVRP.
■ You should enable GVRP globally before enabling it on a port.
Configuring GARP Timers
system-view
[SysnameB] gvrp
# Configure port Ethernet1/1/2 as a trunk port, allowing all VLANs to pass.
[SysnameB] interface ethernet 1/1/2
[SysnameB-Ethernet1/1/2] port link-type trunk
[SysnameB-Ethernet1/1/2] port trunk permit vlan all
# Enable GVRP on Ethernet1/1/2, the trunk port.
[SysnameB-Ethernet1/1/2] gvrp
[SysnameB-Ethernet1/1/2] quit
# Create VLAN 3 (a static VLAN).
system-view
[SysnameA] gvrp
# Configure port Ethernet1/1/1 as a trunk port, allowing all VLANs to pass.
[SysnameA] interface ethernet 1/1/1
[SysnameA-Ethernet1/1/1] port link-type trunk
[SysnameA-Ethernet1/1/1] port trunk permit vlan all
# Enable GVRP on Ethernet1/1/1.
[SysnameA-Ethernet1/1/1] gvrp
# Set the GVRP registration type to fixed on the port.
The following dynamic VLANs exist:
GVRP Configuration Example III
Network requirements
Configure GVRP for dynamic VLAN information registration and update between the switches. Set the "forbidden" GVRP registration mode on the trunk port of Switch A and keep the default "normal" mode on the trunk port of Switch B.
[SysnameB] interface ethernet 1/1/2
[SysnameB-Ethernet1/1/2] port link-type trunk
[SysnameB-Ethernet1/1/2] port trunk permit vlan all
# Enable GVRP on Ethernet1/1/2.
[SysnameB-Ethernet1/1/2] gvrp
[SysnameB-Ethernet1/1/2] quit
# Create VLAN 3 (a static VLAN).
[SysnameB] vlan 3
[SysnameB-vlan3] return
3 Verify the configuration
# Display dynamic VLAN information on Switch A.
13 BPDU TUNNELING CONFIGURATION
When configuring BPDU tunneling, refer to the following sections:
■ “Introduction to BPDU Tunneling” on page 149
■ “Configuring BPDU Isolation” on page 150
■ “Configuring BPDU Transparent Transmission” on page 151
■ “BPDU Tunneling Configuration Example” on page 152
Introduction to BPDU Tunneling
Why BPDU Tunneling
To avoid loops in your network, you can enable the spanning tree protocol (STP) on your device.
BPDU isolation
When a port receives BPDUs of other networks, the port discards the BPDUs, so that they do not take part in spanning tree calculation. Refer to “Configuring BPDU Isolation” on page 150.
BPDU transparent transmission
As shown in Figure 41, the upper part is the service provider network, and the lower part represents the customer networks. The customer networks include network A and network B.
Configuring BPDU Transparent Transmission
To do... Use the command... Remarks
Enter system view: system-view
Enable BPDU tunneling globally: bpdu-tunnel dot1q enable. Optional. Enabled by default. The BPDU tunneling configured on a port cannot take effect unless BPDU tunneling is enabled globally.
■ The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For an introduction to GVRP, refer to “GVRP Configuration” on page 139.
BPDU Tunneling Configuration Example
Network requirements
■ Customer A, Customer B, Customer C, and Customer D are customer network access devices.
2 Configuration on Provider B
# Configure BPDU isolation on Ethernet 1/1/2.
system-view
[Sysname] interface ethernet 1/1/2
[Sysname-Ethernet1/1/2] port access vlan 4
[Sysname-Ethernet1/1/2] undo ntdp enable
[Sysname-Ethernet1/1/2] bpdu-tunnel dot1q enable
3 Configuration on Provider C
# Configure BPDU transparent transmission on Ethernet 1/1/3.
14 VLAN CONFIGURATION
When configuring VLAN, go to these sections for information you are interested in:
■ “Introduction to VLAN” on page 155
■ “Configuring Basic VLAN Attributes” on page 157
■ “Configuring VLAN Interface Basic Attributes” on page 157
■ “Configuring the Port-Based VLAN” on page 158
■ “Configuring the Protocol-Based VLAN” on page 161
■ “Displaying and Maintaining VLAN” on page 163
■ “VLAN Configuration Examples” on page 163
Introduction to VLAN
VLAN Overview
The communicatio
A VLAN is not restricted by physical factors; that is to say, hosts that reside in different network segments may belong to the same VLAN, and a VLAN can be within the same switch or span multiple switches or routers. VLAN technology has the following advantages:
■ Broadcast traffic is confined to each VLAN, reducing bandwidth utilization and improving network performance.
■ LAN security is improved.
VLAN Fundamental
■ The CFI field, one bit in length, specifies whether or not the MAC addresses are encapsulated in standard format when packets are transmitted across different media. This field is not described here.
■ The VLAN ID field, 12 bits in length and with its value ranging from 0 to 4095, identifies the ID of the VLAN a packet belongs to. As VLAN IDs 0 and 4095 are reserved by the protocol, the actual value of this field ranges from 1 to 4094.
Configuring Basic VLAN Attributes
■ An Access port belongs to only one VLAN. Therefore, its default VLAN is the VLAN it belongs to and cannot be configured.
■ You can configure the default VLAN for the Trunk port or the Hybrid port, as they can both belong to multiple VLANs.
To do... Use the command... Remarks
Enter VLAN view: vlan vlan-id. Required. The VLAN must be created before entering its view.
Add an Access port to the current VLAN: port interface-list. Required. By default, the system adds all ports to VLAN 1.
Follow these steps to configure the Access-port-based VLAN in Ethernet interface view/port group view:
To do... Use the command...
To do... Use the command... Remarks
Configure the default VLAN for the Trunk port: port trunk pvid vlan vlan-id. Optional. VLAN 1 is the default.
■ To convert a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then as a Hybrid port.
Configuring the Hybrid-Port-Based VLAN
Configuring the Protocol-Based VLAN
categorize VLANs include IP, IPX, and AppleTalk (AT). The encapsulation formats include Ethernet II, 802.3, 802.3/802.2 LLC, and 802.3/802.2 SNAP. A protocol-based VLAN can be defined by a protocol template, which is determined by the encapsulation format and the protocol type. A port can be associated with multiple protocol templates. An untagged packet (that is, a packet carrying no VLAN tag) reaching a port associated with a protocol-based VLAN is processed as follows.
To do... Use the command... Remarks
Enter Ethernet interface view or port group view:
  Enter Ethernet interface view: interface interface-type interface-number
  Remarks: Use either command.
Displaying and Maintaining VLAN
■ The default VLAN ID of the Trunk port is 100;
■ The Trunk port allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass.
Network diagram
Figure 46 Network diagram for port-based VLAN configuration (Switch A and Switch B, each using port Eth1/1/1)
Configuration procedure
Configure Switch A:
# Create VLAN 100.
system-view
[SysnameA] vlan 100
[SysnameA-vlan100] quit
# Enter Ethernet interface view of Ethernet 1/1/1.
Network diagram
Figure 47 Network diagram for protocol-based VLAN configuration (Host A, Host B, Switch A, Switch B, the IP network, and ports Eth1/1/1 and Eth1/1/2)
Configuration procedure
# Create VLAN 2 and VLAN 6 and configure them as protocol-based VLANs.
15 SUPER VLAN CONFIGURATION
When configuring super VLAN, go to these sections for information you are interested in:
■ “Introduction to Super VLAN” on page 167
■ “Configuring Super VLAN” on page 167
■ “Displaying Super VLAN” on page 168
■ “Super VLAN Configuration Example” on page 168
Introduction to Super VLAN
With the development of networks, network address resources have become more and more scarce. The concept of Super VLAN was introduced to save the IP address space.
Network diagram
Figure 48 Network diagram for super-VLAN configuration (VLAN 2, VLAN 3, and VLAN 5 under Vlan-int10, 10.0.0.1/24)
Configuration procedure
# Create VLAN 10 and configure its VLAN interface address as 10.0.0.1/24.
system-view
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
# Enable local proxy ARP.
16 ISOLATE-USER VLAN CONFIGURATION
When configuring Isolate-user VLAN, go to these sections for information you are interested in:
■ “Introduction to Isolate-User-VLAN” on page 171
■ “Configuring Isolate-User-VLAN” on page 172
■ “Displaying and Maintaining Isolate-User-VLAN” on page 173
■ “Isolate-User-VLAN Configuration Example” on page 173
Introduction to Isolate-User-VLAN
The isolate-user-VLAN adopts a two-tier VLAN structure.
Figure 49 Network diagram for isolate-user-VLAN configuration (Switch A, Switch B, VLAN 2, VLAN 5, VLAN 8, and VLAN 10)
Configuring Isolate-User-VLAN
Configure the isolate-user-VLAN through the following steps:
1 Create the isolate-user-VLAN;
2 Create the secondary VLAN;
3 Add ports to the isolate-user-VLAN (note that the ports cannot be Trunk ports) and ensure that at least one port has the isolate-user-VLAN as its default VLAN;
4 Add ports to the secondary VL
Displaying and Maintaining Isolate-User-VLAN
To do...
Isolate-User-VLAN Configuration Example
Network diagram
Figure 50 Isolate-User-VLAN configuration diagram (Switch A, Switch B, and Switch C; Host A through Host D; VLAN 2, VLAN 3, VLAN 5, and VLAN 6; ports Eth1/1/1, Eth1/1/2, Eth1/1/3, and Eth1/1/5)
Configuration procedure
The following are the configuration procedures for Switch B and Switch C.
1 Configure Switch B
# Configure the isolate-user-VLAN.
[SysnameC] vlan 3
[SysnameC-vlan3] port ethernet1/1/3
[SysnameC-vlan3] quit
[SysnameC] vlan 2
[SysnameC-vlan2] port ethernet1/1/2
[SysnameC-vlan2] quit
# Establish the mapping between the isolate-user-vlan and the secondary VLANs.
[SysnameC] isolate-user-vlan 6 secondary 2 to 3
Verification
# Display the isolate-user-VLAN configuration on Switch B.
17 PORT ISOLATION CONFIGURATION
When configuring port isolation, go to these sections for information you are interested in:
■ “Introduction to Port Isolation” on page 177
■ “Configuring Isolation Groups on a Device” on page 178
■ “Displaying Isolation Groups” on page 179
■ “Port Isolation Configuration Example” on page 179
Introduction to Port Isolation
To implement Layer 2 isolation, you can add different ports to different VLANs. However, this wastes the limited VLAN resource.
two types of connectivity of Layer 2 data on ports within and outside the isolation group, as shown in Figure 51:

Figure 51 Connectivity of layer 2 data between ports inside and outside an isolation group on a device supporting uplink port (legend: uplink ports in an isolation group, ordinary ports in an isolation group, ports outside the isolation group; connectivity shown between uplink ports in the same isolation group, ordinary ports in the same isolation group, and ports outside the isolation g
Enter Ethernet interface view or port group view (one of them is required):
  Enter Ethernet interface view
    interface interface-type interface-number
  Enter port group view
    port-group { manual port-group-name | aggregation agg-id }
  Remarks: Configured in Ethernet interface view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group.

Displaying Isolation Groups
Networking diagram

Figure 52 Networking diagram for port isolation configuration (labels: Internet, Switch, Eth1/1/1, Eth1/1/2, Eth1/1/3, Eth1/1/4, Host A, Host B, Host C)

Configuration procedure

# Create a VLAN, and add the ports to this VLAN.
system-view
[Sysname] vlan 2
[Sysname-vlan2] port ethernet 1/1/1 to ethernet 1/1/4
[Sysname-vlan2] quit
# Create Isolation Group 2.
18 QINQ CONFIGURATION

Introduction to QinQ

Understanding QinQ

In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a device can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.
■ Saves the public network VLAN ID resources.
■ Enables customers to plan their own private network VLAN IDs, without running into conflicts with public network VLAN IDs.
■ Provides a simple Layer 2 VPN solution for small-sized MANs or Enterprise networks.

Implementations of QinQ

For Switch 8800s, the QinQ feature is implemented through enabling the basic QinQ feature on ports.
Configuring Basic QinQ

Table 17 Protocol type values
Protocol type   Value
PPPoE           0x8863/0x8864
MPLS            0x8847/0x8848
IPX/SPX         0x8137
IS-IS           0x8000
LACP            0x8809
802.1x          0x888E
Cluster         0x88A7
Reserved        0xFFFD/0xFFFE/0xFFFF

Follow these steps to configure basic QinQ:
CAUTION:
■ Perform the above configuration on ports (of devices in the service provider network) with customer networks connected to them.
■ The qinq ethernet-type command needs to be coupled with the qinq enable command.

QinQ Configuration Examples

Network requirements
■ Provider A and Provider B are service provider network access devices.
■ Customer A and Customer B are customer network access devices.
# Configure Ethernet 1/1/4 as a trunk port and configure the port to permit frames of VLAN 10.
[Sysname] interface ethernet 1/1/4
[Sysname-Ethernet1/1/4] port link-type trunk
[Sysname-Ethernet1/1/4] port trunk permit vlan 10
# Set the TPID value of Ethernet 1/1/4 to 0x8200.
[Sysname-Ethernet1/1/4] qinq ethernet-type 8200

2 Configuration on Provider B

# Enter system view.
system-view
[Sysname] vlan 10
[Sysname-vlan10] quit
# Enter Ethernet 1/1/2 port view.
19 IP ROUTING OVERVIEW

Go to these sections for information you are interested in:
■ “IP Routing and Routing Table” on page 187
■ “Routing Protocol Overview” on page 189
■ “Displaying and Maintaining a Routing Table” on page 191

The term "router" or router icon in this document refers to a router in a generic sense or a Layer 3 switch.

IP Routing and Routing Table

Routing

Routing in the Internet is achieved through routers.

Routing Through a Routing Table
■ Outbound interface: Specifies the interface through which the IP packets are to be forwarded.
■ IP address of the next hop: Specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address of the next hop.
■ Priority for the route: Routes to the same destination but having different next hops may have different priorities and be found by various routing protocols or manually configured.
Destination Network   Nexthop    Interface
10.0.0.0              10.0.0.1   2
11.0.0.0              11.0.0.1   1
12.0.0.0              11.0.0.2   1
13.0.0.0              13.0.0.4   3
14.0.0.0              13.0.0.2   3
15.0.0.0              13.0.0.2   3
16.0.0.0              10.0.0.2   2

Routing Protocol Overview

Static Routing and Dynamic Routing

Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies.
This chapter focuses on unicast routing protocols. For information on multicast routing protocols, refer to “IPv6 Multicast Routing and Forwarding Configuration” on page 515.

Version of IP protocol
IPv4 routing protocols: RIP, OSPF, BGP and IS-IS.
IPv6 routing protocols: RIPng, OSPFv3, BGP4+, IPv6 IS-IS.

Routing Protocols and Routing Priority

Different routing protocols may find different routes to the same destination. However, not all of those routes are optimal.
Route backup

Route backup can help improve network reliability. With route backup, you can configure multiple routes to the same destination, expecting the one with the highest priority to be the main route and all the rest backup routes. Under normal circumstances, packets are forwarded through the main route. When the main route goes down, the route with the highest priority among the backup routes is selected to forward packets.

Displaying and Maintaining a Routing Table
20 ARP CONFIGURATION

When configuring ARP, go to these sections for information you are interested in:
■ “ARP Overview” on page 193
■ “Configuring ARP” on page 195
■ “Configuring Gratuitous ARP” on page 197
■ “Configuring ARP Source Suppression” on page 198
■ “Configuring ARP Defense against IP Packet Attack” on page 199
■ “Displaying and Maintaining ARP” on page 199

ARP Overview

ARP Function

Address resolution protocol (ARP) is used to resolve an IP address into a MAC address.
■ Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value "0x0800" represents an IP address.
■ Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is "6".

ARP Address Resolution Process
4 After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.

When Host A and Host B are not on the same subnet, a gateway helps finish ARP address resolution.

ARP Mapping Table

After obtaining the destination MAC address, the device adds the IP-to-MAC mapping into its own ARP mapping table.
CAUTION:
■ A static ARP entry is effective when the Ethernet switch works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved.

Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn

Setting Aging Time for Dynamic ARP Entries
Suppose that the IP address of Vlan-interface10 is 10.10.10.5/24 and that this interface receives an ARP packet from 10.11.11.1. Because these two IP addresses are not on the same subnet, Vlan-interface10 cannot process the packet. With this feature enabled, the device makes the judgment on a natural network basis: because the IP address of Vlan-interface10 is a Class A address and its default mask length is 8, these two IP addresses are on the same natural network.

Configuring Gratuitous ARP
A device can implement the following functions by sending gratuitous ARP packets:
■ Determining whether its IP address is already used by another device.
■ Informing other devices of its MAC address change so that they can update their ARP entries.

A device receiving a gratuitous ARP packet can add the information carried in the packet to its own dynamic ARP entry table if it finds no corresponding ARP entry for the ARP packet in the cache.
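The ARP message fields described earlier in this chapter and the two uses of gratuitous ARP listed above, as an added Python example that is not part of the guide: it decodes constructed Ethernet/ARP frames, learns an entry only when none exists, and flags both an announcement of the monitor's own IP (an address conflict) and a MAC change for an IP it already knows. The addresses, MACs and the "learn only if absent, log a MAC change rather than overwrite" policy are constructed for the demo.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(src_mac: str, sender_ip: str, target_ip: str,
              target_mac: str = "00:00:00:00:00:00", op: int = ARP_REQUEST) -> bytes:
    """Constructed Ethernet/ARP frame used as test input (not captured from a switch)."""
    eth = _mac("ff:ff:ff:ff:ff:ff") + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    # Hardware type 1 (Ethernet), protocol type 0x0800 (IP), address lengths 6 and 4.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(src_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode the ARP fields; None for anything that is not a well-formed Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
    ip_str = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own address: sender IP equals target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class ArpMonitor:
    """Models a device's dynamic ARP table and the two uses of gratuitous ARP listed above."""

    def __init__(self, my_ip: str, my_mac: str):
        self.my_ip, self.my_mac = my_ip, my_mac.lower()
        self.table: Dict[str, str] = {}     # IP -> MAC learned from gratuitous ARP
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None:
            return "malformed"
        if not is_gratuitous(arp):
            return "not-gratuitous"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == self.my_ip and mac != self.my_mac:
            # Use 1: another device announcing our IP means the address is already in use.
            self.alerts.append(f"ip-conflict: {ip} also claimed by {mac}")
            return "conflict"
        known = self.table.get(ip)
        if known is None:
            # The device adds an entry only when it has none for this IP.
            self.table[ip] = mac
            return "learned"
        if known != mac:
            # Use 2: a MAC change announcement. Recorded rather than applied blindly, so an
            # operator can tell a replaced NIC from an attempt to take over the IP.
            self.alerts.append(f"mac-change: {ip} {known} -> {mac}")
            return "mac-change"
        return "refresh"


def run_demo() -> Tuple[List[str], List[str]]:
    """Feed constructed frames through the monitor; returns (verdicts, alerts)."""
    mon = ArpMonitor("10.0.0.1", "00:11:22:33:44:55")
    frames = [
        build_arp("aa:bb:cc:dd:ee:01", "10.0.0.2", "10.0.0.2"),   # normal announcement
        build_arp("aa:bb:cc:dd:ee:01", "10.0.0.2", "10.0.0.2"),   # repeat with the same MAC
        build_arp("aa:bb:cc:dd:ee:02", "10.0.0.2", "10.0.0.2"),   # same IP, different MAC
        build_arp("aa:bb:cc:dd:ee:03", "10.0.0.1", "10.0.0.1"),   # claims the monitor's own IP
        build_arp("aa:bb:cc:dd:ee:01", "10.0.0.2", "10.0.0.9"),   # ordinary request, ignored
        b"\x00" * 30,                                             # truncated junk
    ]
    return [mon.observe(f) for f in frames], mon.alerts
```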
Configuring ARP Defense against IP Packet Attack

Introduction to ARP Defense against IP Packet Attack

In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution is successful, the forwarding chip forwards the packet directly. Otherwise, the device runs software for further processing.
21 PROXY ARP CONFIGURATION

When configuring proxy ARP, go to these sections for information you are interested in:
■ “Proxy ARP Overview” on page 201
■ “Enabling Proxy ARP” on page 201
■ “Displaying and Maintaining Proxy ARP” on page 202

Proxy ARP Overview

For an ARP request of a host on a network to be forwarded to an interface that is on the same network but isolated at Layer 2 or a host on another network, the device connecting the two physical or virtual networks must be able to respond to the
Displaying and Maintaining Proxy ARP

Display whether proxy ARP is enabled
  display proxy-arp [ interface interface-type interface-number ]
  Available in any view
Display whether local proxy ARP is enabled
  display local-proxy-arp [ interface interface-type interface-number ]
  Available in any view

Proxy ARP Configuration Example

Network requirement

Host A belongs to VLAN 1, and Host D belongs to VLAN 2.
For the local proxy ARP configuration example, refer to “Super VLAN Configuration” on page 167.
22 IP ADDRESSING CONFIGURATION

When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
■ “IP Addressing Overview” on page 205
■ “Configuring IP Addresses” on page 207
■ “Displaying IP Addressing Configuration” on page 210

IP Addressing Overview

This section covers these topics:
■ “IP Address Classes” on page 205
■ “Special Case IP Addresses” on page 206
■ “Subnetting and Masking” on page 206
■ “IP Unnumbered”

IP Address Classes
Figure 60 IP address classes (bit positions 0, 7, 15, 23, 31): Class A starts with bit 0, then Net-id and Host-id; Class B starts with bits 1 0, then Net-id and Host-id; Class C starts with bits 1 1 0, then Net-id and Host-id; Class D starts with bits 1 1 1 0 and is a multicast address; Class E starts with bits 1 1 1 1 and is reserved.

Table 18 describes the address ranges of these five classes. Currently, the first three classes of IP addresses are used in quantity.

Table 18 IP address classes and ranges
Class   Address range                  Description
A       0.0.0.0 to 127.255.255.
Each subnet mask comprises 32 bits related to the corresponding bits in an IP address. In a subnet mask, the part containing consecutive ones identifies the combination of net-id and subnet-id, whereas the part containing consecutive zeros identifies the host-id. Subnetting is valid within a single network; all these subnetworks appear as one network.
This chapter only covers how to assign an IP address manually. For IP address assignment through DHCP, refer to “DHCP Address Allocation” on page 717.
Network diagram

Figure 62 Network diagram for IP addressing configuration (labels: 172.16.1.0/24, 172.16.2.0/24, Switch, Vlan-int1 172.16.1.1/24 and 172.16.2.1/24 sub, Host A, Host B, 172.16.1.2/24, 172.16.2.2/24)

Configuration procedure

# Assign a primary IP address and a secondary IP address to Vlan-interface1.
system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Sysname-Vlan-interface1] ip address 172.16.2.
ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.
23 IPV6 BASICS CONFIGURATION

When configuring IPv6 basics, go to these sections for information you are interested in:
■ “IPv6 Overview” on page 211
■ “Configuring Basic IPv6 Functions” on page 221
■ “Configuring IPv6 NDP” on page 222
■ “Configuring PMTU Discovery” on page 226
■ “Configuring IPv6 TCP Properties” on page 227
■ “Configuring IPv6 FIB-Based Forwarding” on page 228
■ “Configuring Capacity and Update Period of Token Bucket” on page 228
■ “Configur

IPv6 Overview

IPv6 Features
Figure 63 Comparison between IPv4 packet header format and basic IPv6 packet header format
IPv4 header (bits 0 to 31): Ver, HL, ToS, Total length; Identification, F, Fragment offset; TTL, Protocol, Header checksum; Source address (32 bits); Destination address (32 bits); Options, Padding.
Basic IPv6 header (bits 0 to 31): Ver, Traffic class, Flow label; Payload length, Next header, Hop limit; Source address (128 bits); Destination address (128 bits).

Adequate ad
Enhanced neighbor discovery mechanism

The IPv6 neighbor discovery protocol is a group of Internet control message protocol version 6 (ICMPv6) messages that manages the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of address resolution protocol (ARP) messages, Internet control message protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages, and provides a series of other functions.
■ Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
■ Anycast address: An identifier for a set of interfaces (typically belonging to different nodes).
Multicast address

IPv6 multicast addresses listed in Table 20 are reserved for special purposes.
■ “Neighbor reachability detection” on page 218
■ “Duplicate address detection” on page 218
■ “Router/prefix discovery and address autoconfiguration” on page 218
■ “Redirection” on page 219

Table 21 lists the types and functions of ICMPv6 messages used by the NDP.
Table 21 Types and functions of ICMPv6 messages
ICMPv6 message                        Number   Function
Neighbor advertisement (NA) message   136      Used to respond to an NS message. When the link layer changes, the local node initiates an NA message to notify neighbor nodes of the node information change.
Router solicitation (RS) message      133      After startup, a host sends an RS message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration.
solicited-node multicast address of node B. The NS message contains the link-layer address of node A.
2 After receiving the NS message, node B judges whether the destination address of the packet corresponds to the solicited-node multicast address. If yes, node B unicasts an NA message containing its link-layer address.
3 Node A acquires the link-layer address of node B from the NA message. After that, node A and node B can communicate.
Stateless address autoconfiguration means that a host automatically configures an IPv6 address according to the information obtained through router/prefix discovery. The router/prefix discovery is implemented through RS and RA messages. The router/prefix discovery procedure is as follows:
1 After startup, a host sends an RS message to request the router for the address prefix and other configuration information for the purpose of autoconfiguration.
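The address-resolution exchange described above (NS to the solicited-node multicast group, unicast NA back), the address a host forms from a discovered prefix plus its EUI-64 interface ID, and the unspecified source address an NS carries during duplicate address detection, as an added Python example that is not from the guide. The MAC 00:11:22:33:44:55 and the prefix 2001::/64 are constructed sample values, and NS fields are modelled as a dict rather than a real ICMPv6 packet.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import Iterable, Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID: split the MAC, insert ff:fe, flip the U/L bit (0x02)."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix: str, mac: str) -> IPv6Address:
    """Address a host forms from a /64 prefix (learned via RA, or fe80::/64 for link-local)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> IPv6Address:
    return slaac_address("fe80::/64", mac)


def solicited_node_address(addr: str) -> IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = IPv6Address(addr).packed[-3:]
    return IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def solicited_node_mac(addr: str) -> str:
    """Ethernet destination for that group: 33:33 followed by the low 32 bits."""
    tail = solicited_node_address(addr).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in tail)


def build_ns(target: str, source: Optional[str], for_dad: bool = False) -> dict:
    """Header fields of the NS node A sends (step 1). For DAD the source is unspecified (::)."""
    src = IPv6Address("::") if for_dad else IPv6Address(source)
    return {"src": src, "dst": solicited_node_address(target),
            "dst_mac": solicited_node_mac(target), "target": IPv6Address(target)}


def should_answer_ns(ns: dict, my_addrs: Iterable[str]) -> bool:
    """Step 2: node B unicasts an NA only if the NS reached it on the solicited-node group of
    an address it owns (or at that address directly) and the target is that address."""
    target = ns["target"]
    if target not in {IPv6Address(a) for a in my_addrs}:
        return False
    return ns["dst"] in (target, solicited_node_address(str(target)))
```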
The working procedure of the PMTU discovery is as follows:
1 The source host uses its MTU to fragment packets and then sends them to the destination host.
2 If the MTU supported by the forwarding interface is less than the packet size, the forwarding device will discard the packet and return an ICMPv6 error packet containing the interface MTU to the source host.
Configuring Basic IPv6 Functions

Enabling the IPv6 Packet Forwarding Function

Before IPv6-related configurations, you must enable the IPv6 packet forwarding function. Otherwise, an interface cannot forward IPv6 packets even if an IPv6 address is configured, resulting in communication failures in the IPv6 network. Follow these steps to enable the IPv6 packet forwarding function:

Configuring an IPv6 Unicast Address
Configure an IPv6 link-local address (optional):
  Automatically generate a link-local address
    ipv6 address auto link-local
  Manually assign a link-local address for an interface
    ipv6 address ipv6-address link-local

By default, after an IPv6 site-local address or global unicast address is configured for an interface, a link-local address will be generated automatically.
Configure a static neighbor entry
  ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
  Required

CAUTION: You can adopt either of the two methods above to configure a static neighbor entry for a VLAN interface.

Configuring the Maximum Number of Neighbors Dynamically Learned
Table 22 Parameters in an RA message and their descriptions
Parameters      Description
Cur hop limit   When sending an IPv6 packet, a host uses the value of this parameter to fill the Cur Hop Limit field in IPv6 headers. Meanwhile, the value of this parameter is equal to the value of the Cur Hop Limit field in response messages of the device.
Configure the current hop limit
  ipv6 nd hop-limit value
  Optional; 64 by default.
Enter interface view
  interface interface-type interface-number
  -
Disable the RA message suppression
  undo ipv6 nd ra halt
  Optional; by default, RA messages are suppressed.
CAUTION: The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages.

Configuring the Number of Attempts to Send an NS Message for DAD

An interface sends a neighbor solicitation (NS) message for DAD after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.
Enter system view
  system-view
  -
Configure a static PMTU for a specified IPv6 address
  ipv6 pathmtu ipv6-address [ value ]
  Required; by default, no static PMTU is configured.

Configuring the Aging Time for PMTU
Configuring IPv6 FIB-Based Forwarding

With the caching function of IPv6 FIB enabled, the device searches the FIB cache when forwarding packets, thus reducing the lookup time for IP packets and improving the forwarding efficiency. In the load sharing mode of IPv6 FIB, the device can decide how to select an equal cost multi-path (ECMP) route to forward packets.
Configure the capacity and update period of the token bucket
  ipv6 icmp-error { bucket bucket-size | ratelimit interval }*
  Optional. By default, the capacity of a token bucket is 10 and the update period is 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be sent within these 100 milliseconds. The update period "0" indicates that the number of ICMPv6 error packets sent is not restricted.

Configuring IPv6 DNS
Configure the DNS suffix
  dns domain domain-name
  Required. By default, no DNS suffix is configured, that is, the domain name is resolved according to the input information.

The dns resolve and dns domain commands are the same as those of IPv4 DNS. For details about the commands, refer to the Switch 8800 Command Reference Guide.

Displaying and Maintaining IPv6 Basics Configuration
Clear the statistics of IPv6 packets
  reset ipv6 statistics [ slot slot-number ]
Clear all IPv6 TCP connection statistics
  reset tcp ipv6 statistics
Clear the statistics of all IPv6 UDP packets
  reset udp ipv6 statistics

The display dns domain and display dns server commands are the same as those of IPv4 DNS. For details about the commands, refer to the Switch 8800 Command Reference Guide.

IPv6 Configuration Examples
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ipv6 address auto link-local
# Configure an EUI-64 address for the interface VLAN-interface 2.
[SwitchB-Vlan-interface2] ipv6 address 2001::/64 eui-64
# Configure a global unicast address for VLAN-interface 2.
[SwitchB-Vlan-interface2] ipv6 address 3001::2/64

Verification

# Display the IPv6 information of the interface on Switch A.
CAUTION: When you ping a link-local address, you should use the "-i" parameter to specify an interface for the link-local address.

Troubleshooting IPv6 Basics Configuration
Solution:
■ Carry out the display current-configuration command in any view or the display this command in system view to check that the IPv6 packet forwarding function is enabled.
■ Carry out the display ipv6 interface command in any view to check that the IPv6 address of the interface is correct and that the interface is up.
24 IP PERFORMANCE CONFIGURATION

When configuring IP performance, go to these sections for information you are interested in:
■ “IP Performance Overview” on page 235
■ “Enabling Forwarding of Directed Broadcasts to a Directly Connected Network” on page 235
■ “Configuring TCP Attributes” on page 237
■ “Configuring TCP MSS for the Interface” on page 238
■ “Configuring ICMP Error Packet Sending” on page 238
■ “Displaying and Maintaining IP Performance” on page 240

IP Performance Overview

In some
Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in System View)

Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in Interface View)

Follow these steps to enable the device to forward directed broadcasts:
# Configure IP addresses for Vlan-interface3 and Vlan-interface2.
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24
# Enable Vlan-interface2 to forward directed broadcasts.
[SwitchA-Vlan-interface2] ip forward-broadcast

■ Configure Switch B
# Enable Switch B to receive directed broadcasts.
Configure TCP synwait timer’s timeout value
  tcp timer syn-timeout time-value
  Optional; by default, the timeout value is 75 seconds.
Configure TCP finwait timer’s timeout value
  tcp timer fin-timeout time-value
  Optional; by default, the timeout value is 675 seconds.
Configure the size of TCP receive/send buffer
  tcp window window-size
  Optional; by default, the buffer is 8 kilobytes.
Switch 8800s will send ICMP redirect packets to the source host under the following conditions:
■ The receiving and forwarding interfaces are the same
■ The selected route has not been created or modified by an ICMP redirect packet
■ The selected route is not the default route of the switch
■ There is no source route option in the packet

When performing hardware forwarding, Switch 8800s will not forward ICMP redirect packets even if the above conditions a
When performing hardware forwarding, Switch 8800s will not forward ICMP destination unreachable packets even if the above conditions are satisfied.

Disadvantage of sending ICMP error packets

Although sending ICMP error packets facilitates control and management, it still has the following disadvantages:
■ Sending a lot of ICMP packets will increase network traffic.
Displaying and Maintaining IP Performance
25 ROUTING POLICY CONFIGURATION

A routing policy is used on a router for route inspection, filtering and attribute modification when routes are received, advertised, or redistributed.
ACL

ACL involves IPv4 ACL and IPv6 ACL. When defining an ACL, you can specify IP addresses and prefixes to match destinations or next hops of routing information. For ACL configuration, refer to “ACL Overview” on page 801.

IP prefix list

IP prefix list involves IPv4 and IPv6 prefix lists. An IP prefix list plays a role similar to an ACL, but it is more flexible than an ACL and easier to understand.
order of node sequence number. Once a node is matched, the routing policy is passed and the packet will not go through the next node. Each node comprises a list of if-match and apply clauses. The if-match clauses define the match criteria. The matching objects are some attributes of routing information. The different if-match clauses on a node are in a logical AND relationship.
Enter system view
  system-view
  -
Define an IPv4 prefix list
  ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal min-mask-length ] [ less-equal max-mask-length ]
  Required; not defined by default. If all items are set to the deny mode, no routes can pass the IPv4 prefix list. Therefore, you need to define the permit 0.0.0.
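The node and if-match evaluation described above, together with ip ip-prefix matching, as an added Python model that is not 3Com code. The list prefix-a (index 10 permit 172.17.1.0 24) is the one used in the configuration example later in this chapter; the list name catch-all, the policy name demo-policy, the tag values and the sample routes are constructed for the demo, and the greater-equal/less-equal range semantics are assumed to be the usual prefix-list ones (exact length unless widened).

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Network
from typing import Callable, List, Optional, Tuple


@dataclass
class PrefixItem:
    """One 'ip ip-prefix NAME index N {permit|deny} ADDR LEN [greater-equal MIN] [less-equal MAX]' item."""
    index: int
    permit: bool
    network: IPv4Network
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        # Assumed semantics: the route must lie inside ADDR/LEN and its own length must equal
        # LEN, unless greater-equal/less-equal widen the allowed range of lengths.
        if not route.subnet_of(self.network):
            return False
        low = self.greater_equal if self.greater_equal is not None else self.network.prefixlen
        if self.less_equal is not None:
            high = self.less_equal
        else:
            high = 32 if self.greater_equal is not None else self.network.prefixlen
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, name: str, items: List[PrefixItem]):
        self.name = name
        self.items = sorted(items, key=lambda i: i.index)   # evaluated in index order

    def permits(self, route: IPv4Network) -> bool:
        for item in self.items:
            if item.matches(route):
                return item.permit        # first matching item decides
        return False                      # no match: implicit deny, hence the catch-all item


@dataclass
class Route:
    prefix: IPv4Network
    tag: int = 0
    cost: int = 0


@dataclass
class Node:
    seq: int
    permit: bool
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: List[Callable[[Route], None]] = field(default_factory=list)


class RoutePolicy:
    def __init__(self, name: str, nodes: List[Node]):
        self.name = name
        self.nodes = sorted(nodes, key=lambda n: n.seq)     # nodes tried in sequence order

    def evaluate(self, route: Route) -> Tuple[bool, Route]:
        r = replace(route)                                  # work on a copy
        for node in self.nodes:
            if all(test(r) for test in node.if_match):      # if-match clauses are ANDed
                if node.permit:
                    for action in node.apply:               # apply clauses run on a permit node
                        action(r)
                    return True, r
                return False, r                             # matched a deny node: filtered
        return False, r                                     # matched no node: filtered


def run_demo() -> List[Tuple[str, bool, int]]:
    """Evaluate constructed routes; returns (prefix, passed, resulting cost) per route."""
    prefix_a = PrefixList("prefix-a", [PrefixItem(10, True, IPv4Network("172.17.1.0/24"))])
    catch_all = PrefixList("catch-all", [PrefixItem(10, True, IPv4Network("0.0.0.0/0"), less_equal=32)])
    policy = RoutePolicy("demo-policy", [
        Node(10, True, if_match=[lambda r: prefix_a.permits(r.prefix)],
             apply=[lambda r: setattr(r, "cost", 100)]),
        Node(15, False, if_match=[lambda r: r.tag == 99]),
        Node(20, True, if_match=[lambda r: catch_all.permits(r.prefix), lambda r: r.tag == 10]),
    ])
    routes = [Route(IPv4Network("172.17.1.0/24")),
              Route(IPv4Network("172.17.1.0/25")),              # longer than LEN: prefix-a misses
              Route(IPv4Network("172.17.2.0/24"), tag=10),
              Route(IPv4Network("192.168.0.0/16"), tag=99),     # hits the deny node
              Route(IPv4Network("10.0.0.0/8"), tag=10, cost=5)]
    out = []
    for rt in routes:
        ok, result = policy.evaluate(rt)
        out.append((str(rt.prefix), ok, result.cost))
    return out
```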
Defining an AS Path ACL

You can define multiple items for an AS path ACL that is identified by number. During matching, the relation between items is logical OR, that is, if the route matches one of these items, it passes the AS path ACL. To define an AS path ACL, use the following commands:

Defining a Community List
■ if-match clauses: Define the match criteria that routing information must satisfy. The matching objects are some attributes of routing information.
■ apply clauses: Specify the actions performed after the specified match criteria are satisfied, concerning attribute settings for passed routing information.

Prerequisites
Match RIP, OSPF, or IS-IS routes having the specified tag value
  if-match tag value
  Optional; not configured by default

■ The if-match clauses of a route-policy are in a logical AND relationship, namely, routing information has to satisfy all if-match clauses before being executed with apply clauses.
■ You can specify no or multiple if-match clauses for a routing policy.

Defining apply Clauses for the Routing Policy
Set a next hop for IPv4 routes
  apply ip-address next-hop ip-address
  Optional; not set by default. The next hop set using the apply ip-address next-hop command does not take effect for route redistribution.
Set a next hop for IPv6 routes
  apply ipv6 next-hop ipv6-address
  Optional; not set by default. The next hop set using the apply ip-address next-hop command does not take effect for route redistribution.

Displaying and Maintaining the Routing Policy
Clear IPv4 prefix list statistics
  reset ip ip-prefix [ ip-prefix-name ]
  Available in user view
Clear IPv6 prefix list statistics
  reset ip ipv6-prefix [ ipv6-prefix-name ]
  Available in user view

Routing Policy Configuration Examples

Applying Routing Policy When Redistributing IPv4 Routes

Network Requirements
■ Switch B exchanges routing information with Switch A via OSPF, with Switch C via IS-IS.
[SwitchC] interface vlan-interface 202
[SwitchC-Vlan-interface202] isis enable
[SwitchC-Vlan-interface202] quit
[SwitchC] interface vlan-interface 203
[SwitchC-Vlan-interface203] isis enable
[SwitchC-Vlan-interface203] quit
# Configure Switch B.
system-view
[SwitchB] isis
[SwitchB-isis-1] is-level level-2
[SwitchB-isis-1] network-entity 10.0000.0000.0002.
# Configure an ACL with the number of 2002, letting pass route 172.17.2.0/24.
[SwitchB] acl number 2002
[SwitchB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[SwitchB-acl-basic-2002] quit
# Configure an IP prefix list named prefix-a, letting pass route 172.17.1.0/24.
[SwitchB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24

5 Configure a routing policy.
Network diagram

Figure 71 Network diagram for routing policy application to route redistribution (labels: Switch A, Switch B; 20::/32, 30::/32, 40::/32; Vlan-int100 10::1/32, Vlan-int200 11::1/32, Vlan-int100 10::2/32)

Configuration procedure

1 Configure Switch A
# Configure IPv6 addresses for Vlan-interface 100 and Vlan-interface 200.
[SwitchB] ipv6
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ipv6 address 10::2 32
# Enable RIPng on Vlan-interface 100.
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Enable RIPng.
[SwitchB] ripng
# Display RIPng routing table information.
Troubleshooting Routing Policy Configuration

Processing procedure
1 Use the display ip ipv6-prefix command to display IP prefix list information.
2 Use the display route-policy command to display routing policy information.
26 STATIC ROUTING CONFIGURATION

When configuring a static route, go to the following sections for information you are interested in:
■ “Introduction” on page 259
■ “Configuring a Static Route” on page 260
■ “Displaying and Maintaining Static Routes” on page 262
■ “Configuration Example” on page 262

The term "router" in this document refers to a router in a generic sense or an Ethernet switch running routing protocols.
Application Environment of Static Routing

Before configuring a static route, you need to know the following concepts:
1 Destination address and mask
In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the number of consecutive 1s in the mask).
Configuring a Static Route

Enter system view
  system-view
  -
Configure a static route
  ip route-static dest-address { mask | mask-length } { gateway-address | interface-type interface-number [ gateway-address ] | vpn-instance d-vpn-instance-name gateway-address } [ preference preference-value ] [ tag tag-value ] [ description description-text ]
  Required. By default, the preference of static routes is 60, tag is 0, and no description information is configured.
Displaying and Maintaining Static Routes
Configuration Example
# Configure a default route on Switch C
system-view
[SwitchC] ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
3 Configure the hosts
The default gateways for the three hosts A, B and C are 1.1.2.3, 1.1.6.1 and 1.1.3.1 respectively.
4 View the configuration result
# Display the IP routing table of Switch A.
[SwitchA] display ip routing-table
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0
1.1.2.0/24
1.1.2.3/32
1.1.
# Use the tracert command on Host B to check reachability to Host A.
[HostB] tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.
Trace complete.
27 IPV6 STATIC ROUTING CONFIGURATION
When configuring IPv6 Static Routing, go to these sections for information you are interested in:
■ “Introduction to IPv6 Static Routing” on page 265
■ “Configuring an IPv6 Static Route” on page 265
■ “Displaying and Maintaining IPv6 Static Routes” on page 266
■ “IPv6 Static Routing Configuration Example” on page 266
The term "router" in this document refers to either a router in a generic sense or an Ethernet switch running routing protocols.
Introduction to IPv6 Static Routing
Configuring an IPv6 Static Route
To do... | Use the commands...
Displaying and Maintaining IPv6 Static Routes
IPv6 Static Routing Configuration Example
IPv6 Static Routing Configuration Example
Network diagram
Figure 73 Network diagram for static routes (on switches): Host A 1::2/64, Host B 2::2/64, Host C 3::2/64; Switch A, Switch B, Switch C; VLAN interface addresses 1::1/64 (Vlan-int100), 2::1/64 (Vlan-int400), 3::1/64 (Vlan-int500), 4::1/64 and 4::2/64 (Vlan-int200), 5::1/64 and 5::2/64 (Vlan-int300)
Configuration procedure
1 Configure the IPv6 addresses of all VLAN interfaces (Omitted)
2 Configure IPv6 static routes.
Destination: ::1  NextHop: ::1  Interface: InLoop0  Protocol: Direct  Preference: 0  Cost: 0
Destination: 1::  NextHop: 1::1  Interface: Vlan-interface100  Protocol: Direct  Preference: 0  Cost: 0
Destination: 1::1  NextHop: ::1  Interface: InLoop0  Protocol: Direct  Preference: 0  Cost: 0
Destination: FE80::  NextHop: ::  Interface: NULL0  Protocol: Direct  Preference: 0  Cost: 0
# Verify the connectivity with the ping command.
28 RIP CONFIGURATION
The term "router" in this document refers to a router in a generic sense or an Ethernet switch running routing protocols.
■ Egress interface: Packet outgoing interface.
■ Metric: Cost from the local router to the destination.
■ Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
■ Route tag: Identifies a route, used in routing policy to flexibly control routes. For information about routing policy, refer to “Routing Protocol Overview” on page 189.
RIP Overview
■ Poison reverse. A router sets the metric of routes received from a neighbor to 16 and sends these routes back to the neighbor to help delete useless information from the neighbor’s routing table.
■ Triggered updates. A router advertises updates as soon as the metric of a route changes rather than after the update period expires, to speed up network convergence.
RIP Version
RIP has two versions, RIP-1 and RIP-2.
■ IP Address: Destination IP address of the route; can be a natural network, a subnet or a host address.
■ Metric: Cost of the route.
RIP-2 message format
The format of a RIP-2 message is similar to that of RIP-1, as shown in Figure 75.
Figure 75 RIP-2 Message Format: a header (Command, Version, Unused) followed by route entries, each carrying AFI, Route tag, IP address, Subnet mask, Next hop and Metric
The differences from RIP-1 are as follows.
■ Version: Version of RIP.
RIP Overview
RFC 1723 only defines plain text authentication. For information about MD5 authentication, refer to “Configuring RIP-2 Message Authentication” on page 281.
TRIP
Triggered RIP (TRIP), a RIP extension for WANs, is mainly used in dial-up networks.
Working mechanism
Routing information is sent in triggered updates rather than periodic broadcasts to reduce the routing management cost on the WAN.
RFC 2082: RIP-2 MD5 Authentication
RFC 2091: Triggered Extensions to RIP to Support Demand Circuits
Configuring RIP Basic Functions
Configuration Prerequisites
Before configuring RIP features, finish the following tasks.
■ Configure the link layer protocol.
■ Configure the IP address on each interface, and make sure all adjacent routers are reachable from each other at the network layer.
Configuration Procedure
Configuring RIP Advanced Functions
To do... | Use the command... | Remarks
Enable the interface to send RIP messages | rip output | Optional. Enabled by default
Configuring a RIP version
You can configure a RIP version in RIP view or in interface view.
■ If neither a global nor an interface RIP version is configured, the interface sends RIP-1 broadcasts and can receive RIP-1 broadcast and unicast packets, and RIP-2 broadcast, multicast, and unicast packets.
■ “Configuring RIP-2 Route Summarization” on page 276
■ “Disabling Host Route Reception” on page 277
■ “Advertising a Default Route” on page 277
■ “Configuring Inbound/Outbound Route Filtering Policies” on page 278
■ “Configuring a Priority for RIP” on page 278
■ “Configuring RIP Route Redistribution” on page 278
Before configuring RIP routing features, finish the following tasks:
■ Configure an IP address for each in
Configuring an Additional Routing Metric
Configuring RIP Advanced Functions
To do... | Use the command... | Remarks
Enable RIP-2 automatic route summarization | summary | Optional. Enabled by default
Advertise a summary route
You can configure RIP-2 to advertise a summary route on the specified interface. To do so, use the following commands:
Disabling Host Route Reception
To do... | Use the command...
To do... | Use the command... | Remarks
Enable RIP to advertise a default route | default-route originate cost value | Required. Not enabled by default
A router enabled to advertise a default route does not receive default routes from RIP neighbors.
Configuring Inbound/Outbound Route Filtering Policies
Route filtering is supported by the router.
Optimizing the RIP Network
To do... | Use the command... | Remarks
Configure a default metric for redistributed routes | default-cost value | Optional
Redistribute routes from another protocol | import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | route-policy route-policy-name | tag tag ] * | Required
The default metric is applied if no metric is specified when redistributing routes.
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Enable split horizon | rip split-horizon | Optional. Enabled by default
Disabling the split horizon function on a point-to-point link does not take effect.
Optimizing the RIP Network
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter RIP view | rip [ process-id ] [ vpn-instance vpn-instance-name ] | -
Enable the zero field check on received RIP-1 messages | checkzero | Optional. Enabled by default
Enable source IP address validation on received RIP messages | validate-source-address | Optional. Enabled by default
■ The zero field check is invalid for RIP-2 messages.
Configuring RIP-2 Message Authentication
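The RIP-2 message format described under RIP Overview and the two receive-side checks configured here (checkzero for the must-be-zero fields of RIP-1 messages, validate-source-address for the sender) as an added Python example; this is not 3Com code, the sample messages are constructed and modelled on the Switch A/B example (peer 192.168.1.2 on Vlan-interface100), and the RIP-1 classful mask derivation is simplified.

```python
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")       # Command, Version, Unused (must be zero)
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, Route tag, IP address, Subnet mask, Next hop, Metric
AFI_INET = 2
AFI_AUTH = 0xFFFF      # RIP-2 authentication entry: the route tag slot then holds the auth type
REQUEST, RESPONSE = 1, 2
INFINITY = 16


def build_entry(afi, tag, prefix, mask, nexthop, metric):
    """Pack one 20-byte route entry (used only to construct the sample messages)."""
    packed = [ipaddress.IPv4Address(x).packed for x in (prefix, mask, nexthop)]
    return RIP_ENTRY.pack(afi, tag, *packed, metric)


def parse_rip(data, checkzero=True):
    """Decode a RIP message into (version, auth_type, routes).

    routes are (network, nexthop, metric, tag) tuples; a nexthop of "0.0.0.0"
    means "route via the sender". Raises ValueError on a format or zero-field failure.
    """
    if len(data) < RIP_HEADER.size or (len(data) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("length is not a 4-byte header plus whole 20-byte entries")
    command, version, unused = RIP_HEADER.unpack_from(data)
    if command not in (REQUEST, RESPONSE):
        raise ValueError("unknown command %d" % command)
    if version not in (1, 2):
        raise ValueError("unsupported RIP version %d" % version)
    zero_check = checkzero and version == 1  # the page: the zero field check applies to RIP-1 only
    if zero_check and unused != 0:
        raise ValueError("RIP-1 header must-be-zero field is %#x" % unused)
    routes, auth_type = [], None
    for off in range(RIP_HEADER.size, len(data), RIP_ENTRY.size):
        afi, tag, ip, mask, nexthop, metric = RIP_ENTRY.unpack_from(data, off)
        if version == 2 and afi == AFI_AUTH:
            auth_type = tag
            continue
        if afi != AFI_INET:
            raise ValueError("unknown address family %#x" % afi)
        if zero_check and (tag, mask, nexthop) != (0, bytes(4), bytes(4)):
            raise ValueError("RIP-1 entry has non-zero must-be-zero fields")
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric %d outside 1..16" % metric)
        addr = str(ipaddress.IPv4Address(ip))
        if version == 1:
            # Classful: RIP-1 carries no mask, so derive it from the address class
            # (the subnet/host-route inference of RFC 1058 is omitted here).
            mask_str = "8" if ip[0] < 128 else "16" if ip[0] < 192 else "24"
        else:
            mask_str = str(ipaddress.IPv4Address(mask))  # classless, as the page's table shows
        net = ipaddress.ip_network("%s/%s" % (addr, mask_str), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(nexthop)), metric, tag))
    return version, auth_type, routes


def source_is_valid(src_ip, iface_ip, iface_prefixlen):
    """validate-source-address: the sender must be a neighbour on the receiving
    interface's own subnet (and not the interface address itself)."""
    iface = ipaddress.ip_interface("%s/%d" % (iface_ip, iface_prefixlen))
    src = ipaddress.ip_address(src_ip)
    return src in iface.network and src != iface.ip


def process_datagram(data, src_ip, iface_ip, iface_prefixlen,
                     checkzero=True, validate_source=True):
    """Apply both receive-side checks; return ("accepted", routes) or ("dropped", reason)."""
    if validate_source and not source_is_valid(src_ip, iface_ip, iface_prefixlen):
        return "dropped", "source %s is not on the receiving interface's subnet" % src_ip
    try:
        version, auth_type, routes = parse_rip(data, checkzero)
    except ValueError as exc:
        return "dropped", str(exc)
    # A zero next hop means "via the sender", which is what the page's display
    # shows as Nexthop 192.168.1.2 for every learned route.
    routes = [(net, src_ip if nh == "0.0.0.0" else nh, m, t) for net, nh, m, t in routes]
    return "accepted", routes


# Constructed samples modelled on the page's example: peer 192.168.1.2 on
# Vlan-interface100 (192.168.1.3/24 on Switch A) advertising two RIP-2 routes.
RIP2_RESPONSE = RIP_HEADER.pack(RESPONSE, 2, 0) + b"".join([
    build_entry(AFI_INET, 0, "10.0.0.0", "255.0.0.0", "0.0.0.0", 1),
    build_entry(AFI_INET, 0, "10.2.1.0", "255.255.255.0", "0.0.0.0", 1),
])
# The same 10.2.1.0 entry inside a RIP-1 message: its subnet mask now sits in a
# must-be-zero field, which is exactly what checkzero is there to catch.
RIP1_NONZERO = RIP_HEADER.pack(RESPONSE, 1, 0) + build_entry(
    AFI_INET, 0, "10.2.1.0", "255.255.255.0", "0.0.0.0", 1)

if __name__ == "__main__":
    for name, pkt in (("RIP-2", RIP2_RESPONSE), ("RIP-1", RIP1_NONZERO)):
        print(name, process_datagram(pkt, "192.168.1.2", "192.168.1.3", 24))
```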
Configuring TRIP
In a connection-oriented network, a device may establish connections to multiple remote devices. In a WAN, links are created and removed as needed. In such applications, a link created between two nodes for data transmission is temporary and infrequently used. TRIP should be enabled when it is necessary to exchange routing information over on-demand links, that is, by triggered RIP.
Enable TRIP
Follow these steps to enable TRIP:
To do... | Use the command...
To do... | Use the command... | Remarks
Enter system view | system-view | -
Bind RIP to MIB | rip mib-binding process-id | Optional. By default, the MIB is bound to the RIP process with the smallest process ID
Displaying and Maintaining RIP Configuration
To do... | Use the command...
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 192.168.1.3 24
# Configure Switch B.
system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port ethernet1/2
[SwitchB-vlan100] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 192.168.1.2 24
2 Configure basic RIP functions
# Configure Switch A.
[SwitchA] rip
[SwitchA-rip-1] network 192.168.1.0
[SwitchA-rip-1] network 172.16.0.0
[SwitchA-rip-1] network 172.
RIP Configuration Examples
Peer 192.168.1.2 on Vlan-interface100
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 192.168.1.2 1 0 RA 50
10.2.1.0/24 192.168.1.2 1 0 RA 16
10.1.1.0/24 192.168.1.2 1 0 RA 16
From the routing table, you can see that RIP-2 uses classless subnet masks.
Since RIP-1 routing information has a long aging time, it will still exist until it is aged out after RIP-2 is configured.
Configuring RIP Route Redistribution
system-view
[SwitchC] rip 200
[SwitchC-rip-200] network 192.168.2.0
[SwitchC-rip-200] network 192.168.3.0
[SwitchC-rip-200] network 192.168.4.0
# Display the routing table of Switch A.
[SwitchA] display ip routing-table
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
127.0.0.0/8
127.0.0.1/32
172.16.1.0/24
172.16.1.1/32
172.17.1.0/24
172.17.1.1/32
192.168.1.0/24
192.168.1.3/32
192.168.0.0/24
192.168.0.
Troubleshooting RIP Configuration
[SwitchB] acl number 2000
[SwitchB-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[SwitchB-acl-basic-2000] rule permit
[SwitchB-acl-basic-2000] quit
[SwitchB] rip 100
[SwitchB-rip-100] filter-policy 2000 export rip 200
# Display the routing table of Switch A.
[SwitchA] display ip routing-table
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
127.0.0.0/8
127.0.0.1/32
172.16.1.0/24
172.16.1.1/32
172.
In a RIP network, make sure that the same timers are set identically on all routers in the network and that the relationships between timers are reasonable. For example, the timeout timer value should be larger than the update timer value.
Solution:
■ Use the display rip command to check the configuration of RIP timers.
■ Use the timers command to adjust the timers properly.
29 IPV6 RIPNG CONFIGURATION
When configuring RIPng, go to these sections for information you are interested in:
■ “Introduction to RIPng” on page 289
■ “Configuring RIPng Basic Functions” on page 292
■ “Configuring RIPng Route Control” on page 292
■ “Tuning and Optimizing the RIPng Network” on page 294
■ “Displaying and Maintaining RIPng Configuration” on page 296
■ “RIPng Configuration Example” on page 297
The term "router" in this document refers to a router in a generic sense or an Ethernet switch running routing protocols.
Introduction to RIPng
RIPng supports split horizon and poison reverse to prevent routing loops, and supports route redistribution. Each RIPng router maintains a routing database that includes route entries for all reachable destinations. A route entry contains the following information:
■ Destination address: IPv6 address of a host or a network.
■ Next hop address: IPv6 address of a neighbor along the path to the destination.
RIPng Packet Format
Introduction to RIPng
Figure 80 Next hop RTE format: IPv6 next hop address (16 octets), followed by two must-be-zero fields and the value 0xFF
The IPv6 next hop address is the IPv6 address of the next hop. Figure 81 shows the format of the IPv6 prefix RTE.
Figure 81 IPv6 prefix RTE format: IPv6 prefix (16 octets), Route tag, Prefix length
■ IPv6 prefix: Destination IPv6 address prefix.
■ Route tag: Route tag.
■ Prefix len: Length of the IPv6 address prefix.
RIPng Packet Processing Procedure
■ RFC 2081: RIPng Protocol Applicability Statement
■ RFC 2453: RIP Version 2
Configuring RIPng Basic Functions
This section presents the information needed to configure the basic RIPng features. You must enable RIPng before configuring the other RIPng tasks, but this is not necessary for RIPng-related interface configuration, such as assigning an IPv6 address.
Configuring RIPng Route Control
■ Define an IPv6 ACL before using it for route filtering. Refer to “IPv6 ACL Configuration” on page 815 for related information.
■ Define an IPv6 address prefix list before using it for route filtering. Refer to “Defining Filtering Lists” on page 245 for related information.
Configuring an Additional Route Metric
An additional route metric can be added to the metric of an inbound or outbound RIPng route, namely the inbound or outbound additional metric.
Configuring a RIPng Route Filtering Policy
You can reference a configured IPv6 ACL or prefix list to filter received or advertised routing information as needed. For filtering outbound routes, you can also specify the routing protocol whose redistributed routing information is to be filtered.
Follow these steps to configure a RIPng route filtering policy:
To do... | Use the command...
Configuring the RIPng Priority
Tuning and Optimizing the RIPng Network
■ “Configuring RIPng Timers” on page 295
■ “Configuring Split Horizon” on page 295
■ “Configuring Poison Reverse” on page 296
■ “Enabling Zero Field Check on RIPng Packets” on page 296
■ “Configuring the Maximum Number of Equal Cost Routes for Load Balancing” on page 296
Prerequisites
Before tuning and optimizing the RIPng network, complete the following tasks:
■ Configure a network layer address for each interface
■ Confi
Configuring RIPng Timers
Generally, it is recommended that you enable split horizon to prevent routing loops.
Configuring Poison Reverse
Follow these steps to configure poison reverse:
To do... | Use the command...
Enabling Zero Field Check on RIPng Packets
Configuring the Maximum Number of Equal Cost Routes for Load Balancing
To do... | Use the command... | Remarks
Display the routing information of a specified RIPng process | display ripng process-id route | Available in any view
Display RIPng interface information | display ripng process-id interface [ interface-type interface-number ] | Available in any view
RIPng Configuration Example
Network requirements
As shown in Figure 82, all switches run RIPng.
# Configure Switch C.
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface Vlan-interface 101
[SwitchC-Vlan-interface101] ripng 1 enable
[SwitchC-Vlan-interface101] quit
[SwitchC] interface Vlan-interface 300
[SwitchC-Vlan-interface300] ripng 1 enable
[SwitchC-Vlan-interface300] quit
[SwitchC] interface Vlan-interface 400
[SwitchC-Vlan-interface400] ripng 1 enable
[SwitchC-Vlan-interface400] quit
# Display the routing table of Switch B.
RIPng Configuration Example
via FE80::F54C:0:9FDB:1, cost 1, tag 0, A, 14 Sec
Peer FE80::D472:0:3C23:1 on Vlan-interface100
Dest 1::/64,
via FE80::D472:0:3C23:1, cost 1, tag 0, A, 25 Sec
[SwitchA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::476:0:3624:1 on Vlan-interface100
Dest 2::/64,
via FE80::476:0:3624:1, cost 2, tag 0, A, 7 Sec
30 OSPF CONFIGURATION
Open Shortest Path First (OSPF) is a link state based interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). At present, OSPF version 2 (RFC 2328) is used.
■ Authentication: Supports interface-based packet authentication to guarantee the security of packet exchange.
■ Multicast: Supports packet multicasting on some types of links.
Basic Concepts
Autonomous System
A set of routers using the same routing protocol to exchange routing information constitutes an Autonomous System (AS).
Introduction to OSPF
■ LSAck (Link State Acknowledgment) Packet: Acknowledges received LSU packets. It contains the headers of the LSAs requiring acknowledgement (a packet can acknowledge multiple LSAs).
LSA types
OSPF sends routing information in LSAs, which, as defined in RFC 2328, have the following types:
■ Router LSA: Type-1 LSA, originated by all routers and flooded throughout a single area only. This LSA describes the collected states of the router’s interfaces to an area.
OSPF Area Partition and Route Summarization
Area partition
When a large number of OSPF routers are present on a network, LSDBs may become so large that a great amount of storage space is occupied and CPU resources are exhausted performing SPF computation. In addition, as the topology of a large network is prone to changes, an enormous number of OSPF packets may be generated, reducing bandwidth utilization. Each topology change makes all routers perform route calculation.
Introduction to OSPF
3 Backbone Router
At least one interface of a backbone router must be attached to the backbone area. Therefore, all ABRs and internal routers in area 0 are backbone routers.
4 Autonomous System Border Router (ASBR)
A router that exchanges routing information with another AS is an ASBR. It does not necessarily reside on the boundary of the AS; it can be an internal router or an area border router.
Figure 85 Virtual link application 1 (labels in the figure: Transit Area, Area 0, ABR, Virtual Link, ABR, Area 2, Area 1)
Another application of virtual links is to provide redundant links. If the backbone area cannot maintain internal connectivity due to a physical link failure, configuring a virtual link can guarantee logical connectivity in the backbone area, as shown below.
Introduction to OSPF
■ A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area.
■ Virtual links cannot transit (totally) stub areas.
NSSA area
Similar to a stub area, an NSSA area imports no AS external LSAs (Type5 LSAs) but can import Type7 LSA, which are generated by the ASBR and distributed throughout the NSSA area. When they reach the NSSA ABR, Type7 LSAs are translated into Type5 LSAs by the ABR for advertisement to other areas.
OSPF has two types of route summarization:
1 ABR route summarization
To distribute routing information to other areas, an ABR generates Type3 LSAs on a per network segment basis for an attached non-backbone area. If contiguous network segments are available in the area, you can summarize them with a single network segment. The ABR in the area distributes only the summary LSA to reduce the scale of LSDBs on routers in other areas.
Introduction to OSPF
■ NBMA (Non-Broadcast Multi-Access): when the link layer protocol is Frame Relay, ATM or X.25, OSPF considers the network type to be NBMA by default. Packets on these networks are sent to unicast addresses.
■ P2MP (point-to-multipoint): by default, OSPF does not consider any link layer protocol to be P2MP; a P2MP network is generally converted from another network type, such as NBMA. On P2MP networks, packets are sent to the multicast address 224.0.0.5.
become the new DR in a very short period by avoiding adjacency establishment and DR reelection. Meanwhile, the other routers elect another BDR, which requires a relatively long period but has no influence on route calculation. The other routers, also known as DRothers, establish no adjacency with each other and exchange no routing information, thus reducing the number of adjacencies on broadcast and NBMA networks.
Introduction to OSPF
Figure 90 OSPF packet format: IP header, OSPF packet header, Number of LSAs, LSA header, LSA Data
OSPF packet header
OSPF packets are classified into five types that have the same packet header, as shown below.
Figure 91 OSPF packet header: Version, Type, Packet length, Router ID, Area ID, Checksum, AuType, Authentication (two 32-bit words)
■ Version: OSPF version number, which is 2 for OSPFv2.
Figure 92 Hello packet format: OSPF packet header (Type = 1), Network Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, Designated router, Backup designated router, Neighbor ... Neighbor
Major fields:
■ Network Mask: The network mask associated with the router’s sending interface. If two routers have different network masks, they cannot become neighbors.
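The common packet header and the Hello fields above, parsed and checked the way a receiving router would, as an added Python example that is not 3Com code: it verifies the RFC 2328 checksum (computed with the 64-bit Authentication field excluded, for AuType 0 and 1), exposes the AuType so that unauthenticated Hellos can be flagged, and applies the network mask rule stated above together with the matching HelloInterval and RouterDeadInterval that RFC 2328 also requires. The sample Hello is constructed and modelled on the DR election example (Router ID 1.1.1.1, area 0.0.0.0, neighbor 4.4.4.4).

```python
import struct

# Version, Type, Packet length, Router ID, Area ID, Checksum, AuType, Authentication
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# Network Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR (then neighbors)
HELLO = struct.Struct("!4sHBBI4s4s")
OSPF_HELLO = 1
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2


def packed(dotted_str):
    return bytes(int(x) for x in dotted_str.split("."))


def dotted(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(data):
    """Standard one's-complement Internet checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(packet):
    """Checksum for AuType 0/1: the whole packet with the Checksum field zeroed and
    the 64-bit Authentication field (bytes 16..23) excluded, per RFC 2328 D.4.1."""
    return ip_checksum(packet[:12] + b"\0\0" + packet[14:16] + packet[24:])


def parse_ospf(packet):
    """Parse the common header (plus the Hello body for Type 1). Raises ValueError on
    anything a receiver discards: wrong version, bad length, checksum mismatch."""
    if len(packet) < OSPF_HDR.size:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    ver, ptype, length, rid, aid, csum, autype, auth = OSPF_HDR.unpack_from(packet)
    if ver != 2:
        raise ValueError("OSPF version %d, expected 2" % ver)
    if length < OSPF_HDR.size or length > len(packet):
        raise ValueError("packet length field %d does not fit the datagram" % length)
    if autype in (AU_NULL, AU_SIMPLE) and ospf_checksum(packet[:length]) != csum:
        raise ValueError("checksum mismatch")
    # AuType 2 (cryptographic): the checksum is unused and a digest trails the packet.
    msg = {"type": ptype, "router_id": dotted(rid), "area_id": dotted(aid),
           "autype": autype, "auth": auth, "authenticated": autype != AU_NULL}
    if ptype == OSPF_HELLO:
        if length < OSPF_HDR.size + HELLO.size:
            raise ValueError("Hello body truncated")
        mask, hello, options, prio, dead, dr, bdr = HELLO.unpack_from(packet, OSPF_HDR.size)
        nbrs = packet[OSPF_HDR.size + HELLO.size:length]
        msg.update(mask=dotted(mask), hello_interval=hello, options=options, priority=prio,
                   dead_interval=dead, dr=dotted(dr), bdr=dotted(bdr),
                   neighbors=[dotted(nbrs[i:i + 4]) for i in range(0, len(nbrs) - 3, 4)])
    return msg


def hello_compatible(hello, iface_mask, iface_hello, iface_dead):
    """Return the reasons the sender cannot become a neighbor on this interface: the
    page's network mask rule, plus the matching intervals RFC 2328 section 10.5 requires."""
    problems = []
    if hello["mask"] != iface_mask:
        problems.append("network mask %s differs from ours %s" % (hello["mask"], iface_mask))
    if hello["hello_interval"] != iface_hello:
        problems.append("HelloInterval %d differs from ours %d" % (hello["hello_interval"], iface_hello))
    if hello["dead_interval"] != iface_dead:
        problems.append("RouterDeadInterval %d differs from ours %d" % (hello["dead_interval"], iface_dead))
    return problems


def build_hello(router_id, area_id, mask, hello_interval, dead_interval, neighbors=(),
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", autype=AU_NULL, auth=b""):
    """Construct a Hello with a correct checksum (sample builder, not switch output)."""
    body = HELLO.pack(packed(mask), hello_interval, 0x02, priority, dead_interval,
                      packed(dr), packed(bdr)) + b"".join(packed(n) for n in neighbors)
    hdr = OSPF_HDR.pack(2, OSPF_HELLO, OSPF_HDR.size + len(body), packed(router_id),
                        packed(area_id), 0, autype, auth[:8].ljust(8, b"\0"))
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


# Constructed sample: SwitchA (Router ID 1.1.1.1) in area 0 seeing SwitchD as a neighbor.
SAMPLE_HELLO = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, neighbors=["4.4.4.4"])

if __name__ == "__main__":
    msg = parse_ospf(SAMPLE_HELLO)
    print(msg["router_id"], msg["neighbors"], "authenticated:", msg["authenticated"])
    print(hello_compatible(msg, "255.255.0.0", 10, 40))
```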
Introduction to OSPF
Figure 93 DD packet format: OSPF packet header (Type = 2), Interface MTU, Options, five zero bits followed by the I, M and MS flags, DD sequence number, LSA header ... LSA header
Major fields:
■ Interface MTU: The size in bytes of the largest IP datagram that can be sent out the associated interface without fragmentation.
Figure 94 LSR packet format: OSPF packet header (Type = 3), then one or more requests of LS type, Link state ID, Advertising router ...
Introduction to OSPF
Figure 96 LSAck packet format: OSPF packet header (Type = 5), LSA header ... LSA header
LSA header format
All LSAs have the same header, as shown in the following figure.
Figure 97 LSA header format: LS age, Options, LS type, Link state ID, Advertising Router, LS sequence number, LS checksum, Length
Major fields:
■ LS age: The time in seconds elapsed since the LSA was originated.
Formats of LSAs
1 Router LSA
Figure 98 Router LSA format: LSA header (LS type = 1), the V, E and B bits, # links, then per link: Link ID, Link data, Type, #TOS, metric, TOS, TOS metric ...
Major fields:
■ Link State ID: The ID of the router that originated the LSA.
■ V (Virtual Link): Set to 1 if the router that originated the LSA is a virtual link endpoint.
Introduction to OSPF
Figure 99 Network LSA format: LSA header (LS type = 2), Network mask, Attached router ...
A Type3 LSA can be used to advertise a default route, having the Link State ID and Network Mask set to 0.0.0.0.
4 AS external LSA
An AS external LSA originates from an ASBR, describing routing information to a destination outside the AS.
Introduction to OSPF
Figure 102 NSSA external LSA format: LSA header (LS type = 7), Network mask, E bit, TOS, Metric, Forwarding address, External route tag ...
Supported OSPF Features
Multi-process
With multi-process support, multiple OSPF processes can run on a router simultaneously and independently. Routing information exchange between different processes behaves like exchange between different routing protocols.
When a router shuts down, its neighbors delete it from their neighbor tables and inform other routers, resulting in SPF recalculation. If the router restarts within several seconds, it is unnecessary to perform SPF recalculation and reestablish adjacencies. To avoid unnecessary SPF calculation, a restarting router informs its neighboring routers that the shutdown is temporary.
Configuring area IDs on PEs can differentiate VPNs. Sites in the same VPN are considered to be directly connected. PE routers then exchange OSPF routing information as if over a dedicated line, which improves network management and OSPF operation efficiency.
OSPF sham link
An OSPF sham link is a point-to-point link between two PE routers on the MPLS VPN backbone.
OSPF Configuration Task List
Task | Description
“Configuring OSPF Route Control” on page 327:
“Configuring OSPF Route Summarization” on page 327 | Optional
“Configuring OSPF Inbound Route Filtering” on page 328 | Optional
“Configuring ABR Type3 LSA Filtering” on page 328 | Optional
“Configuring the OSPF Link Cost of an Interface” on page 328 | Optional
“Configuring the Maximum Number of OSPF Routes” on page 329 | Optional
“Configuring the Maximum Number of Equal Cost Routes for Load Balancing” on p | Optional
Task | Description
“Configuring OSPF Network Optimization” on page 330:
“Configuring OSPF Packet Timers” on page 331 | Optional
“Configuring the LSA Transmission Delay” on page 332 | Optional
“Configuring the SPF Calculation Interval” on page 332 | Optional
“Configuring the Minimum LSA Repeating Arrival Interval” on page 333 | Optional
“Configuring the LSA Generation Interval” on page 333 | Optional
“Disabling Interfaces from Sending OSPF Packets” on page 333 | Optional
“Confi
Configuring OSPF Basic Functions
The system supports OSPF multi-instance: you associate an OSPF process with a specified VPN instance by configuring the process to run in that instance. The configurations for routers in an area are performed on a per-area basis. Wrong configurations may cause communication failures, blocked routing information, or even routing loops between neighboring routers.
To configure OSPF basic functions, use the following commands:
To do... | Use the command...
Prerequisites
Before configuring an OSPF area, you have configured:
■ IP addresses for interfaces, making neighboring nodes reachable from each other at the network layer.
■ OSPF basic functions
Configuration Procedure
To configure OSPF area parameters, use the following commands:
To do... | Use the command...
Configuring OSPF Network Types
Prerequisites
Before configuring OSPF network types, you have configured:
■ IP addresses for interfaces, making neighboring nodes reachable from each other at the network layer.
■ OSPF basic functions
Configuring the OSPF Network Type for an Interface
To configure the OSPF network type for an interface, use the following commands:
To do... | Use the command...
Configuring an NBMA Neighbor
■ The former is used for the actual DR election.
■ The latter indicates whether a neighbor has election rights. If you configure the DR priority for a neighbor as 0, the local router considers the neighbor to have no election rights and sends no hello packets to it, reducing the number of hello packets used for DR/BDR election on the network.
Configuring OSPF Route Control
Prerequisites
Configuring OSPF Route Summarization
Configuring OSPF Inbound Route Filtering
To configure OSPF to filter received routes, use the following commands:
To do... | Use the command...
Configuring ABR Type3 LSA Filtering
Configuring the OSPF Link Cost of an Interface
Configuring OSPF Route Control
To do... | Use the command... | Remarks
Configure a bandwidth reference value | bandwidth-reference value | Optional. The value defaults to 100 Mbps
If the cost value is not configured for an interface, OSPF computes the interface cost automatically: Interface cost = Bandwidth reference value / Interface bandwidth.
Configuring the Maximum Number of OSPF Routes
Configuring the Maximum Number of Equal Cost Routes for Load Balancing
Configuring the Priority of OSPF Routes
To do... | Use the command... | Remarks
Configure the priority of OSPF routes | preference [ ase ] [ route-policy route-policy-name ] value | Optional. The priority of OSPF internal routes defaults to 10; the priority of OSPF external routes defaults to 150
Configuring OSPF Route Redistribution
To configure OSPF route redistribution, use the following commands:
To do... | Use the command...
Configuring OSPF Network Optimization
■ Change the values of OSPF packet timers to adjust the OSPF network convergence speed and network load. On low speed links, you need to consider the delay for sending LSAs on interfaces.
■ Change the interval for SPF calculation to reduce the resource consumption caused by frequent network changes.
■ Configure OSPF authentication to meet the high security requirements of some mission-critical networks.
Prerequisites
Configuring OSPF Packet Timers
To do... | Use the command... | Remarks
Specify the retransmission interval | ospf timer retransmit interval | Optional. The retransmission interval defaults to 5 seconds.
■ The hello and dead intervals are restored to their default values after you change the network type of an interface.
■ The dead interval should be at least four times the hello interval on an interface.
■ The poll interval is at least four times the hello interval.
Configuring the LSA Transmission Delay
Configuring OSPF Network Optimization
Configuring the Minimum LSA Repeating Arrival Interval
When an interface receives an LSA that is identical to a previously received LSA within a specified interval (the minimum LSA repeating arrival interval), the interface discards the LSA.
To configure the minimum LSA repeating arrival interval, use the following commands:
To do... | Use the command...
■ Different OSPF processes can disable the same interface from sending OSPF packets. The silent-interface command disables only the interfaces associated with the current process, not interfaces associated with other processes.
Configuring Stub Routers
Configuring OSPF Network Optimization
To do... | Use the command...
Configuring OSPF Network Management
To configure OSPF network management, use the following commands:
To do... | Use the command...
Displaying and Maintaining OSPF Configuration
To do... | Use the command...
Configuring OSPF Basic Functions
Network requirements
As shown in the following figure, all switches run OSPF. The AS is split into three areas, in which SwitchA and SwitchB act as ABRs to forward routing information between areas. After configuration, all switches can learn routes to every network segment in the AS.
Network diagram
Figure 103 Network diagram for OSPF basic configuration: Area 0 with Switch A (Vlan-int100 192.168.0.1/24) and Switch B (Vlan-int100 192.168.
OSPF Configuration Examples
system-view
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit
# Configure SwitchD
system-view
[SwitchD] ospf
[SwitchD-ospf-1] area 2
[SwitchD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.
# Display the Link State Database on SwitchA.
[SwitchA] display ospf lsdb
OSPF Process 1 with Router ID 192.168.1.1
Link State Database
Area: 0.0.0.0
Type LinkState ID
Router 192.168.1.1
Router 192.168.2.1
Network 192.168.0.2
Sum-Net 192.168.1.0
Sum-Net 172.17.1.0
Sum-Net 192.168.2.0
Sum-Net 172.16.1.0
Type LinkState ID
Router 192.168.1.2
Router 192.168.1.1
Network 192.168.1.2
Sum-Net 172.17.1.0
Sum-Net 192.168.2.0
Sum-Net 192.168.0.0
AdvRouter 192.168.1.1 192.168.
OSPF Configuration Examples
Configuring an OSPF Stub Area
Network requirements
The following figure shows an AS split into three areas, where all switches run OSPF. SwitchA and SwitchB act as ABRs to forward routing information between areas. SwitchD acts as the ASBR, redistributing routes (static routes). It is required to configure Area1 as a Stub area, reducing the LSAs sent into this area without affecting route reachability.
192.168.1.0/24 1 Transit 192.168.1.2 192.168.1.2 0.0.0.1
192.168.2.0/24 3 Inter 192.168.1.1 192.168.1.1 0.0.0.1
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
200.0.0.0/8 1 Type2 1 192.168.1.1 192.168.2.2
Total Nets: 6
Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0
In the above output, since SwitchC resides in a normal OSPF area, its routing table contains an external route.
4 Configure Area1 as a Stub area.
# Configure SwitchA.
# Display the OSPF routing table on SwitchC.
[SwitchC] display ospf routing
OSPF Process 1 with Router ID 192.168.1.2
Routing Tables
Routing for Network
Destination      Cost   Type     NextHop      AdvRouter    Area
0.0.0.0/0        65536  Inter    192.168.1.1  192.168.1.1  0.0.0.1
172.16.1.0/24    1      Stub     172.16.1.1   192.168.1.2  0.0.0.1
192.168.1.0/24   65535  Transit  192.168.1.2  192.168.1.2  0.0.0.
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0
Configuring an OSPF NSSA Area
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] nssa
[SwitchC-ospf-1-area-0.0.0.
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0
You can see on SwitchD an external route imported from the NSSA area.
Configuring OSPF DR Election
Network requirements
■ In the following figure, OSPF Switches A, B, C and D reside on the same network segment.
■ It is required to configure SwitchA as the DR and SwitchC as the BDR.
Network diagram
Figure 106 Network diagram for OSPF DR election configuration (diagram: Switch A, the DR, Vlan-int1 196.1.1.1/24 and Switch D Vlan-int1 on the same segment)
system-view
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure SwitchD
system-view
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ospf dr-priority 0
[SwitchB-Vlan-interface1] quit
# Configure SwitchC
[SwitchC] interface vlan-interface 1
[SwitchC-Vlan-interface1] ospf dr-priority 2
[SwitchC-Vlan-interface1] quit
# Display neighbor information on SwitchD.
[SwitchD] display ospf peer
OSPF Process 1 with Router ID 4.4.4.4
Neighbors
Area 0.0.0.0 interface 192.168.1.4(Vlan-interface1)'s neighbors
Router ID: 1.1.1.1  Address: 192.168.1.
Authentication Sequence: [ 0 ]
Router ID: 2.2.2.2  Address: 192.168.1.2  State: 2-Way  Mode: None  Priority: 0
DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
Dead timer due in 35 sec
Neighbor is up for 00:01:44
Authentication Sequence: [ 0 ]
GR State: Normal
Router ID: 3.3.3.3  Address: 192.168.1.3  State: Full  Mode: Nbr is Slave  Priority: 2
DR: 192.168.1.1  BDR: 192.168.1.
Network diagram
Figure 107 Network diagram for OSPF virtual link configuration (diagram: Switch A Vlan-int200 10.1.1.1/8 in Area 0 and Vlan-int100 192.168.1.1/24 in Area 1; Switch B Vlan-int100 192.168.1.2/24 in Area 1 and Vlan-int200 172.16.1.1/16 in Area 2; virtual link through Area 1)
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF basic functions
# Configure SwitchA
system-view
[SwitchA] ospf 1 router-id 1.1.1.
# Configure SwitchA
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure SwitchB
[SwitchB] ospf 1
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[SwitchB-ospf-1-area-0.0.0.1] quit
# Display the OSPF routing table on SwitchA.
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.
Troubleshooting OSPF Configuration
5 On an NBMA network, the neighbor must be specified manually with the peer ip-address command.
6 On an NBMA or a broadcast network, at least one connected interface must have a DR priority higher than 0.
Incorrect Routing Information
Symptom
OSPF cannot find routes to other areas.
Analysis
The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one of those areas must be connected to the backbone.
CHAPTER 31: IPV6 OSPFV3 CONFIGURATION
The term "router" refers to a router in a generic sense or an Ethernet switch running routing protocols in this document.
The five packet types share the same packet header. Unlike the OSPFv2 packet header, the OSPFv3 header is only 16 bytes long, has no authentication field, and adds an Instance ID field to support multiple instances per link. Figure 108 gives the OSPFv3 packet header.
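The header layout just described, as an added example (not code from this guide or the switch): a Python parser for the 16-byte OSPFv3 header, with the OSPFv2 header length kept beside it for comparison. The packets it decodes are constructed here, and checksum verification is left to the IPv6 layer, since the OSPFv3 checksum covers an IPv6 pseudo-header.

```python
import struct

# OSPFv3 packet header (RFC 5340), 16 bytes: version, type, packet length,
# router ID, area ID, checksum, instance ID, reserved. Sample packets below
# are constructed for this example.
OSPFV3_HEADER = struct.Struct("!BBHIIHBB")
OSPFV2_HEADER_LEN = 24          # OSPFv2 adds AuType (2) and Authentication (8)
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}


def ipv4_str(value: int) -> str:
    """Router IDs and Area IDs are 32-bit values written in dotted notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_ospfv3_header(packet: bytes) -> dict:
    """Validate and decode the OSPFv3 header at the front of packet.

    Only the structure is checked (version, type, length, reserved byte);
    the checksum needs the IPv6 pseudo-header and is verified by that layer.
    """
    if len(packet) < OSPFV3_HEADER.size:
        raise ValueError("packet shorter than the 16-byte OSPFv3 header")
    (version, ptype, length, router_id, area_id,
     checksum, instance_id, reserved) = OSPFV3_HEADER.unpack_from(packet)
    if version != 3:
        raise ValueError("not OSPFv3 (version %d)" % version)
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    if length < OSPFV3_HEADER.size or length > len(packet):
        raise ValueError("bad packet length %d" % length)
    if reserved != 0:
        raise ValueError("reserved byte must be zero")
    return {
        "version": version, "type": PACKET_TYPES[ptype], "length": length,
        "router_id": ipv4_str(router_id), "area_id": ipv4_str(area_id),
        "checksum": checksum,
        # The instance ID lets several OSPFv3 instances share one link without
        # forming adjacencies with each other.
        "instance_id": instance_id,
        "body": packet[OSPFV3_HEADER.size:length],
    }


def is_valid_ospfv3(packet: bytes) -> bool:
    """True when the header parses cleanly; a receiver should drop it otherwise."""
    try:
        parse_ospfv3_header(packet)
        return True
    except ValueError:
        return False


def build_ospfv3_header(ptype: int, router_id: int, area_id: int,
                        instance_id: int, body: bytes = b"") -> bytes:
    """Build a header for a constructed test packet (checksum left at 0)."""
    return OSPFV3_HEADER.pack(3, ptype, OSPFV3_HEADER.size + len(body),
                              router_id, area_id, 0, instance_id, 0) + body


def header_overhead_saved() -> int:
    """Bytes saved per packet by the shorter OSPFv3 header."""
    return OSPFV2_HEADER_LEN - OSPFV3_HEADER.size


if __name__ == "__main__":
    # Constructed Hello from router 4.4.4.4 in area 0, instance 7 on the link.
    hello = build_ospfv3_header(1, 0x04040404, 0, 7, b"\x00" * 20)
    print(parse_ospfv3_header(hello))
    print("OSPFv3 header is %d bytes shorter than OSPFv2" % header_overhead_saved())
```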
flooding scope. It was introduced because Router-LSAs and Network-LSAs no longer contain address information.
Timers of OSPFv3
Timers in OSPFv3 include:
■ OSPFv3 packet timer
■ LSA delay timer
■ SPF timer
OSPFv3 packet timer
Hello packets are sent periodically between neighboring routers to find and maintain neighbor relationships and to elect the DR/BDR. The hello interval must be identical on neighboring interfaces.
Task (Description)
“Configuring OSPFv3 Routing Information Management” on page 358
  “Configuring OSPFv3 Route Summarization” on page 358 (Optional)
  “Configuring OSPFv3 Inbound Route Filtering” on page 358 (Optional)
  “Configuring Link Costs for OSPFv3 Interfaces” on page 359 (Optional)
  “Configuring the Maximum Number of OSPFv3 Load-balanced Routes” on page 359 (Optional)
“Tuning and Optimizing an OSPFv3 Network” on page 360
  “Configuring a Priority for OSPFv3” on page
■ When configuring a router ID, make sure each router has a unique ID. If a router runs multiple OSPFv3 processes, you need to specify a router ID for each process.
Configuring OSPFv3 Area Parameters
The stub area and virtual link support of OSPFv3 follows the same principle and application environments as in OSPFv2. Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs on networks and extends OSPFv3 application.
Configuring OSPFv3 Routing Information Management
Prerequisites
Configuring OSPFv3 Route Summarization
Configuring OSPFv3 Inbound Route Filtering
To do... Use the command...
The filter-policy import command filters only the routes computed by OSPFv3; only routes that pass the filter are added to the local routing table.
Configuring Link Costs for OSPFv3 Interfaces
You can configure OSPFv3 link costs for interfaces to adjust route calculation. To configure the link cost for an OSPFv3 interface, use the following commands:
To do... Use the command...
Tuning and Optimizing an OSPFv3 Network
To do... Use the command...
Disable Interfaces from Sending OSPFv3 Packets
To disable interfaces from sending OSPFv3 packets, use the following commands:
To do... Use the command...
Displaying and Maintaining OSPFv3
To do... Use the command...
It is required to configure Area 2 as a stub area, reducing the LSAs advertised into the area without affecting route reachability.
OSPFv3 Configuration Examples
[SwitchC] ospfv3
[SwitchC-ospfv3-1] router-id 3.3.3.3
[SwitchC-ospfv3-1] quit
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] ospfv3 1 area 0
[SwitchC-Vlan-interface100] quit
[SwitchC] interface vlan-interface 400
[SwitchC-Vlan-interface400] ospfv3 1 area 2
[SwitchC-Vlan-interface400] quit
# Configure Switch D
system-view
[SwitchD] ipv6
[SwitchD] ospfv3
[SwitchD-ospfv3-1] router-id 4.4.4.
Type      : IA
NextHop   : FE80::F40D:0:93D0:1
Cost      : 3
Interface : Vlan400
*Destination: 2001:2::/64
Type      : I
NextHop   : directly-connected
Cost      : 1
Interface : Vlan400
*Destination: 2001:3::/64
Type      : IA
NextHop   : FE80::F40D:0:93D0:1
Cost      : 4
Interface : Vlan400
3 Configure Area 2 as a stub area
# Configure Switch D
[SwitchD] ospfv3
[SwitchD-ospfv3-1] area 2
[SwitchD-ospfv3-1-area-0.0.0.
# Display OSPFv3 routing table information on Switch D. You can see that the number of route entries is reduced: all non-direct routes are removed except the default route.
[SwitchD] display ospfv3 routing
E1 - Type 1 external route, IA - Inter area route, E2 - Type 2 external route,
* - Selected route, I - Intra area route
OSPFv3 Router with ID (4.4.4.
system-view
[SwitchA] ipv6
[SwitchA] ospfv3
[SwitchA-ospfv3-1] router-id 1.1.1.1
[SwitchA-ospfv3-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ospfv3 1 area 0
[SwitchA-Vlan-interface100] quit
# Configure Switch B
system-view
[SwitchB] ipv6
[SwitchB] ospfv3
[SwitchB-ospfv3-1] router-id 2.2.2.
----------------------------------------------------------------------
Neighbor ID  Pri  State         Dead Time  Interface  Instance ID
1.1.1.1      1    Full/DROther  00:00:30   Vlan100    0
2.2.2.2      1    Full/DROther  00:00:37   Vlan200    0
3.3.3.3      1    Full/Backup   00:00:31   Vlan100    0
3 Configure DR priorities for interfaces.
# Configure the DR priority of Vlan-interface100 as 100 on Switch A.
# Display neighbor information on Switch D. You can see that Switch A becomes the DR.
[SwitchD] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID  Pri  State          Dead Time  Interface  Instance ID
1.1.1.1      100  Full/DR        00:00:34   Vlan100    0
2.2.2.2      0    2-Way/DROther  00:00:34   Vlan200    0
3.3.3.
Troubleshooting OSPFv3 Configuration
3 Use the display ospfv3 lsdb command to display Link State Database information and check its integrity.
4 Display information about area configuration using the display current-configuration configuration command. If more than two areas are configured, at least one area must be connected to the backbone.
5 In a stub area, all routers must be configured with the stub command.
6 If a virtual link is configured, use the display ospf vlink command to check the neighbor state.
CHAPTER 32: DUAL STACK CONFIGURATION
When configuring dual stack, go to these sections for information you are interested in:
■ “Dual Stack Overview” on page 373
■ “Configuring Dual Stack” on page 373
The term "router" in this document refers to a router in a generic sense or an Ethernet switch running routing protocols.
Dual Stack Overview
Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes.
To do...: Use the command... (Remarks)
Enter system view: system-view
Enable the IPv6 packet forwarding function: ipv6 (Required. Disabled by default.)
Enter interface view: interface interface-type interface-number
Configure an IPv4 address for the interface: ip address ip-address { mask | mask-length } [ sub ] (Required. By default, no IP address is configured. The support for the sub keyword varies with devices.)
CHAPTER 33: TUNNELING CONFIGURATION
Introduction to Tunneling
The expansion of the Internet has made IPv4 addresses scarce. Although techniques such as temporary IPv4 address allocation and network address translation (NAT) relieve the IPv4 address shortage to some extent, they not only increase the overhead of address resolution and processing but also cause failures in high-level applications. Furthermore, they still face the problem that IPv4 addresses will eventually be used up.
CAUTION: The devices at both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.
Type
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the following types:
■ IPv6 manually configured tunnel
■ Automatic IPv4-compatible IPv6 tunnel
■ 6to4 tunnel
■ ISATAP tunnel
■ IPv6-over-IPv4 GRE tunnel (GRE tunnel for short)
Among the above tunnels, the IPv6 manually configured tunnel and GRE tunnel are configured tunnels, while the automatic IPv4-compatible IPv6 tunnel, 6to4 tunnel, and intra-site automatic tunnel ad
Figure 113 6to4 tunnel (diagram: 6to4 networks at Site 1, Site 2 and Site 3 with 6to4 Router A, Router B and Router C, joined by 6to4 tunnels across the IPv4 network, plus a 6to4 relay)
4 ISATAP tunnel
As IPv6 is deployed, more and more IPv6 hosts will appear in the existing IPv4 network. The ISATAP tunneling technique provides a practical solution for IPv6 application in such a network. An ISATAP tunnel is a point-to-point automatic tunnel.
■ If the source IP address of the tunnel packet matches the expedite termination subnet, the packet is sent to the IPv6 switch fabric for forwarding or to the CPU for processing.
■ If the tunnel packet needs to be forwarded, the IPv6 switch fabric decapsulates the tunnel packet to obtain the original IPv6 packet and then forwards it directly.
Tunneling Configuration Task List
Complete these tasks to configure the tunneling feature:
Task (Remarks)
Configuring IPv6 over IPv4 GRE tunnel
“Configuring IPv6 Manually Configured Tunnel” on page 380 (Optional)
“Configuring Automatic IPv4-Compatible IPv6 Tunnel” on page 384 (Optional)
“Configuring 6to4 Tunnel” on page 387 (Optional)
“Configuring ISATAP Tunnel” on page 391 (Optional)
“Configuring IPv4 over IPv4 Tunnel” on page 395 (Optional)
“Configuring Tunnel
Configuring IPv6 Manually Configured Tunnel
To do...: Use the command... (Remarks)
Configure an IPv6 address for the tunnel interface, as a global unicast IPv6 address or a site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } (Required. Use any command.)
Configure a link-local IPv6 address: ipv6 address auto link-local (Optional)
Configure the tunnel to be an IPv6 manually configured tunnel
Configuration Example
■ When configuring a static route, you need to configure a route to the destination address (the destination IPv6 address of the packet, not the tunnel destination IPv4 address) and set the next hop to the tunnel interface number or to the network address at the local end of the tunnel. Such configurations must be performed at both ends of the tunnel.
[SwitchA] ipv6
# Configure a link aggregation group and set the service type to tunnel.
[SwitchA] link-aggregation group 1 mode manual
[SwitchA] link-aggregation group 1 service-type tunnel
[SwitchA] interface GigabitEthernet 3/1/2
[SwitchA-GigabitEthernet3/1/2] stp disable
[SwitchA-GigabitEthernet3/1/2] port link-aggregation group 1
[SwitchA-GigabitEthernet3/1/2] quit
# Configure an IPv6 manually configured tunnel.
[SwitchB] interface tunnel 0/0/1
[SwitchB-Tunnel0/0/1] aggregation-group 2
[SwitchB-Tunnel0/0/1] expediting enable
[SwitchB-Tunnel0/0/1] quit
# Configure a static route from the interface Tunnel0/0/1 of Switch B to Switch A.
[SwitchB] ipv6 route-static 1::0 64 tunnel 0/0/1
Configuration verification
After the above configurations, you can successfully ping the IPv6 address of the peer tunnel interface from one switch to the other.
Configuring Automatic IPv4-Compatible IPv6 Tunnel
To do...: Use the command... (Remarks)
Configure an automatic IPv4-compatible IPv6 tunnel: tunnel-protocol ipv6-ipv4 auto-tunnel (Required. By default, the tunnel is a GRE tunnel. The same tunnel type should be configured at both ends of the tunnel; otherwise, packet delivery will fail.)
Configure a source address for the tunnel: source { ip-address | ipv6-address | interface-type interface-number } (Required)
Network diagram
Figure 117 Network diagram for an automatic IPv4-compatible IPv6 tunnel (diagram: dual-stack Switch A with Vlan-int100 2.1.1.1/8 and Tunnel0 ::2.1.1.1/96, and dual-stack Switch B with Vlan-int100 2.1.1.2/8 and Tunnel0 ::2.1.1.2/96, connected across an IPv4 network)
Configuration procedure
The following example shows how to configure an automatic IPv4-compatible IPv6 tunnel between Switch A and Switch B.
Configuring 6to4 Tunnel
# Configure an IPv4 address for the interface VLAN-interface 12.
[SwitchB] vlan 12
[SwitchB-vlan12] port GigabitEthernet 3/1/1
[SwitchB-vlan12] quit
[SwitchB] interface Vlan-interface 12
[SwitchB-Vlan-interface12] ip address 2.1.1.2 255.0.0.0
[SwitchB-Vlan-interface12] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[SwitchB] interface tunnel 0/0/1
[SwitchB-Tunnel0/0/1] ipv6 address ::2.1.1.
To do...: Use the command... (Remarks)
Create a tunnel interface and enter tunnel interface view: interface tunnel number (Required. By default, there is no tunnel interface on the device.)
Configure an IPv6 address for the tunnel interface, as a global unicast address or site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Configure a link-local address for the tunnel interface: ipv6 address ipv6-address link-local
Configure a source address for the tunnel (Required.)
Configuration Example
■ No destination address needs to be configured for an automatic tunnel, because the destination address is obtained automatically from the IPv4 address embedded in the IPv4-compatible IPv6 address.
■ If the tunnel interface addresses at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded.
[SwitchA-vlan100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 2.1.1.1 24
[SwitchA-Vlan-interface100] quit
# Configure a route from the interface VLAN-interface 100 to the interface VLAN-interface 100 of Switch B. (Here the next-hop address of the static route is represented by [nexthop]. In practice, configure the real next-hop address according to the network.)
[SwitchA] ip route-static 5.1.1.
Configuring ISATAP Tunnel
[SwitchB-Vlan-interface100] ip address 5.1.1.1 24
[SwitchB-Vlan-interface100] quit
# Configure a route from the interface VLAN-interface 100 to the interface VLAN-interface 100 of Switch A. (Here the next-hop address of the static route is represented by [nexthop]. In practice, configure the real next-hop address according to the network.)
[SwitchB] ip route-static 2.1.1.1 24 [nexthop]
# Configure an IPv6 address for the interface VLAN-interface 101.
Configuration Procedure
Follow these steps to configure an ISATAP tunnel:
To do...: Use the command... (Remarks)
Enter system view: system-view
Enable the IPv6 packet forwarding function: ipv6 (Required)
Create a tunnel interface and enter tunnel interface view: interface tunnel number (Required)
Configure an IPv6 address for the tunnel interface: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } (Required.)
CAUTION:
■ For automatic IPv4-compatible IPv6 tunnels, 6to4 tunnels, and ISATAP tunnels, the tunnel interfaces must have different source addresses.
■ If the tunnel interface addresses at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded. You can configure static or dynamic routes.
Configuration Example
[Switch-vlan101] port GigabitEthernet 1/1/2
[Switch-vlan101] quit
[Switch] interface vlan-interface 101
[Switch-Vlan-interface101] ip address 2.1.1.1 255.0.0.0
[Switch-Vlan-interface101] quit
# Configure a link aggregation group and set the service type to tunnel.
Configuring IPv4 over IPv4 Tunnel
# A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format is automatically generated for the ISATAP interface. Configure the IPv4 address of the ISATAP switch on the ISATAP interface.
C:\>ipv6 rlu 2 2.1.1.1
# After carrying out the above command, look at the information on the ISATAP interface.
To do...: Use the command... (Remarks)
Configure an IPv4 address for the tunnel interface: ip address ip-address { mask | mask-length } [ sub ] (Required. By default, no IPv4 address is configured for the tunnel interface.)
Network diagram
Figure 120 Network diagram for an IPv4 over IPv4 tunnel (diagram: Switch A with Vlan-int100 10.1.1.1/24 facing IPv4 Group 1, Vlan-int101 192.13.2.1/24 facing the IPv4 network and Tunnel1/0/0 10.1.2.1/24; Switch B with Vlan-int101 131.108.5.2/24 facing the IPv4 network, Tunnel2/0/0 10.1.2.2/24 and Vlan-int100 10.1.3.1/24 facing IPv4 Group 2)
Configuration procedure
1 Configure Switch A
# Configure an IPv4 address for the interface VLAN-interface 100.
# Reference link aggregation group 1 in tunnel interface view.
[SwitchA] interface tunnel 1/0/0
[SwitchA-Tunnel1/0/0] aggregation-group 1
[SwitchA-Tunnel1/0/0] quit
# Configure a static route from Switch A through the interface Tunnel 1/0/0 to Group 2.
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1/0/0
2 Configure Switch B.
# Configure an IPv4 address for the interface VLAN-interface 100.
Configuring Tunnel Hybrid Insertion
# Configure a static route from Switch B through the interface Tunnel 2/0/0 to Group 1.
[SwitchB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2/0/0
Configuration verification
After the above configuration, you can successfully ping the address of the access interface of the peer IPv4 group from one switch.
Configuration Example
To do... Use the command...
■ On PC A, the next hop gateway address of the route to PC B (6666::6/64) is set to 1000::1, and on PC B, the next hop gateway address of the route to PC A (1000::2/64) is set to 6666::9.
Network diagram
Figure 121 Network diagram for tunnel hybrid insertion (diagram: PC A 1000::2/64 on an IPv6 network behind Switch A; Switch A Vlan-int10 1.1.1.1/24 and Tunnel4/0/0 across the IPv4 network to Switch B Vlan-int10)
[SwitchA-Tunnel4/0/0] destination 1.1.1.2
[SwitchA-Tunnel4/0/0] aggregation-group 1
# Enable expedite termination on the interface Tunnel 4/0/0.
[SwitchA-Tunnel4/0/0] expediting enable
[SwitchA-Tunnel4/0/0] quit
# Enable RIPng on the interface Tunnel 4/0/0.
Displaying and Maintaining Tunneling Configuration
[SwitchB-Tunnel3/0/0] destination 1.1.1.1
[SwitchB-Tunnel3/0/0] aggregation-group 1
# Enable expedite termination on the interface Tunnel 3/0/0.
[SwitchB-Tunnel3/0/0] expediting enable
# Enable RIPng on the interface Tunnel 3/0/0.
Troubleshooting Tunneling Configuration
Symptom: After the configuration of related parameters such as tunnel source address, tunnel destination address, and tunnel type, the tunnel interface is still not up.
Solution: Follow the steps below:
1 The common cause is that the physical interface of the tunnel source is not up.
CHAPTER 34: GRE CONFIGURATION
When configuring GRE, go to these sections for information you are interested in:
■ “GRE Overview” on page 405
■ “Configuring a GRE over IPv4 Tunnel” on page 408
■ “Displaying and Maintaining GRE” on page 410
■ “GRE Tunnel Configuration Example” on page 411
■ “Troubleshooting GRE” on page 416
■ Routers mentioned and router icons illustrated in the contents below represent general routers and Ethernet switches running routing protocols.
3 If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface.
4 Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet and submits it to the IP module.
5 The IP module encapsulates the packet in an IP packet, and then forwards the IP packet out through the corresponding network interface based on its destination address and the routing table.
GRE Overview
3 The GRE module checks the key, checksum and sequence number, then strips off the GRE header and submits the payload to the IPX module.
4 The IPX module performs the subsequent forwarding processing for the packet.
GRE Applications
Encapsulation and decapsulation processes on both ends of the GRE tunnel and the resulting increase in data volume will degrade the forwarding efficiency of the GRE-enabled device to some extent.
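The encapsulation and decapsulation steps above, as an added example that is not part of this guide: Python functions that build a GRE header (RFC 2784/2890 layout) and, on receipt, perform the key, checksum and sequence-number checks of step 3 before handing the payload up. The sample payload is a constructed byte string standing in for an IPX or IP packet; the receiver's expected key and last sequence number are assumed values.

```python
import struct

# GRE flag bits (RFC 2784 / RFC 2890): Checksum Present, Key Present, Sequence
# Number Present. The low 3 bits of the flags word carry the version, which must be 0.
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000
GRE_VERSION_MASK = 0x0007
ETH_P_IPV4, ETH_P_IPV6 = 0x0800, 0x86DD


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (odd-length data is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, key=None, seq=None,
                    checksum=False) -> bytes:
    """Prepend a GRE header (step 4); the result is what the IP module wraps in step 5."""
    flags = ((GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
             | (GRE_S if seq is not None else 0))
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)       # checksum placeholder, reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:
        csum = internet_checksum(packet)          # covers GRE header and payload
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key=None, last_seq=None):
    """Run the step 3 checks and return (protocol, payload, key, seq).

    Any failure raises ValueError, which is where a receiver drops the packet
    instead of forwarding an injected or corrupted payload.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    hdr_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    if len(packet) < hdr_len:
        raise ValueError("truncated GRE header")
    offset, key, seq = 4, None, None
    if flags & GRE_C:
        offset += 4                               # checksum + reserved1, verified below
    if flags & GRE_K:
        key, = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:
        seq, = struct.unpack_from("!I", packet, offset)
        offset += 4
    # 1. Key: a configured key must be present and match, or the packet is not ours.
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch")
    # 2. Checksum: the ones'-complement sum over the whole GRE packet must be zero.
    if flags & GRE_C and internet_checksum(packet) != 0:
        raise ValueError("GRE checksum error")
    # 3. Sequence: accept only packets newer than the last one seen.
    if seq is not None and last_seq is not None and seq <= last_seq:
        raise ValueError("GRE sequence number out of order")
    return proto, packet[offset:], key, seq


def gre_is_valid(packet: bytes, expected_key=None, last_seq=None) -> bool:
    """True when gre_decapsulate accepts the packet."""
    try:
        gre_decapsulate(packet, expected_key, last_seq)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed payload; key 0x1234 and last sequence number 6 are assumed receiver state.
    pkt = gre_encapsulate(b"constructed-ipv6-payload", ETH_P_IPV6, key=0x1234, seq=7, checksum=True)
    print(gre_decapsulate(pkt, expected_key=0x1234, last_seq=6))
    print(gre_is_valid(pkt, expected_key=0x9999))   # wrong key: False
```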
When the hop count between two terminals exceeds 15, the terminals cannot communicate with each other. Using GRE, you can hide some hops so as to extend the reach of the network.
Configuring a GRE over IPv4 Tunnel
To do...: Use the command... (Remarks)
Configure an IPv4 address for the tunnel interface: ip address ip-address { mask | mask-length } (Any of the three must be selected. By default, no IPv4 address is configured on a tunnel interface.)
Configure an IPv6 address for the tunnel interface: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Displaying and Maintaining GRE
■ For a tunnel interface that is configured with any of the above features, all the configuration disappears once that interface is deleted.
■ The source address and destination address of a tunnel uniquely identify a path. They must be configured at both ends of the tunnel, and each end's source address is the other end's destination address.
GRE Tunnel Configuration Example
GRE IPv4 over IPv4 Tunnel Configuration Example
Network requirements
Switch 1 and Switch 2 are interconnected through an IPv4 network. Two private IPv4 subnets, Group1 and Group2, are interconnected through a GRE tunnel between the two switches.
Network diagram
Figure 128 Network diagram for GRE application (diagram: IPv4 Group1 attached via Vlan-interface100 10.1.1.1/24; IPv4 Group2 attached via Vlan-interface100 10.1.3.
# Configure the source address of interface Tunnel 4/0/1 to be the IP address of the VLAN interface of interface GigabitEthernet 4/1/2.
[Sysname1-Tunnel4/0/1] source vlan-interface 101
# Configure the destination address for interface Tunnel 4/0/1 (IP address of the VLAN interface to which GigabitEthernet 4/1/2 of Switch 2 belongs).
[Sysname1-Tunnel4/0/1] destination 131.108.5.
[Sysname2] interface tunnel 4/0/1
# Configure an IPv4 address for interface Tunnel 4/0/1.
[Sysname2-Tunnel4/0/1] ip address 10.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode.
[Sysname2-Tunnel4/0/1] tunnel-protocol gre
# Configure the source address for interface Tunnel 4/0/1 (IP address of the VLAN interface to which GigabitEthernet 4/1/2 belongs).
Network diagram
Figure 129 Network diagram for GRE application (diagram: IPv6 Group1 behind Vlan-interface100 2002::1:1/64 of Switch 1; IPv6 Group2 behind Vlan-interface100 2003::1:2/64 of Switch 2; Switch 1 Vlan-interface101 192.13.2.1/24 and Switch 2 Vlan-interface101 131.108.5.2/24 across the IPv4 network; Tunnel 4/0/1 on each switch)
Configuration procedure
1 Configure Switch 1
# Enter system view.
system-view
# Enable IPv6.
[Sysname1] ipv6
# Configure Vlan-interface100.
# Configure the destination address of interface Tunnel 4/0/1 to be the IP address of the VLAN interface to which GigabitEthernet 4/1/2 of Switch 2 belongs. Additionally, enable the expediting function.
[Sysname1-Tunnel4/0/1] destination 131.108.5.2
[Sysname1-Tunnel4/0/1] expediting enable
[Sysname1-Tunnel4/0/1] quit
# Create service loop group 1, setting the configuration mode to manual and the service type to tunnel.
[Sysname2-Vlan-interface101] ip address 131.108.5.2 255.255.255.0
[Sysname2-Vlan-interface101] quit
# Create an interface named Tunnel 4/0/1.
[Sysname2] interface tunnel 4/0/1
# Configure an IPv6 address for interface Tunnel 4/0/1.
[Sysname2-Tunnel4/0/1] ipv6 address 2001::1:2 64
# Configure the tunnel encapsulation mode.
Troubleshooting GRE
PC B run IPv4 and they are connected to each other via a GRE tunnel between Switch 1 and Switch 2.
Figure 130 Troubleshoot GRE (diagram: PC A 10.1.1.1/16 behind Switch1 Vlan-interface 2 with Tunnel 1/0/0; Switch3 on the Internet path; Switch2 Vlan-interface 1 with Tunnel 1/0/0 in front of PC B 10.2.1.1/16)
Symptom: The interfaces at both ends of the tunnel are configured correctly and can ping each other, but PC A and PC B cannot ping each other.
CHAPTER 35: BGP CONFIGURATION
Border Gateway Protocol (BGP) is a dynamic inter-AS route discovery protocol.
■ Providing abundant routing policies, allowing flexible route filtering and selection
■ Easy to extend, satisfying new network developments
A router advertising BGP messages is called a BGP speaker, which exchanges new routing information with other BGP speakers. When a BGP speaker receives a new route or a route better than the current one from another AS, it advertises the route to all the other BGP speakers in the local AS.
BGP Overview
Open
After a TCP connection is established, the first message sent by each side is an Open message for peer relationship establishment. The Open message contains the following fields:
Figure 132 BGP open message format (fields in order: Version, My Autonomous System, Hold Time, BGP Identifier, Opt Parm Len, Optional Parameters)
■ Version: This 1-octet unsigned integer indicates the protocol version number of the message. The current BGP version is 4.
■ Unfeasible Routes Length: The total length of the Withdrawn Routes field in octets. A value of 0 indicates that no route is being withdrawn from service and that the Withdrawn Routes field is not present in this Update message.
■ Withdrawn Routes: A variable-length field that contains a list of IP prefixes of routes that are being withdrawn from service.
■ Total Path Attribute Length: Total length of the Path Attributes field in octets.
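The Open fields listed under Figure 132 and the Update fields above, as one added example (not code from this guide or the switch): a Python decoder for the common BGP message header, the Open message, and the Update message's Unfeasible Routes Length, Withdrawn Routes and Total Path Attribute Length fields, with the length checks a receiver needs before trusting them. The two sample messages are constructed here; AS 65000, hold time 180 and identifier 1.1.1.1 are assumed values.

```python
import ipaddress
import struct

# Common BGP message header (RFC 4271): 16-byte marker, 2-byte length, 1-byte type.
BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_MAX_LEN = 4096
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
TYPE_NAMES = {OPEN: "OPEN", UPDATE: "UPDATE", NOTIFICATION: "NOTIFICATION", KEEPALIVE: "KEEPALIVE"}

def build_message(msg_type, body):
    """Wrap a body in the common header; used here to construct the sample messages."""
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), msg_type) + body

def parse_header(msg):
    """Validate the common header and return (type, body)."""
    if len(msg) < BGP_HEADER_LEN:
        raise ValueError("shorter than the 19-byte BGP header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker")
    if not BGP_HEADER_LEN <= length <= BGP_MAX_LEN or length != len(msg):
        raise ValueError("bad message length %d" % length)
    if msg_type not in TYPE_NAMES:
        raise ValueError("bad message type %d" % msg_type)
    return msg_type, msg[BGP_HEADER_LEN:]

def parse_open(body):
    """Decode the Open fields of Figure 132 and reject values a peer must not accept."""
    if len(body) < 10:
        raise ValueError("Open message too short")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError("unsupported BGP version %d" % version)
    if 0 < hold_time < 3:  # hold time must be 0 or at least 3 seconds
        raise ValueError("unacceptable hold time %d" % hold_time)
    if bgp_id == 0:
        raise ValueError("bad BGP identifier")
    if opt_len != len(body) - 10:
        raise ValueError("Opt Parm Len does not match the message length")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_params": body[10:]}

def parse_prefixes(data):
    """Decode <length, prefix> pairs as used by the Withdrawn Routes and NLRI fields."""
    prefixes, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        if plen > 32 or i + 1 + nbytes > len(data):
            raise ValueError("malformed prefix list")
        raw = data[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append("%s/%d" % (ipaddress.IPv4Address(raw), plen))
        i += 1 + nbytes
    return prefixes

def parse_update(body):
    """Decode Unfeasible Routes Length, Withdrawn Routes, Total Path Attribute Length and NLRI."""
    if len(body) < 4:
        raise ValueError("Update message too short")
    unfeasible_len, = struct.unpack("!H", body[:2])
    attr_start = 4 + unfeasible_len
    if attr_start > len(body):
        raise ValueError("Unfeasible Routes Length exceeds the message")
    withdrawn = parse_prefixes(body[2:2 + unfeasible_len])
    attr_len, = struct.unpack("!H", body[attr_start - 2:attr_start])
    if attr_start + attr_len > len(body):
        raise ValueError("Total Path Attribute Length exceeds the message")
    return {"unfeasible_len": unfeasible_len, "withdrawn": withdrawn, "path_attr_len": attr_len,
            "path_attrs": body[attr_start:attr_start + attr_len],
            "nlri": parse_prefixes(body[attr_start + attr_len:])}

def parse_message(msg):
    msg_type, body = parse_header(msg)
    if msg_type == OPEN:
        return {"type": "OPEN", **parse_open(body)}
    if msg_type == UPDATE:
        return {"type": "UPDATE", **parse_update(body)}
    return {"type": TYPE_NAMES[msg_type], "body": body}

def is_well_formed(msg):
    """True when the message parses cleanly; a receiver would otherwise send a NOTIFICATION."""
    try:
        parse_message(msg)
        return True
    except ValueError:
        return False

# Constructed samples (not captured traffic): an Open from AS 65000 with hold time 180 and
# identifier 1.1.1.1, and an Update withdrawing 8.0.0.0/8 and 10.1.0.0/16 with no attributes.
SAMPLE_OPEN = build_message(OPEN, struct.pack("!BHHIB", 4, 65000, 180,
                                              int(ipaddress.IPv4Address("1.1.1.1")), 0))
SAMPLE_UPDATE = build_message(UPDATE, struct.pack("!H", 5) + b"\x08\x08" + b"\x10\x0a\x01"
                              + struct.pack("!H", 0))
```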
BGP Path Attributes
Classification of path attributes
Path attributes fall into four categories:
■ Well-known mandatory: Must be recognized by all BGP routers and must be included in every update message. A routing information error occurs without this attribute.
■ Well-known discretionary: Recognized by all BGP routers and included in update messages only as needed.
■ Optional transitive: Transitive attribute between ASs.
determine the ASs through which to route messages back. The number of the AS closest to the receiver's AS is leftmost, as shown below:
Figure 136 AS_PATH attribute (diagram: 8.0.0.0 originates in AS 10 with AS_PATH (10); AS 20 advertises it as (20,10), AS 40 as (40,10), and AS 30 as (30,20,10) toward AS 50)
In general, a BGP router does not accept routes containing the local AS number, to avoid routing loops.
configured, the NEXT_HOP attribute will be modified. For load-balancing information, refer to “BGP Route Selection” on page 426.
Figure 137 NEXT_HOP attribute (diagram: 8.0.0.0 advertised over EBGP with NEXT_HOP=1.1.1.1 between AS 100 and AS 200, over EBGP with NEXT_HOP=1.1.2.1 into AS 300, and over IBGP inside AS 300 with NEXT_HOP=1.1.2.1 unchanged)
4 MED (MULTI_EXIT_DISC)
The MED attribute is exchanged between two neighboring ASs, neither of which advertises the attribute to any other AS.
This attribute is exchanged between IBGP peers only and thus is not advertised to any other AS. It indicates the priority of a BGP router. LOCAL_PREF is used to determine the best route for traffic leaving the local AS. When a BGP router obtains from several IBGP peers multiple routes to the same destination but with different next hops, it considers the route with the highest LOCAL_PREF value the best route.
■ Select the route with the shortest AS_PATH
■ Select ORIGIN IGP, EGP, and Incomplete routes in turn
■ Select the route with the lowest MED value
■ Select routes learned from EBGP, confederation, and IBGP in turn
■ Select the route with the smallest next hop cost
■ Select the route with the shortest CLUSTER_LIST
■ Select the route with the smallest ORIGINATOR_ID
■ Select the route advertised by the router with the smallest Router ID
■ CLUSTER_IDs of route reflectors form a CLU
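The selection order above, together with the LOCAL_PREF rule and the AS_PATH loop check from the preceding pages, as an added example that is not the switch's code: a Python comparator that drops looped routes and ranks the rest. The candidate routes, the local AS 65000 and the cost values are constructed; comparing MED across all candidates is an assumption, since the page does not say whether the comparison is restricted to routes from the same neighbor AS.

```python
from dataclasses import dataclass, field

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "Incomplete": 2}       # IGP preferred over EGP over Incomplete
SOURCE_RANK = {"EBGP": 0, "confederation": 1, "IBGP": 2}  # EBGP preferred over confederation over IBGP


def ip_key(addr: str) -> tuple:
    """Numeric ordering for dotted IDs (ORIGINATOR_ID, Router ID)."""
    return tuple(int(part) for part in addr.split("."))


@dataclass
class Route:
    prefix: str
    peer_router_id: str              # Router ID of the advertising router
    as_path: list
    source: str                      # "EBGP", "confederation" or "IBGP"
    local_pref: int = 100
    origin: str = "IGP"
    med: int = 0
    next_hop_cost: int = 0           # IGP cost to reach the NEXT_HOP
    cluster_list: list = field(default_factory=list)
    originator_id: str = "0.0.0.0"


def has_as_loop(route: Route, local_as: int) -> bool:
    """AS_PATH loop detection: a route carrying the local AS number is rejected."""
    return local_as in route.as_path


def selection_key(route: Route) -> tuple:
    """Sort key mirroring the selection steps, in order; a smaller tuple is a better route."""
    return (-route.local_pref,                 # highest LOCAL_PREF
            len(route.as_path),                # shortest AS_PATH
            ORIGIN_RANK[route.origin],         # IGP, EGP, Incomplete in turn
            route.med,                         # lowest MED (assumed: compared across all candidates)
            SOURCE_RANK[route.source],         # EBGP, confederation, IBGP in turn
            route.next_hop_cost,               # smallest next hop cost
            len(route.cluster_list),           # shortest CLUSTER_LIST
            ip_key(route.originator_id),       # smallest ORIGINATOR_ID
            ip_key(route.peer_router_id))      # smallest Router ID


def rank_routes(routes: list, local_as: int) -> list:
    """Loop-free candidates, best first."""
    return sorted((r for r in routes if not has_as_loop(r, local_as)), key=selection_key)


def select_best(routes: list, local_as: int) -> Route:
    ranked = rank_routes(routes, local_as)
    if not ranked:
        raise ValueError("no loop-free route to install")
    return ranked[0]


# Constructed candidates for 8.0.0.0/8 as seen by a router in AS 65000 (assumed local AS).
LOCAL_AS = 65000
SAMPLE_ROUTES = [
    Route("8.0.0.0/8", "5.5.5.5", [300, 65000, 10], "EBGP"),          # carries our AS: loop, dropped
    Route("8.0.0.0/8", "1.1.1.1", [100, 10], "EBGP", med=50),
    Route("8.0.0.0/8", "2.2.2.2", [200, 10], "IBGP", med=20),         # lower MED beats EBGP source
    Route("8.0.0.0/8", "4.4.4.4", [20, 10], "IBGP", local_pref=200),  # highest LOCAL_PREF wins
]

if __name__ == "__main__":
    for r in rank_routes(SAMPLE_ROUTES, LOCAL_AS):
        print(r.peer_router_id, selection_key(r))
```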
Figure 140 Network diagram for BGP load balancing (figure: Router A and Router B in AS 100 peer with Router C; Router D and Router E in AS 200 are IBGP peers of Router C)

In the above figure, Router D and Router E are IBGP peers of Router C. Router A and Router B both advertise a route to the same destination to Router C. If load balancing is configured and the two routes have the same AS_PATH attribute, ORIGIN attribute, LOCAL_PREF and MED, Router C adds both routes to its routing table for load balancing.
route recursion. Router C has no idea about the route 8.0.0.0/8, so it discards the packet.

Figure 141 IBGP and IGP synchronization (figure: Router A in AS 10 and Router E in AS 30 connect over EBGP to AS 20, where Router B, Router C and Router D run IGP and Router B and Router D are IBGP peers)

If synchronization is configured in this example, the IBGP router (Router D) checks the learned IBGP route from its IGP routing table first.
BGP route dampening uses a penalty value to judge the stability of a route. The bigger the value, the less stable the route. Each time a route flap occurs (a route flap is the state change of a route from active to inactive), BGP adds a penalty value (1000, a fixed number that cannot be changed) to the route.
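The penalty arithmetic behind dampening is easier to see in code. The following is an added example, not code from the guide: the page fixes only the per-flap penalty (1000); the half-life, reuse limit, suppress limit and ceiling below are constructed parameters for illustration, not this platform's defaults, and the exponential decay model is assumed.

```python
"""Added example: BGP route dampening penalty simulation (not the 3Com guide's code).

Only the fixed per-flap penalty of 1000 comes from the page. Half-life, reuse
and suppress limits and the ceiling are constructed parameters for illustration.
"""
import math

FLAP_PENALTY = 1000   # fixed, as stated on the page


class DampenedRoute:
    def __init__(self, half_life_s=900, reuse=750, suppress=2000, ceiling=16000):
        # constructed parameters (assumption), not platform defaults
        self.half_life_s = half_life_s
        self.reuse = reuse
        self.suppress = suppress
        self.ceiling = ceiling
        self.penalty = 0.0
        self.suppressed = False
        self.last_t = 0.0

    def _decay(self, t):
        """Assumed model: the penalty halves every half_life_s seconds."""
        elapsed = t - self.last_t
        self.penalty *= 0.5 ** (elapsed / self.half_life_s)
        self.last_t = t
        # a suppressed route is reused once its penalty drops below the reuse limit
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, t):
        """Record one flap at time t; returns True if the route is now suppressed."""
        self._decay(t)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, t):
        self._decay(t)
        return self.suppressed

    def seconds_until_reuse(self, t):
        """Time until the decayed penalty falls to the reuse limit (0 if already usable)."""
        self._decay(t)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life_s * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    r = DampenedRoute()
    for t in (0, 0):
        print(f"flap at t={t}: penalty={r.penalty + FLAP_PENALTY:.0f}, suppressed={r.flap(t)}")
    print("suppressed at t=900 ?", r.is_suppressed(900), "penalty", r.penalty)
    print("suppressed at t=1800?", r.is_suppressed(1800), "penalty", r.penalty)
```

Two flaps in quick succession push the penalty to 2000 and suppress the route; with a 900 s half-life the penalty is 1000 after one half-life (still suppressed) and 500 after two (below the reuse limit, so the route is advertised again).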
Community

A peer group makes the peers in it share the same policy, while a community makes a group of BGP routers in several ASs share the same policy. Community is a path attribute advertised between BGP peers and is not limited by AS. A BGP router can modify the community attribute of a route before sending it to other peers. Besides using the well-known community attribute, you can define the extended community attribute using a community list to help define a routing policy.
Figure 144 Network diagram for route reflectors (figure: Route Reflector1 and Route Reflector2 form an IBGP cluster in AS 65000, with three clients attached over IBGP)

When clients of a route reflector are fully meshed, route reflection is unnecessary because it consumes more bandwidth resources. The system supports using related commands to disable route reflection in this case.
The deficiency of confederation is: when changing an AS into a confederation, you need to reconfigure your routers, and the topology will be changed. In large-scale BGP networks, both route reflector and confederation can be used.

MP-BGP Overview

The legacy BGP-4 supports IPv4, but does not support some other network layer protocols like IPv6.
RFC1997: BGP Communities Attribute
RFC2796: BGP Route Reflection
RFC3065: Autonomous System Confederations for BGP

Features in draft stage include Graceful Restart and extended community attributes.
Configuring BGP Basic Functions

Prerequisites
■ In general, IP addresses of loopback interfaces are used to improve stability of BGP connections.
■ The neighboring nodes are accessible to each other at the network layer.

Configuration Procedure
To configure BGP basic functions, use the following commands:
■ It is required to specify for a BGP router a router ID, a 32-bit unsigned integer and the unique identifier of the router in the AS.
■ You must create a peer group before configuring basic functions for it. For information about creating a peer group, refer to "Configuring BGP Peer Groups" on page 444.
■ You can specify a router ID manually. If not, the system selects an IP address as the router ID.
Controlling Route Distribution and Reception

NOTE:
■ The ORIGIN attribute of routes redistributed using the import-route command is Incomplete.
■ The ORIGIN attribute of networks advertised into the BGP routing table with the network command is IGP, and these networks must exist in the local IP routing table.

Configuring BGP Route Summarization

Using a routing policy makes route control more flexible.
Configuring BGP Route Distribution Policy

To configure BGP route distribution policy, use the following commands:

Configuring BGP Route Dampening

Through configuring BGP route dampening, you can suppress unstable routes so that they are neither added to the local routing table nor advertised to BGP peers. To configure BGP route dampening, use the following commands:

Configuring BGP Routing Attributes
Tuning and Optimizing BGP Networks

■ You can specify a fake AS number to hide the real one as needed. The fake AS number applies to EBGP peers only, that is, EBGP peers in other ASs can see only the fake AS number.
■ The peer substitute-as command is used only in specific networking environments. Inappropriate use of the command may cause routing loops.
Configure BGP timers:
■ Configure keepalive interval and holdtime: timer keepalive keepalive hold holdtime (Optional)
■ Configure keepalive interval and holdtime for a peer/peer group: peer { group-name | ip-address } timer keepalive keepalive hold holdtime (Optional)
The keepalive interval defaults to 60 seconds; holdtime defaults to 180 seconds.
CAUTION:
■ The maximum keepalive interval should be 1/3 of the holdtime and no less than 1 second. The holdtime is no less than 3 seconds unless it is set to 0.
■ The intervals set with the peer timer command are preferred to those set with the timer command.
■ Use of the peer keep-all-routes command saves all routing updates from the peer regardless of whether the filtering policy is configured.

Configuring a Large Scale BGP Network
Configure a pure EBGP peer group:
■ Create an EBGP peer group: group group-name external (Optional)
■ Specify the AS number for the group
■ Add a peer into the group
Configure a mixed EBGP peer group:
■ Create an EBGP peer group: group group-name external (Optional)
■ Specify a peer and the AS number for the peer respectively
■ Add a peer into the group
You can add multiple peers into the group.

Configuring BGP Community
Configuring a BGP Route Reflector

To configure a BGP route reflector, use the following commands:

Configuring a BGP Confederation

Displaying and Maintaining BGP Configuration

Displaying BGP Configuration

Resetting BGP Connections
BGP Configuration Examples

Switch B: Vlan-int200 200.1.1.2/24, Vlan-int400 9.1.1.1/24, Vlan-int300 9.1.3.1/24
Switch A: Vlan-int200 200.1.1.1/24
Switch C: Vlan-int500 9.1.2.2/24, Vlan-int300 9.1.3.2/24
Switch D: Vlan-int500 9.1.2.1/24

Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure IBGP connections
# Configure Switch B.
system-view
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 9.1.1.2 as-number 65009
[SwitchB-bgp] peer 9.1.3.
# Display peer information on Switch B.
[SwitchB] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 3    Peers in established state : 3
Peer        V  AS     MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down   State
9.1.1.2     4  65009  56       56       0     0        00:40:54  Established
9.1.3.2     4  65009  49       62       0     0        00:44:58  Established
200.1.1.2   4  65008  49       65       0     1        00:44:03  Established
You can find that Switch B has established BGP connections to the other routers.
[SwitchB] bgp 65009
[SwitchB-bgp] import-route direct
# Display BGP routing table information on Switch A.
[SwitchA] display bgp routing-table
Total Number of Routes: 7
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network  NextHop  MED  LocPrf  PrefVal  Path/Ogn
(routes listed: 8.0.0.0, 9.1.1.0/24, 9.1.1.2/32, 9.1.3.0/24, 9.1.3.2/32, 200.1.1.0, 200.1.1.; status *> for the first five, * for the last two; remaining columns not legible in the extracted text)
BGP and IGP Interaction Configuration

Network requirements
As shown below, OSPF is used as the IGP protocol in AS 65009, where Switch C is a non-BGP switch. Between Switch A and Switch B is an EBGP connection.

Network diagram
Figure 147 Network diagram for BGP and IGP interaction (figure: Switch A with Vlan-int100 8.1.1.1/24 and Vlan-int200 3.1.1.2/24; AS 65009 containing Switch B with Vlan-int200 3.1.1.1/24 and Vlan-int300 9.1.1.1/24, and Switch C with Vlan-int400 9.1.2.1/24 and Vlan-int300 9.1.1.
Total Number of Routes: 3
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network      NextHop   MED  LocPrf  PrefVal  Path/Ogn
*> 8.1.1.0/24  0.0.0.0   0            0        i
*> 9.1.1.0/24  3.1.1.1   0            0        65009?
*> 9.1.2.0/24  3.1.1.1   2            0        65009?
# Configure OSPF to redistribute routes from BGP on Switch B.
Reply from 9.1.2.1: bytes=56 Sequence=3 ttl=254 time=47 ms
Reply from 9.1.2.1: bytes=56 Sequence=4 ttl=254 time=46 ms
Reply from 9.1.2.1: bytes=56 Sequence=5 ttl=254 time=47 ms
--- 9.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
[SwitchB-bgp] peer 200.1.1.2 as-number 65008
[SwitchB-bgp] peer 9.1.1.2 as-number 65009
[SwitchB-bgp] network 9.1.1.0 255.255.255.0
[SwitchB-bgp] quit
# Configure Switch C.
system-view
[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 200.1.2.2 as-number 65008
[SwitchC-bgp] peer 9.1.1.1 as-number 65009
[SwitchC-bgp] network 9.1.1.0 255.255.255.0
[SwitchC-bgp] quit
# Display the routing table on Switch A.
4 Configure MED
# Configure the default MED of Switch B.
[SwitchB] bgp 65009
[SwitchB-bgp] default med 100
# Display the routing table on Switch A.
[SwitchA] display bgp routing-table
Total Number of Routes: 3
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network  NextHop  MED  LocPrf  PrefVal  Path/Ogn
*> 8.0.0.0     0.0.0.0
*> 9.1.1.0/24  200.1.2.
*
system-view
[SwitchA] bgp 10
[SwitchA-bgp] router-id 1.1.1.1
[SwitchA-bgp] peer 200.1.2.2 as-number 20
[SwitchA-bgp] network 9.1.1.0 255.255.255.0
[SwitchA-bgp] quit
# Configure Switch B.
system-view
[SwitchB] bgp 20
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 200.1.2.1 as-number 10
[SwitchB-bgp] peer 200.1.3.2 as-number 30
[SwitchB-bgp] quit
# Configure Switch C.
system-view
[SwitchC] bgp 30
[SwitchC-bgp] router-id 3.3.3.
3 Configure BGP community
# Configure a routing policy.
[SwitchA] route-policy comm_policy permit node 0
[SwitchA-route-policy] apply community no-export
[SwitchA-route-policy] quit
# Apply the routing policy.
[SwitchA] bgp 10
[SwitchA-bgp] peer 200.1.2.2 route-policy comm_policy export
[SwitchA-bgp] peer 200.1.2.2 advertise-community
# Display the routing table on Switch B.
[SwitchB] display bgp routing-table 9.1.1.0
BGP local router ID : 2.2.2.
Network diagram
Figure 150 Network diagram for BGP confederation configuration (on switches) (figure: confederation AS 200 made up of AS 65001 with Switch A, Switch D and Switch E, AS 65002 with Switch B, and AS 65003 with Switch C; Switch F in AS 100 peers with Switch A; interfaces Vlan-int100 through Vlan-int500)

Device   Interface    IP address
Switch A Vlan-int100  200.1.1.
# Configure Switch C.
system-view
[SwitchC] bgp 65003
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] confederation id 200
[SwitchC-bgp] confederation peer-as 65001 65002
[SwitchC-bgp] peer 10.1.2.1 as-number 65001
[SwitchC-bgp] quit
3 Configure IBGP connections in AS 65001.
# Configure Switch A.
[SwitchA] bgp 65001
[SwitchA-bgp] peer 10.1.3.2
[SwitchA-bgp] peer 10.1.3.2
[SwitchA-bgp] peer 10.1.4.2
[SwitchA-bgp] peer 10.1.4.
# Display the routing table of Switch B.
[SwitchB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network       NextHop   MED  LocPrf  PrefVal  Path/Ogn
*>i 9.1.1.0/24  10.1.1.1  0    100     0        (65001) 100i
[SwitchB] display bgp routing-table 9.1.1.0
BGP local router ID : 2.2.2.
Network diagram
Figure 151 Network diagram for BGP route reflector configuration (figure: Switch A with Vlan-int100 1.1.1.1/8 and Vlan-int200 192.1.1.1/24; Switch B with Vlan-int200 192.1.1.2/24 and Vlan-int300 193.1.1.1/24; Switch C, the route reflector, with Vlan-int300 193.1.1.2/24 and Vlan-int400 194.1.1.1/24; Switch D with Vlan-int400 194.1.1.
[SwitchD-bgp] peer 194.1.1.1 as-number 200
[SwitchD-bgp] quit
3 Configure the route reflector
# Configure Switch C.
[SwitchC] bgp 200
[SwitchC-bgp] peer 193.1.1.2 reflect-client
[SwitchC-bgp] peer 194.1.1.2 reflect-client
[SwitchC-bgp] quit
4 Verify the above configuration
# Display the BGP routing table of Switch B.
[SwitchB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 200.1.2.
Network diagram
Figure 152 Network diagram for BGP path selection configuration (on switches) (figure: Switch A in AS 100 connects to Switch B and Switch C in AS 200, which both connect to Switch D)

Device   Interface    IP address
Switch A Vlan-int101  1.0.0.0/8
         Vlan-int100  192.1.1.1/24
         Vlan-int200  193.
Switch D Vlan-int400  195.1.1.1/24
         Vlan-int300  194.1.1.1/24
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
3 Configure BGP connections
# Configure Switch A.
system-view
[SwitchA] bgp 100
[SwitchA-bgp] peer 192.1.1.2 as-number 200
[SwitchA-bgp] peer 193.1.1.2 as-number 200
# Advertise network 1.0.0.0/8 to the BGP routing table of Switch A.
[SwitchA-bgp] network 1.0.0.0 8
[SwitchA-bgp] quit
# Configure Switch B.
[SwitchB] bgp 200
[SwitchB-bgp] peer 192.1.1.1 as-number 100
[SwitchB-bgp] peer 194.1.1.
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 100
[SwitchA-route-policy] quit
# Apply routing policy apply_med_50 to the route advertised to peer 193.1.1.2 (Switch C), and apply_med_100 to the route advertised to peer 192.1.1.2 (Switch B).
[SwitchA] bgp 100
[SwitchA-bgp] peer 193.1.1.2 route-policy apply_med_50 export
[SwitchA-bgp] peer 192.1.1.
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network      NextHop    MED  LocPrf  PrefVal  Path/Ogn
*>i 1.0.0.0   193.1.1.1  0    200     0        100i
* i           192.1.1.1  0    100     0        100i
You can find that the route 1.0.0.0/8 learned from Switch C is the optimal one.

Troubleshooting BGP Configuration

No BGP Peer Relationship Established

Symptom
Display BGP peer information using the display bgp peer command.
36 IPV6 BGP CONFIGURATION

NOTE:
■ The term "router" refers to a router in a generic sense or an Ethernet switch running routing protocols in this document.
■ This chapter describes only configuration specific to IPv6 BGP. For BGP related information, refer to "BGP Configuration" on page 419.
CHAPTER 36: IPV6 BGP CONFIGURATION IPv6 BGP utilizes BGP multiprotocol extensions for application in IPv6 networks. The original messaging and routing mechanisms of BGP are not changed.
Configuring IPv6 BGP Basic Functions

Task / Description:
"Tuning and Optimizing IPv6 BGP Networks" on page 478:
■ "Configuring IPv6 BGP Timers" on page 479 (Optional)
■ "Configuring IPv6 BGP Soft Reset" on page 479 (Optional)
■ "Configuring the Maximum Number of Equal Cost Routes" on page 480 (Optional)
"Configuring a Large Scale IPv6 BGP Network" on page 480:
■ "Configuring IPv6 BGP Peer Group" on page 480 (Optional)
■ "Configuring IPv6 BGP Community" on page 482 (Optional)
■ "Configuring an IPv6 BGP Route (Optional)
Configuring a Preferred Value for Routes from a Peer/Peer Group

Specifying a Local Update Source Interface to a Peer/Peer Group

Configuring a Non Direct EBGP Connection to a Peer/Peer Group

Configuring Description for a Peer/Peer Group

To configure description for a peer/peer group, use the following commands:

Disabling Session Establishment to a Peer/Peer Group

Logging Session State and Event Information of a Peer/Peer Group

Configuring IPv6 BGP Route Redistribution

To configure IPv6 BGP route redistribution and filtering, use the following commands:

Configuring Route Reception Policy
Configuring IPv6 BGP and IGP Route Synchronization

With this feature enabled and when a non-BGP router is responsible for forwarding packets in an AS, IPv6 BGP speakers in the AS cannot advertise routing information to outside ASs unless all routers in the AS know the latest routing information. By default, when a BGP router receives an IBGP route, it only checks the reachability of the route's next hop before advertisement.
Configuring IPv6 BGP Route Attributes

Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes

To do so, use the following commands:

Tuning and Optimizing IPv6 BGP Networks

Configuring IPv6 BGP Timers

Prerequisites
Before configuring IPv6 BGP timers, you have:
■ Enabled IPv6 function
■ Configured IPv6 BGP basic functions
To do so, use the following commands:

Configuring the Maximum Number of Equal Cost Routes

Configuring a Large Scale IPv6 BGP Network
■ Specify the AS number of an IPv6 peer: peer ipv6-address as-number as-number (Required; not specified by default)
■ Add the IPv6 peer into the peer group: peer ipv6-address group ipv6-group-name (Required; not added by default)
NOTE:
■ After you add an IPv6 EBGP peer to the peer group, the system automatically creates the EBGP peer in IPv6 address family view.

Configuring IPv6 BGP Community
Displaying and Maintaining IPv6 BGP Configuration

Resetting IPv6 BGP Connections

IPv6 BGP Configuration Examples
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure IBGP connections
# Configure Switch B.
system-view
[SwitchB] ipv6
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] ipv6-family
[SwitchB-bgp-af-ipv6] peer 9:1::2 as-number 65009
[SwitchB-bgp-af-ipv6] peer 9:3::2 as-number 65009
[SwitchB-bgp-af-ipv6] quit
[SwitchB-bgp] quit
# Configure Switch C.
[SwitchB] bgp 65009
[SwitchB-bgp] ipv6-family
[SwitchB-bgp-af-ipv6] peer 10::2 as-number 65008
# Display IPv6 peer information on Switch B.
[SwitchB] display bgp ipv6 peer
BGP local router ID : 2.2.2.
# Configure Switch B.
system-view
[SwitchB] ipv6
[SwitchB] bgp 200
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] ipv6-family
[SwitchB-bgp-af-ipv6] peer 100::1 as-number 100
[SwitchB-bgp-af-ipv6] peer 101::1 as-number 200
[SwitchB-bgp-af-ipv6] peer 101::1 next-hop-local
# Configure Switch C.
system-view
[SwitchC] ipv6
[SwitchC] bgp 200
[SwitchC-bgp] router-id 3.3.3.
Troubleshooting IPv6 BGP Configuration

Processing steps
1 Use the display current-configuration command to verify the peer's AS number.
2 Use the display bgp ipv6 peer command to verify the peer's IPv6 address.
3 If the loopback interface is used, check whether the peer connect-interface command is configured.
4 If the peer is not directly connected, check whether the peer ebgp-max-hop command is configured.
5 Check whether a route to the peer is available in the routing table.
37 MULTICAST OVERVIEW

NOTE:
■ The term "router" in this document refers to a router in a generic sense or a Switch 8800 running the multicast routing protocol.
■ Unless otherwise stated, the term "multicast" in this document refers to IP multicast.

Introduction to Multicast

As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
CHAPTER 37: MULTICAST OVERVIEW Assume that Hosts B, D and E need this information. The information source establishes a separate transmission channel for each of these hosts. In unicast transmission, the traffic over the network is proportional to the number of hosts that need the information. If a large number of users need the information, the information source needs to send a copy of the same information to each of these users.
for multicast packets through multicast routing protocols, the packets are replicated only where the tree branches, as shown in Figure 157:

Figure 157 Multicast transmission (figure: a Source server sends packets for the multicast group; Hosts A through E are attached, and Hosts B, D and E are receivers)

Assume that Hosts B, D and E need the information. To receive the information correctly, these hosts need to join a receiver set, which is known as a multicast group.
For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 24.

Table 24 An analogy between TV transmission and multicast transmission
Step  TV transmission                                          Multicast transmission
1     A TV station transmits a TV program through a channel.   A multicast source sends multicast data to a multicast group.

Advantages and Applications of Multicast
ASM model
In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of a multicast source in advance. However, they can join or leave the multicast group at any time.

SFM model
The SFM model is derived from the ASM model.
IP multicast falls in the scope of end-to-end service. The multicast architecture involves the following four parts:
1 Addressing mechanism: Information is sent from a multicast source to a group of receivers through a multicast address.
2 Host registration: Receiver hosts are allowed to join and leave multicast groups dynamically. This mechanism is the basis for group membership management.
■ Permanent group addresses: Multicast addresses reserved by IANA for routing protocols. Such an address identifies a group of specific network devices (also known as reserved multicast groups). For details, see Table 26. A permanent group address never changes. There can be any number of members, or even 0, in a permanent multicast group.
■ Temporary group addresses: Group addresses that are temporarily assigned for user multicast groups.
Figure 158 IPv4-to-MAC address mapping (figure: the 32-bit IP address 1110 XXXX XXXX XXXX XXXX XXXX XXXX XXXX; the 5 bits after the 1110 prefix are lost and the low 23 bits are mapped into the 48-bit MAC address 0000 0001 0000 0000 0101 1110 0XXX XXXX XXXX XXXX XXXX XXXX, whose 25-bit prefix is fixed)

The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv
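The mapping in Figure 158 is a fixed 25-bit prefix (01:00:5e plus a 0 bit) followed by the low 23 bits of the group address; because the 5 bits after the leading 1110 are dropped, 32 different IPv4 groups share one MAC address. This is an added example, not code from the guide, that implements the mapping and enumerates the colliding groups; the sample addresses are constructed.

```python
"""Added example: IPv4 multicast group address to Ethernet MAC mapping (not the guide's code)."""
from ipaddress import IPv4Address
from typing import List

# 25-bit prefix 0000 0001 0000 0000 0101 1110 0, padded to 48 bits: 01:00:5e:00:00:00
MAC_PREFIX = 0x01005E000000


def multicast_ipv4_to_mac(addr: str) -> str:
    """Map a class D address to its multicast MAC: prefix 01:00:5e + low 23 bits."""
    ip = int(IPv4Address(addr))
    if ip >> 28 != 0b1110:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = ip & 0x7FFFFF                 # bits 22..0; bits 27..23 are lost
    mac = MAC_PREFIX | low23
    return ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def colliding_groups(addr: str) -> List[str]:
    """All 32 IPv4 multicast addresses that map to the same MAC as addr."""
    low23 = int(IPv4Address(addr)) & 0x7FFFFF
    return [str(IPv4Address((0b1110 << 28) | (k << 23) | low23)) for k in range(32)]


if __name__ == "__main__":
    # constructed sample groups
    for group in ("224.1.1.1", "225.1.1.1", "239.255.255.255"):
        print(group, "->", multicast_ipv4_to_mac(group))
    print("groups sharing the MAC of 224.1.1.1:", ", ".join(colliding_groups("224.1.1.1")))
```

The collision list is the practical consequence of the lost bits: a Layer 2 switch that filters on the MAC alone cannot tell 224.1.1.1 from 225.1.1.1 or 224.129.1.1, so a host that joins one group also receives frames for the other 31 unless filtering is done on the IP address.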
Table 27 Values of the Scope field
Value             Meaning
5                 Site-local scope
6, 7, 9 through D Unassigned
8                 Organization-local scope
E                 Global scope

Multicast Protocols

NOTE:
■ Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP/MLD, PIM/IPv6 PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding
establishing and maintaining group memberships between hosts and Layer 3 multicast devices.

2 Multicast routing protocols
A multicast routing protocol runs between Layer 3 multicast devices to establish and maintain multicast routes and forward multicast packets correctly and efficiently. A multicast route is a loop-free data transmission path from a data source to multiple receivers, namely a multicast distribution tree.
Multicast Packets Forwarding Mechanism

Figure 161 Positions of Layer 2 multicast protocols (figure: IPv4/IPv6 multicast packets from the Source pass through Multicast VLAN/IPv6 Multicast VLAN and IGMP Snooping/MLD Snooping on the way to the Receivers)

1 IGMP Snooping/MLD Snooping
Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) and Multicast Listener Discovery Snooping (MLD Snooping) are multicast constraining mechanisms that manage and control multicast groups by listening to and analyzing IGMP or ML
The RPF check mechanism is the basis for most multicast routing protocols to implement multicast forwarding.

NOTE: For details about RPF, refer to "RPF Mechanism" on page 503 or "RPF Mechanism" on page 515.
38 MULTICAST ROUTING AND FORWARDING CONFIGURATION

When configuring multicast routing and forwarding, go to the following sections for information you are interested in:
■ "Multicast Routing and Forwarding Overview" on page 503
■ "Configuring Multicast Routing and Forwarding" on page 507
■ "Displaying and Maintaining Multicast Routing and Forwarding" on page 510
■ "Configuration Examples" on page 511
■ "Troubleshooting Multicast Routing and Forwarding" on page 513

NOTE: The term "router" in this do
Implementation of the RPF mechanism
Upon receiving a multicast packet that a multicast source S sends to a multicast group G, the device first searches its multicast forwarding table:
1 If the corresponding (S, G) entry exists, and the interface on which the packet actually arrived is the incoming interface in the multicast forwarding table, the device forwards the packet to all the outgoing interfaces.
the destination address. The corresponding routing entry explicitly defines the RPF interface and the RPF neighbor.
2 Then, the device selects one of these two optimal routes as the RPF route.
means that the interface on which the packet actually arrived is not the RPF interface. The RPF check fails and the packet is discarded.

■ Multicast Static Route
A multicast packet from Source arrives at POS5/1/1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. The device performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.168.0.
multicast information from Source travels from Switch A to Switch B and then to Switch C.

Configuration Task List

Before configuring multicast routing and forwarding, prepare the following data:
■ The maximum number of downstream nodes for a single route in a multicast forwarding table
■ The maximum number of routing entries in a multicast forwarding table
■ The multicast forwarding range

Configuring Multicast Static Routes

Based on the application environment, a multicast static route has the following two functions:
■ Changing an RPF route.
■ If the device is not configured to use longest match for route selection, then:
  1 The route with a higher priority will be selected;
  2 If these routes have the same priority, the multicast static route will be selected.
Follow these steps to configure a multicast route match rule:
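The RPF behaviour described in this chapter (the (S, G) forwarding-table lookup, the choice between the unicast route and the multicast static route to the source, and the discard when the arrival interface is not the RPF interface) can be put together in one small model. This is an added example, not code from the guide: the route tables, interface names, addresses and the numeric "priority" convention (larger value wins) are constructed, the longest-match mode is assumed to prefer the longer prefix before falling back to priority, and the handling of a packet that passes the RPF check without an existing (S, G) entry is an assumption of the example.

```python
"""Added example: RPF route selection and RPF check (not the 3Com guide's code).

Tables, interfaces and addresses are constructed. 'priority' is a constructed
convention where the larger value wins.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteEntry:
    prefix: str      # destination prefix, e.g. "10.220.5.0/24"
    iface: str       # outgoing interface toward the prefix = RPF interface
    neighbor: str    # next hop toward the prefix = RPF neighbor
    priority: int    # larger wins (constructed convention)
    kind: str        # "unicast" or "mstatic"


@dataclass
class FwdEntry:
    in_iface: str                           # expected incoming interface
    oifs: List[str] = field(default_factory=list)


def longest_match(table: List[RouteEntry], source: str) -> Optional[RouteEntry]:
    src = ip_address(source)
    hits = [e for e in table if src in ip_network(e.prefix)]
    return max(hits, key=lambda e: ip_network(e.prefix).prefixlen, default=None)


def select_rpf_route(unicast: List[RouteEntry], mstatic: List[RouteEntry],
                     source: str, use_longest_match: bool = False) -> Optional[RouteEntry]:
    """Pick the RPF route from the best unicast route and the best multicast static route."""
    u, m = longest_match(unicast, source), longest_match(mstatic, source)
    if u is None or m is None:
        return u or m
    if use_longest_match:                    # assumption: longer prefix wins first
        lu, lm = ip_network(u.prefix).prefixlen, ip_network(m.prefix).prefixlen
        if lu != lm:
            return u if lu > lm else m
    if u.priority != m.priority:             # page: higher priority wins
        return u if u.priority > m.priority else m
    return m                                 # page: equal priority -> multicast static route


def handle_packet(fwd: Dict[Tuple[str, str], FwdEntry], unicast, mstatic,
                  source: str, group: str, arrival_iface: str,
                  use_longest_match: bool = False) -> Tuple[str, object]:
    """Returns ("forward", outgoing interfaces) or ("drop", reason)."""
    entry = fwd.get((source, group))
    if entry is not None and entry.in_iface == arrival_iface:
        return "forward", list(entry.oifs)   # page step 1: (S,G) hit on incoming interface
    rpf = select_rpf_route(unicast, mstatic, source, use_longest_match)
    if rpf is None:
        return "drop", "no route back to the source"
    if rpf.iface != arrival_iface:
        return "drop", f"RPF check failed: RPF interface is {rpf.iface}, packet arrived on {arrival_iface}"
    # assumption: a passed check with no entry creates one; outgoing interfaces are
    # filled in later by the multicast routing protocol
    fwd[(source, group)] = FwdEntry(rpf.iface)
    return "forward", []


# Constructed tables: a /16 unicast route via one interface and a more specific
# multicast static route to the same source via another.
UNICAST = [RouteEntry("10.220.0.0/16", "vlan-int200", "192.168.5.2", 10, "unicast")]
MSTATIC = [RouteEntry("10.220.5.0/24", "vlan-int300", "192.168.3.2", 5, "mstatic")]
MSTATIC_EQ = [RouteEntry("10.220.5.0/24", "vlan-int300", "192.168.3.2", 10, "mstatic")]
SOURCE, GROUP = "10.220.5.100", "225.1.1.1"

if __name__ == "__main__":
    print("priority mode  :", select_rpf_route(UNICAST, MSTATIC, SOURCE).iface)
    print("longest-match  :", select_rpf_route(UNICAST, MSTATIC, SOURCE, True).iface)
    print("equal priority :", select_rpf_route(UNICAST, MSTATIC_EQ, SOURCE).iface)
    print(handle_packet({}, UNICAST, MSTATIC, SOURCE, GROUP, "vlan-int300"))
```

In priority mode the unicast route wins, so a packet arriving on vlan-int300 is dropped even though a static route points there; switching to longest match, or giving the static route equal priority, makes vlan-int300 the RPF interface, which is exactly the "changing an RPF route" use of a multicast static route.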
NOTE: Currently, Switch 8800s support multicast forwarding boundary configuration in VLAN interface view and POS interface view.

Configuring Multicast Forwarding Table Size

Too many multicast routing entries can exhaust the device's memory and thus result in lower device performance. Therefore, the number of multicast routing entries should be limited.

Configuration Examples
Network diagram
Figure 164 Network diagram for multicast route configuration (figure: an OSPF domain containing Switch A, Switch B, Switch C and Switch D; Switch C has Vlan-int200 192.168.5.1/24 toward the Receiver and Vlan-int300 192.168.3.1/24 toward Switch D's Vlan-int300 192.168.3.2/24; Switch D's Vlan-int100 10.110.1.2/24 faces Switch A's Vlan-int100 10.110.1.1/24; Source 2 10.220.5.100/24 is in the external network and Source 1 is at 10.110.5.
The configuration on Switch A, Switch B and Switch D is similar to the configuration on Switch C. The specific configuration steps are omitted here.
3 Configure a multicast static route
# Configure a multicast static route on Switch C, specifying Switch D as its RPF neighbor on the route to Source 2.
[SwitchC] ip rpf-route-static 10.220.5.0 255.255.255.0 192.168.3.
Troubleshooting Multicast Routing and Forwarding

Solution
1 Use the display multicast routing-table static config command to view the detailed configuration of multicast static routes, and verify that the multicast static route has been correctly configured and the route entry exists.
39 IPV6 MULTICAST ROUTING AND FORWARDING CONFIGURATION

When configuring IPv6 multicast routing and forwarding, go to the following sections for information you are interested in:
■ "IPv6 Multicast Routing and Forwarding Overview" on page 515
■ "Configuring IPv6 Multicast Routing and Forwarding" on page 518
■ "Displaying and Maintaining IPv6 Multicast Routing and Forwarding" on page 520
■ "Troubleshooting IPv6 Multicast Policy Configuration" on page 521

NOTE:
■ The term "router" in this document ref
CHAPTER 39: IPV6 MULTICAST ROUTING AND FORWARDING CONFIGURATION

The RPF mechanism enables routers to correctly forward IPv6 multicast packets based on the multicast route configuration. In addition, the RPF mechanism also helps avoid data loops caused by various reasons.
■ For a packet traveling along the shortest path tree (SPT) from the multicast source to the receivers or the source-based tree from the multicast source to the rendezvous point (RP), "packet source" means the multicast source.
■ For a packet traveling along the rendezvous point tree (RPT) from the RP to the receivers, "packet source" means the RP.
■ For a bootstrap message from the bootstrap device (BSR), "packet source" means the BSR.

Configuration Task List
Task / Remarks:
■ "Configuring an IPv6 Multicast Forwarding Range" on page 518 (Optional)
■ "Configuring the IPv6 Multicast Forwarding Table Size" on page 519 (Optional)

Configuring IPv6 Multicast Routing and Forwarding

Enabling IPv6 Multicast Routing

Configuration Prerequisites
Before configuring any Layer 3 IPv6 multicast functionality, you must enable IPv6 multicast routing. Follow these steps to enable IPv6 multicast routing:
Configuring an IPv6 Multicast Forwarding Range
You can define an IPv6 multicast forwarding range by specifying boundary interfaces, which together enclose an IPv6 multicast forwarding area. The forwarding boundary for a given range of IPv6 multicast groups can be configured on any interface that supports IPv6 multicast forwarding; multicast traffic for groups in that range is confined to the area inside the boundary.
To do... | Use the command... | Remarks
Configure the maximum number of routing entries in the IPv6 multicast forwarding table | multicast ipv6 forwarding-table route-limit limit | Optional

Displaying and Maintaining IPv6 Multicast Routing and Forwarding
To do... | Use the command...
Troubleshooting IPv6 Multicast Policy Configuration To do... Use the command...
40 IGMP CONFIGURATION
When configuring IGMP, go to the following sections for the information you are interested in:
■ “IGMP Overview” on page 523
■ “Configuring IGMP” on page 527
■ “Configuring Basic Functions of IGMP” on page 528
■ “Configuring IGMP Performance Parameters” on page 530
■ “Displaying and Maintaining IGMP” on page 534
■ “IGMP Configuration Examples” on page 534
■ “Troubleshooting IGMP” on page 536
The term "router" in this document refers to a
IGMP Overview
IGMP Versions
CHAPTER 40: IGMP CONFIGURATION
For more information about the DR, refer to “PIM Configuration” on page 563.
Figure 166 Joining multicast groups (Router A, the DR, and Router B share an Ethernet segment with Host A (G2), Host B (G1) and Host C (G1); Query and Report messages are exchanged on the segment)
Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure 166.
IGMPv1 does not define a Leave Group message. A host that leaves a multicast group simply stops sending reports destined to that group address. When no member of the group remains on the subnet, the IGMP routers no longer receive reports for that group, and they delete the multicast forwarding entries for that group after the membership times out.
Enhancements in IGMPv3
Enhancements in the control capability of hosts
In addition to group-specific queries, IGMPv3 introduces source filtering modes (Include and Exclude), so that a host can not only join a designated multicast group but also specify the multicast sources from which it wants, or refuses, to receive data. When a host joins a multicast group:
■ If it needs to receive multicast data from specific sources like S1, S2, ...
■ A group-and-source-specific query carries a group address and one or more source addresses.
2 Reports containing multiple group records
Unlike an IGMPv1 or IGMPv2 report, an IGMPv3 report is destined to 224.0.0.22 (the all-IGMPv3-capable-routers address) and contains one or more group records. Each group record contains a multicast group address and a variable number of source addresses.
Configuring IGMP
■ If a feature is not configured on an interface in interface view, the global configuration made in IGMP view applies to that interface. If a feature is configured in both IGMP view and interface view, the interface view configuration takes precedence.
Configuring Basic Functions of IGMP
To do... | Use the command... | Description
Enter system view | system-view | -
Enter IGMP view | igmp | -
Configure an IGMP version globally | version version-number | Optional; IGMPv2 by default

Configuring an IGMP version for an interface
Follow these steps to configure an IGMP version on an interface:
To do... | Use the command...
case, IGMP messages are passed directly to the upper layer protocol whether or not they carry the Router-Alert option. To improve device performance, avoid unnecessary processing, and harden the protocol, you can configure the device to discard IGMP messages that do not carry the Router-Alert option. The IGMP specifications require every IGMP message to carry the Router-Alert option, so a message without it is malformed and can be dropped safely.
Configuring IGMP packet options globally
Follow these steps to configure IGMP packet options globally:
To do...
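To see what the Router-Alert check actually tests, the following added example (written for this edition, not code from the 3Com guide) parses a constructed IGMP packet: it walks the IPv4 option list for Router-Alert (option type 148, length 4, value 0), verifies the IP header and IGMP checksums, and decodes the group records of an IGMPv3 report addressed to 224.0.0.22, which also illustrates the report format described under "Reports containing multiple group records" earlier in this chapter. The addresses, group records and builder helpers are constructed for the example.

```python
"""Validate IGMP messages: Router-Alert option, checksums, IGMPv3 group records.

Added example; not code from the 3Com guide. Packets are constructed here
for illustration.
"""
import socket
import struct
from typing import List, Tuple

IGMP_PROTO = 2
ROUTER_ALERT = b"\x94\x04\x00\x00"   # option type 148, length 4, value 0
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE",
                4: "CHANGE_TO_EXCLUDE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
MSG_TYPES = {0x11: "query", 0x12: "v1_report", 0x16: "v2_report",
             0x17: "v2_leave", 0x22: "v3_report"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; data verified with its checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def has_router_alert(options: bytes) -> bool:
    """Walk the IPv4 option list (EOL/NOP are single bytes, the rest are TLV)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # end of option list
            return False
        if kind == 1:                               # no-operation
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False                            # truncated or malformed option
        if kind == 0x94 and options[i:i + 4] == ROUTER_ALERT:
            return True
        i += options[i + 1]
    return False


def parse_v3_report(igmp: bytes) -> List[Tuple[str, str, List[str]]]:
    """Decode the group records of an IGMPv3 membership report (type 0x22)."""
    (nrec,) = struct.unpack("!H", igmp[6:8])
    records, off = [], 8
    for _ in range(nrec):
        if off + 8 > len(igmp):
            raise ValueError("truncated group record")
        rtype, auxlen, nsrc = struct.unpack("!BBH", igmp[off:off + 4])
        group = socket.inet_ntoa(igmp[off + 4:off + 8])
        off, end = off + 8, off + 8 + 4 * nsrc
        if end + 4 * auxlen > len(igmp):
            raise ValueError("truncated source list")
        sources = [socket.inet_ntoa(igmp[i:i + 4]) for i in range(off, end, 4)]
        records.append((RECORD_TYPES.get(rtype, str(rtype)), group, sources))
        off = end + 4 * auxlen
    return records


def validate_igmp(packet: bytes, require_router_alert: bool = True):
    """Return (accepted, reason, decoded); decoded is None when the packet is rejected."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not an IPv4 packet", None
    ihl = (packet[0] & 0x0F) * 4
    (total,) = struct.unpack("!H", packet[2:4])
    if ihl < 20 or total < ihl + 8 or total > len(packet):
        return False, "bad length fields", None
    if packet[9] != IGMP_PROTO:
        return False, "not IGMP", None
    if inet_checksum(packet[:ihl]) != 0:
        return False, "bad IP header checksum", None
    if require_router_alert and not has_router_alert(packet[20:ihl]):
        return False, "no Router-Alert option", None
    igmp = packet[ihl:total]
    if inet_checksum(igmp) != 0:
        return False, "bad IGMP checksum", None
    try:
        body = parse_v3_report(igmp) if igmp[0] == 0x22 else socket.inet_ntoa(igmp[4:8])
    except ValueError as exc:
        return False, str(exc), None
    return True, "ok", {"type": MSG_TYPES.get(igmp[0], "unknown"),
                        "dst": socket.inet_ntoa(packet[16:20]), "body": body}


def build_igmpv3_report(records: List[Tuple[str, int, List[str]]]) -> bytes:
    """Constructed test data: records are (group, record_type, [sources])."""
    body = b""
    for group, rtype, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources), socket.inet_aton(group))
        body += b"".join(socket.inet_aton(s) for s in sources)
    msg = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_ipv4(src: str, dst: str, payload: bytes, router_alert: bool = True) -> bytes:
    """Minimal IPv4 header (TTL 1, protocol 2), optionally carrying Router-Alert."""
    options = ROUTER_ALERT if router_alert else b""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 1,
                      IGMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


# Constructed sample: INCLUDE {10.110.5.100} for 225.1.1.1, EXCLUDE {} (join all) for 225.1.1.2.
REPORT = build_igmpv3_report([("225.1.1.1", 1, ["10.110.5.100"]), ("225.1.1.2", 4, [])])
GOOD = build_ipv4("10.110.1.10", "224.0.0.22", REPORT)
NO_ALERT = build_ipv4("10.110.1.10", "224.0.0.22", REPORT, router_alert=False)

if __name__ == "__main__":
    for label, pkt in (("with Router-Alert", GOOD), ("without Router-Alert", NO_ALERT)):
        print(label, validate_igmp(pkt))
```

The option walker treats a malformed length as a rejection rather than skipping it, which is the safer default for a control-plane parser; with require_router_alert set to False the second packet is accepted, which is the lenient behaviour the paragraph above describes as the default.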
■ For IGMP general queries, you can configure the maximum response time, which fills their Max Response Time field.
■ For IGMP group-specific queries, the IGMP last-member query interval fills their Max Response Time field; that is, for group-specific queries the maximum response time equals the IGMP last-member query interval.
When multiple multicast routers exist on the same subnet, the IGMP querier is responsible for sending IGMP queries.
To do... | Use the command... | Description
Configure the other querier present interval | igmp timer other-querier-present interval | Optional; for the system default, see the note below
■ If not configured explicitly, the other querier present interval is [IGMP general query interval] × [IGMP robustness variable] + [maximum response time for IGMP general queries] / 2.
Configuring IGMP Fast Leave
To do... | Use the command... | Description
Enter system view | system-view | -
Enter POS interface view | interface interface-type interface-number | -
Enable IGMP fast leave | igmp fast-leave [ group-policy acl-number ] | Required; disabled by default
The IGMP fast leave feature takes effect only if the device is running IGMPv2 or IGMPv3.
Displaying and Maintaining IGMP
To do... | Use the command...
■ Switch A connects to N1 through Vlan-interface100, and to other devices in the PIM-DM network through Vlan-interface101.
■ Switch B and Switch C connect to N2 through their respective Vlan-interface200, and to other devices in the PIM-DM network through Vlan-interface201 and Vlan-interface202 respectively.
■ IGMPv2 is required between Switch A and N1. IGMPv2 is also required between the other two switches and N2, with Switch B as the IGMP querier.
system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] igmp version 2
[SwitchA-Vlan-interface100] pim dm
[SwitchA-Vlan-interface100] quit
# Enable IP multicast routing on Switch B, and enable IGMP (version 2) and PIM-DM on Vlan-interface200.
Analysis
■ Correct cabling and interface connections are a precondition for building group membership information.
■ Multicast routing must be enabled on the device.
■ If the igmp group-policy command has been configured on the POS interface, the interface discards report messages that fail the policy filter.
Solution
1 Check that the network topology and interface connections are correct.
2 Check that multicast routing is enabled.
3 Use the display igmp interface command to check whether the devices are running the same version of IGMP.
41 IGMP SNOOPING CONFIGURATION
When configuring IGMP Snooping, go to the following sections for the information you are interested in:
■ “IGMP Snooping Overview” on page 539
■ “Configuring Basic Functions of IGMP Snooping” on page 544
■ “Configuring IGMP Snooping Port Functions” on page 546
■ “Configuring IGMP-Related Functions” on page 549
■ “Configuring a Multicast Group Policy” on page 552
■ “Displaying and Maintaining IGMP Snooping” on pa
IGMP Snooping Overview
Principle of IGMP Snooping
CHAPTER 41: IGMP SNOOPING CONFIGURATION
Figure 169 Before and after IGMP Snooping is enabled on a Layer 2 device (left: multicast packet transmission without IGMP Snooping; right: multicast packet transmission when IGMP Snooping runs; each side shows a source, a multicast router, a Layer 2 switch, and Hosts A, B and C, of which Host A and Host C are receivers)
Basic Concepts in IGMP Snooping
IGMP Snooping related ports
As shown in Figure 170, Router A connects
and Ethernet 1/0 of Switch B are router ports. A switch registers all its local router ports in its router port list.
■ Member port: Also known as a listener port, a member port is a port on the multicast group member side of the Ethernet switch. In the figure, Ethernet 1/1/1 and Ethernet 1/1/2 of Switch A and Ethernet 1/1/1 of Switch B are member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
■ Upon receiving an IGMP query, a host that is a member of a multicast group responds with an IGMP report.
■ When it intends to join a multicast group, a host sends an IGMP report to the multicast router to announce its interest in the multicast traffic addressed to that group.
exist under the port: the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires.
Processing of Multicast Protocol Messages
An IGMP Snooping-capable switch processes multicast protocol messages differently depending on what else is enabled on it:
1 If only IGMP is enabled, or both IGMP and PIM are enabled on the switch, the switch handles multicast protocol messages in the normal way.
IGMP Snooping Configuration Task List
Task | Remarks
“Configuring IGMP-Related Functions” on page 549
    “Configuring Port Aging Timers” on page 549 | Optional
    “Enabling IGMP Snooping Querier” on page 550 | Optional
    “Configuring IGMP Timers” on page 550 | Optional
    “Configuring Source IP Address of IGMP Queries” on page 551 | Optional
“Configuring a Multicast Group Policy” on page 552
    “Configuring a Multicast Group Filter” on page 552 | Optional
    “Configuring Maximum Multicast Groups that Can Be Joi
Configuring Basic Functions of IGMP Snooping
To do... | Use the command... | Remarks
Enable IGMP Snooping globally and enter IGMP Snooping view | igmp-snooping | Required; disabled by default
Return to system view | quit | -
Enter VLAN view | vlan vlan-id | -
Enable IGMP Snooping in the VLAN | igmp-snooping enable | Required; disabled by default
■ IGMP Snooping must be enabled globally before it can be enabled in a VLAN.
Configuring the Version of IGMP Snooping
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter IGMP Snooping view | igmp-snooping | -
Enable dropping of unknown multicast data | drop-unknown | Required; disabled by default
A Switch 8800 still forwards unknown multicast data to the other router ports in the VLAN even when it is configured to drop unknown multicast data.
Configuring IGMP Snooping Port Functions To do... Use the command...
To do... | Use the command... | Remarks
Configure simulated (*, G) or (S, G) joining | igmp-snooping host-join group-address [ source-ip source-address ] vlan vlan-id | Required; disabled by default
■ Each simulated host is equivalent to an independent host. For example, when an IGMP query is received, the simulated host corresponding to each configuration responds separately.
Enabling the Fast Leave Feature
to the port and interested in the same multicast group will fail to receive multicast data for that group.
Configuring IGMP-Related Functions
Configuring Port Aging Timers
If the switch receives neither an IGMP general query nor a PIM hello message on a router port before that port's aging timer expires, it deletes the port from the router port list when the timer expires.
■ Source address of IGMP general queries
■ Source address of IGMP group-specific queries
■ Whether to enable IGMP report suppression
Enabling IGMP Snooping Querier
In an IP multicast network running IGMP, a Layer 3 multicast device acts as the IGMP querier. It periodically sends IGMP queries so that all Layer 3 multicast devices can create and maintain multicast forwarding entries at the network layer, and thus forward multicast traffic correctly at the
group-specific queries, the maximum response time equals the IGMP last-member query interval.
Configuring IGMP timers globally
Follow these steps to configure IGMP timers globally:
To do... | Use the command...
To do... | Use the command... | Remarks
Configure the source IP address of IGMP group-specific queries | igmp-snooping special-query source-ip { current-interface | ip-address } | Optional; 0.0.0.0 by default
CAUTION: The source address of IGMP query messages may affect IGMP querier election within the segment. IGMPv2 routers elect the router with the lowest query source address as the querier, so queries sent from 0.0.0.0, or from an address lower than the real router's, may cause that router to stop sending queries.
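The caution applies because of how IGMPv2 querier election works: every router starts out as querier, steps down when it hears a general query from a lower source address, and only resumes when the other querier present interval (by default, general query interval × robustness variable + maximum response time / 2, as given under "Configuring IGMP Performance Parameters" in the IGMP chapter) expires without another such query. The added example below (written for this edition, not code from the 3Com guide) simulates both outcomes on a constructed segment with two routers and one snooping querier: one run with the switch left at the 0.0.0.0 default, and one with the switch given a high source address and the real querier failing part-way through. Names, addresses, timers and failure time are constructed.

```python
"""IGMPv2 querier election on one segment, with the other-querier-present timer.

Added example; not code from the 3Com guide. The segment, addresses and
timings are constructed. The model applies the IGMPv2 rule that the lowest
query source address wins, with 0.0.0.0 sorting below every real address.
"""
import ipaddress
from typing import List, Optional, Tuple


def other_querier_present_interval(query_interval: int, robustness: int,
                                   max_response: int) -> float:
    """Default from the guide: interval x robustness + max response time / 2."""
    return query_interval * robustness + max_response / 2


class IgmpNode:
    """A router or snooping querier that sends general queries from `source`."""

    def __init__(self, name: str, source: str, query_interval: int = 125,
                 robustness: int = 2, max_response: int = 10,
                 fails_at: Optional[int] = None):
        self.name, self.source = name, source
        self.key = int(ipaddress.ip_address(source))
        self.query_interval = query_interval
        self.oqpi = other_querier_present_interval(query_interval, robustness, max_response)
        self.fails_at = fails_at        # second at which this node stops sending (constructed)
        self.querier = True             # every node starts out assuming it is the querier
        self.other_expires: Optional[float] = None
        self.next_query = 0

    def alive(self, now: int) -> bool:
        return self.fails_at is None or now < self.fails_at

    def expire(self, now: int) -> None:
        """Resume the querier role once no lower-addressed querier has been heard."""
        if not self.querier and self.other_expires is not None and now >= self.other_expires:
            self.querier, self.other_expires, self.next_query = True, None, now

    def receive_query(self, now: int, from_key: int) -> None:
        if from_key < self.key:         # lower address wins: step down, (re)start the timer
            self.querier = False
            self.other_expires = now + self.oqpi

    def maybe_send(self, now: int) -> bool:
        if self.alive(now) and self.querier and now >= self.next_query:
            self.next_query = now + self.query_interval
            return True
        return False


def run(nodes: List[IgmpNode], seconds: int) -> List[Tuple[int, str]]:
    """Simulate one second at a time; return (time, sender) for every general query."""
    events = []
    for now in range(seconds):
        for n in nodes:
            n.expire(now)
        for n in nodes:
            if n.maybe_send(now):
                events.append((now, n.name))
                for other in nodes:
                    if other is not n and other.alive(now):
                        other.receive_query(now, n.key)
    return events


def scenario_default_source() -> List[IgmpNode]:
    """Snooping querier left at the 0.0.0.0 default beside two real routers."""
    return [IgmpNode("R1", "192.168.1.1"), IgmpNode("R2", "192.168.1.2"),
            IgmpNode("SwitchA", "0.0.0.0")]


def scenario_failover() -> List[IgmpNode]:
    """Switch given a high address: R1 wins, fails at t=300, and R2 takes over."""
    return [IgmpNode("R1", "192.168.1.1", fails_at=300), IgmpNode("R2", "192.168.1.2"),
            IgmpNode("SwitchA", "192.168.1.254")]


if __name__ == "__main__":
    for label, nodes in (("default source", scenario_default_source()),
                         ("failover", scenario_failover())):
        print(label, run(nodes, 700))
```

In the first run the switch wins the election outright and both routers go silent, which is the effect the caution warns about; in the second the switch never sends a query, and R2 takes over only after the 255-second other querier present interval has elapsed since R1's last query.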
the report against the ACL rule configured on the receiving port. If the receiving port is allowed to join this multicast group, the switch adds the port to the IGMP Snooping multicast group list; otherwise it drops the report. Multicast data for a group that fails the ACL check is not sent to the port. In this way, the service provider can control which VOD programs are delivered to multicast users.
■ When the number of multicast groups a port has joined reaches the configured maximum, the system deletes the port from all related IGMP Snooping forwarding entries, and hosts on the port must join the multicast groups again.
Configuring Multicast Group Replacement
CAUTION: Be sure to configure the maximum number of multicast groups allowed on a port to be in the range of 1 to 511 before configuring multicast group replacement. Otherwise, multicast group replacement does not take effect.
Displaying and Maintaining IGMP Snooping
To do... | Use the command...
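The multicast group filter, the per-port group limit and the replacement rule above combine into one decision per received report. The added example below (written for this edition, not code from the 3Com guide) models that decision: a basic ACL with wildcard-mask rules in the style of rule permit source 225.1.1.0 0.0.0.255, a per-port limit, and replacement that is honoured only when the limit lies within 1 to 511, as the caution requires. Port names, the ACL number and the group addresses are constructed; first-match rule evaluation, default deny for groups no rule matches, refusing a join at the limit when replacement is off, and evicting the earliest-joined group when it is on are assumptions of the model, not documented Switch 8800 behaviour.

```python
"""IGMP Snooping port-side group policy: ACL filter, group limit, group replacement.

Added example; not code from the 3Com guide. ACL rules use the basic-ACL
wildcard convention (set bits in the wildcard are "don't care"). Default
deny for unmatched groups, refusing a join when the limit is reached with
replacement off, and evicting the earliest-joined group with replacement
on are assumptions of this model.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


class BasicAcl:
    """Numbered basic ACL: rules `permit|deny source <addr> <wildcard>`, first match wins."""

    def __init__(self, number: int):
        self.number = number
        self.rules: List[Tuple[str, int, int]] = []

    def rule(self, action: str, source: str, wildcard: str = "0.0.0.0") -> "BasicAcl":
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rules.append((action, _i(source), _i(wildcard)))
        return self

    def permits(self, addr: str) -> bool:
        a = _i(addr)
        for action, src, wild in self.rules:
            if ((a ^ src) & ~wild & 0xFFFFFFFF) == 0:
                return action == "permit"
        return False                        # no rule matched: deny (assumption)


class SnoopingPort:
    """One member-side port with an optional group policy and group limit."""

    def __init__(self, name: str, acl: Optional[BasicAcl] = None,
                 max_groups: Optional[int] = None, replace: bool = False):
        self.name, self.acl, self.max_groups = name, acl, max_groups
        # Per the guide's caution, replacement only takes effect with a limit of 1..511.
        self.replace = replace and max_groups is not None and 1 <= max_groups <= 511
        self.groups: List[str] = []         # in join order

    def join(self, group: str) -> str:
        """Process an IGMP report for `group` and say what the switch did with it."""
        if self.acl is not None and not self.acl.permits(group):
            return "dropped: denied by acl %d" % self.acl.number
        if group in self.groups:
            return "refreshed"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if not self.replace:
                return "dropped: group limit %d reached" % self.max_groups
            victim = self.groups.pop(0)
            self.groups.append(group)
            return "joined, replaced %s" % victim
        self.groups.append(group)
        return "joined"


class SnoopingSwitch:
    def __init__(self, ports: List[SnoopingPort]):
        self.ports = {p.name: p for p in ports}

    def forward(self, group: str) -> List[str]:
        """Ports that receive data for `group`: joined and still permitted by the port ACL."""
        return [p.name for p in self.ports.values()
                if group in p.groups and (p.acl is None or p.acl.permits(group))]


# Constructed policy: the 225.1.1.0/24 VOD range is allowed, except 225.1.1.5.
VOD_ACL = BasicAcl(2000).rule("deny", "225.1.1.5").rule("permit", "225.1.1.0", "0.0.0.255")
JOINS = ("225.1.1.1", "225.1.1.5", "239.0.0.1", "225.1.1.2", "225.1.1.3")


def demo() -> Tuple[SnoopingSwitch, Dict[str, List[str]]]:
    """Replay the same five reports on a port with replacement and one without."""
    sw = SnoopingSwitch([SnoopingPort("Eth1/1/2", acl=VOD_ACL, max_groups=2, replace=True),
                         SnoopingPort("Eth1/1/3", acl=VOD_ACL, max_groups=2)])
    return sw, {name: [port.join(g) for g in JOINS] for name, port in sw.ports.items()}


if __name__ == "__main__":
    switch, outcomes = demo()
    for port, results in outcomes.items():
        print(port, results)
    print("data for 225.1.1.1 goes to", switch.forward("225.1.1.1"))
```

The third report (239.0.0.1) is dropped by the default deny even though no rule names it, which is the property that makes the filter usable as an access control: a group outside the permitted range cannot be joined by adding a new address the operator never considered.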
Network diagram
Figure 171 Network diagram for simulated joining configuration (the Source at 1.1.1.1/24 connects to Router A, the IGMP querier, on Eth1/1/2 1.1.1.2/24; Router A Eth1/1/1 10.1.1.1/24 connects to Switch A Eth1/1/1; Switch A Eth1/1/2, Eth1/1/3 and Eth1/1/4 lead to Host A, Host B and Host C, the receivers)
Configuration procedure
1 Configure the IP address of each interface
Configure an IP address and subnet mask for each interface as per Figure 171.
# Assign Ethernet1/1/1 through Ethernet1/1/4 to this VLAN.
[SwitchA-vlan100] port ethernet 1/1/1 to ethernet 1/1/4
[SwitchA-vlan100] quit
# Enable IGMP Snooping in VLAN 100 and set the version to 3.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] igmp-snooping version 3
[SwitchA-vlan100] quit
# Enable simulated (S, G) joining on Ethernet 1/1/2 and Ethernet 1/1/3 respectively.
Configuration procedure
1 Configure switch A.
# Enable IGMP Snooping globally.
system-view
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
# Create VLAN 100 and add Ethernet1/1/1 and Ethernet1/1/3 to VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] port ethernet 1/1/1
[SwitchA-vlan100] port ethernet 1/1/3
# Enable IGMP Snooping in VLAN 100 and enable the IGMP Snooping querier feature.
■ No multicast protocol runs on Router B, so perform the following configuration to make Switch A forward all received multicast data to Router B.
Network diagram
Figure 173 Network diagram for static router port configuration (the Source at 1.1.1.1/24 connects to Router A on Eth1/1/2 1.1.1.2/24; Router A Eth1/1/1 leads toward Switch A; Router B connects Switch A to the Internet)
[SwitchA-vlan100] port ethernet 1/1/1 to ethernet 1/1/4
[SwitchA-vlan100] quit
# Enable IGMP Snooping in VLAN 100 and configure the version as 2.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] igmp-snooping version 2
[SwitchA-vlan100] quit
# Configure Ethernet1/1/3 as a static router port.
Solution
1 Use the display acl command to check the configured ACL rule. Make sure that the ACL rule matches the multicast group policy you intend to implement.
2 Use the display this command in IGMP Snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied. If not, use the group-policy or igmp-snooping group-policy command to apply the correct multicast group policy.
42 PIM CONFIGURATION
When configuring PIM, go to these sections for the information you are interested in:
■ “PIM Overview” on page 563
■ “Configuring PIM-DM” on page 575
■ “Configuring PIM-SM” on page 577
■ “Configuring PIM-SSM” on page 586
■ “Configuring PIM Common Information” on page 587
■ “Displaying and Maintaining PIM” on page 592
■ “PIM Configuration Examples” on page 593
■ “Troubleshooting PIM Configuration” on page 604
The term "router" in this document refers to a r
PIM Overview
CHAPTER 42: PIM CONFIGURATION
Introduction to PIM-DM
PIM-DM is a dense mode multicast protocol. It uses a "push" model for multicast forwarding and suits small networks with densely distributed multicast members. The basic operation of PIM-DM is as follows:
■ PIM-DM assumes that at least one multicast group member exists on each subnet of the network, and therefore floods multicast data to all nodes in the network.
■ An (S, G) entry contains the multicast source address S, the multicast group address G, the outgoing interface list, and the incoming interface.
■ For a given multicast stream, the interface that receives the stream is referred to as "upstream", and the interfaces that forward the stream are referred to as "downstream".
A prune process is first initiated by a leaf router.
Assert
If multiple multicast routers exist on a multi-access subnet, duplicate packets may be forwarded onto that subnet. To shut off the duplicate flows, the assert mechanism elects a single multicast forwarder for the multi-access network.
forwarding is to build and maintain rendezvous point trees (RPTs). An RPT is rooted at a router in the PIM domain that serves as the common node, the rendezvous point (RP); multicast data travels through the RP and along the RPT to the receivers.
How PIM-SM Works
■ When a receiver is interested in the multicast data addressed to a specific multicast group, the router connected to this receiver sends a join message to the RP corresponding to that multicast group.
■ IGMP must be enabled on a device that acts as a DR before receivers attached to this device can join multicast groups through this DR. For details about IGMP, refer to “IGMP Configuration” on page 523.
Figure 176 DR election (a source-side Ethernet and a receiver-side Ethernet each elect a DR; routers exchange hello messages, the source-side DR sends register messages to the RP, and the receiver-side DR sends join messages toward the RP)
As shown in Figure 176, the DR election process is as follows:
1 Routers on the multi-access network send hello messages to one another.
A PIM-SM domain (or an administratively scoped region) can have only one BSR but multiple candidate-BSRs (C-BSRs). If the BSR fails, a new BSR is elected automatically from the C-BSRs through the bootstrap mechanism, avoiding service interruption. Similarly, multiple C-RPs can be configured in a PIM-SM domain, and the RP serving each multicast group is calculated through the BSR mechanism.
As shown in Figure 178, Host B and Host C are receivers of multicast data. The process of building an RPT is as follows:
1 When a receiver joins a multicast group G, it uses an IGMP message to inform the directly connected DR.
2 Upon getting the receiver information, the DR sends a join message, which is forwarded hop by hop to the RP corresponding to the multicast group.
3 The routers along the path from the DR to the RP form an RPT branch.
receiving the multicast packet, encapsulates the packet in a PIM register message, and sends the message to the corresponding RP by unicast.
2 When the RP receives the register message, it extracts the multicast packet from the register message and forwards it down the RPT, and at the same time sends an (S, G) join message hop by hop toward the multicast source.
Relationship between BSR admin-scope regions and the global scope zone
The relationship between the global scope zone and BSR admin-scope regions can be understood in two aspects: geographical space and group address range.
1 Geographical space
BSR admin-scope regions are logical regions specific to particular multicast groups, and each BSR admin-scope region must be geographically separate from the others, as shown in Figure 180.
Figure 181 Relationship between BSR admin-scope regions and the global scope zone in group address ranges (BSR 1 serves the G1 address range, BSR 2 the G2 range and BSR 3 the G3 range; the global scope zone serves the remaining addresses, G minus G1 minus G2)
In Figure 181, the group address ranges of admin-scope regions BSR1 and BSR2 have no intersection, whereas the group address range of BSR3 is a subset of the address range of BSR1.
need for the Multicast Source Discovery Protocol (MSDP) to discover sources in other PIM domains. Compared with the ASM model, the SSM model needs only IGMPv3 and a subset of PIM-SM. The operation of PIM-SSM can be summarized as follows:
■ Neighbor discovery
■ DR election
■ SPT building
Neighbor discovery
PIM-SSM uses the same neighbor discovery mechanism as PIM-DM and PIM-SM.
■ If so, the DR sends a subscribe message for channel subscription hop by hop toward the multicast source S. An (Include S, G) entry is created on every router on the path from the DR to the source. Thus an SPT is built in the network, with the source S as its root and the receivers as its leaves. This SPT is the transmission channel in PIM-SSM.
Protocols and Standards
Configuring PIM-DM
■ TTL value of state refresh messages
■ Graft retry period
Enabling PIM-DM
With PIM-DM enabled, a device sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors. When deploying a PIM-DM domain, you are recommended to enable PIM-DM on all interfaces of non-border devices (border devices are PIM-enabled routers or PIM-enabled switches located on the boundary of BSR admin-scope regions).
will accept a new state refresh message, refresh its own PIM state, and reset the waiting timer. The TTL value of a state refresh message is decremented by 1 at each device before the message is forwarded to the downstream node, until the TTL reaches 0. In a small network a state refresh message may cycle through the network, so to control the propagation scope of state refresh messages, configure a TTL value appropriate to the network size.
Configuring PIM-SM
Task | Remarks
“Enabling PIM-SM” on page 579 | Required
“Configuring a BSR” on page 579
    “Performing basic C-BSR configuration” on page 579 | Optional
    “Configuring a global-scope C-BSR” on page 580 | Optional
    “Configuring an admin-scope C-BSR” on page 581 | Optional
    “Configuring a BSR admin-scope region boundary” on page 581 | Optional
    “Configuring global C-BSR parameters” on page 582 | Optional
“Configuring a C-RP” on page 583 | Optional
“
Enabling PIM-SM
With PIM-SM enabled, a device sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors. When deploying a PIM-SM domain, you are recommended to enable PIM-SM on all interfaces of non-border devices (border devices are PIM-enabled routers or PIM-enabled switches located on the boundary of BSR admin-scope regions). Follow these steps to enable PIM-SM:
To do... | Use the command...
message. The C-BSR with the higher priority wins. If the priorities tie, the C-BSR with the higher IP address wins. The loser replaces its own BSR address with the winner's and no longer considers itself the BSR, while the winner keeps its own BSR address and continues to act as the BSR. Note that the election itself is not authenticated: any device that can inject bootstrap messages into the domain with a higher priority, or a higher address, wins it and thereby decides the RP-Set the whole domain uses, so confine bootstrap messages with BSR admin-scope region boundaries at the edge of the domain.
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter PIM view | pim | -
Configure a global-scope C-BSR | c-bsr global [ hash-length hash-length | priority priority ]* | Required; no global-scope C-BSRs by default
Configuring an admin-scope C-BSR
By default, a PIM-SM domain has only one BSR, and the entire network is managed by this one BSR.
To do... | Use the command... | Remarks
Enter VLAN/POS interface view | interface interface-type interface-number | -
Configure a BSR admin-scope region boundary | pim bsr-boundary | Required; no BSR admin-scope region boundary by default
Configuring global C-BSR parameters
The BSR election winner advertises its own IP address and the RP-Set information throughout the region it serves by means of bootstrap messages.
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter PIM view | pim | -
Configure a static RP | static-rp rp-address [ acl-number ] [ preferred ] | Optional; no static RP by default
Configuring a C-RP
In a PIM-SM domain, you can configure the devices that are intended to become the RP as C-RPs.
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter PIM view | pim | -
Enable auto-RP | auto-rp enable | Optional; disabled by default
Configuring C-RP timers
To enable the BSR to distribute the RP-Set information within the PIM-SM domain, C-RPs must periodically send C-RP-Adv messages to the BSR.
multicast group), or when the RP formally starts receiving multicast data from the multicast source, the RP sends a register-stop message to the source-side DR. Upon receiving this message, the DR stops sending register messages that encapsulate multicast data and enters the register suppression state.
To do... | Use the command... | Remarks
Disable RPT-to-SPT switchover | spt-switch-threshold infinity [ group-policy acl-number [ order order-value ] ] | Optional; by default, the device switches to the SPT immediately after it receives the first multicast packet along the RPT
To avoid forwarding failures, do not disable RPT-to-SPT switchover on a switch that may become an RP (namely, a static RP or a C-RP).
CAUTION:
■ All the interfaces of the same router must work in the same PIM mode.
■ After PIM-SM is enabled on a VLAN interface, IGMP Snooping cannot be enabled in the VLAN corresponding to that VLAN interface, and vice versa.
Configuring the SSM Group Range
Configuring PIM Common Information
Task | Remarks
“Configuring Join/Prune Message Limits” on page 592 | Optional
Configuration Prerequisites
Before configuring PIM common information, complete the following tasks:
■ Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Configuring PIM Hello Options
Whether in a PIM-DM domain or a PIM-SM domain, the hello messages exchanged among devices carry several configurable options, including:
■ DR_Priority (PIM-SM only): the priority for DR election. The device with the highest priority wins the DR election. You can configure this parameter on all devices in a multi-access network that is directly connected to multicast sources or receivers.
A PIM device periodically sends join/prune messages to its upstream neighbor to refresh state. A join/prune message carries the join/prune timeout time. The upstream device runs a join/prune timeout timer for each pruned downstream interface, and restores the pruned interface to the forwarding state when this timer expires.
Configuring Join/Prune Message Limits
The larger a join/prune message, the more information is lost when that message is lost; with a smaller join/prune message size, the loss of a single message has a relatively minor impact. By limiting the maximum number of (S, G) entries in a join/prune message, you also reduce the number of (S, G) entries sent per unit of time.
PIM Configuration Examples To do... Use the command...
Network diagram
Figure 183 Network diagram for PIM-DM configuration (stub network N1, with receivers Host A and Host B, attaches to Switch A through Vlan-int100; Switch A, Switch B and Switch D are interconnected through Vlan-int101, Vlan-int102 and Vlan-int103; Switch B connects to its stub network through Vlan-int200)
# Enable IP multicast routing on Switch A, enable PIM-DM on each interface, and enable IGMPv3 on Vlan-interface 100, which connects Switch A to the stub network.
Neighbor      Interface  Uptime    Expires   Dr-Priority
192.168.1.1   Vlan103    00:02:22  00:01:27  1
192.168.2.1   Vlan101    00:00:22  00:01:29  3
192.168.3.1   Vlan102    00:00:23  00:01:31  5
Assume that Host A needs to receive the data addressed to multicast group G (225.1.1.1/24). After multicast source S (10.110.5.100/24) sends multicast packets to group G, an SPT is established through flooding and pruning.
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
2: Vlan-interface101
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
3: Vlan-interface102
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
Network requirements
■ Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network.
Device | Interface | IP address
Switch A | Vlan-int100 | 10.110.1.1/24
Switch A | Vlan-int101 | 192.168.1.1/24
Switch A | Vlan-int102 | 192.168.9.1/24
Switch B | Vlan-int200 | 10.110.2.1/24
Switch B | Vlan-int103 | 192.168.2.1/24
Switch C | Vlan-int200 | 10.110.2.2/24
Switch C | Vlan-int104 | 192.168.3.1/24
Switch C | Vlan-int105 | 192.168.4.
Switch D | Vlan-int300 | 10.110.5.1/24
Switch D | Vlan-int101 | 192.168.1.2/24
Switch D | Vlan-int105 | 192.168.4.2/24
Switch E | Vlan-int104 | 192.168.3.2/24
Switch E | Vlan-int103 | 192.168.2.2/24
Switch E | Vlan-int102 | 192.168.9.2/24
system-view
[SwitchE] acl number 2005
[SwitchE-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2005] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlan-interface 102
[SwitchE-pim] c-rp vlan-interface 102 group-policy 2005
[SwitchE-pim] return
4 Verify the configuration
Use the display pim interface command to view the PIM configuration and running status on each interface. For example:
# View the PIM configuration information on Switch A.
Priority: 0
HoldTime: 150
Advertisement Interval: 60
Next advertisement scheduled at: 00:00:48
To view the RP information discovered on a switch, use the display pim rp-info command. For example:
# View the RP information on Switch A.
display pim rp-info
Vpn-instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 225.1.1.0/24
RP: 192.168.9.
The information on Switch B and Switch C is similar to that on Switch A.
# View the PIM routing table information on Switch D.
display pim routing-table
Vpn-instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 225.1.1.1), RP: 192.168.9.2
Protocol: pim-sm, Flag: SPT LOC
UpTime: 00:00:42
Upstream interface: Vlan-interface300
Upstream neighbor: 10.110.5.100, RPF prime neighbor: 10.110.5.
Network diagram
Figure 185 Network diagram for PIM-SSM configuration (on switches) (receivers Host A and Host B in stub network N1 attach to Switch A through Vlan-int100; a further receiver attaches to Switch B through Vlan-int200; the Source attaches to Switch D through Vlan-int300; the switches are interconnected through Vlan-int101 to Vlan-int105, with Switch E in the middle)
# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and enable IGMPv3 on Vlan-interface 100, which connects Switch A to the stub network.
D for example) generates (S, G) entries, while Switch E, which is not on the SPT path, does not have multicast routing entries. You can use the display pim routing-table command to view the PIM routing table information on each switch. For example:
# View the PIM routing table information on Switch A.
display pim routing-table
Vpn-instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 232.1.1.
Troubleshooting PIM Configuration
a device, no matter which device it is, creates (S, G) entries only if it has a route to the multicast source. If the device does not have a route to the multicast source, or if PIM-DM is not enabled on the device's RPF interface to the multicast source, the device cannot create (S, G) entries.
■ When PIM-SM runs on the entire network, and when a device is to join the SPT, the device creates (S, G) entries only if it has a route to the multicast source.
Multicast Data Abnormally Terminated on an Intermediate Device
Symptom
An intermediate device can receive multicast data successfully, but the data cannot reach the last hop device. An interface on the intermediate device receives data but no corresponding (S, G) entry is created in the PIM routing table.
No Unicast Route Between BSR and C-RPs in PIM-SM
Symptom
C-RPs cannot unicast advertise messages to the BSR. The BSR does not advertise bootstrap messages containing C-RP information and has no unicast route to any C-RP. An RPT cannot be established correctly, or the DR cannot perform source register with the RP.
Analysis
■ The C-RPs periodically send C-RP-Adv messages to the BSR by unicast.
MSDP CONFIGURATION 43
When configuring MSDP, go to these sections for information you are interested in:
■ “MSDP Overview” on page 609
■ “Configuring Basic Functions of MSDP” on page 616
■ “Configuring an MSDP Peer Connection” on page 618
■ “Configuring SA Messages Related Parameters” on page 619
■ “Displaying and Maintaining MSDP” on page 622
■ “MSDP Configuration Examples” on page 623
■ “Troubleshooting MSDP” on page 635
■ The term "router" in this document refers to a router in a gen
CHAPTER 43: MSDP CONFIGURATION
How MSDP Works
■ MSDP is applicable only if the intra-domain multicast protocol is PIM-SM.
■ MSDP is meaningful only for the any-source multicast (ASM) model.
MSDP peers
As shown in Figure 186, an active multicast source (Source) exists in the domain PIM-SM 1, and RP 1 has learned the existence of Source through multicast source registration.
MSDP Overview
■ Intermediate MSDP peer: an MSDP peer with multiple remote MSDP peers, like RP 2 in Figure 186. An intermediate MSDP peer forwards SA messages received from one remote MSDP peer to other remote MSDP peers, functioning as a relay of multicast source information.
2 MSDP peers created on common multicast routers (other than RPs)
Router A and Router B are MSDP peers on common multicast routers. Such MSDP peers just forward received SA messages.
and sends the register message to RP 1. Then, RP 1 becomes aware of the information related to the multicast source.
2 As the source-side RP, RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer. An SA message contains the source address (S), the multicast group address (G), and the address of the RP which has created this SA message (namely RP 1).
Figure 188 Diagram for RPF check for SA messages
[Figure residue removed; the diagram shows Source, RP 1 through RP 9 in AS 1 through AS 5, a mesh group, MSDP peers, static RPF peers and the SA message path, with the forwarding steps numbered (1) through (7).]
As illustrated in Figure 188, these MSDP peers dispose of SA messages according to the following RPF check rules:
1 When RP 2 receives an SA message from RP 1
Because the source-side RP address carried in the SA message is the same as the MSDP peer address, wh
An EBGP route exists between two MSDP peers in different ASs. Because the SA message is from an MSDP peer (RP 7) in a different AS, and the MSDP peer is the next hop on the EBGP route to the source-side RP, RP 8 accepts the message and forwards it to its other peer (RP 9).
7 When RP 9 receives the SA message from RP 8
Because RP 9 has only one MSDP peer, RP 9 accepts the SA message.
MSDP Configuration Task List
from Source encapsulated in the SA message. When the SA message reaches RP 2, RP 2 decapsulates the message.
4 Receivers receive the multicast data along the RPT and directly join the SPT rooted at the multicast source. In this example, RP 2 forwards the multicast data down the RPT. When Receiver receives the multicast data from Source, it directly joins the SPT rooted at Source.
Task Remarks
“Configuring SA Messages Related Parameters” on page 619
  “Configuring SA Message Content” on page 620 Optional
  “Configuring SA Request Messages” on page 620 Optional
  “Configuring an SA Message Filtering Rule” on page 621 Optional
  “Configuring SA Message Cache” on page 622 Optional
Configuring Basic Functions of MSDP
Configuration Prerequisites
All the configuration tasks should be carried out on RPs in PIM-SM domains, and each of these RPs act
Configuring Basic Functions of MSDP
To do... Use the command... Remarks
Create an MSDP peer connection: peer peer-address connect-interface interface-type interface-number (Required; no MSDP peer connection is created by default)
If an interface of the device is shared by an MSDP peer and a BGP peer at the same time, it is recommended to configure the same IP address for the MSDP peer and the BGP peer.
Configuring a Static RPF Peer
Configuring static RPF peers avoids the RPF check of SA messages.
Configuring an MSDP Peer Connection
Configuration Prerequisites
Before configuring an MSDP peer connection, complete the following tasks:
■ Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Configuring SA Messages Related Parameters
Configuring MSDP Peer Connection Control
To do... Use the command... Remarks
Create an MSDP peer as a mesh group member: peer peer-address mesh-group name (Required; an MSDP peer does not belong to any mesh group by default)
CAUTION:
■ Before grouping multiple devices into an MSDP mesh group, make sure that these devices are interconnected with one another.
■ Make sure to configure the same mesh group name on each peer.
Configuring SA Message Content
■ ACL as an SA message creation rule
■ ACL as a filtering rule for receiving or forwarding SA messages
■ Minimum TTL value of multicast packets encapsulated in SA messages
■ Maximum SA message cache size
Some multicast sources send multicast data at an interval longer than the aging time of (S, G) entries.
Configuring an SA Message Filtering Rule
To do... Use the command...
Configuring SA Message Cache
To do... Use the command...
To do... Use the command... Remarks
Clear (S, G) entries in the MSDP cache: reset msdp sa-cache [ group-address ] (Available in user view)
Clear all statistics information of an MSDP peer: reset msdp statistics [ peer-address ] (Available in user view)
MSDP Configuration Examples
Network requirements
■ Two ISPs maintain their ASs, AS 100 and AS 200 respectively. OSPF is running within each AS, and BGP is running between the two ASs.
[Network diagram residue: interface addresses of Switch C, Switch D and Switch F (Loop0 1.1.1.1/32, 2.2.2.2/32 and 3.3.3.3/32, plus VLAN interfaces 100, 101, 102, 200, 300 and 400); the full device-to-interface address table cannot be recovered from the extraction.]
Configuration procedure
Only the commands related to the MSDP configuration leveraging a BGP route are listed in this example.
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchC-LoopBack0] pim sm
[SwitchC-LoopBack0] quit
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 0
[SwitchC-pim] c-rp loopback 0
[SwitchC-pim] quit
The configuration on Switch D and Switch F is similar to the configuration on Switch C.
4 Configure inter-AS BGP and configure mutual route redistribution between BGP and OSPF
# Configure EBGP on Switch C, and import OSPF routes.
[SwitchC] display bgp peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1    Peers in established state : 1
Peer          V  AS   MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down   State
192.168.1.2   4  200  24       21       0     6        00:13:09  Established
# View the information about BGP peering relationship on Switch D.
[SwitchD] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 200
Total number of peers : 2
Peer          V  AS   MsgRcvd  MsgSent
192.168.1.1   4  100  18       16
192.168.3.
# View the brief information about MSDP peering relationship on Switch D.
[SwitchD] display msdp brief
MSDP Peer Brief Information
Configured  Up  Listen  Connect  Shutdown  Down
2           2   0       0        0         0
Peer's Address  State  Up/Down time  AS   SA Count  Reset Count
192.168.3.2     Up     00:15:32      200  8         0
192.168.1.1     UP     00:06:39      100  13        0
# View the brief information about MSDP peering relationships on Switch F.
■ On Switch C and Switch F, the interface Loopback 1 is configured as a C-BSR, and Loopback 10 is configured as a C-RP.
■ The router ID of Switch C is 1.1.1.1, while the router ID of Switch F is 2.2.2.2.
Network diagram
Figure 191 Network diagram for anycast RP configuration
[Figure residue removed; the diagram shows Switch A, Switch B, Switch C and Switch F with Loopback 0, Loopback 1 and Loopback 10 interfaces, Source and Receiver hosts, and VLAN interfaces 100, 101, 102 and 200.]
# Enable IP multicast routing on Switch C, and enable PIM-SM on each interface.
RPF prime neighbor: 10.110.1.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlan-interface101
Protocol: pim-sm, UpTime: 00:10:20, Expires: 00:03:10
# View the PIM routing information on Switch F.
[SwitchF] display pim routing-table
Vpn-instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 225.1.1.1)
RP: 10.1.1.1
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:03:32
Upstream interface: Vlan-interface102
Upstream neighbor: 192.168.
Peer's Address  State  Up/Down time  AS  SA Count  Reset Count
2.2.2.2         Up     00:10:17      ?   0         0
# View the brief MSDP peer information on Switch F.
[SwitchF] display msdp brief
MSDP Peer Brief Information
Configured  Up  Listen  Connect  Shutdown  Down
1           1   0       0        0         0
Peer's Address  State  Up/Down time  AS  SA Count  Reset Count
1.1.1.1         Up     00:10:18      ?   0         0
Static RPF Peer Configuration Example
Network requirements
■ Two ISPs maintain their ASs, AS 100 and AS 200 respectively.
Network diagram
Figure 192 Network diagram for static RPF peer configuration
[Figure residue removed; the diagram shows AS 100 and AS 200 with PIM-SM domains PIM-SM 1, PIM-SM 2 and PIM-SM 3, Switch A through Switch G, Source 1 to Source 3, Receivers, Loopback 0 interfaces, VLAN interfaces 101 and 102, and the static RPF peers.]
Device Interface IP address
Switch D Vlan-int101 192.168.1.
Configure the IP address and subnet mask for each interface as per Figure 192. Detailed configuration steps are omitted.
2 Enable IP multicast routing, and enable PIM-SM on each interface
# Enable IP multicast routing on Switch C, and enable PIM-SM on each interface.
[SwitchC-msdp] static-rpf-peer 192.168.1.2 rp-policy list-df
[SwitchC-msdp] quit
# Configure Switch C as MSDP peer and static RPF peer of Switch D.
system-view
[SwitchD] ip ip-prefix list-c permit 192.168.0.0 16 greater-equal 16 less-equal 32
[SwitchD] msdp
[SwitchD-msdp] peer 192.168.1.1 connect-interface vlan-interface 101
[SwitchD-msdp] static-rpf-peer 192.168.3.
Configured  Up  Listen  Connect  Shutdown  Down
1           1   0       0        0         0
Peer's Address  State  Up/Down time  AS  SA Count  Reset Count
192.168.3.1     UP     00:16:40      ?   13        0
Troubleshooting MSDP
MSDP Peers Stay in Down State
Symptom
The configured MSDP peers stay in the down state.
Analysis
■ A TCP connection-based MSDP peering relationship is established between the local interface address and the MSDP peer after the configuration.
3 Check the configuration of the import-source command and its acl-number argument and make sure that the ACL rule can filter the appropriate (S, G) entries.
Inter-RP Communication Faults in Anycast RP Application
Symptom
RPs fail to exchange their locally registered (S, G) entries with one another in the Anycast RP application.
Analysis
■ In the Anycast RP application, RPs in the same PIM-SM domain are configured to be MSDP peers to achieve load balancing among the RPs.
MLD CONFIGURATION 44
The term "router" in this document refers to a router in a generic sense or a Switch 8800 running the MLD protocol.
CHAPTER 44: MLD CONFIGURATION ■ General query: an IPv6 multicast router or routing switch sends periodical general queries to determine what IPv6 multicast addresses have active listeners on the local subnet. ■ Multicast-address-specific query: an IPv6 multicast router or routing switch sends multicast-address-specific queries to determine whether any listeners for particular IPv6 multicast addresses exist on the local subnet.
MLD Overview
multicast data addressed to G2, as shown in Figure 193. The basic process by which the hosts join the IPv6 multicast groups is as follows:
1 The MLD querier (Router B in the figure) periodically multicasts MLD queries (with the destination address of FF02::1) to all hosts and routers on the local subnet.
2 Upon receiving a query message, Host B or Host C (whichever's delay timer expires first) sends an MLD report to the IPv6 multicast group address of G1, to announce its interest in G1.
Figure 194 Format of MLDv1 query message
Bits 0 to 7: Type = 130; bits 8 to 15: Code; bits 16 to 31: Checksum
Bits 0 to 15: Maximum Response Delay; bits 16 to 31: Reserved
Multicast Address (128 bits)
Table 29 describes the fields in Figure 194.
Table 29 Description on fields in an MLD query message
Field Description
Type Message type. 130 stands for query message; 131 stands for report message; 132 for leave group message.
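As an added illustration of the Figure 194 layout (this is example code written for this page, not code from the guide), the parser below decodes the 24-byte MLDv1 query body, rejects the wrong message type or a non-multicast queried address, and tells a general query (address ::) from a multicast-address-specific query as described at the start of this chapter. The builder constructs sample messages with a zero checksum, since the ICMPv6 checksum needs the IPv6 pseudo-header that this sample does not carry.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Type values from Table 29.
MLD_QUERY = 130
MLD_REPORT = 131
MLD_DONE = 132            # "leave group" message

QUERY_LEN = 24            # 8-byte fixed header + 128-bit multicast address
UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass
class MldQuery:
    type: int
    code: int
    checksum: int
    max_response_delay_ms: int          # Maximum Response Delay (milliseconds)
    multicast_address: ipaddress.IPv6Address

    @property
    def is_general_query(self) -> bool:
        # A general query carries the unspecified address; a
        # multicast-address-specific query names the group being queried.
        return self.multicast_address == UNSPECIFIED


def parse_mld_query(payload: bytes) -> MldQuery:
    """Parse the ICMPv6 body of an MLDv1 query laid out as in Figure 194.

    Raises ValueError for a truncated message, a non-query Type, or a
    queried address that is neither :: nor an IPv6 multicast address.
    """
    if len(payload) < QUERY_LEN:
        raise ValueError(f"MLDv1 query is {QUERY_LEN} bytes; got {len(payload)}")
    # Type(8) Code(8) Checksum(16) MaxRespDelay(16) Reserved(16), network order
    mtype, code, csum, mrd, _reserved = struct.unpack("!BBHHH", payload[:8])
    if mtype != MLD_QUERY:
        raise ValueError(f"not an MLD query (Type {mtype})")
    addr = ipaddress.IPv6Address(payload[8:QUERY_LEN])
    if addr != UNSPECIFIED and not addr.is_multicast:
        raise ValueError(f"queried address {addr} is not an IPv6 multicast address")
    return MldQuery(mtype, code, csum, mrd, addr)


def build_mld_query(max_response_delay_ms: int, group: str = "::") -> bytes:
    """Build a constructed MLDv1 query body (checksum left as zero)."""
    addr = ipaddress.IPv6Address(group)
    return struct.pack("!BBHHH", MLD_QUERY, 0, 0, max_response_delay_ms, 0) + addr.packed


if __name__ == "__main__":
    # Constructed sample: a general query with a 10-second maximum response delay,
    # and a group-specific query for a constructed group address.
    for raw in (build_mld_query(10000), build_mld_query(1000, "ff1e::101:101")):
        q = parse_mld_query(raw)
        kind = "general" if q.is_general_query else f"specific to {q.multicast_address}"
        print(f"MLD query, max response delay {q.max_response_delay_ms} ms, {kind}")
```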
Configuring Basic Functions of MLD
■ Configurations performed in MLD view are globally effective, while configurations performed in interface view are effective on the current interface only.
■ If no configuration is performed in interface view, the global configurations performed in MLD view will apply to that interface. Configurations performed in interface view take precedence over those performed in MLD view.
To do... Use the command... Remarks
Configure the MLD version globally: version version-number (Optional; MLDv1 by default)
Configure an MLD version on an interface
Follow these steps to configure the MLD version on an interface:
To do... Use the command...
Adjusting MLD Performance
By default, in consideration of compatibility, the device does not check the Router-Alert option, that is, it processes all received MLD messages. In this case, the device passes MLD messages to the upper layer protocol for processing, no matter whether the MLD messages contain the Router-Alert option.
CHAPTER 44: MLD CONFIGURATION 0, the host sends an MLD membership report message to the corresponding IPv6 multicast group. Proper setting of the maximum response delay of MLD query messages not only allows hosts to respond to MLD query messages quickly, but also avoids bursts of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when corresponding timers expire simultaneously.
Displaying and Maintaining MLD Configuration
To do... Use the command...
CHAPTER 44: MLD CONFIGURATION MLD Configuration Example Network requirements ■ Receivers receive VOD information in the multicast mode. Receivers of different organizations form stub networks N1 and N2, and Host A and Host C are multicast receivers in N1 and N2 respectively. ■ Switch A in the IPv6 PIM network connects to N1, and Switch B and Switch C connect to N2. ■ Switch A connects to N1 through VLAN-interface 100, and to other devices in the IPv6 PIM-DM network through VLAN-interface 101.
Troubleshooting MLD
The detailed configuration steps are omitted here.
2 Enable the IPv6 multicast routing and enable MLD on the host interfaces.
# Enable IPv6 multicast routing on Switch A, enable MLD and IPv6 PIM-DM on VLAN-interface 100, and set the MLD version number to 1.
CHAPTER 44: MLD CONFIGURATION Analysis ■ The correctness of networking and interface connections directly affects the generation of IPv6 group member information. ■ IPv6 multicast routing must be enabled on the device. Solution 1 Check that the networking is correct and that interface connections are correct. 2 Check that the IPv6 multicast routing is enabled. Carry out the display current-configuration command to check whether the multicast ipv6 routing-enable command has been executed.
MLD SNOOPING CONFIGURATION 45
When configuring MLD Snooping, go to these sections for information you are interested in:
■ “MLD Snooping Overview” on page 649
■ “MLD Snooping Configuration Task List” on page 653
■ “Displaying and Maintaining MLD Snooping” on page 664
■ “MLD Snooping Configuration Examples” on page 664
■ “Troubleshooting MLD Snooping” on page 669
For details about MLD and IPv6 PIM, refer to “MLD Configuration” on page 637 and “IPv
CHAPTER 45: MLD SNOOPING CONFIGURATION
Figure 196 Before and after MLD Snooping is enabled on a Layer 2 device
[Figure residue removed; the two panels, "IPv6 multicast packet transmission without MLD Snooping" and "IPv6 multicast packet transmission when MLD Snooping runs", each show a Source, a Multicast router, a Layer 2 switch and Host A, Host B and Host C, with Host A and Host C as receivers.]
Basic Concepts in MLD Snooping
MLD Snooping related ports
As shown in Figure 197, Router
MLD Snooping Overview
■ Member port: A member port (also known as IPv6 multicast group member port or Listener Port) is a port on a Layer 2 switch that leads the switch to an IPv6 multicast group member. In the figure, Ethernet 1/1/1 and Ethernet 1/1/2 of Switch A and Ethernet1/1/1 of Switch B are member ports. The switch records all member ports on the local device in the MLD Snooping forwarding table.
CHAPTER 45: MLD SNOOPING CONFIGURATION ■ Upon receiving an MLD query, an IPv6 multicast group member host responds with an MLD report. ■ When intended to join an IPv6 multicast group, a host sends an MLD report to the multicast router to announce that it is interested in the multicast information addressed to that IPv6 multicast group.
MLD Snooping Configuration Task List
Processing of IPv6 Multicast Protocol Messages
Under different conditions, an MLD Snooping-capable switch processes IPv6 multicast protocol messages differently, specifically as follows:
1 If only MLD is enabled, or both MLD and IPv6 PIM are enabled on the switch, the switch handles IPv6 multicast protocol messages in the normal way.
2 If only IPv6 PIM is enabled on the switch:
■ The switch broadcasts MLD messages as unknown messages in the VLAN.
Task Remarks
“Configuring an IPv6 Multicast Group Policy” on page 661
  “Configuring an IPv6 Multicast Group Filter” on page 662 Optional
  “Configuring Maximum Multicast Groups that Can Pass Ports” on page 663 Optional
  “Configuring IPv6 Multicast Group Replacement” on page 663 Optional
■ Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
Configuring Basic Functions of MLD Snooping
Configuring Port Aging Timers
To do... Use the command... Remarks
Enable MLD Snooping in the VLAN: mld-snooping enable (Required; disabled by default)
■ MLD Snooping must be enabled globally before it can be enabled in a VLAN.
■ When you enable MLD Snooping in a specified VLAN, this function takes effect for Ethernet ports in this VLAN only.
Configuring MLD Snooping Port Functions
Configuration Prerequisites
Before configuring MLD Snooping port functions, complete the following task:
■ Enable MLD Snooping in the VLAN or enable MLD on the desired VLAN interface
Before configuring MLD Snooping port functions, prepare the following data:
■ IPv6 multicast source addresses
■ Whether to enable the fast leave function or not
■ Whether to enable the MLD membership report su
member of this IPv6 multicast group exists on the network segment, and therefore will remove the corresponding forwarding path. To avoid this situation, you can enable simulated joining on a port, namely configure a port of the switch as a simulated member of the IPv6 multicast group. When an MLD query arrives, that member port will give a response. As a result, the switch can continue receiving IPv6 multicast data.
Configuring the fast leave feature globally
Follow these steps to configure the fast leave feature globally:
To do... Use the command...
Configuring MLD-Related Functions
Configuration Prerequisites
Before configuring MLD-related functions, complete the following task:
■ Enable MLD Snooping in the VLAN
Before configuring MLD-related functions, prepare the following data:
■ MLD general query interval
■ MLD last-member query interval
■ Maximum response time for MLD general queries
■ Source IPv6 address of MLD general queries
■ Source IPv6 address of MLD group-s
Enabling MLD Snooping Querier
Upon receiving an MLD query (general query or group-specific query), a host starts a timer for each IPv6 multicast group it has joined. This timer is initialized to a random value in the range of 0 to the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the MLD query it received). When the timer value comes down to 0, the host sends an MLD report to the corresponding IPv6 multicast group.
Configuring an IPv6 Multicast Group Policy
Configuring a Source IPv6 Address for MLD Queries
This configuration allows you to change the source IPv6 address of MLD queries. When a port receives an MLD general query with an all-zero IPv6 address, the switch does not put it in its router port list. In a multicast network with only Layer 2 devices, therefore, it is recommended to configure a normal link-local IPv6 address as the source address of MLD query messages.
■ Enable MLD Snooping in the VLAN or enable MLD on the desired VLAN interface
Before configuring an IPv6 multicast group filtering policy, prepare the following data:
■ IPv6 ACL rule for IPv6 multicast group filtering
■ The maximum number of IPv6 multicast groups that can pass the ports
■ Whether to enable the IPv6 multicast group replacement function
Configuring an IPv6 Multicast Group Filter
Configuring Maximum Multicast Groups that Can Pass Ports
By configuring the maximum number of IPv6 multicast groups that can pass a port or a group of ports, you can limit the maximum number of multicast programs available to users, and thus control the traffic on the port. Follow these steps to configure the maximum number of IPv6 multicast groups that can pass a port or a group of ports:
To do... Use the command...
Configuring IPv6 multicast group replacement on a port or a group of ports
Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
To do... Use the command...
MLD Snooping Configuration Examples
■ MLD runs between Router A and Switch A, MLD Snooping runs on Switch A, and Router A acts as the MLD querier.
■ Router A runs IPv6 PIM-SM, and Ethernet1/1/2 serves as C-BSR and C-RP.
■ Perform the following configuration so that multicast data (1::1, FE1E::101:101) can be forwarded through Ethernet1/2 and Ethernet1/3 even if the receivers Host A and Host B attached to Switch A temporarily stop receiving IPv6 multicast data for some unexpected reasons.
The above configuration on Router A is for reference only. Refer to the specific situation of your device when performing the configuration.
3 Configure Switch A
# Create VLAN 100.
system-view
[SwitchA] vlan 100
# Add ports Ethernet1/1/1 through Ethernet1/1/4 to VLAN 100.
[SwitchA-vlan100] port ethernet 1/1/1 to ethernet 1/1/4
[SwitchA-vlan100] quit
# Enable MLD Snooping.
Example 2 (Static Router Port Configuration)
Network requirements
As shown in Figure 199, Router A, which acts as the MLD querier on the subnet, connects to the IPv6 multicast source through Ethernet1/1/2 and to Switch A (a Switch 8800) through Ethernet1/1/1. While no IPv6 multicast protocol is running on Router B, perform the following configuration so that Switch A can forward all the received IPv6 multicast data to Router B.
system-view
[SwitchA] vlan 100
# Add the ports, Ethernet1/1/1 to Ethernet1/1/4, to VLAN 100.
[SwitchA-vlan100] port ethernet 1/1/1 to ethernet 1/1/4
[SwitchA-vlan100] quit
# Enable MLD Snooping.
[SwitchA] mld-snooping
[SwitchA-mld-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mld-snooping enable
[SwitchA-vlan100] quit
# Configure Ethernet1/1/3 to be a static router port.
Troubleshooting MLD Snooping
system-view
[SwitchA] mld-snooping
[SwitchA-mld-snooping] quit
# Create VLAN 100 and add Ethernet1/1/3 and Ethernet1/1/1 to VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] port ethernet 1/1/3 ethernet 1/1/1
# Enable MLD Snooping in VLAN 100 and enable the MLD-Snooping querier function.
[SwitchA-vlan100] mld-snooping enable
[SwitchA-vlan100] mld-snooping querier
2 Configure Switch B
# Enable MLD Snooping globally.
Solution
1 Enter the display current-configuration command to view the running status of MLD Snooping.
2 If MLD Snooping is not enabled, use the mld-snooping command to enable MLD Snooping globally and then use the mld-snooping enable command to enable MLD Snooping in VLAN view.
3 If MLD Snooping is disabled only for the corresponding VLAN, just use the mld-snooping enable command in VLAN view to enable MLD Snooping in the corresponding VLAN.
IPV6 PIM CONFIGURATION 46
When configuring IPv6 PIM, go to these sections for information you are interested in:
■ “IPv6 PIM Overview” on page 671
■ “Configuring IPv6 PIM-DM” on page 681
■ “Configuring IPv6 PIM-SM” on page 684
■ “Displaying and Maintaining IPv6 PIM” on page 696
■ “IPv6 PIM Configuration Examples” on page 697
■ “Troubleshooting IPv6 PIM Configuration” on page 705
■ The term "router" in this document refers to a router in a generic sense or a Switch 8800
CHAPTER 46: IPV6 PIM CONFIGURATION
Based on the forwarding mechanism, IPv6 PIM falls into two modes:
■ Protocol Independent Multicast-Dense Mode for IPv6 (IPv6 PIM-DM), and
■ Protocol Independent Multicast-Sparse Mode for IPv6 (IPv6 PIM-SM).
To facilitate description, a network comprising IPv6 PIM routers or IPv6 PIM routing switches is referred to as an "IPv6 PIM domain" in this document.
Introduction to IPv6 PIM-DM
IPv6 PIM-DM is a type of dense mode IPv6 multicast protocol.
IPv6 PIM Overview
(S, G) entry and forwards the packet to all downstream nodes in the network. In the flooding process, an (S, G) entry is created on all the routers in the IPv6 PIM-DM domain.
Graft
When a host attached to a pruned node joins an IPv6 multicast group, to reduce the join latency, IPv6 PIM-DM uses the graft mechanism to resume IPv6 multicast data forwarding to that branch. The process is as follows:
1 The node that needs to receive IPv6 multicast data sends a graft message hop by hop toward the source, as a request to join the SPT again.
3 If there is a tie in the route metric to the source, the router with a higher IP address of the local interface wins.
Introduction to IPv6 PIM-SM
IPv6 PIM-DM uses the "flood and prune" principle to build SPTs for IPv6 multicast data distribution. Although an SPT has the shortest path, it is built with a low efficiency. Therefore, the PIM-DM mode is not suitable for large- and medium-sized networks. IPv6 PIM-SM is a type of sparse mode IPv6 multicast protocol.
Neighbor discovery
IPv6 PIM-SM uses exactly the same neighbor discovery mechanism as IPv6 PIM-DM does. Refer to “Neighbor discovery” on page 672.
DR election
IPv6 PIM-SM also uses hello messages to elect a designated router (DR) for a multi-access network. The elected DR will be the only multicast forwarder on this multi-access network. In the case of a multi-access network, a DR must be elected, no matter whether this network connects to IPv6 multicast sources or to receivers.
When the DR works abnormally, a timeout in receiving hello messages triggers a new DR election process among the other routers.
RP discovery
The RP is the core of an IPv6 PIM-SM domain. For a small-sized, simple network, one RP is enough for forwarding IPv6 multicast information throughout the network, and the position of the RP can be statically specified on each router in the IPv6 PIM-SM domain.
based on the BSR mechanism. The DR does not need to know the RP address beforehand. The specific process is as follows.
■ At the receiver side:
1 A receiver host initiates an MLD report to announce joining an IPv6 multicast group.
2 Upon receiving the MLD report, the receiver-side DR resolves the RP address embedded in the IPv6 multicast address, and sends a join message to the RP.
prefix: The prefix of the embedded RP unicast address extracted from the IPv6 multicast address. The number of bits extracted is determined by the plen field of the IPv6 multicast address.
zero: These bits are zeroed.
RIID: The RIID field of the IPv6 multicast address is extracted as the interface ID of the IPv6 unicast address of the RP.
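To make the prefix/plen/RIID extraction concrete, the following added example (written for this page, not code from the guide) derives the RP address from an embedded-RP IPv6 multicast address using the RFC 3956 field layout: flags, scope, a reserved nibble, RIID, plen, a 64-bit network prefix field and a 32-bit group ID. The group addresses used are constructed samples.

```python
import ipaddress


def embedded_rp_address(group: str) -> ipaddress.IPv6Address:
    """Return the RP unicast address embedded in an IPv6 multicast address.

    RFC 3956 layout of the 128-bit group address:
      FF | flgs(4) | scop(4) | rsvd(4) | RIID(4) | plen(8) | network prefix(64) | group ID(32)
    RP address = first plen bits of the network prefix field, the rest zeroed,
    with the RIID placed in the interface ID (the low 4 bits).
    Raises ValueError if the address is not an embedded-RP group address.
    """
    g = ipaddress.IPv6Address(group)
    b = g.packed
    if b[0] != 0xFF:
        raise ValueError(f"{g} is not an IPv6 multicast address")
    flags = b[1] >> 4
    if flags & 0x7 != 0x7:          # 0RPT: the R, P and T flags must all be set
        raise ValueError(f"{g} does not carry an embedded RP (flags=0x{flags:x})")
    rsvd, riid = b[2] >> 4, b[2] & 0x0F
    plen = b[3]
    if rsvd != 0 or riid == 0 or plen == 0 or plen > 64:
        raise ValueError(f"{g}: invalid rsvd/RIID/plen fields "
                         f"(rsvd={rsvd}, RIID={riid}, plen={plen})")
    prefix = int.from_bytes(b[4:12], "big")            # 64-bit network prefix field
    prefix &= ((1 << plen) - 1) << (64 - plen)         # keep only the plen leading bits
    rp = (prefix << 64) | riid                          # zero interface ID, then RIID
    return ipaddress.IPv6Address(rp)


if __name__ == "__main__":
    # Constructed samples: plen 64 (full prefix field) and plen 32 (prefix truncated).
    for grp in ("FF7E:240:2001:DB8:BEEF:FEED::1234", "FF7E:120:2001:DB8:ABCD:1::5"):
        print(f"{grp} -> RP {embedded_rp_address(grp)}")
```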
upstream node deletes its link with this downstream node from the outgoing interface list and checks whether it itself has receivers for that IPv6 multicast group. If not, the router continues to forward the prune message to its upstream router.
Multicast source registration
The purpose of IPv6 multicast source registration is to inform the RP about the existence of the IPv6 multicast source.
Configuring IPv6 PIM-DM
initiates an RPT-to-SPT switchover process upon receiving the first multicast packet along the RPT by default. The RPT-to-SPT switchover process is as follows:
1 First, the receiver-side DR sends an (S, G) join message hop by hop to the multicast source S. When the join message reaches the source-side DR, all the routers on the path have installed the (S, G) entry in their forwarding table, and thus an SPT branch is established.
Task Remarks
“Configuring IPv6 PIM-DM Graft Retry Period” on page 683 Optional
“Configuring IPv6 PIM Common Information” on page 691 Optional
Configuration Prerequisites
Before configuring IPv6 PIM-DM, complete the following task:
■ Configure any IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Configuring IPv6 PIM-DM Configuring State Refresh Parameters To do... Use the command...
To do... / Use the command... / Remarks
Configure graft retry period: pim ipv6 timer graft-retry interval (Optional; 3 seconds by default)
Note: For the configuration of other timers in IPv6 PIM-DM, refer to “Configuring IPv6 PIM Common Timers” on page 694.
Note: A device can serve as a C-RP and a C-BSR at the same time.
Configuring IPv6 PIM-SM Enabling IPv6 PIM-SM 685 ■ An IPv6 ACL rule defining a legal C-RP address range and the range of IPv6 multicast groups to be served ■ C-RP-Adv interval ■ C-RP timeout time ■ The IPv6 address of a static RP ■ An IPv6 ACL rule for register message filtering ■ Register suppression timeout time ■ Probe time ■ Whether to disable RPT-to-SPT switchover With IPv6 PIM-SM enabled, a device sends hello messages periodically to discover IPv6 PIM neighbors and processes message
CHAPTER 46: IPV6 PIM CONFIGURATION ■ Initially, every C-BSR assumes itself to be the BSR of this IPv6 PIM-SM domain, and uses its interface IPv6 address as the BSR address to send bootstrap messages. ■ When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority with the other C-BSR’s priority carried in the message. The C-BSR with a higher priority wins. If there is a tie in the priority, the C-BSR with a higher IPv6 address wins.
Configuring IPv6 PIM-SM 687 Configuring a BSR admin-scope region boundary A BSR has its specific service scope. A number of BSR boundary interfaces divide a network into different BSR admin-scope regions. Bootstrap messages cannot cross the admin-scope region boundary, while other types of IPv6 PIM messages can. Follow these steps to configure a BSR admin-scope region boundary: To do... Use the command...
■ By default, the bootstrap interval is derived from the bootstrap timeout time by this formula: Bootstrap interval = (Bootstrap timeout - 10) ÷ 2. The default bootstrap timeout is 130 seconds, so the default bootstrap interval = (130 - 10) ÷ 2 = 60 (seconds).
■ If this parameter is manually configured, the system will use the configured value.
CAUTION: In configuration, make sure that the bootstrap interval is smaller than the bootstrap timeout time.
Configuring IPv6 PIM-SM 689
To do... / Use the command... / Remarks
Configure an interface to be a C-RP: c-rp ipv6-address [ group-policy acl6-number | priority priority | holdtime hold-interval | advertisement-interval adv-interval ] * (Optional; no C-RPs are configured by default)
Configure a legal C-RP address range and the range of IPv6 multicast groups to be served: crp-policy acl6-number (Optional)
To do... / Use the command... / Remarks
Configure the C-RP-Adv interval: c-rp advertisement-interval interval (Optional; 60 seconds by default)
Configure C-RP timeout time: c-rp holdtime interval (Optional; 150 seconds by default)
Note: The commands introduced in this section are to be configured on C-RPs.
Note: For the configuration of other timers in IPv6 PIM-SM, refer to “Configuring IPv6 PIM Common Timers” on page 694.
Configuring IPv6 PIM-SM Register Messages
Configuring IPv6 PIM Common Information To do... Use the command...
Task / Remarks
“Configuring an IPv6 PIM filter” on page 692: Optional
“Configuring IPv6 PIM Hello Options” on page 693: Optional
“Configuring IPv6 PIM Common Timers” on page 694: Optional
“Configuring Join/Prune Message Limits” on page 696: Optional
Configuration Prerequisites
Before configuring IPv6 PIM common information, complete the following tasks:
■ Configure any IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Configuring IPv6 PIM Common Information n Configuring IPv6 PIM Hello Options 693 ■ Generally, a smaller distance from the filter to the IPv6 multicast source results in a more remarkable filtering effect. ■ This filter works not only on independent IPv6 multicast data but also on IPv6 multicast data encapsulated in register messages.
suppression feature should be enabled or disabled on all IPv6 PIM devices on the same subnet. Configuring hello options globally Follow these steps to configure hello options globally: To do... Use the command...
Configuring IPv6 PIM Common Information 695 sending out a hello message. This avoids collisions that occur when multiple IPv6 PIM devices send hello messages simultaneously. Any device that has lost assert election will prune its downstream interface and maintain the assert state for a period of time. When the assert state times out, the assert losers will resume IPv6 multicast forwarding. An IPv6 PIM device periodically sends join/prune messages to its upstream device for state update.
To do... / Use the command... / Remarks
Configure the join/prune interval: pim ipv6 timer join-prune interval (Optional; 60 seconds by default)
Configure the join/prune timeout time: pim ipv6 holdtime join-prune interval (Optional; 210 seconds by default)
Note: If there are no special networking requirements, we recommend that you use the default settings.
IPv6 PIM Configuration Examples To do... Use the command...
CHAPTER 46: IPV6 PIM CONFIGURATION ■ Switch A is the MLD querier on the multi-access subnet.
IPv6 PIM Configuration Examples 699
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim ipv6 dm
[SwitchA-Vlan-interface102] quit
The configuration on Switch B and Switch C is similar to the configuration on Switch A.
3 Enable MLD on the host-side interfaces of Switch B and Switch C
# Enable IPv6 multicast routing on Switch B, and enable MLDv1 on VLAN-interface 200.
CHAPTER 46: IPV6 PIM CONFIGURATION command to view the IPv6 PIM routing table information on each switch. For example: # View the IPv6 PIM multicast routing table information on Switch A.
exist in each stub network. The entire PIM domain operates in the sparse mode.
■ Host A and Host C are IPv6 multicast receivers in two stub networks N1 and N2.
■ Switch A connects to the network where the source resides through VLAN-interface 100.
■ Switch B connects to N1 through VLAN-interface 200, and to Switch A and Switch D through VLAN-interface 101 and VLAN-interface 103 respectively.
CHAPTER 46: IPV6 PIM CONFIGURATION Configuration procedure 1 Configure the interface IPv6 addresses and unicast routing protocol for each switch Configure the IP address and prefix length for each interface as per Figure 210. Configure OSPFv3 for interoperation among the switches in the IPv6 PIM-SM domain. Detailed configuration steps are omitted here.
IPv6 PIM Configuration Examples 703 Use the display pim ipv6 interface command to view the IPv6 PIM configuration and running status on each interface. For example: # View the IPv6 PIM information on all interfaces of Switch B.
[SwitchB] display pim ipv6 rp-info
Vpn-instance: public net
PIM-SM BSR RP information:
prefix/prefix length: FF0E::101:101/64
RP: 2004::2
Priority: 0
HoldTime: 130
Uptime: 00:05:19
Expires: 00:02:11
Assume that Host A needs to receive information addressed to the IPv6 multicast group G (FF0E::101:101). An RPT will be built between Switch D and Switch B. A (*, G) entry is created on Switch D and Switch B on the RPT path.
Troubleshooting IPv6 PIM Configuration 705 # View the IPv6 PIM multicast routing table information on Switch D.
Solution
1 Check IPv6 unicast routes. Use the display ipv6 routing-table command to check whether a unicast route exists to the IPv6 multicast source or the RP.
2 Check that the RPF interface supports IPv6 PIM. Use the display pim ipv6 interface command to view the IPv6 PIM information on each interface. If IPv6 PIM is not enabled on the interface, use the pim ipv6 dm or pim ipv6 sm command to enable IPv6 PIM.
3 Check that the RPF neighbor is an IPv6 PIM neighbor.
Troubleshooting IPv6 PIM Configuration 707 C-RP. An RPT cannot be established correctly, or the DR cannot perform source register with the RP. Analysis ■ C-RPs periodically send advertisement messages to the BSR by unicast. If a C-RP does not have a route to the BSR, the BSR will be unable to receive the advertisements from the C-RP, and therefore will not advertise bootstrap messages. ■ The RP is the core of an IPv6 PIM-SM domain.
CENTRALIZED MODE FOR IPV6 47 Centralization is used when an IPv4 hardware module needs to forward IPv6 traffic. This is accomplished through the use of Link Aggregation service ports, which create a loopback group on an IPv6 hardware-ready module.
CHAPTER 47: CENTRALIZED MODE FOR IPV6 ■ Configuring a Service Loop Group for IPv6 Multicast and IPv6 Unicast 3C17532 3Com Switch 8800 48-port 10/100/1000BASE-T Access (XFP) IP6 Configure an IPv6 multicast and/or an IPv6 unicast service loop group to implement Centralized Mode IPv6 multicast and/or IPv6 unicast. For details about a loop group, refer to “Configuring a Service Loop Group” on page 79.
Configuring IPv6 Multicast and IPv6 Unicast Centralized Mode Example 711
Network diagram
Figure 211 Network diagram for Centralized Mode for IPv6 multicast and IPv6 unicast (diagram not reproduced; it shows Switch A, Switch B and Switch C running IPv6 PIM-DM, Hosts A through D as source and receivers on the Ethernet stub networks N1 and N2, the VLAN-interfaces 100, 101, 102, 200 and 300 that connect them, and the address 2001::5/64)
Device / Interface / IP address table (cut off in this copy)
[SwitchA-Vlan-interface102] pim ipv6 dm
[SwitchA-Vlan-interface102] quit
The configuration on Switch B and Switch C is similar to the configuration on Switch A.
3 Enable MLD on the host-side VLAN interfaces of Switch B and Switch C
# Enable IPv6 multicast routing on Switch B and enable MLDv1 on VLAN-interface 200.
UDP HELPER CONFIGURATION 48 When configuring UDP Helper, go to these sections for information you are interested in: n Introduction to UDP Helper ■ “Introduction to UDP Helper” on page 713 ■ “Configuring UDP Helper” on page 713 ■ “Displaying and Maintaining UDP Helper” on page 714 ■ “UDP Helper Configuration Examples” on page 715 UDP Helper can be currently configured on VLAN interfaces only.
CHAPTER 48: UDP HELPER CONFIGURATION To do... Use the command...
UDP Helper Configuration Examples 715
Network requirements
The interface VLAN-interface 1 on the UDP Helper enabled Switch A has the IP address of 10.110.1.1/16, connecting to the network segment 10.110.0.0/16. Enable the forwarding of broadcast packets with the UDP destination port number 55 to the destination server 202.38.1.2/24.
Network diagram
Figure 212 Network diagram for UDP Helper configuration (diagram not reproduced; it shows Vlan-int1 10.110.1.1/16 on Switch A and the Vlan-int1 on the server side, whose address is cut off in this copy)
49 Introduction to DHCP DHCP OVERVIEW The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts. Meanwhile, with the wide application of the wireless network, the frequent movement of laptops across the network requires that the IP addresses be changed accordingly. Therefore, related configurations on hosts become more complex.
CHAPTER 49: DHCP OVERVIEW Dynamic IP Address Allocation Procedure For dynamic allocation, a DHCP client obtains an IP address from a DHCP server via four steps: 1 The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. 2 A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.
Figure 214 DHCP message format (fields in order, with their length in bytes): op (1), htype (1), hlen (1), hops (1), xid (4), secs (2), flags (2), ciaddr (4), yiaddr (4), siaddr (4), giaddr (4), chaddr (16), sname (64), file (128), options (variable)
■ op: Message type defined in option field. 1 = REQUEST, 2 = REPLY
■ htype, hlen: Hardware address type and length of a DHCP client.
■ hops: Number of relay agents a request message traveled.
Protocols and Standards
CHAPTER 49: DHCP OVERVIEW ■ RFC 3046: DHCP Relay Agent Information Option
DHCP SERVER CONFIGURATION 50 When configuring the DHCP server, go to these sections for information you are interested in: n ■ “Introduction to DHCP Server” on page 721 ■ “DHCP Server Configuration Task List” on page 723 ■ “Enabling DHCP” on page 723 ■ “Enabling the DHCP Server on an Interface” on page 723 ■ “Configuring an Address Pool for the DHCP Server” on page 724 ■ “Configuring the DHCP Server Security Functions” on page 730 ■ “Enabling the DHCP Server to Support Option 82” on page 73
CHAPTER 50: DHCP SERVER CONFIGURATION At the very beginning, subnetworks inherit network parameters and clients inherit subnetwork parameters. Therefore, common parameters, for example the domain name, should be configured at the highest (network or subnetwork) level of the tree.
DHCP Server Configuration Task List 723
To configure the DHCP server feature, perform the tasks described in the following sections:
Task / Remarks
“Enabling DHCP” on page 723: Required
“Enabling the DHCP Server on an Interface” on page 723: Optional
“Configuring an Address Pool for the DHCP Server” on page 724: Optional
“Configuring the DHCP Server Security Functions” on page 730: Optional
“Enabling the DHCP Server to Support Option 82” on page 731
Enabling DHCP
CHAPTER 50: DHCP SERVER CONFIGURATION ■ Without subaddress specified, assign an IP address from the address pool of the subnet which the primary IP address of the server’s interface (connected to the client) belongs to.
Configuring an Address Pool for the DHCP Server 725 When the client with the MAC address or ID requests an IP address, the DHCP server will find the IP address from the binding for the client. A DHCP address pool now supports only one static binding, which can be a MAC-to-IP or ID-to-IP binding. To configure the static binding in a DHCP address pool, use the following commands: To do... Use the command...
CHAPTER 50: DHCP SERVER CONFIGURATION n Configuring a Domain Name for the Client Configuring DNS Servers for the Client To do... Use the command...
Configuring an Address Pool for the DHCP Server 727 server should assign a WINS server address when assigning an IP address to the client. You can specify up to eight WINS servers in a DHCP address pool. You need to specify in a DHCP address pool a NetBIOS node type for the client to approach name resolution. There are four NetBIOS node types: ■ b (broadcast)-node: The b-node client sends the destination name in a broadcast message.
To do... / Use the command... / Remarks
Enter DHCP address pool view: dhcp server ip-pool pool-name (-)
Specify the BIMS server IP address, port number, and shared key: bims-server ip ip-address [ port port-number ] sharekey key (Required; not specified by default)
Configuring Gateways for the Client
DHCP clients wanting to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients.
Configuring an Address Pool for the DHCP Server 729
To do... / Use the command... / Remarks
Specify the TFTP server: tftp-server ip-address ip-address (Optional; not specified by default)
Specify the name of the TFTP server: tftp-server domain-name domain-name (Optional; not specified by default)
Specify the bootfile name: bootfile-name bootfile-name (Optional; not specified by default)
Configuring Self-Defined DHCP Options
By configuring self-defined DHCP options, you can
■ Define new DHCP options.
Table 32 Description of common options
Option / Corresponding Name in RFC / Corresponding command / Command option
59: Rebinding (T2) Time Value; command expired; option hex
66: TFTP server name; command tftp-server; option ascii
67: Bootfile name; command bootfile-name; option ascii
Configuring the DHCP Server Security Functions
This configuration is necessary to secure DHCP services on the DHCP server.
Enabling the DHCP Server to Support Option 82 731
To do... / Use the command... / Remarks
Specify the number of ping packets: dhcp server ping packets number (Optional; one ping packet by default. The value "0" indicates that no ping operation is performed.)
Configure a timeout waiting for ping responses: dhcp server ping timeout milliseconds (Optional; 500 ms by default. The value "0" indicates that no ping operation is performed.)
CHAPTER 50: DHCP SERVER CONFIGURATION Displaying and Maintaining the DHCP Server n DHCP Server Configuration Example To do... Use the command...
DHCP Server Configuration Example n 733 ■ In the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name aabbcc.com, DNS server address 10.1.1.2, gateway 10.1.1.126, and WINS server 10.1.1.4. ■ In the address pool 10.1.1.128/25, the address lease duration is five days, domain name aabbcc.com, DNS server address 10.1.1.2, and gateway address 10.1.1.254, and there is no WINS server address. ■ The domain name and DNS server address on the subnets 10.1.1.
[Sysname] dhcp server ip-pool 0
[Sysname-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[Sysname-dhcp-pool-0] domain-name aabbcc.com
[Sysname-dhcp-pool-0] dns-list 10.1.1.2
[Sysname-dhcp-pool-0] quit
# Configure DHCP address pool 1 (address range, gateway, lease duration, and WINS server).
[Sysname] dhcp server ip-pool 1
[Sysname-dhcp-pool-1] network 10.1.1.0 mask 255.255.
DHCP RELAY AGENT CONFIGURATION 51 When configuring the DHCP relay agent, go to these sections for information you are interested in: n ■ “Introduction to DHCP Relay Agent” on page 735 ■ “Configuring DHCP Relay Agent” on page 736 ■ “Displaying and Maintaining DHCP Relay Agent Configuration” on page 741 ■ “DHCP Relay Agent Configuration Example” on page 742 ■ “Troubleshooting DHCP Relay Agent Configuration” on page 743 The DHCP relay agent configuration is supported only on VLAN interfaces.
CHAPTER 51: DHCP RELAY AGENT CONFIGURATION No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see “Dynamic IP Address Allocation Procedure” on page 718). The following describes the forwarding process on the DHCP relay agent. 1 After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent forwards the message to the designated DHCP server in unicast mode.
Configuring DHCP Relay Agent 737
To do... / Use the command... / Remarks
Enable the DHCP relay agent on the current interface: dhcp select relay (Required; with DHCP enabled, interfaces work in the DHCP server mode)
Note: If the DHCP client obtains an IP address via the DHCP relay agent, the address pool of the subnet which the IP address of the DHCP relay agent belongs to must be configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP address.
CHAPTER 51: DHCP RELAY AGENT CONFIGURATION receiving the DHCP-RELEASE request, the DHCP server then releases the IP address for the client. With this feature enabled in system view, the DHCP-RELEASE request will be sent to those DHCP servers correlated with the DHCP relay agent interfaces. To configure the DHCP relay agent in system view to send a DHCP-RELEASE request, use the following commands: Configuring the DHCP Relay Agent Security Functions To do... Use the command...
Configuring DHCP Relay Agent 739 Configure dynamic binding update interval Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server, thus it does not remove the IP address from its bindings. To solve this, the DHCP relay agent can update dynamic bindings at a specified interval.
CHAPTER 51: DHCP RELAY AGENT CONFIGURATION Configuring the DHCP Relay Agent to Support Option 82 Introduction to Option 82 Option 82 is the relay agent option in the Options field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent receives a client’s request, it adds Option 82 to the request message so that the administrator can locate the DHCP client to further implement security control and accounting. Option 82 involves at most 255 sub-options.
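A parser for the DHCP message format shown in Figure 214, extended to the relay agent option described here, as an added Python example that is not part of the 3Com guide. It assumes the RFC 2132 magic cookie and code/length/value option encoding, the RFC 3046 sub-option codes 1 (circuit ID) and 2 (remote ID), and constructs its own relayed DHCP-DISCOVER as sample input.

```python
import struct
from typing import Dict

# Fixed part of the DHCP message in the order of Figure 214 (236 bytes):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132: start of the options field
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # Option 82 sub-options defined in RFC 3046


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_tlv(buf: bytes, options_field: bool) -> Dict[int, bytes]:
    """Walk code/length/value items; the options field also has pad (0) and end (255) codes,
    Option 82's sub-option list does not."""
    items: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if options_field and code == OPT_PAD:
            i += 1
            continue
        if options_field and code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: length byte missing")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declares {length} bytes, {len(value)} present")
        items[code] = items.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return items


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed header, the options, and, if present, the Option 82 sub-options."""
    if len(pkt) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) = HEADER.unpack_from(pkt)
    if hlen > 16:
        raise ValueError(f"hlen {hlen} exceeds the 16-byte chaddr field")
    if pkt[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing; options field is not RFC 2132 formatted")
    options = parse_tlv(pkt[HEADER.size + 4:], options_field=True)
    msg = {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),            # RFC 2131: only the top flag bit is defined
        "ciaddr": _ipv4(ciaddr), "yiaddr": _ipv4(yiaddr),
        "siaddr": _ipv4(siaddr), "giaddr": _ipv4(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": file.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": options,
    }
    if OPT_RELAY_AGENT in options:
        msg["option82"] = parse_tlv(options[OPT_RELAY_AGENT], options_field=False)
    return msg


def sample_relayed_discover() -> bytes:
    """Constructed DHCP-DISCOVER as a relay agent forwards it: hops=1, giaddr set, Option 82 added.
    Addresses and identifiers are made up for this example."""
    mac = bytes.fromhex("0050baaa0001")
    header = HEADER.pack(1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, bytes([192, 0, 2, 1]),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    sub = (bytes([SUB_CIRCUIT_ID, 11]) + b"vlan1-port3"
           + bytes([SUB_REMOTE_ID, 7]) + b"relay-1")
    options = (bytes([OPT_MSG_TYPE, 1, 1])                 # message type 1 = DHCP-DISCOVER
               + bytes([OPT_RELAY_AGENT, len(sub)]) + sub
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options
```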
Displaying and Maintaining DHCP Relay Agent Configuration 741
If a client’s request message has... / Handling strategy / Padding format / The DHCP relay agent will...
no Option 82: handling strategy -, padding format Normal: Forward the message after adding the Option 82 padded in normal format.
no Option 82: handling strategy -, padding format Verbose: Forward the message after adding the Option 82 padded in verbose format.
Prerequisites
You need to complete the following tasks before configuring the DHCP relay agent to support Option 82.
CHAPTER 51: DHCP RELAY AGENT CONFIGURATION DHCP Relay Agent Configuration Example To do... Use the command...
Troubleshooting DHCP Relay Agent Configuration 743
# Enable the DHCP relay agent on Vlan-interface1.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp select relay
[Sysname-Vlan-interface1] quit
# Configure DHCP server group 1 with the DHCP server 10.1.1.1, and correlate the DHCP server group 1 with Vlan-interface1.
[Sysname] dhcp relay server-group 1 ip 10.1.1.
52 DNS CONFIGURATION When configuring DNS, go to these sections for information you are interested in: DNS Overview ■ “DNS Overview” on page 745 ■ “Configuring Static Domain Name Resolution” on page 747 ■ “Configuring Dynamic Domain Name Resolution” on page 747 ■ “Displaying and Maintaining DNS” on page 747 ■ “DNS Configuration” on page 745 ■ “Troubleshooting DNS Configuration” on page 751 Domain name system (DNS) is a distributed database used by TCP/IP applications to translate domain name
Figure 218 Dynamic domain name resolution (diagram not reproduced; it shows the user program sending a request to the resolver, the resolver querying the DNS server and returning the response, and the resolver reading from and saving to the cache; the resolver and cache together form the DNS client)
Figure 218 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client can run on the same machine or different machines, while the DNS server and the DNS client usually must run on different machines.
Configuring Static Domain Name Resolution 747
Follow these steps to configure static domain name resolution:
To do... / Use the command... / Remarks
Enter system view: system-view (--)
Configure a mapping between host name and IP address in the static DNS database: ip host hostname ip-address (Required; no mapping between host name and IP address is configured in the static DNS database by default.)
To do... / Use the command... / Remarks
Clear the information in the dynamic domain name cache: reset dns dynamic-host (Available in user view)
DNS Configuration Example
Static DNS Configuration Example
Network requirements
Device uses the static domain name resolution to access Host with IP address 10.1.1.2 through domain name host.com.
Network diagram
Figure 219 Network diagram for static domain name resolution (diagram not reproduced; it shows 10.1.1.1/24 on the Device side and 10.1.1.2/24 on the Host side)
DNS Configuration Example 749
Network diagram
Figure 220 Network diagram for dynamic domain name resolution (diagram not reproduced; it shows the DNS server at 2.1.1.2/16 across an IP network, the Device acting as DNS client with the addresses 2.1.1.1/16 and 1.1.1.1/16, and Host host.com at 3.1.1.1/16)
Configuration procedure
Note: Before performing the following configuration, make sure that there is a route between the device and the host, and configurations are done on both the device and the host. For the IP addresses of the interfaces, see Figure 220.
CHAPTER 52: DNS CONFIGURATION Figure 221 Create a zone # Create a mapping between host name and IP address. Figure 222 Add a host In Figure 222, right click zone com, and then select New Host to bring up a dialog box as shown in Figure 223. Enter host name host and IP address 3.1.1.1.
Troubleshooting DNS Configuration 751
Figure 223 Add a mapping between domain name and IP address (screenshot not reproduced)
2 Configure DNS client Device
# Enable dynamic domain name resolution.
system-view
[Sysname] dns resolve
# Configure IP address 2.1.1.2 for the DNS server
[Sysname] dns server 2.1.1.
■ If there is no defined domain name, check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server.
■ Check that the mapping between the domain name and IP address is correct on the DNS server.
VRRP CONFIGURATION 54 When configuring VRRP, go to these sections for information you are interested in: n Introduction to VRRP Overview ■ “Introduction to VRRP” on page 761 ■ “Configuring VRRP for IPv4” on page 767 ■ “Configuring VRRP for IPv6” on page 771 ■ “IPv4-Based VRRP Configuration Example” on page 774 ■ “IPv6-Based VRRP Configuration Example” on page 783 ■ “Troubleshooting VRRP” on page 791 ■ The term router and the icon router in this document refer to a router in a generic sense
CHAPTER 54: VRRP CONFIGURATION There are two VRRP versions: VRRPv2 and VRRPv3. VRRPv2 is based on IPv4, while VRRPv3 is based on IPv6. The two versions implement the same functions but provide different commands.
Introduction to VRRP 763
CAUTION:
■ The IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a router in the standby group. In the latter case, the router is called the IP address owner.
■ In a VRRP standby group, there can only be one IP address owner.
VRRP priority
VRRP determines the role (master or backup) of each router in the standby group by priority.
Format of VRRP Packets
VRRP uses multicast packets. The router acting as the master sends VRRP packets periodically to declare its existence. VRRP packets are also used for checking the parameters of the virtual router and electing the master.
IPv4-based VRRP packet format
Figure 231 IPv4-based VRRP packet format (fields in order, with their width in bits): Version (4), Type (4), Virtual Rtr ID (8), Priority (8), Count IP Addrs (8), Auth Type (8), Adver Int (8), Checksum (16), IP address 1 ...
Introduction to VRRP 765
IPv6-based VRRP packet format
Figure 232 IPv6-based VRRP packet format (fields in order, with their width in bits): Version (4), Type (4), Virtual Rtr ID (8), Priority (8), Count IPv6 Addrs (8), Auth Type (8), Adver Int (8), Checksum (16), IPv6 address 1 ... IPv6 address n, Authentication data 1, Authentication data 2
As shown in Figure 232, an IPv6-based VRRP packet consists of the following fields:
■ Version: Version number of the protocol, 3 for VRRPv3.
■ Type: Type of the VRRP packet.
CHAPTER 54: VRRP CONFIGURATION Principles of VRRP 1 With VRRP enabled, the routers determine their respective roles in the standby group by priority. The router with the highest priority becomes the master, while the others are the backups. The master sends VRRP advertisement packets periodically to notify the backups that it is working properly, and each of the backups starts a timer to wait for advertisement packets from the master.
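A parser for the IPv4-based VRRP advertisement shown in Figure 231, with checksum verification and the priority comparison a backup makes before taking over, as an added Python example that is not part of the 3Com guide. It assumes the RFC 3768 field widths (eight bytes of authentication data close the packet) and the RFC 1071 Internet checksum; the advertisement is constructed sample input, and backup_should_preempt is a hypothetical helper that simplifies the election to the priority comparison described above.

```python
import struct
from typing import List, NamedTuple

# IPv4-based VRRP (VRRPv2) advertisement in the field order of Figure 231:
# byte 0 carries Version (high nibble) and Type (low nibble), followed by
# Virtual Rtr ID, Priority, Count IP Addrs, Auth Type, Adver Int, a 16-bit
# Checksum, Count IP Addrs 4-byte virtual addresses and two 32-bit
# authentication data words (RFC 3768 widths).
FIXED = struct.Struct("!BBBBBBH")
VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_DATA_LEN = 8


class Advertisement(NamedTuple):
    vrid: int
    priority: int
    count: int
    auth_type: int
    adver_int: int
    virtual_ips: List[str]
    checksum_ok: bool


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, virtual_ips: List[str],
                        adver_int: int = 1,
                        auth_data: bytes = b"\x00" * AUTH_DATA_LEN) -> bytes:
    """Constructed advertisement with a valid checksum (sample input, not captured traffic)."""
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in virtual_ips)
    body = FIXED.pack(VRRP_VERSION << 4 | TYPE_ADVERTISEMENT, vrid, priority,
                      len(virtual_ips), 0, adver_int, 0) + addrs + auth_data
    checksum = inet_checksum(body)              # computed with the checksum field zeroed
    return body[:6] + checksum.to_bytes(2, "big") + body[8:]


def parse_advertisement(pkt: bytes) -> Advertisement:
    """Decode one advertisement; checksum_ok is False when the message did not verify."""
    if len(pkt) < FIXED.size:
        raise ValueError("packet shorter than the fixed VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = FIXED.unpack_from(pkt)
    version, ptype = vt >> 4, vt & 0x0F
    if version != VRRP_VERSION or ptype != TYPE_ADVERTISEMENT:
        raise ValueError(f"unexpected version/type {version}/{ptype}")
    total_len = FIXED.size + 4 * count + AUTH_DATA_LEN
    if len(pkt) < total_len:
        raise ValueError(f"Count IP Addrs={count} needs {total_len} bytes, {len(pkt)} present")
    ips = [".".join(str(b) for b in pkt[FIXED.size + 4 * i:FIXED.size + 4 * i + 4])
           for i in range(count)]
    # Summing the whole message including the transmitted checksum gives 0 when intact.
    return Advertisement(vrid, priority, count, auth_type, adver_int, ips,
                         inet_checksum(pkt[:total_len]) == 0)


def backup_should_preempt(local_priority: int, adv: Advertisement, preempt_mode: bool) -> bool:
    """Hypothetical helper: a backup in preemption mode takes over only from a verified
    advertisement whose priority is lower than its own (tie-breaking omitted)."""
    return preempt_mode and adv.checksum_ok and local_priority > adv.priority
```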
Configuring VRRP for IPv4 767 In load balancing mode, multiple routers provide services at the same time. This mode requires two or more standby groups, each of which includes a master and one or more backups. The masters of the standby groups can be assumed by different routers, as shown in Figure 234.
Task / Remarks
“Creating Standby Group and Configuring Virtual IP Address” on page 769: Required
“Configuring Priority, Preemption Mode and Interface Tracking for a Standby Group” on page 769: Optional
“Configuring VRRP Packet Attributes” on page 770: Optional
CAUTION: VRRP is not supported on the VLAN interfaces of Super VLAN. Do not configure VRRP on interfaces of this type.
Configuring VRRP for IPv4 Creating Standby Group and Configuring Virtual IP Address 769 Configuration prerequisites Before creating standby group and configuring virtual IP address, you should first configure the IP address of the interface and ensure that the virtual IP address to be configured is in the same network segment as the IP address of the interface. Configuration procedure Follow these steps to create standby group and configure virtual IP address: To do... Use the command...
To do... / Use the command... / Remarks
Configure the switch in the standby group to work in preemption mode and configure preemption delay: vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ] (Optional; the switch in the standby group works in preemption mode and the preemption delay is 0 seconds by default. If the switch in the standby group works in non-preemption mode, the preemption delay changes to zero seconds automatically.)
Configuring VRRP for IPv6 771 solve this problem, you can prolong the time interval to send VRRP packets and configure a preemption delay. Displaying and Maintaining VRRP for IPv4 Configuring VRRP for IPv6 To do... Use the command...
Configuring the Association Between MAC Address and Virtual IPv6 Address
CAUTION: Configure this function before creating a standby group. Otherwise, you cannot ping the virtual IPv6 addresses of standby groups.
■ A standby group is removed after you remove all the virtual IPv6 addresses in it. In addition, configurations on that standby group no longer take effect.
Configuring Priority, Preemption Mode and Interface Tracking for a Standby Group
Configuration prerequisites
Before configuring these features, first create the standby group and configure the virtual IPv6 address.
Configuration procedure
Follow these steps to configure VRRP packet attributes:
To do... Use the command...
■ If Switch A operates normally, packets sent from Host A to Host B are forwarded by Switch A; if Switch A fails, packets sent from Host A to Host B are forwarded by Switch B.
Network diagram
Figure 235 Network diagram for single VRRP standby group configuration (figure not reproduced; its labels: Virtual IP address 202.38.160.111/24, Switch A Vlan-int2 202.38.160.1/24, 203.2.3.1/24, Internet, 202.38.160.3/24, Host A, Host B, Switch B Vlan-int2)
[SysnameB-vlan2] quit
[SysnameB] interface vlan-interface 2
[SysnameB-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
# Create standby group 1 and configure its virtual IP address as 202.38.160.111.
[SysnameB-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Configure Switch A to work in preemption mode and configure the preemption delay to five seconds.
# If Switch A fails, the detailed information of standby group 1 on Switch B is displayed.
display vrrp verbose
IPv4 Standby Information:
Run Method : VIRTUAL-MAC
Virtual IP Ping : Enable
Interface : Vlan-interface2
VRID : 1
Admin Status : UP
Config Pri : 100
Preempt Mode : YES
Auth Type : NONE
Virtual IP : 202.38.160.111
Virtual MAC : 0000-5e00-0101
Master IP : 202.38.160.2
Adver.
Configuration procedure
1 Configure Switch A
# Configure VLAN 2.
system-view
[SysnameA] vlan 2
[SysnameA-vlan2] port ethernet 2/1/4
[SysnameA-vlan2] quit
[SysnameA] interface vlan-interface 2
[SysnameA-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
# Create standby group 1 and configure its virtual IP address as 202.38.160.111.
[SysnameA-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority of Switch A in the standby group to 110.
3 Verify the configuration
After the configuration, Host B can be pinged from Host A. Use the display vrrp command to verify the configuration.
# Display detailed information of standby group 1 on Switch A.
Auth Type : SIMPLE TEXT
Track IF : Vlan-interface3
Virtual IP : 202.38.160.111
Master IP : 202.38.160.2
Key : hello
Pri Reduced : 30
# If Vlan-interface3 on Switch A is not available, the detailed information of standby group 1 on Switch B is displayed.
Network diagram
Figure 237 Network diagram for multiple VRRP standby groups configuration (figure not reproduced; its labels: Virtual IP address 1 202.38.160.111/24, Virtual IP address 2 202.38.160.112/24, Switch A Vlan-int2 202.38.160.1/24, Switch B Vlan-int2 202.38.160.2/24, Internet, and Host A, Host B and Host C with gateways 202.38.160.111/24 or 202.38.160.112/24)
Configuration procedure
1 Configure Switch A
# Configure VLAN 2.
# Create standby group 1 and configure its virtual IP address as 202.38.160.111.
[SysnameB-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Create standby group 2 and configure its virtual IP address as 202.38.160.112.
[SysnameB-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
# Set the priority of Switch B in standby group 2 to 110.
VRID : 2
Admin Status : UP
Config Pri : 110
Preempt Mode : YES
Auth Type : NONE
Virtual IP : 202.38.160.112
Virtual MAC : 0000-5e00-0102
Master IP : 202.38.160.2
Adver. Timer : 1
State : Master
Run Pri : 110
Delay Time : 0
The above information indicates that in standby group 1 Switch A is the master, Switch B is the backup and the host with the default gateway of 202.38.160.
Configuration procedure
1 Configure Switch A
# Configure VLAN 2.
system-view
[SysnameA] ipv6
[SysnameA] vlan 2
[SysnameA-vlan2] port ethernet 2/1/6
[SysnameA-vlan2] quit
[SysnameA] interface vlan-interface 2
[SysnameA-Vlan-interface2] ipv6 address fe80::1 link-local
[SysnameA-Vlan-interface2] ipv6 address 1::1 64
# Create standby group 1 and set its virtual IP address to fe80::10.
# Display detailed information of standby group 1 on Switch A.
display vrrp ipv6 verbose
IPv6 Standby Information:
Run Method : VIRTUAL-MAC
Virtual IP Ping : Enable
Interface : Vlan-interface2
VRID : 1
Admin Status : UP
Config Pri : 110
Preempt Mode : YES
Auth Type : NONE
Virtual IP : FE80::10
Virtual MAC : 0000-5e00-0201
Master IP : FE80::1
Adver.
The above information indicates that if Switch A fails, Switch B becomes the master, and packets sent from Host A to Host B are forwarded by Switch B.
VRRP Interface Tracking Configuration Example
Network requirements
■ Host A needs to access Host B on the Internet, using FE80::10 as its default gateway.
■ Switch A and Switch B belong to standby group 1 with the virtual IP address of FE80::10.
# Set the authentication mode for standby group 1 to SIMPLE and the authentication key to hello.
[SysnameA-Vlan-interface2] vrrp ipv6 vrid 1 authentication-mode simple hello
# Set the VRRP advertisement interval to 500 centiseconds.
[SysnameA-Vlan-interface2] vrrp ipv6 vrid 1 timer advertise 500
# Configure Switch A to work in preemption mode. The preemption delay is five seconds.
Config Pri : 110
Preempt Mode : YES
Auth Type : SIMPLE TEXT
Track IF : Vlan-interface3
Virtual IP : FE80::10
Virtual MAC : 0000-5e00-0201
Master IP : FE80::1
Run Pri : 110
Delay Time : 5
Key : hello
Pri Reduced : 30
Adver. Timer : 500
State : Backup
Run Pri : 100
Delay Time : 5
Key : hello
# Display detailed information of standby group 1 on Switch B.
Admin Status : UP
Config Pri : 100
Preempt Mode : YES
Auth Type : SIMPLE TEXT
Virtual IP : FE80::10
Virtual MAC : 0000-5e00-0201
Master IP : FE80::2
State : Master
Run Pri : 100
Delay Time : 5
Key : hello
The above information indicates that if Vlan-interface3 on Switch A is not available, the priority of Switch A is reduced to 80 and it becomes the backup. Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B.
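The election rules this chapter describes (highest priority wins, preemption mode with a preemption delay, interface tracking that lowers the running priority), as an added Python model that is not part of the manual or of 3Com's software. It replays the interface tracking example above: Switch A at priority 110 tracking Vlan-interface3 with a reduction of 30, Switch B at priority 100, both in preemption mode with a 5-second delay; the tie-break on interface address for equal priorities is an assumption.

```python
"""VRRP standby-group model: priority, preemption delay, interface tracking.
Added example (not 3Com code); values mirror the display vrrp verbose fields."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Router:
    name: str
    ip: str                          # interface address; assumed tie-break: higher IP wins
    config_pri: int = 100            # "Config Pri"
    preempt: bool = True             # "Preempt Mode : YES"
    delay: int = 0                   # "Delay Time": preemption delay in seconds
    track_if: Optional[str] = None   # "Track IF"
    pri_reduced: int = 0             # "Pri Reduced"
    alive: bool = True               # False models a failed switch

    def run_pri(self, link_up: Dict[str, bool]) -> int:
        """"Run Pri": the configured priority, reduced while the tracked interface is down."""
        if self.track_if is not None and not link_up.get(self.track_if, True):
            return max(self.config_pri - self.pri_reduced, 1)
        return self.config_pri


class StandbyGroup:
    def __init__(self, vrid: int, virtual_ip: str, routers: List[Router]):
        self.vrid, self.virtual_ip = vrid, virtual_ip
        self.routers = {r.name: r for r in routers}
        self.link_up: Dict[str, bool] = {}
        self.clock = 0                           # seconds of simulated time
        self.master: Optional[str] = None
        self._candidate: Optional[str] = None    # backup waiting out its preemption delay
        self._candidate_since = 0
        self._reevaluate()

    def _best(self) -> Optional[Router]:
        live = [r for r in self.routers.values() if r.alive]
        if not live:
            return None
        return max(live, key=lambda r: (r.run_pri(self.link_up), int(ipaddress.ip_address(r.ip))))

    def _reevaluate(self) -> None:
        cur = self.routers.get(self.master) if self.master else None
        best = self._best()
        if cur is None or not cur.alive:
            # No working master: the backups elect the highest running priority at once.
            self.master = best.name if best else None
            self._candidate = None
            return
        if best is cur or best.run_pri(self.link_up) <= cur.run_pri(self.link_up) or not best.preempt:
            # Master keeps its role: nobody is strictly higher, or the higher router
            # works in non-preemption mode.
            self._candidate = None
            return
        # A preempting backup with strictly higher running priority takes over only
        # after its preemption delay has elapsed.
        if self._candidate != best.name:
            self._candidate, self._candidate_since = best.name, self.clock
        if self.clock - self._candidate_since >= best.delay:
            self.master, self._candidate = best.name, None

    def set_link(self, ifname: str, up: bool) -> Optional[str]:
        self.link_up[ifname] = up
        self._reevaluate()
        return self.master

    def set_alive(self, name: str, alive: bool) -> Optional[str]:
        self.routers[name].alive = alive
        self._reevaluate()
        return self.master

    def advance(self, seconds: int) -> Optional[str]:
        self.clock += seconds
        self._reevaluate()
        return self.master

    def status(self, name: str) -> Dict[str, object]:
        """Subset of the fields shown by display vrrp verbose for one router."""
        r = self.routers[name]
        return {"VRID": self.vrid, "Virtual IP": self.virtual_ip, "Config Pri": r.config_pri,
                "Run Pri": r.run_pri(self.link_up), "Preempt Mode": "YES" if r.preempt else "NO",
                "Delay Time": r.delay, "Track IF": r.track_if, "Pri Reduced": r.pri_reduced,
                "State": "Master" if self.master == name else "Backup"}


def tracking_scenario() -> List[Optional[str]]:
    """Replays the interface tracking example; returns the master after each event."""
    grp = StandbyGroup(1, "FE80::10", [
        Router("SwitchA", "fe80::1", 110, True, 5, "Vlan-interface3", 30),
        Router("SwitchB", "fe80::2", 100, True, 5),
    ])
    steps = [grp.master]                                   # initial election: A
    steps.append(grp.set_link("Vlan-interface3", False))   # A drops to 80; B waits 5 s
    steps.append(grp.advance(5))                           # delay elapsed: B takes over
    steps.append(grp.set_link("Vlan-interface3", True))    # A back at 110, must wait too
    steps.append(grp.advance(5))                           # A preempts
    steps.append(grp.set_alive("SwitchA", False))          # A fails: B master at once
    return steps
```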
# Create standby group 1 and set its virtual IP address to FE80::10.
[SysnameA-Vlan-interface2] vrrp ipv6 vrid 1 virtual-ip fe80::10 link-local
# Set the priority of Switch A in standby group 1 to 110.
[SysnameA-Vlan-interface2] vrrp ipv6 vrid 1 priority 110
# Create standby group 2 and set its virtual IP address to FE80::20.
VRID : 2
Admin Status : UP
Config Pri : 100
Preempt Mode : YES
Auth Type : NONE
Virtual IP : FE80::20
Master IP : FE80::2
Adver. Timer : 100
State : Backup
Run Pri : 100
Delay Time : 0
Adver. Timer : 100
State : Backup
Run Pri : 100
Delay Time : 0
Adver. Timer : 100
State : Master
Run Pri : 110
Delay Time : 0
# Display detailed information of the standby group on Switch B.
■ In the latter case, you have to resort to non-technical measures.
Symptom 2: Multiple masters are present in the same standby group.
Analysis:
■ If the presence of multiple masters lasts only a short period, this is normal and requires no manual intervention.
■ If it lasts long, ensure that these masters can receive VRRP packets and that the packets received are legitimate.
55 GR CONFIGURATION
When configuring Graceful Restart (GR), go to these sections for information you are interested in:
■ "Introduction to Graceful Restart" on page 793
■ "Configuring Graceful Restart" on page 797
■ "Displaying and Maintaining Graceful Restart" on page 799
■ "Graceful Restart Configuration Examples" on page 799
NOTE: Throughout this chapter, the term router refers to a router in a generic sense or to a Switch 8800 running routing protocols.
■ GR Time: The time taken for the GR Restarter and the GR Helper to establish a session between them. Upon detection of the down state of a neighbor, the GR Helper preserves the topology and routing information sent from the GR Restarter for the period specified by the GR Time.
Graceful Restart communication procedure
Configure a device as the GR Restarter in a network. This device and its GR Helper must support GR or be GR capable.
Figure 242 Restarting process for the GR Restarter (figure not reproduced; it shows Router A as GR Restarter with GR sessions to the GR Helpers Router B, Router C and Router D, all GR capable, when the administrator restarts the GR Restarter or the GR Restarter operates abnormally)
As illustrated in Figure 242, the GR Helper detects that the GR Restarter has restarted its routing protocol and assumes that it will recover within the GR Time.
Figure 244 The GR Restarter obtains topology and routing information from the GR Helper (figure not reproduced; it shows Router A, the GR Restarter, exchanging the signals that establish GR sessions with the GR Helpers Router B, Router C and Router D)
As illustrated in Figure 244, the GR Restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own routing table based on this information.
Before the restart, the GR Restarter originates a Grace-LSA to negotiate GR capability. During the restart, the GR Helper continues to advertise its adjacency with the GR Restarter. After the restart, the GR Restarter sends an OSPF GR signal to its neighbor so that the adjacency is not reset. In this way, the GR Restarter can restore its adjacency with its neighbor upon receiving the responses from the latter.
To do... Use the command... Remarks
Enter system view: system-view (-)
Enable OSPF and enter its view: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * (Required)
Enable opaque LSA capability: opaque-capability enable (Required. Disabled by default.)
Displaying and Maintaining Graceful Restart
To do... Use the command...
system-view
[SysnameB] acl number 2000
[SysnameB-acl-basic-2000] rule 10 permit source 192.1.1.1 0.0.0.0
[SysnameB-acl-basic-2000] quit
[SysnameB] interface vlan-interface 100
[SysnameB-Vlan-interface100] ip address 192.1.2.1 255.255.255.0
[SysnameB-Vlan-interface100] ospf dr-priority 0
[SysnameB-Vlan-interface100] quit
[SysnameB] router id 2.2.2.
56 ACL OVERVIEW
NOTE: Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.
ACLs are sets of rules (sets of permit or deny statements) that decide which packets can pass and which should be rejected, based on matching criteria such as source address, destination address, and port number. They apply to firewalls, QoS, and wherever traffic identification is needed.
■ Ethernet frame header ACL, based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type. Ethernet frame header ACLs are numbered 4000 through 4999.
■ User-defined ACL, based on customized information of protocol headers such as IP and MPLS. User-defined ACLs are numbered 5000 through 5999.
IPv4 ACL Naming
When creating an IPv4 ACL, you can specify a unique name for it.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared before the rule with the source IP address wildcard 0.0.255.255.
Depth-first match for an Ethernet frame header IPv4 ACL
The following shows how your device performs depth-first match in an Ethernet frame header ACL:
1 Sort rules by source MAC address mask first, and compare packets against the rule configured with more ones in the source MAC address mask before other rules.
■ Advanced IPv6 ACL, based on source IPv6 address, destination IPv6 address, protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields. Advanced IPv6 ACLs are numbered 3000 through 3999.
IPv6 ACL Naming
When creating an IPv6 ACL, you can specify a unique name for it. Afterwards, you can identify the IPv6 ACL by its name. An IPv6 ACL can have only one name. Whether to specify a name for an ACL is up to you.
57 IPV4 ACL CONFIGURATION
When configuring an IPv4 ACL, go to these sections for information you are interested in:
■ "Creating a Time Range" on page 805
■ "Configuring a Basic IPv4 ACL" on page 806
■ "Configuring an Advanced IPv4 ACL" on page 807
■ "Configuring an Ethernet Frame Header ACL" on page 809
■ "Configuring a User-Defined ACL" on page 810
■ "Displaying and Maintaining IPv4 ACLs" on page 811
■ "IPv4 ACL Configuration Examples" on page
Creating a Time Range
Configuration Procedure
December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
■ Compound time range, created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period.
CAUTION:
■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
■ When defining ACL rules, you need not always assign them IDs. The system can automatically assign rule IDs, starting with 0 and increasing in certain rule numbering steps.
Configuration Example
To do... Use the command... Remarks
Enter system view: system-view (-)
Create and enter advanced IPv4 ACL view: acl number acl-number [ match-order { auto | config } ] (Required. The default match order is config.)
Create or modify a rule: rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } (Required. To create multiple rules, repeat this step.)
# Create IPv4 ACL 3000, permitting TCP packets with port number 80 sent from 129.9.0.0 to 202.38.160.0 to pass.
system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Verify the configuration.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule, Acl's step is 5
rule 0 permit tcp source 129.9.0.0 0.0.255.
28, the next rule will be numbered 30. For detailed information about the step, refer to the step command in the Switch 8800 Command Reference Guide. You may use the display acl command to verify the rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in depth-first order rather than by rule number.
To do... Use the command... Remarks
Create or modify a rule: rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 | l5 } rule-string rule-mask offset }&<1-8> ] [ time-range time-name ] (Required. To create multiple rules, repeat this step.)
Create an ACL description: description text (Optional)
Create a rule description: rule rule-id comment text (Optional)
IPv4 ACL Configuration Examples
Network Requirements
A company interconnects its departments through the Device. The President's Office uses IP address 129.111.1.2; the salary server of the Finance Department uses IP address 129.110.1.2. Configure an ACL to deny access from all departments but the President's Office to the salary server during office hours from 8:00 to 18:00 on working days.
Network Diagram
(figure not reproduced; it shows the President's office, 129.111.
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range trname
[Sysname-acl-adv-3001] quit
3 Define and apply a QoS policy on interfaces
# Configure traffic classification rules and traffic behaviors.
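The matching behaviour described in the ACL overview and in this chapter (wildcard masks, the depth-first auto match order versus config order, the rule numbering step, rejection of duplicate statements, and the office-hours time range of the salary-server example), as an added Python model that is not 3Com code. It reuses the ACL 3000 rule shown above; the depth-first tie-break after the source wildcard (destination wildcard, then rule ID) and the STEP constant are assumptions.

```python
"""IPv4 ACL model: wildcard match, numbering step, duplicates, match order, time range.
Added example (not 3Com code)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Union


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (wildcard 0.0.0.0 is an exact host)."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(base)) & care == 0


def zero_bits(wildcard: str) -> int:
    """More zero bits in the wildcard = more specific rule = compared first in auto order."""
    return 32 - bin(ip_int(wildcard)).count("1")


@dataclass
class TimeRange:
    """Periodic range active between start and end (HH:MM) on working days only."""
    start: str
    end: str

    def active(self, when: datetime) -> bool:
        to_min = lambda hhmm: int(hhmm.split(":")[0]) * 60 + int(hhmm.split(":")[1])
        if when.weekday() >= 5:          # Saturday/Sunday are not working days
            return False
        return to_min(self.start) <= when.hour * 60 + when.minute <= to_min(self.end)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # "source any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # "destination any"
    dst_port: Optional[int] = None   # "destination-port eq N"
    time_range: Optional[TimeRange] = None

    def statement(self) -> Tuple:
        """Everything but the ID: two rules with equal statements are duplicates."""
        return (self.action, self.protocol, self.src, self.src_wc,
                self.dst, self.dst_wc, self.dst_port, self.time_range)

    def matches(self, proto: str, sip: str, dip: str, dport: Optional[int], when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return wildcard_match(sip, self.src, self.src_wc) and wildcard_match(dip, self.dst, self.dst_wc)


class Acl:
    STEP = 5  # assumed default, matching "Acl's step is 5" in the display acl output above

    def __init__(self, number: int, match_order: str = "config"):
        self.number, self.match_order = number, match_order
        self.rules: List[Rule] = []

    def next_rule_id(self) -> int:
        """Auto ID: the next multiple of STEP above the current highest ID (28 -> 30, none -> 0)."""
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.STEP + 1) * self.STEP

    def add_rule(self, action: str, protocol: str, rule_id: Optional[int] = None, **fields) -> Rule:
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif self.match_order == "auto" and any(r.rule_id == rule_id for r in self.rules):
            raise ValueError("rules cannot be modified while the match order is auto")
        new = Rule(rule_id, action, protocol, **fields)
        if any(r.statement() == new.statement() for r in self.rules if r.rule_id != rule_id):
            raise ValueError("a rule with the same permit/deny statement already exists")
        self.rules = [r for r in self.rules if r.rule_id != rule_id] + [new]
        return new

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: depth-first, the rule with more zeros in its source wildcard first;
        # destination wildcard and then rule ID as tie-breakers (assumed).
        return sorted(self.rules, key=lambda r: (-zero_bits(r.src_wc), -zero_bits(r.dst_wc), r.rule_id))

    def evaluate(self, proto: str, sip: str, dip: str, dport: Optional[int] = None,
                 when: Union[None, str, datetime] = None) -> Optional[str]:
        """Action of the first matching rule in match order; None when nothing matches."""
        if when is None:
            when = datetime.now()
        elif isinstance(when, str):
            when = datetime.fromisoformat(when)
        for rule in self.ordered():
            if rule.matches(proto, sip, dip, dport, when):
                return rule.action
        return None
```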
58 IPV6 ACL CONFIGURATION
When configuring IPv6 ACLs, go to these sections for information you are interested in:
■ "Creating a Time Range" on page 815
■ "Configuring a Basic IPv6 ACL" on page 815
■ "Configuring an Advanced IPv6 ACL" on page 816
■ "Displaying and Maintaining IPv6 ACLs" on page 818
■ "IPv6 ACL Configuration Examples" on page 818
Creating a Time Range
Refer to section "Creating a Time Range" on page 805.
Configuring a Basic IPv6 ACL
Basic IPv6 ACLs filter packets based on source
You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. When defining ACL rules, you need not assign them IDs. The system can automatically assign rule IDs, starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is greater than the current highest rule ID.
To do... Use the command... Remarks
Create and enter advanced IPv6 ACL view: acl ipv6 number acl6-number [ match-order { auto | config } ] (Required. The default match order is config.)
Create or modify a rule: rule [ rule-id ] { deny | permit } protocol [ destination { dest dest-prefix | dest/dest-prefix | (Required. To create multiple rules, repeat this step.)
[Sysname-acl6-adv-3000] display acl ipv6 3000
Advanced IPv6 ACL 3000, 1 rule, Acl's step is 5
rule 0 permit tcp source 2030:5060::9050/64 (5 times matched)
Displaying and Maintaining IPv6 ACLs
To do... Use the command...
[Sysname] traffic classifier c_deny
[Sysname-classifier-c_deny] if-match acl ipv6 2001
[Sysname-classifier-c_deny] quit
[Sysname] traffic behavior b_deny
[Sysname-behavior-b_deny] filter deny
[Sysname-behavior-b_deny] quit
# Configure and apply the QoS policy.
59 FLOW TEMPLATE CONFIGURATION
This chapter covers these topics:
■ "Configuring a Flow Template" on page 821
■ "Displaying and Maintaining Flow Templates" on page 824
■ "Flow Template Configuration Examples" on page 824
Configuring a Flow Template
Follow these steps to create a flow template and apply it to an interface:
To do... Use the command...
To do... Use the command... Remarks
Apply the flow template to the interface or port group: flow-template flow-template-name (Optional. The default flow template applies by default.)
CAUTION: When one of the following situations occurs, you cannot configure user-defined flow templates on interfaces:
■ B-type and C-type modules have IPv6 unicast and mix-insertion enabled on the virtual interfaces of VLANs.
Table 34 Description of the size of every field
Field / Byte number / Remarks
dipv6 / 10 / 10 bytes in a flow template; in fact, the field is 16 bytes long.
dmac / 6 / -
dscp / 1 / 1 byte, no matter whether these three fields are configured separately or together
ip-precedence / 1 / (same as dscp)
tos / 1 / (same as dscp)
ethernet-protocol / 6 / -
fragments / 0 or 2 / 0 bytes for B-type or C-type modules
Displaying and Maintaining Flow Templates
To do... Use the command... Remarks
Display the configuration information of a specified or all user-defined flow templates: display flow-template user-defined [ flow-template-name ] (Available in any view)
Display information about the flow templates referenced by interfaces: display flow-template interface [ interface-type
Interface: Ethernet3/2/1
user-defined flow template: extend
name:bbb, index:2, total reference counts:1
fields: 14 2 4 15 10 7
# Delete flow template aaa. As it is being referenced by interface Ethernet 1/0, remove it from the interface first.
60 QOS OVERVIEW
When configuring QoS, go to these sections for information you are interested in:
■ "Introduction" on page 827
■ "Traditional Packets Forwarding Application" on page 827
■ "New Requirements Caused by New Applications" on page 827
■ "Congestion: Causes, Impact, and Countermeasures" on page 828
■ "Traffic Management Technologies" on page 829
Introduction
Quality of Service (QoS) measures the service performance of service providers in terms of client satisfaction.
the enterprise users expect to connect their regional branches together to run operational applications through VPN technology, for instance to access the company database or to monitor their remote equipment via Telnet. These new applications have one thing in common: high requirements for bandwidth, delay, and jitter. For instance, videoconferencing and VOD need the assurance of wide bandwidth, low delay and low jitter.
■ Increased delay and jitter of packet transmission
■ Packet re-transmission caused by high delay
■ Decreased effective throughput of the network and lower utilization of network resources
■ Intensified congestion can occupy too many network resources (especially memory), and the irrational assignment of resources can even lead to resource blocking and breakdown of the system
It is obvious that congestion will make the traffic unable to obtain the resour
Among these traffic management technologies, traffic classification is the basis. It is a prerequisite for differentiated services: it identifies the packets of interest by certain matching rules. Traffic policing, traffic shaping, congestion management and congestion avoidance each manage network traffic and the allocated resources from a different aspect to realize the differentiated service.
61 TRAFFIC CLASSIFICATION AND TRAFFIC SHAPING CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ "Traffic Classification Overview" on page 831
■ "Traffic Shaping Overview" on page 832
■ "Traffic Evaluation and Token Bucket" on page 832
■ "Traffic Shaping Configuration" on page 835
Traffic Classification Overview
Traffic classification
Traffic classification is the prerequisite and foundation for differentiated s
Figure 247 DS field and ToS byte
As shown in Figure 247, the ToS byte of the IP header contains 8 bits: the first three bits (0 to 2) indicate IP precedence, valued in the range 0 to 7; the following 4 bits (3 to 6) indicate ToS priority, valued in the range 0 to 15.
Figure 248 Measuring the traffic with Token Bucket
Measuring the traffic with Token Bucket
Whether the token quantity in the Token Bucket can satisfy packet forwarding is the basis on which the Token Bucket measures the traffic specification. If enough tokens are available for forwarding the packets, the traffic is regarded as conforming to the specification (generally, one token corresponds to the forwarding of one bit); otherwise it is non-conforming or excess.
It uses two token buckets: the token-filling rate of each bucket is set to CIR and PIR respectively, and the capacity of each bucket to CBS and EBS respectively (CBS < EBS; the buckets are called the C bucket and the E bucket), which represent the different burst classes permitted.
Figure 249 TS diagram
For example, Switch A sends packets to Switch B. Switch B implements TP on those packets and directly drops the exceeding traffic. To reduce unnecessary packet drops, GTS can be applied to the packets on the egress interface of Switch A. The packets beyond the traffic specification of GTS are stored in Switch A. When sending the next set of packets, GTS takes those packets out of the buffer queues and sends them.
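The two-bucket evaluation and the GTS buffering described above, as an added Python model that is not 3Com code: tokens are bits, the C bucket fills at CIR up to CBS and the E bucket at PIR up to EBS, and a shaper holds out-of-profile packets until enough tokens have accumulated instead of dropping them. The conform/excess/non-conform marking rules follow the common two-rate scheme and, like the constructed rates in the demo, are assumptions beyond the text.

```python
"""Token-bucket traffic evaluation (C bucket CIR/CBS, E bucket PIR/EBS) and a
GTS-style shaper. Added example, not 3Com code."""
from typing import List, Tuple


class TwoBucketMeter:
    """One token represents one bit. Tokens arrive at CIR (C bucket) and PIR
    (E bucket) bits per second, capped at the capacities CBS and EBS."""

    def __init__(self, cir: int, cbs: int, pir: int, ebs: int):
        if not (cir <= pir and cbs < ebs):
            raise ValueError("expected CIR <= PIR and CBS < EBS")
        self.cir, self.cbs, self.pir, self.ebs = cir, cbs, pir, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0                               # time of the last refill

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.te = min(self.ebs, self.te + self.pir * dt)

    def evaluate(self, now: float, size_bytes: int) -> str:
        """'conform' if the C bucket covers the packet, 'excess' if only the E bucket
        does, 'non-conform' (what TP drops) if neither does. Assumed marking rules."""
        self._refill(now)
        bits = size_bytes * 8
        if bits > self.te:
            return "non-conform"
        if bits > self.tc:
            self.te -= bits
            return "excess"
        self.tc -= bits
        self.te -= bits
        return "conform"


class Shaper:
    """GTS: a packet beyond the profile (rate CIR, depth CBS) is buffered and sent
    as soon as the bucket has accumulated the tokens it needs, in FIFO order."""

    def __init__(self, cir: int, cbs: int):
        self.cir, self.cbs = cir, cbs
        self.tokens = float(cbs)
        self.last = 0.0   # time up to which token arrivals are already accounted for

    def send(self, now: float, size_bytes: int) -> float:
        """Return the time at which the packet actually leaves the interface."""
        bits = size_bytes * 8
        t = max(now, self.last)   # never before the previously queued packet
        self.tokens = min(self.cbs, self.tokens + self.cir * (t - self.last))
        if self.tokens >= bits:
            self.tokens -= bits
            self.last = t
            return t
        wait = (bits - self.tokens) / self.cir   # time for the missing tokens to arrive
        self.tokens = 0.0
        self.last = t + wait
        return self.last


def burst_demo() -> Tuple[List[str], List[float]]:
    """Constructed burst: three 1000-byte packets at t=0 through a meter with
    CIR 1 kbit/s, CBS 8 kbit, PIR 2 kbit/s, EBS 16 kbit, and through a shaper
    with the same CIR/CBS. The meter marks conform/excess/non-conform; the
    shaper sends the same burst at 0 s, 8 s and 16 s instead of dropping."""
    meter = TwoBucketMeter(cir=1000, cbs=8000, pir=2000, ebs=16000)
    shaper = Shaper(cir=1000, cbs=8000)
    colours = [meter.evaluate(0.0, 1000) for _ in range(3)]
    departures = [shaper.send(0.0, 1000) for _ in range(3)]
    return colours, departures
```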
To do... Use the command...
Enter Ethernet interface view or port group view
NOTE:
Enter Ethernet interface view
# Enter Ethernet interface view.
[Sysname] interface ethernet1/1/1
# Configure traffic shaping parameters.
62 QOS POLICY CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ "QoS Policy Overview" on page 839
■ "QoS Policy Configuration Procedure" on page 840
■ "Configuring QoS Policy" on page 840
■ "Displaying and Maintaining QoS Policy" on page 846
QoS Policy Overview
A QoS policy includes three elements: class, traffic behavior, and policy.
QoS Policy Configuration Procedure
Follow these steps to configure a QoS policy:
1 Define the class and define a group of traffic classification rules in class view.
2 Define the traffic behavior and define a group of QoS actions in traffic behavior view.
3 Define the policy, and define the corresponding traffic behavior for the class in use in policy view.
4 Apply the QoS policy.
# Define a class and enter class view.
[Sysname] traffic classifier test
# Configure the classification rule.
[Sysname-classifier-test] if-match destination-mac 0050-ba27-bed3
[Sysname-classifier-test]
NOTE: With the operator keyword set to and, the if-match statements or the parameters in an if-match statement cannot conflict with each other.
Defining a Traffic Behavior
To do... Use the command... Remarks
Configure the traffic statistics action: accounting (Required)
Configure the traffic policing action: car cir committed-information-rate (Configure the corresponding traffic behaviors as needed.)
with the traffic statistics action, and the action of redirecting traffic to the CPU cannot be used in conjunction with any other traffic actions.
■ The tunnel redirecting policy can be configured only in port view on D-type modules.
■ Only D-type modules support the action of creating an outer VLAN tag and the action of marking the service provider network VLAN ID.
■ B-type modules cannot mark one CoS value separately.
system-view
# Define a traffic behavior and enter traffic behavior view.
[Sysname] traffic behavior test
# Configure the traffic behavior.
[Sysname-behavior-test] car cir 100
Defining a Policy
A policy defines the mapping relationship between a class and a traffic behavior (configured with multiple QoS actions).
To do... Use the command...
[Sysname] qos policy test
[Sysname-qospolicy-test]
# Specify the traffic behavior for the class.
[Sysname-qospolicy-test] classifier test_class behavior test_behavior
[Sysname-qospolicy-test] quit
# Enter Ethernet interface view.
[Sysname] interface ethernet 1/1/1
# Apply the policy to the port.
[Sysname-Ethernet1/1/1] qos apply policy test inbound
Displaying and Maintaining QoS Policy
Follow these steps to display and maintain QoS policy:
To do...
63 HARDWARE-BASED CONGESTION MANAGEMENT CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ "Congestion Management Overview" on page 847
■ "Configuring SP Queues" on page 848
■ "Configuring Group-based WRR Queues" on page 849
Congestion Management Overview
On a network device, congestion occurs on an interface when the arrival rate of packets is higher than the sending rate.
WRR Queuing
NOTE: Weighted round robin (WRR) queues include:
■ Basic WRR queues: a basic WRR queue contains multiple queues. You can configure a weight, percentage or byte count for each queue, and WRR schedules these queues based on the user-defined parameters.
■ Group-based WRR queues: all the queues in a group-based WRR queue are scheduled in a mix of the WRR queue scheduling algorithm and the SP queue scheduling algorithm.
Configuring Group-based WRR Queues
With a queue on a port configured as a group-based WRR queue, the queue scheduling algorithm on the current port is a mix of the WRR queue scheduling algorithm and the SP queue scheduling algorithm. The queues that are not configured as group-based WRR queues are allocated to the SP queue group.
64 PRIORITY MAPPING
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ "Priority Mapping Overview" on page 851
■ "Configuring a Priority Mapping Table" on page 852
■ "Configuring Port Priority" on page 854
■ "Configuring to Trust Packet Priority" on page 856
Priority Mapping Overview
When packets enter the switch, the switch allocates a series of parameters including 802.
Switch 8800s provide multiple priority mapping tables. All the priority mapping tables and their default values are as follows:
■ dot1p-lp: 802.1p-precedence-to-local-precedence mapping table.
■ dot1p-dp: 802.1p-precedence-to-drop-precedence mapping table.
■ dscp-lp: DSCP-to-local-precedence mapping table.
■ dscp-dp: DSCP-to-drop-precedence mapping table.
■ dscp-dot1p: DSCP-to-802.1p-precedence mapping table.
Configuring a Priority Mapping Table
Configuration Prerequisites
New priority mapping relationship is determined.
Configuration Procedure
Follow these steps to configure a priority mapping table:
To do... Use the command... Remarks
Enter system view: system-view (-)
Enter mapping table view: qos map-table { dot1p-lp | dot1p-dp | dscp-lp | dscp-dp | dscp-dot1p | dscp-dscp | exp-rpr | (Required. Enter the corresponding priority mapping table view as required.)
Configuration Examples
Configuration procedure
# Enter system view.
system-view
# Enter 802.1p-precedence-to-local-precedence mapping table view.
[Sysname] qos map-table dot1p-lp
# Modify the 802.1p-precedence-to-local-precedence mapping table parameters.
To do... Use the command...
# Configure port priority for Ethernet 1/1/1.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] qos priority 1
[Sysname-Ethernet1/1/1] quit
# Configure port priority for Ethernet 1/1/2.
[Sysname] interface ethernet 1/1/2
[Sysname-Ethernet1/1/2] qos priority 3
[Sysname-Ethernet1/1/2] quit
# Configure port priority for Ethernet 1/1/3.
Configuration Examples
Network requirement
■ All departments in the enterprise network are interconnected through Switch. The network creates different VLANs for different departments.
■ It is required that Switch assign local precedence values to packets through priority mapping on the incoming port.
■ The default priority mapping tables of Switch are adopted in priority mapping.
# Configure to trust 802.1p precedence on Ethernet 1/1/3.
[Sysname] interface ethernet 1/1/3
[Sysname-Ethernet1/1/3] qos trust dot1p
[Sysname-Ethernet1/1/3] quit
# Configure to trust 802.1p precedence on Ethernet 1/1/4.
CHAPTER 65: CONGESTION AVOIDANCE
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ “Congestion Avoidance Overview” on page 859
■ “Configuring WRED” on page 861
■ “Displaying and Maintaining WRED” on page 862
■ “WRED Configuration Examples” on page 862
Congestion Avoidance Overview
Excessive congestion can endanger network resources greatly, so some congestion avoidance measures must be taken.
■ When the queue length exceeds the maximum threshold, all the incoming packets are dropped.
■ When the queue length is between the minimum threshold and the maximum threshold, the packets are dropped randomly. The longer the queue is, the higher the drop probability is, but a maximum drop probability exists.
Unlike RED, WRED generates its random numbers based on priority.
Through associating WRED with WFQ, flow-based WRED can be realized. Because each flow has its own queue after packet classification, a flow with little traffic always has a short queue, so its packet drop probability is low. A flow with heavy traffic has a longer queue, so more of its packets are dropped. In this way, the interests of flows with little traffic are protected.
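As an added illustration, not code from the 3Com guide, the following Python models the WRED drop decision described above and the flow-based behaviour obtained with WFQ: per-drop-precedence thresholds, a drop probability that rises linearly between the two thresholds up to a configured maximum, and a tail drop once the maximum threshold is reached. The profile values, the two flows and the equal-weight service model are constructed for the example.

```python
"""WRED drop decision and flow-based WRED simulation (added example, constructed values)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    """WRED parameters for one drop precedence (constructed values)."""
    min_threshold: int           # below this queue length, nothing is dropped
    max_threshold: int           # at or above this, every arriving packet is dropped
    max_drop_probability: float  # drop probability approached just below max_threshold


def drop_probability(queue_length: int, profile: WredProfile) -> float:
    """Probability of dropping a packet that arrives when the queue holds queue_length packets."""
    if queue_length < profile.min_threshold:
        return 0.0
    if queue_length >= profile.max_threshold:
        return 1.0  # tail drop: all incoming packets are dropped
    # Linear rise between the thresholds, capped by the configured maximum.
    span = profile.max_threshold - profile.min_threshold
    return profile.max_drop_probability * (queue_length - profile.min_threshold) / span


def wred_accepts(queue_length: int, profile: WredProfile, rng: random.Random) -> bool:
    """Random drop decision: the packet survives when the draw is not below the drop probability."""
    return rng.random() >= drop_probability(queue_length, profile)


# One profile per drop precedence: a higher drop precedence is dropped earlier and
# more aggressively, which is what "random numbers based on priority" amounts to.
PROFILES = {
    0: WredProfile(min_threshold=20, max_threshold=40, max_drop_probability=0.1),
    1: WredProfile(min_threshold=10, max_threshold=30, max_drop_probability=0.2),
    2: WredProfile(min_threshold=5, max_threshold=20, max_drop_probability=0.5),
}


def simulate(arrivals_per_tick: dict, drop_precedence: dict, ticks: int,
             service_per_queue: int = 1, seed: int = 1) -> dict:
    """Flow-based WRED on top of WFQ: each flow owns a queue that is drained by
    service_per_queue packets per tick (equal weights). Returns dropped packets per flow."""
    rng = random.Random(seed)
    queues = {flow: 0 for flow in arrivals_per_tick}
    dropped = {flow: 0 for flow in arrivals_per_tick}
    for _ in range(ticks):
        for flow, count in arrivals_per_tick.items():
            profile = PROFILES[drop_precedence[flow]]
            for _ in range(count):
                if wred_accepts(queues[flow], profile, rng):
                    queues[flow] += 1
                else:
                    dropped[flow] += 1
        for flow in queues:
            queues[flow] = max(0, queues[flow] - service_per_queue)
    return dropped


if __name__ == "__main__":
    # Constructed traffic: a heavy flow and a light flow with the same drop precedence.
    print(simulate({"heavy": 3, "light": 1}, {"heavy": 1, "light": 1}, ticks=100))
```

In this run the light flow's queue never reaches its minimum threshold, so it loses nothing while the heavy flow is throttled, which is the protection the text describes.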
Configuring WRED
To do... | Use the command...
Enter Ethernet interface view or port group view
CHAPTER 66: AGGREGATION CAR CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ “Aggregation CAR Overview” on page 863
■ “Referencing Aggregation CAR in Traffic Behaviors” on page 863
Aggregation CAR Overview
Aggregation CAR means using the same CAR for the traffic of multiple traffic behaviors.
Operation | Command | Description
Display information about the configured user-defined traffic behavior | display traffic behavior [ behavior-name ] | Optional. Available in any view
Display the CAR configuration information and statistics about the specified aggregation CAR | display qos car name [ car-name ] | Optional. Available in any view
■ For the description of the default value of CBS, refer to the Switch 8800 Command Reference Guide.
Configuration Examples
CHAPTER 67: VLAN POLICY CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ “VLAN Policy Overview” on page 865
■ “Applying VLAN Policy” on page 866
■ “Displaying and Maintaining VLAN Policy” on page 866
■ “VLAN Policy Configuration Examples” on page 866
VLAN Policy Overview
QoS policies can be applied in one of the following two modes:
■ Interface-based application: a QoS policy is applied to the incoming packets or out
Applying VLAN Policy
Configuration prerequisites
■ The VLAN policy to be applied is defined. Refer to “Configuring QoS Policy” on page 840 for details.
■ The VLANs where the VLAN policy is to be applied are specified.
CHAPTER 68: TRAFFIC MIRRORING CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ “Traffic Mirroring Overview” on page 867
■ “Configuring Traffic Mirroring” on page 867
■ “Displaying and Maintaining Traffic Mirroring” on page 868
■ “Traffic Mirroring Configuration Examples” on page 868
Traffic Mirroring Overview
Traffic mirroring means to copy packets matching specific traffic classification rules to the specified destin
After configuring the action of mirroring traffic to a port in traffic behavior view, configure a policy in policy view to associate the traffic behavior with a traffic class, and then apply the policy to an interface.
Mirroring Traffic to the CPU
Follow these steps to mirror traffic to the CPU:
To do... | Use the command...
Displaying and Maintaining Traffic Mirroring
Traffic Mirroring Configuration Examples
Network diagram
Figure 255 Network diagram for mirroring traffic to a port (figure: Service A, a PC and a Server attached to the switch on ports Ethernet1/1/1, Ethernet1/1/2 and Ethernet1/1)
Configuration procedure
Configure Service A:
# Enter system view.
system-view
# Configure ACL 2000 to permit all packets with the source address 1.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 1.1.1.
CHAPTER 69: OUTBOUND TRAFFIC STATISTICS CONFIGURATION
When configuring traffic classification and traffic shaping, go to these sections for information you are interested in:
■ “Outbound Traffic Statistics Overview” on page 871
■ “Configuring Outbound Traffic Statistics” on page 871
■ “Displaying and Maintaining Outbound Traffic Statistics” on page 871
Outbound Traffic Statistics Overview
A Switch 8800 provides two counters for each module to collect statistics on the outbound traffic.
CHAPTER 70: AAA, RADIUS AND HWTACACS CONFIGURATION
When configuring AAA, RADIUS and HWTACACS, go to these sections for information you are interested in:
■ “AAA, RADIUS and HWTACACS Configuration Overview” on page 879
■ “Configuration Task List” on page 888
■ “Configuring AAA” on page 889
■ “Configuring RADIUS” on page 897
■ “Configuring HWTACACS” on page 904
■ “Displaying and Maintaining AAA, RADIUS and HWTACACS” on page 907
■ “AA
AAA, RADIUS and HWTACACS Configuration Overview
Introduction to AAA
speed and low cost, but the amount of information that can be stored is limited by the hardware.
■ Remote authentication: Both RADIUS and HWTACACS protocols are supported. In this approach, the device acts as the client to communicate with the RADIUS or HWTACACS server. With respect to RADIUS, you can use the standard RADIUS protocol or extended RADIUS protocol to complete authentication in collaboration with systems like CAMS.
Introduction to RADIUS
As described previously, AAA is a management framework and can be implemented through multiple protocols. However, RADIUS is usually used in practice.
What is RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed information interaction protocol in the client/server model.
Basic message exchange process of RADIUS
In most cases, the user authentication process of a RADIUS server involves a device that can provide the proxy function, such as the NAS. Information exchanged between the RADIUS client and the RADIUS server is authenticated through a shared key for security. The RADIUS protocol combines the authentication and authorization processes by sending authorization information in the authentication response message.
9 The subscriber stops accessing network resources.
RADIUS packet structure
RADIUS resides at the application layer of the TCP/IP protocol suite. It defines the way to exchange user information between the device and the ISP RADIUS server. RADIUS uses UDP to transmit messages.
Table 36 Main values of the Code field
Code | Packet type | Description
5 | Accounting-Response | From the server to the client. The server sends the client a packet of this type to notify it that it has received the Accounting-Request and has correctly recorded the accounting information.
2 The Identifier field (1 byte long) is for matching request packets and response packets.
Table 37 RADIUS attributes
Type | Attribute type
18 | Reply-Message
19 | Callback-Number
20 | Callback-ID
21 | (unassigned)
22 | Framed-Route
40-59 | (reserved for accounting)
60 | CHAP-Challenge
61 | NAS-Port-Type
62 | Port-Limit
63 | Login-LAT-Port
The RADIUS protocol features excellent extensibility.
Table 38 Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS
Suitable for security control | Suitable for accounting
Supports authorized use of configuration commands | Does not support authorized use of configuration commands
In a typical HWTACACS application, a terminal user needs to log onto the device for operations. Working as the HWTACACS client, the device sends the username and password to the HWTACACS server for authentication.
Figure 261 Basic message exchange process of HWTACACS for a Telnet user (figure, truncated in extraction: the user logs in; the HWTACACS client sends a start-authentication packet; the server returns an authentication response requesting the username; the client requests the username from the user and sends an authentication continuance packet with the username; the server returns an authentication response requesting the login password; the client requests the password from the user and sends an authentication continuance packet with the login
8 The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
9 Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the router or switch to the user.
10 The HWTACACS client sends a start-accounting request to the HWTACACS server.
11 The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
Task | Remarks
“Setting the Maximum Number of RADIUS Request Retransmission Attempts” on page 900 | Optional
“Setting the Supported RADIUS Server Type” on page 900 | Optional
“Setting the Status of RADIUS Servers” on page 901 | Optional
“Configuring Attributes Related to the Data Sent to the RADIUS Server” on page 902 | Optional
“Configuring Local RADIUS Server” on page 903 | Optional
“Setting Timers Regarding RADIUS Servers” on page 903 | Optional
HWTACACS configuration task list
Task | Re
Configuring AAA
Follow these steps to create an ISP domain:
To do... | Use the command...
do not perform any authentication configuration, the system-default ISP domain uses the local authentication scheme.
Before configuring an authentication scheme, complete these three tasks:
■ For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication modes do not require any scheme.
■ Determine the access mode or service type to be configured.
HWTACACS server is available, local authentication is not used. Otherwise, local authentication is used.
■ If the primary authentication scheme is local or none, the system performs local authentication or does not perform any authentication, rather than using the RADIUS or HWTACACS scheme.
Configuring an AAA Authorization Scheme for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and accounting.
Configuring an AAA Accounting Scheme for an ISP Domain
Follow these steps to configure an AAA accounting scheme for an ISP domain:
To do... | Use the command...
■ With the access mode of login, accounting is not supported for FTP services.
Configuring Local User Attributes
For local authentication, you must create a local user and configure the attributes. A local user represents a set of users configured on a device, which are uniquely identified by the username. For a user requesting network service to pass local authentication, you must add an entry as required in the local user database of the device.
To do... | Use the command... | Remarks
Specify the service types for the user | service-type { lan-access | { ssh | telnet | terminal }* [ level level ] } | Required. No service is authorized to a user by default
Authorize the user to use the FTP service | service-type ftp | Optional. By default, no service is authorized to a user and anonymous access to the FTP service is not allowed.
■ Local authentication checks the service types of a local user. If the service types are not available, the user cannot pass authentication. During authorization, a user with no service type configured is authorized with no service by default.
Tearing down User Connections Forcibly
Configuring RADIUS
include IP addresses of primary and secondary servers, shared key, and RADIUS server type. Actually, the RADIUS protocol configurations only set the parameters necessary for the information interaction between a NAS and a RADIUS server. For these settings to take effect, you must reference the RADIUS scheme containing those settings in ISP domain view. For information about the commands for referencing a scheme, refer to “Configuring AAA” on page 889.
Configuring the RADIUS Accounting Servers and Relevant Parameters
Follow these steps to specify the RADIUS accounting servers and perform related configurations:
To do... | Use the command...
Setting the Shared Key for RADIUS Packets
The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets exchanged between them and a shared key to verify the packets. Only when the same key is used can they properly receive the packets and make responses.
Follow these steps to set the shared key for RADIUS packets:
To do... | Use the command...
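An added illustration, not the guide's own code, of what the shared key does on the wire and of the Identifier matching described under Table 36: the following Python applies the RFC 2865 rules for hiding the User-Password attribute with MD5 and the shared key, for computing the Response Authenticator the server must return, and for the client-side check that rejects replies sent under a different key or with a mismatched Identifier. The shared key "expert" from this chapter's configuration example is reused as a constructed value; usernames and passwords are constructed.

```python
"""RADIUS packet authenticators and User-Password hiding (added example, RFC 2865 rules)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1), Length(1) incl. header, Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def _xor_chain(data: bytes, secret: bytes, request_authenticator: bytes, decrypt: bool) -> bytes:
    """User-Password transform: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first 'previous block' is the Request Authenticator."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # chain on the ciphertext block
    return bytes(out)


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side: pad the password with NULs to a multiple of 16 bytes and hide it."""
    blocks = max(1, (len(password) + 15) // 16)
    return _xor_chain(password.ljust(blocks * 16, b"\x00"), secret, request_authenticator, False)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: recover the password (padding stripped)."""
    return _xor_chain(hidden, secret, request_authenticator, True).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes):
    """Build an Access-Request with a fresh random Request Authenticator; returns (packet, authenticator)."""
    request_authenticator = os.urandom(16)
    body = encode_attributes([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + request_authenticator + body, request_authenticator


def response_authenticator(code: int, identifier: int, body: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the value the server must send."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_response(code: int, identifier: int, attrs, request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: build an Access-Accept/Reject whose authenticator is bound to the request."""
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, body, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + auth + body


def verify_response(packet: bytes, request_authenticator: bytes,
                    expected_identifier: int, secret: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches the outstanding request and
    its Response Authenticator verifies under the shared key. A reply produced or modified
    by a party without the key, or keyed to a different request, fails this check."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_identifier:
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])
```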
To do... | Use the command... | Remarks
Create a RADIUS scheme and enter RADIUS scheme view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has been created in the system.
Specify the RADIUS server type supported by the device | server-type { extended | standard } | Optional. By default, the supported RADIUS server type is standard. In the default system scheme, the default RADIUS server type is extended.
Setting the Status of RADIUS Servers
■ For the default scheme named "system", the username contains no domain name.
■ The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command.
Configuring Local RADIUS Server
To do... | Use the command... | Remarks
Set the quiet timer for the primary server | timer quiet minutes | Optional. 5 minutes by default
Set the real-time accounting interval | timer realtime-accounting minutes | Optional. 12 minutes by default
■ The product of the maximum number of retransmission attempts of RADIUS packets and the RADIUS server response timeout period cannot be greater than 75.
■ You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
Specifying the HWTACACS Authorization Servers
Follow these steps to specify the HWTACACS authorization servers:
To do... | Use the command...
■ The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
■ You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
■ Currently, neither RADIUS nor HWTACACS supports keeping accounts on FTP users.
Setting the Shared Key for HWTACACS Packets
CAUTION:
■ If an HWTACACS server does not support a username with the domain name, you can configure the device to remove the domain name before sending the username to the server.
■ The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes.
Setting Timers Regarding HWTACACS Servers
Displaying and Maintaining AAA, RADIUS and HWTACACS
Displaying and Maintaining RADIUS
To do... | Use the command...
Displaying and Maintaining HWTACACS
To do... | Use the command...
AAA, RADIUS and HWTACACS Configuration Examples
configure the username sent to the RADIUS server to contain domain name information.
■ On the RADIUS server, configure the shared key used to exchange packets with the switch as "expert", set the port numbers for authentication and accounting, and add a Telnet username and login password (the format of the username is "userid@isp-name").
# Apply the AAA schemes to the domain. Here all three schemes (authentication, authorization, and accounting) are configured.
system-view
[Sysname] domain 1
[Sysname-isp-1] authentication login radius-scheme rad
[Sysname-isp-1] authorization login radius-scheme rad
[Sysname-isp-1] accounting login radius-scheme rad
[Sysname-isp-1] quit
# You can achieve the same purpose by setting default AAA schemes for all types of users.
system-view
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbccddeeff
[Sysname-luser-telnet] quit
# Configure the AAA schemes for the ISP domain as local authentication, authorization, and accounting.
[Sysname-luser-telnet] password simple aabbccddeeff
[Sysname-luser-telnet] quit
# Configure the RADIUS scheme.
[Sysname] radius scheme rad
[Sysname-radius-rad] primary authentication 127.0.0.1 1645
[Sysname-radius-rad] primary accounting 127.0.0.1 1646
[Sysname-radius-rad] key authentication aabbcc
[Sysname-radius-rad] key accounting aabbcc
[Sysname-radius-rad] server-type extended
# Configure the AAA scheme for the domain.
system-view
[Sysname] telnet server enable
# Configure AAA for Telnet users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
# Configure the HWTACACS scheme.
system-view
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Sysname-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Sysname-hwtacacs-hwtac] primary accounting 10.1.1.
Troubleshooting AAA, RADIUS, and HWTACACS
Symptom 2: RADIUS packets cannot reach the RADIUS server.
Analysis:
■ The device fails to communicate with the RADIUS server (at the physical layer or link layer).
■ No IP address is assigned to the RADIUS server on the device.
■ The UDP ports for authentication/authorization and accounting are not configured correctly.
Symptom 3: A user is authenticated and authorized, but accounting for the user is not normal.
CHAPTER 71: 802.1X CONFIGURATION
When configuring 802.1x, go to these sections for information you are interested in:
■ “802.1x Overview” on page 917
■ “Configuring 802.1x” on page 926
■ “Configuring a Guest VLAN” on page 928
■ “Displaying and Maintaining 802.1x” on page 929
■ “802.1x Configuration Example” on page 929
■ “Guest VLAN Configuration Example” on page 932
802.1x Overview
The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security problems on wireless LANs (WLANs).
Figure 265 Architecture of 802.1x (figure: supplicant system with its supplicant PAE; authenticator system with its authenticator PAE, the port in the unauthorized state, and the services offered by the authenticator's system; authentication server system; EAP protocol exchanges carried in a higher layer protocol between the authenticator and the authentication server over the LAN/WLAN)
■ Supplicant system: A system at one end of the LAN segment, which is authenticated by the system at the other end.
Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant or just the traffic from the supplicant.
Currently, the Switch 8800 supports only denying the traffic from the supplicant.
Operation of 802.1x
The 802.1x authentication system employs the extensible authentication protocol (EAP) to support authentication information exchange between the supplicant PAE, authenticator PAE, and authentication server.
Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
Type: Type of the packet. The following types are defined:
■ EAP-Packet (a value of 0x00), frame for carrying authentication information.
■ EAPOL-Start (a value of 0x01), frame for initiating authentication.
■ EAPOL-Logoff (a value of 0x02), frame for logoff request.
■ EAPOL-Key (a value of 0x03), frame for carrying key information.
Figure 269 Format of the Data field in an EAP request/response packet (figure: a Type octet followed by Type data)
Type: EAP authentication type. A value of 1 represents Identity, indicating that the packet is for querying the identity of the supplicant. A value of 4 represents MD5 Challenge, which corresponds closely to the PPP CHAP protocol.
EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator.
EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in a higher layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server. Generally, EAP relay requires that the RADIUS server support the EAP attributes EAP-Message and Message-Authenticator. See Figure 272 for the message exchange procedure.
5 When receiving the RADIUS Access-Request packet, the authentication server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.
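The EAPOL frame types, the EAP Type field and the MD5-Challenge step described above, as an added Python illustration that is not part of the guide: it parses the EAPOL header (protocol version, type, length) and the EAP packet inside it, builds the MD5-Challenge request and response, and shows how the authentication server checks an EAP-Response/MD5-Challenge against the challenge it issued. The MD5 computation follows the CHAP rule the text refers to (MD5 over Identifier, secret and challenge); the identities, secrets and challenge bytes are constructed.

```python
"""EAPOL/EAP parsing and EAP-MD5 Challenge verification (added example, constructed data)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0x00, 0x01, 0x02, 0x03
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
MD5_LEN = 16


@dataclass(frozen=True)
class Eapol:
    version: int
    packet_type: int
    body: bytes


@dataclass(frozen=True)
class Eap:
    code: int
    identifier: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Data field
    data: bytes              # the "Type data" that follows the Type octet


def parse_eapol(frame: bytes) -> Eapol:
    """EAPOL header: Protocol version(1), Type(1), Length(2), then Length bytes of body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame too short")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if packet_type > EAPOL_KEY:
        raise ValueError(f"unknown EAPOL type 0x{packet_type:02x}")
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    return Eapol(version, packet_type, frame[4:4 + length])


def parse_eap(packet: bytes) -> Eap:
    """EAP packet: Code(1), Identifier(1), Length(2), Data; Data starts with the Type octet."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return Eap(code, identifier, None, b"")
    if length < 5:
        raise ValueError("EAP request/response without Type")
    return Eap(code, identifier, packet[4], packet[5:length])


def build_eapol(packet_type: int, body: bytes = b"", version: int = 1) -> bytes:
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 5 + len(data)) + bytes([eap_type]) + data


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_challenge_request(identifier: int, challenge: bytes) -> bytes:
    """Authenticator -> supplicant: Type 4 data is Value-Size(1) followed by the challenge."""
    data = bytes([len(challenge)]) + challenge
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE, data)


def build_md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant -> authenticator: Value-Size(1) = 16 followed by the MD5 value."""
    value = md5_challenge_value(identifier, secret, challenge)
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE, bytes([MD5_LEN]) + value)


def verify_md5_challenge(response: bytes, expected_identifier: int,
                         secret: bytes, challenge: bytes) -> bool:
    """Server side: the response must answer this Identifier and this challenge. A value
    captured from an earlier exchange fails because the challenge is random per request."""
    try:
        eap = parse_eap(response)
    except ValueError:
        return False
    if eap.code != EAP_RESPONSE or eap.identifier != expected_identifier:
        return False
    if eap.eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    if len(eap.data) < 1 + MD5_LEN or eap.data[0] != MD5_LEN:
        return False
    expected = md5_challenge_value(expected_identifier, secret, challenge)
    return hmac.compare_digest(expected, eap.data[1:1 + MD5_LEN])
```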
■ Supplicant timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.
■ Server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer.
Implementation of 802.1x in the Devices
■ If the port link type is Access, the authentication server will assign a VLAN successfully.
■ If the port link type is Hybrid or Trunk, the authentication server will fail to assign a VLAN.
Guest VLAN
Guest VLAN is the default VLAN that a supplicant can access without authentication. After the supplicant passes 802.1x authentication, s/he can access other network resources.
Configuring 802.1x
To do... | Use the command... | Remarks
Enable 802.1x globally | dot1x | Required. Disabled by default
Enable 802.
■ 802.1x must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.
■ Generally, it is unnecessary to change 802.1x timers except in some special or extreme network environments.
■ The 802.1x proxy detection function must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.
■ The 802.
■ A super VLAN cannot be set as the guest VLAN. Similarly, a guest VLAN cannot be set as the super VLAN. For information about super VLAN, refer to “Super VLAN Configuration” on page 167.
■ The guest VLAN function does not apply to non-access ports.
■ Configurations in system view are effective for all ports, while configurations in interface view are effective for the current port only.
Displaying and Maintaining 802.1x
To do...
802.1x Configuration Example
Network diagram
Figure 274 Network diagram for 802.1x configuration (figure: supplicant connected to port Ethernet 3/1/1 of the authenticator switch; authentication servers at IP addresses 10.11.1.1 and 10.11.1.2; the switch connects to the Internet)
Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands for the authenticator, while the configuration on the supplicant and the RADIUS server is omitted.
[Sysname-radius-radius1] key accounting money
# Set the interval for the switch to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
[Sysname-radius-radius1] timer response-timeout 5
[Sysname-radius-radius1] retry 5
# Set the interval for the switch to send real-time accounting packets to the RADIUS server.
Guest VLAN Configuration Example
Network requirements
As shown in Figure 275:
■ A host is connected to port Ethernet 1/1/3 of the switch and must pass 802.1x authentication to access the Internet.
■ The authentication server runs RADIUS and is in VLAN 2.
■ The update server, which is in VLAN 10, is for client software download and upgrade.
■ Port Ethernet 1/1/8 of the switch, which is in VLAN 5, is for accessing the Internet.
Figure 276 Network diagram with VLAN 10 as the guest VLAN (figure: update server in VLAN 10 on Eth1/1/5, authentication server in VLAN 2, supplicant on Eth1/1/3 with guest VLAN 10, Internet reached through Eth1/1/8 in VLAN 5)
Figure 277 Network diagram when the supplicant passes authentication (figure: as above, with Eth1/1/3 and the supplicant now in VLAN 5)
Configuration procedure
# Configure RADIUS scheme 2000.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme 2000
[Sysname-isp-system] authorization lan-access radius-scheme 2000
[Sysname-isp-system] accounting lan-access radius-scheme 2000
[Sysname-isp-system] quit
# Enable 802.1x globally.
[Sysname] dot1x
# Enable 802.1x for port Ethernet 1/1/3.
[Sysname] interface ethernet 1/1/3
[Sysname-ethernet1/1/3] dot1x
# Set the port access control method to portbased.
CHAPTER 72: CONFIGURING SSH VERSION 2.0
When configuring SSH2.0, go to these sections for information you are interested in:
■ “SSH2.
SSH2.0 Overview
Figure 279 Establish an SSH channel through WAN (figure: SSH client laptops Host A and Host B on the local LAN, the switch, the WAN, and the SSH server Host C on the remote LAN)
■ Currently, when acting as an SSH server, the device supports two SSH versions: SSH2 and SSH1. When acting as an SSH client, the device supports SSH2 only.
■ Unless otherwise noted, the “SSH” term in this document refers to SSH2.
Algorithm and Key
You can also use the asymmetric key algorithm for digital signatures. For example, user 1 signs the data using his private key, and then sends the data to user 2. User 2 verifies the signature using the public key of user 1. If the signature is correct, the data originates from user 1. Rivest, Shamir and Adleman (RSA) is an asymmetric key algorithm. R<br>SA can be used for both data encryption and signatures.
■ The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID.
Through the above steps, the server and the client get the same session key, which is to be used to encrypt and decrypt data exchanged between the server and the client later. The server and the client use the session ID in the authentication stage.
Besides password authentication and RSA authentication, SSH2.0 provides another two authentication methods:
■ password-publickey: Performs both password authentication and publickey authentication of the client. A client running SSH1 only needs to pass either of the two, while a client running SSH2 must pass both to log in.
■ all: Sets the authentication mode to either "password" or "RSA". Clients will attempt to log in through RSA first.
Configuring the SSH Server
CAUTION:
■ If you configure a user interface to support SSH, be sure to configure the corresponding authentication method with the authentication-mode scheme command.
■ For a user interface configured to support SSH, you cannot configure the authentication-mode password command or the authentication-mode none command.
Creating/Destroying/Exporting RSA Keys
For successful SSH login, you must create the RSA key pairs first.
To do... | Use the command... | Remarks
Configure an authentication mode for SSH users | ssh user username authentication-type { password | rsa | password-publickey | all } | Optional. By default, the system specifies the authentication mode as "RSA".
CAUTION: If a user uses the RSA authentication mode, this user and its public key must be configured on the switch.
Configuring Service Type for SSH Users
Setting the SSH Management Parameters
Exit public key editing view to public key view | public-key-code end | Save the entered public key data when exiting the view
Exit public key view to system view | peer-public-key end | -
Follow these steps to import the RSA public key of the client from a public key file.
Assigning RSA Public Keys to SSH Users
To do... | Use the command...
Configuring the SSH Client
There is a wide range of SSH client software, including PuTTY and OpenSSH. To establish a connection between the SSH client and the server, you need to configure the SSH client as follows:
■ Assign an IP address to the server.
■ Set the remote connection protocol to SSH. Usually, the client can support a great variety of remote connection protocols, like Telnet, Rlogin, and SSH.
Figure 281 Generate a client key (1)
You need to issue the rsa local-key-pair create command on the switch once, as shown below.
1 Enter the system view and issue the following bold commands.
[SW8800] rsa local-key-pair create
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 1024]:1024
Generating keys...
...................++++++
.......++++++
...........
2 To generate the RSA keys on the SSH client, generate the public and private keys using the puttygen application by clicking the Generate button on the PuTTY Key Generator dialog box (see Figure 282).
Figure 282 Generate a client key (2)
3 Move the mouse over the blank area as instructed by the prompt in the Key section of the dialog box. When the key is generated, the dialog box in Figure 283 appears.
Figure 283 Generate a client key (3)
4 You can optionally specify a passphrase in the Key passphrase field and repeat it in the Confirm passphrase field as shown above. Make sure to remember this phrase because you will need it later in this procedure.
5 Click the Save private key button. The Save private key as: dialog box is displayed as shown in Figure 284. Enter a name for that key and click Save.
Importing the Client Public Key Using Method One
The private key has a .ppk extension and the public key a .pub extension. This section describes how to import the client public key to the Switch 8800 file system using FTP.
1 Enable the FTP server on the Switch 8800 from the system view as follows:
sys
System View: return to User View with Ctrl+Z.
If you display the directory’s contents (using the dir command), it lists the aaa.pub file.
5 To remove the user ftp:
[SW8800] undo local-user ftp
Updating user(s) information, please wait.........
[SW8800]

Importing the Client Public Key Using Method Two

When using this method, the SSH client uses the application sshkey.exe to convert the public key, creating a large hex string to be entered on the Switch 8800. From the sshkey.
[SW8800-rsa-key-code]93641847 BEE01DC3 F0FA786E 020DA052 C208ED41 052EC143
[SW8800-rsa-key-code]B6548A1A 84319325 22D0894C AC55B7DE 7C34F91F C348A6C8
[SW8800-rsa-key-code]C9B18A69 66D3AF34 C43B1D04 42D0199C B5086D15 1983C19D
[SW8800-rsa-key-code]71E98F26 CDD105A6 5E328E77 2D6CCEEB C0F7826B 3FF81A37
[SW8800-rsa-key-code]4EDD5D95 BE10613D F9259B5B A0CB0201 25525B63
You may have to hit the "enter" key if the key code does not end at the end of the line.
client002 stelnet|sftp rsa SWSW8800002

Assigning an IP Address to the Server

To configure the IP address:
1 Execute PuTTY.exe. The system displays a client configuration interface.
2 Specify the IP address in the Host Name field.
3 If you wish to save the configuration, enter a session name in the Saved Sessions field, as shown in Figure 286.
Figure 286 SSH client configuration (1)
4 Point to the private key by clicking SSH > Auth in the Category tree.
Figure 287 SSH client configuration (2)
6 Check the SSH version by clicking SSH. This example uses Version 2, as shown in Figure 288.
Figure 288 SSH client configuration (3)
7 Save the profile by clicking Session and then Save.

Communicating with the Switch

To communicate with the switch, click Open. A dialog box with the switch’s IP address in the title bar is displayed.
the first time, this message is not displayed unless you generate new keys. If you are using SSH with a client that uses only a password, this is not displayed.
Figure 289 PuTTY Security Alert
Click Yes to continue. You are then prompted for the login ID (client002 in this example) and the passphrase. Specify the passphrase you created earlier in this chapter, and you should be successfully connected and logged into the switch, as shown in Figure 290.
Opening an SSH Connection Using a Password

1 Click Open. The system then displays an SSH client interface, as shown in Figure 288. If the connection is normal, the system prompts you to enter a username and password.
Figure 291 SSH client
2 Enter the correct username and password to log into the server successfully.
3 To log out of the SSH server, execute the quit command.
and specify the name of the host public key of the server to be connected, so that the client can authenticate the server to be connected. In addition, you can configure the client to access the SSH server using a specified IP address or port number.

Configure the SSH client that supports first authentication

Follow these steps to configure the SSH client that supports first authentication:
To do... Use the command...
To do... Use the command...
Establish a connection between the SSH client and server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server

Displaying and Maintaining SSH
SSH Server Configuration Examples

Network requirements
As shown in Figure 292, establish a local connection between the terminal (SSH client) and the Ethernet switch. The terminal logs into the switch through SSH, so as to ensure the security of data exchange. For the SSH client, the username is “client001” and the password is “aabbccddeeff”.
Network diagram (Figure 292): SSH client 192.168.0.2/24; SSH server Vlan-int1 192.168.0.
Configure the authentication timeout time, number of attempts, and server key update interval as default values. Then, run SSH2.0-capable client software on the terminal connected to the switch, configure the IP address of the reachable interface of the SSH server (switch) as 192.168.0.1, configure the protocol type as SSH, and configure the protocol version as 2.
[Switch-rsa-key-code] public-key-code end
[Switch-rsa-public-key] peer-public-key end
# If the server stores the public key of the client in a file named "Switch001", you can import the public key directly from the file.
[Switch] rsa peer-public-key Switch001 import sshkey Switch001
# Specify the public key "Switch001" for the user "client001".
system-view
[SwitchB] rsa local-key-pair create
[SwitchB] ssh server enable
# Assign an IP address to Vlan-interface 1. The client will connect to the SSH server through this address.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.
SSH Client Configuration Examples
[SwitchA-rsa-key-code]1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[SwitchA-rsa-key-code]D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[SwitchA-rsa-key-code]0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[SwitchA-rsa-key-code]C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[SwitchA-rsa-key-code]BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[SwitchA-rsa-key-code] public-key-code end
[SwitchA-rsa-public-key] peer-public-key end
[SwitchA] ssh client authentication serve
73 SFTP SERVICE

When configuring SFTP, go to these sections for information you are interested in:
■ “SFTP Overview” on page 965
■ “Configuring an SFTP Server” on page 965
■ “Configuring an SFTP Client” on page 966
■ “SFTP Configuration Examples” on page 970

SFTP Overview

The secure file transfer protocol (SFTP) is a new feature in SSH 2.0. SFTP uses the SSH connection to provide secure data transfer.
966 CHAPTER 73: SFTP SERVICE
Configuring the SFTP Connection Idle Timeout Period
Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down. Follow these steps to configure the SFTP connection idle timeout period:
To do... Use the command...
To do... Use the command...
Establish a connection to the remote SFTP server, and enter SFTP Client view

Working with the SFTP Directories
Working with SFTP Files
To do... | Use the command... | Remarks
Display the current working directory of the remote SFTP server | pwd | Optional
Display files under a specified directory | dir [ -a | -l ] [ remote-path ] | Optional
 | ls [ -a | -l ] [ remote-path ] | The dir command functions the same as the ls command.
To do... | Use the command... | Remarks
Delete a file from the SFTP server | delete remote-file&<1-10> | Optional
 | remove remote-file&<1-10> | The delete command functions the same as the remove command.

Displaying Help Information

This configuration task is to display a list of all commands or the help information of an SFTP client command, such as the command format and parameters.
SFTP Configuration Examples

Network requirements
As shown in Figure 294, an SSH connection is established between Switch A and Switch B. Switch A, an SFTP client, uses the username client001 and password aabbcc to log in to Switch B for file management and file transfer.
Network diagram
Figure 294 Network diagram for SFTP configuration (on routers): SFTP server Vlan-int1 192.168.0.1/24; SFTP client Vlan-int1 192.168.0.
If configuring RSA authentication for the SSH user, you need to configure a host public key for Switch A. For details, refer to the related section in “SSH Server Configuration Examples” on page 959.
# Enable the SFTP server.
[SwitchB] sftp server enable
# Specify the service type as SFTP for the user.
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Create a directory named "new1", and check whether the new directory is created successfully.
74 PASSWORD CONTROL CONFIGURATION

When configuring password control, go to these sections for information you are interested in:
■ “Password Control Overview” on page 973
■ “Password Control Configuration Task List” on page 975
■ “Configuring Password Control” on page 975
■ “Displaying and Maintaining Password Control” on page 978
■ “Password Control Configuration Example” on page 978

Password Control Overview

Password control refers to a set of functions provided by the local authentication s
974 CHAPTER 74: PASSWORD CONTROL CONFIGURATION
4 Password history
With this feature enabled, the system maintains a certain number of the passwords that a user has used. When a user changes the password, the system checks the new password against the used ones to see whether it was used before and, if so, displays an error message. You can set the maximum number of history password records for the system to maintain for each user.
Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category. There are four password combination levels, 1, 2, 3, and 4, each representing the minimum number of categories that a password must contain. Level 1 means that a password must contain characters of at least one category, level 2 of at least two categories, and so on.
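The password history and password composition checks described above, worked through as an added Python example; this is not code from the guide or from the switch software. It assumes the four character categories are uppercase letters, lowercase letters, digits and other printable characters, and that a category counts toward the combination level only when it holds at least the configured minimum number of characters. Storing the history as salted PBKDF2 digests rather than plaintext is a choice of this example, not something the guide describes.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumption: the four composition categories are uppercase letters, lowercase
# letters, digits and all other printable (non-space) characters.
CATEGORIES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum() and not c.isspace(),
}


def composition_report(password):
    """Count the characters of each category present in the password."""
    counts = {name: 0 for name in CATEGORIES}
    for ch in password:
        for name, test in CATEGORIES.items():
            if test(ch):
                counts[name] += 1
                break
    return counts


def check_composition(password, level, min_per_category):
    """Level N requires characters of at least N categories.

    Assumption: a category only counts when it holds at least
    min_per_category characters. Returns (ok, categories that count).
    """
    counts = composition_report(password)
    counted = [name for name, n in counts.items() if n >= min_per_category]
    return len(counted) >= level, counted


class PasswordHistory:
    """Per-user record of the last max_records passwords, kept as salted digests."""

    def __init__(self, max_records):
        self.max_records = max_records
        self._records = {}  # username -> deque of (salt, digest)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def was_used(self, user, password):
        for salt, digest in self._records.get(user, ()):
            if hmac.compare_digest(self._digest(salt, password), digest):
                return True
        return False

    def record(self, user, password):
        # deque(maxlen=...) drops the oldest entry once the limit is reached,
        # which is the "maximum number of history password records" behaviour.
        history = self._records.setdefault(user, deque(maxlen=self.max_records))
        salt = os.urandom(16)
        history.append((salt, self._digest(salt, password)))


class PasswordPolicy:
    """Minimum length, composition level and history check for a password change."""

    def __init__(self, min_length, level, min_per_category, history_records):
        self.min_length = min_length
        self.level = level
        self.min_per_category = min_per_category
        self.history = PasswordHistory(history_records)

    def change_password(self, user, new_password):
        """Return (accepted, reason); the password is recorded only when accepted."""
        if len(new_password) < self.min_length:
            return False, "too short"
        ok, counted = check_composition(new_password, self.level, self.min_per_category)
        if not ok:
            return False, "composition level not met: only %s count" % ", ".join(counted)
        if self.history.was_used(user, new_password):
            return False, "password was used before"
        self.history.record(user, new_password)
        return True, "accepted"


if __name__ == "__main__":
    # Constructed sample using the configuration example's super-password
    # settings: 3 composition types, at least 5 characters of each.
    policy = PasswordPolicy(min_length=10, level=3, min_per_category=5, history_records=2)
    for pw in ["ABCDEabcde12345", "ABCDEabcde1234", "ABCDEabcde12345"]:
        print(pw, policy.change_password("admin", pw))
```

With two history records, a password becomes acceptable again once two other passwords have been accepted after it, which is the eviction behaviour the history-record limit implies.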
■ Enabling Password Control
For super passwords, the super password settings override those in system view unless the former are not provided.
Among the nine password control functions, you can enable or disable the following four as desired:
■ Password aging
■ Minimum password length
■ Password history
■ Password composition
You must enable a function for its relevant configurations to take effect.
Setting Local User Password Control Parameters
To do... | Use the command... | Remarks
Set the authentication timeout time | password-control authentication-timeout authentication-timeout | Optional; 60 seconds by default
CAUTION: The configuration for the action to be taken when a user fails to log in after the specified number of attempts takes effect immediately, and can thus affect the users already in the blacklist.
Setting a Local User Password in Interactive Mode

Displaying and Maintaining Password Control

Password Control Configuration Example
system-view
# Prohibit the user from logging in after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.
[Sysname] password-control aging 30
# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.
75 MAC AUTHENTICATION CONFIGURATION

When configuring MAC authentication, go to these sections for information you are interested in:
■ “MAC Authentication Overview” on page 981
■ “Related Concepts” on page 981
■ “Configuring MAC Authentication” on page 982
■ “Displaying and Maintaining MAC Authentication” on page 983
■ “MAC Authentication Configuration Example” on page 983

MAC Authentication Overview

MAC authentication provides a way for authenticating users based on ports and MAC addresses, w
982 CHAPTER 75: MAC AUTHENTICATION CONFIGURATION
to the RADIUS server has timed out and forbids the user from accessing the network.
Quiet MAC Address
When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means that any packets from that MAC address are simply discarded by the device until the quiet timer expires. This prevents an invalid user from being authenticated repeatedly in a short time.
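The quiet MAC mechanism, as an added Python simulation that is not part of this guide or of the switch software. It assumes a simple allow-list in place of the local user database or RADIUS server, and an injectable clock so the quiet timer can be exercised without waiting; the MAC address strings are constructed after the format used in the configuration example.

```python
import time


class MacAuthPort:
    """Port-side MAC authentication state with quiet MAC handling.

    allowed_macs stands in for the local user database (or a RADIUS reply);
    clock is injectable so the quiet timer can be exercised without waiting.
    """

    def __init__(self, allowed_macs, quiet_seconds, clock=time.monotonic):
        self.allowed = {m.lower() for m in allowed_macs}
        self.quiet_seconds = quiet_seconds
        self.clock = clock
        self.authenticated = set()
        self.quiet_until = {}   # quiet MAC -> time at which its quiet timer expires
        self.auth_attempts = 0  # how often the (simulated) server was consulted

    def is_quiet(self, mac):
        expires = self.quiet_until.get(mac)
        if expires is None:
            return False
        if self.clock() >= expires:
            del self.quiet_until[mac]  # quiet timer expired: the MAC may try again
            return False
        return True

    def handle_frame(self, mac):
        """Return the port's action for a frame from this source MAC."""
        mac = mac.lower()
        if mac in self.authenticated:
            return "forward"
        if self.is_quiet(mac):
            return "drop-quiet"          # discarded without any authentication attempt
        self.auth_attempts += 1
        if mac in self.allowed:
            self.authenticated.add(mac)
            return "auth-ok"
        self.quiet_until[mac] = self.clock() + self.quiet_seconds
        return "auth-fail"


def simulate(frames, allowed, quiet_seconds):
    """Run (time, mac) frames through one port; return (actions, auth attempts)."""
    now = [0.0]
    port = MacAuthPort(allowed, quiet_seconds, clock=lambda: now[0])
    actions = []
    for t, mac in frames:
        now[0] = t
        actions.append(port.handle_frame(mac))
    return actions, port.auth_attempts


if __name__ == "__main__":
    # Constructed traffic: one valid MAC and one unknown MAC that keeps retrying.
    frames = [(0, "00e0fc010101"), (1, "00e0fc010101"), (2, "00e0fc019999"),
              (3, "00e0fc019999"), (30, "00e0fc019999"), (63, "00e0fc019999"),
              (64, "00e0fc019999")]
    print(simulate(frames, ["00e0fc010101"], quiet_seconds=60))
```

The unknown MAC causes only two authentication attempts in just over a minute, one at its first appearance and one after the 60-second quiet timer has expired; every frame in between is dropped without touching the authentication server.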
system-view
[Sysname] local-user 00e0fc010101
[Sysname-luser-00e0fc010101] password simple 00e0fc010101
[Sysname-luser-00e0fc010101] service-type lan-access
[Sysname-luser-00e0fc010101] quit
# Configure ISP domain aabbcc.net, and specify local authentication.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] authentication lan-access local
[Sysname-isp-aabbcc.net] quit
# Enable centralized MAC authentication globally.
76 NAT CONFIGURATION

When configuring NAT, go to these sections for information you are interested in:
■ “NAT Overview” on page 985
■ “NAT Configuration Task List” on page 989
■ “Configuring Address Translation” on page 990
■ “Configuring Internal Server” on page 991
■ “Configuring the Binding” on page 992
■ “Configuring NAT Log” on page 993
■ “Configuring User Resource Limit” on page 995
■ “Configuring Connection-limit” on page 996
■ “Displaying and Maintaining NAT” on page 997
■ “NAT
986 CHAPTER 76: NAT CONFIGURATION
Figure 296 A basic NAT operation (diagram labels: Host 192.168.1.1, 192.168.1.3, 20.1.1.1, Internet, Server B 10.1.1.2, Server A 10.1.1.3, Host 192.168.1.2. IP packet 1 enters with source IP 192.168.1.3 and destination IP 10.1.1.2 and leaves with source IP 20.1.1.1 and destination IP 10.1.1.2. IP packet 2 arrives with source IP 10.1.1.3 and destination IP 20.1.1.1 and is delivered with source IP 10.1.1.3 and destination IP 192.168.1.2.)
■ NAT gateway lies between the private network and the public network.
transmission rate. However, when the bandwidth is higher than 1.5 Gbps, NAT could affect the switch performance to a certain extent.
NAT Functionalities
Many-to-many NAT and NAT control
As depicted in Figure 296, when an internal network user accesses an external network, NAT uses an external (public) IP address to replace the original internal IP address. In Figure 296, this address is the outbound interface address (a public IP address) of the NAT gateway.
Figure 297 depicts an NAPT process.
Figure 297 An NAPT process (diagram labels: Host 192.168.1.1, 192.168.1.3, 20.1.1.1, Internet, Server B 10.1.1.2. IP packet 1 enters with source IP 192.168.1.3 and source port 1537 and leaves with source IP 20.1.1.1 and source port 12300. IP packet 2 enters with source IP 192.168.1.3 and source port 2468 and leaves with source IP 20.1.1.1 and source port 13005. IP packet 3 enters with source IP 192.168.1.1 and source port 1111 and leaves with source IP 20.1.1.
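The NAPT translation in Figure 297, as an added Python example that is not part of this guide or of the switch software. It builds the session table that maps each private (IP, port) pair to the gateway's public address and a unique port, and shows the reverse mapping for a reply. Public ports are handed out sequentially from 12300 here, which is an assumption of this example (the page gives 12300 and 13005 but does not describe the allocator); the destination ports and the reply packet are constructed values.

```python
class Napt:
    """NAPT session table: (private ip, port) <-> (public ip, port).

    Port allocation is sequential (an assumption of this example);
    the switch's own allocator is not described on the page.
    """

    def __init__(self, public_ip, first_port=12300, last_port=13100):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self.outbound = {}  # (src_ip, src_port) -> public port
        self.inbound = {}   # public port -> (src_ip, src_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt["src_ip"], pkt["src_port"])
        if key not in self.outbound:
            if self._next_port > self._last_port:
                raise RuntimeError("public port range exhausted")
            self.outbound[key] = self._next_port
            self.inbound[self._next_port] = key
            self._next_port += 1
        return dict(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination of a reply; None means no session exists, so drop it."""
        key = self.inbound.get(pkt["dst_port"])
        if key is None or pkt["dst_ip"] != self.public_ip:
            return None
        return dict(pkt, dst_ip=key[0], dst_port=key[1])


def run_figure_297():
    """Replay the three packets of Figure 297, a reply to the first, and a stray packet."""
    nat = Napt("20.1.1.1")
    # Constructed packets after the figure; destination ports are assumed.
    pkts = [
        {"src_ip": "192.168.1.3", "src_port": 1537, "dst_ip": "10.1.1.2", "dst_port": 80},
        {"src_ip": "192.168.1.3", "src_port": 2468, "dst_ip": "10.1.1.2", "dst_port": 80},
        {"src_ip": "192.168.1.1", "src_port": 1111, "dst_ip": "10.1.1.2", "dst_port": 80},
    ]
    out = [nat.translate_outbound(p) for p in pkts]
    reply = {"src_ip": "10.1.1.2", "src_port": 80,
             "dst_ip": "20.1.1.1", "dst_port": out[0]["src_port"]}
    stray = {"src_ip": "10.1.1.2", "src_port": 80, "dst_ip": "20.1.1.1", "dst_port": 65000}
    return out, nat.translate_inbound(reply), nat.translate_inbound(stray)


if __name__ == "__main__":
    out, reply, stray = run_figure_297()
    for p in out:
        print("outbound ->", p["src_ip"], p["src_port"])
    print("reply ->", reply)
    print("stray ->", stray)
```

All three private flows leave with the single public address 20.1.1.1 and are told apart only by the allocated port, which is why a reply to a port with no session entry (the stray packet) has nowhere to go and is dropped.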
scalability. The special protocols supported by the Switch 8800s include: Internet control message protocol (ICMP), domain name system (DNS), Internet locator service (ILS), and NetBIOS over TCP/IP (NBT).
NAT multiple-instance
This feature allows users from different MPLS VPNs to access external networks through the same outbound interface. It also allows them to have the same internal network address.
■ The addresses in the address pool referenced by NAT must be different from the interface address. Otherwise, the service cannot be implemented. To use the interface address as the translation address, Easy IP must be used.

Configuring Address Translation

Introduction to Address Translation
Address translation is implemented by associating an ACL with an address pool (or an interface address in the case of Easy IP).
To do... | Use the command... | Remarks
Enter VLAN interface view | interface interface-type interface-number | -
Enable Easy IP by associating the ACL with the interface IP address | nat outbound acl-number | Required

Configuring many-to-many NAT
Follow these steps to configure many-to-many NAT:
To do... Use the command...
If an internal server belongs to an MPLS VPN instance, you should specify the vpn-instance-name argument. If this argument is not provided, the internal server is considered to belong to a private network.
Configuring an Internal Server
Follow these steps to configure an internal server:
To do... Use the command...
packets that pass through the VLAN interface have been redirected to the L3+NAT module, rendering the QoS redirection function ineffective.

Configuring NAT Log

Introduction to NAT Log
NAT log is a type of system information generated by the NAT gateway during IP address translation.
Figure 298 Export NAT logs (diagram labels: User, Device (Generate NAT log), NAT logs, Internet, NAT log server)
Exporting NAT logs to the information center
Follow these steps to export NAT logs to the information center:
To do... Use the command...
Configuring User Resource Limit
996 CHAPTER 76: NAT CONFIGURATION
Configuring Connection-limit
Introduction to Connection-limit
The connection-limit function allows you to limit user connections in three ways: by connection number, by connection rate, or by both. This avoids the situation where a single user establishes so many connections in a short time that other users' use of the network is affected.
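Connection limiting by number, by rate, or by both, as an added Python example; it is not code from this guide or from the switch, and the sliding-window rate check and the per-source keying are assumptions of this example (the page states only that limits can be based on the source address). The sample source addresses are constructed.

```python
from collections import deque


class ConnectionLimiter:
    """Per-source limit on open connections and on the rate of new ones.

    max_connections: open connections allowed per source (None = no limit)
    max_rate: new connections allowed per source within window_seconds (None = no limit)
    """

    def __init__(self, max_connections=None, max_rate=None, window_seconds=1.0):
        self.max_connections = max_connections
        self.max_rate = max_rate
        self.window = window_seconds
        self.open = {}     # source -> number of currently open connections
        self.recent = {}   # source -> deque of setup times inside the window

    def new_connection(self, source, now):
        """Decide on a connection request from source at time now; return (permitted, reason)."""
        if self.max_connections is not None and self.open.get(source, 0) >= self.max_connections:
            return False, "connection number limit"
        if self.max_rate is not None:
            times = self.recent.setdefault(source, deque())
            # Drop setup times that have slid out of the rate window.
            while times and now - times[0] >= self.window:
                times.popleft()
            if len(times) >= self.max_rate:
                return False, "connection rate limit"
            times.append(now)
        self.open[source] = self.open.get(source, 0) + 1
        return True, "permitted"

    def close_connection(self, source):
        """Release one open connection of the source."""
        if self.open.get(source, 0) > 0:
            self.open[source] -= 1


if __name__ == "__main__":
    # Constructed burst: one internal host opens connections faster than allowed.
    lim = ConnectionLimiter(max_connections=3, max_rate=2, window_seconds=1.0)
    for t in (0.0, 0.2, 0.5, 1.3, 2.5):
        print(t, lim.new_connection("10.110.10.5", t))
```

The rate limit rejects the third request inside the one-second window while a different source is unaffected; the number limit then stops the same source at three open connections until one of them is closed.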
■ Configure a connection-limit policy and bind it to the NAT module. Configure the upper limit of connections as 1000 (based on the source address), which means that the number of connections initiated from an internal user cannot exceed 1000.
Network diagram
Figure 299 NAT network diagram (diagram labels: FTP server 10.110.10.1/16, WWW server 1 10.110.10.2/16, WWW server 2 10.110.10.3/16, SMTP server 10.110.10.4/16, Host A 10.110.10.
[Switch-Vlan-interface10] nat server protocol tcp global 202.38.160.100 8081 inside 10.110.10.2 www
# Configure the internal WWW server 2.
[Switch-Vlan-interface10] nat server protocol tcp global 202.38.160.100 8080 inside 10.110.10.3 www
# Configure the internal SMTP server.
[Switch-Vlan-interface10] nat server protocol tcp global 202.38.160.100 8025 inside 10.110.10.4 smtp
[Switch-Vlan-interface10] quit
# Enable the connection-limit function.
system-view
[Sysname] userlog nat syslog
# Enable the NAT log function on Device A.
[Sysname] nat log enable
# View the log buffer to monitor access records.
[Sysname] quit
dir
Directory of cf:/
0 -rw- 16850028 Aug 07 2009 04:02:42 mainpack.bin
1 drw- Aug 07 2005 05:13:48 logfile
2 -rw- 1747 Aug 07 2009 04:05:38 config.cfg
3 -rw- 524288 Aug 13 2009 01:27:40 basicbtm.bin
4 -rw- 524288 Aug 13 2009 01:27:40 extendbtm.
Exporting NAT logs to Log Server
Field | Description
Operator | Reasons for generating NAT logs come from:
■ "Aged for reset or config-change" refers to logs generated due to configuration change or manual session deletion;
■ "Aged for no-pat of NAT" refers to logs generated when the no-pat session ages;
■ "Active data flow timeout" refers to logs generated when the duration of a NAT session exceeds the active data flow time;
■ "Data flow created" refers to logs generat
[Sysname] nat log enable
You must run XLog on the NAT log server or the system log server to view NAT log information.

Troubleshooting NAT

Symptom 1: Abnormal Translation of IP Addresses
Solution: Enable debugging for NAT. Try to locate the problem based on the debugging display. Use other commands, if necessary, to further identify the problem. Pay special attention to the translated source address and ensure that this address is the address that you intend to translate to.
77 DEVICE MANAGEMENT

File names in this document comply with the following rules:
■ "Path + file name" (namely, a full file name): a file on a specified path. A full file name consists of 1 to 135 characters.
■ "File name" (namely, only a file name without a path): a file on the current working path. A file name without a path consists of 1 to 91 characters.
1006 CHAPTER 77: DEVICE MANAGEMENT
To do... | Use the command... | Remarks
Reboot a card | reboot [ slot slot-number ] | Optional; Available in user view.
Enable the scheduled reboot function and specify a specific reboot time and date | schedule reboot at hh:mm [ date ] | Optional; The scheduled reboot function is disabled by default.
Enable the scheduled reboot function and specify a reboot waiting time | |

Specifying a Boot ROM File for the Next Device Boot
Restart the device to validate the upgraded Boot ROM.

Configuring a Detection Interval

When detecting an exception on a port, the operation, administration and maintenance (OAM) module automatically shuts down the port. The device detects the status of the port when a detection interval elapses. If the port is still shut down, the device recovers it. Follow these steps to configure a detection interval:
To do... Use the command...
1008 CHAPTER 77: DEVICE MANAGEMENT
Clearing the 16-bit Interface Indexes Not Used in the Current System
In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface index in the same device. For the purpose of interface index stability, the system saves the 16-bit interface index when a card or logical interface is removed.
Configure a route between the FTP server and Switch A, and between Switch A and User. The configuration procedure is omitted here.
2 Configure the username and password on the FTP server.
# Set the FTP username to aaa and the password to hello, and configure the user to have access to the aaa directory. The configuration procedure is omitted here.
3 Telnet from User to Switch A. Perform the operation as needed. The procedure is omitted.
78 POE CONFIGURATION

PoE Overview

Introduction to PoE
Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs), such as IP telephones, wireless LAN access points, and web cameras, through the twisted pair cables of Ethernet ports. A PoE device can provide 48 VDC power to its PDs and provides power supply monitoring and PD priority management.
Among the interface cards for the Switch 8800 Family, the 3C17528 and 3C17532 interface cards support PoE.
1012 CHAPTER 78: POE CONFIGURATION
A PD is a device accepting power from a PSE. There are standard PDs and nonstandard PDs. A standard PD refers to one that complies with IEEE 802.3af. A PD that is being powered by the PSE can be connected to another power supply unit for redundancy backup.
Protocol Specification
The protocol specification related to PoE is IEEE 802.3af.

PoE Configuration Task List
Configuring a PSE

Follow these steps to configure a PSE:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enable PoE for a PSE | poe enable pse pse-id | Required; By default, PoE is disabled for a PSE.
Configure the maximum PoE power of a PSE | poe max-power max-power pse pse-id | Optional; By default, the maximum PoE power of a PSE is 806 W.

Configuring a PoE Interface
To do... | Use the command... | Remarks
Configure the PoE mode for the PoE interface | poe mode signal | Optional; By default, the PoE mode is signal (power over signal cables).
Configure the PoE priority for the PoE interface | poe priority { critical | high | low } | Optional; By default, the priority is low.
Configure a description for the PD connected to the PoE interface | poe pd-description string |

Configuring PoE Interfaces Through a PoE Configuration File
CAUTION:
■ Before you can configure another PoE configuration file on a PoE interface, you should first remove the original PoE configuration file applied to the PoE interface; otherwise, your configuration will fail.

Configuring PoE Power Management

Configuring PSE Power Management
1016 CHAPTER 78: POE CONFIGURATION
To do... | Use the command... | Remarks
Configure the power priority for the PSE | poe priority { critical | high | low } pse pse-id | Optional; By default, the power priority level of the PSE is low.
Configure a PSE power management priority policy | poe pse-policy priority | Optional; By default, no PSE power management priority policy is configured.

Configuring PD Power Management
The power priority of a PD depends on the priority of the PoE interface.
To do... | Use the command... | Remarks
Configure a PD power management priority policy | poe pd-policy priority | Optional; By default, no PD power management priority policy is configured.

Configuring PoE Monitoring

The PoE monitoring function involves monitoring of the PoE power, the PSE and the PD.
■ Monitoring PoE power means monitoring the voltage of the PoE power.
To do... | Use the command... | Remarks
Configure a power alarm threshold for a PSE | poe utilization-threshold utilization-threshold-value pse pse-id | Optional; By default, the power alarm threshold for a PSE is 80%.

Enabling the PSE to Detect Nonstandard PDs
There are standard PDs and nonstandard PDs. Usually, the PSE can detect only standard PDs and supply power to them.
To do... | Use the command...
Display all information of the configurations and applications of the PoE configuration file | display poe-profile [ index index | name profile-name ]
Display all information of the configurations and applications of the PoE configuration file applied to the specified PoE interface | display poe-profile interface interface-type interface-number
The display commands are available in any view.
# Enable PoE on GigabitEthernet3/1/1, GigabitEthernet3/1/2, GigabitEthernet5/1/1, and GigabitEthernet5/1/2.
■ A PoE configuration file is already applied to the PoE interface.
Solution:
■ In case 1, you can solve the problem by removing the original configurations.
■ In case 2, you need to modify some configurations in the PoE configuration file.
■ In case 3, you need to remove the application of the undesired PoE configuration file from the PoE interface.
79 SYSTEM MAINTENANCE AND DEBUGGING

When maintaining and debugging the system, go to these sections for information you are interested in:
■ “System Maintaining and Debugging Overview” on page 1023
■ “System Maintaining and Debugging” on page 1025
■ “System Maintaining Example” on page 1026

System Maintaining and Debugging Overview

Introduction to System Maintaining and Debugging
You can use the ping command and the tracert command to verify the current network connectivity.
1024 CHAPTER 79: SYSTEM MAINTENANCE AND DEBUGGING
The tracert command
By using the tracert command, you can trace the switches involved in delivering a packet from source to destination. This is useful for identifying the failed node(s) in the event of a network failure. The tracert command involves the following steps in its execution:
1 The source device sends a packet with a TTL value of 1 to the destination device.
Figure 304 The relationship between the protocol and screen debugging switch (diagram labels: Protocol debugging switch, Screen output switch, ON/OFF states, Debugging information)

System Maintaining and Debugging

System Maintaining
To do... Use the command...
■ For a low-speed network, it is recommended that you set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command.
■ Only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument.

System Debugging
To do... Use the command...
3 128.32.136.23 39 ms 40 ms 39 ms
4 128.32.168.22 39 ms 39 ms 39 ms
5 128.32.197.4 40 ms 59 ms 59 ms
6 131.119.2.5 59 ms 59 ms 59 ms
7 129.140.70.13 99 ms 99 ms 80 ms
8 129.140.71.6 139 ms 239 ms 319 ms
9 129.140.81.7 220 ms 199 ms 199 ms
10 10.1.1.4 239 ms 239 ms 239 ms
The above output shows that a packet traverses nine switches from the source to the destination device.
80 FILE SYSTEM MANAGEMENT CONFIGURATION

Throughout this document, a filename can be entered as either of the following:
■ A fully qualified filename with the path included, to indicate a file under a specific path. The filename can be 1 to 135 characters in length.
■ A short filename with the path excluded, to indicate a file in the current path. The filename can be 1 to 91 characters in length.
1030 CHAPTER 80: FILE SYSTEM MANAGEMENT CONFIGURATION
File Operations
To do... | Use the command... | Remarks
Display the current path | pwd | Optional
Display files or directories | dir [ /all ] [ file-url ] | Optional
Change the current path | cd directory | Optional
■ The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories under it.
this command and go to the next one. Therefore, each configuration command in a batch file must be a standard configuration command, meaning valid configuration information that can be displayed with the display current-configuration command after the command is configured successfully; otherwise, the command may not be executed correctly.
■ Do not remove the storage device or swap the module while mounting or unmounting the device, or while you are processing files on the storage device. Otherwise, the file system could be damaged.
■ When a storage device is connected to a system running an earlier software version, the system may not be able to recognize the device automatically; you need to use the mount command for the storage device to function normally.

File System Prompt Mode Setting
cd ..
CAUTION: This command will permanently delete the configuration file from the device. Use it with caution.

Specifying a Configuration File for Next Startup
Follow the step below to specify a configuration file for next startup:
To do... Use the command...
1036 CHAPTER 80: FILE SYSTEM MANAGEMENT CONFIGURATION
Displaying and Maintaining Device Configuration
■ Before restoring a configuration file, you should ensure that the server is reachable, that the server is enabled with the TFTP service, and that the client has permission to read and write.
81 FTP CONFIGURATION

When configuring FTP, go to these sections for information you are interested in:
■ “FTP Overview” on page 1037
■ “Configuring the FTP Client” on page 1038
■ “Configuring the FTP Server” on page 1041
■ “Displaying and Maintaining FTP” on page 1044

FTP Overview

The file transfer protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP adopts the server/client model.
1038 CHAPTER 81: FTP CONFIGURATION
Configuring the FTP Client
Establishing an FTP Connection
To access an FTP server, the FTP client must connect to it. Two ways are available for the connection: using the ftp command to establish the connection directly, or using the open command in FTP client view. Multiple routes may exist for the FTP client to successfully access the FTP server.
■ If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the new source IP address overwrites the current one, and vice versa.
Follow these steps to establish an FTP connection (in IPv6 networking):
To do... Use the command...
FTP Client Configuration Examples
Configuration procedure
# Check files on your device. Remove those redundant to ensure adequate space for the image file to be downloaded.
dir
Directory of flash:/
   0  drw-        -  Dec 07 2005 10:00:57   filename
   1  drw-        -  Jan 02 2006 14:27:51   logfile
   2  -rw-     1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-     1216  Jan 02 2006 16:27:26   backup.cfg

2540 KB total (2511 KB free)
delete flash:/backup.cfg
# Download the image file from the server.
ftp 172.16.104.
result in file corruption on the router. This mode, however, consumes less memory space than the fast mode.
Follow these steps to configure the FTP server:
To do... Use the command... Remarks
Enter system view: system-view
Enable the FTP server: ftp server enable (Required; disabled by default.)
Configure the idle-timeout timer: ftp timeout minutes (Optional; 30 minutes by default.)
Network diagram
Figure 307 Smooth upgrading using the FTP server (FTP client PC and FTP server Device, 1.1.1.1/16, connected over the Internet)
Configuration procedure
1 Configure Device (FTP Server)
# Create an FTP user account abc, setting its password to pwd.
system-view
[Sysname] local-user abc
[Sysname-luser-abc] service-type ftp
[Sysname-luser-abc] password simple pwd
# Specify abc to use FTP, and authorize its access to certain directory.
■ When upgrading the configuration file with FTP, put the new file under the root directory.
■ After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom upgrade command to refresh the system configuration.
# Specify the image file for next startup with the boot-loader command.
boot-loader file bbb.
TFTP CONFIGURATION 82
When configuring TFTP, go to these sections for information you are interested in:
■ “TFTP Overview” on page 1045
■ “Configuring the TFTP Client” on page 1045
■ “Displaying and Maintaining the TFTP Client” on page 1047
■ “TFTP Client Configuration Examples” on page 1047
TFTP Overview
The trivial file transfer protocol (TFTP) provides functions similar to those provided by FTP, but it is simpler than FTP in its interactive access interface and authentication.
It is recommended to use the latter mode, or to use a filename not existing in the current directory as the target filename, when downloading a startup file or configuration file. Multiple routes may exist for a TFTP client to successfully access the TFTP server. You can specify one by configuring the source address of the packets from the TFTP client to meet the requirement of the security policy of the TFTP client.
■ If you use the ftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new source IP address will overwrite the current one, and vice versa.
Displaying and Maintaining the TFTP Client
To do... Use the command...
TFTP Client Configuration Examples
tftp 1.1.1.2 get aaa.app bbb.app
# Upload a configuration file config.cfg to the TFTP server.
tftp 1.1.1.2 put config.cfg config.cfg
# Specify the image file for next startup with the boot-loader command.
boot-loader file bbb.app
reboot
CAUTION: The image file specified by the boot-loader command for next startup must be saved under the root directory.
83 SNMP CONFIGURATION When configuring SNMP, go to these sections for information you are interested in: SNMP Overview SNMP Mechanism ■ “SNMP Overview” on page 1049 ■ “SNMP Configuration” on page 1050 ■ “Trap Configuration” on page 1052 ■ “Displaying and Maintaining SNMP” on page 1054 ■ “SNMP Configuration Examples” on page 1054 Simple network management protocol (SNMP) offers a framework to monitor network devices through TCP/IP protocol suite.
■ Get operation: NMS gets the behavior information of the Agent through this operation.
■ Set operation: NMS can reconfigure certain values in the Agent MIB (management information base) to make the Agent perform certain tasks by means of this operation.
■ Trap operation: Agent sends Trap information to the NMS through this operation.
■ Inform operation: NMS sends Trap information to other NMSs through this operation.
SNMP Protocol Version
SNMP Configuration
To do... Use the command... Remarks
Enter system view: system-view
Enable SNMP Agent: snmp-agent (Optional; disabled by default. You can enable SNMP Agent through this command or any command that begins with "snmp-agent".)
Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* }} (Optional. The defaults are as follows: 3Com Technologies Co.,Ltd.
To do... Use the command... Remarks
Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (Required. The defaults are as follows: 3Com Technologies Co.,Ltd. for contact, Hangzhou China for location and SNMPv3 for the version.)
Trap Configuration
To do... Use the command... Remarks
Set to enable the device to send Trap packets globally: snmp-agent trap enable [ bgp | configuration | flash | mpls | ospf [ process-id ] [ (Optional; all types of Trap packets are allowed by default.)
Displaying and Maintaining SNMP
To do... Use the command...
SNMP Configuration Examples
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent mib-view include internet 1.3.6.1
[Sysname] snmp-agent group v3 managev3group write-view internet
[Sysname] snmp-agent usm-user v3 managev3user managev3group
# Configure VLAN-interface 2 (with the IP address of 129.102.0.1/16) for network management. Add port Ethernet 2/1/3 used for network management to VLAN 2.
84 RMON CONFIGURATION When configuring RMON, go to these sections for information you are interested in: RMON Overview Introduction ■ “RMON Overview” on page 1057 ■ “Configuring RMON” on page 1059 ■ “Displaying and Maintaining RMON” on page 1060 ■ “RMON Configuration Examples” on page 1061 This section covers these topics: ■ “Introduction” on page 1057 ■ “RMON Groups” on page 1058 Remote Monitoring (RMON) is a type of IETF-defined MIB.
information but four groups of information, alarm, event, history, and statistics, in most cases. Switch 8800 adopts the second way. By using RMON agents on network monitors, an NMS can obtain information about traffic size, error statistics, and performance statistics for network management.
RMON Groups
RMON categorizes objects into ten groups. This section describes only the five major groups that are implemented.
History group
The history group controls the periodic statistical sampling of data, such as bandwidth utilization, number of errors, and total number of packets. Note that each value provided by the group is a cumulative sum during a sampling period.
Ethernet statistics group
The statistics group monitors port utilization.
To do... Use the command... Remarks
Create an entry in the private alarm table: rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ] (Optional)
■ Two entries with the same configuration cannot be created.
RMON Configuration Examples
Packets received according to length:
64: 0, 65-127: 0, 128-255: 0
256-511: 0, 512-1023: 0, 1024-1518: 0
# Create an event to start logging after the event is triggered.
system-view
[Sysname] rmon event 1 log owner 1-rmon
[Sysname] display rmon event 1
Event table 1 owned by 1-rmon is VALID.
Description: null.
Will cause log when triggered, last triggered at 2day(s) 03h:56m:06s.
# Configure an alarm group.
[Sysname] rmon alarm 1 1.3.6.1.2.1.16.1.1.
NTP CONFIGURATION 85
When configuring NTP, go to these sections for information you are interested in:
■ “NTP Overview” on page 1063
■ “Configuring the Operation Modes of NTP” on page 1068
■ “Configuring the Local Clock as a Reference Source” on page 1072
■ “Configuring Optional Parameters of NTP” on page 1072
■ “Configuring Access-Control Rights” on page 1073
■ “Configuring NTP Authentication” on page 1074
■ “Displaying and Maintaining NTP” on page 1076
■ “NTP Configuratio
NTP Overview
An administrator cannot keep the time synchronized among all the devices within a network by changing the system clock on each station, because this is a huge workload and cannot guarantee clock precision. NTP, however, allows quick clock synchronization within the entire network while ensuring high clock precision.
■ Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The time stamp is 10:00:00am (T1).
■ When this NTP message arrives at Device B, it is timestamped by Device B. The timestamp is 11:00:01am (T2).
■ When the NTP message leaves Device B, Device B timestamps it. The timestamp is 11:00:02am (T3).
■ When Device A receives the NTP message, the local time of Device A is 10:00:03am (T4).
Figure 313 Clock synchronization message format. The message carries, in order: LI (2 bits), VN (3 bits) and Mode (3 bits) in the first byte; Stratum, Poll and Precision (8 bits each); Root delay (32 bits); Root dispersion (32 bits); Reference identifier (32 bits); Reference timestamp (64 bits); Originate timestamp (64 bits); Receive timestamp (64 bits); Transmit timestamp (64 bits); and an optional Authenticator (96 bits).
Main fields are described as follows:
■ LI: 2-bit leap indicator.
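The following Python is an added example, not code from the 3Com guide: it packs and parses the 48-byte message laid out in Figure 313 and applies the standard NTP offset and delay formulas (RFC 5905) to the Device A / Device B exchange described above. Only the four clock times come from the text; the date, stratum, poll and precision values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Figure 313 layout: LI/VN/Mode byte, Stratum, Poll, Precision, Root delay,
# Root dispersion, Reference identifier, then Reference/Originate/Receive/
# Transmit timestamps (64 bits each). The optional Authenticator follows.
HEADER_FMT = "!BBbbIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48 bytes


def datetime_to_ntp(dt):
    """Encode an aware datetime as a 64-bit NTP timestamp (seconds since 1900, 32.32 fixed point)."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = (delta.microseconds << 32) // 1_000_000
    return (seconds << 32) | fraction


def ntp_to_datetime(ts):
    """Decode a 64-bit NTP timestamp to an aware datetime (microsecond precision)."""
    seconds = ts >> 32
    micros = ((ts & 0xFFFFFFFF) * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def build_message(li, vn, mode, stratum, originate, receive, transmit,
                  poll=6, precision=-20, ref_id=0):
    """Pack a 48-byte NTP message (no authenticator); timestamps are aware datetimes."""
    flags = (li << 6) | (vn << 3) | mode
    return struct.pack(HEADER_FMT, flags, stratum, poll, precision,
                       0, 0, ref_id,                # root delay, root dispersion, reference id
                       datetime_to_ntp(receive),    # reference timestamp (constructed: last sync = now)
                       datetime_to_ntp(originate),
                       datetime_to_ntp(receive),
                       datetime_to_ntp(transmit))


def parse_message(packet):
    """Unpack the Figure 313 fields from the first 48 bytes of an NTP message."""
    if len(packet) < HEADER_LEN:
        raise ValueError("NTP message shorter than the 48-byte header")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {
        "li": flags >> 6, "vn": (flags >> 3) & 0x7, "mode": flags & 0x7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 65536.0,        # 16.16 fixed point, in seconds
        "root_dispersion": root_disp / 65536.0,
        "reference_id": ref_id,
        "reference": ntp_to_datetime(ref_ts),
        "originate": ntp_to_datetime(orig_ts),     # T1
        "receive": ntp_to_datetime(recv_ts),       # T2
        "transmit": ntp_to_datetime(xmit_ts),      # T3
    }


def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP formulas: offset = ((T2-T1)+(T3-T4))/2, delay = (T4-T1)-(T3-T2).
    Returns (offset, delay) in seconds; a positive offset means the server is ahead."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset.total_seconds(), delay.total_seconds()


def client_evaluate(reply, t4):
    """Client side: sanity-check a server reply, then compute offset and delay."""
    fields = parse_message(reply)
    if fields["mode"] != 4:                         # 4 = server in server/client mode
        raise ValueError("not a server reply (mode %d)" % fields["mode"])
    if not 1 <= fields["stratum"] <= 15:            # 0 = unspecified, 16 = unsynchronized
        raise ValueError("unusable stratum %d" % fields["stratum"])
    return offset_and_delay(fields["originate"], fields["receive"],
                            fields["transmit"], t4)


def example_reply():
    """The Device A / Device B exchange from the text; the date is constructed."""
    day = datetime(2005, 9, 19, tzinfo=timezone.utc)
    t1 = day.replace(hour=10, minute=0, second=0)   # message leaves Device A
    t2 = day.replace(hour=11, minute=0, second=1)   # arrives at Device B
    t3 = day.replace(hour=11, minute=0, second=2)   # leaves Device B
    t4 = day.replace(hour=10, minute=0, second=3)   # arrives back at Device A
    reply = build_message(li=0, vn=3, mode=4, stratum=2,
                          originate=t1, receive=t2, transmit=t3)
    return reply, t4


def example_exchange():
    """Offset and delay for the exchange above: Device B is 1 h ahead, round trip 2 s."""
    reply, t4 = example_reply()
    return client_evaluate(reply, t4)   # (3600.0, 2.0)


if __name__ == "__main__":
    offset, delay = example_exchange()
    print("offset %+.3f s, delay %.3f s" % (offset, delay))
```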
■ Receive Timestamp: the local time at which the request arrived at the service host.
■ Transmit Timestamp: the local time at which the reply departed the service host for the client.
■ Authenticator: authentication information.
Operation Modes of NTP
Devices running NTP can implement clock synchronization in one of the following modes:
Server/client mode
In server/client mode, a client can be synchronized to a server, but not vice versa.
Multiple Instances of NTP
The server/client mode and symmetric mode support multiple instances of NTP and thus support clock synchronization within an MPLS VPN network. Namely, network devices (CEs and PEs) at different physical locations can get their clocks synchronized through an MPLS VPN connection, as long as they are in the same VPN.
NTP Configuration Task List
during operation. A dynamic association will be removed if the system fails to receive messages from it for a specified period. In the server/client mode, for example, when you carry out a command to synchronize the time to a server, the system creates a static association, and the server just responds passively upon receipt of a message, rather than creating an association (static or dynamic).
Configuring NTP Broadcast Mode
To do... Use the command...
To do... Use the command... Remarks
Enter system view: system-view
Enter interface view: interface interface-type interface-number (Required; enter the interface used to send NTP broadcast messages.)
Configure the device to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid keyid | version number ]* (Required)
A broadcast server can synchronize broadcast clients only after its clock has been synchronized.
Configuring the Local Clock as a Reference Source
A network device can get its clock synchronized in one of the following two ways:
■ Synchronized to the local clock, which serves as the reference source.
■ Synchronized to another device on the network in any of the four NTP operation modes previously described.
If you configure both synchronization modes, the device will choose the optimal clock as the reference source.
Configuring the Maximum Number of Dynamic Sessions Allowed
Follow these steps to configure the maximum number of dynamic sessions allowed to be established locally:
To do... Use the command...
Configuring Access-Control Rights
Configuring NTP Authentication
Configuration Prerequisites
The NTP authentication feature should be enabled for a system running NTP in a network with high security requirements. This feature enhances network security by means of client-server key authentication, which prevents a client from synchronizing with a device that has failed authentication.
Displaying and Maintaining NTP
To do... Use the command...
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
# Specify Device A as the NTP server.
system-view
[DeviceB] ntp-service unicast-server 1.0.1.11
# (After the above configurations, Device B is synchronized to Device A.) View the NTP status of Device B after clock synchronization.
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 64.
Network diagram
Figure 315 Network diagram for NTP symmetric peers mode configuration (Device A, Device B and Device C; addresses 3.0.1.31/24, 3.0.1.32/24 and 3.0.1.33/24)
Configuration procedure
1 Configuration on Device A:
# Specify the local clock as the reference source, with the stratum level of 2.
system-view
[DeviceA] ntp-service refclock-master 2
2 Configuration on Device B:
# Specify Device A as the NTP server.
Clock precision: 2^7
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
As shown above, Device B has been synchronized to Device C, and the clock stratum level of Device B is 2, while that of Device C is 1.
# View the NTP session information of Device B, which shows that an association has been set up between Device B and Device C.
[SwitchC] interface vlan-interface 2
[SwitchC-Vlan-interface2] ntp-service broadcast-server
2 Configuration on Switch D:
# Enter system view.
system-view
# Enter VLAN-interface 2 view.
[SwitchD] interface vlan-interface 2
# Specify Switch D as the broadcast client.
[SwitchD-Vlan-interface2] ntp-service broadcast-client
3 Configuration on Switch A:
# Enter system view.
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 254 64 62 -16.0 32.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
Configuring NTP Multicast Mode
Network requirements
Switch C’s local clock is to be used as a reference source, with the stratum level of 2, and Switch C sends out multicast messages from VLAN-interface 2.
# View the NTP status of Switch D after clock synchronization.
[SwitchD-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.
[SwitchA-Vlan-interface3] ntp-service multicast-client
# View the NTP status of Switch A after clock synchronization.
[SwitchA-Vlan-interface3] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 40.00 ms
Root dispersion: 10.83 ms
Peer dispersion: 34.30 ms
Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.
system-view
# Enable NTP authentication on Device B.
[DeviceB] ntp-service authentication enable
[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
[DeviceB] ntp-service reliable authentication-keyid 42
[DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
Before Device B can synchronize its clock to that of Device A, you need to enable NTP authentication for Device A.
Configuring NTP Broadcast Mode with Authentication
Network requirements
Switch C’s local clock is to be used as a reference source, with the stratum level of 2, and Switch C sends out broadcast messages from VLAN-interface 2. Switch D is to act as a broadcast client receiving broadcast messages through VLAN-interface 2, with NTP authentication enabled on both the server and the client.
Network diagram
Figure 319 Network diagram for configuration of NTP broadcast mode with authentication (Vlan-int2 3.0.1.
[SwitchD] interface vlan-interface 2
[SwitchD-Vlan-interface2] ntp-service broadcast-client
Now, Switch D can receive broadcast messages through VLAN-interface 2, and Switch C can send broadcast messages through VLAN-interface 2. Upon receiving a broadcast message from Switch C, Switch D synchronizes its clock with that of Switch C.
# View the NTP status of Switch D after clock synchronization.
Network diagram
Figure 320 Network diagram for MPLS VPN time synchronization configuration (CE 1, CE 2 and CE 3 in VPN 1 and VPN 2, attached through PE 1, P and PE 2 across the MPLS backbone)
[CE2] display ntp-service trace
server 127.0.0.1,stratum 2, offset -0.013500, synch distance 0.03154
server 10.1.1.1,stratum 1, offset -0.506500, synch distance 0.03429
refid 127.127.1.0
Configuring MPLS VPN Time Synchronization in Symmetric Peers Mode
Network requirements
It is required that PE 2 can get synchronized to PE 1 in the symmetric peers mode, with PE 1 synchronized to the local reference source, having a clock stratum level of 1.
NQA CONFIGURATION 86
The term router and the icon router in this document refer to a router in a generic sense or an Ethernet switch running routing protocols.
Figure 321 Relationship between NQA client and NQA server (NQA client and NQA server connected over an IP network)
The NQA server listens for test requests originated by the NQA client and responds to these requests. The NQA server can respond to requests originated by the NQA client only when the NQA server is enabled and the corresponding destination address and port number are configured on the server.
Configuring NQA Tests
■ “Configuring the DHCP Test” on page 1093
■ “Configuring the FTP Test” on page 1094
■ “Configuring the HTTP Test” on page 1096
■ “Configuring the Jitter Test” on page 1098
■ “Configuring the SNMP Query Test” on page 1101
■ “Configuring the TCP Test” on page 1103
■ “Configuring the UDP Test” on page 1105
■ “Configuring the DLSw Test” on page 1107
Configuring the ICMP Test
The ICMP test is mainly used to test whether an NQA client can send packets to a specified
To do... Use the command... Remarks
View the test results: display nqa results [ admin-name operation-tag ] (Required. You can execute the command in any view.)
Configuration example
1 Network requirements
Use the NQA ICMP function to test whether the NQA client (Switch 1) can send packets to the specified destination (Switch 2) and to test the round-trip time of the packets.
■ Switch 1 serves as the NQA client, with the IP address being 10.1.1.1/16.
Extend result:
Packet lost in test: 0%
Failures due to Timeout: 0
Failures due to System Busy: 0
Failures due to Disconnect: 0
Failures due to No Connection: 0
Failures due to Sequence Error: 0
Failures due to Internal Error: 0
Failures due to Other Errors: 0
Configuring the DHCP Test
The DHCP test is mainly used to test the existence of a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the
Figure 323 Network diagram for the DHCP test (NQA client Switch A, Vlan-int2 10.1.1.1/16; DHCP server Switch B, Vlan-int2 10.1.1.2/16)
3 Configuration procedure
For the configuration of DHCP Server, refer to “DHCP Server Configuration” on page 721.
Perform the following configurations on Switch A:
# Enable the NQA client, create a DHCP test group, and configure related test parameters.
Configuration procedure
Follow these steps to configure the FTP test:
To do... Use the command...
2 Network diagram
Figure 324 Network diagram for the FTP test (NQA client Device A, 10.1.1.1/16, and FTP server Device B, 10.2.2.2/16, connected over an IP network)
3 Configuration procedure
For the configuration of FTP Server, refer to “FTP Configuration” on page 1037.
Perform the following configurations on Device A:
# Enable the NQA client, create an FTP test group, and configure related test parameters.
Configuration procedure
Follow these steps to configure the HTTP test:
To do... Use the command... Remarks
Enter system view: system-view
Enable the NQA client: nqa-agent enable (Required)
Create an NQA test group and enter its view: nqa admin-name operation-tag
Set the test type to HTTP: test-type http (Required)
Configure a destination address for a test: destination-ip ip-address (Required; here it is the IP address of the HTTP server.)
[Switch-nqa-admin-http] http-operation get
[Switch-nqa-admin-http] http-string /index.htm HTTP/1.0
# Enable the HTTP test.
[Switch-nqa-admin-http] test-enable
# View the test results with the display nqa results command.
[Switch-nqa-admin-http] display nqa results admin http
NQA entry(admin admin, tag http) test result:
Destination ip address: 10.2.2.
Configuration procedure
1 Configure the NQA server
Follow these steps to configure the NQA server for a jitter test:
To do... Use the command... Remarks
Enter system view: system-view
Enable the NQA server: nqa-server enable (Required)
Configure the UDP listening function on the NQA server: nqa-server udpecho ip-address port-number (Required; disabled by default. The listening IP address and port number must be the destination IP address and port on the NQA client.)
The number of probes made in a jitter test depends on the count command, while the number of test packets sent in each probe depends on the jitter-packetnum command.
Configuration example
1 Network requirements
Use the NQA jitter function to test the delay jitter of packet transmission between the local port (Device A) and the specified destination port (Device B).
2 Network diagram
Figure 326 Network diagram for the jitter test (NQA client and NQA server; 10.1.1.
Failures due to Sequence Error: 0
Failures due to Internal Error: 0
Failures due to Other Errors: 0
Jitter result:
RTT Number: 10
SD Maximal delay: 4
Min Positive SD: 1
Max Positive SD: 1
Positive SD Number: 1
Positive SD Sum: 1
Positive SD average: 0
Positive SD Square Sum: 1
Min Negative SD: 1
Max Negative SD: 6
Negative SD Number: 2
Negative SD Sum: 7
Negative SD average: 4
Negative SD Square Sum: 37
SD lost packets number: 0
Unknown result lost packet number: 0
Configuring the SN
Figure 327 Network diagram for the SNMP query test (NQA client Switch 1, 10.1.1.1/8, and SNMP agent Switch 2, 10.2.2.2/8, connected over an IP network)
3 Configuration procedure
■ Configure Switch 2.
# Enable the SNMP agent service and set the SNMP version to v2c, the read community to public, and the write community to private.
Failures due to Internal Error: 0
Failures due to Other Errors: 0
Configuring the TCP Test
CAUTION: It is not recommended to perform an NQA TCP test on ports 1 to 1023 (well-known ports). Otherwise, the NQA test will fail or the corresponding services on this port will be unavailable.
The TCP test is used to test the TCP connection between the client and the specified server and the setup time for the connection. The TCP test includes the TCP-Public test and the TCP-Private test.
# Enable the TCP test.
[Switch-nqa-admin-tcpprivate] test-enable
# View the test results with the display nqa results command.
[Switch-nqa-admin-tcpprivate] display nqa results admin tcpprivate
NQA entry(admin admin, tag tcpprivate) test result:
Destination ip address: 10.2.2.2
Send operation times: 1
Receive response times: 1
Min/Max/Average Round Trip Time: 1/1/1
Square-Sum of Round Trip Time: 1
Last succeeded test time: 2009-08-15 15:24:34.
To do... Use the command... Remarks
Configure the UDP listening function on the NQA server: nqa-server udpecho ip-address port-number (Required. The listening IP address and port number must be the destination IP address and port on the NQA client. If the test type is UDP-Public, the port number must be set to 7.)
2 Configure the NQA client
Follow these steps to configure the NQA client for the UDP test:
To do... Use the command...
2 Network diagram
Figure 329 Network diagram for the UDP-Private test (NQA client Switch 1, 10.1.1.1/8, and NQA server Switch 2, 10.2.2.2/8, connected over an IP network)
3 Configuration procedure
■ Configuration on Switch 2
# Enable the NQA server and configure the listening IP address and port number.
system-view
[Switch] nqa-server enable
[Switch] nqa-server udpecho 10.2.2.
(SNA) traffic over a TCP/IP network. The DLSw test is used to test the response time of the DLSw device.
Configuration prerequisites
Before the DLSw test, a TCP connection can be set up between the NQA client and the specified device.
Configuration procedure
Follow these steps to configure the DLSw test:
To do... Use the command...
# View the test results with the display nqa results command.
[Switch-nqa-admin-dlsw] display nqa results admin dlsw
NQA entry(admin admin, tag dlsw) test result:
Destination ip address: 10.2.2.2
Send operation times: 1
Receive response times: 1
Min/Max/Average Round Trip Time: 5/5/5
Square-Sum of Round Trip Time: 25
Last succeeded test time: 2006-06-07 13:25:45.
To do... Use the command... Remarks
Configure the interval of performing a cyclic test: frequency interval (Optional; no cyclic test is performed by default. This command is invalid for the DHCP test.)
Configure the number of probes in a test: count times (Optional; 1 by default. For the TCP test, a probe means a connection.)
Configure the NQA probe time-out time: timeout time
To do... Use the command... Remarks
Configure the source port of a test request packet: source-port port-number (Optional. You can specify a port as the source port of a test request packet; otherwise, the system automatically assigns a port to serve as the source port of the test request packet. This command is only valid for jitter, UDP, and SNMP tests.)
Enable the routing table bypass function: sendpacket passroute (Optional; disabled by default.)
To do... Use the command... Remarks
Configure the number of consecutive probe failures in an NQA test before a trap message is sent to indicate a probe failure: probe-failtimes times (Optional)
Displaying and Maintaining NQA
To do... Use the command...
87 HIGH AVAILABILITY CONFIGURATION
When configuring HA, go to these sections for information you are interested in:
■ “Introduction to HA” on page 1113
■ “Configuring HA” on page 1113
■ “Displaying and Maintaining HA” on page 1114
■ “HA Configuration Example” on page 1114
Introduction to HA
The High Availability (HA) feature can be used to achieve a higher degree of system availability.
To do... Use the command... Remarks
Manually configure switchover between the active card and standby card: slave switchover (Optional)
Manually configure the standby card restart: slave restart (Optional)
Enable Full Mesh forwarding enhance mode: fullmesh-enhance { enable | disable } (Optional; disabled by default.)
CAUTION:
■ The standby card does not support any system configuration commands.
Displaying and Maintaining HA
Configuration procedure
1 Download the update software
Using the remote online update commands, download the new application program to the active card. Use FTP, TFTP, or XModem to download the application program to the active card and save it in the flash.
2 Copy the software to the standby card
Assume the update application is platform.app, slot0 is the active card, and slot1 is the standby card.
copy platform.app slot1#flash:/platform.
[Sysname] xbar load-balance
# Enable Full Mesh mode.
[Sysname] fullmesh-enhance enable
# Check whether Full Mesh mode is activated.
INFORMATION CENTER CONFIGURATION 88
When configuring information center, go to these sections for information you are interested in:
■ “Information Center Overview” on page 1117
■ “Configuring Information Center” on page 1123
■ “Displaying and Maintaining Information Center” on page 1129
■ “Information Center Configuration Examples” on page 1129
Information Center Overview
Introduction to Information Center
Acting as the system information hub, information center classifies and manages system
Table 42 Severity description
Severity | Severity value | Description
errors | 3 | Error information
warnings | 4 | Warnings
notifications | 5 | Normal errors with important information
informational | 6 | Informational information to be recorded
debugging | 7 | Information generated during debugging
Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during filtering.
Table 43 Information channels and output directions
Information channel number | Default channel name | Default output direction
7 | Not specified | Not specified (Receives log, trap, and debug information)
8 | Not specified | Not specified (Receives log, trap, and debug information)
9 | channel9 | Log file (Receives log, trap, and debug information)
Configurations for the seven output directions function independently and take effect only after the information center is e
Table 44 Module name list
Module name | Description
HABP | 3Com Authentication Bypass Protocol module
Switch ClusteringS | 3Com Group Management Protocol Service module
HWCM | 3Com Configuration Management MIB module
IFNET | Interface management module
IGSP | IGMP Snooping module
IP | Internet Protocol module
ISIS | Intermediate System-to-Intermediate System intra-domain routing information exchange protocol module
L2INF | Interface management module
L2V
Table 44 Module name list
Module name | Description
RPR | Resilient Packet Ring module
RSA | Rivest, Shamir and Adleman module
RTPRO | Routing protocol module
SHELL | User interface module
SNMP | Simple Network Management Protocol module
SOCKET | Socket module
SSH | Secure Shell module
SYSM | System Manage veneer module
SYSMIB | System MIB module
TAC | Terminal Access Controller module
TELNET | Telnet module
UDPH | UDP Helper module
USERLOG | USER Calling Logging module
VF
Timestamp

Timestamp records the time when system information is generated to allow users to check and identify system events. Note that there is a space between the timestamp and sysname (host name) fields. The timestamp is in the format of Mmm dd hh:mm:ss yyyy, where
■ Mmm represents the month, and the available values are: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
Configuring Information Center

Setting to Output System Information to the Console

Setting to output system information to the console

To do...   Use the command...
Table 45 Default output rules for different output directions

Output direction   Modules allowed         LOG                           TRAP                          DEBUG
                                           Enabled/disabled   Severity   Enabled/disabled   Severity   Enabled/disabled   Severity
Log file           default (all modules)   Enabled            debugging  Enabled            debugging  Disabled           debugging

Enabling the display of system information on the console

After setting to output system information to the console, you need to enable the associated display functi
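The filtering rule stated above (a message whose severity value exceeds the channel threshold is dropped) combined with the per-direction log/trap/debug rules of Table 45 can be modelled in a few lines. This is an added example, not code from the 3Com guide; the severity values for the rows above "errors" (0 to 2) are the standard syslog levels and are assumed here, and the strict console rule is a constructed sample.

```python
# Added example (not from the 3Com guide): a model of information center
# output filtering. A message is output on a channel only if its module is
# allowed, its type (log/trap/debug) is enabled on that channel, and its
# severity value is not greater than the channel's configured threshold.
from dataclasses import dataclass, field
from typing import Optional

# Severity names and values from Table 42; 0-2 are the standard syslog
# levels below "errors" (assumed, not on this page of the guide).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


@dataclass
class TypeRule:
    enabled: bool
    severity: str = "debugging"  # threshold; "debugging" is the Table 45 default


@dataclass
class ChannelRule:
    modules: Optional[set] = None  # None means "default (all modules)"
    log: TypeRule = field(default_factory=lambda: TypeRule(True))
    trap: TypeRule = field(default_factory=lambda: TypeRule(True))
    debug: TypeRule = field(default_factory=lambda: TypeRule(False))


def passes(rule: ChannelRule, module: str, kind: str, severity: str) -> bool:
    """Return True if a message of this module/kind/severity is output."""
    if rule.modules is not None and module not in rule.modules:
        return False
    type_rule = getattr(rule, kind)  # kind is "log", "trap" or "debug"
    if not type_rule.enabled:
        return False
    # Severity value greater than the threshold is filtered out.
    return SEVERITY[severity] <= SEVERITY[type_rule.severity]


# Default rule for the "Log file" direction, as in Table 45.
LOGFILE_DEFAULT = ChannelRule()

# Constructed stricter rule: a console that only shows ARP and IP log
# messages of severity "errors" or worse, and no trap or debug output.
CONSOLE_STRICT = ChannelRule(modules={"ARP", "IP"},
                             log=TypeRule(True, "errors"),
                             trap=TypeRule(False),
                             debug=TypeRule(False))
```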
To do...   Use the command...
Setting to Output System Information to the Trap Buffer

To do...   Use the command...
Setting to Output System Information to the SNMP NMS

To do...   Use the command...
Setting to Save System Information to a Log File

With the log file feature enabled, the log information generated by the system can be saved to a specified directory at a predefined frequency. This allows you to check the operation history at any time to ensure that the device functions properly. Follow these steps to set to save system information to a log file:

To do...   Use the command...
Displaying and Maintaining Information Center

To do...                                Use the command...          Remarks
Enter system view                       system-view                 -
Enable synchronous information output   info-center synchronous     Required
                                                                    Disabled by default

■ If you do not input any information following the current command line prompt, the system does not display any command line prompt after system information output.
■ In the interaction mode, you are prompted for some information input.
Network diagram

Figure 331 Network diagram for outputting log information to a Unix log host (Device 1.1.0.1/16 – Internet – PC 1.2.0.1/16)

Configuration procedure

1 Configuring the device

# Enable information center.
system-view
[Sysname] info-center enable

# Specify the channel to output log information to the log host (loghost by default, optional).
[Sysname] info-center loghost 1.2.0.
# 3Com configuration messages
local4.info    /var/log/3Com/information

Be aware of the following issues while editing the /etc/syslog.conf file:
■ Comments must be on a separate line and must begin with the # sign.
■ The selector/action pair must be separated with a tab key, rather than a space.
■ No redundant spaces are allowed in the file name.
■ The device name and the accepted severity of log information specified by the /etc/syslog.
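The three editing rules listed above are easy to get wrong by hand and a mistake silently discards the switch's log messages on the host. The following added example (not from the 3Com guide) checks a syslog.conf text against exactly those rules; the sample configuration is constructed and contains the guide's local4.info entry plus two deliberately broken variants.

```python
# Added example (not from the 3Com guide): check /etc/syslog.conf lines
# against the rules the guide gives for the 3Com log host entry. This is not
# a full syslog.conf parser; it only enforces the three listed rules.
from typing import List


def check_syslog_conf(text: str) -> List[str]:
    """Return 'line N: problem' strings; an empty list means all rules hold."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # blank line
        if line.lstrip().startswith("#"):
            continue                      # a comment on its own line is fine
        if "#" in line:                   # trailing comment on a rule line
            problems.append(f"line {n}: comment must be on a separate line")
        if "\t" not in line:              # selector and action not tab-separated
            problems.append(f"line {n}: selector and action must be separated by a tab")
            continue
        selector, action = line.split("\t", 1)
        action = action.strip("\t")
        if " " in action:                 # redundant space inside the file name
            problems.append(f"line {n}: no spaces allowed in the file name {action!r}")
        if " " in selector.strip():
            problems.append(f"line {n}: selector {selector.strip()!r} contains a space")
    return problems


# Constructed sample: the guide's entry, then two broken variants.
SAMPLE = (
    "# 3Com configuration messages\n"
    "local4.info\t/var/log/3Com/information\n"
    "local4.info /var/log/3Com/information   # wrong: space, inline comment\n"
    "local5.info\t/var/log/3Com/ information\n"
)

if __name__ == "__main__":
    for problem in check_syslog_conf(SAMPLE):
        print(problem)
```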
# Disable the output of log, trap, and debug information of all modules to the log host.
Outputting Log Information to the Console

Network requirements
■ Log information with a severity higher than informational will be output to the console;
■ The source modules are ARP and IP.

Network diagram

Figure 333 Network diagram for sending log information to the console (Console PC – Device)

Configuration procedure

# Enable information center.