Configuration Guide Gigabit Ethernet L3 Stackable Managed Switch with 10GbE Uplink SGS-6341 Series www.PLANET.com.
Trademarks Copyright © PLANET Technology Corp. 2017. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners. Disclaimer PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
Configuration Guide of SGS-6341-Series

Contents

CHAPTER 1 INTRODUCTION 1-20
1.1 PACKET CONTENTS 1-20
1.2 PRODUCT DESCRIPTION 1-21
1.3 PRODUCT FEATURES ...
4.4.4 SNMP Configuration 4-9
4.4.5 Typical SNMP Configuration Examples 4-11
4.4.6 SNMP Troubleshooting 4-13
4.5 SWITCH UPGRADE ...
10.2 ULDP CONFIGURATION TASK SEQUENCE 10-2
10.3 ULDP FUNCTION TYPICAL EXAMPLES 10-5
10.4 ULDP TROUBLESHOOTING 10-6
CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION ...
15.3 DOT1Q-TUNNEL CONFIGURATION 15-21
15.3.1 Introduction to Dot1q-tunnel 15-21
15.3.2 Dot1q-tunnel Configuration 15-22
15.3.3 Typical Applications of the Dot1q-tunnel ...
18.1.1 QoS Terms 18-1
18.1.2 QoS Implementation 18-2
18.1.3 Basic QoS Model 18-3
18.2 QOS CONFIGURATION TASK LIST ...
22.3.1 Introduction to IP Forwarding 22-44
22.3.2 IP Route Aggregation Configuration Task 22-44
22.4 URPF 22-44
22.4.1 Introduction to URPF ...
27.1 INTRODUCTION TO GRATUITOUS ARP 27-62
27.2 GRATUITOUS ARP CONFIGURATION TASK LIST 27-62
27.3 GRATUITOUS ARP CONFIGURATION EXAMPLE 27-63
27.4 GRATUITOUS ARP TROUBLESHOOTING ...
32.3 DHCPV6 OPTION37, 38 EXAMPLES 32-14
32.3.1 DHCPv6 Snooping option37, 38 Example 32-14
32.3.2 DHCPv6 Snooping option37, 38 Example 32-15
32.4 DHCPV6 OPTION37, 38 TROUBLESHOOTING ...
37.1 INTRODUCTION TO RIPNG 37-1
37.2 RIPNG CONFIGURATION TASK LIST 37-2
37.3 RIPNG CONFIGURATION EXAMPLES 37-7
37.3.1 Typical RIPng Examples ...
CHAPTER 42 BLACK HOLE ROUTING MANUAL 42-1
42.1 INTRODUCTION TO BLACK HOLE ROUTING 42-1
42.2 IPV4 BLACK HOLE ROUTING CONFIGURATION TASK 42-1
42.3 IPV6 BLACK HOLE ROUTING CONFIGURATION TASK ...
47.3 OSPF GR EXAMPLE 47-18
47.4 OSPF GR TROUBLESHOOTING 47-19
CHAPTER 48 IPV4 MULTICAST PROTOCOL 48-1
48.1 IPV4 MULTICAST PROTOCOL OVERVIEW ...
48.8 DCSCM 48-37
48.8.1 Introduction to DCSCM 48-37
48.8.2 DCSCM Configuration Task List 48-38
48.8.3 DCSCM Configuration Examples ...
49.5.1 Introduction to IPv6 DCSCM 49-20
49.5.2 IPv6 DCSCM Configuration Task Sequence 49-21
49.5.3 IPv6 DCSCM Typical Examples 49-23
49.5.4 IPv6 DCSCM Troubleshooting ...
52.3.3 Examples of IPv6 Radius Application 52-18
52.4 802.1X TROUBLESHOOTING 52-19
CHAPTER 53 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION 53-1
53. ...
CHAPTER 58 IPV6 SECURITY RA CONFIGURATION 58-1
58.1 INTRODUCTION TO IPV6 SECURITY RA 58-1
58.2 IPV6 SECURITY RA CONFIGURATION TASK SEQUENCE 58-1
58.3 IPV6 SECURITY RA TYPICAL EXAMPLES ...
CHAPTER 64 VRRP CONFIGURATION 64-28
64.1 INTRODUCTION TO VRRP 64-28
64.2 VRRP CONFIGURATION TASK LIST 64-29
64.3 VRRP TYPICAL EXAMPLES ...
69.1 INTRODUCTION TO MIRROR 69-5
69.2 MIRROR CONFIGURATION TASK LIST 69-5
69.3 MIRROR EXAMPLES 69-6
69.4 DEVICE MIRROR TROUBLESHOOTING ...
CHAPTER 76 MONITOR AND DEBUG 76-1
76.1 PING 76-1
76.2 PING6 76-1
76.3 TRACEROUTE ...
80.4 POE TROUBLESHOOTING HELP 80-4
CHAPTER 81 SWITCH OPERATION 81-5
81.1 ADDRESS TABLE 81-5
81.2 LEARNING ...
Chapter 1 INTRODUCTION

Thank you for purchasing the PLANET Industrial L3 Managed Gigabit/10 Gigabit Ethernet Switch. The models covered by this guide are listed below:

SGS-6341-24T4X: Layer 3 24-Port 10/100/1000T + 4-Port 10G SFP+ Stackable Managed Switch
SGS-6341-24P4X: Layer 3 24-Port 10/100/1000T 802.3at PoE + 4-Port 10G SFP+ Stackable Managed Switch (370W)
SGS-6341-48T4X: Layer 3 48-Port 10/100/1000T + 4-Port 10G SFP+ Stackable Managed Switch

1.
1.2 Product Description

Powerful Layer 3 Gigabit Routing and Power over Ethernet Solution
The PLANET SGS-6341 Series is a Layer 3 Stackable Managed Gigabit Switch that provides high-density performance, Layer 3 static routing, RIP (Routing Information Protocol) and OSPF (Open Shortest Path First).
Full IPv6 Support
The SGS-6341 Series provides IPv6 management and enterprise-level security features such as SSH, ACL, WRR and RADIUS authentication, helping enterprises move into the IPv6 era with minimal investment. In addition, existing network facilities need not be replaced when an IPv6 FTTx edge network is built.
Intelligent SFP Diagnosis Mechanism
The SGS-6341 Series supports the SFP-DDM (Digital Diagnostic Monitor) function, which lets network administrators monitor real-time parameters of the SFP and SFP+ transceivers, such as optical output power, optical input power, temperature, laser bias current and transceiver supply voltage.
... including VoIP and wireless LAN. In line with the worldwide trend toward energy saving and environmental protection, the SGS-6341-24P4X can control its power supply in addition to delivering high-wattage power. The "PoE schedule" function enables or disables PoE power feeding on each PoE port during specified time intervals, helping SMBs and enterprises save energy and budget.
1.3 Product Features

Physical Port
SGS-6341-24T4X
- 24-port 10/100/1000BASE-T Gigabit Ethernet RJ45
- 4 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP
- RJ45 to DB9 console interface for switch basic management and setup
SGS-6341-24P4X
- 24-port 10/100/1000BASE-T Gigabit Ethernet RJ45 with 24-port IEEE 802. ...
Multicast Routing Features
- Supports PIM-DM (Protocol Independent Multicast – Dense Mode), PIM-SM (Protocol Independent Multicast – Sparse Mode) and PIM-SSM (Protocol Independent Multicast – Source Specific Multicast)
- Supports DVMRP (Distance Vector Multicast Routing Protocol)
- Supports IGMP v1/v2/v3 and MLD v1/v2

Layer 2 Features
- Complies with the IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802. ...
  - Port-based WRR
- Strict priority and WRR CoS policies

Multicast
- Supports IPv4 IGMP snooping v1, v2 and v3; IPv6 MLD v1 and v2 snooping
- Querier mode support
- Supports Multicast VLAN Register (MVR)

Security
- IEEE 802. ...
- Supports MIB and TRAP
- Supports IPv4/IPv6 FTP/TFTP
- Supports IPv4/IPv6 NTP
- Supports RMON 1, 2, 3, 9 four groups
- Supports RADIUS authentication for IPv4/IPv6 Telnet user name and password
- Supports IPv4/IPv6 SSH
- Supports configuration for users to adopt RADIUS server shell management
- Supports CLI, console, Telnet
- Supports SNMP v1, v2c and v3
- Supports the Security IP management function: prevents logins from addresses outside the permitted range
- Supports Syslog server for ...
- IP subnet VLAN

Bandwidth Control
- TX/RX/Both

Link Aggregation
- IEEE 802.3ad LACP/static trunk
- Supports 12 groups with 8 ports per trunk group

QoS
- 8 priority queues on all switch ports
- Supports strict priority and Weighted Round Robin (WRR) CoS policies
- Traffic classification:
  - IEEE 802. ...
- IEEE 802.3u 100BASE-TX
- IEEE 802.3z Gigabit 1000BASE-SX/LX
- IEEE 802.3ab Gigabit 1000BASE-T
- IEEE 802.3ae 10Gb/s Ethernet
- IEEE 802.3x flow control and back pressure
- IEEE 802.3ad port trunk with LACP
- IEEE 802.1D Spanning Tree Protocol
- IEEE 802.1w Rapid Spanning Tree Protocol
- IEEE 802.1s Multiple Spanning Tree Protocol
- IEEE 802.1p Class of Service
- IEEE 802.1Q VLAN tagging
- IEEE 802.1X port authentication network control
- IEEE 802.1ab LLDP
- IEEE 802. ...
Chapter 2 INSTALLATION

This section describes the hardware features and installation of the Managed Switch on a desktop or in a rack. For easier management and control of the Managed Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter show the unit's LED indicators. Before connecting any network device to the Managed Switch, please read this chapter completely.

2.1 Hardware Description
2.1.
... setting, factory reset, port management, link status and system setting. Users can use the RS232 cable included in the package to connect to the console port on the device. After connecting, users can run any terminal emulation program (HyperTerminal, ProComm Plus, Telix, Winterm and so on) to reach the startup screen of the device.

■ USB Interface
The USB port is a USB 2.0 type; it is an interface for uploading/restoring the configuration/firmware.
LED | Color | Function
MGMT | Green | Lights: To indicate the link through that port is successfully established.
 | | Blinks: To indicate that the port is active.
 | Off | No connection.

■ 10/100/1000BASE-T Interfaces (Port-1 to Port-24)
LED | Color | Function
LNK/ACT | Green | Lights: To indicate the link through that port is successfully established.
 | | Blinks: To indicate that the switch is actively sending or receiving data over that port.
 | | Blinks: To indicate that the switch is actively sending or receiving data over that port.
PoE | Green | Lights: To indicate the port is providing DC in-line power with PoE+.

■ 1/10G SFP+ Interfaces (Port-25 to Port-28)
LED | Color | Function
LNK/ACT | Green | Lights: To indicate the link through that port is successfully established.
 | | Blinks: To indicate that the switch is actively sending or receiving data over that port.
2.1.
2.2 Switch Installation
This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps.
2.2.
Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch and the power plug to a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid green.
2.2.
Figure 2-2-3 Mounting SGS-6341 Series in a Rack

Step 6: Proceed with Steps 4 and 5 of Section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch.

2.2.3 Installing the SFP/SFP+ Transceiver
This section describes how to insert an SFP/SFP+ transceiver into an SFP/SFP+ slot. The SFP/SFP+ transceivers are hot-pluggable and hot-swappable.
Approved PLANET SFP/SFP+ Transceivers
The PLANET Managed Switch supports both single-mode and multi-mode SFP/SFP+ transceivers.
10Gbps SFP+ (10G Ethernet/10GBASE)
Model | Speed (Mbps) | Connector Interface | Fiber Mode | Distance | Wavelength (nm) | Operating Temp.
MTB-SR | 10G | LC | Multi Mode | Up to 300m | 850nm | 0 ~ 60 degrees C
MTB-LR | 10G | LC | Single Mode | 10km | 1310nm | 0 ~ 60 degrees C

10Gbps SFP+ (10GBASE-BX, Single Fiber Bi-directional SFP)
Model | Speed (Mbps) | Connector Interface | Fiber Mode | Distance | Wavelength (TX) | Wavelength (RX) | Operating Temp.
Figure 2-17: How to Pull Out the SFP/SFP+ Transceiver

Never pull out the module without lifting the lever of the module and turning it to a horizontal position. Pulling the module out directly could damage the module and the SFP/SFP+ module slot of the Managed Switch.
Chapter 3 Switch Management

3.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.

3.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
Figure 3-2 Opening HyperTerminal
2) Type a name for the HyperTerminal session, such as "Switch".
3) In the "Connecting using" field, select the RS232 serial port used by the PC, e.g. COM1, and click "OK".
Figure 3-4 Opening HyperTerminal
4) The COM1 properties dialog appears. Select "115200" for "Baud rate", "8" for "Data bits", "none" for "Parity checksum", "1" for "Stop bits" and "none" for "traffic control"; or click "Restore default" and then "OK".
Step 3: Entering the switch CLI interface
Power on the switch. The following appears in the HyperTerminal window; this is the CLI configuration mode of the switch.

Testing RAM...
0x077C0000 RAM OK
Loading MiniBootROM...
Attaching to file system ...
Loading nos.img ... done.
Booting......
Starting at 0x10000...
Attaching to file system ...
……
--- Performing Power-On Self Tests (POST) ---
DRAM Test....................PASS!
PCI Device 1 Test............PASS!
FLASH Test......
... such as a router. The switch is a Layer 3 switch that can be configured with several IPv4/IPv6 addresses; refer to the relevant chapter for the configuration method. The following example assumes the switch is in its shipped state, where only VLAN1 exists in the system.
Figure 3-7 Run the telnet client program included in Windows

Step 3: Log in to the switch.
Log in to the Telnet configuration interface. A valid login name and password are required; otherwise the switch will reject Telnet access. This protects the switch from unauthorized access.
Figure 3-8 Telnet Configuration Interface
3.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
1) The switch has an IPv4/IPv6 address configured;
2) The host IPv4/IPv6 address (HTTP client) and the switch's VLAN interface IPv4/IPv6 address are in the same network segment;
3) If 2) is not met, the HTTP client should reach an IPv4/IPv6 address of the switch via other devices, such as a router.
Switch>enable
Switch#config
Switch(config)#username admin privilege 15 password 0 admin
Switch(config)#authentication line web login local

The Web login interface of the SGS-6341-24T4X, SGS-6341-48T4X and SGS-6341-24P4X is shown below:
Figure 3-10 Web Login Interface
Enter the correct username and password, and the main Web configuration interface shown below appears.
When configuring the switch, the name of the switch is composed of English letters.
3.1.2.
3.2 CLI Interface
The switch provides these management interfaces for users: the CLI (Command Line Interface), the Web interface and SNMP network management software. This guide introduces the CLI interface and the Web configuration interface in detail. The Web interface offers the same functions as the CLI and is not covered separately. For SNMP, please refer to the "SNMP network management software user manual". The CLI interface is familiar to most users.
3.2.1.1 User Mode
On entering the CLI interface, the user first enters the user entry system. A common user is placed in User Mode by default. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode. When the exit command is run in Admin Mode, the CLI also returns to User Mode. In User Mode, no configuration of the switch is allowed; only the clock time and version information of the switch can be queried.
3.2.1.
VLAN Mode
Use the vlan command in Global Mode to enter the corresponding VLAN Mode. In VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command to leave VLAN Mode and return to Global Mode.

DHCP Address Pool Mode
Type the ip dhcp pool command in Global Mode to enter DHCP Address Pool Mode, prompt "Switch(Config--dhcp)#". DHCP address pool properties can be configured in DHCP Address Pool Mode.
Here are examples of some actual configuration commands:
- show version: no parameters required. This is a command with only a keyword and no parameter; just type in the command to run it.
- vlan: a parameter value (the VLAN ID) is required after the keyword.
- firewall {enable | disable}: the user can enter firewall enable or firewall disable for this command.
3.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate user configuration, such as Up, Down, Left, Right and Blank Space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.

Key(s) | Function
Back Space | Delete the character before the cursor; the cursor moves back.
Up "↑" | Show the previous command entered. Up to ten recently entered commands can be shown.
Down "↓" | Show the next command entered.
3.2.5 Input Verification
3.2.5.1 Returned Information: successful
All commands entered through the keyboard undergo a syntax check by the Shell. Nothing is returned if the user entered a correct command in the corresponding mode and the execution was successful.

Returned Information: error
Output error message | Explanation
Unrecognized command or illegal parameter! | The entered command does not exist, or there is an error in parameter scope, type or format.
Chapter 4 Basic Switch Configuration

4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting admin mode, entering and exiting interface mode, configuring and displaying the switch clock, displaying the version information of the switch system, etc.

Command | Explanation
Normal User Mode/Admin Mode
enable / disable | The user uses the enable command to step into admin mode from normal user mode. The disable command exits admin mode.
4.2 Telnet Management
4.2.1 Telnet
4.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user's keystrokes to the remote host and the remote host's output to the user's screen over a TCP connection. This is a transparent service: to the user, the keyboard and monitor seem to be connected to the remote host directly.
no authentication securityipv6 | ... switch through Telnet; the no command deletes the authorized Telnet secure address.
authentication ip access-class { | } / no authentication ip access-class | Bind a standard IP ACL to Telnet/SSH/Web login; the no form of the command cancels the bound ACL.
4.2.2.2 SSH Server Configuration Task List
SSH Server Configuration
Command | Explanation
Global Mode
ssh-server enable / no ssh-server enable | Enable the SSH function on the switch; the "no ssh-server enable" command disables the SSH function.
ssh-user password {0 | 7} / no ssh-user | Configure the username and password that SSH client software uses to log on to the switch; the "no ssh-user" command deletes the username.
ssh-server timeout / no ssh-server timeout |
Switch(Config-if-Vlan1)#exit
Switch(config)#ssh-user test password 0 test

In IPv6 networks, the terminal should run IPv6-capable SSH client software, such as putty6. Users need make no changes to the switch configuration other than allocating an IPv6 address to the local host.

4.3 Configuration of Switch IP Addresses
All Ethernet ports of the switch default to Data Link layer ports and perform layer 2 forwarding.
ip address [secondary] / no ip address [secondary] | ... ; the no ip address command deletes the VLAN interface IP address.
ipv6 address [eui-64] / no ipv6 address | Configure the IPv6 unicast address, site-local address or link-local address; the no command deletes the address.
3.
The communication between NMS and Agent works in Client/Server mode by exchanging standard messages: the NMS sends a request and the Agent responds. There are seven types of SNMP message:
- Get-Request
- Get-Response
- Get-Next-Request
- Get-Bulk-Request
- Set-Request
- Trap
- Inform-Request
The NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages; the Agent, upon receiving the requests, replies with a Get-Response message.
Figure 4-1 ASN.1 Tree Instance

In this figure, the OID of object A is 1.2.1.1. The NMS can locate this object through this unique OID and read the standard variables of the object. The MIB defines a set of standard variables for monitored network devices by following this structure. To browse the variable information in the Agent's MIB, MIB browser software must be run on the NMS. The MIB in the Agent usually consists of a public MIB and a private MIB.
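The following Python program is an added example, not code from the PLANET guide: it shows how an OID such as the 1.2.1.1 of object A above is carried in an SNMP message as a BER OBJECT IDENTIFIER (X.690), how an Agent decodes it while rejecting truncated input, and how the Agent answers a Get-Next-Request by walking its MIB in numeric arc order rather than string order. DEMO_MIB is a constructed table; the "1.3.6.1.2.1.1.10.0" entry is a hypothetical instance present only to show the ordering rule.

```python
"""BER encoding of SNMP object identifiers and Get-Next lookup (added example)."""
from __future__ import annotations


def _encode_length(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    payload = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(payload)]) + payload


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    # X.690 8.19.4: the first two arcs share one sub-identifier, 40*X + Y.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        # Base-128 groups, most significant first; bit 7 set on all but the last.
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append((sid & 0x7F) | 0x80)
            sid >>= 7
        body.extend(reversed(groups))
    return b"\x06" + _encode_length(len(body)) + bytes(body)


def _decode_length(data: bytes, offset: int) -> tuple[int, int]:
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    count = first & 0x7F
    if count == 0 or offset + 1 + count > len(data):
        raise ValueError("malformed length")
    return int.from_bytes(data[offset + 1:offset + 1 + count], "big"), offset + 1 + count


def decode_oid(data: bytes) -> str:
    """Decode an OBJECT IDENTIFIER TLV; rejects truncated or unterminated input."""
    if len(data) < 2 or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, offset = _decode_length(data, 1)
    body = data[offset:offset + length]
    if length == 0 or len(body) != length or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def is_valid_oid_tlv(data: bytes) -> bool:
    """True when `data` is one well-formed OBJECT IDENTIFIER TLV."""
    try:
        decode_oid(data)
        return True
    except ValueError:
        return False


def oid_key(oid: str) -> tuple[int, ...]:
    """Sort key: OIDs order by arc values, not by string (x.10 follows x.9)."""
    return tuple(int(a) for a in oid.strip(".").split("."))


# Constructed MIB: MIB-II system-group instances as an agent might hold them,
# plus one hypothetical ".10.0" instance to show numeric ordering.
DEMO_MIB = {
    "1.3.6.1.2.1.1.1.0": "SGS-6341-24T4X",   # sysDescr
    "1.3.6.1.2.1.1.3.0": 123456,             # sysUpTime
    "1.3.6.1.2.1.1.5.0": "Switch",           # sysName
    "1.3.6.1.2.1.1.10.0": "constructed",     # hypothetical, ordering demo only
}


def get_next(mib: dict[str, object], oid: str) -> tuple[str, object] | None:
    """Answer a Get-Next-Request: the first object whose OID sorts after `oid`."""
    for candidate in sorted(mib, key=oid_key):
        if oid_key(candidate) > oid_key(oid):
            return candidate, mib[candidate]
    return None  # end of MIB view


if __name__ == "__main__":
    print(encode_oid("1.2.1.1").hex())             # object A from Figure 4-1
    print(get_next(DEMO_MIB, "1.3.6.1.2.1.1.9.0"))
```

The decoder checks the declared length against the bytes actually present and refuses a final byte with the continuation bit set; an Agent that skips those checks can be made to read past the buffer by a malformed request, which is why the same structure is worth reproducing in any MIB browser or agent you write.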
Alarm depends on the implementation of Event. Statistics and History display current or historical subnet statistics. Alarm and Event provide a method to monitor any integer data change in the network and to raise alerts upon abnormal events (sending a Trap or recording in logs).

4.4.4 SNMP Configuration
4.4.4.1 SNMP Configuration Task List
1. Enable or disable the SNMP Agent server function
2. Configure SNMP community string
3. Configure IP address of SNMP management base
4. Configure engine ID
5.
3. Configure IP address of SNMP management base
Command | Explanation
Global Mode
snmp-server securityip { | } / no snmp-server securityip { | } | Configure the secure IPv4/IPv6 address of the NMS that is allowed to access the switch; the no command deletes the configured secure address.
snmp-server securityip enable / snmp-server securityip disable | Enable or disable the secure IP address check function for the NMS.
4.
7. Configure view
Command | Explanation
Global Mode
snmp-server view {include|exclude} / no snmp-server view [] | Configure a view on the switch. This command is used for SNMP v3.

8. Configuring TRAP
Command | Explanation
Global Mode
snmp-server enable traps / no snmp-server enable traps | Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3.
Scenario 2: The NMS will receive Trap messages from the switch (Note: the NMS may verify a community string on Trap messages. In this scenario, the NMS uses a Trap verification community string of usertrap). The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps

Scenario 3: The NMS uses SNMP v3 to obtain information from the switch.
Switch(config)#snmp-server host 2004:1:2:3::2 v1 dcstrap
Switch(config)#snmp-server enable traps

4.4.6 SNMP Troubleshooting
When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration, etc. Users can troubleshoot the problem by checking the following:
- Good condition of the physical connection.
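The configuration lines in the Web login example (section 3.1.2.2), the SSH example (4.2.2) and the SNMP scenarios above are the kind of thing a reviewer checks before a switch goes into production. The Python script below is an added example, not PLANET's own code or tooling: it reads CLI lines in the form this guide prints and reports settings the guide itself documents alternatives for, namely password type 0 versus 7, SNMP v1/v2c trap targets where the community string is the only credential (scenario 3 shows v3 is available), a missing snmp-server securityip address (task 3 of the task list), and login services with no authentication securityip or ip access-class binding (section 4.2). Both configurations are constructed for the demo from the page's own commands; the "password 7" strings are placeholders, not values produced by a device, and 1.1.1.5 stands in for the NMS.

```python
"""Review switch management settings from CLI lines (added example, not PLANET code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the page's own command lines joined into one configuration.
SAMPLE_CONFIG = """\
Switch(config)#username admin privilege 15 password 0 admin
Switch(config)#authentication line web login local
Switch(config)#ssh-server enable
Switch(config)#ssh-user test password 0 test
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps
"""

# The same configuration after review (constructed; PLACEHOLDER-ENCRYPTED is not a real type-7 string).
HARDENED_CONFIG = """\
Switch(config)#username admin privilege 15 password 7 PLACEHOLDER-ENCRYPTED
Switch(config)#authentication line web login local
Switch(config)#authentication securityip 1.1.1.5
Switch(config)#ssh-server enable
Switch(config)#ssh-user test password 7 PLACEHOLDER-ENCRYPTED
Switch(config)#snmp-server enable
Switch(config)#snmp-server securityip 1.1.1.5
Switch(config)#snmp-server securityip enable
Switch(config)#snmp-server enable traps
"""

PROMPT = re.compile(r"^\S+?\([^)]*\)#")  # "Switch(config)#", "Switch(Config-if-Vlan1)#"
PASSWORD_0 = re.compile(r"^(username|ssh-user)\s+(\S+)\s.*?\bpassword\s+0\s+(\S+)")
TRAP_HOST = re.compile(r"^snmp-server\s+host\s+(\S+)\s+(v1|v2c)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    command: str
    message: str


def commands(text: str) -> list[str]:
    """Strip prompts and blank lines, leaving bare CLI commands."""
    cmds = []
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw.strip()).strip()
        if cmd:
            cmds.append(cmd)
    return cmds


def review_config(text: str) -> list[Finding]:
    cmds = commands(text)
    findings: list[Finding] = []
    for cmd in cmds:
        m = PASSWORD_0.match(cmd)
        if m:
            account, secret = m.group(2), m.group(3)
            findings.append(Finding(cmd, f"{account}: type 0 password is kept in cleartext in the configuration"))
            if secret == account:
                findings.append(Finding(cmd, f"{account}: password is identical to the username"))
        m = TRAP_HOST.match(cmd)
        if m:
            host, version = m.group(1), m.group(2)
            findings.append(Finding(cmd, f"trap target {host}: SNMP {version} authenticates only by community string, sent in cleartext; use v3"))
        if cmd == "snmp-server securityip disable":
            findings.append(Finding(cmd, "secure IP check for the SNMP agent is explicitly disabled"))

    # Agent enabled but no NMS address permitted (task 3 of the SNMP task list).
    securityip_addrs = [c for c in cmds
                        if c.startswith("snmp-server securityip ")
                        and c.split()[2] not in ("enable", "disable")]
    if "snmp-server enable" in cmds and not securityip_addrs:
        findings.append(Finding("snmp-server enable", "no snmp-server securityip address: any host may query the agent"))

    # Login services reachable from any source address (section 4.2 commands).
    login_restricted = any(c.startswith(("authentication securityip", "authentication ip access-class")) for c in cmds)
    has_login = "ssh-server enable" in cmds or any(c.startswith(("username ", "ssh-user ")) for c in cmds)
    if has_login and not login_restricted:
        findings.append(Finding("(global)", "no authentication securityip / ip access-class: Telnet, SSH and Web login accept any source"))
    return findings


if __name__ == "__main__":
    for f in review_config(SAMPLE_CONFIG):
        print(f"{f.command:55} {f.message}")
    print("hardened:", review_config(HARDENED_CONFIG))
```

Run over the sample it reports seven findings; the hardened version passes. The rules are deliberately limited to what this chapter documents, so extend the regular expressions rather than the logic when checking other sections of the guide.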
4.5.2 BootROM Upgrade
There are two methods for BootROM upgrade, TFTP and FTP, which can be selected in the BootROM command settings.
Figure 4-2 Typical topology for switch upgrade in BootROM mode (console cable connection)
The upgrade procedure is listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch.
Step 4: Enable the FTP/TFTP server on the PC. For TFTP, run a TFTP server program; for FTP, run an FTP server program. Before downloading the upgrade file to the switch, verify connectivity between the server and the switch by pinging from the server. If the ping succeeds, run the "load" command in BootROM mode on the switch; if it fails, troubleshoot to find the cause. The following loads the system update image file.
[Boot]: load nos.img
Loading...
Step 8: The following loads the update file config.rom; the basic environment is the same as in Step 4.
[Boot]: load config.rom
Loading...
Loading file ok!
Step 9: Execute write flash:/config.rom in BootROM mode. The following saves the update file.
[Boot]: write flash:/config.rom
File exists, overwrite? (Y/N)[N] y
Writing flash:/config.rom...
Write flash:/config.rom OK.
4.5.3 FTP/TFTP Upgrade
4.5.3.1 Introduction to FTP/TFTP
FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols belonging to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, and between hosts and switches. Both transfer files in a client-server model. Their differences are listed below. FTP builds upon TCP to provide a reliable, connection-oriented data stream transfer service.
System file: includes the system image file and the boot file. System image file: the compressed file containing the switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. In the switch, the system image file may only be saved in FLASH. The switch mandates that the name of the system image file uploaded via FTP in Global Mode be nos.img; other IMAGE system file names will be rejected.
(3) Modify FTP server connection idle time
(4) Shut down FTP server
3. TFTP server configuration
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server

1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file (Admin Mode)
  copy: FTP/TFTP client upload/download file.
(3) Modify FTP server connection idle time (Global Mode)
  ftp-server timeout: Set connection idle time.
3. TFTP server configuration
(1) Start TFTP server (Global Mode)
  tftp-server enable / no tftp-server enable: Start the TFTP server; the no command shuts down the TFTP server and prevents TFTP users from logging in.
4.5.3.3 FTP/TFTP Configuration Examples
The switch configuration is the same for IPv4 addresses and IPv6 addresses; the example covers only the IPv4 address configuration.
[Figure 4-3 Download nos.img file as FTP/TFTP client: switch (10.1.1.2) connected to the FTP/TFTP server PC (10.1.1.1)]
Scenario 1: The switch is used as FTP/TFTP client. The switch connects from one of its ports to a computer, which is an FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as an FTP/TFTP client, and the IP address of the switch management VLAN is 10.1.1.2.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img
Scenario 2: The switch is used as FTP server. The switch operates as the FTP server and connects from one of its ports to a computer, which is an FTP client. Transfer the “nos.
FTP Configuration
PC side: Start the FTP server software on the PC and set the username “Switch” and the password “Admin”.
Switch:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch#copy ftp://Switch:superuser@10.1.1.1
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
4.5.3.4 FTP/TFTP Troubleshooting
4.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the “ping” command to verify the connectivity between the FTP client and server before running the FTP program. If the ping fails, you will need to check the appropriate troubleshooting information to recover the link connectivity. The following is what the message displays when files are successfully transferred.
4.5.3.4.2 TFTP Troubleshooting
When uploading/downloading a system file with the TFTP protocol, the connectivity of the link must be ensured, i.e., use the “ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If the ping fails, you will need to check the appropriate troubleshooting information to recover the link connectivity. The following is the message displayed when files are successfully transferred.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files in Flash can be copied, deleted, or renamed in Shell or BootROM mode.
5.2 File System Operation Configuration Task List
1. The formatting operation of storage devices
2.
4. Changing the current working directory of the storage device (Admin Configuration Mode)
  cd: Change the current working directory of the storage device.
5. The display operation of the current working directory (Admin Configuration Mode)
  pwd: Display the current working directory.
6.
5.4 Troubleshooting
If errors occur when users try to perform file system operations, please check whether they are caused by the following reasons:
Whether file names or paths are entered correctly.
When renaming a file, whether it is in use or the new file name is already used by an existing file or directory.
Chapter 6 Cluster Configuration
6.1 Introduction to Cluster Network Management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which manage the target switches directly from a management workstation, cluster network management implements direct management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches.
5) Clear the list of candidate switches maintained by the switch
4. Configure attributes of the cluster in the candidate switch
1) Set the time interval of keep-alive messages of the cluster
2) Set the max number of lost keep-alive messages that can be tolerated in the cluster
5. Remote cluster network management
1) Remote configuration management
2) Remotely upgrade member switch
3) Reboot member switch
6. Manage cluster network with web
1) Enable http
7. Manage cluster network with snmp
1) Enable snmp ser
  cluster keepalive loss-count / no cluster keepalive loss-count: Set the max number of lost keep-alive messages that can be tolerated in the cluster.
Admin mode
  clear cluster nodes [nodes-sn | mac-address]: Clear nodes in the list of candidate switches maintained by the switch.
4.
6. Manage cluster network with web (Global Mode)
  ip http server: Enable the http function in the commander switch and the member switch. Notice: the http function must be enabled in the member switch when the commander switch accesses the member switch by web. The commander switch accesses the member switch through the member node in the member cluster topology.
7. Manage cluster network with snmp (Global Mode)
  Enable the snmp server function in the commander switch and the member switch.
6.3 Examples of Cluster Administration
Scenario: There are four switches SW1-SW4, among which SW1 is the commander switch and the other switches are member switches. SW2 and SW4 are directly connected to the commander switch; SW3 connects to the commander switch through SW2.
[Figure 6-1 Examples of Cluster Configuration: SW1-SW4 interconnected through their ports E1/E2]
Procedure
1. Configure the commander switch
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.
Chapter 7 Port Configuration
7.1 Introduction to Port
SGS-6341 Series switches contain cable ports and combo ports. The combo ports can be configured as either 1000TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet command to enter the appropriate Ethernet port configuration mode; the interface argument stands for one or more ports.
2. Configure the properties for the Ethernet ports (Port Mode)
  combo-forced-mode {copper-forced | copper-preferred-auto | sfp-forced | sfp-preferred-auto}: Sets the combo port mode (combo ports only).
  shutdown / no shutdown: Enables/Disables specified ports.
  name / no name: Names or cancels the name of specified ports.
  mdi {auto | across | normal} / no mdi: Sets the cable type for the specified port; this command is not supported by combo ports and fiber ports of the switch.
  rate-violation <200-2000000> [recovery <0-86400>|] / no rate-violation: Set the max packet reception rate of a port. If the rate of the received packets violates the packet reception rate, shut down this port and configure the recovery time; the default is 300s. The no command disables the rate-violation function of a port.
Global Mode
  port-rate-statistics interval []
3.
The configurations are listed below:
Switch1:
Switch1(config)#interface ethernet 1/0/7
Switch1(Config-If-Ethernet1/0/7)#bandwidth control 50 both
Switch2:
Switch2(config)#interface ethernet 1/0/9
Switch2(Config-If-Ethernet1/0/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/0/9)#exit
Switch2(config)#interface ethernet 1/0/10
Switch2(Config-If-Ethernet1/0/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/0/10)#exit
Switch2(config)#monitor session 1 source interface ethernet1/0/8;1/0/9
Switc
Chapter 8 Port Isolation Function Configuration 8.1 Introduction to Port Isolation Function Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
3. Specify the flow to be isolated (Global Mode)
  isolate-port apply []: Apply the port isolation configuration to isolate layer-2 flows, layer-3 flows or all flows.
4. Display the configuration of port isolation (Admin Mode and Global Mode)
  show isolate-port group [ ]: Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.
8.
port normally.
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which means urgent demands for both Internet access and internal layer-2 interworking.
1. Configure the time interval of loopback detection (Global Mode)
  loopback-detection interval-time / no loopback-detection interval-time: Configure the time interval of loopback detection.
2. Enable the function of port loopback detection (Port Mode)
  loopback-detection specified-vlan / no loopback-detection specified-vlan: Enable and disable the function of port loopback detection.
5. Configure the loopback-detection control mode (automatic recovery enabled or not) (Global Mode)
  loopback-detection control-recovery timeout <0-3600>: Configure the loopback-detection control mode (automatic recovery enabled or not) or the recovery time.
9.
If the control method of block is adopted, MSTP should be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN should be configured.
Switch(config)#spanning-tree
Switch(config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#
9.
Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially on fiber links. A unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally, the checking mechanism of the physical layer cannot find the communication problems between the devices.
ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above. On a switch connected via fibers or copper Ethernet cable (such as Category 5e twisted pair), ULDP can monitor the link state of the physical links. Whenever a unidirectional link is discovered, it sends warnings to users and can disable the port automatically or manually according to the users’ configuration.
3. Configure aggressive mode globally (Global configuration mode)
  uldp aggressive-mode / no uldp aggressive-mode: Set the global working mode.
4. Configure aggressive mode on a port (Port configuration mode)
  uldp aggressive-mode / no uldp aggressive-mode: Set the working mode of the port.
5.
  uldp reset: Reset all ports in global configuration mode; reset the specified port in port configuration mode.
9. Display and debug the relative information of ULDP (Admin mode)
  show uldp [interface ethernet IFNAME]: Display ULDP information. No parameter means to display global ULDP information. The parameter specifying a port will display global information and the neighbor information of the port.
10.3 ULDP Function Typical Examples
[Figure 10-3 Fiber Cross Connection: Switch A (g1/0/1, g1/0/2) cross-connected to Switch B (g1/0/3, g1/0/4), with PC1 and PC2 attached]
In the network topology in Figure 10-3, ports g1/0/1 and g1/0/2 of SWITCH A as well as ports g1/0/3 and g1/0/4 of SWITCH B are all fiber ports, and the connection is a cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of link error state.
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/1 need to be shut down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/2 need to be shut down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/2 shut down!
Ports g1/0/3 and g1/0/4 of SWITCH B are also shut down by ULDP, and there is notification information on the CRT terminal of PC2.
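A small parser for the ULDP notifications shown above, written as an added example for this guide rather than code from PLANET or the switch firmware. It assumes the message text follows exactly the two forms quoted (detection and automatic shutdown) and runs over constructed sample lines; it reports which ports were flagged and whether the shutdown followed, which is what an operator collecting these messages over syslog would want to alert on, since a port flagged in manual mode still needs attention.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the ULDP notifications quoted in this section.
SAMPLE_LOG = """\
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/1 need to be shut down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/2 need to be shut down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/2 shut down!
%Oct 29 11:10:02 2007 Some unrelated message mentioning Ethernet1/0/5
"""

_TS = r"(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
DETECTED_RE = re.compile(
    r"^%" + _TS + r" A unidirectional link is detected! Port (?P<port>\S+) need to be shut down!$")
SHUTDOWN_RE = re.compile(
    r"^%" + _TS + r" Unidirectional port (?P<port>\S+) shut down!$")


@dataclass
class UldpEvent:
    timestamp: str
    port: str
    kind: str  # "detected" or "shutdown"


def parse_uldp_events(text):
    """Extract ULDP events from raw log text; lines that match neither form are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTED_RE.match(line)
        if m:
            events.append(UldpEvent(m["ts"], m["port"], "detected"))
            continue
        m = SHUTDOWN_RE.match(line)
        if m:
            events.append(UldpEvent(m["ts"], m["port"], "shutdown"))
    return events


def summarize(events):
    """Per-port view: {port: {"detected": bool, "shutdown": bool}}."""
    summary = {}
    for ev in events:
        summary.setdefault(ev.port, {"detected": False, "shutdown": False})[ev.kind] = True
    return summary


def detected_but_not_shut(summary):
    """Ports flagged as unidirectional with no matching shutdown message.
    With ULDP configured to disable ports manually these still need operator action."""
    return sorted(port for port, s in summary.items() if s["detected"] and not s["shutdown"])


if __name__ == "__main__":
    for port, state in summarize(parse_uldp_events(SAMPLE_LOG)).items():
        print(port, state)
```

The two regular expressions are anchored on the full line, so a free-text message that merely mentions a port name (the last constructed sample line) is not counted as a ULDP event.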
ports shut down manually by users or by other modules won’t be reset by ULDP.
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in IEEE 802.1AB. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information to the neighbor devices directly connected to them, and those neighbor devices will store the information in standard SNMP MIBs.
11.2 LLDP Function Configuration Task Sequence
1. Globally enable LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the intervals of LLDP updating messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of updating messages
7. Configure the intervals of sending Trap messages
8. Configure to enable the Trap function of the port
9.
5. Configure the aging time multiplier of LLDP messages (Global Mode)
  lldp msgTxHold / no lldp msgTxHold: Configure the aging time multiplier of LLDP messages as the specified value or the default value.
6. Configure the sending delay of updating messages (Global Mode)
  lldp transmit delay / no lldp transmit delay: Configure the sending delay of updating messages as the specified value or the default value.
7.
10. Configure the size of space to store the Remote Table of the port (Port Configuration Mode)
  lldp neighbors max-num <value> / no lldp neighbors max-num: Configure the size of space to store the Remote Table of the port as the specified value or the default value.
11.
11.3 LLDP Function Typical Example
[Figure 11-1 LLDP Function Typical Configuration Example]
In the network topology in Figure 11-1, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDes and SysCap.
Chapter 12 Port Channel Configuration 12.1 Introduction to Port Channel To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel. Logically, Port Group is not a port but a port sequence.
For a Port Channel to work properly, member ports of the Port Channel must have the same properties as follows:
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports.
If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” properties should also be the same.
12.2.1 Static LACP Aggregation
Static LACP aggregation is configured manually by the user and does not run the LACP protocol. When configuring static LACP aggregation, use “on” mode to force the port to enter the aggregation group.
12.2.2 Dynamic LACP Aggregation
1. The summary of the dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created/deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation.
1. Creating a port group (Global Mode)
  port-group / no port-group: Create or delete a port group.
2. Add physical ports to the port group (Port Mode)
  port-group mode {active | passive | on} / no port-group: Add the ports to the port group and set their mode.
3. Enter port-channel configuration mode (Global Mode)
  interface port-channel: Enter port-channel configuration mode.
7. Set the timeout mode of the current port in LACP protocol (Port mode)
  lacp timeout {short | long} / no lacp timeout: Set the timeout mode in LACP protocol. The no command restores the default value.
12.4 Port Channel Examples
Scenario 1: Configuring Port Channel in LACP.
[Figure 12-2 Configuring Port Channel in LACP: switches S1 and S2]
The switches in the description below are all switches of this series. As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and are added to group1 with active mode.
The configuration steps are listed below:
Switch1#config
Switch1(config)#interface ethernet 1/0/1-4
Switch1(Config-If-Port-Range)#port-group 1 mode active
Switch1(Config-If-Port-Range)#exit
Switch1(config)#interface port-channel 1
Switch1(Config-If-Port-Channel1)#
Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/0/6
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode passive
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-P
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and are added to group1 with “on” mode. Ports 6, 8, 9, 10 of S2 are access ports and are added to group2 with “on” mode.
12.5 Port Channel Troubleshooting
If problems occur when configuring port aggregation, please first check the following for causes:
Ensure all ports in a port group have the same properties, i.e., whether they are in full-duplex mode, forced to the same speed, and have the same VLAN properties, etc. If there is any inconsistency, correct it.
Some commands cannot be used on a port in a port-channel, such as arp, bandwidth, ip, ip-forward, etc.
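The member-port rules from 12.1 and the first troubleshooting check above can be applied mechanically before a port group is committed. The following is an added example, not code from this guide or the switch; the PortState model and its attribute names are this example's own (they are not switch CLI keywords), and the sample groups are constructed after Scenario 1, with one deliberately inconsistent member to show what the check reports.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


# Hypothetical model of one port's relevant settings (example's own names, not CLI keywords).
@dataclass(frozen=True)
class PortState:
    name: str
    duplex: str                                   # "full" or "half"
    speed: str                                    # "100", "1000", ...
    mode: str                                     # "access", "trunk" or "hybrid"
    vlan: Optional[int] = None                    # access VLAN (access ports only)
    native_vlan: Optional[int] = None             # trunk and hybrid ports only
    allowed_vlans: FrozenSet[int] = frozenset()   # trunk and hybrid ports only


def port_channel_problems(members: List[PortState]) -> List[str]:
    """Check the member-port rules listed in 12.1; an empty list means the group is consistent.
    The first member is used as the reference the others are compared against."""
    if not members:
        return ["port group has no member ports"]
    ref = members[0]
    problems = []
    for p in members:
        if p.duplex != "full":
            problems.append(f"{p.name}: not in full-duplex mode")
        if p.speed != ref.speed:
            problems.append(f"{p.name}: speed {p.speed} differs from {ref.name} ({ref.speed})")
        if p.mode != ref.mode:
            problems.append(f"{p.name}: port type {p.mode} differs from {ref.name} ({ref.mode})")
            continue  # VLAN attributes are only comparable between ports of the same type
        if p.mode == "access":
            if p.vlan != ref.vlan:
                problems.append(f"{p.name}: access VLAN {p.vlan} differs from {ref.name} ({ref.vlan})")
        else:  # trunk or hybrid: Allowed VLAN and Native VLAN must match as well
            if p.native_vlan != ref.native_vlan:
                problems.append(f"{p.name}: native VLAN differs from {ref.name}")
            if p.allowed_vlans != ref.allowed_vlans:
                problems.append(f"{p.name}: allowed VLAN list differs from {ref.name}")
    return problems


# Constructed sample after Scenario 1: S1 ports 1/0/1-4, access ports in VLAN 1, 1000 full.
S1_GROUP1 = [PortState(f"Ethernet1/0/{i}", "full", "1000", "access", vlan=1) for i in range(1, 5)]
# Constructed faulty variant: port 1/0/3 forced to 100 Mbit/s half-duplex.
S1_GROUP1_BAD = (S1_GROUP1[:2]
                 + [PortState("Ethernet1/0/3", "half", "100", "access", vlan=1)]
                 + S1_GROUP1[3:])


if __name__ == "__main__":
    print("group1 ok:", port_channel_problems(S1_GROUP1))
    print("group1 bad:", port_channel_problems(S1_GROUP1_BAD))
```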
Chapter 13 Jumbo Configuration
13.1 Introduction to Jumbo
So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 bytes should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch. However, considering the length of Jumbo frames, they will not be sent to the CPU.
Chapter 14 EFM OAM Configuration
14.1 Introduction to EFM OAM
Ethernet was originally designed for the Local Area Network, but link length and network scope have extended rapidly as Ethernet has also been applied to the Metropolitan Area Network and Wide Area Network. Because Ethernet lacks an effective management mechanism, its application to the Metropolitan Area Network and Wide Area Network is affected, and implementing OAM on Ethernet has become a necessary development trend.
1. Ethernet OAM connection establishment
An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode. A session can only be initiated by the OAM entity working in active mode; entities working in passive mode must wait until they receive a connection request.
Link Fault: the number of unidirectional operations or faults is not less than the local high threshold. Unidirectional Operation means a unidirectional link that cannot work normally on a full-duplex link without auto-negotiation. EFM OAM can detect the fault and inform the remote OAM peers by sending an Information OAMPDU. Dying Gasp: there is no definition at present. Although the device does not generate Dying Gasp OAMPDUs, it still receives and processes such OAMPDUs sent by its peer.
4.
1. Enable EFM OAM function of port (Port mode)
  ethernet-oam mode {active | passive}: Configure the work mode of EFM OAM; the default is active mode.
  ethernet-oam / no ethernet-oam: Enable EFM OAM of the port; the no command disables EFM OAM of the port.
  ethernet-oam period / no ethernet-oam period: Configure the transmission period of OAMPDUs (optional); the no command restores the default value.
3. Configure remote failure (Port mode)
  ethernet-oam remote-failure / no ethernet-oam remote-failure: Enable remote failure detection of EFM OAM (failure means a critical-event or link-fault event of the local); the no command disables the function. (optional)
  ethernet-oam errored-symbol-period threshold high {high-symbols | none} / no ethernet-oam errored-symbol-period: Configure the high threshold of the errored symbol period event; the no command restores the default value.
14.3 EFM OAM Example
Example: CE and PE devices with a point-to-point link enable EFM OAM to monitor “the First Mile” link performance. It reports log information to the network management system when a fault event occurs, and uses the remote loopback function to detect the link when necessary.
[Figure: Ethernet 1/0/1 of the CE connected to Ethernet 1/0/1 of the PE] 802.
14.4 EFM OAM Troubleshooting
If a problem occurs when using EFM OAM, please check whether it results from the following reasons:
Check whether the OAM entities at both ends of the link are in passive mode. If so, an EFM OAM connection cannot be established between the two OAM entities.
Ensure the SNMP configuration is correct, or else errored events cannot be reported to the network management system.
Chapter 15 VLAN Configuration
15.1 VLAN Configuration
15.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
SGS-6341 Series Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk; each mode has a different processing method for forwarding tagged or untagged packets. Access ports belong to only one VLAN; usually they are used to connect to the ports of computers. Trunk ports allow multiple VLANs to pass and can receive and send the packets of multiple VLANs; usually they are used to connect switches to each other.
3. Assigning Switch ports for VLAN (VLAN Mode)
  switchport interface / no switchport interface: Assign Switch ports to VLAN.
4. Set the Switch Port Type (Port Mode)
  switchport mode {trunk | access | hybrid}: Set the current port as Trunk, Access or Hybrid port.
5. Set Trunk port
  switchport trunk allowed vlan {WORD | all | add WORD | except WORD | remove: Set/delete VLANs allowed to be crossed by Trunk.
8. Disable/Enable VLAN Ingress Rules (Port Mode)
  vlan ingress enable / no vlan ingress enable: Enable/Disable VLAN ingress rules.
9. Configure Private VLAN (VLAN mode)
  private-vlan {primary | isolated | community} / no private-vlan: Configure the current VLAN as a Private VLAN. The no command deletes the private VLAN.
10. Set Private VLAN association (VLAN mode)
  private-vlan association: Set/delete Private VLAN association.
15.1.3 Typical VLAN Application
Scenario:
[Figure 15-2 Typical VLAN Application Topology: Switch A and Switch B joined by a trunk link, each with PCs and workstations in VLAN2, VLAN100 and VLAN200]
The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs span two different locations, A and B.
Switch A:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/0/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#exit
Switch(config)#
Switch B:
Switch(
15.1.4 Typical Application of Hybrid Port
Scenario:
[Figure 15-3 Typical Application of Hybrid Port: internet, Switch A, Switch B, with PC1 and PC2 attached to Switch B]
PC1 connects to interface Ethernet 1/0/7 of SwitchB, PC2 connects to interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB. It is required that PC1 and PC2 cannot access each other for security reasons, but PC1 and PC2 can access other network resources through the gateway SwitchA.
The configuration steps are listed below:
Switch A:
Switch (config)#vlan 10
Switch (Config-Vlan10)#switchport interface ethernet 1/0/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/0/7
Switch(Config-If-Ethernet1/0/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/0/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/0/7)#exit
Switch(Config)#interface Ethernet 1/0/9
Switch(Config-If-Ethernet1/0
15.2 GVRP Configuration
15.2.1 Introduction to GVRP
GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism to transmit attributes, so that protocol entities can register and deregister the attribute. According to the different attributes transmitted, GARP can be divided into many application protocols, such as GMRP and GVRP.
15.2.2 GVRP Configuration Task List
GVRP configuration task list:
1. Configure GVRP timer
2. Configure port type
3. Enable GVRP function

1. Configure GARP timer (Global Mode)
  garp timer join <200-500>
  garp timer leave <500-1200>
  garp timer leaveall <5000-60000>
  no garp timer (join | leave | leaveAll): Configure leaveall, join and leave timer for GVRP.
2. Configure port type (Port mode)
  gvrp / no gvrp: Enable/disable GVRP function of port.
3.
15.2.3 Example of GVRP
GVRP application:
[Figure 15-5 Typical GVRP Application Topology: PC, Switch A, Switch B, Switch C, PC]
To enable dynamic VLAN information registration and update among switches, the GVRP protocol is to be configured in the switches. Configure GVRP in Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
The configuration steps are listed below:
Switch A:
Switch(config)#gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#gvrp
Switch(Config-If-Ethernet1/0/11)#exit
Switch B:
Switch(config)#gvrp
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport mode trunk
Switch(Config-If-Ethernet1
15.3 Dot1q-tunnel Configuration
15.3.1 Introduction to Dot1q-tunnel
Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). Carrying the two VLAN tags, the packet is transmitted through the backbone network of the ISP, so as to provide a simple layer-2 tunnel for the users.
The user network is considerably independent. When the ISP upgrades its network, the user networks do not have to change their original configuration. A detailed description of the application and configuration of dot1q-tunnel is provided in this section.
15.3.2 Dot1q-tunnel Configuration
Configuration Task Sequence of Dot1q-Tunnel:
1. Configure the dot1q-tunnel function on port
2. Configure the protocol type (TPID) on port
1.
Configuration procedure is as follows:
PE1:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/0/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-Ethernet1/0/1)#dot1q-tunnel enable
Switch(Config-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-Ethernet1/0/1)#switchport mode trunk
Switch(Config-Ethernet1/0/1)#dot1q-tunnel tpid 0x9100
Switch(Config-Ethernet1/0/1)#exit
Switch(Config)#
PE2:
Switch(config)#vlan 3
Switch(Config-V
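To make concrete what the dot1q-tunnel port does to a frame (15.3.1) and what the TPID setting above changes, here is an added example that builds and parses double-tagged frames in Python; it is not code from this guide or from PLANET. It assumes the outer SPVLAN tag uses the TPID 0x9100 configured above and the inner customer tag the standard 0x8100, and the MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100    # standard 802.1Q TPID, used for the customer (inner) tag
TPID_SP = 0x9100       # service-provider TPID, as set with "dot1q-tunnel tpid 0x9100" above
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'00:30:4f:11:22:33' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_tag(tpid: int, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte VLAN tag: TPID followed by the TCI (PCP:3 bits | DEI:1 bit | VID:12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError(f"VLAN ID out of range: {vid}")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: str, src: str, payload: bytes, vid=None, ethertype=ETHERTYPE_IPV4) -> bytes:
    """Customer frame: untagged when vid is None, otherwise with a single 0x8100 tag."""
    tag = b"" if vid is None else build_tag(TPID_8021Q, vid)
    return mac_bytes(dst) + mac_bytes(src) + tag + struct.pack("!H", ethertype) + payload


def encapsulate_qinq(frame: bytes, sp_vid: int, tpid: int = TPID_SP) -> bytes:
    """Ingress on the dot1q-tunnel port: insert the SPVLAN tag right after the MAC addresses,
    leaving any customer tag untouched behind it."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[:12] + build_tag(tpid, sp_vid) + frame[12:]


def decapsulate_qinq(frame: bytes, tpid: int = TPID_SP) -> bytes:
    """Egress towards the customer: remove the outer SPVLAN tag, which must carry the SP TPID."""
    outer_tpid = struct.unpack("!H", frame[12:14])[0]
    if outer_tpid != tpid:
        raise ValueError(f"outer tag TPID 0x{outer_tpid:04x} is not the SP TPID 0x{tpid:04x}")
    return frame[:12] + frame[16:]


def parse_tags(frame: bytes, tpids=(TPID_8021Q, TPID_SP)):
    """Walk the tag stack after the MAC addresses.
    Returns (tags, ethertype, payload); tags is a list of (tpid, vid, pcp), outermost first."""
    tags = []
    offset = 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype in tpids and offset + 4 <= len(frame):
            tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
            tags.append((ethertype, tci & 0xFFF, tci >> 13))
            offset += 4
            continue
        return tags, ethertype, frame[offset + 2:]


if __name__ == "__main__":
    # Constructed customer frame in VLAN 20, carried across the ISP in SPVLAN 3.
    customer = build_frame("00:30:4f:11:22:55", "00:30:4f:11:22:33", b"\x45" + b"\x00" * 19, vid=20)
    tunnelled = encapsulate_qinq(customer, 3)
    print(parse_tags(tunnelled)[0])   # [(0x9100, 3, 0), (0x8100, 20, 0)]
```

A core switch that does not know the SP TPID sees 0x9100 as an unknown EtherType rather than a VLAN tag, which is why the TPID has to agree on every port of the tunnel path; parse_tags shows this directly if 0x9100 is dropped from the accepted TPID list.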
15.4 VLAN-translation Configuration
15.4.1 Introduction to VLAN-translation
VLAN translation, as one can tell from the name, translates the original VLAN ID to a new VLAN ID according to the user requirements, so as to exchange data across different VLANs. VLAN translation is classified into ingress translation and egress translation; this switch only supports switchover of the VLAN ID on ingress. The application and configuration of VLAN translation will be explained in detail in this section.
15.4.
4. Show the related configuration of vlan-translation (Admin mode)
  show vlan-translation: Show the related configuration of vlan-translation.
15.4.3 Typical application of VLAN-translation
Scenario: Edge switches PE1 and PE2 of the ISP network carry the VLAN20 data traffic between CE1 and CE2 of the client network over VLAN3. Port1 of PE1 is connected to CE1 and port10 is connected to the public network; port1 of PE2 is connected to CE2 and port10 is connected to the public network.
Configuration procedure is as follows:
PE1, PE2:
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)#vlan-translation enable
switch(Config-Ethernet1/0/1)#vlan-translation 20 to 3 in
switch(Config-Ethernet1/0/1)#vlan-translation 3 to 20 out
switch(Config-Ethernet1/0/1)#exit
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)#exit
switch(Config)#
15.4.
Notice: Dynamic VLAN needs to be associated with the Hybrid attribute of the ports to work, so the ports that may be added to a dynamic VLAN must be configured as Hybrid ports.
15.5.2 Dynamic VLAN Configuration
Dynamic VLAN Configuration Task Sequence:
1. Configure the MAC-based VLAN function on the port
2. Set the VLAN to MAC VLAN
3. Configure the correspondence between the MAC address and the VLAN
4. Configure the IP-subnet-based VLAN function on the port
5.
5. Configure the correspondence between the IP subnet and the VLAN (Global Mode)
  subnet-vlan ip-address mask vlan priority / no subnet-vlan {ip-address mask | all}: Add/delete the correspondence between the IP subnet and the VLAN, namely the specified IP subnet joins/leaves the specified VLAN.
6.
[Figure 15-8 Typical topology application of dynamic VLAN: SwitchA, SwitchB and SwitchC with VLAN100, VLAN200 and VLAN300, and host M]
Configuration Items | Configuration Explanation
MAC-based VLAN | Global configuration on Switch A, Switch B, Switch C.
15.5.4 Dynamic VLAN Troubleshooting
On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between the two devices may not go through. The solution is to let the two devices actively send data packets to the switch (such as a ping), so that the switch learns their source MACs; then the two devices will be able to communicate freely within the dynamic VLAN.
Ping 192.168.1.200 Ping 192.168.1.
Notice: Voice VLAN needs to associate with the Hybrid attribute of the ports to work, so the ports that may be added to Voice VLAN must be configured as Hybrid ports.
15.6.2 Voice VLAN Configuration
Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add a voice equipment to Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN to Voice VLAN
Command (Global Mode): voice-vlan vlan / no voice-vlan
Explanation: Set/cancel the VLAN as a Voice VLAN
2.
15.6.3 Typical Applications of the Voice VLAN
Scenario: A company realizes voice communication by configuring Voice VLAN. IP-phone1 and IP-phone2 can be connected to any port of the switch, communicate normally, and interconnect with other switches through the uplink port. IP-phone1 (MAC address 00-30-4f-11-22-33) connects to port 1/0/1 of the switch; IP-phone2 (MAC address 00-30-4f-11-22-55) connects to port 1/0/2 of the switch.
15.6.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN. The Voice VLAN on the port is enabled by default. If the configured data can no longer enter the Voice VLAN during operation, check whether the Voice VLAN function has been disabled on the port.
Chapter 16 MAC Table Configuration
16.1 Introduction to MAC Table
The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch. The initial MAC table contains no address mapping entries. Taking the communication of PC1 and PC3 as an example, the MAC address learning process is as follows:
1.
Three types of frames can be forwarded by the switch:
Broadcast frame
Multicast frame
Unicast frame
The following describes how the switch deals with the three types of frames:
Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain. When the switch receives a broadcast frame, it forwards the frame out of all ports.
2. Configure static MAC forwarding or filter entry
Command (Global Mode): mac-address-table {static | blackhole} address vlan [interface [ethernet | portchannel]] | [source | destination | both] / no mac-address-table {static | blackhole | dynamic} [address] [vlan] [interface [ethernet | portchannel]]
Explanation: Configure static MAC forwarding or filter entry.
3.
Scenario: Four PCs as shown in the figure above connect to ports 1/0/5, 1/0/7, 1/0/9 and 1/0/11 of the switch; all four PCs belong to the default VLAN1. As required by the network environment, dynamic learning is enabled. PC1 holds sensitive data and cannot be accessed by any other PC that is in another physical segment; PC2 and PC3 have static mappings set to port 7 and port 9, respectively. The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
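The MAC table behaviour described above (learning, flooding of broadcast and unknown unicast, static forwarding entries and blackhole filter entries) applied to this four-PC scenario, as an added Python simulation that is not part of the guide or the switch firmware; the MAC addresses of PC2, PC3 and PC4 and the fifth unknown address are constructed.

```python
"""Simulation of the MAC table behaviour of Chapter 16 (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff-ff-ff-ff-ff-ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split("-")[0], 16) & 1 == 1


@dataclass
class Entry:
    kind: str            # "dynamic", "static" or "blackhole"
    port: Optional[int]  # None for blackhole (filter) entries


@dataclass
class MacTable:
    ports: Tuple[int, ...]
    entries: Dict[Tuple[int, str], Entry] = field(default_factory=dict)

    def add_static(self, vlan: int, mac: str, port: int) -> None:
        self.entries[(vlan, mac)] = Entry("static", port)

    def add_blackhole(self, vlan: int, mac: str) -> None:
        """Filter entry: frames from or to this MAC are discarded (the 'both' case)."""
        self.entries[(vlan, mac)] = Entry("blackhole", None)

    def learn(self, vlan: int, mac: str, port: int) -> None:
        """Dynamic learning of a source MAC; never overrides static/blackhole entries."""
        current = self.entries.get((vlan, mac))
        if current is None or current.kind == "dynamic":
            self.entries[(vlan, mac)] = Entry("dynamic", port)

    def forward(self, vlan: int, src: str, dst: str, ingress: int) -> List[int]:
        """Return the egress ports for a frame; an empty list means it is dropped."""
        src_entry = self.entries.get((vlan, src))
        dst_entry = self.entries.get((vlan, dst))
        if (src_entry is not None and src_entry.kind == "blackhole") or \
           (dst_entry is not None and dst_entry.kind == "blackhole"):
            return []                        # filtered by a blackhole entry
        self.learn(vlan, src, ingress)       # source learning on every accepted frame
        flood = [p for p in self.ports if p != ingress]
        if is_group_address(dst):
            return flood                     # broadcast/multicast: all other ports
        if dst_entry is None:
            return flood                     # unknown unicast: flood until learned
        if dst_entry.port == ingress:
            return []                        # same physical segment: nothing to forward
        return [dst_entry.port]


# PC1's MAC is from the scenario; the other three are constructed for the example.
PC1, PC2, PC3, PC4 = ("00-01-11-11-11-11", "00-01-22-22-22-22",
                      "00-01-33-33-33-33", "00-01-44-44-44-44")


def build_scenario() -> MacTable:
    """Table for the scenario: PC1 filtered, PC2 static on port 7, PC3 static on port 9."""
    table = MacTable(ports=(5, 7, 9, 11))
    table.add_blackhole(1, PC1)
    table.add_static(1, PC2, 7)
    table.add_static(1, PC3, 9)
    return table
```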
16.5.1.2 MAC Address Binding Configuration Task List
1. Enable MAC address binding function for the ports
2. Lock the MAC addresses for a port
3. MAC address binding property configuration
4. mac-notification trap configuration
1. Enable MAC address binding function for the ports
Command (Port Mode) / Explanation: Enable MAC address binding function for the port and lock the port.
3. MAC address binding property configuration
Command (Port Mode): switchport port-security maximum / no switchport port-security maximum
Explanation: Set the maximum number of secure MAC addresses for a port; the "no switchport port-security maximum" command restores the default value.
Chapter 17 MSTP Configuration
17.1 Introduction to MSTP
MSTP (Multiple STP) is a newer spanning-tree protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning-tree instances (MSTI) for each MST domain (MSTP domain).
Figure 17-1 Example of CIST and MST Region (bridges Root, A, B, C, D, E, F and M; part of them form one MST region)
In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP will treat this region as one bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
17.1.1.
17.1.2 Port Roles
The MSTP bridge assigns a port role to each port which runs MSTP. CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port. On top of those roles, each MSTI port has one new role: Master Port. The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same way as those in RSTP.
17.1.3 MSTP Load Balance
In an MSTP region, VLANs can be mapped to various instances. That can form various topologies.
2. Configure instance parameters
Command (Global Mode): spanning-tree mst priority / no spanning-tree mst priority
Explanation: Set bridge priority for the specified instance.
Command (Global Mode): spanning-tree priority / no spanning-tree priority
Explanation: Configure the spanning-tree priority of the switch.
Command (Port Mode): spanning-tree mst cost
Explanation: Set port path cost for the specified instance.
3. Configure MSTP region parameters
Command (Global Mode): spanning-tree mst configuration / no spanning-tree mst configuration
Explanation: Enter MSTP region mode. The no command restores the default setting.
Command (MSTP region mode): show
Explanation: Display the information of the current running system.
Command (MSTP region mode): instance vlan / no instance [vlan]
Explanation: Create Instance and set mapping between VLAN and Instance.
Command (MSTP region mode): name
Explanation: Set MSTP region name.
5. Configure the fast migrate feature for MSTP
Command (Port Mode): spanning-tree link-type p2p {auto | force-true | force-false} / no spanning-tree link-type
Explanation: Set the port link type.
Command (Port Mode): spanning-tree portfast [bpdufilter | bpduguard] [recovery <30-3600>] / no spanning-tree portfast
Explanation: Set or cancel the port as a boundary port. With bpdufilter, a received BPDU is discarded; with bpduguard, receiving a BPDU disables the port; with no parameter, receiving a BPDU makes the port a non-boundary port.
6.
8. Configure the snooping attribute of authentication key
Command (Port Mode): spanning-tree digest-snooping / no spanning-tree digest-snooping
Explanation: Set the port to use the authentication string of the partner port. The no command restores the use of the generated string.
9. Configure the FLUSH mode once topology changes
Command (Global Mode) / Explanation: Enable: the spanning tree flushes once the topology changes. Disable: the spanning tree does not flush when the topology changes.
17.3 MSTP Example
The following is a typical MSTP application example:
Figure 17-2 Typical MSTP Application Scenario (Switch1, Switch2, Switch3 and Switch4 interconnected through ports 1-7; some ports are marked x)
The connections among the switches are shown in the figure above. All the switches run in MSTP mode by default; their bridge priority, port priority and port path cost all have the default (equal) values.
Configuration Steps:
Step 1: Configure port to VLAN mapping: Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4. Set ports 1-7 as trunk ports in Switch2, Switch3 and Switch4.
Step 2: Set Switch2, Switch3 and Switch4 in the same MSTP region: Set Switch2, Switch3 and Switch4 to have the same region name, mstp. Map VLAN 20 and VLAN 30 in Switch2, Switch3 and Switch4 to Instance 3; map VLAN 40 and VLAN 50 in Switch2, Switch3 and Switch4 to Instance 4.
Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/0/1-7
Switch3(Config-Port-Range)#switchport mod
After the above configuration, Switch1 is the root bridge of the instance 0 of the entire network. In the MSTP region which Switch2, Switch3 and Switch4 belong to, Switch2 is the region root of the instance 0, Switch3 is the region root of the instance 3 and Switch4 is the region root of the instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance 3. The traffic of VLAN 40 and VLAN 50 is sent through the topology of the instance 4.
Figure 17-5 The Topology of the Instance 4 after the MSTP Calculation (Switch2, Switch3 and Switch4 with their port numbers; some ports are marked X)
17.4 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port. The MSTP parameters work together with each other, so the parameters should meet the following conditions; otherwise MSTP may work incorrectly. 2×(Bridge_Forward_Delay -1.
Chapter 18 QoS Configuration 18.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
Drop Precedence: When processing packets, the packets with the higher drop precedence are dropped first; the range is 0-1. It is abbreviated Drop-Prec or DP.
Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
18.1.3 Basic QoS Model The basic QoS consists of four parts: Classification, Policing, Remark and Scheduling, where classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions. Figure 18-3 Basic QoS Model Classification: Classify traffic according to packet classification information and generate internal DSCP value based on the classification information.
Figure 18-4 Classification process (flowchart, as read from the figure: if the packet is tagged, its L2 CoS value is its own L2 CoS; otherwise the L2 CoS value is obtained from the port default CoS (*1). If the port trusts DSCP (*2) and the packet is an IP packet, the Int-Prio is obtained by DSCP-to-Int-Prio conversion according to the DSCP value of the packet; otherwise, if the port trusts CoS (*2) and the packet is tagged, the Int-Prio is obtained by CoS-to-Int-Prio conversion according to the L2 CoS value of the packet; otherwise the Int-Prio is set to the default ingress Int-Prio. Then enter the policing flow.)
Note 1: L2 CoS value is considered a property of the packets,
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value, and can be policed and remarked. Policing can be performed per flow to configure different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be single bucket dual color or dual bucket three color. The traffic is assigned a color and can be discarded or passed; for the passed packets, the remarking action is added.
Note 1: A later setting of Int-Prio overrides an earlier one; Set Int-Prio of the color-specific action overrides Set Int-Prio of the action unrelated to the color.
Note 2: The internal priority of the packets is remapped according to the IntP-to-IntP map. Source Int-Prio means the Int-Prio obtained in the Classification flow or the Int-Prio set by the action unrelated to the color.
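The ingress classification flow of Figure 18-4, with the DSCP-before-CoS trust order stated in the troubleshooting section and the intp-dscp step used in Example 3 (internal priority 40 giving IP precedence 5), as an added Python example that is not part of the guide; the mapping tables are constructed assumptions, not the switch's default maps.

```python
"""Ingress QoS classification as drawn in Figure 18-4 (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed mapping tables. On the switch these are the maps set with "mls qos map";
# the identity-style values below are constructed for the example.
COS_TO_INTP = {cos: cos * 8 for cos in range(8)}
DSCP_TO_INTP = {dscp: dscp for dscp in range(64)}
INTP_TO_DSCP = {intp: intp for intp in range(64)}


@dataclass
class Port:
    trust: FrozenSet[str] = frozenset()  # subset of {"cos", "dscp"} (mls qos trust)
    default_cos: int = 0                 # used for untagged packets (*1)
    default_intp: int = 0                # default ingress Int-Prio


@dataclass
class Packet:
    is_ip: bool
    cos: Optional[int] = None   # 802.1p value from the VLAN tag; None = untagged
    dscp: Optional[int] = None  # only meaningful for IP packets


def l2_cos(pkt: Packet, port: Port) -> int:
    """Untagged packets take the port default CoS; tagged packets keep their own."""
    return port.default_cos if pkt.cos is None else pkt.cos


def classify(pkt: Packet, port: Port) -> int:
    """Return the internal priority (Int-Prio) assigned at ingress.

    DSCP is tried first for IP packets on a DSCP-trusting port, then CoS for
    tagged packets on a CoS-trusting port; anything else gets the port default.
    """
    if "dscp" in port.trust and pkt.is_ip and pkt.dscp is not None:
        return DSCP_TO_INTP[pkt.dscp]
    if "cos" in port.trust and pkt.cos is not None:
        return COS_TO_INTP[l2_cos(pkt, port)]
    return port.default_intp


def ip_precedence_from_intp(intp: int) -> int:
    """Apply the intp-dscp map and take the IP precedence (upper 3 bits of DSCP)."""
    return INTP_TO_DSCP[intp] >> 3
```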
18.2 QoS Configuration Task List
1. Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to classify the data stream. Different classes of data streams will be processed with different policies.
2. Configure a policy map
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode.
2. Configure a policy map
Command (Global Mode): policy-map / no policy-map
Explanation: Create a policy map and enter policy map mode; the no command deletes the specified policy map. After a policy map is created, it can be associated to a class.
Command (Policy map mode): class [insert-before] / no class
Explanation: Different policy or new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
are three colors (green, red and yellow) of the packets.
Command (Policy class map configuration mode): drop / no drop; transmit / no transmit
Explanation: Drop or transmit the traffic that matches the class; the no command cancels the assigned action.
3. Apply QoS to port or VLAN interface
Command (Interface Configuration Mode): mls qos trust {cos | dscp} / no mls qos trust {cos | dscp}
Explanation: Configure port trust; the no command disables the current trust status of the port.
5. Configure QoS mapping
Command (Global Mode): mls qos map (cos-dp | dscp-dscp | dscp-intp | dscp-dp) to / no mls qos map (cos-dp | dscp-dscp | dscp-intp | dscp-dp); mls qos map intp-dscp / no mls qos map intp-dscp
Explanation: Set the priority mapping for QoS; the no command restores the default mapping value.
6.
18.3 QoS Example Example 1: Enable QoS function, change the queue out weight of port ethernet 1/0/1 to 1:1:2:2:4:4:8:8, set the port in trust CoS mode without changing DSCP value, and set the default CoS value of the port to 5.
Example 3:
Figure 18-7 Typical QoS topology (Server, Switch1, Switch2 and Switch3; the QoS area is marked; Switch1 connects to Switch2 over a trunk)
As shown in the figure, inside the block is a QoS domain. Switch1 classifies different traffic and assigns different IP precedences. For example, set CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/0/1 (set the internal priority to 40, set the default intp-dscp mapping to 40-40, the corresponding IP precedence to 5). The port connecting to Switch2 is a trunk port.
QoS configuration in Switch2:
Switch#config
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#mls qos trust cos
18.4 QoS Troubleshooting
trust cos and EXP can be used with other trust or Policy Map. trust dscp can be used with other trust or Policy Map; this configuration takes effect for IPv4 and IPv6 packets. trust exp, trust dscp and trust cos may be configured at the same time; the priority is EXP>DSCP>COS.
Chapter 19 Flow-based Redirection
19.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit data frames meeting some special condition (specified by an ACL) to another specified port. The frames meeting the same special condition are called a class of flow; the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
19.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received on port 1 out through port 6.
Modification of configuration:
1: Set an ACL; the condition to be matched is: source IP is 192.168.1.111;
2: Apply the redirection based on this flow to port 1.
Chapter 20 Egress QoS Configuration
20.1 Introduction to Egress QoS
In traditional IP networks, all packets are treated in the same way. All network equipment treats them with a first-in-first-out policy and makes a best effort to send them to the destination. However, this does not guarantee performance such as reliability and transmission delay. Networks develop so fast that new demands have been raised for the quality of service on IP networks with the continual emergence of new applications.
20.1.
Description of the actions that modify QoS attributes according to the egress remark table:
cos-cos: for the cos value of packets, modify the cos value of packets according to the cos table of QoS remarking
cos-dscp: for the cos value of packets, modify the dscp value of packets according to the cos table of QoS remarking
dscp-cos: for the dscp value of packets, modify the cos value of packets according to the dscp table of QoS remarking
dscp-dscp: for the dscp value of packets, modify the dscp value of packets according to the dscp table of QoS remarking
20.
2. Configure a policy-map
Command (Global Mode): policy-map / no policy-map
Explanation: Create a policy-map and enter policy-map mode; the no command deletes the specified policy-map.
Command (Policy-map mode): class [insert-before] / no class
Explanation: Create a policy map to associate with a class map and enter policy class map mode; different data streams can then apply different policies and be assigned a new DSCP value.
bucket mode, packets can only be red or green when passing policing. In the print information, in-profile means green and out-profile means red. In dual bucket mode there are three colors of packets: in-profile means green and out-profile means red and yellow.
3.
5. Clear accounting data of the specific ports or VLANs
Command (Admin Mode): clear mls qos statistics [interface | vlan]
Explanation: Clear accounting data of the specified ports or VLAN Policy Map. If there are no parameters, clear accounting data of all policy maps.
6. Show QoS configuration
Command (Admin Mode): show mls qos {interface []
Explanation: Show QoS configuration of the port.
Example2: On the egress of vlan10, change cos value as 4 for the packet with ipv6 dscp value of 7.
Set Egress remark to take effect for green packets:
switch(config)#mls qos egress green remark
Set trust dscp mode on ingress:
switch(config-if-port-range)#mls qos trust dscp
Bind policy to egress of port1:
switch(config-if-ethernet1/0/1)#service-policy output p1
20.4 Egress QoS Examples
Not all devices support Egress QoS at present, so please make sure the current device supports this function.
Chapter 21 Flexible Q-in-Q Configuration 21.1 Introduction to Flexible Q-in-Q 21.1.1 Q-in-Q Technique Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) to the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP internet to provide a simple layer-2 tunnel for the users.
1. Configure class map
Command (Global mode): class-map / no class-map
Explanation: Create a class-map and enter class-map mode; the no command deletes the specified class-map.
3. Bind flexible Q-in-Q policy-map to port
Command (Port mode): service-policy input / no service-policy input
Explanation: Apply a policy-map to a port; the no command deletes the specified policy-map applied to the port.
Command (Global mode): service-policy input vlan / no service-policy input vlan
Explanation: Apply a policy-map to a VLAN; the no command deletes the specified policy-map applied to the VLAN.
4.
The packet with tag 1001 is encapsulated with an outer tag 1001 directly (this tag is unique in the public network), enters Broad Band Network VLAN1001 and is classified to the BRAS device. The packet with tag 2001 (or 3001) is encapsulated with an outer tag 2001 (or 3001) and classified to the SR device according to the flow rules. The second user can be assigned different VLAN tags for different VLANs in DSLAM2.
If the data flow of DSLAM2 enters the switch's downlink port1, the configuration is as follows:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match vlan 1001
Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match vlan 2001
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match vlan 3001
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)# set
Chapter 22 Layer 3 Forward Configuration
The switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result. If the IP packet is destined to another subnet reachable from this switch, the packet is forwarded to the appropriate interface.
1. Create Layer 3 Interface
Command (Global Mode): interface vlan / no interface vlan
Explanation: Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the switch.
Command (Global Mode): interface loopback / no interface loopback
Explanation: Creates a Loopback interface and enters the loopback Port Mode; the no command deletes the Loopback interface created in the switch.
2.
5. VRF configuration
(1) Create VRF instance and enter VPN view
(2) Configure RD of VRF instance (optional)
(3) Configure RT of VRF instance (optional)
(4) Configure the relation between VRF instance and the interface
Command (Global Mode): ip vrf / no ip vrf
Explanation: Create VRF instance; no VRF instance is created by default.
Command (VRF Mode): rd
Explanation: Configure RD of VRF instance. RD is not created by default.
The most important problem IPv6 has solved is to increase the number of IP addresses. IPv4 addresses have nearly run out, whereas the number of Internet users has been increasing geometrically. With the great and continuous growth of Internet services and application devices that require IP addresses (Home and Small Office Networks, IP phones and wireless service information terminals which make use of the Internet), the supply of IP addresses becomes more and more tight.
Avoid the use of Network Address Translation. The purpose of introducing the NAT mechanism is to share and reuse the same address space among different network segments. This mechanism mitigates the problem of IPv4 address shortage temporarily; meanwhile it adds the burden of the address translation process to network devices and applications.
(3) Enable and disable router advertisement
(4) Configure router lifespan
(5) Configure router advertisement minimum interval
(6) Configure router advertisement maximum interval
(7) Configure prefix advertisement parameters
(8) Configure static IPv6 neighbor entries
(9) Delete all entries in IPv6 neighbor table
(10) Set the hoplimit of sending router advertisement
(11) Set the mtu of sending router advertisement
(12) Set the reachable-time of sending router advertisement
(13) Set the retrans-timer of sendin
(2) Set IPv6 Static Routing
Command (Global mode): ipv6 route {| | { }} [distance] / no ipv6 route {| | { }} [distance]
Explanation: Configure IPv6 static routing. The no command cancels IPv6 static routing.
2.
(4) Configure Router Lifespan
Command (Interface Configuration Mode): ipv6 nd ra-lifetime / no ipv6 nd ra-lifetime
Explanation: Configure Router advertisement Lifespan. The no command resumes the default value (1800 seconds).
(5) Configure router advertisement Minimum Interval
Command (Interface Configuration Mode): ipv6 nd min-ra-interval / no ipv6 nd min-ra-interval
Explanation: Configure the minimum interval for router advertisement. The no command resumes the default value (200 seconds).
(9) Delete all entries in IPv6 neighbor table
Command (Admin Mode): clear ipv6 neighbors
Explanation: Clear all static neighbor table entries.
(10) Set the hoplimit of sending router advertisement
Command (Interface Configuration Mode): ipv6 nd ra-hoplimit
Explanation: Set the hoplimit of sending router advertisement.
(11) Set the mtu of sending router advertisement
Command (Interface Configuration Mode): ipv6 nd ra-mtu
Explanation: Set the mtu of sending router advertisement.
3. IPv6 Tunnel Configuration
(1) Add/Delete tunnel
Command (Global mode): interface tunnel / no interface tunnel
Explanation: Create a tunnel. The no command deletes a tunnel.
(2) Configure tunnel description
Command (Tunnel Configuration Mode): description / no description
Explanation: Configure tunnel description. The no command deletes the tunnel description.
(6) Configure Tunnel Mode
Command (Global mode): ipv6 route { | tunnel } / no ipv6 route { | tunnel }
Explanation: Configure tunnel routing. The no command clears tunnel routing.
22.2.3 IP Configuration Examples
22.2.3.
The configuration procedure is as follows:
Switch1(config)#interface vlan 1
Switch1(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
Switch1(config)#interface vlan 2
Switch1(Config-if-Vlan2)#ip address 192.168.2.1 255.255.255.0
Switch1(Config-if-Vlan2)#exit
Switch1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ip address 192.168.2.2 255.255.255.0
Switch2(config)#interface vlan 3
Switch2(Config-if-Vlan3)#ip address 192.168.3.1 255.255.
Note: First make sure PC1 and Switch1 can access each other by ping, and PC2 and Switch2 can access each other by ping.
Switch2#show run
interface Vlan2
 ipv6 address 2002::2/64
!
interface Vlan3
 ipv6 address 2003::1/64
!
interface Loopback
 mtu 3924
!
ipv6 route 2001::/64 2002::1
!
no login
!
End
Example 2:
Figure 22-3 IPv6 tunnel (SwitchA, SwitchB, SwitchC, PC-A, PC-B)
This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes; dual-stack is supported. SwitchC only runs IPv4. PC-A and PC-B communicate.
Configuration Description:
1.
configure IPv4 address 203.203.203.1 on VLAN3.
5. Configure tunnel on SwitchA: the source IPv4 address of the tunnel is 202.202.202.1, and the tunnel routing is ::/0
6. Configure tunnel on SwitchB: the source IPv4 address of the tunnel is 203.203.203.1, and the tunnel routing is ::/0
7. Configure two VLANs on SwitchC, namely VLAN2 and VLAN3. Configure IPv4 address 202.202.202.202 on VLAN2 and IPv4 address 203.203.203.203 on VLAN3.
8.
22.2.4 IP Configuration Examples
The router lifespan configured should not be smaller than the router advertisement send interval. If the connected PC has not obtained an IPv6 address, check the RA announcement switch (it is turned off by default).
22.3 IP Forwarding
22.3.1 Introduction to IP Forwarding
Gateway devices can forward IP packets from one subnet to another; such forwarding uses routes to find a path.
For applications based on IP address verification, such attacks may allow unauthorized users to access the system as authorized ones, or even as the administrator. Even if the response messages cannot reach the attackers, they will still damage the targets.
Figure 22-4 URPF application situation (Router A, Router B and Router C; addresses 1.1.1.8/8 and 2.2.2.1/8; spoofed Source IP: 2.2.2.1/8)
In the figure above, Router A sends requests to the server Router B by faking messages whose source address is 2.2.2.1/8.
22.4.3 URPF Typical Example
Figure (URPF typical example topology): SW1, SW2 (10.1.1.10/24) and SW3 with interfaces E1/0/2, E1/0/3, E1/0/8, Vlan1, Vlan3 and Vlan4; URPF is enabled globally and on the interface of SW3; a vicious access host (PC) pretends to be SW2 by using 10.1.1.10 to launch an attack; a second PC is 2002::4/64.
In the network topology shown in the graph above, the IP URPF function is enabled on SW3.
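The strict reverse-path check that URPF applies in the two scenarios above (a spoofed 2.2.2.1/8 source arriving on Router A's link, and a host impersonating SW2's 10.1.1.10), as an added Python example that is not part of the guide or the switch implementation; the routing table, interface names, the packets and the rule that a default-route match does not validate a source are constructed assumptions.

```python
"""Strict unicast reverse path forwarding check (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class UrpfChecker:
    def __init__(self, routes: List[Tuple[str, str]]) -> None:
        # (prefix, egress interface) pairs; the longest matching prefix wins on lookup
        self.routes: List[Route] = [(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.ip_address(ip)
        best: Optional[Route] = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def source_is_valid(self, src_ip: str, ingress: str) -> bool:
        """Strict mode: the best route back to the source must leave via the ingress
        interface. A source with no route, or matched only by the default route, is
        rejected (assumption: the default route does not vouch for a source)."""
        best = self.lookup(src_ip)
        if best is None or best[0].prefixlen == 0:
            return False
        return best[1] == ingress


def filter_packets(checker: UrpfChecker,
                   packets: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split constructed packets into accepted and dropped lists by source and ingress."""
    result: Dict[str, List[str]] = {"accepted": [], "dropped": []}
    for pkt in packets:
        ok = checker.source_is_valid(pkt["src"], pkt["ingress"])
        result["accepted" if ok else "dropped"].append(f'{pkt["src"]} via {pkt["ingress"]}')
    return result


# Constructed routing table for Router B of Figure 22-4: Router A's side is 1.0.0.0/8
# behind e1/0/1, Router C's side is 2.0.0.0/8 behind e1/0/3, default via e1/0/8.
ROUTER_B = UrpfChecker([("1.0.0.0/8", "e1/0/1"), ("2.0.0.0/8", "e1/0/3"),
                        ("0.0.0.0/0", "e1/0/8")])

# Constructed packets as seen by Router B
SAMPLE_PACKETS = [
    {"src": "1.1.1.8", "ingress": "e1/0/1"},   # genuine traffic from Router A
    {"src": "2.2.2.1", "ingress": "e1/0/1"},   # spoofed: Router C's address on A's link
    {"src": "2.2.2.1", "ingress": "e1/0/3"},   # genuine traffic from Router C
    {"src": "8.8.8.8", "ingress": "e1/0/1"},   # only the default route matches
]
```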
22.5.2 ARP Configuration Task List
ARP Configuration Task List:
1. Configure static ARP
2. Configure proxy ARP
3. Clear dynamic ARP
4. Clear the statistic information of ARP messages
1. Configure static ARP
Command (VLAN Interface Mode): arp {interface [ethernet]} / no arp
Explanation: Configures a static ARP entry; the no command deletes the ARP entry of the specified IP address.
2.
22.5.3 ARP Troubleshooting
If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and create a solution. Check whether the corresponding ARP entry has been learned by the switch. If ARP has not been learned, enable ARP debugging information and view the sending/receiving condition of ARP packets. A defective cable is a common cause of ARP problems and may disable ARP learning.
22.6 Hardware Tunnel Capacity Configuration
22.6.
Chapter 23 ARP Scanning Prevention Function Configuration
23.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which takes up a large part of the bandwidth of the network. It might even launch a large-traffic attack in the network via fake ARP messages, collapsing the network by exhausting the bandwidth.
1. Enable the ARP Scanning Prevention function.
Command (Global configuration mode): anti-arpscan enable / no anti-arpscan enable
Explanation: Enable or disable the ARP Scanning Prevention function globally.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Command (Global configuration mode): anti-arpscan port-based threshold / no anti-arpscan port-based
Explanation: Set the threshold of the port-based ARP Scanning Prevention.
6. Display relative information of debug information and ARP scanning
Command (Global configuration mode): anti-arpscan log enable / no anti-arpscan log enable
Explanation: Enable or disable the log function of ARP scanning prevention.
Command (Global configuration mode): anti-arpscan trap enable / no anti-arpscan trap enable
Explanation: Enable or disable the SNMP Trap function of ARP scanning prevention.
Command: show anti-arpscan [trust | prohibited]
Explanation: Show the configuration of ARP scanning prevention.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.
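The port-based and IP-based thresholds from the task list above, applied to constructed per-second ARP counts with the trusted host 192.168.1.100 from the SwitchA configuration exempted, as an added Python detection example that is not part of the guide or the switch implementation; the record format, the per-second bucketing, the thresholds of 10 packets per second and the exemption of trusted IPs from both counters are assumptions.

```python
"""ARP scanning detection by per-second port and source-IP rate (constructed example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed record format, not the switch's log format
LINE_RE = re.compile(r"t=(?P<t>[\d.]+) port=(?P<port>\S+) src_ip=(?P<ip>\S+) op=(?P<op>\w+)")


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable ARP record: {line!r}")
    return m.groupdict()


def detect_scanners(lines: Iterable[str], port_threshold: int, ip_threshold: int,
                    trusted_ips: Set[str]) -> Dict[str, Set[str]]:
    """Flag ports and source IPs whose ARP packets in any one-second bucket exceed
    the threshold. Packets from trusted IPs are not counted at all (assumption:
    'anti-arpscan trust ip' exempts them from both the port and the IP check)."""
    per_port: Dict[Tuple[str, int], int] = defaultdict(int)
    per_ip: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec["ip"] in trusted_ips:
            continue
        second = int(float(rec["t"]))
        per_port[(rec["port"], second)] += 1
        per_ip[(rec["ip"], second)] += 1
    return {
        "ports": {port for (port, _), n in per_port.items() if n > port_threshold},
        "ips": {ip for (ip, _), n in per_ip.items() if n > ip_threshold},
    }


def build_sample_log() -> List[str]:
    """Constructed ARP records: one scanning host, one trusted server, one quiet host."""
    lines: List[str] = []
    # 192.168.1.50 on port 1/0/3 sweeps 40 targets within 800 ms of second 10
    for i in range(1, 41):
        lines.append(f"t=10.{i * 20:03d} port=1/0/3 src_ip=192.168.1.50 op=request")
    # trusted 192.168.1.100 on port 1/0/4 is chatty but exempt
    for i in range(15):
        lines.append(f"t=10.{i * 50:03d} port=1/0/4 src_ip=192.168.1.100 op=request")
    # a normal host on port 1/0/5 sends three requests in the same second
    for i in range(3):
        lines.append(f"t=10.{i * 300:03d} port=1/0/5 src_ip=192.168.1.20 op=request")
    return lines
```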
Chapter 24 Prevent ARP, ND Spoofing Configuration
24.1 Overview
24.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC-826) is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4F-FD-1D-2B.
The essential method of preventing ARP-based attacks and spoofing of switches in a network is to disable the switch's automatic ARP update function: the cheater then cannot modify the correct MAC address, so wrong packet forwarding is avoided and the cheater cannot obtain other information. At the same time, this does not interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attacks to a great extent.
24.3 Prevent ARP, ND Spoofing Example
Figure: Switch connected to A, B and C
Equipment / Configuration / Quantity:
Switch: IP 192.168.2.4; IP 192.168.1.4
A: IP 192.168.2.1; mac 00-00-00-00-00-01; 1
B: IP 192.168.1.2; mac 00-00-00-00-00-02; 1
C: IP 192.168.2.3; mac 00-00-00-00-00-03; 1
some: mac 00-00-00-00-00-04; 1
There is normal communication between B and C in the diagram above. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets from B to A.
If the environment changes, ARP refresh can be forbidden: once an ARP entry is learned, it will not be refreshed by a new ARP reply packet, which protects user data from sniffing.
Chapter 25 ARP GUARD Configuration
25.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between IP address and MAC address, causing problems in network communication.
25.2 ARP GUARD Configuration Task List 1.
Chapter 26 ARP Local Proxy Configuration
26.1 Introduction to ARP Local Proxy function
In a real application environment, the switches in the aggregation layer are required to implement the local ARP proxy function to avoid ARP cheating. This function restricts the forwarding of ARP messages in the same vlan and thus directs the L3 forwarding of the data flow through the switch.
26.2 ARP Local Proxy Function Configuration Task List
1. Enable/disable ARP local proxy function
Command (Interface vlan mode): ip local proxy-arp / no ip local proxy-arp
Explanation: Enable or disable ARP local proxy function.
26.3 Typical Examples of ARP Local Proxy Function
As shown in the following figure, S1 is a medium/high-level layer-3 switch supporting ARP local proxy, and S2 is a layer-2 access switch supporting interface isolation. For security, the interface isolation function is enabled on S2.
26.4 ARP Local Proxy Function Troubleshooting

The ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With a correct configuration, users can enable ARP debugging to check whether the ARP proxy works normally and sends proxy ARP messages. During operation, the system shows corresponding prompts if any operational error occurs.
Chapter 27 Gratuitous ARP Configuration

27.1 Introduction to Gratuitous ARP

Gratuitous ARP is a kind of ARP request that a host sends with its own IP address as the destination of the ARP request. The basic working mode for the SGS-6341 Series switch is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces. The purpose of gratuitous ARP is as follows: 1.
27.3 Gratuitous ARP Configuration Example

[Figure 27-1 Gratuitous ARP Configuration Example: Switch with Interface vlan10 192.168.15.254 255.255.255.0 and Interface vlan1 192.168.14.254 255.255.255.0; PC1, PC2, PC3, PC4, PC5]

For the network topology shown in the figure above, interface VLAN10 of the switch has IP address 192.168.15.254 and network mask 255.255.255.0. Three PCs (PC3, PC4, PC5) are connected to this interface. The IP address of interface VLAN 1 is 192.168.14.
Chapter 28 Keepalive Gateway Configuration

28.1 Introduction to Keepalive Gateway

An Ethernet port is used for backup or load balancing; because it is a broadcast channel, it may not detect a change in the physical signal and so fails to go down when the gateway is down. Keepalive Gateway is introduced to detect connectivity to the upstream gateway in the case where an Ethernet port connects to an upstream gateway in a point-to-point network topology.
2. Show keepalive gateway and IPv4 running status of interface
Command / Explanation (Admin and configuration mode)
show keepalive gateway [interface-name]
    Show the keepalive running status of the specified interface; if no interface is specified, show the keepalive running status of all interfaces.
show ip interface [interface-name]
    Show the IPv4 running status of the specified interface; if no interface is specified, show the IPv4 running status of all interfaces.
28.
2. Configure the interval at which ARP packets are sent and the retry count after which detection is considered failed.
Switch(config)#interface vlan 100
Switch(config-if-vlan100)#keepalive gateway 1.1.1.1 3 3
Switch(config-if-vlan100)#exit
An ARP probe is sent every 3 seconds to detect whether gateway A is reachable; after 3 consecutive failed probes, gateway A is considered unreachable.
28.
Chapter 29 DHCP Configuration

29.1 Introduction to DHCP

DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, as well as other network configuration parameters such as default gateway, DNS server, default route and host image file location within the network. DHCP is an enhanced version of BOOTP.
The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (i.e. a specific IP address is assigned to a specified MAC address or device ID for a long period). The differences and relations between dynamic IP address allocation and manual IP address binding are: 1) An IP address obtained dynamically can be different every time; a manually bound IP address is always the same.
default-router [[[… ]]]
no default-router
    Configure the default gateway for DHCP clients. The no operation cancels the default gateway.
dns-server [[[… ]]]
no dns-server
    Configure the DNS server for DHCP clients. The no command deletes the DNS server configuration.
domain-name
no domain-name
    Configure the domain name for DHCP clients; the “no domain-name” command deletes the domain name.
(3) Configure manual DHCP address pool parameters
Command / Explanation (DHCP Address Pool Mode)
hardware-address [{Ethernet | IEEE802|}]
no hardware-address
    Specify/delete the hardware address when assigning an address manually.
host [ | ]
no host
    Specify/delete the IP address to be assigned to the specified client when binding an address manually.
1. The client broadcasts a DHCPDISCOVER packet; on receiving it, the DHCP relay inserts its own IP address into the relay agent address field of the DHCPDISCOVER packet and forwards the packet to the specified DHCP server (for the DHCP frame format, please refer to RFC2131). 2. On receiving the DHCPDISCOVER packet forwarded by the DHCP relay, the DHCP server sends a DHCPOFFER packet via the DHCP relay to the DHCP client. 3.
PoolA (network 10.16.1.0)
    Default gateway: 10.16.1.200, 10.16.1.201
    DNS server: 10.16.1.202
    WINS server: 10.16.1.209
    WINS node type: H-node
    Lease: 3 days

PoolB (network 10.16.2.0)
    Default gateway: 10.16.1.200, 10.16.1.201
    DNS server: 10.16.1.202
    WWW server: 10.16.1.209
    Lease: 1 day

In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.210 and named “management”.
Scenario 2:

[Figure 29-3 DHCP Relay Configuration: DHCP Clients on E1/1 (192.168.1.1) of the DHCP Relay switch; E1/2 (10.1.1.1) towards the DHCP Server 10.1.1.10]

As shown in the figure above, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10 and the TFTP server address is 10.1.1.20; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.
Verify that the DHCP server is running; start the related DHCP server if it is not running. If the DHCP clients and servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function. If DHCP relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to a version that has the DHCP relay function.
Chapter 30 DHCPv6 Configuration

30.1 Introduction to DHCPv6

DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses and other network configuration parameters, such as DNS address and domain name, to DHCPv6 clients. DHCPv6 is the stateful address auto-configuration protocol for IPv6.
4. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with a REPLY message. The above four steps complete a dynamic host configuration assignment. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 broadcast packets sent by the client, and therefore no DHCPv6 packets will be sent to the client by the server.
(2) To configure parameters of the DHCPv6 address pool
Command / Explanation (DHCPv6 address pool Configuration Mode)
network-address { | } [eui-64]
no network-address
    To configure the range of assignable IPv6 addresses of the address pool.
dns-server
no dns-server
    To configure the DNS server address for DHCPv6 clients.
domain-name
no domain-name
    To configure the DHCPv6 client domain name.
2. To configure DHCPv6 relay delegation on a port
Command / Explanation (Interface Configuration Mode)
ipv6 dhcp relay destination {[] [interface { | vlan <1-4096>}]}
no ipv6 dhcp relay destination {[] [interface { | vlan <1-4096>}]}
    To specify the destination address for DHCPv6 relay transmission; the no form of this command deletes the configuration.
30.
3. To configure the DHCPv6 address pool
(1) To create/delete a DHCPv6 address pool
Command / Explanation (Global Mode)
ipv6 dhcp pool
no ipv6 dhcp pool
    To configure the DHCPv6 address pool.
4. To enable the DHCPv6 prefix delegation server function on a port
Command / Explanation (Interface Configuration Mode)
ipv6 dhcp server [preference ] [rapid-commit] [allow-hint]
no ipv6 dhcp server
    To enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.

30.5 DHCPv6 Prefix Delegation Client Configuration

The DHCPv6 prefix delegation client configuration task list is as follows:
1. To enable/disable DHCPv6 service
2.
Usage guide:
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd man
Usage guide:
Switch2 configuration
Switch2>enable
Switch2#config
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
Switch2(Config-if-Vlan2)#exit
Switch2(config)#service dhcpv6
Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
Switch2(config)#ipv6 dhcp pool dhcp-pool
Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
Switch2(dhcpv6-dhcp-pool-config)#exit
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#i
Switch1 configuration
Switch1>enable
Switch1#config
Switch1(config)#service dhcpv6
Switch1(config)#interface vlan 2
Switch1(Config-if-Vlan2)#ipv6 dhcp client pd prefix-from-provider
Switch1(Config-if-Vlan2)#exit
Switch1(config)#interface vlan 3
Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64
Switch1(Config-if-Vlan3)#exit
Switch1(config)#ipv6 dhcp pool foo
Switch1(dhcpv6-foo-config)#dns-server 2001:4::1
Switch1(dhcpv6-foo-config)#domain-name www.ipv6.
Chapter 31 DHCP option 82 Configuration

31.1 Introduction to DHCP option 82

DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 aims at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client’s physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server.
31.1.2 option 82 Working Mechanism

[Figure: DHCP option 82 flow chart. DHCP Client sends DHCP Request to the DHCP Relay Agent, which forwards DHCP Request + Option82 to the DHCP Server; the DHCP Reply + Option82 returns through the Relay Agent as a DHCP Reply to the client]

If the DHCP Relay Agent supports option 82, the DHCP client goes through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below: 1) The DHCP client sends a broadcast request message while initializing.
1. Enabling the DHCP option 82 of the Relay Agent
Command / Explanation (Global mode)
ip dhcp relay information option
no ip dhcp relay information option
    Set this command to enable the option 82 function of the switch Relay Agent. The “no ip dhcp relay information option” command is used to disable the option 82 function of the switch Relay Agent.
2.
ip dhcp relay information option remote-id {standard | }
no ip dhcp relay information option remote-id
    Set the suboption2 (remote ID option) content of the option 82 added to DHCP request packets received by the interface. The no command sets the suboption2 (remote ID option) format of the added option 82 to standard.
3. Enable the DHCP option 82 of the server.
6. Configure the creation method of option 82
Command / Explanation (Global mode)
ip dhcp relay information option self-defined remote-id {hostname | mac | string WORD}
no ip dhcp relay information option self-defined remote-id
    Set the creation method for option 82; users can define the parameters of the remote-id suboption by themselves.
ip dhcp relay information option self-defined remote-id format [ascii |
    Set the self-defined format of remote-id for relay option 82.
31.3 DHCP option 82 Application Examples

[Figure 31-1 A DHCP option 82 typical application example: DHCP Client PC1 - Switch1 and DHCP Client PC2 - Switch2 connect to Switch3 (DHCP Relay Agent) on Vlan2:ethernet1/2 and Vlan2:ethernet1/3; Switch3 reaches the DHCP Server through Vlan3]

In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3. Switch3, acting as the DHCP Relay Agent, transmits the request messages from the DHCP clients to the DHCP server.
The Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is:

    ddns-update-style interim;
    ignore client-updates;
    class "Switch3Vlan2Class1" {
        match if option agent.circuit-id = "Vlan2+Ethernet1/0/2" and option agent.remote-id=00:03:4f:02:33:01;
    }
    class "Switch3Vlan2Class2" {
        match if option agent.circuit-id = "Vlan2+Ethernet1/0/3" and option agent.remote-id=00:03:4f:02:33:01;
    }
    subnet 192.168.102.0 netmask 255.255.255.0 {
        option routers 192.168.102.2;
        option subnet-mask 255.255.255.
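As an added example (not code from the PLANET guide or the ISC DHCP project), the following Python parses the DHCP options field of a relayed DHCPDISCOVER, extracts option 82 with its circuit-id (suboption 1) and remote-id (suboption 2), and applies the same match rules as the two dhcpd.conf classes above. The packet bytes and the class table are constructed for this example.

```python
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_PAD, OPT_END = 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # RFC 2131 options magic cookie


def parse_options(options: bytes) -> dict:
    """TLV-parse a DHCP options field into {option_code: value_bytes}."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:          # single-byte end marker
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:     # length claims more bytes than present
            raise ValueError("option %d runs past end of packet" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_relay_agent_info(value: bytes) -> dict:
    """Split the option 82 value into {suboption_code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated option 82 suboption")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option 82 suboption %d truncated" % code)
        subs[code] = data
        i += 2 + length
    return subs


# Mirrors the two dhcpd.conf classes: circuit-id is text, remote-id is the
# relay agent's MAC written as colon-separated hex (constructed table).
CLASSES = {
    "Switch3Vlan2Class1": ("Vlan2+Ethernet1/0/2", "00:03:4f:02:33:01"),
    "Switch3Vlan2Class2": ("Vlan2+Ethernet1/0/3", "00:03:4f:02:33:01"),
}


def classify(options: bytes):
    """Return the name of the matching class, or None if no class matches."""
    opts = parse_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_relay_agent_info(opts[OPT_RELAY_AGENT_INFO])
    circuit = subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace")
    remote = ":".join("%02x" % b for b in subs.get(SUB_REMOTE_ID, b""))
    for name, (want_circuit, want_remote) in CLASSES.items():
        if circuit == want_circuit and remote == want_remote:
            return name
    return None


def build_options(circuit_id: str, remote_mac: str) -> bytes:
    """Construct the options field of a DHCPDISCOVER carrying option 82."""
    cid = circuit_id.encode("ascii")
    rid = bytes.fromhex(remote_mac.replace(":", ""))
    sub = (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
           + bytes([SUB_REMOTE_ID, len(rid)]) + rid)
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, 1])                      # 1 = DHCPDISCOVER
            + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
            + bytes([OPT_END]))
```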
When troubleshooting the option 82 function of the DHCP Relay Agent, the “debug dhcp relay packet” command can be used during operation. It shows the contents of option 82 being added, the retransmission policy adopted, the option 82 contents stripped from server replies by the Relay Agent, and so on; this information helps users troubleshoot.
Chapter 32 DHCPv6 option37, 38

32.1 Introduction to DHCPv6 option37, 38

DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it needs to communicate with the server through a DHCPv6 relay agent.
ipv6 dhcp snooping remote-id option
no ipv6 dhcp snooping remote-id option
    This command enables DHCPv6 SNOOPING to support option 37; the no command disables it.
ipv6 dhcp snooping subscriber-id option
no ipv6 dhcp snooping subscriber-id option
    This command enables DHCPv6 SNOOPING to support option 38; the no command disables it.
ipv6 dhcp snooping subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |)
no ipv6 dhcp snooping subscriber-id select delimiter
    Configures user configuration options to generate subscriber-id; the no command restores the original default configuration, i.e. enterprise number together with vlan MAC.
ipv6 dhcp relay remote-id delimiter WORD
no ipv6 dhcp relay remote-id delimiter
    Configures user configuration options to generate remote-id. The no command restores the original default configuration, i.e. enterprise number together with vlan MAC.
ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |)
no ipv6 dhcp relay subscriber-id select delimiter
    Configures user configuration options to generate subscriber-id.
ipv6 dhcp use class
no ipv6 dhcp use class
    This command enables the DHCPv6 server to use DHCPv6 classes during address assignment; the no form of this command disables it without removing the DHCPv6 class information that has been configured.
ipv6 dhcp class
no ipv6 dhcp class
    This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes the DHCPv6 class.
32.3 DHCPv6 option37, 38 Examples

32.3.1 DHCPv6 Snooping option37, 38 Example

[Figure 32-1 DHCPv6 Snooping option schematic]

As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to untrusted interfaces 1/2, 1/3 and 1/4 respectively; they get the IP addresses 2010:2, 2010:3 and 2010:4 through the DHCPv6 client. The DHCPv6 Server is connected to the trusted interface 1/1.
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.
server supports both stateful and stateless DHCPv6.
Network topology: in the access layer, layer 2 access device Switch1 connects users in the dormitory; in the first-level aggregation layer, aggregation device Switch2 is used as the DHCPv6 relay agent; in the second-level aggregation layer, aggregation device Switch3 is used as the DHCPv6 server and connects to the backbone network or to devices in a higher aggregation layer; on the user side, the PCs are generally running Windows Vista and therefore have a DHCPv6 client.
Snooping option37,38 can perform one of the following operations on DHCPv6 request packets that carry option37,38: replace the original option37,38 with its own; discard the packets carrying option37,38; or perform no adding, discarding or forwarding operation. Therefore, if a false address is obtained or no address is obtained according to option37,38, check the snooping option37,38 policy configuration on the second device.
Chapter 33 DHCP Snooping Configuration

33.1 Introduction to DHCP Snooping

DHCP Snooping means that the switch monitors the process by which a DHCP CLIENT obtains an IP address via the DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVERs by setting trust ports and untrust ports: DHCP messages from trust ports are forwarded without being verified. In typical settings, trust ports are used to connect the DHCP SERVER or DHCP RELAY proxy, and untrust ports are used to connect DHCP CLIENTs.
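As an added example (not code from the PLANET guide), the following Python models the trust/untrust rule just described: server-side messages (OFFER, ACK, NAK) are accepted only from trusted ports, client messages from untrusted ports are forwarded, and an ACK seen on a trusted port creates a binding (MAC, IP, VLAN, port, lease) that can later be checked. The port names and messages are constructed sample data.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPDECLINE",
               "DHCPRELEASE", "DHCPINFORM"}


@dataclass
class DhcpMsg:
    msg_type: str
    in_port: str      # port the switch received it on, e.g. "Ethernet1/0/2"
    vlan: int
    client_mac: str   # chaddr
    yiaddr: str = ""  # address offered/assigned (server messages only)
    lease: int = 0    # lease time in seconds (DHCPACK only)


@dataclass
class DhcpSnooper:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # mac -> (ip, vlan, port, lease)
    pending: dict = field(default_factory=dict)   # mac -> untrusted port of last request
    log: list = field(default_factory=list)       # dropped rogue-server messages

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and update state as the switch would."""
        mac = m.client_mac.lower()
        trusted = m.in_port in self.trusted_ports
        if m.msg_type in SERVER_MSGS and not trusted:
            # illegal DHCP server answering on an access port: drop and record
            self.log.append(("rogue-server", m.in_port, m.vlan, m.msg_type))
            return "drop"
        if m.msg_type in CLIENT_MSGS:
            if not trusted:
                self.pending[mac] = m.in_port
            if m.msg_type == "DHCPRELEASE":
                self.bindings.pop(mac, None)
            return "forward"
        if m.msg_type == "DHCPACK":
            port = self.pending.get(mac)
            if port is not None:
                # the binding is tied to the untrusted port the client used
                self.bindings[mac] = (m.yiaddr, m.vlan, port, m.lease)
        return "forward"

    def ip_allowed(self, port: str, mac: str, ip: str) -> bool:
        """Binding check: is this (port, MAC, IP) triple in the snooping table?"""
        b = self.bindings.get(mac.lower())
        return b is not None and b[0] == ip and b[2] == port


def run_scenario() -> tuple:
    """Constructed exchange: one client, one rogue OFFER, one real server."""
    snooper = DhcpSnooper(trusted_ports={"Ethernet1/0/1"})
    msgs = [
        DhcpMsg("DHCPDISCOVER", "Ethernet1/0/2", 2, "00-11-22-33-44-55"),
        DhcpMsg("DHCPOFFER", "Ethernet1/0/3", 2, "00-11-22-33-44-55", "10.0.0.66"),  # rogue
        DhcpMsg("DHCPOFFER", "Ethernet1/0/1", 2, "00-11-22-33-44-55", "10.0.0.10"),
        DhcpMsg("DHCPREQUEST", "Ethernet1/0/2", 2, "00-11-22-33-44-55"),
        DhcpMsg("DHCPACK", "Ethernet1/0/1", 2, "00-11-22-33-44-55", "10.0.0.10", 86400),
    ]
    results = [snooper.handle(m) for m in msgs]
    return results, snooper
```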
33.2 DHCP Snooping Configuration Task Sequence

1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping binding ARP function
4. Enable DHCP Snooping option82 function
5. Set the private packet version
6. Set DES encrypted key for private packets
7. Set helper server address
8. Set trusted ports
9. Enable DHCP Snooping binding DOT1X function
10. Enable DHCP Snooping binding USER function
11. Adding static list entries function
12. Set defense actions
13.
4. Enable DHCP Snooping option82 function
Command / Explanation (Global mode)
ip dhcp snooping information enable
no ip dhcp snooping information enable
    Enable/disable the DHCP Snooping option 82 function.
5. Set the private packet version
Command / Explanation (Global mode)
ip user private packet version two
no ip user private packet version two
    To configure/delete the private packet version.
10. Enable or disable the DHCP SNOOPING binding USER function
Command / Explanation (Port mode)
ip dhcp snooping binding user-control
no ip dhcp snooping binding user-control
    Enable or disable the DHCP snooping binding user function.
11. Add static binding information
Command / Explanation (Global mode)
ip dhcp snooping binding user address vlan interface (ethernet|)
no ip dhcp snooping binding user
    Add/delete DHCP snooping static binding list entries.
15. Configure DHCP Snooping option 82 attributes
Command / Explanation (Global mode)
ip dhcp snooping information option subscriber-id format {hex | acsii | vs-hp}
    This command is used to set the subscriber-id format of DHCP snooping option82.
ip dhcp snooping information option remote-id {standard | }
    Set the suboption2 (remote ID option) content of the option 82 added to DHCP request packets (received by the port).
Command / Explanation (Port mode)
ip dhcp snooping information option subscriber-id {standard | }
no ip dhcp snooping information option subscriber-id
    Set the suboption1 (circuit ID option) content of the option 82 added to DHCP request packets (received by the port). The no command sets the suboption1 (circuit ID option) format of the added option 82 to standard.
33.
33.4 DHCP Snooping Troubleshooting Help

33.4.1 Monitor and Debug Information

The “debug ip dhcp snooping” command can be used to monitor the debug information.
33.4.
33.
33.6 DHCPv6 Snooping Troubleshooting

33.6.1 Monitor and Debug Information

The “debug ipv6 dhcp snooping” command can be used to monitor the debug information.
33.6.
Chapter 34 Routing Protocol Overview

To communicate with a remote host over the Internet, a host must choose a proper route via a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate routes using the CPU; the difference is that a Layer 3 switch installs the calculated route in the switch chip and forwards by the chip at wire speed, while a router stores the calculated route in the route table or route cache and performs data forwarding with the CPU.
Destination address: used to identify the destination address or destination network of an IP packet. Network mask: used together with the destination address to identify the destination host or the network in which the Layer 3 switch resides. A network mask consists of several consecutive binary 1's and is usually written in dotted decimal format (an address consists of 1 to 4 255’s.
To implement routing policy, we first have to define the characteristics of the routing messages to which the policy applies, namely define a group of matching rules. The rules can be configured on different properties of the routing messages, such as the destination address or the address of the router publishing the routing message. The matching rules can be configured in advance and then applied in the route publishing, receiving and redistribution policies.
4. Autonomous system path information access-list as-path
The autonomous system path information access-list as-path is only used in BGP. A BGP routing message contains an autonomous system path field, which records the autonomous systems the routing message has passed through. As-path is specifically for specifying matching conditions on the autonomous system path field. For the relevant as-path configuration, please refer to the ip as-path command in the BGP configuration. 5.
match community <community-list-num> [exact-match]
no match community [<community-list-num> [exact-match]]
    Match a community attribute access-list; the no command deletes the match condition.
match interface []
no match interface []
    Match by interface; the no command deletes the match condition.
3. Define the set clause in route-map
Command / Explanation (Route-map configuration mode)
set aggregator as
no set aggregator as [ ]
    Assign an AS No. for the BGP aggregator; the no command deletes the configuration.
set as-path prepend
    Add a specified AS No.
set origin
no set origin []
    Set the BGP routing origin; the no command deletes the configuration.
set originator-id
no set originator-id [ ]
    Set the routing originator ID; the no command deletes the configuration.
set tag
no set tag [ ]
    Set the OSPF routing tag value; the no command deletes the configuration.
set vpnv4 next-hop
no set vpnv4 next-hop [ ]
    Set the BGP VPNv4 next-hop address; the no comman
If path 2, which goes through the EBGP path, is desired, we can add two extra AS numbers to the AS-PATH of the messages from SwitchA to SwitchD, so as to change the decision SwitchC makes for 192.68.11.0/24.

[Figure: AS1, AS2 and AS3 topology with SwitchA, SwitchB and SwitchC; interface addresses 192.68.11.1 (VLAN1), 192.68.10.1 (VLAN3), 192.68.6.1 (VLAN2), 172.16.20.1 (VLAN3), 192.68.6.2 (VLAN2), 172.16.20.2 (VLAN3), 192.68.5.2 (VLAN1), 192.68.5.1 (VLAN1), 172.16.1.]
Chapter 35 Static Route

35.1 Introduction to Static Route

As mentioned earlier, a static route is a manually specified path to a network or a host. Static routes are simple and consistent, can prevent illegal route modification, and are convenient for load balancing and route backup. However, they also have their own defects.
2. VRF configuration
Command / Explanation (Global mode)
ip route vrf { |} {|} []
no ip route vrf { |} [|] []
    Configure the static route; the no command will delete the static route.
35.
Configuration steps:
Configuration of layer3 SwitchA
Switch#config
Switch(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2
Configuration of layer3 SwitchC
Switch#config
Next hop uses the partner IP address
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
Next hop uses the partner IP address
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of layer3 SwitchB
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.
Chapter 36 RIP

36.1 Introduction to RIP

RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: • The number of hops to reach the destination network, or the metric to use, or the number of networks to pass through.
(simple plaintext password and MD5 password authentication are supported), and supports variable length subnet masks. RIP-II uses some of the zero fields of RIP-I and requires no zero-field verification. The switch sends RIP-II packets by multicast by default; both RIP-I and RIP-II packets are accepted. Each Layer 3 switch running RIP has a route database containing all route entries for reachable destinations, and the route table is built from this database.
4) Configure and apply route filter
5) Configure Split Horizon
(3) Configure other RIP protocol parameters
1) Configure the managing distance of RIP route
2) Configure the RIP route capacity limit in route table
3) Configure the RIP update, timeout, holddown and other timers
4) Configure the receiving buffer size of RIP UDP
3.
Command / Explanation (Router Configuration Mode)
neighbor
no neighbor
    Specify the IP address of the neighbor router that needs point-to-point transmission; the no neighbor command cancels the appointed router.
passive-interface
no passive-interface
    Block the RIP broadcast on the specified port; RIP data packets can then only be transmitted between Layer 3 switches configured with neighbor. The no passive-interface command cancels the function.
ip rip authentication key-chain []
no ip rip authentication key-chain []
    Sets the key chain used in authentication; the no command means the key chain is not used.
ip rip authentication cisco-compatible
no ip rip authentication cisco-compatible
    After configuring this command and MD5 authentication with rip authentication key-chain, the switch can receive RIP packets from Cisco devices; the no command restores the default configuration.
4)Configure and apply the route filtering Command Explanation Router configuration mode distribute-list {< access-list-number Configure and apply the access table and prefix |access-list-name >|prefix
Command / Explanation (RIP configuration mode)
version { 1 | 2 }
no version
    Configure the version of all RIP data packets transmitted/received by the Layer 3 switch ports; the no version command restores the default configuration, version 2.
(2) Configure the RIP version to send/receive on all ports.
5. Configure the RIP routing aggregation
(1) Configure IPv4 aggregation route globally
Command / Explanation (Router Configuration Mode)
ip rip aggregate-address A.B.C.D/M
no ip rip aggregate-address A.B.C.D/M
    To configure or delete an IPv4 aggregation route globally.
(2) Configure IPv4 aggregation route on interface
Command / Explanation (Interface Configuration Mode)
ip rip aggregate-address A.B.C.D/M
    To configure or delete an IPv4 aggregation route on the interface.
no ip rip aggregate-address A.B.C.
7. Configure VRF address family mode for RIP
Command / Explanation (Router RIP configuration mode)
address-family ipv4 vrf
no address-family ipv4 vrf
    The command configures a RIP address family on the VRF of the PE router; the no command deletes the configured address family.
Command / Explanation (Address family configuration mode)
exit-address-family
    This command exits the address family mode.

36.3 RIP Examples

36.3.1 Typical RIP Examples

[Figure: Interface vlan1:10.1.1.1/24 ... Interface vlan1:10.1.1.]
a) Layer 3 SwitchA:
Configure the IP address of interface vlan 1
SwitchA#config
SwitchA(config)# interface vlan 1
SwitchA(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#
Configure the IP address of interface vlan 2
SwitchA(config)# vlan 2
SwitchA(Config-Vlan2)# switchport interface ethernet 1/0/2
Set the port Ethernet1/0/1 access vlan 2 successfully
SwitchA(Config-Vlan2)# exit
SwitchA(config)# interface vlan 2
SwitchA(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.
c) Layer 3 SwitchC
Configure the IP address of interface vlan 1
SwitchC#config
SwitchC(config)# interface vlan 1
SwitchC(Config-if-Vlan1)# ip address 20.1.1.2 255.255.255.0
SwitchC(Config-if-Vlan1)#exit
Initiate RIP protocol and configure the RIP segments
SwitchC(config)#router rip
SwitchC(config-router)#network vlan 1
SwitchC(config-router)#exit

36.3.2 Typical Examples of RIP aggregation function

The application topology is as follows:

[Figure: S1 vlan1:192.168.10.1 192.]
S1 configuration list:
S1(config)#router rip
S1(config-router)#network vlan 1
S2 configuration list:
S2(config)#router rip
S2(config-router)#network vlan 1
S2(config-router)#exit
S2(config)#in vlan 1
S2(Config-if-Vlan1)#ip rip agg 192.168.20.0/22

36.4 RIP Troubleshooting

The RIP protocol may not work properly because of errors such as physical connection problems or configuration errors made when configuring and using the RIP protocol.
Chapter 37 RIPng

37.1 Introduction to RIPng

RIPng was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: • The number of hops to reach the destination network, or the metric to use, or the number of networks to pass through.
Each Layer 3 switch running RIPng has a route database containing all route entries for reachable destinations, and the route table is built from this database. When a RIPng Layer 3 switch sends route update packets to its neighbor devices, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each Layer 3 switch is quite large, causing degraded network performance.
4) Configure split horizon
3. Configure other RIPng parameters
(1) Configure timer for RIPng update, timeout and hold-down
4. Delete the specified route in RIPng route table
5. Configure RIPng route aggregation
6.
(2) Configure RIP routing parameters
1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIP)
Command / Explanation (Router configuration mode)
default-metric
no default-metric
    Configure the default metric of redistributed routes; the no default-metric command restores the default configuration.
1.
4) Configure split horizon
Command / Explanation (Interface configuration mode)
IPv6 rip split-horizon [poisoned]
    Configure split horizon for the data packets the port sends; poisoned means with poison reverse.
no IPv6 rip split-horizon
    Cancel split horizon.
3.
(2) Configure IPv6 aggregation route on interface
Command / Explanation (Interface Configuration Mode)
ipv6 rip aggregate-address X:X::X:X/M
no ipv6 rip aggregate-address X:X::X:X/M
    To configure or delete an IPv6 aggregation route on the interface.
(3) Display IPv6 aggregation route information
Command / Explanation (Admin Mode and Configuration Mode)
show ipv6 rip aggregate
    To display IPv6 aggregation route information, such as aggregation interface, metric, number of aggregated routes and times of aggregation.
37.3 RIPng Configuration Examples

37.3.1 Typical RIPng Examples

[Figure 37-1 RIPng Example: SwitchA - SwitchC - SwitchB; the SwitchA/SwitchC link uses Interface VLAN1 2000:1:1::1/64 and 2000:1:1::2/64, the SwitchC/SwitchB link uses Interface VLAN2 2001:1:1::1/64 and Interface VLAN1 2001:1:1::2/64]

As shown in the figure above, the network consists of three Layer 3 switches. SwitchA and SwitchB connect to SwitchC through interfaces vlan1 and vlan2. All three switches are running RIPng.
Layer 3 SwitchB
Enable RIPng protocol
SwitchB(config)#router IPv6 rip
SwitchB(config-router-rip)#exit
Configure the IPv6 address and interfaces of Ethernet port vlan1 to run RIPng
SwitchB#config
SwitchB(config)# interface Vlan1
SwitchB(config-if)# IPv6 address 2001:1:1::2/64
SwitchB(config-if)#IPv6 router rip
SwitchB(config-if)#exit
Layer 3 SwitchC
Enable RIPng protocol
SwitchC(config)#router IPv6 rip
SwitchC(config-router-rip)#exit
Configure the IPv6 address and interfaces of Ethernet port vlan1 to run
In the above network topology, S2 is connected to S1 through interface vlan1, and S2 has four other subnet routes: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112. S2 supports route aggregation, so the aggregation route 2001:1::20:0/110 is configured on interface vlan1 of S2. After that, when S2 sends route messages through vlan1, the four subnet routes are aggregated into the single route 2001:1::20:0/110 and sent to S1, and the individual subnet routes are not sent to the neighbor.
After that, a RIPng protocol feature should be noticed: the Layer 3 switch running RIPng transmits route update messages every 30 seconds. A Layer 3 switch is considered inaccessible if no route update messages from it are received within 180 seconds; the route to that switch then remains in the route table for a further 120 seconds before it is deleted. Therefore, when a RIPng route is to be deleted, the route entry is assured to be removed from the route table after 300 seconds.
Chapter 38 OSPF
38.1 Introduction to OSPF
OSPF is the abbreviation for Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol creates a link-state database by exchanging link states among layer3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database. An autonomous system (AS) is a self-managed interconnected network.
One major advantage of link-state routing protocols is that counting to infinity cannot occur, because of the way link-state routing protocols build up their routing tables. The second advantage is that convergence in a link-state interconnected network is very fast: once the routing topology changes, updates are flooded throughout the network very quickly. These advantages free some Layer3 switch resources, since the processing capacity and bandwidth consumed by bad route information are minor.
In conclusion, LSAs are only transferred between neighboring Layer3 switches, and the OSPF protocol includes 5 types of LSA: router LSA, network LSA, network summary LSA to the other areas, ASBR summary LSA and AS external LSA. They are also called type1 LSA, type2 LSA, type3 LSA, type4 LSA and type5 LSA.
38.2 OSPF Configuration Task List
The OSPF configuration for the SGS-6341 Series switch may differ from the configuration procedure of switches from other manufacturers. It is a two-step process: 1) Enable OSPF in Global Mode; 2) Configure the OSPF area for the interfaces. The configuration task list is as follows:
Command (Global Mode): [no] router ospf [process ]
Explanation: Enables OSPF protocol; the "no router ospf" command disables OSPF protocol. (required)
Command (OSPF Protocol Configuration Mode): router-id / no router-id
Explanation: Configures the ID number for the layer3 switch running OSPF; the "no router-id" command cancels the ID number. The IP address of an interface is selected to be the layer3 switch ID.
4) Configure OSPF packet sending timer parameters (timer for broadcast interfaces sending HELLO packets to poll, timer for neighboring layer3 switch invalid timeout, timer for LSA transmission delay and timer for LSA retransmission).
Command (Interface Configuration Mode): ip ospf hello-interval
2) Display relative information
Command (Admin Mode or Configure Mode): show ip ospf [] redistribute
Explanation: Displays the configuration information of the OSPF process importing other outside routes.
3) Debug
Command: debug ospf redistribute message send / no debug ospf redistribute message send
Explanation: Enables or disables debugging of the messages sent from this OSPF process to other OSPF processes for route redistribution.
4) Configure the priority of the interface when electing the designated layer3 switch (DR).
Command (Interface Configuration Mode): ip ospf priority / no ip ospf priority
Explanation: Sets the priority of the interface in the "designated layer3 switch" election; the no ip ospf priority command restores the default setting.
Figure 38-1 Network topology of OSPF autonomous system (figure: SwitchA, SwitchB, SwitchC, SwitchD and SwitchE in Area 0 and Area 1; interface addresses 100.1.1.1/100.1.1.2, 30.1.1.1/30.1.1.2, 10.1.1.1/10.1.1.2 and 20.1.1.1/20.1.1.2 on ports E1/1 and E1/2 of vlan1, vlan2 and vlan3)
The configuration for layer3 Switch1 and Switch5 is shown below:
Layer 3 Switch1
Configuration of the IP address for interface vlan1
Switch1#config
Switch1(config)#interface vlan 1
Switch1(config-if-vlan1)#ip address 10.
Layer 3 Switch2:
Configure the IP address for interface vlan1 and vlan2.
Switch2#config
Switch2(config)#interface vlan 1
Switch2(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch2(config-if-vlan1)#no shutdown
Switch2(config-if-vlan1)#exit
Switch2(config)#interface vlan 3
Switch2(config-if-vlan3)#ip address 20.1.1.1 255.255.255.
Layer 3 Switch4:
Configuration of the IP address for interface vlan3
Switch4#config
Switch4(config)#interface vlan 3
Switch4(config-if-vlan3)#ip address 30.1.1.2 255.255.255.0
Switch4(config-if-vlan3)#no shutdown
Switch4(config-if-vlan3)#exit
Enable OSPF protocol, configure the OSPF area that interface vlan3 resides in.
Switch4(config)#router ospf
Switch4(config-router)#network 30.1.1.
Scenario 2: Typical OSPF protocol complex topology.
Figure 38-2 Typical complex OSPF autonomous system (figure: SwitchA through SwitchL, networks N1 through N15, Area0, Area1, Area2 and Area3)
This scenario is a typical complex OSPF autonomous system network topology.
Take area 1 as an example. Assume the IP address of Layer3 SwitchA is 10.1.1.1, the IP address of Layer3 SwitchB interface VLAN2 is 10.1.1.2, the IP address of Layer3 SwitchC interface VLAN2 is 10.1.1.3, and the IP address of Layer3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA connects to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB connects to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.
2) SwitchB:
Configure IP address for interface vlan2
SwitchB#config
SwitchB(config)#interface vlan 2
SwitchB(config-If-Vlan2)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2.
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 1
SwitchB(config-router)#exit
SwitchB(config)#interface vlan 2
Configure simple key authentication.
Configure simple key authentication
SwitchC(config)#interface vlan 2
SwitchC(config-If-Vlan2)#ip ospf authentication
SwitchC(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchC(config-If-Vlan2)#exit
Configure IP address and area number for interface vlan3
SwitchC(config)#interface vlan 3
SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0
SwitchC(config-If-Vlan3)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.3.
Configure simple key authentication.
SwitchD(config)#interface vlan 2
SwitchD(config-If-Vlan2)#ip ospf authentication
SwitchD(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchD(config-If-Vlan2)#exit
Configure the IP address and the area number for interface vlan 1
SwitchD(config)#interface vlan 1
SwitchD(config-If-Vlan1)#ip address 10.1.6.1 255.255.255.0
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.6.
We can configure as follows:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#router ospf 10
Switch(config-router)#network 2.2.2.0/24 area 1
Switch(config-router)#exit
Switch(config)#router ospf 20
Switch(config-router)#network 1.1.1.
Associate vlan 1 and vlan 2 with vpnb and vpnc respectively while configuring the IP addresses
SwitchA(config)#in vlan1
SwitchA(config-if-Vlan1)#ip vrf forwarding vpnb
SwitchA(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#exit
SwitchA(config)#in vlan2
SwitchA(config-if-Vlan2)#ip vrf forwarding vpnc
SwitchA(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.
Start the OSPF protocol and configure the OSPF network segments
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.1.0/24 area 0
SwitchC(config-router)#exit
38.4 OSPF Troubleshooting
The OSPF protocol may not work properly due to errors such as a faulty physical connection or a configuration error when configuring and using the OSPF protocol.
Chapter 39 OSPFv3
39.1 Introduction to OSPFv3
OSPFv3 (Open Shortest Path First version 3) is the third version of Open Shortest Path First, and is the IPv6 version of the OSPF protocol. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol creates a link-state database by exchanging link states among layer3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database.
One major advantage of link-state routing protocols is that counting to infinity cannot occur, because of the way link-state routing protocols build up their routing tables. The second advantage is that convergence in a link-state interconnected network is very fast: once the routing topology changes, updates are flooded throughout the network very quickly. These advantages free some Layer3 switch resources, since the processing capacity and bandwidth consumed by bad route information are minor.
In short, LSAs are only transferred between neighboring Layer3 switches, and the OSPFv3 protocol includes seven kinds of LSA: link LSA, intra-area prefix LSA, router LSA, network LSA, inter-area prefix LSA, inter-area router LSA and autonomous system external LSA.
39.2 OSPFv3 Configuration Task List
OSPFv3 Configuration Task List:
Command (Global Mode): [no] router IPv6 ospf
Explanation: Initializes the OSPFv3 routing process and enters OSPFv3 mode to configure the OSPFv3 routing process. The no router IPv6 ospf command stops the process. (required)
Command (OSPFv3 Protocol Configure Mode): router-id / no router-id
Explanation: Configures the router ID for the OSPFv3 process. The no router-id command returns the ID to 0.0.0.0. (required)
Configure an interface receiving without sending.
3) Configure OSPFv3 packet sending timer parameters (timer for broadcast interfaces sending HELLO packets to poll, timer for neighboring layer3 switch invalid timeout, timer for LSA transmission delay and timer for LSA retransmission).
Command (Interface Configuration Mode): IPv6 ospf hello-interval
(3) Configure OSPFv3 importing the routes of other OSPFv3 processes
1) Enable the function of OSPFv3 importing the routes of other OSPFv3 processes
Command (Router IPv6 OSPF Mode): redistribute ospf [] [metric] [metric-type {1|2}] [route-map] / no redistribute ospf [] [metric] [metric-type
Explanation: Enables or disables the function of OSPFv3 importing the routes of other OSPFv3 processes.
(4) Configure Other Parameters of OSPFv3 Protocol
1) Configure OSPFv3 STUB Area & Default Routing Cost
2) Configure OSPFv3 Virtual Link
Command (OSPFv3 Protocol Configuration Mode): timers spf / no timers spf
Explanation: Configures the OSPFv3 SPF timer. The no timers spf command recovers the default value.
Command: area stub [no-summary] / no area stub [no-summary]; area default-cost / no area default-cost; area virtual-link A.B.C.
Explanation: Configure parameters in an OSPFv3 area.
Figure 39-1 Network topology of OSPF autonomous system (figure: SwitchA through SwitchE in Area 0 and Area 1; interface addresses 2100:1:1::1/64 and 2100:1:1::2/64, 2030:1:1::1/64 and 2030:1:1::2/64, 2010:1:1::1/64 and 2010:1:1::2/64, 2020:1:1::1/64 and 2020:1:1::2/64 on ports E1/0/1 and E1/0/2 of vlan1, vlan2 and vlan3)
The configuration for layer3 SwitchA and SwitchE is shown below:
Layer3 SwitchA:
Enable OSPFv3 protocol, configure router ID
SwitchA(config)#router IPv6 ospf
Switc
Configure interface vlan1 address, VLAN2 IPv6 address and affiliated OSPFv3 area
SwitchB#config
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#IPv6 address 2010:1:1::2/64
SwitchB(config-if-vlan1)#IPv6 router ospf area 0
SwitchB(config-if-vlan1)#exit
SwitchB(config)#interface vlan 3
SwitchB(config-if-vlan3)#IPv6 address 2020:1:1::1/64
SwitchB(config-if-vlan3)#IPv6 router ospf area 1
SwitchB(config-if-vlan3)#exit
SwitchB(config)#exit
SwitchB#
Layer 3 SwitchC:
Enable OSPFv3 protocol, configure
Layer 3 SwitchE:
Start the OSPFv3 protocol, configure router ID
SwitchE(config)#router IPv6 ospf
SwitchE(config-router)#router-id 192.168.2.
Chapter 40 BGP
40.1 Introduction to BGP
BGP stands for Border Gateway Protocol. It is an inter-autonomous-system dynamic routing protocol. Its basic function is to exchange routing information automatically without loops. By exchanging reachability information that carries the sequence of AS numbers as a path attribute, BGP can build a topological map of autonomous systems to eliminate routing loops and implement the policies configured by users.
2. The Overview of BGP-4 operation
Unlike the RIP and OSPF protocols, BGP is connection oriented. BGP switches must establish a connection to exchange routing information. The operation of the BGP protocol is driven by messages, which are divided into four kinds:
Open message----the first message sent after a TCP connection is established. It is used to create a BGP connection relationship between BGP peers.
IBGP is used within the AS. It sends messages to all the BGP neighbors in the AS. IBGP exchanges AS routing information in a large organization. Note that the switches in the AS need not be connected physically; as long as the switches are in the same AS, they can be neighbors of each other. Because BGP cannot detect routes itself, the route tables of the other interior routing protocols (such as static routes, direct routes, OSPF and RIP) must contain the neighbor IP addresses, and these routes are used to exchange information among BGP peers.
9. If the routes are still equal by now, the BGP router ID is used to break the tie. The best route is the one from the lowest router ID.
40.2 BGP Configuration Task List
The BGP configuration tasks include basic and advanced tasks.
Ⅰ. Basic BGP configuration tasks
1. Enable BGP Routing
Command (Global mode): router bgp / no router bgp
Explanation: Enables BGP; the "no router bgp" command disables the BGP process.
Command (Router configuration mode): bgp asnotation asdot / no bgp asnotation asdot
Explanation: Shows the AS number and matches regular expressions using the ASDOT notation. The no command cancels this method.
Command (Router configuration mode): network / no network
(3) Configure inbound soft reconfiguration.
Command (BGP configuration mode): neighbor { | } soft-reconfiguration inbound / no neighbor { | } soft-reconfiguration inbound
Explanation: This command stores the routing information received from neighbors and peers; the no neighbor soft-reconfiguration inbound command cancels the storage of routing information.
2) Cancel default Next-Hop through route map
Command (Route map configuration mode): set ip next-hop / no set ip next-hop
Explanation: Sets the Next-Hop attribute of outbound routes. The no set ip next-hop command cancels this setting.
7. Configure EBGP Multi-Hop
If the connections with outer neighbors are not direct, the following command can configure neighbor Multi-Hop.
Ⅱ. Advanced BGP configuration tasks
1. Use Route Maps to Modify Routes
Command (BGP configuration mode): neighbor { | } route-map {in | out} / no neighbor { | } route-map {in | out}
Explanation: Applies a route map to incoming or outgoing routes; the no neighbor route-map {in | out} command cancels the route map settings.
4. Configure BGP Confederation
Command (BGP configuration mode): bgp confederation identifier / no bgp confederation identifier
Explanation: Configures a BGP AS confederation identifier; the no bgp confederation identifier command deletes the BGP AS confederation identifier.
Command: bgp confederation peers [..] / no bgp confederation peers [..]
Explanation: Configures the ASes affiliated to the AS confederation; the no bgp confederation peers [..
(3) If route reflection from clients to clients is needed, the following commands can be used.
Command (BGP configuration mode): bgp client-to-client reflection / no bgp client-to-client reflection
Explanation: Allows route reflection from clients to clients; the no bgp client-to-client reflection command forbids it.
Command: no neighbor { | } default-originate [route-map ]
Explanation: The no neighbor default-originate command cancels sending the default route.
Command: neighbor { | } send-community
Explanation: Configures the community attributes sent to the neighbor.
command deletes a client.
Command: neighbor { | } next-hop-self / no neighbor { | } next-hop-self
Explanation: When sending routes, configures the Next-Hop as the switch's own address; the no neighbor next-hop-self command cancels the setting.
(2) Configure the timer value of a particular neighbor
Command (BGP configuration mode): neighbor { | } timers / no neighbor { | } timers
Explanation: Configures the keepalive and holdtime timers of a particular neighbor; the no neighbor timers command recovers the default values.
12. Configure BGP's MED Value
(1) Configure MED value
Command (Route map configuration mode): set metric / no set metric
Explanation: Configures the metric value; the no set metric command recovers the default value.
(2)
Command: neighbor {|} capability orf prefix-list {||} / no neighbor {|} capability orf prefix-list {||}
Explanation: Route update, dynamic capability, outbound route filtering (ORF) prefix-list capability and address family negotiation. Use these commands to enable these capabilities; the "no" form closes them.
Command: bgp bestpath compare-confed-aspath / no bgp bestpath compare-confed-aspath; bgp bestpath compare-routerid / no bgp bestpath compare-routerid; bgp bestpath med {[confed] [missing-is-worst]} / no bgp bestpath med {[confed] [missing-is-worst]}
Explanation: Compare the confederation AS-path length, compare the router identifier, compare the confederation MED, etc. when selecting a route. The "no" form recovers the default path-selection rules.
40.3 Configuration Examples of BGP
40.3.1 Example 1: configure BGP neighbors
SwitchB, SwitchC and SwitchD are in AS200, and SwitchA is in AS100. SwitchA and SwitchB share the same network segment. SwitchB and SwitchD are not connected physically.
(figure: SwitchA Vlan1 11.1.1.1; SwitchB Vlan1 11.1.1.2 and Vlan2 12.1.1.2; SwitchC Vlan1 12.1.1.3 and Vlan2 13.1.1.3; SwitchD Vlan1 13.1.1.
The configuration of SwitchD is as follows:
SwitchD(config)#router bgp 200
SwitchD(config-router-bgp)#network 13.0.0.0
SwitchD(config-router-bgp)#neighbor 12.1.1.2 remote-as 200
SwitchD(config-router-bgp)#neighbor 13.1.1.3 remote-as 200
SwitchD(config-router-bgp)#exit
Now the connection between SwitchB and SwitchA is EBGP, and the other connections with SwitchC and SwitchD are IBGP. SwitchB and SwitchD can have a BGP connection without a physical connection.
Switch(config)#router bgp 100
Switch(config-router-bgp)#neighbor 16.1.1.6 remote-as 200
Switch(config-router-bgp)#neighbor 16.1.1.
40.3.4 Example 4: configure BGP confederation
The following is the configuration of an AS confederation. As the picture illustrates, SwitchB and SwitchC establish an IBGP connection. SwitchD is affiliated to AS 20. SwitchB and SwitchC establish EBGP inside the AS confederation. AS10 and AS20 form an AS confederation with the AS number AS200; SwitchA belongs to AS100, and SwitchB can create an EBGP connection by AS200.
(figure: SwitchA vlan1 11.1.1.1 in AS100; SwitchB vlan1 11.1.1.2 and vlan3 12.1.1.2; SwitchC vlan1 12.1.1.3 and Vlan2 13.1.1.; AS300 is also shown)
SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100
SwitchC:
SwitchC(config)#router bgp 10
SwitchC(config-router-bgp)#bgp confederation identifier 200
SwitchC(config-router-bgp)#bgp confederation peers 20
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 10
SwitchD:
SwitchD(config)#router bgp 20
SwitchD(config-router-bgp)#bgp confederation identifier 200
SwitchD(config-router-bgp)#bgp confederation peers 10
SwitchD(config-router-bgp)#neighbor 13.1.1.2 remote-as 10
Figure 40-3 The topological map of route reflectors (figure: SwitchA, SwitchB, SwitchC(RR), SwitchD(RR), SwitchE, SwitchF and SwitchG(RR) in AS100, SwitchH in AS200 and SwitchI in AS300, with vlan1 addresses 1.1.1.1, 2.2.2.2, 3.3.3.3, 3.3.3.4, 5.5.5.5, 6.6.6.6, 7.7.7.7, 8.8.8.8 and 9.9.9.9)
The configurations are as follows:
The configuration of SwitchC:
SwitchC(config)#router bgp 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100
SwitchC(config-router-bgp)#neighbor 1.1.1.
SwitchD(config-router-bgp)#neighbor 6.6.6.6 remote-as 100
SwitchD(config-router-bgp)#neighbor 6.6.6.6 route-reflector-client
SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100
SwitchD(config-router-bgp)#neighbor 7.7.7.7 remote-as 100
The configuration of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 1.1.1.2 remote-as 100
SwitchA(config-router-bgp)#neighbor 9.9.9.
The configuration of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300
SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300
SwitchA(config-router-bgp)#neighbor 4.4.4.3 remote-as 400
The configuration of SwitchC:
SwitchC(config)#router bgp 300
SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100
SwitchC(config-router-bgp)#neighbor 2.2.2.2 route-map set-metric out
SwitchC(config-router-bgp)#neighbor 1.1.1.
40.3.7 Example 7: example of BGP VPN
For the configuration of MPLS VPN, BGP is part of the core routing system and is also an important utility to support ILM and FTN entries on the edge devices. For DCNOS, the BGP protocol together with the LDP protocol constructs the foundation of the MPLS VPN application. The LDP protocol works at the WLAN side, and for the routers which are not on the edge of the network, the BGP protocol does not function.
CE-A1(config)#interface vlan 2
CE-A1(config-if-Vlan2)#ip address 192.168.101.2 255.255.255.0
CE-A1(config-if-Vlan2)#exit
CE-A1(config)#interface vlan 1
CE-A1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
CE-A1(config-if-Vlan1)#exit
CE-A1(config)#router bgp 60101
CE-A1(config-router)#neighbor 192.168.101.1 remote-as 100
CE-A1(config-router)#exit
Configurations on CE-A2:
CE-A2#config
CE-A2(config)#interface vlan 2
CE-A2(config-if-Vlan2)#ip address 192.168.102.2 255.255.255.
CE-B2(config-router)#neighbor 192.168.202.1 remote-as 100
CE-B2(config-router)#exit
Configurations on PE1:
PE1#config
PE1(config)#ip vrf VRF-A
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target both 100:10
PE1(config-vrf)#exit
PE1(config)#ip vrf VRF-B
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target both 100:20
PE1(config-vrf)#exit
PE1(config)#interface vlan 1
PE1(config-if-Vlan1)#ip vrf forwarding VRF-A
PE1(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.
Configurations on PE2:
PE2#config
PE2(config)#ip vrf VRF-A
PE2(config-vrf)#rd 100:10
PE2(config-vrf)#route-target both 100:10
PE2(config-vrf)#exit
PE2(config)#ip vrf VRF-B
PE2(config-vrf)#rd 100:20
PE2(config-vrf)#route-target both 100:20
PE2(config-vrf)#exit
PE2(config)#interface vlan 1
PE2(config-if-Vlan1)#ip vrf forwarding VRF-A
PE2(config-if-Vlan1)#ip address 192.168.102.1 255.255.255.
40.4 BGP Troubleshooting
In the process of configuring and implementing the BGP protocol, a faulty physical connection or a configuration error can cause the BGP protocol not to work.
Chapter 41 MBGP4+
41.1 Introduction to MBGP4+
MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension to IPv6; refer to the BGP chapter of this manual for an introduction to the BGP protocol. Unlike RIPng and OSPFv3, BGP has no separate independent protocol for IPv6; instead, it adds address-family extensions to the original BGP. The extensions that MBGP4+ makes to BGP are mainly embodied in: a. the neighbor address configured can be an IPv6 address; b.
3. Configure redistribution of OSPFv3 routing to MBGP4+
(1) Enable redistribution of OSPFv3 routing to MBGP4+
Command (Router IPv6 BGP Configuration Mode): redistribute ospf [] [route-map] / no redistribute ospf
Explanation: Enables or disables redistribution of OSPFv3 routing to MBGP4+.
Accordingly, the SwitchA configuration is as follows:
SwitchA(config)#router bgp 100
SwitchA(config-router)#bgp router-id 1.1.1.1
SwitchA(config-router)#neighbor 2001::2 remote-as 200
SwitchA(config-router)#address-family IPv6 unicast
SwitchA(config-router-af)#neighbor 2001::2 activate
SwitchA(config-router-af)#exit-address-family
SwitchA(config-router-bgp)#exit
SwitchA(config)#
The SwitchB configuration is as follows:
SwitchB(config)#router bgp 200
SwitchB(config-router)#bgp router-id 2.2.2.
SwitchD(config-router-af)#exit-address-family
SwitchD(config-router)#exit
Here the connection between SwitchB and SwitchA is EBGP, and the connection between SwitchC and SwitchD is IBGP. A BGP connection can be established between SwitchB and SwitchD without a physical link, provided that there is a route from one switch to the other. The route can be obtained by static routing or an IGP.
41.4 MBGP4+ Troubleshooting
It is the same as the corresponding section of BGP.
Chapter 42 Black Hole Routing Manual
42.1 Introduction to Black Hole Routing
Black Hole Routing is a special kind of static routing which drops all the datagrams that match the routing rule.
42.2 IPv4 Black Hole Routing Configuration Task
1. Configure IPv4 Black Hole Routing
Command (Global Configuration Mode): ip route { |/} null0 [] / no ip route { |/}
Explanation: Configures the static Black Hole Routing.
42.4 Black Hole Routing Configuration Examples
Example 1: IPv4 Black Hole Routing function.
Figure 42-1 IPv4 Black Hole Routing Configuration Example (figure: SWITCH1 192.168.0.1/21 linked to SWITCH2 192.168.0.2/21; SWITCH2 access subnets 192.168.1.0/24 through 192.168.7.0/24)
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access interfaces. The network addresses are 192.168.1.0/24 ~ 192.168.7.0/24. A default route is configured on Switch 2 to connect to Switch 1.
Example 2: IPv6 Black Hole Routing function.
Figure 41-2 IPv6 Black Hole Routing Configuration Example (figure: SWITCH1 2004:1:2:3::1/64 linked to SWITCH2 2004:1:2:3::2/64; SWITCH2 access prefixes 2004:1:2:3:1::/80 through 2004:1:2:3:7::/80)
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access interfaces. The network addresses are 2004:1:2:3:1::/80 ~ 2004:1:2:3:7::/80. A default route is configured on Switch 2 to connect to Switch 1.
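The lookup behind both examples, as an added illustration that is not the switch's software: a longest-prefix match over a modelled Switch 2 route table, showing why the black hole entry matters when one access VLAN goes down (its connected route disappears, and without the black hole the traffic would follow the default route back toward Switch 1). The interface names Vlan1..Vlan7 and the black hole prefixes 192.168.0.0/21 and 2004:1:2:3::/64 are assumptions, since the examples' configuration lines are cut off on this page.

```python
"""Longest-prefix match with a null0 (black hole) route, modelling the
chapter's two examples. Added example, not the switch's own software."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

NULL0 = "null0"  # the drop pseudo-interface, as in "ip route ... null0"


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    nexthop: str    # next-hop address or egress interface, or NULL0
    distance: int   # administrative distance: 0 connected, 1 static


def lookup(rib: list, dst: IPAddress) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lower
    administrative distance wins. Returns None when nothing matches."""
    candidates = [r for r in rib
                  if r.prefix.version == dst.version and dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def forward(rib: list, dst: str) -> str:
    """What the switch does with a packet to dst: 'forward <nexthop>',
    'drop' when the black hole route is the best match, or 'no-route'."""
    route = lookup(rib, ipaddress.ip_address(dst))
    if route is None:
        return "no-route"
    if route.nexthop == NULL0:
        return "drop"
    return f"forward {route.nexthop}"


def switch2_rib(blackhole: bool, down_vlans=()) -> list:
    """Switch 2's RIB for the IPv4 example. Interface names Vlan1..Vlan7
    and the /21 black hole prefix are assumed for this illustration."""
    rib = [Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", 1)]  # default to Switch 1
    for i in range(1, 8):
        if i in down_vlans:
            continue  # a VLAN that is down withdraws its connected route
        rib.append(Route(ipaddress.ip_network(f"192.168.{i}.0/24"), f"Vlan{i}", 0))
    if blackhole:
        # "ip route 192.168.0.0/21 null0": catches every address in the block
        # that no more specific (connected) route claims
        rib.append(Route(ipaddress.ip_network("192.168.0.0/21"), NULL0, 1))
    return rib


def switch2_rib6(blackhole: bool, down_vlans=()) -> list:
    """Same structure for the IPv6 example: access prefixes
    2004:1:2:3:1::/80 .. 2004:1:2:3:7::/80, default route to Switch 1,
    assumed black hole for the enclosing /64."""
    rib = [Route(ipaddress.ip_network("::/0"), "2004:1:2:3::1", 1)]
    for i in range(1, 8):
        if i not in down_vlans:
            rib.append(Route(ipaddress.ip_network(f"2004:1:2:3:{i}::/80"), f"Vlan{i}", 0))
    if blackhole:
        rib.append(Route(ipaddress.ip_network("2004:1:2:3::/64"), NULL0, 1))
    return rib


if __name__ == "__main__":
    for dst in ("192.168.4.7", "10.9.9.9", "192.168.7.5"):
        print(dst, "vlan7 down, no black hole:", forward(switch2_rib(False, (7,)), dst))
        print(dst, "vlan7 down, black hole:   ", forward(switch2_rib(True, (7,)), dst))
```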
For problems that cannot be fixed through the above methods, please issue the commands show ip route distance, show ip route fib and show l3, then copy and paste the output of the commands and send it to the technical service center of our company.
Chapter 43 GRE Tunnel Configuration
43.1 Introduction to GRE Tunnel
GRE (Generic Routing Encapsulation) was submitted to the IETF by Cisco and Net-smiths in 1994, in RFC1701 and RFC1702. At present, the network devices of most manufacturers support the GRE tunnel protocol. GRE defines how to encapsulate one kind of network protocol inside another kind of network protocol.
1. Configure tunnel mode
Command (Tunnel interface configuration mode): tunnel mode gre ip / no tunnel mode
Explanation: Configures the tunnel mode as a GREv4 tunnel. After the data packet is encapsulated with GRE, it has an IPv4 packet header and passes through the IPv4 network.
Command (Tunnel interface configuration mode): tunnel mode gre ipv6 / no tunnel mode
Explanation: Configures the tunnel mode as a GREv6 tunnel. After the data packet is encapsulated with GRE, it has an IPv6 packet header and passes through the IPv6 network.
Command: ip route tunnel / no ip route tunnel
Explanation: Configures the egress interface of the IPv4 static route as a GRE tunnel.
Command: ipv6 route tunnel / no ipv6 route tunnel
Explanation: Configures the egress interface of the IPv6 static route as a GRE tunnel.
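What tunnel mode gre ip does to a packet on the wire, as an added example that is not the switch's code: RFC 2784 GRE encapsulation of an inner IPv4 or IPv6 packet into an outer IPv4 header of protocol 47, and the validating decapsulation a tunnel endpoint performs (header checksum, protocol, GRE version, optional key/sequence fields). The outer endpoint addresses 192.0.2.1 and 192.0.2.2 and the sample inner packets are constructed for this example.

```python
"""GRE (RFC 2784) encapsulation and decapsulation. Added example, not the
switch's own implementation; endpoint addresses are constructed."""
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
GRE_FLAG_CHECKSUM = 0x8000  # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000       # K bit (RFC 2890)
GRE_FLAG_SEQUENCE = 0x1000  # S bit (RFC 2890)
GRE_VERSION_MASK = 0x0007


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_encap(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header + untouched inner packet."""
    version = inner[0] >> 4 if inner else 0
    if version == 4:
        ethertype = ETHERTYPE_IPV4
    elif version == 6:
        ethertype = ETHERTYPE_IPV6
    else:
        raise ValueError("inner packet is neither IPv4 nor IPv6")
    gre = struct.pack("!HH", 0, ethertype)  # no C/K/S bits, GRE version 0
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decap(packet: bytes):
    """Validate the outer IPv4 and GRE headers; return (ethertype, inner).
    Raises ValueError on anything a tunnel endpoint must discard."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 4 or len(packet) < total_len:
        raise ValueError("truncated packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    packet = packet[:total_len]  # strip any link-layer padding
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if (flags & GRE_VERSION_MASK) != 0:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags & flag:
            offset += 4  # each optional field is 32 bits wide
    return ethertype, packet[offset:]


# Constructed sample inner packets: an IPv4 packet between the chapter's PC
# subnets (ICMP echo request bytes, ICMP checksum not computed) and a
# minimal IPv6 header with no payload (next header 59 = none).
SAMPLE_INNER_V4 = ipv4_header("10.1.1.1", "20.1.1.1", 1, 8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
SAMPLE_INNER_V6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                              socket.inet_pton(socket.AF_INET6, "2000:3000:1000::1"),
                              socket.inet_pton(socket.AF_INET6, "2005:3000:1000::2"))

if __name__ == "__main__":
    tunnelled = gre_encap("192.0.2.1", "192.0.2.2", SAMPLE_INNER_V4)
    print(tunnelled.hex())
    print(gre_decap(tunnelled))
```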
Configuration steps
Instruction: the topology environment of this chapter may differ from the actual environment. To ensure the effect of the configuration, please make sure the current configuration of the device does not conflict with the following configuration.
(1) The configuration of device A
1. The configuration step
Enable the IPv6 function.
SwitchA(config)#ipv6 enable
Create the interface VLAN 11 and its address.
SwitchA(config)#interface vlan 10
SwitchA(config-if-vlan10)#ip address 10.1.1.2 255.255.255.0
SwitchA(config-if-vlan10)#exit
Configure the OSPF routing protocol.
SwitchA(config)#router ospf
SwitchA(config-router)#router-id 1.1.1.1
SwitchA(config-router)#network 100.1.1.0/24 area 0
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#exit
After the OSPF protocols of the two ends are fully connected through the tunnel, we can see the tunnel route
SwitchA(config)#show ip route
O 20.1.1.
Tunnel1 gre ipv6 2005:1000:3000::1 2000:1000:3000::1
The configuration of the GRE tunnel is successful.
Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured.
SwitchA(config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0
Configure the interface VLAN20 and its address.
Create the interface VLAN 12 and its address
SwitchA(config)#vlan 12
SwitchA(config-vlan12)#switchport interface ethernet 1/0/12
SwitchA(config-vlan12)#exit
SwitchA(config)#interface vlan 12
SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64
SwitchA(config-if-vlan12)#exit
(4) The configuration of the PCs
Configure the IP address of PC1 and the default gateway.
PC1: IP address 10.1.1.1 255.255.255.0, default gateway 10.1.1.2
PC2: IP address 20.1.1.1 255.255.255.
(figure: GRE tunnel topology. Switch A and Switch B are connected through Switch C over the IPv6 links 2000:3000:1000::1/64 and 2000:3000:1000::2/64 (V11, Interface e1/0/11) and 2005:3000:1000::1/64 and 2005:3000:1000::2/64 (V12, Interface e1/0/12). The GRE tunnel Tunnel1 has the addresses 100.1.1.1/24 and 100.1.1.2/24. Switch A V10 10.1.1.2/24 and Switch B V20 20.1.1.2/24 on Interface e1/0/10 face the PCs at 10.1.1.1/24 and 20.1.1.
(1) The configuration of device A
1. The configuration step
Enable the IPv6 function.
SwitchA(config)#ipv6 enable
Create the interface VLAN 11 and its address.
SwitchA(config)#vlan 11
SwitchA(config-vlan11)#switchport interface ethernet 1/0/11
SwitchA(config-vlan11)#exit
SwitchA(config)#interface vlan 11
SwitchA(config-if-vlan11)#ipv6 address 2000:3000:1000::1/64
Configure the IPv6 static route to switch B from interface Vlan11.
SwitchA(config-if-tunnel1)#loopback-group 1
Configure the OSPF routing protocol.
SwitchA(config)#router ospf
SwitchA(config-router)#router-id 1.1.1.1
Swit chA(config-router)#network 100.1.1.0/24 area 0
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#exit
After the OSPF protocols of the two ends are fully connected through the tunnel, we can see the tunnel route
SwitchA(config)#show ip route
O 20.1.1.0/24 [110/2] via 100.1.1.
Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured.
SwitchA(config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0
Configure the interface VLAN20 and its address.
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#switchport interface ethernet 1/0/10
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-vlan20)#ip address 20.1.1.2 255.255.255.
SwitchA(config-vlan12)#exit
SwitchA(config)#interface vlan 12
SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64
SwitchA(config-if-vlan12)#exit
(4) The configuration of the PCs
Configure the IP address of PC1 and the default gateway.
PC1: IP address 10.1.1.1 255.255.255.0, default gateway 10.1.1.2
PC2: IP address 20.1.1.1 255.255.255.0, default gateway 20.1.1.2
Chapter 44 ECMP Configuration
44.1 Introduction to ECMP
ECMP (Equal-cost Multi-path Routing) works in network environments where there are several different links to the same destination address. With the traditional routing technique only one link can be used to send data packets to the destination address, while the other links stay in the backup or invalid state, and in a static routing environment it takes some time to switch over between them.
2. Configure load-balance mode for port-group
Command (Global mode): load-balance {dst-src-mac | dst-src-ip | dst-src-mac-ip}
Explanation: Sets load balancing for the switch; it takes effect for the port-group and ECMP functions at the same time.
44.3 ECMP Typical Example
Figure 44-3 The application environment of ECMP
As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and 100.1.2.1/24. R2 and R3 connect to R1 with the interface addresses 100.1.1.2/24 and 100.1.2.
C 1.1.1.1/32 is directly connected, Loopback1 tag:0 S 5.5.5.5/32 [1/0] via 100.1.1.2, Vlan100 tag:0 [1/0] via 100.1.2.2, Vlan200 tag:0 C 100.1.1.0/24 is directly connected, Vlan100 tag:0 C 100.1.2.0/24 is directly connected, Vlan200 tag:0 C 127.0.0.0/8 is directly connected, Loopback tag:0 Total routes are : 6 item(s) 44.3.2 OSPF Implements ECMP R1 configuration: R1(config)#interface Vlan100 R1(Config-if-Vlan100)# ip address 100.1.1.1 255.255.255.
R3(config-router)# ospf router-id 3.3.3.3 R3(config-router)# network 100.1.2.0/24 area 0 R3(config-router)# network 100.2.2.0/24 area 0 R4 configuration: R4(config)#interface Vlan100 R4(Config-if-Vlan100)# ip address 100.2.1.1 255.255.255.0 R4(config)#interface Vlan200 R4(Config-if-Vlan200)# ip address 100.2.2.1 255.255.255.0 R4(config)#interface loopback 1 R4(Config-if-loopback1)# ip address 5.5.5.5 255.255.255.255 R4(config)#router ospf 1 R4(config-router)# ospf router-id 4.4.4.
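The load-balance modes above decide which header fields feed the hash that picks one of the equal-cost next hops, and the route table in 44.3.1 shows the two next hops for 5.5.5.5/32. The following added example (our illustration, not the switch's firmware) models that selection in Python: the hash function, the flow tuple and the sample flows are assumptions, the next hops are the page's. It shows why a flow always sticks to one path, and why dst-src-mac gives no balancing when all traffic sits behind one pair of router MACs.

```python
"""Hash-based ECMP next-hop selection (added illustration, not the switch's
code). Models the page's load-balance modes dst-src-mac, dst-src-ip and
dst-src-mac-ip: selected header fields are hashed and the hash picks one of
the equal-cost next hops, so all packets of one flow take the same path.
The hash function, the Flow tuple and the sample flows are assumptions.
"""
import hashlib
from dataclasses import dataclass

# Two equal-cost next hops for 5.5.5.5/32, as in the page's route table.
ECMP_ROUTE = {"5.5.5.5/32": ["100.1.1.2 via Vlan100", "100.1.2.2 via Vlan200"]}

MODES = {
    "dst-src-mac": ("src_mac", "dst_mac"),
    "dst-src-ip": ("src_ip", "dst_ip"),
    "dst-src-mac-ip": ("src_mac", "dst_mac", "src_ip", "dst_ip"),
}


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def path_index(flow, mode, n_paths):
    """Hash the fields selected by `mode` and reduce them to a path index."""
    key = "|".join(getattr(flow, f) for f in MODES[mode]).encode()
    # SHA-256 stands in for the hardware hash; only determinism matters here.
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def select_next_hop(flow, mode="dst-src-ip", prefix="5.5.5.5/32"):
    """Return the next hop this flow is pinned to under the given mode."""
    paths = ECMP_ROUTE[prefix]
    return paths[path_index(flow, mode, len(paths))]


def distribute(flows, mode):
    """Count how many flows land on each path, to see whether load is spread."""
    counts = {}
    for fl in flows:
        nh = select_next_hop(fl, mode)
        counts[nh] = counts.get(nh, 0) + 1
    return counts


def sample_flows(n=200):
    """Constructed flows: many hosts behind one router MAC pair, different IPs."""
    return [Flow("00:11:22:33:44:01", "00:11:22:33:44:02",
                 f"10.0.{i // 256}.{i % 256}", "5.5.5.5") for i in range(n)]


if __name__ == "__main__":
    for mode in MODES:
        print(mode, distribute(sample_flows(), mode))
```

With dst-src-mac every constructed flow hashes identically (same MAC pair), so one link carries everything; dst-src-ip or dst-src-mac-ip spreads the flows across both next hops while keeping each flow on a single path.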
Chapter 45 BFD 45.1 Introduction to BFD BFD (Bidirectional Forwarding Detection) provides a detection mechanism to quickly detect and monitor the connectivity of links in networks. To improve network performance, protocol neighbors must quickly detect communication failures so that communication can be restored through backup paths as soon as possible. BFD provides a general-purpose, standard, medium-independent and protocol-independent fast failure detection mechanism.
bfd interval min_rx multiplier / no bfd interval: Configure the minimum transmission interval and the multiplier of session detection for BFD control packets; the no command restores the default detection multiplier.
bfd min-echo-receive-interval / no bfd min-echo-receive-interval: Configure the minimum receiving interval for BFD control packets; the no command restores its default value.
bfd echo / no bfd echo: Enable bfd echo; the no command disables the function.
ipv6 route {vrf | } prefix bfd / no ipv6 route {vrf | } prefix bfd: Configure BFD for the static IPv6 route; the no command cancels the configuration.
4. Configure BFD for VRRP (v3)
Command Explanation VRRP(v3) Group Configuration Mode
bfd enable / no bfd enable: Enable BFD for the VRRP(v3) protocol and enable BFD detection on this group; the no command disables the function.
45.3 Examples of BFD 45.3.
Switch(config)#interface vlan 14
Switch(config-if-vlan14)#ip address 14.1.1.1 255.255.255.0
Switch(config)#ip route 15.1.1.0 255.255.255.0 12.1.1.1 bfd
When the link between Switch B and the layer 2 switch fails, Switch A detects the change of Switch B immediately, and the static route is then in the inactive state. 45.3.2 Example for Linkage of BFD and RIP Route Example: Switch A and Switch B are connected and run the RIP protocol; both of them enable the BFD function.
Switch (config-router)#network vlan 300 Switch(config)#interface vlan 100 Switch(config-if-vlan100) #rip bfd enable When the link between Switch A and Switch B fails, BFD detects it immediately and notifies RIP to delete the learnt route. 45.3.3 Example for Linkage of BFD and VRRP Example: When the master fails, the backup cannot become the master until the configured timeout timer expires. The timeout is generally three to four seconds, so the switchover is slow.
Switch(config-router)#enable Switch(config-router)#bfd enable # Configure Switch B Switch#config Switch(config)#bfd mode passive Switch(config)#interface vlan 2 Switch(config-ip-vlan2)#ip address 192.16.0.102 255.255.255.0 Switch(config)#router vrrp 1 Switch(config-router)#virtual-ip 192.168.0.10 Switch(config-router)#interface vlan 1 Switch(config-router)#enable Switch(config-router)#bfd enable 45.
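The three examples above all rely on the same mechanism: the negotiated BFD interval and multiplier define how long silence from the peer must last before the session is declared down, and the client protocol (a static route, RIP or VRRP) reacts to that state. The following added example (ours, not the switch's implementation) models the RFC 5880 timer rules in Python and ties a static route to the session state as in 45.3.1; the timer values and the failure timeline are constructed.

```python
"""BFD timer negotiation and failure detection (added illustration; not the
switch's implementation). Follows RFC 5880: a system transmits no faster
than the peer's Required Min RX Interval, and declares the session Down
when no control packet arrives for the peer's Detect Mult times the
negotiated receive interval. The static-route linkage mirrors the page's
45.3.1 example; all timer values below are constructed.
"""


class BfdSession:
    def __init__(self, min_tx_ms, min_rx_ms, multiplier):
        self.min_tx = min_tx_ms        # local Desired Min TX Interval
        self.min_rx = min_rx_ms        # local Required Min RX Interval
        self.mult = multiplier         # local Detect Mult
        self.remote = None             # (min_tx, min_rx, mult) learned from peer
        self.state = "Down"
        self.last_rx = None            # time of the last control packet (ms)

    def tx_interval(self):
        """We may not send faster than the peer is willing to receive."""
        if self.remote is None:
            return self.min_tx
        return max(self.min_tx, self.remote[1])

    def detection_time(self):
        """Remote Detect Mult x max(our min RX, remote desired TX)."""
        if self.remote is None:
            return None
        r_tx, _r_rx, r_mult = self.remote
        return r_mult * max(self.min_rx, r_tx)

    def receive_control(self, now_ms, r_min_tx, r_min_rx, r_mult):
        """A control packet from the peer refreshes the detection timer."""
        self.remote = (r_min_tx, r_min_rx, r_mult)
        self.last_rx = now_ms
        self.state = "Up"

    def tick(self, now_ms):
        """Timer callback: expire the session if the peer went silent."""
        if self.state == "Up" and now_ms - self.last_rx > self.detection_time():
            self.state = "Down"
        return self.state


def static_route_active(session):
    """Linkage as in the page's example: the route follows the session."""
    return session.state == "Up"


def simulate_link_failure():
    """Constructed scenario: local 300/300/3, peer advertises 500/500/3.

    Control packets arrive every 500 ms until t=2000 ms, then the link dies.
    Returns the session and (time, state, route_active) samples after that.
    """
    s = BfdSession(min_tx_ms=300, min_rx_ms=300, multiplier=3)
    for t in range(0, 2001, 500):
        s.receive_control(t, r_min_tx=500, r_min_rx=500, r_mult=3)
    samples = [(t, s.tick(t), static_route_active(s))
               for t in range(2500, 4501, 500)]
    return s, samples


if __name__ == "__main__":
    sess, out = simulate_link_failure()
    print("tx interval", sess.tx_interval(), "detection", sess.detection_time())
    for row in out:
        print(row)
```

With these values the negotiated detection time is 3 x 500 ms = 1500 ms, so the session (and the static route that depends on it) goes down at the first tick more than 1.5 s after the last packet, far quicker than the multi-second protocol timers the VRRP example complains about.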
Chapter 46 BGP GR 46.1 Introduction to GR As networks develop, higher availability is required, which is the goal of HA (High Availability): keeping packets forwarded without affecting traffic when the control plane of a router cannot work normally. Usually, when a router does not work normally, its neighbors at the routing protocol layer detect the relationship going down, and it comes up again soon afterwards. This process is called neighborhood shock.
information and enable the selection deferral timer. 5. R1 delays the local BGP route calculation until it receives End-of-RIB from all GR-aware BGP neighbors or until the local selection deferral timer expires. 6. R1 calculates routes and sends route updates; after that, it sends End-of-RIB to its neighbors. Restarting Speaker (GR-Helper): 1. R1 and R2 negotiate GR capability with the restarted router when they establish the original BGP neighborhood; R1 is a router that is GR-Capable. 2.
2. Configure whether the specific neighbor supports GR capability
Command Explanation BGP protocol unicast address family mode and VRF address family mode
neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart / no neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart: Set a label for the neighbor so that the GR parameter is carried when OPEN messages are sent.
3.
bgp graceful-restart stale-path-time <1-3600> / no bgp graceful-restart stale-path-time <1-3600>: Stale path-time uses the default value of 360s, which is much longer than restart-time and selection-deferral-time, because in the time from when the Receiving Speaker receives the OPEN message until it receives EOR, it sends the initial route update and waits for the initial route update to be received completely. 6.
R2 configures int vlan 12, ip address 12.1.1.2
R1 configuration:
R1#config
R1(config)#vlan 12
R1(config-vlan12)#int vlan 12
R1(config-if-vlan12)#ip address 12.1.1.1 255.255.255.0
R1(config-if-vlan12)#exit
R1(config)#router bgp 1
R1(config-router)#neighbor 12.1.1.2 remote-as 2
R1(config-router)#neighbor 12.1.1.
Chapter 47 OSPF GR 47.1 Introduction to OSPF GR OSPF Graceful-Restart (OSPF GR for short) is used to keep data forwarding correct so that the traffic of crucial services is not interrupted when the routing protocol restarts or a layer 3 switch switches over between the active master and the standby master. It is one of the high availability technologies. So far, high-end layer 3 switches usually adopt a design that separates control and forwarding.
protocol, while the GR helper is a layer 3 switch that helps the GR restarter. In the above example, S1 is the GR restarter and S2 is the GR helper.
The advantages of OSPF GR are the following:
Increase network reliability
Reduce the effect of routing shiver (route flapping) on the network
Reduce the effect on traffic and avoid losing packets during switchover
47.2 OSPF GR Configuration
OSPF GR configuration task list:
1. Enable GR for OSPF
2. Configure grace-period for OSPF GR restarter (optional)
3.
47.3 OSPF GR Example Example: There are four switches S1 to S4 (each has two master control boards and supports OSPF GR); they enable OSPF to implement the following functions: 1. S1 keeps forwarding traffic during the switchover, and S2 to S4 ensure that there is no route flapping and that network traffic is continuous. 2. S1 needs to finish the switchover and restart the protocol within 120s; otherwise S2 will quit GR and calculate routes again. 3.
47.4 OSPF GR Troubleshooting
When you have trouble using OSPF GR, please check the following:
Whether the GR restarter switch supports OSPF GR and has two main control boards; please ensure that the specific GR is not disabled.
Whether the network topology changed during the OSPF GR process. When it changes, the switch may quit GR and restart OSPF.
Please ensure all neighbors of the GR restarter support GR.
Do not modify the relevant configuration of OSPF during GR.
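The BGP GR chapter (46) and the OSPF GR chapter (47) describe the same helper behaviour from the neighbor's side: routes from a restarting peer are kept as stale rather than withdrawn, and the helper leaves GR and flushes them if the peer overruns its time budget (120 s in the OSPF example, restart-time and stale-path-time for BGP) or if the topology changes meanwhile. The following added example (ours, not the switch's code) models a generic GR helper in Python for both chapters; neighbor names, prefixes and timings are constructed.

```python
"""Graceful-restart helper behaviour (added illustration; not the switch's
code). One model serves both the BGP GR and OSPF GR chapters: when a
GR-capable neighbor restarts, the helper keeps its routes as stale instead
of withdrawing them, and it quits GR (flushing those routes) if the neighbor
does not finish within the grace period or if the topology changes.
Neighbor names, prefixes and timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    via: str
    stale: bool = False


@dataclass
class GrHelper:
    grace_period: int                                # seconds the helper waits
    routes: list = field(default_factory=list)
    restarting: dict = field(default_factory=dict)   # neighbor -> start time
    log: list = field(default_factory=list)

    def neighbor_down(self, nbr, now, nbr_supports_gr=True):
        """Neighbor went away. Without GR capability, withdraw at once."""
        if not nbr_supports_gr:
            self._flush(nbr, "neighbor does not support GR")
            return
        self.restarting[nbr] = now
        for r in self.routes:
            if r.via == nbr:
                r.stale = True
        self.log.append(f"{nbr}: entering helper mode, routes marked stale")

    def neighbor_finished(self, nbr, now, refreshed_prefixes):
        """Neighbor re-synced (End-of-RIB / grace LSA flushed): keep what it
        re-announced, drop stale routes it no longer sends."""
        start = self.restarting.pop(nbr, None)
        if start is None:
            return
        if now - start > self.grace_period:
            self._flush(nbr, "grace period expired before restart completed")
            return
        self.routes = [r for r in self.routes
                       if r.via != nbr or r.prefix in refreshed_prefixes]
        for r in self.routes:
            if r.via == nbr:
                r.stale = False
        self.log.append(f"{nbr}: restart completed, stale routes refreshed")

    def topology_changed(self, now):
        """Any topology change while helping aborts GR for all neighbors."""
        for nbr in list(self.restarting):
            self._flush(nbr, "topology changed during GR")

    def tick(self, now):
        """Timer: neighbors that overran the grace period are flushed."""
        for nbr, start in list(self.restarting.items()):
            if now - start > self.grace_period:
                self._flush(nbr, "grace period expired")

    def _flush(self, nbr, why):
        self.restarting.pop(nbr, None)
        self.routes = [r for r in self.routes if r.via != nbr]
        self.log.append(f"{nbr}: quit GR, routes withdrawn ({why})")

    def active_prefixes(self):
        return sorted(r.prefix for r in self.routes)


def scenario_restart_in_time():
    """Constructed: S2 helps S1, which restarts within the 120 s grace period."""
    h = GrHelper(grace_period=120, routes=[Route("10.1.0.0/24", "S1"),
                                           Route("10.2.0.0/24", "S1"),
                                           Route("10.3.0.0/24", "S3")])
    h.neighbor_down("S1", now=0)
    h.tick(now=60)                      # still inside the grace period
    h.neighbor_finished("S1", now=90, refreshed_prefixes={"10.1.0.0/24"})
    return h


def scenario_overrun():
    """Constructed: S1 does not come back within the grace period."""
    h = GrHelper(grace_period=120, routes=[Route("10.1.0.0/24", "S1"),
                                           Route("10.3.0.0/24", "S3")])
    h.neighbor_down("S1", now=0)
    h.tick(now=121)
    return h


if __name__ == "__main__":
    for h in (scenario_restart_in_time(), scenario_overrun()):
        print(h.active_prefixes(), h.log)
```

Note that in the successful case the prefix S1 did not re-announce (10.2.0.0/24) is dropped when the restart completes, which is exactly why a helper must not keep stale routes forever: a peer that silently loses a route during restart would otherwise leave a black hole until the stale timer fires.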
Chapter 48 IPv4 Multicast Protocol 48.1 IPv4 Multicast Protocol Overview This chapter gives an introduction to the configuration of the IPv4 Multicast Protocol. All IP addresses in this chapter are IPv4. 48.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of a packet (including data, sound and video) is a small number of users in the network. One way is to use Unicast mode, i.e.
Multicast groups are dynamic: hosts can join and leave a Multicast group at any time. A Multicast group can be permanent or temporary. Some Multicast group addresses are assigned officially; they are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed, but its membership can vary. The number of members of a Permanent Multicast Group can be arbitrary, even zero.
48.1.3 IP Multicast Packet Transmission In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of IP data packet. Unlike Unicast mode, Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites in Multicast mode, thus Multicast transmission procedure is more complicated than Unicast transmission procedure.
The working process of PIM-DM can be summarized as: Neighbor Discovery, Flooding & Prune, and Graft. 1. Neighbor Discovery After a PIM-DM router is enabled, Hello messages are required to discover neighbors. The network nodes which run PIM-DM use Hello messages to contact each other. PIM-DM Hello messages are sent periodically. 2. Flooding & Prune process PIM-DM assumes all hosts on the network are ready to receive Multicast data.
48.2.2 PIM-DM Configuration Task List
1. Enable PIM-DM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional PIM-DM parameters (Optional)
a) Configure the interval for PIM-DM hello messages
b) Configure the interval for state-refresh messages
c) Configure the boundary interfaces
d) Configure the management boundary
4. Disable PIM-DM protocol
1.
ip pim hello-interval < interval> / no ip pim hello-interval: To configure the interval for PIM-DM hello messages. The no form of this command will restore the interval to the default value.
b) Configure the interval for state-refresh messages
Command Explanation Interface Configuration Mode
ip pim state-refresh origination-interval / no ip pim state-refresh origination-interval: To configure the interval for sending PIM-DM state-refresh packets.
c)
48.2.3 PIM-DM Configuration Examples As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLANs, and enable PIM-DM Protocol on each VLAN interface.
[Figure 48-1 PIM-DM Typical Environment: SwitchA (Vlan 1, Vlan 2) connected to SwitchB (Vlan 1, Vlan 2)]
The configuration procedure for SwitchA and SwitchB is as follows: (1) Configure SwitchA: Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.
48.2.4 PIM-DM Troubleshooting When configuring and using the PIM-DM Protocol, it might not operate normally because of a physical connection problem or an incorrect configuration.
and reach the host. In this way the RPT with the RP as root is generated. (2) Multicast Source Registration When a Multicast Source S sends a Multicast packet to Multicast Group G, the PIM-SM Multicast router directly connected to it takes charge of encapsulating the Multicast packet into a register message and unicasting it to the corresponding RP. If there is more than one PIM-SM Multicast router on a network segment, the DR (Designated Router) takes charge of sending the Multicast packet.
1. Enable PIM-SM Protocol
The PIM-SM protocol can be enabled on SGS-6341 Series Layer 3 switches by enabling PIM in global configuration mode and then enabling PIM-SM for specific interfaces in interface configuration mode.
Command Explanation Global Mode
ip pim multicast-routing: To enable the PIM-SM protocol for all the interfaces (however, in order to make PIM-SM work for specific interfaces, the following command should be issued).
ip pim hello-holdtime / no ip pim hello-holdtime: To configure the value of the holdtime field in PIM-SM hello messages. The no form of this command will restore the hold time to the default value.
3) Configure ACL for PIM-SM neighbors
Command Explanation Interface Configuration Mode
ip pim neighbor-filter{}: To configure an ACL to filter PIM-SM neighbors.
Command Explanation Global Configuration Mode
ip pim bsr-candidate {vlan | }[ ][ ] / no ip pim bsr-candidate: This command is the global candidate BSR configuration command, which is used to configure the information of the PIM-SM candidate BSR so that it can compete with other candidate BSRs. The command “no ip pim bsr-candidate” cancels the configuration of the BSR.
4. Disable PIM-SM Protocol
Command Explanation
no ip pim sparse-mode (Interface Configuration Mode) | no ip pim multicast-routing (Global Configuration Mode): To disable the PIM-SM protocol.
48.3.3 PIM-SM Configuration Examples As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLANs, and enable PIM-SM Protocol on each VLAN interface.
Switch(Config-if-Vlan1)# ip pim sparse-mode Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)# ip address 24.1.1.2 255.255.255.0 Switch(Config-if-Vlan2)# ip pim sparse-mode Switch(Config-if-Vlan2)# exit Switch(config)# ip pim rp-candidate vlan2 (3) Configure SwitchC: Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 34.1.1.3 255.255.255.
48.3.4 PIM-SM Troubleshooting When configuring and using the PIM-SM Protocol, it might not operate normally because of a physical connection problem or an incorrect configuration.
[Figure: PIM-SM with MSDP. (1) PIM Register packet from the Multicast Application Server to the RP; (2) the Subscriber joins the group; (3) the multicast data is delivered through the shared tree; (4) switching to the shortest path tree for delivery.]
48.4.2 Brief Introduction to MSDP Configuration Tasks 1. 2. 3. 4.
48.4.3.
48.4.4 Configuration of MSDP Entities
48.4.4.1 Creation of MSDP Peer
Commands Explanation MSDP Configuration Mode
peer / no peer: To create an MSDP Peer. The no form of this command will remove the configured MSDP Peer.
48.4.4.2 Configuration of MSDP parameters
Commands Explanation MSDP Peer Configuration Mode
connect-source / no connect-source: To configure the Connect-Source interface for the MSDP Peer.
MSDP Configuration Mode or MSDP Peer Configuration Mode
sa-filter (in|out) [ list | rp-list ] / no sa-filter (in|out) [ list | rp-list ]
MSDP Peer Configuration Mode
To configure sending of SA request packets.
4. At the same time, the source RP in the domain generates an SA (Source Active) message and sends it to the MSDP entity RP2. 5. If there is another member in the same domain as the MSDP entity, named RP3, RP3 distributes the multicast datagram encapsulated in the SA messages to the members of the shared tree, and sends join messages to the multicast source.
Router A in Domain A: Switch#config Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 20.1.1.2 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#router msdp Switch(router-msdp)#peer 10.1.1.1 Switch(msdp-peer)#exit Switch(router-msdp)#peer 20.1.1.1 Router B in Domain B: Switch#config Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 20.1.1.
Switch(config)#router msdp Switch(router-msdp)#peer 40.1.1.2 Example 2: Application of MSDP Mesh-Group. A Mesh-Group can be used to reduce the flooding of SA messages. Peers which are fully meshed in the same domain can be configured as a Mesh-Group. All the members of the same mesh group use a unique group name. As shown in the figure, when a Mesh-Group is configured for the four meshed Peers in the same domain, the flooding of SA messages is reduced remarkably.
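To see how much a mesh-group actually saves, the following added example (ours, not the switch's code) models SA flooding in Python for four fully meshed MSDP peers, first without and then with a mesh-group; peer names, the sample source and group are constructed, and the group name SGS6341-1 is reused from the configuration example below. An SA that arrives from a mesh-group member is accepted but not re-sent to other members of that group, since they all received it directly from the originator.

```python
"""MSDP Source-Active flooding with and without a mesh-group (added
illustration; not the switch's code). Without a mesh-group an RP re-floods
every newly accepted SA to all other peers, so in a full mesh each SA is
delivered many times. With a mesh-group, an SA received from a group member
is not forwarded to the other members. Peers and the sample SA are constructed.
"""


class MsdpRouter:
    def __init__(self, name):
        self.name = name
        self.peers = set()
        self.mesh_group = {}       # peer name -> mesh-group name
        self.seen = set()          # (origin_rp, S, G) already accepted
        self.received = 0          # SA packets delivered to this router

    def peer(self, other, mesh_group=None):
        self.peers.add(other)
        if mesh_group:
            self.mesh_group[other] = mesh_group

    def originate_sa(self, network, s, g):
        """The RP that learned source S for group G announces it to all peers."""
        sa = (self.name, s, g)
        self.seen.add(sa)
        for p in self.peers:
            network.deliver(p, self.name, sa)

    def receive_sa(self, network, from_peer, sa):
        self.received += 1
        if sa in self.seen:          # duplicate: already accepted once
            return
        self.seen.add(sa)
        in_group = self.mesh_group.get(from_peer)
        for p in self.peers:
            if p == from_peer:
                continue
            # mesh-group rule: never re-flood inside the group it came from
            if in_group and self.mesh_group.get(p) == in_group:
                continue
            network.deliver(p, self.name, sa)


class Network:
    """Synchronous delivery between routers kept in a dict by name."""
    def __init__(self, routers):
        self.r = {x.name: x for x in routers}

    def deliver(self, to, frm, sa):
        self.r[to].receive_sa(self, frm, sa)


def full_mesh(names, mesh_group=None):
    routers = [MsdpRouter(n) for n in names]
    for a in routers:
        for b in routers:
            if a is not b:
                a.peer(b.name, mesh_group)
    return routers


def sa_packets_received(mesh_group=None):
    """Total SA packets delivered across four fully meshed peers, and whether
    every peer ended up knowing the source."""
    routers = full_mesh(["A", "B", "C", "D"], mesh_group)
    net = Network(routers)
    routers[0].originate_sa(net, "10.1.1.1", "224.1.1.1")
    sa = ("A", "10.1.1.1", "224.1.1.1")
    return sum(x.received for x in routers), all(sa in x.seen for x in routers)


if __name__ == "__main__":
    print("no mesh-group:", sa_packets_received())
    print("mesh-group SGS6341-1:", sa_packets_received("SGS6341-1"))
```

Without a mesh-group each of B, C and D accepts the SA once and re-floods it to two peers, so nine SA packets cross the mesh for a single source; with the mesh-group only the originator's three packets are sent, and every peer still learns the source.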
Configuration steps are listed as below: Router A: Switch#config Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#interface vlan 3 Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0 Switch(Config-if-Vlan3)#exit Switch(config)#router msdp Switch(router-msdp)#peer 10.1.1.
Switch(router-msdp)#mesh-group SGS6341-1 Router C: Switch#config Switch(config)#interface vlan 4 Switch(Config-if-Vlan4)#ip address 40.1.1.4 255.255.255.0 Switch(Config-if-Vlan4)#exit Switch(config)#interface vlan 5 Switch(Config-if-Vlan5)#ip address 50.1.1.4 255.255.255.0 Switch(Config-if-Vlan5)#exit Switch(config)#interface vlan 6 Switch(Config-if-Vlan6)#ip address 60.1.1.4 255.255.255.0 Switch(Config-if-Vlan6)#exit Switch(config)#router msdp Switch(router-msdp)#peer 20.1.1.
48.4.8 MSDP Troubleshooting When MSDP is being configured, it may not function because the physical link is not working or because of configuration mistakes.
48.5.2 ANYCAST RP Configuration Task
1. Enable ANYCAST RP v4 function
2. Configure ANYCAST RP v4
1. Enable ANYCAST RP v4 function
Command Explanation Global Configuration Mode
ip pim anycast-rp / no ip pim anycast-rp: Enable the ANYCAST RP function (necessary). The no operation globally disables the ANYCAST RP function.
2. Configure ANYCAST RP v4
(1) Configure the RP candidate
Command Explanation Global Configuration Mode
Now, PIM-SM allows the Loopback interface to be an RP candidate.
of source (S,G). While forwarding the register message, this router changes its source address into the self-rp-address. 2. Once this router (as an RP) receives a register message unicast from another RP, i.e. a register message whose destination is the self-rp-address of this router, it creates (S,G) state and sends back a register-stop message whose destination address is the source address of the register message.
communication with local routers. The effect of other-rp-address has two respects: 1. Once this router (as an RP) receives a register message unicast from a DR, it should forward it to the other RPs in the network to notify all the RPs in the network of the (S,G) state of the source. While forwarding, the router changes the destination address of the register message into the other-rp-address.
Since there is an ANYCAST list maintained on router RP1 that has been configured with ANYCAST RP, and since this list contains the unicast addresses of all the other RPs in the network, when RP1 receives the register message it can use the self-rp-address, which identifies itself, as the source address to forward the register message to RP2. The cloud in the Figure represents the PIM-SM network operating between RP1 and RP2.
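The two register-handling rules above (forward a DR's register to the other RPs with the source rewritten to self-rp-address; answer a register from another RP with a register-stop and create (S,G) state) are small enough to model directly. The following added example (ours, not the switch's implementation) does so in Python with two RPs sharing a constructed anycast address; all addresses are constructed and the packet structure is a simplification.

```python
"""Register-message handling on an ANYCAST RP (added illustration; not the
switch's code). Implements the two rules described above: a register from a
DR (sent to the anycast address) creates (S,G) state and is forwarded to
every other RP with the source rewritten to self-rp-address and the
destination set to other-rp-address; a register received from another RP
(destination = self-rp-address) creates (S,G) state and is answered with a
register-stop sent to the register's source address. Addresses constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Register:
    src: str          # IP source of the unicast register packet
    dst: str          # IP destination of the register packet
    s: str            # multicast source S
    g: str            # group G


@dataclass
class AnycastRp:
    anycast_addr: str            # shared RP address the DRs register to
    self_rp_address: str         # this RP's unique unicast address
    other_rp_addresses: list     # unicast addresses of the other RPs
    sg_state: set = field(default_factory=set)
    sent: list = field(default_factory=list)   # (kind, Register) pairs

    def receive(self, pkt):
        if pkt.dst == self.anycast_addr:
            return self._from_dr(pkt)
        if pkt.dst == self.self_rp_address:
            return self._from_other_rp(pkt)
        return "ignored"

    def _from_dr(self, pkt):
        """Rule 1: create local state, then notify every other RP."""
        self.sg_state.add((pkt.s, pkt.g))
        for rp in self.other_rp_addresses:
            fwd = Register(src=self.self_rp_address, dst=rp, s=pkt.s, g=pkt.g)
            self.sent.append(("register", fwd))
        return "forwarded"

    def _from_other_rp(self, pkt):
        """Rule 2: learn (S,G) and stop the sending RP with a register-stop."""
        self.sg_state.add((pkt.s, pkt.g))
        stop = Register(src=self.self_rp_address, dst=pkt.src, s=pkt.s, g=pkt.g)
        self.sent.append(("register-stop", stop))
        return "register-stop"


def scenario():
    """Constructed: RP1 (1.1.1.1) and RP2 (2.2.2.2) share anycast 10.10.10.10;
    a DR at 192.0.2.1 registers source 192.0.2.50 for group 239.1.1.1."""
    rp1 = AnycastRp("10.10.10.10", "1.1.1.1", ["2.2.2.2"])
    rp2 = AnycastRp("10.10.10.10", "2.2.2.2", ["1.1.1.1"])
    dr_register = Register(src="192.0.2.1", dst="10.10.10.10",
                           s="192.0.2.50", g="239.1.1.1")
    r1 = rp1.receive(dr_register)
    _kind, fwd = rp1.sent[0]          # deliver what RP1 forwarded to RP2
    r2 = rp2.receive(fwd)
    return rp1, rp2, r1, r2


if __name__ == "__main__":
    a, b, x, y = scenario()
    print(x, a.sent, y, b.sent, b.sg_state)
```

The rewritten source address matters: because RP2 answers the register-stop to the packet's source, RP1 (not the DR, and not the anycast address that both share) receives it, which is what keeps the two RPs from looping registers through each other.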
Use the “show ip pim anycast rp status” command to check whether the configuration information of ANYCAST RP is correct. If the ANYCAST problems still cannot be solved after checking, please use debug commands like “debug pim anycast-rp”, then copy the DEBUG information within three minutes and send it to the technical service center of our company. 48.6 PIM-SSM 48.6.1 Introduction to PIM-SSM Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol.
Figure 48-7 PIM-SSM typical environment Configurations of SwitchA, SwitchB, SwitchC, and SwitchD are shown as below. (1) Configuration of Switch A Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-If-Vlan1)# ip pim sparse-mode Switch(Config-If-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-If-Vlan2)# ip pim sparse-mode Switch(Config-If-Vlan2)#exit Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.
Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-If-Vlan1)# ip pim sparse-mode Switch(Config-If-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-If-Vlan2)# ip pim sparse-mode Switch(Config-If-Vlan2)#exit Switch(config)#interface vlan 3 Switch(Config-If-Vlan3)# ip pim sparse-mode Switch(Config-If-Vlan3)# exit Switch(config)# ip pim bsr-candidate vlan2 30 10 Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.
commands such as debug pim event / debug pim packet, and then copy the DEBUG information within 3 minutes and send it to the Technology Service Center. 48.7 DVMRP 48.7.1 Introduction to DVMRP DVMRP stands for “Distance Vector Multicast Routing Protocol”. It is a Multicast Routing Protocol in dense mode, which sets up a Forward Broadcast Tree for each source in a manner similar to RIP, and sets up a Truncation Broadcast Tree, i.e.
In DVMRP, source network routing selection messages are exchanged in basically the same manner as in RIP. That is, routing report messages are transmitted among DVMRP neighbors periodically (the default is 60 seconds). The routing information in the DVMRP routing selection table is used to set up the source distribution tree, i.e. to determine through which neighbor the router reaches the source transmitting the multicast packets; the interface to this neighbor is called the upstream interface.
simple. After globally enabling the DVMRP Protocol, it is required to turn on the DVMRP switch under the corresponding interface.
Command Explanation Interface Configuration Mode
ip dvmrp / no ip dvmrp: Enable DVMRP Protocol on the interface; the “no ip dvmrp” command disables DVMRP Protocol on the interface.
3.
48.7.3 DVMRP Configuration Examples As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLANs, and enable DVMRP on each VLAN interface.
[Figure 48-8 DVMRP Network Topology Diagram: SwitchA and SwitchB connected through their Vlan 1 and Vlan 2 interfaces]
The configuration procedure for SwitchA and SwitchB is as follows: (1) Configure SwitchA: Switch (config)#ip dvmrp multicast-routing Switch (config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.
Please check whether the correct IP address is configured on the interface (use the ip address command); afterwards, enable the DVMRP Protocol on the interface (use the ip dvmrp command and the ip dvmrp multicast-routing command). A multicast protocol requires an RPF check using unicast routing; therefore the correctness of unicast routing must be assured beforehand. (DVMRP uses its own unicast table; please use the show ip dvmrp route command to look it up.)
48.8.2 DCSCM Configuration Task List
1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration
1. Source Control Configuration
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Command Explanation Global Configuration Mode
ip multicast source-control / no ip multicast source-control: Enable source control globally; the “no ip multicast source-control” command disables source control globally.
Command Explanation Port Configuration Mode
[no] ip multicast source-control access-group <5000-5099>: Used to configure the rules source control applies to the port; the no form cancels the configuration.
2. Destination Control Configuration
Like source control configuration, destination control configuration also has three steps. First, enable destination control globally.
[no] ip multicast destination-control access-group <6000-7999>: Used to configure the rules destination control applies to the port; the no form cancels the configuration.
Global Configuration Mode
[no] ip multicast destination-control <1-4094> access-group <6000-7999>: Used to configure the rules destination control applies to the specified VLAN-MAC; the no form cancels the configuration.
First enable IGMP snooping in the VLAN it is located in (here it is assumed to be VLAN 2):
EC(config)#ip igmp snooping
EC(config)#ip igmp snooping vlan 2
After that, configure the relevant destination control access-list, and configure the specified IP address to use that access-list.
Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
Switch(config)#access-list 6000 permit ip any any
Switch(config)#ip multicast destination-control
Switch(config)#ip multicast destination-control 10.0.0.
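Destination control is an access-control decision: each IGMP join from a controlled host is matched against the access-list entries in order, the first match decides, and nothing matching means deny. The following added example (ours, not the switch's code) evaluates the page's access-list 6000 in Python so the deny/permit outcome for a given host and group can be checked before the list is applied; the wildcard-mask matcher and the sample joins are assumptions, the two ACL entries are the page's.

```python
"""Evaluating a multicast destination-control access list (added
illustration; not the switch's code). Models the page's example: access-list
6000 denies any host joining 238.0.0.0/8 and permits everything else. Each
join is matched against the entries in order; the first match decides and an
unmatched join is denied. The wildcard matcher and sample joins are ours.
"""
import ipaddress


def _take_match(tokens):
    """Consume 'any' or 'addr wildcard' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(text):
    """'deny ip any 238.0.0.0 0.255.255.255' -> (action, src_match, dst_match)."""
    parts = text.split()
    action, proto = parts[0], parts[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {text}")
    src, rest = _take_match(parts[2:])
    dst, _rest = _take_match(rest)
    return action, src, dst


def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl, host_ip, group):
    """Return 'permit' or 'deny' for host_ip joining group."""
    for action, src, dst in acl:
        if wildcard_match(host_ip, *src) and wildcard_match(group, *dst):
            return action
    return "deny"          # implicit deny at the end of every list


# The page's access-list 6000, parsed into entries.
ACL_6000 = [parse_entry("deny ip any 238.0.0.0 0.255.255.255"),
            parse_entry("permit ip any any")]


def filter_joins(joins, acl=ACL_6000):
    """joins: list of (host_ip, group). Returns the joins that are accepted."""
    return [(h, g) for h, g in joins if evaluate(acl, h, g) == "permit"]


if __name__ == "__main__":
    # Constructed joins from the controlled host 10.0.0.5.
    sample = [("10.0.0.5", "238.9.9.9"), ("10.0.0.5", "224.1.1.1")]
    print(filter_joins(sample))
```

Because the implicit deny applies when no entry matches, a list that only carries deny entries blocks every join; the trailing permit ip any any in the page's example is what keeps the other groups reachable.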
Hosts participating in IP multicast can join and leave a multicast group at any location and any time, without limit on the total number of members. A multicast switch does not need to, and is unlikely to, store the memberships of all hosts. It only needs to know whether there are receivers of some multicast group, i.e. group members, on the network segment each interface connects to. And a host only needs to store which multicast groups it has joined.
traffic from 10.1.1.1 and 10.1.1.2; when a host sends a report of EXCLUDE{192.168.1.1} for some group G, it means the host needs the traffic from all sources of group G except 192.168.1.1. This makes a great difference from the previous IGMP versions. The main improvements of IGMP Version 3 over IGMP Version 1 and Version 2 are: 1. The state to be maintained is the group and source list, not only the groups as in IGMPv2. 2. The interoperations with IGMPv1 and IGMPv2 are defined in the IGMPv3 state. 3.
ip dvmrp multicast-routing | ip pim multicast-routing: Enabling a global multicast protocol is the prerequisite for enabling the IGMP protocol; the “no ip dvmrp multicast-routing | no ip pim multicast-routing” commands disable the multicast protocol and the IGMP protocol.
ip igmp query-max-response-time / no ip igmp query-max-response-time: Configure the maximum response time of the interface for IGMP query; the “no ip igmp query-max-response-time” command restores the default value.
ip igmp query-timeout / no ip igmp query-timeout: Configure the time-out of the interface for IGMP query; the “no ip igmp query-timeout” command restores the default value.
(1) Configure SwitchA:
Switch(config)#ip pim multicast-routing
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 12.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)#ip pim dense-mode
(2) Configure SwitchB:
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan1
Switch(Config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#ip pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.
forwarding table based on the listening result, and can then decide whether to forward multicast packets according to the forwarding table. The switch provides IGMP Snooping and can send queries itself, so that the user can use the switch for IP multicast.
48.10.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping
1. Enable IGMP Snooping
Command Explanation Global Mode
ip igmp snooping: Enables IGMP Snooping.
ip igmp snooping vlan mrouter-port interface / no ip igmp snooping vlan mrouter-port interface: the no form of the command cancels this configuration.
ip igmp snooping vlan mrouter-port learnpim / no ip igmp snooping vlan mrouter-port learnpim: Enable the function that the specified VLAN learns the mrouter-port (from PIM packets); the no command disables the function.
ip igmp snooping vlan mrpt: Configure the survival time of the mrouter port.
ip igmp snooping vlan report source-address / no ip igmp snooping vlan report source-address: Configure the source address of the report packet; the no operation cancels the packet source address.
ip igmp snooping vlan specific-query-mrsp / no ip igmp snooping vlan specific-query-mrspt: Configure the maximum query response time for the specific group or source; the no command restores the default value.
48.10.
three of the four hosts running multicast applications, connected to ports 2, 6 and 10, play program 1, while the host connected to port 12 plays program 2. IGMP Snooping listening result: The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1, 2, 6, 10 in Group 1 and ports 1, 12 in Group 2. All four hosts can receive the program of their choice: ports 2, 6, 10 will not receive the traffic of program 2 and port 12 will not receive the traffic of program 1.
Multicast Configuration: The same as scenario 1. IGMP Snooping listening result: Similar to scenario 1. Scenario 3: To run in cooperation with layer 3 multicast protocols. The SWITCH used in Scenario 1 is replaced with a ROUTER; the specific configurations remain the same, and the multicast and IGMP snooping configurations are the same as in Scenario 1.
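The listening result of scenario 1 (ports 1, 2, 6, 10 in Group 1; ports 1, 12 in Group 2) is a small forwarding table that can be rebuilt from the membership reports the switch sees. The following added example (ours, not the switch's code) does that in Python: port 1 is the mrouter port, the group addresses, the leave handling and the treatment of unknown groups are assumptions. It shows why a host on port 12 never sees program 1 and why traffic for an unregistered group is not flooded to hosts.

```python
"""IGMP snooping forwarding table built from membership reports (added
illustration; not the switch's code). Reproduces scenario 1: in VLAN 100 the
multicast router sits on port 1 (mrouter port), hosts on ports 2, 6 and 10
report for program 1's group and the host on port 12 for program 2's group.
Group addresses, leave handling and unknown-group handling are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Snooper:
    vlan: int
    mrouter_ports: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)   # group -> set of member ports

    def report(self, port, group):
        """IGMP membership report seen on `port`: add it to the group."""
        self.groups.setdefault(group, set()).add(port)

    def leave(self, port, group):
        """IGMP leave, after the group-specific query got no other answer."""
        members = self.groups.get(group)
        if members:
            members.discard(port)
            if not members:
                del self.groups[group]

    def forwarding_ports(self, group):
        """Ports that get traffic for `group`: members plus mrouter ports.
        An unknown group goes only toward the router(s), never to hosts."""
        return sorted(self.groups.get(group, set()) | self.mrouter_ports)

    def egress(self, in_port, group):
        """Egress list for a frame to `group` arriving on `in_port`."""
        return [p for p in self.forwarding_ports(group) if p != in_port]


def scenario_1():
    """Constructed groups: 239.1.1.1 is program 1, 239.1.1.2 is program 2."""
    s = Snooper(vlan=100, mrouter_ports={1})
    for p in (2, 6, 10):
        s.report(p, "239.1.1.1")
    s.report(12, "239.1.1.2")
    return s


if __name__ == "__main__":
    snoop = scenario_1()
    for grp in ("239.1.1.1", "239.1.1.2", "239.9.9.9"):
        print(grp, "from router port 1 ->", snoop.egress(1, grp))
```

The mrouter port is always included so that reports and source traffic reach the router; a group nobody reported is delivered to the router port only, which is the behaviour that keeps unsolicited multicast off access ports.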
48.11 IGMP Proxy Configuration 48.11.1 Introduction to IGMP Proxy IGMP/MLD proxy, introduced in RFC 4605, is a simplified multicast protocol running on edge boxes. An edge box which runs the IGMP/MLD proxy protocol does not need to run complicated multicast routing protocols such as PIM/DVMRP; instead it works with a multicast-enabled network through IGMP/MLD proxy. This simplifies the implementation of multicasting on edge devices.
3. Configure IGMP Proxy assistant parameter
Command Explanation Global Mode
ip igmp proxy limit {group <1-500> | source <1-500>} / no ip igmp proxy limit: To configure the maximum number of groups that upstream ports can join, and the maximum number of sources in a single group. The no form of this command will restore the default value.
ip igmp proxy unsolicited-report interval <1-5>: To configure how often the upstream ports send out unsolicited reports.
48.11.3 IGMP Proxy Examples Example 1: IGMP Proxy function.
Example 2: IGMP Proxy for multicast sources from downstream ports.
[Figure 48-13 IGMP Proxy for multicast sources from downstream ports: Multicast Server, Multicast Router, IGMP PROXY Switch 1, IGMP PROXY Switch 2, IGMP PROXY Switch 3]
As shown in the figure above, IGMP Proxy enabled switches are connected to the network in a tree topology.
Multicast Configuration: Suppose the server provides programs through the multicast address 224.1.1.1, and some hosts subscribe to that program at the edge of the network. The hosts report their IGMP multicast group membership to Switch 2 and Switch 3 through downstream ports. Switch 2 and Switch 3 then aggregate the reports and forward them to Switch 1, which forwards the information to the multicast router.
Chapter 49 IPv6 Multicast Protocol 49.1 PIM-DM6 49.1.1 Introduction to PIM-DM6 PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a Multicast Routing Protocol in dense mode which is suited to small networks. The members of a multicast group are relatively dense in this kind of network environment. There is no difference from the IPv4 version PIM-DM except that the addresses it uses are IPv6 addresses.
the multicast packet will be discarded as a redundant message. The unicast routing information used for the path judgment can come from any Unicast Routing Protocol, such as routes found by RIP, OSPF, etc. It does not rely on any specific unicast routing protocol. 4. Assert Mechanism If two multicast routers A and B in the same LAN segment have their own receiving paths to multicast source S, they will each forward the multicast data packet to the LAN after receiving it from multicast source S.
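The RPF check described here (and in the IPv4 PIM-DM flood-and-prune process in 48.2.1) and the Assert mechanism are both decided from the unicast routing table, so they can be illustrated with a small table. The following added example (ours, not the switch's code) implements both in Python: a longest-prefix lookup of the source, an RPF check that drops packets arriving on the wrong interface, and Assert winner selection by lower metric with the higher address breaking ties. The routing table, interface names and addresses are constructed; the same logic applies to IPv6 addresses by swapping the address strings.

```python
"""RPF check and Assert winner selection for PIM-DM flood-and-prune (added
illustration; not the switch's code). A multicast packet is accepted only if
it arrived on the interface the unicast table would use to reach its source;
otherwise it is a duplicate and is dropped. Assert picks one forwarder per
LAN: the lower unicast metric to the source wins, ties go to the higher IP
address. The unicast table, interfaces and addresses are constructed.
"""
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, metric).
UNICAST_TABLE = [
    ("10.1.1.0/24", "Vlan1", 1),
    ("10.0.0.0/8", "Vlan2", 5),
    ("0.0.0.0/0", "Vlan3", 10),
]


def lookup(src_ip, table=UNICAST_TABLE):
    """Longest-prefix match; returns (interface, metric) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and \
                (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, metric)
    return None if best is None else (best[1], best[2])


def rpf_check(src_ip, in_iface, table=UNICAST_TABLE):
    """True if the packet came in on the RPF interface toward the source."""
    hit = lookup(src_ip, table)
    return hit is not None and hit[0] == in_iface


def forward_or_drop(src_ip, in_iface, interfaces, table=UNICAST_TABLE):
    """Flood to every other PIM interface if RPF passes, else drop ([])."""
    if not rpf_check(src_ip, in_iface, table):
        return []
    return [i for i in interfaces if i != in_iface]


def assert_winner(candidates):
    """candidates: list of (router_ip, metric_to_source).
    Lower metric wins; a tie is broken by the numerically higher address."""
    return min(candidates,
               key=lambda c: (c[1], -int(ipaddress.ip_address(c[0]))))[0]


if __name__ == "__main__":
    ifaces = ["Vlan1", "Vlan2", "Vlan3"]
    print(forward_or_drop("10.1.1.5", "Vlan1", ifaces))   # RPF ok: flood
    print(forward_or_drop("10.1.1.5", "Vlan2", ifaces))   # wrong iface: drop
    print(assert_winner([("10.1.1.1", 2), ("10.1.1.2", 2)]))
```

The RPF rule is also the reason the troubleshooting sections insist on correct unicast routing first: a wrong or missing unicast route makes every packet from that source fail the check and be silently dropped, which looks like a multicast problem but is not one.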
ipv6 pim dense-mode: To enable PIM-DM for the specified interface (required).
2. Configure static multicast routing entries
Command Explanation Global configuration mode
ipv6 mroute <.ifname> / no ipv6 mroute [ <.ifname>]: To configure IPv6 static multicast routing entries. The no form of this command will remove the specified routing entry.
3.
4) Configure the management boundary
Command Explanation Interface Configuration Mode
ipv6 pim scope-border <500-599> | / no ipv6 pim scope-border: To configure the PIM-DM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group. acl_name should be a standard IPv6 ACL name.
(1) Configure SwitchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:10:1:1::1/64
Switch(Config-if-Vlan1)#ipv6 pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan2
Switch(Config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
Switch(Config-if-Vlan2)#ipv6 pim dense-mode
(2) Configure SwitchB:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
Switc
A PIM-SM router forwards multicast data packets to a host only on explicit request. By setting the RP (Rendezvous Point) and BSR (Bootstrap Router), PIM-SM announces the RP information to all PIM-SM routers and establishes, using the Join/Prune messages of the routers, the RPT (RP-rooted shared tree) based on the RP. Consequently the network bandwidth occupied by data packets and control messages is cut down and the processing cost of the routers is reduced.
configured. With this arrangement, when one BSR fails another can take over. The BSR is chosen automatically among the C-BSRs. Notice: the multicast routing protocols in this chapter are not supported by the 5950-28T-L and 5950-52T-L. 49.2.
2. Configure static multicast routing entries. Command (global configuration mode): ipv6 mroute <.ifname> / no ipv6 mroute [ <.ifname>]. Configures a static multicast routing entry; the no form removes the specified static multicast routing entry. 3.
ipv6 pim bsr-border / no ipv6 pim bsr-border: configures the interface as a PIM-SM6 boundary. On a boundary interface BSR messages are neither sent nor received, and the network attached to the interface is treated as a directly connected network. The no form removes the configuration.
ipv6 pim rp-candidate {vlan| loopback|} [] [] / no ipv6 pim rp-candidate: the global candidate RP configuration command. It configures the PIM-SM candidate RP information so that this router can compete with other candidate RPs to become the RP. The no form cancels the candidate RP configuration.
[Figure 49-2 PIM-SM Typical Environment: SwitchA, SwitchB, SwitchC (BSR) and SwitchD (RP) interconnected through their VLAN 1, VLAN 2 and VLAN 3 interfaces]
The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as below:
(1) Configure SwitchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::1/64
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(C
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ipv6 address 2000:13:1:1::3/64
Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
Switch(Config-if-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-if-Vlan3)#ipv6 address 2000:30:1:1::1/64
Switch(Config-if-Vlan3)#ipv6 pim sparse-mode
Switch(Config-if-Vlan3)#exit
Switch(config)#ipv6 pim bsr-candidate vlan2 30 10
(4) Configure SwitchD:
Switch(config)#ipv6 pim multicast-routing
49.3 ANYCAST RP v6 Configuration 49.3.1 Introduction to ANYCAST RP v6 Anycast RP v6 is a PIM-based technology that provides RP redundancy so that service can recover as quickly as possible once an RP becomes unusable.
no ipv6 pim rp-candidate: either the Loopback interface or a regular layer-3 VLAN interface can be configured as the RP candidate. To make sure that the PIM routers in the network can find where the RP is located, the route to the RP candidate interface must be advertised by the router. The no form cancels the RP candidate configured on this router.
(3) Configure other-rp-address (the communication addresses of the other RPs). Command (global configuration mode): configure anycast-rp-addr on this router (as an RP). This unicast address is the RP address configured on multiple RPs in the network, and it matches the address of the RP candidate interface (or Loopback interface).
49.3.
Switch(config)#ipv6 pim anycast-rp self-rp-address 2004::2
Switch(config)#ipv6 pim anycast-rp 2006::1 2003::1
Note that to advertise the loopback interface route, use the network command if MBGP4+ is the routing protocol, or the route command if RIPng is used.
49.3.4 ANYCAST RP v6 Troubleshooting When configuring and using the ANYCAST RP v6 function, ANYCAST RP may behave abnormally because of faults in physical connections, configuration errors or other causes.
49.4.2 PIM-SSM6 Configuration Task List Command (global configuration mode): ipv6 pim ssm {default|range } / no ipv6 pim ssm. Configures the address range of PIM-SSM multicast groups; the no form disables it. 49.4.3 PIM-SSM6 Configuration Example As shown in the figure below, the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD are separated into different VLANs, and PIM-SM6 or PIM-DM6 is enabled on all the VLAN interfaces.
Switch(Config-If-Vlan2)#exit
Switch(config)#ipv6 access-list 500 permit ff1e::1/64
Switch(config)#ipv6 pim ssm range 500
(2) Configuration of SwitchB:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)#ipv6 address 2000:12:1:1::2/64
Switch(Config-If-Vlan1)#ipv6 pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)#ipv6 address 2000:24:1:1::2/64
Switch(Config-If-Vlan2)#ipv6 pim sparse-mode
Switch(Config-If-Vlan2)#
Switch(Config-If-Vlan2)#ipv6 address 2000:24:1:1::4/64
Switch(Config-If-Vlan2)#ipv6 pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-If-Vlan3)#ipv6 address 2000:40:1:1::1/64
Switch(Config-If-Vlan3)#ipv6 pim sparse-mode
Switch(Config-If-Vlan3)#exit
Switch(config)#ipv6 access-list 500 permit ff1e::1/64
Switch(config)#ipv6 pim ssm range 500
49.4.
controlling according to the source IP address of the message, and controlling according to the port on which the message arrives. MLD snooping can apply all three methods at the same time, whereas the layer-3 MLD module can only control by the source IP address of the message.
The last step is to apply the rules to the specified port. Note: each configured rule occupies hardware entries, so configuring too many rules may fail once the underlying entries are exhausted; keep the rules as simple as possible.
Command (port mode): [no] ipv6 multicast destination-control access-group <9000-10099>. Applies a destination control rule to a port; the no form cancels the configuration. Command (global configuration mode): [no] ipv6 multicast destination-control <1-4094> access-group <9000-10099>. Applies destination control rules to the specified VLAN-MAC; the no form cancels the configuration.
2. Destination control We want to prevent the users of the segment fe80::203:fff:fe01:228a/64 from joining the group ff1e::1/64, so we configure as follows. First, enable MLD Snooping in the VLAN where the segment is located (VLAN 2 in this example).
Switch(config)#ipv6 mld snooping
Switch(config)#ipv6 mld snooping vlan 2
Then configure the corresponding destination control access list and bind the specified IPv6 address to it.
total number of group members. It is unnecessary, and impossible, for the multicast switch to store the membership of every host. The multicast switch simply uses MLD to find out whether there are receivers for a given multicast group on the network segment attached to each port. The only thing a host needs to do is keep track of which multicast groups it has joined.
ipv6 pim dense-mode | ipv6 pim sparse-mode: starts the MLD protocol; the no form of the corresponding command shuts MLD down. (Required) 2. Configure MLD auxiliary parameters (1) Configure MLD group parameters 1) Configure MLD group filter conditions. Command (port configuration mode): ipv6 mld access-group / no ipv6 mld access-group. Configures the interface's filter conditions for MLD groups; the no form cancels the filter conditions.
[Figure 49-5 Network Topology Diagram: SwitchA and SwitchB, with VLAN 1 and VLAN 2 interfaces]
The configuration procedure for SwitchA and SwitchB is as below:
(1) Configure SwitchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#ipv6 pim rp-address 3FFE::1
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 3FFE::1/64
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
(2) Configure SwitchB:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#ipv6 pim rp-address 3FFE::1
Switch(conf
If all attempts fail to solve the MLD problem, use debug commands such as debug ipv6 MLD event/packet, collect 3 minutes of DEBUG output and send it to the Technology Service Center. 49.7 MLD Snooping 49.7.1 Introduction to MLD Snooping MLD, the Multicast Listener Discovery Protocol, is used to implement multicasting in IPv6.
ipv6 mld snooping vlan limit {group | source } / no ipv6 mld snooping vlan limit: configures the number of groups MLD Snooping can join and the maximum number of sources in each group; the no form restores the default. ipv6 mld snooping vlan l2-general-querier: sets the VLAN as a layer-2 general querier, which is recommended on each segment.
suppression-query-time ipv6 mld snooping vlan static-group [source ] interface [ethernet | port-channel] / no ipv6 mld snooping vlan static-group [source ] interface [ethernet | port-channel]: configures a static group on the specified port of the VLAN; the no form cancels this configuration. 49.7.
addresses of Group 1, Group 2 and Group 3 respectively. Multicast applications are running concurrently on the four hosts: the two hosts connected to ports 2 and 5 are playing program 1, the host connected to port 10 is playing program 2, and the one connected to port 12 is playing program 3.
SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/0/1
Multicast configuration: same as scenario 1
MLD Snooping interception results: same as scenario 1
Scenario 3: To run in cooperation with layer 3 multicast protocols. The SWITCH used in Scenario 1 is replaced with a ROUTER; the other configurations remain the same.
Chapter 50 Multicast VLAN 50.1 Introduction to Multicast VLAN With the conventional multicast on-demand method, when users in different VLANs request the same stream, a separate copy of the multicast traffic is sent into each VLAN, which wastes bandwidth. With a multicast VLAN configured, the switch ports are added to the multicast VLAN and, with IGMP Snooping/MLD Snooping enabled, users from different VLANs share the same multicast VLAN.
3. Configure MLD Snooping. Command (global mode): ipv6 mld snooping vlan / no ipv6 mld snooping vlan. Enables MLD Snooping on the multicast VLAN; the no form disables it. ipv6 mld snooping / no ipv6 mld snooping. Enables the MLD Snooping function; the no form disables it. 50.
SwitchA(config)#interface vlan 10
SwitchA(Config-if-Vlan10)#ip pim dense-mode
SwitchA(Config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(Config-if-Vlan20)#ip pim dense-mode
SwitchA(Config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast
SwitchA(config)#interface ethernet1/0/10
SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
SwitchB#config
SwitchB(config)#vlan 100
SwitchB(config-vlan100)#switchport access ethernet 1/0/15
SwitchB(config-
Chapter 51 ACL Configuration 51.1 Introduction to ACL An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic by permitting or denying packets passing through the switch, and so helps safeguard the security of the network. The user defines a set of rules based on information specific to the packets; each rule describes the action, "permit" or "deny", for a packet that matches the specified information.
51.2 ACL Configuration Task List ACL Configuration Task Sequence: 1. Configuring access-lists (1) Configuring a numbered standard IP access-list (2) Configuring a numbered extended IP access-list (3) Configuring a name-based standard IP access-list a) Create a name-based standard IP access-list b) Specify multiple "permit" or "deny" rule entries c) Exit ACL Configuration Mode (4) Configuring a name-based extended IP access-list.
5. Clear the filtering information of the specified port 1. Configuring access-lists (1) Configuring a numbered standard IP access-list. Command (global mode): access-list {deny | permit} {{ } | any-source | {host-source }} / no access-list. Creates a numbered standard IP access-list; if the access-list already exists, a rule is added to the current access-list. The "no access-list" command deletes the numbered standard IP access-list.
access-list {deny | permit} udp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [precedence ] [tos ][time-range] access-list {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | } {{ } | any-source | {host-source }} {{ } | any-de
c. Exit name-based standard IP ACL configuration mode. Command (standard IP ACL mode): exit. Exits name-based standard IP ACL configuration mode. (4) Configuring a name-based extended IP access-list a.
[ack+fin+psh+rst+urg+syn] [precedence ] [tos ] [time-range ] [no] {deny | permit} udp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [precedence: creates a name-based UDP extended IP access rule; the no form command deletes the extended IP access rule.
access-list {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [ [ / no access-list: creates a numbered MAC access-list; if the access-list already exists, a rule is added to the current access-list; the "no access-list" command deletes it.
[no] {deny|permit} {any-source-mac|{host-source-mac}|{<smac>}} {any-destination-mac|{host-destination-mac}|{}} [vlanid [] [ethertype []]]
[no] {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} [untagged-eth2 [ethertype [protocol-mask]]]
Creates an extended name-based MAC access rule matching
(8) Configuring a numbered extended MAC-IP access-list. Command (global mode): access-list {deny|permit} {any-source-mac|{host-source-mac }|{ }} {any-destination-mac|{host-destination-mac }|{}} icmp {{ } |any-source| {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence: creates a numbe
] [time-range] access-list {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac }|{}} udp {{}|any-source| {host-source}} [s-port { | range }] {{}|any-destination| {host-destination}} [d-port { | range }]: creates a numbered mac-udp exte
b.
[no] {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac }|{}} udp {{}|any-source| {host-source}} [s-port { | range }] {{}|any-destination| {host-destination }}: creates a name-based MAC-UDP access rule; the no form command deletes the name-based MAC-UDP access rule.
access-list" command deletes a numbered standard IPv6 access-list.
(12) Configuring a name-based standard IPv6 access-list a. Create a name-based standard IPv6 access-list. Command (global mode): ipv6 access-list standard / no ipv6 access-list standard. Creates a name-based standard IPv6 access-list; the no command deletes the name-based standard IPv6 access-list. b.
b. Specify multiple permit or deny rules. Command (extended IPv6 ACL mode): [no] {deny | permit} icmp {{} | any-source | {host-source }} { | any-destination | {host-destination }} [ []] [dscp ] [flow-label ] [time-range ]. Creates a name-based extended IPv6 access rule; the no form command deletes the name-based extended IPv6 access rule.
c. Exit extended IPv6 ACL configuration mode. Command (extended IPv6 ACL mode): exit. Exits extended name-based IPv6 ACL configuration mode. 2. Configuring the packet filtering function (1) Enable the global packet filtering function. Command (global mode): firewall enable. Enables the global packet filtering function. firewall disable. Disables the global packet filtering function. 3.
[no] absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday}: defines the days of the week between which the time range is active; the no form removes that period.
51.3 ACL Example Scenario 1: The user has the following configuration requirement: port 1/0/10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not to be allowed for those users. Configuration description: 1. Create a proper ACL 2. Configure the packet filtering function 3. Bind the ACL to the port The configuration steps are listed below:
Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.
The configuration steps are listed as below.
Switch(config)#firewall default permit
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#mac-ip access-group 3110 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show ipv6 access-lists
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
Switch#show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Note that because entries are matched top-down and matching stops at the first hit, the permit entry for 2003:1:1:1:66::0/80 is never reached: every address it covers is already denied by the preceding entry for 2003:1:1:1::0/64. A more specific permit must be placed before the broader deny.
51.4 ACL Troubleshooting ACL entries are checked in top-down order, and checking stops at the first entry that matches. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (in physical interface mode or VLAN interface mode). When four ACLs are bound and a packet matches several of them at the same time, the priority relations are as follows, in top-down order. If the priority is the same, the ACL configured first has the higher priority.
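The top-down, first-match rule above is what decides whether a list does what its author intended, so as an added example (not code from this guide or from PLANET) the following Python evaluates a packet against an ACL the way the section describes, applies the firewall default action when nothing matches, and also detects entries that can never be reached because an earlier entry already covers them. The IPv4 list is written from Scenario 1's stated requirement (deny FTP, TCP port 21, from 10.0.0.0/24), since the page's command line is truncated; the IPv6 list transcribes access-list 600 from the example above. Packet fields, the wildcard-to-prefix conversion and the rule representation are assumptions of this example, not the switch's internal format.

```python
from ipaddress import ip_address, ip_network


def wildcard_to_network(base, wildcard):
    """Convert an IPv4 address plus wildcard mask (1 bits = don't care) into a
    prefix network. Non-contiguous wildcards cannot be expressed as a prefix."""
    inv = (~int(ip_address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask")
    return ip_network(f"{base}/{prefixlen}", strict=False)


def rule(action, proto=None, src=None, dst=None, dport=None):
    """One ACL entry; None means 'any' for that field."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def rule_matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None and ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dst"] is not None and ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl, pkt, default="permit"):
    """Top-down, first-match evaluation. Returns (action, index); index is None
    when no entry matched and the firewall default action was applied."""
    for idx, r in enumerate(acl):
        if rule_matches(r, pkt):
            return r["action"], idx
    return default, None


def _covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    def net_covers(o, n):
        if o is None:
            return True
        return n is not None and n.version == o.version and n.subnet_of(o)

    def field_covers(o, n):
        return o is None or o == n

    return (net_covers(outer["src"], inner["src"]) and net_covers(outer["dst"], inner["dst"])
            and field_covers(outer["proto"], inner["proto"])
            and field_covers(outer["dport"], inner["dport"]))


def shadowed_rules(acl):
    """Indices of entries that can never be reached because an earlier entry
    already matches everything they would match."""
    return [i for i, r in enumerate(acl) if any(_covers(e, r) for e in acl[:i])]


# Scenario 1's requirement as data, and access-list 600 from the IPv6 example.
ACL_110 = [rule("deny", "tcp", wildcard_to_network("10.0.0.0", "0.0.0.255"), None, 21)]
ACL_600 = [
    rule("deny", None, ip_network("2003:1:1:1::/64")),
    rule("permit", None, ip_network("2003:1:1:1:66::/80")),
]

if __name__ == "__main__":
    ftp = {"proto": "tcp", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 21}
    print(evaluate(ACL_110, ftp))                  # FTP from the segment: denied by entry 0
    print(evaluate(ACL_110, dict(ftp, dport=22)))  # SSH: no match, firewall default applies
    print(shadowed_rules(ACL_600))                 # the /80 permit is unreachable
```

Running shadowed_rules over a list before binding it is a cheap check that the entries are ordered from specific to general; on the switch the same mistake only shows up as hit counters that never increase for the shadowed entry.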
Chapter 52 802.1x Configuration 52.1 Introduction to 802.1x The 802.1x protocol originates from 802.11, the IEEE wireless LAN protocol, and was designed to provide a solution for authenticating users who access a wireless LAN. The LAN defined in the IEEE 802 LAN protocols does not provide access authentication, which means that as long as users can reach a LAN access device (such as a LAN switch), they can reach all the devices and resources in the LAN.
system should support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is the entity at the other end of the LAN segment that authenticates the connected supplicant systems. An authenticator system is usually a network device supporting the 802.1x protocol that provides the ports through which supplicant systems access the LAN; the ports can be physical or logical. The authentication server system is the entity that provides the authentication service for authenticator systems.
52.1.2 The Work Mechanism of 802.1x The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to exchange authentication information between the supplicant system, the authenticator system and the authentication server system. Figure 52-2 The Work Mechanism of 802.1x In a LAN environment, EAP messages use EAPOL encapsulation between the PAE of the supplicant system and the PAE of the authenticator system.
PAE Ethernet Type: the protocol type; its value is 0x888E. Protocol Version: the version of the protocol supported by the sender of the EAPOL frame. Type: the type of the EAPOL frame, including: EAP-Packet (value 0x00): the authentication information frame, used to carry EAP messages. This kind of frame passes through the authenticator system to transport EAP messages between the supplicant system and the authentication server system.
Identifier: used to match Request and Response messages. Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields. Data: the content of the EAP packet, which depends on the Code. 52.1.4 The Encapsulation of EAP Attributes RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Refer to the introduction to the RADIUS protocol in "AAA-RADIUS-HWTACACS operation" for the format of RADIUS messages. 1.
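The field layout just described is enough to write a parser, and doing so shows where an authenticator has to be careful: both the EAPOL Length and the inner EAP Length are attacker-controlled and must be checked against the bytes actually received before anything is indexed. The Python below is an added example, not code from this guide or from PLANET; the sample frames are constructed (not captures), the EAP type numbers are the IANA assignments, and the MD5-Challenge layout (Value-Size, Value, Name) follows RFC 3748.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def parse_eap(pkt):
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) Data(Length-4)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    eap = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": length}
    data = pkt[4:length]
    if code in (1, 2):  # Request/Response carry a Type byte, then type-specific data
        if not data:
            raise ValueError("EAP Request/Response without Type byte")
        eap["type"] = EAP_TYPES.get(data[0], data[0])
        if data[0] == 4:  # MD5-Challenge: Value-Size(1) Value(n) Name(rest)
            if len(data) < 2 or 2 + data[1] > len(data):
                raise ValueError("MD5-Challenge Value-Size exceeds packet")
            vsize = data[1]
            eap["challenge"] = data[2:2 + vsize]
            eap["name"] = data[2 + vsize:].decode("ascii", errors="replace")
        else:
            eap["type_data"] = data[1:]
    return eap


def parse_eapol_frame(frame):
    """Parse an Ethernet frame carrying EAPOL: dst(6) src(6) EtherType(2), then
    Protocol Version(1) Type(1) Length(2) Body(Length)."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length field exceeds frame size")
    parsed = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
              "version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        parsed["eap"] = parse_eap(body)
    return parsed


def is_well_formed(frame):
    """True if the frame parses without a length or format error."""
    try:
        parse_eapol_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames: PAE group address 01:80:c2:00:00:03 as destination.
ETH_HDR = bytes.fromhex("0180c2000003" "001122334455" "888e")
REQ_IDENTITY = ETH_HDR + bytes.fromhex("01 00 0005" "01 01 0005 01")
MD5_CHALLENGE = ETH_HDR + bytes.fromhex("01 00 0018" "01 02 0018 04 10") + bytes(range(16)) + b"sw"
BAD_LENGTH = ETH_HDR + bytes.fromhex("01 00 0030" "01 01 0005 01")  # claims a 48-byte body

if __name__ == "__main__":
    print(parse_eapol_frame(REQ_IDENTITY))
    print(parse_eapol_frame(MD5_CHALLENGE)["eap"])
    print(is_well_formed(BAD_LENGTH))
```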
the remote RADIUS server. The two authentication methods are described below; both are started by the supplicant system. 52.1.5.1 EAP Relay Mode EAP relay is specified in the IEEE 802.1x standard: EAP is carried inside other higher-layer protocols, such as EAP over RADIUS, so that the extensible authentication protocol messages can reach the authentication server across complex networks.
1. EAP-MD5 Authentication Method EAP-MD5 is an IETF open standard that provides the least security: the challenge and the MD5 response travel in the clear, so an eavesdropper who captures them can mount an offline dictionary attack on the user's password. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method. Figure 52-9 The Authentication Flow of 802.1x EAP-MD5 2. EAP-TLS Authentication Method EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols.
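To make the EAP-MD5 weakness concrete, this added Python example (not code from this guide or from PLANET) computes the Response value the way the method defines it, MD5 over the Request's Identifier, the password and the challenge, and then shows that anyone holding the captured Identifier, challenge and response can test password guesses offline without touching the network again. The identifier, challenge, password and word list are constructed for the example.

```python
import hashlib


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 Response value (RFC 3748 section 5.4, identical to CHAP in RFC 1994):
    MD5(Identifier || password || challenge). identifier is the 1-byte EAP
    Identifier of the Request; password and challenge are bytes."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_response(identifier, password, challenge, response):
    """What the authentication server does: recompute from the stored password
    and compare with the value the supplicant sent."""
    return eap_md5_response(identifier, password, challenge) == response


def recover_password(identifier, challenge, response, wordlist):
    """What an eavesdropper does with the captured (Identifier, challenge,
    response) triple: try each candidate offline. The authenticator sees no
    failed logins while this runs. Returns the matching password, or None."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate.encode(), challenge) == response:
            return candidate
    return None


# Constructed example values (not from a real capture): the Request carried
# Identifier 2 and this 16-byte challenge; the user's password is "planet2017".
CAPTURED_ID = 2
CAPTURED_CHALLENGE = bytes(range(16))
CAPTURED_RESPONSE = eap_md5_response(CAPTURED_ID, b"planet2017", CAPTURED_CHALLENGE)
WORDLIST = ["password", "123456", "planet", "admin", "planet2017", "Planet2017!"]

if __name__ == "__main__":
    print(CAPTURED_RESPONSE.hex())
    print(recover_password(CAPTURED_ID, CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST))
```

The guessing rate is bounded only by MD5 throughput on the attacker's hardware, which is why the TLS-based methods described next either remove the password exchange entirely (EAP-TLS) or hide it inside a server-authenticated tunnel (EAP-TTLS, PEAP) so that no challenge/response pair is visible on the wire.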
Figure 52-10 The Authentication Flow of 802.1x EAP-TLS 3. EAP-TTLS Authentication Method EAP-TTLS is the product of cooperation between Funk Software and Certicom. It can provide authentication as strong as EAP-TLS without requiring users to have their own digital certificates; the only requirement is that the RADIUS server have a digital certificate.
The following figure illustrates the basic operation flow of the PEAP authentication method. Figure 52-11 The Authentication Flow of 802.1x PEAP 52.1.5.2 EAP Termination Mode In this mode, EAP messages are terminated at the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting. The basic operation flow is illustrated in the next figure.
Figure 52-12 The Authentication Flow of 802.1x EAP Termination Mode 52.1.6 The Extension and Optimization of 802.1x Besides supporting the port-based access authentication method specified by the protocol, the devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
resources, which means that all users of the port can access the limited resources before being authenticated. User-based advanced control restricts that access so that only particular users of the port can reach the limited resources before being authenticated. Once those users pass authentication, they can access all resources. Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP spoofing.
the port into the Guest VLAN if no supplicant has been authenticated successfully within a certain period of time, because the exclusive authentication supplicant system is missing or its version is too old. Once the 802.
Command (port mode): dot1x port-control {auto|force-authorized|force-unauthorized} / no dot1x port-control. Sets the 802.1x authentication mode; the no command restores the default setting. 2) Configure the port access management method. Command (port mode): dot1x port-method {macbased | portbased | webbased | userbased advanced}. Sets the port access management method; the no form of the command restores MAC-based access management.
dot1x eapor enable / no dot1x eapor enable: enables the EAP relay authentication function on the switch; the no command selects EAP local (termination) authentication. 3. Supplicant related property configuration. Command (global mode): dot1x max-req / no dot1x max-req. Sets the number of EAP Request/MD5 frames to be sent before the switch re-initiates authentication when the supplicant does not respond; the no command restores the default setting.
52.3 802.1x Application Example 52.3.1 Examples of Guest VLAN Applications [Figure 52-13 The Network Topology of Guest VLAN: SWITCH with ports E2, E3 and E6; Update server, Authenticator server, Internet and User; VLAN2, VLAN5, VLAN10 and VLAN100] Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6. As shown in the figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server.
As illustrated in the figure above, 802.1x is enabled on switch port Ethernet1/0/2, and VLAN10 is set as the port's Guest VLAN. Before the user is authenticated, or when the user fails authentication, port Ethernet1/0/2 is added to VLAN10, allowing the user to access the Update Server.
# Set the link type of the port to access mode.
Switch(Config-If-Ethernet1/0/2)#switchport mode access
# Set the access control method on the port to portbased.
Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased
# Set the access control mode on the port to auto.
Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
# Set the port's Guest VLAN as 100.
software is installed on the PC and is used for IEEE 802.1x authentication.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.
The detailed configurations are listed as below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#dot1x enable
Switch(Confi
Chapter 53 The Number Limitation Function of Port, MAC in VLAN and IP Configuration 53.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP The MAC address table records the mapping between destination MAC addresses and switch ports. There are two kinds of MAC addresses in the table: static MAC addresses and dynamic MAC addresses.
through configuration commands. Limiting the number of dynamic MAC and IP entries on ports: 1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses the switch has dynamically learned on the port is already larger than or equal to the configured maximum, MAC learning is shut down on that port; otherwise the port continues learning. 2. Limiting the number of dynamic IP entries.
2. Enable the number limitation function of MAC and IP in a VLAN. Command (VLAN configuration mode): vlan mac-address dynamic maximum / no vlan mac-address dynamic maximum. Enables and disables the limitation on the number of MAC addresses in the VLAN. Command (interface configuration mode): ip arp dynamic maximum / no ip arp dynamic maximum. Enables and disables the limitation on the number of ARP entries in the VLAN.
show nd-dynamic count {vlan | interface ethernet }: displays the number of NEIGHBOUR entries on the corresponding ports and VLAN. debug switchport mac count / no debug switchport mac count: all debug information for limiting the number of MAC addresses on ports. debug switchport arp count / no debug switchport arp count: all debug information for limiting the number of ARP entries on ports.
SWITCH B can learn the MAC, ARP and ND entries of all the PCs, so limiting the MAC and ARP entries can mitigate DoS attacks to a certain extent. When malicious users perform MAC or ARP spoofing frequently, they can easily fill the switch's MAC and ARP tables, resulting in a successful DoS attack. Limiting the MAC, ARP and ND entries can prevent such DoS attacks. On port 1/0/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learned to 20, dynamic ARP entries to 20 and NEIGHBOR entries to 10.
Chapter 50 Security Feature Configuration Chapter 54 Operational Configuration of AM Function 54.1 Introduction to AM Function AM (Access Management) means that when the switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP pair) with the configured hardware address pool.
am port / no am port: enables/disables the AM function on the port. When the AM function is enabled on a port, no IP or ARP message is forwarded by default. 3. Configure the forwarding IP. Command (port mode): am ip-pool / no am ip-pool. Configures the forwarding IP addresses of the port. 4.
54.3 AM Function Example [Figure 54-1 A typical configuration example of the AM function: Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PC1 to PC30] In the topology above, 30 PCs are aggregated by HU
B1 and connected to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security reasons, the system manager will only treat users with an IP address within that range as legal.
Chapter 51 TACACS+ Configuration Chapter 55 TACACS+ Configuration 55.1 Introduction to TACACS+ TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
3. Configure the TACACS+ authentication timeout. Command (global mode): tacacs-server timeout / no tacacs-server timeout. Configures the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration. 4.
Switch(config)#authentication line vty login tacacs
55.4 TACACS+ Troubleshooting When configuring and using TACACS+, authentication may fail for reasons such as physical connection failure or wrong configuration. The user should ensure the following: First, the physical connection to the TACACS+ server is in good condition. Second, all interfaces and link protocols are in the UP state (use the "show interface" command).
Chapter 56 RADIUS Configuration 56.1 Introduction to RADIUS 56.1.1 AAA and RADIUS Introduction AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through its three functions, the framework meets the access control needs of a secure network: who may access the network device, what access level the user may have, and accounting for the network resources used.
Identifier field (1 octet): matches requests with their replies. Length field (2 octets): the length of the whole RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes. Authenticator field (16 octets): used to validate packets received from the RADIUS server, and also used in hiding passwords. It takes two forms: the Request Authenticator and the Response Authenticator. Attributes field: carries the detailed AAA information.
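The two Authenticator forms are where the shared secret does its work, and the checks they allow are the ones a NAS and a server actually rely on: the Message-Authenticator attribute (which the 802.1x chapter lists alongside EAP-Message) proves an Access-Request was not altered in transit, and the Response Authenticator proves a reply came from a server holding the secret and answers this particular request. The Python below is an added example, not code from this guide or from PLANET; it builds and verifies both values from the field layout above, using the RFC 2865 and RFC 3579 definitions. The shared secret reuses the "test" key from the configuration example, the Request Authenticator is fixed so the run is reproducible (in real use it is random), and the EAP payload and user name are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def attribute(attr_type, value):
    """Type(1) Length(1) Value: Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long (max 253 bytes)")
    return bytes([attr_type, len(value) + 2]) + value


def iter_attributes(blob):
    """Yield (offset, type, value) with strict length checks (RFC 2865 section 5)."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("bad attribute length")
        yield i, t, blob[i + 2:i + l]
        i += l


def build_access_request(identifier, secret, attrs, request_auth=None):
    """Access-Request with a random Request Authenticator and a
    Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 keyed with the shared
    secret over the whole packet, computed with the attribute's 16 value bytes
    zeroed. Required whenever EAP-Message is present."""
    if request_auth is None:
        request_auth = os.urandom(16)
    body = b"".join(attrs) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check of an incoming request: False if the attribute is
    missing or malformed, or the HMAC does not match under this secret."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet) or length < 20:
        return False
    try:
        for off, t, value in iter_attributes(packet[20:]):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:20 + off + 2] + bytes(16) + packet[20 + off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """NAS-side check that a reply came from a server holding the secret and
    answers the request whose Request Authenticator we remembered."""
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or length < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed exchange: the page's example key, a fixed Request Authenticator,
# and an EAP Response/Identity (Code 2, Id 1, Length 10, Type 1, "user1").
SECRET = b"test"
REQ_AUTH = bytes(range(16))
EAP_IDENTITY = bytes.fromhex("02 01 000a 01") + b"user1"
REQUEST = build_access_request(7, SECRET, [attribute(ATTR_USER_NAME, b"user1"),
                                           attribute(ATTR_EAP_MESSAGE, EAP_IDENTITY)], REQ_AUTH)

if __name__ == "__main__":
    print(REQUEST.hex())
    print(verify_message_authenticator(REQUEST, SECRET))
    print(verify_response(build_response(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET), REQ_AUTH, SECRET))
```

Both checks are only as strong as the shared secret, which is also the key for hiding passwords; a short guessable secret such as the example's "test" lets an attacker who captures one exchange recover it offline, so production deployments should use a long random secret per server.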
56.2 RADIUS Configuration Task List 1. Enable the authentication and accounting function. 2. Configure the RADIUS authentication key. 3. Configure the RADIUS server. 4. Configure the parameters of the RADIUS service. 5. Configure the IP address of the RADIUS NAS. 1. Enable the authentication and accounting function. Command (global mode): aaa enable / no aaa enable. Enables the AAA authentication function; the no form of this command disables it.
radius-server accounting host { | } [port ] [key ] [primary] / no radius-server accounting host { | }: specifies the IPv4/IPv6 address and port number of the RADIUS accounting server and whether it is the primary server; the no command deletes the RADIUS accounting server. 4.
56.3 RADIUS Typical Examples 56.3.1 IPv4 RADIUS Example [Figure 56-2 The Topology of IEEE802.1x configuration: computer 10.1.1.1, switch 10.1.1.2, RADIUS server 10.1.1.3] A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a RADIUS authentication server through Ethernet1/0/2. The IP address of the server is 10.1.1.3; the authentication port defaults to 1812 and the accounting port defaults to 1813.
56.3.2 IPv6 RADIUS Example
Figure 56-3 The Topology of IPv6 Radius configuration (addresses shown: 2004:1:2:3::2, 2004:1:2:3::1, Radius Server 2004:1:2:3::3)
A computer connects to a switch whose IP address is 2004:1:2:3::2; the switch is connected through Ethernet1/2 to a RADIUS authentication server whose IP address is 2004:1:2:3::3. The authentication port defaults to 1812 and the accounting port to 1813.
Chapter 57 SSL Configuration
57.1 Introduction to SSL
As computer networking technology spreads, network security has an ever greater impact on the availability and usability of networked applications, and has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its web browser. Up till now, SSL 2.0 and 3.
First, SSL must be enabled on the switch. When a client accesses the switch over HTTPS, an SSL session is set up between the switch and the client; once it is established, all application-layer data is encrypted. The SSL handshake is performed while the session is being set up, and the switch must be able to provide its certificate and keys.
2. Configure/delete the port number used by SSL
Command: ip http secure-port / no ip http secure-port (Global Mode)
Explanation: Configures the port number used by SSL; the no form deletes the port number.
3. Configure/delete the secure cipher suite used by SSL
Command: ip http secure-ciphersuite {des-cbc3-sha | rc4-128-sha | des-cbc-sha} / no ip http secure-ciphersuite (Global Mode)
Explanation: Configures/deletes the secure cipher suite used by SSL.
4.
Figure: the PC users' web browser reaches the switch web server over an https SSL session; data acquisition by malicious users fails.
Configuration on the switch:
Switch(config)# ip http secure-server
Switch(config)# ip http secure-port 1025
Switch(config)# ip http secure-ciphersuite rc4-128-sha
57.4 SSL Troubleshooting
When configuring and using SSL, the SSL function may fail for reasons such as physical connection failure or wrong configuration.
Chapter 58 IPv6 Security RA Configuration
58.1 Introduction to IPv6 Security RA
In IPv6 networks, the topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers advertise RAs carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA they create their link address and set the router that sent the RA as their default router in order to communicate on the IPv6 network.
Command: debug ipv6 security-ra / no debug ipv6 security-ra
Explanation: Enables the debug output of the IPv6 security RA module; the no form of this command disables the debug output of IPv6 security RA.
Command: show ipv6 security-ra [interface ]
Explanation: Displays the distrust ports and whether security RA is enabled globally.
58.
Chapter 59 VLAN-ACL Configuration
59.1 Introduction to VLAN-ACL
The user can apply an ACL policy to a VLAN to implement access control for all ports in the VLAN, which lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN without configuring each member port separately.
2. Configure VLAN-ACL of MAC type
Command: vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD (Global mode)
Explanation: Configure or delete a MAC VLAN-ACL.
3. Configure VLAN-ACL of MAC-IP type
Command: vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD (Global mode)
Explanation: Configure or delete a MAC-IP VLAN-ACL.
59.3 VLAN-ACL Configuration Example
A company's network is configured as follows: departments are separated into different VLANs, the technical department in Vlan1 and the finance department in Vlan2. The technical department may access the outside network only at certain times (controlled by a time range), while for security the finance department may never access the outside network. The following policies are therefore configured: set the policy VACL_A for the technical department.
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended ACL vacl_b for IP; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.
Chapter 60 MAB Configuration
60.1 Introduction to MAB
Real networks contain devices on which an authentication client cannot be installed, such as printers and PDAs, so they cannot perform 802.1x authentication. To access network resources they use MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
Command: mac-authentication-bypass enable / no mac-authentication-bypass enable
Explanation: Enable/disable the port MAB authentication function.
2. Configure MAB authentication username and password
Command: mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}} (Global Mode)
Explanation: Set the authentication mode of the MAB authentication function.
3.
Command: mac-authentication-bypass timeout linkup-period <0-30> / no mac-authentication-bypass timeout linkup-period
Explanation: Set the link down/up interval used when a MAB binding is changing into a VLAN, so that the host obtains an IP address again.
Command: mac-authentication-bypass spoofing-garp-check enable / no mac-authentication-bypass spoofing-garp-check enable
Explanation: Enable the MAB spoofing-garp-check function; the no command disables the function.
Switch1 is a layer 2 access switch and Switch2 is a layer 3 aggregation switch. Ethernet 1/0/1 is an access port of Switch1 connected to PC1; it enables the port-based 802.1x function and configures vlan8 as the guest VLAN. Ethernet 1/0/2 is a hybrid port connected to PC2; its native VLAN is vlan1, its guest VLAN is vlan8, it joins vlan1, vlan8 and vlan10 untagged, and it enables the MAB function. Ethernet 1/0/3 is an access port connected to the printer and enables the MAB function.
Switch(config-if-ethernet1/0/2)# switchport hybrid native vlan 1
Switch(config-if-ethernet1/0/2)# switchport hybrid allowed vlan 1;8;10 untag
Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable
Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable guest-vlan 8
Switch(config-if-ethernet1/0/2)#exit
Switch(config)#interface ethernet 1/0/3
Switch(config-if-ethernet1/0/3)# switchport mode access
Switch(config-if-ethernet1/0/3)# mac-authentication-bypass enable
Switch(config-if-ethernet1
Chapter 61 PPPoE Intermediate Agent Configuration
61.1 Introduction to PPPoE Intermediate Agent
61.1.1 Brief Introduction to PPPoE
PPPoE (Point to Point Protocol over Ethernet) is a protocol that carries the PPP protocol over Ethernet. PPP is a link-layer protocol providing point-to-point communication; it is usually used on host dial-up links, for example line dial-up.
PADO packets match the service information needed by the client). Once a server is selected, the MAC address of the peer used for the session is known, and the client sends a PADR (PPPoE Active Discovery Request) packet to it to announce the session requirement to the server. 4.
PPPoE data: Version | Type | Code | Session ID | Length | TLV1 ...... TLV N
TLV frame: Type | Length | Data
Each field means the following: Type field (2 bytes) of the Ethernet II frame: the protocol sets the type field of PPPoE discovery-stage packets (the 5 kinds of packets used only in the discovery stage) to 0x8863, and that of session-stage packets to 0x8864. PPPoE version field (4 bits): specifies the current PPPoE protocol version; the current version must be set to 0x1.
61.1.2.3 PPPoE Intermediate Agent Vendor Tag Frame
The following is the format of the tag added by the PPPoE IA; adding this tag is the primary function of the PPPoE IA.
client as untrust ports. A trust port can receive all packets, while an untrust port can receive only the PADI, PADR and PADT packets sent towards the server. To ensure correct client operation, the port connected to the server must be set as a trust port; each access device has at least one trust port. A PPPoE IA vendor tag must not be present in PPPoE packets sent by the server to the client, so the switch can strip such vendor tags if they are present and forward the packets.
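As an added example (not code from the PLANET guide), the following Python parses PPPoE discovery frames with the header and TLV layout of 61.1.2 and applies the trust/untrust port rules above: it adds a vendor tag on the client-facing port and strips it on the server-facing port. The Vendor-Specific tag layout (tag type 0x0105, Broadband Forum vendor id 0x00000DE9, sub-options 1 and 2 for circuit-id and remote-id) is the RFC 4679 form assumed here; the MAC addresses, circuit-id and remote-id are constructed.

```python
"""Constructed PPPoE IA port logic: parse Ethernet/PPPoE header and tags,
then apply the trust/untrust rules to discovery frames."""
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
CLIENT_CODES = {PADI, PADR, PADT}        # the only discovery codes an untrust port may accept
TAG_SERVICE_NAME, TAG_VENDOR = 0x0101, 0x0105
BBF_VENDOR_ID = 0x00000DE9               # Broadband Forum id used for circuit-id/remote-id (assumed)
ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
PPPOE_HDR = struct.Struct("!BBHH")       # version/type nibbles, code, session id, payload length


def parse_tags(payload: bytes) -> list:
    """Walk the TLV list: Type (2), Length (2), Data; reject truncated tags."""
    tags, pos = [], 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack_from("!HH", payload, pos)
        if pos + 4 + tlen > len(payload):
            raise ValueError("tag length exceeds payload")
        tags.append((ttype, payload[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
    return tags


def parse_frame(frame: bytes) -> dict:
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype not in (ETH_DISCOVERY, ETH_SESSION):
        raise ValueError("not a PPPoE frame")
    vt, code, session, length = PPPOE_HDR.unpack_from(frame, ETH_HDR.size)
    if vt != 0x11:                       # version 1, type 1 is the only defined combination
        raise ValueError("bad PPPoE version/type")
    start = ETH_HDR.size + PPPOE_HDR.size
    if start + length > len(frame):
        raise ValueError("PPPoE length exceeds frame")
    payload = frame[start:start + length]
    return {"dst": dst, "src": src, "etype": etype, "code": code, "session": session,
            "tags": parse_tags(payload) if etype == ETH_DISCOVERY else []}


def build_frame(dst: bytes, src: bytes, code: int, tags: list, session: int = 0) -> bytes:
    """Serialize a discovery frame (EtherType 0x8863) from a tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (ETH_HDR.pack(dst, src, ETH_DISCOVERY)
            + PPPOE_HDR.pack(0x11, code, session, len(payload)) + payload)


def vendor_tag(circuit_id: bytes, remote_id: bytes) -> tuple:
    """Vendor-Specific tag: 4-byte vendor id, then sub-options 0x01 (circuit id)
    and 0x02 (remote id), each as sub-type (1), length (1), value."""
    subs = bytes([0x01, len(circuit_id)]) + circuit_id + bytes([0x02, len(remote_id)]) + remote_id
    return (TAG_VENDOR, struct.pack("!I", BBF_VENDOR_ID) + subs)


def ia_process(frame: bytes, port_trusted: bool, circuit_id: bytes, remote_id: bytes,
               strip_vendor_tag: bool = True):
    """Apply the port rules: returns ("drop", None) or ("forward", frame).
    Session-stage frames (0x8864) carry no tags and pass unchanged; the IA acts
    only on discovery frames (assumption made for this example)."""
    p = parse_frame(frame)
    if p["etype"] == ETH_SESSION:
        return "forward", frame
    if not port_trusted:
        if p["code"] not in CLIENT_CODES:
            return "drop", None          # server-side codes never arrive legitimately on a client port
        # client-facing port: attach our own tag; any client-supplied one is replaced
        tags = [t for t in p["tags"] if t[0] != TAG_VENDOR] + [vendor_tag(circuit_id, remote_id)]
    else:
        # server-facing port: vendor tags must not reach the client
        tags = [t for t in p["tags"] if not (strip_vendor_tag and t[0] == TAG_VENDOR)]
    return "forward", build_frame(p["dst"], p["src"], p["code"], tags, p["session"])
```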
61.3 PPPoE Intermediate Agent Typical Application
The typical PPPoE Intermediate Agent application is as follows:
Figure 61-4 PPPoE IA typical application
Both the host and the BAS server run the PPPoE protocol and are connected by a layer 2 Ethernet; the switch enables the PPPoE Intermediate Agent function. Typical configuration (1):
Step1: The switch enables the global PPPoE IA function; its MAC is 0a0b0c0d0e0f.
Typical configuration (2):
Step1: The switch enables the global PPPoE IA function; its MAC is 0a0b0c0d0e0f.
Switch(config)#pppoe intermediate-agent
Step2: Configure port ethernet1/0/1, which connects to the server, as a trust port, and configure the vendor tag strip function.
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
Step3: Port ethernet1/0/2 in vlan1 and port ethernet1/0/3 in vlan 1234 enable the port PPPoE IA function.
Chapter 62 SAVI Configuration
62.1 Introduction to SAVI
SAVI (Source Address Validation Improvement) is a security authentication method that validates source addresses at the granularity of the individual node. It obtains trusted node information (such as port and MAC address), called anchor information, by monitoring the exchange of the relevant protocol packets (such as ND and DHCPv6) using the CPS (Control Packet Snooping) mechanism.
1. Enable or disable SAVI function
Command: savi enable / no savi enable (Global Mode)
Explanation: Enable the global SAVI function; the no command disables the function.
2. Enable or disable the application scene function for SAVI
Command: savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable / no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable (Global Mode)
Explanation: Enable the application scene function for SAVI; the no command disables the function.
3.
Command: savi max-dad-prepare-delay / no savi max-dad-prepare-delay
Explanation: Configure the max redetection lifetime period for a SAVI binding; the no command restores the default value.
6. Configure the global max-slaac-life for SAVI
Command: savi max-slaac-life / no savi max-slaac-life (Global Mode)
Explanation: Configure the lifetime period of a dynamic SLAAC binding in the BOUND state; the no command restores the default value.
7.
Command: savi ipv6 mac-binding-limit / no savi ipv6 mac-binding-limit
Explanation: Configure the number of dynamic bindings allowed for the same MAC address; the no command restores the default value. Note: the binding number only limits dynamic bindings, not the number of static bindings.
11.
15. Configure the binding number
Command: savi ipv6 binding num / no savi ipv6 binding num (Port mode)
Explanation: Configure the binding number of a port; the no command restores the default value. Note: the binding number only limits dynamic bindings, not the number of static bindings.
62.3 SAVI Typical Application
In practice, the SAVI function is usually applied on access-layer switches to check the validity of the source addresses of directly connected nodes.
Figure (topology): Switch3 at the top; Switch1 uplinked via Ethernet1/0/1 and Switch2 via Ethernet1/0/2; Client_1 on Ethernet1/0/12 of Switch1 and Client_2 on Ethernet1/0/13 of Switch2.
Client_1 and Client_2 are two different users' PCs running IPv6, connected to port Ethernet1/0/12 of Switch1 and port Ethernet1/0/13 of Switch2 respectively, on which the SAVI source address check function is enabled. Ethernet1/0/1 and Ethernet1/0/2 are the uplink ports of Switch1 and Switch2 respectively, on which the DHCP trust and ND trust functions are enabled.
Switch1(config-if-port-range)#savi ipv6 binding num 4
Switch1(config-if-port-range)#exit
Switch1(config)#exit
Switch1#write
62.4 SAVI Troubleshooting
After making sure there is no problem with the SAVI client hardware and cabling, check the following possible conditions and their suggested solutions: if IPv6 packets are filtered incorrectly after enabling the SAVI function, make sure the global SAVI function is enabled.
Chapter 63 Web Portal Configuration
63.1 Introduction to Web Portal Authentication
802.1x authentication uses a dedicated client for authentication, a dedicated layer 2 switch as the access device, a RADIUS server as the authentication server, and the EAP protocol as the format of the authentication messages.
2. Enable/disable web portal authentication of the port
Command: webportal enable / no webportal enable (Port Mode)
Explanation: Enable/disable web portal authentication of the port.
3. Configure the max web portal binding number allowed by the port
Command: webportal binding-limit <1-256> / no webportal binding-limit (Port Mode)
Explanation: Configure the max web portal binding number allowed by the port.
4.
Command: clear webportal binding {mac WORD | interface |}
Explanation: Delete the binding information of web portal authentication.
63.3 Web Portal Authentication Typical Example
Figure (topology): Internet; RADIUS server and Portal server (192.168.40.100, 192.168.40.99); DHCP server; DNS server; Switch1 192.168.40.
The configuration of common web portal authentication is as follows:
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
Switch(config)#webportal enable
Switch(config)#webportal nas-ip 192.168.40.50
Switch(config)#webportal redirect 192.168.40.
Chapter 64 VRRP Configuration
64.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LANs) with multicast/broadcast capability (Ethernet, for example) and is widely used.
64.2 VRRP Configuration Task List
Configuration Task List:
1. Create/Remove the Virtual Router (required)
2. Configure VRRP dummy IP and interface (required)
3. Activate/Deactivate Virtual Router (required)
4. Configure VRRP sub-parameters (optional)
(1) Configure the preemptive mode for VRRP
(2) Configure VRRP priority
(3) Configure VRRP Timer intervals
(4) Configure VRRP interface monitor
1.
(2) Configure VRRP priority
Command: priority (VRRP protocol configuration mode)
Explanation: Configures VRRP priority.
(3) Configure VRRP Timer intervals
Command: advertisement-interval (VRRP protocol configuration mode)
SwitchA(Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchA(Config-Router-Vrrp)# interface vlan 1
SwitchA(Config-Router-Vrrp)# enable
Configuration of SwitchB:
SwitchB(config)#interface vlan 1
SwitchB(Config-if-Vlan1)# ip address 10.1.1.7 255.255.255.0
SwitchB(config)#router vrrp 1
SwitchB(Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchB(Config-Router-Vrrp)# interface vlan 1
SwitchB(Config-Router-Vrrp)# enable
64.
Chapter 65 IPv6 VRRPv3 Configuration
65.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6, designed on the basis of VRRP (VRRPv2) for the IPv4 environment. The following is a brief introduction. In a network based on the TCP/IP protocol, routers must be designated to guarantee communication between devices that are not physically connected.
protocols. Compared with NDP, VRRP provides fast default gateway switchover: in VRRP a backup router can take over from an unavailable master router in about 3 seconds (default parameters), and this process needs no interaction with hosts, so it is transparent to them. 65.1.
65.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2 and is mainly implemented through the exchange of VRRP advertisement messages. Briefly: each VRRP router has a unique ID, the VRID, ranging from 1 to 255. Externally this router has a unique virtual MAC address of the form 00-00-5E-00-02-{VRID} (in VRRPv2 the virtual MAC address has the form 00-00-5E-00-01-{VRID}).
65.2 VRRPv3 Configuration
65.2.1 Configuration Task Sequence
1. Create/delete the virtual router (necessary)
2. Configure the virtual IPv6 address and interface of VRRPv3 (necessary)
3. Enable/disable the virtual router (necessary)
4. Configure VRRPv3 assistant parameters (optional)
(1) Configure VRRPv3 preempt mode
(2) Configure VRRPv3 priority
(3) Configure the VRRPv3 advertisement interval
(4) Configure the monitor interface of VRRPv3
1.
(2) Configure VRRPv3 priority
Command: priority <priority> (VRRPv3 Protocol Mode)
Explanation: Configure VRRPv3 priority.
(3) Configure the VRRPv3 advertisement interval
Command: advertisement-interval (VRRPv3 Protocol Mode)
IPv6_A and IPv6_B are in the same segment), the virtual IPv6 addresses of backup group 1 and backup group 2 are "V_IPv6_C" and "V_IPv6_D" respectively, and the hosts' default IPv6 gateway addresses are configured as "V_IPv6_C" and "V_IPv6_D" respectively (in reality the IPv6 gateway address of a host is usually learnt automatically via router advertisements, so the IPv6 next hop of the hosts has some randomness). This implements not only router backup but also flow sharing in the LAN.
Chapter 66 MRPP Configuration
66.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link-layer protocol for Ethernet ring protection. It avoids the broadcast storm that a data loop would cause on an Ethernet ring, and restores communication among all nodes of the ring network when a link on the ring breaks. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
3. Nodes
Each switch on the Ethernet ring is a node. There are several node types. Primary node: each ring has one primary node, the main node that detects faults and protects the ring. Transfer node: all nodes other than the primary node are transfer nodes on each ring. The node role is determined by user configuration. As shown above, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4.
66.1.3 MRPP Protocol Operation System
1. Link Down Alarm System
When a transfer node finds that one of its MRPP ring ports is Down, it immediately sends a Link Down packet to the primary node. On receiving the Link Down packet, the primary node immediately releases the blocked state of its secondary port and sends a LINK-DOWN-FLUSH-FDB packet to inform all transfer nodes to refresh their MAC address forwarding tables.
2.
2) Configure MRPP ring
Command: mrpp ring / no mrpp ring (Global Mode)
Explanation: Create an MRPP ring. The "no" command deletes the MRPP ring and its configuration.
Command: control-vlan / no control-vlan (MRPP ring mode)
Explanation: Configure the control VLAN ID; the "no" form deletes the configured control VLAN ID.
Command: node-mode {master | transit}; hello-timer <timer> / no hello-timer (MRPP ring mode)
Explanation: Configure the node type of the MRPP ring (primary node or secondary node).
Command: clear mrpp statistics {}
Explanation: Clear the received data packet statistics of the MRPP ring.
66.3 MRPP Typical Scenario
Figure 66-2 MRPP typical configuration scenario (SWITCH A is the Master Node; SWITCH A, SWITCH B, SWITCH C and SWITCH D form MRPP Ring 4000 over ports E1, E2, E11 and E12)
The above topology is common when using the MRPP protocol. Several switches constitute a single MRPP ring: all of them are configured with only MRPP ring 4000, which forms a single MRPP ring.
Switch(Config)#
SWITCH B configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
SWITCH C configuration Task
66.4 MRPP Troubleshooting
Normal operation of the MRPP protocol depends on the correct configuration of every switch on the MRPP ring; otherwise a loop and a broadcast storm are very likely to form. When configuring an MRPP ring, it is best to disconnect the ring, wait until every switch is configured, and then close the ring. When disabling the MRPP ring on a switch where it is enabled, make sure the ring has first been disconnected.
Chapter 67 ULPP Configuration
67.1 Introduction to ULPP
Each ULPP group has two uplink ports, a master port and a slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the forwarding state and the other is blocked in the Standby state. When the master port has a link problem it enters the Down state and the slave port is switched to the forwarding state.
method of MSTP instances, and ULPP does not protect other VLANs. When the uplink switchover happens, the device's previous forwarding entries do not apply to the new network topology. In the figure, SwitchA is configured with ULPP and portA1 is the master port in the forwarding state, so the MAC address of the PC is learned by Switch D from portD3. Afterwards portA1 fails and the traffic is switched to portA2 for forwarding.
1. Create ULPP group globally
Command: ulpp group / no ulpp group (Global mode)
Explanation: Configure and delete a ULPP group globally.
2. Configure ULPP group
Command: preemption mode / no preemption mode (ULPP group configuration mode)
Explanation: Configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
Command: preemption delay / no preemption delay (ULPP group configuration mode)
Explanation: Configure the preemption delay; the no operation restores the default value of 30s.
Command: ulpp group master / no ulpp group master
Explanation: Configure or delete the master port of the ULPP group.
Command: ulpp group slave / no ulpp group slave
Explanation: Configure or delete the slave port of the ULPP group.
3. Show and debug the relevant information of ULPP
Command: show ulpp group [group-id] (Admin mode)
Explanation: Show the configuration information of the configured ULPP group.
67.3 ULPP Typical Examples
67.3.1 ULPP Typical Example1
Figure 67-3 ULPP typical example1 (SwitchA, SwitchB, SwitchC, SwitchD; ports E1/1 and E1/2)
The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled this topology forms a ring. To avoid the loop, SwitchA can be configured with the ULPP protocol, with the master port and the slave port of a ULPP group.
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp flush e
ULPP can implement VLAN-based load balancing. As the figure illustrates, SwitchA configures two ULPP groups: port E1/0/1 is the master port and port E1/0/2 the slave port in group1, while port E1/0/2 is the master port and port E1/0/1 the slave port in group2. The VLANs protected by group1 are 1-100 and by group2 101-200. Here both port E1/0/1 and port E1/0/2 are in the forwarding state; the master port and the slave port back each other up and forward the packets of different VLAN ranges respectively.
Switch(config-If-Ethernet1/0/2)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/2)# ulpp flush enable arp
67.4 ULPP Troubleshooting
At present, configuring more than 2 multi-uplinks is allowed, but it may cause a loop, so it is not recommended.
Chapter 68 ULSM Configuration
68.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the monitored port of the ULSM group.
68.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the relevant information of ULSM
1. Create ULSM group globally
Command: ulsm group / no ulsm group (Global mode)
Explanation: Configure and delete a ULSM group globally.
2.
68.3 ULSM Typical Example
Figure 68-2 ULSM typical example (SwitchA, SwitchB, SwitchC, SwitchD; ports E1/0/1, E1/0/2, E1/0/3, E1/0/4)
The above topology is the typical application environment for the ULSM and ULPP protocols together. ULSM synchronizes port states; running on its own it is of little use, so it is usually used in association with the ULPP protocol. In the topology, SwitchA enables the ULPP protocol, which is used to switch the uplink.
Switch(config-If-Ethernet1/0/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/3
Switch(config-If-Ethernet1/0/3)#ulsm group 1 uplink
Switch(config-If-Ethernet1/0/3)#exit
SwitchC configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#interface ethernet 1/0/4
Switch(config-If-Ethernet1/0/4)#ulsm group 1 uplink
Switch(
Chapter 69 Mirror Configuration
69.1 Introduction to Mirror
Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function. Port mirroring duplicates the data frames sent/received on one port to another port. The port being duplicated is the mirror source port and the port receiving the copies is the mirror destination port.
2. Specify mirror source port
Command: monitor session source {interface | cpu [slot ]} {rx | tx | both} / no monitor session source {interface | cpu [slot ]} (Global mode)
Explanation: Specifies the mirror source port; the no command deletes the mirror source port.
3.
Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
Switch(config)#monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
69.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, first check the following causes: whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
Chapter 70 RSPAN Configuration
70.1 Introduction to RSPAN
Port mirroring duplicates the data frames sent/received on one port to another port. The port being duplicated is the mirror source port and the port receiving the copies is the mirror destination port. With the mirroring function in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more. Multiple source ports are not required to be in the same VLAN, and the destination port and the source ports can be in different VLANs.
1. Configure RSPAN VLAN
Command: remote-span / no remote-span (VLAN Configuration Mode)
Explanation: Configures the specified VLAN as the RSPAN VLAN; the no command removes the RSPAN VLAN configuration.
2. Configure mirror source port
Command: monitor session source {interface | cpu [slot ]} {rx | tx | both} / no monitor session source (Global Mode)
Explanation: Configures the mirror source port; the no command deletes the mirror source port.
70.3 Typical Examples of RSPAN
Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check network statistics. With RSPAN, network administrators can configure and supervise the switches remotely, which is more efficient. The figure below shows a sample application of RSPAN.
Intermediate switch: Interface ethernet1/0/6 is the source port, which is connected to the source switch. Interface ethernet1/0/7 is the destination port, which is connected to the intermediate switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch. The RSPAN VLAN is 5.
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#interface ethernet 1/0/3
Switch(Config-If-Ethernet1/0/3)#switchport mode trunk
Switch(Config-If-Ethernet1/0/3)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 reflector-port ethernet1/0/3
Switch(config)#monitor session 1 remote vlan 5
Intermediate switch: Interface ethernet1/0/6 is the source port which is
70.4 RSPAN Troubleshooting
RSPAN may not function for the following reasons: the destination mirror port is a member of a Port-channel group; if so, change the Port-channel group configuration. The throughput of the destination port is less than the total throughput of the source mirror ports; if so, the destination cannot capture all the datagrams from every source port.
Chapter 62 ULSM Configuration
Chapter 71 sFlow Configuration
71.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based protocol for exporting network traffic information, developed by the InMon Company. The monitored switch or router sends data to the analyzer through operations such as sampling and statistics collection; the analyzer then analyzes the data according to the user's requirements so as to monitor the network.
2. Configure the sFlow proxy address
Command: sflow agent-address / no sflow agent-address (Global Mode)
Explanation: Configure the source IP address used by the sFlow proxy; the "no" form of the command deletes this address.
3.
Command: sflow counter-interval / no sflow counter-interval (Port Mode)
Explanation: Configure the max interval for sFlow statistics sampling. The "no" form of this command deletes
8. Configure the analyzer used by sFlow
Command: sflow analyzer sflowtrend / no sflow analyzer sflowtrend (Port Mode)
Explanation: Configure the analyzer used by sFlow; the no command deletes the analyzer.
71.
71.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: the physical connection is correct; the address of the sFlow analyzer configured in global or port mode is reachable.
Chapter 72 SNTP Configuration
72.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve highly accurate clocks on networked computers. In most cases NTP provides accuracy of 1 to 50 ms, depending on the characteristics of the synchronization source and the network route.
72.2 Typical Examples of SNTP Configuration
Figure 72-2 Typical SNTP Configuration (two SNTP/NTP servers and several switches)
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there must be a reachable route between any switch and the two SNTP/NTP servers. Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.
Chapter 73 NTP Function Configuration
73.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients and can reach millisecond precision. The events, states, transmit functions and actions of the protocol are defined in RFC 1305. The purpose of NTP is to keep consistent time among all clock-dependent devices in the network, so that those devices can provide diverse applications that rely on a consistent time base.
Command (Global Mode): ntp server { | } [version ] [key ] / no ntp server { | }
Explanation: Specify a time server as the time source; the "no" form removes it.
3. Configure the maximum number of broadcast or multicast servers supported by the NTP client
Command (Global Mode): ntp broadcast server count / no ntp broadcast server count
Explanation: Set the maximum number of broadcast or multicast servers supported by the NTP client.
7. Specify an interface as an NTP broadcast/multicast client interface
Command (Interface Configuration Mode):
ntp broadcast client / no ntp broadcast client: Configure the specified interface to receive NTP broadcast packets.
ntp multicast client / no ntp multicast client: Configure the specified interface to receive NTP multicast packets.
ntp ipv6 multicast client / no ntp ipv6 multicast client: Configure the specified interface to receive IPv6 NTP multicast packets.
debug ntp sync / no debug ntp sync: Enable/disable the debug switch for time-synchronization information.
debug ntp events / no debug ntp events: Enable/disable the debug switch for NTP event information.
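The ntp server command above takes an optional key, and the chapter introduction says the protocol estimates delay and clock deviation. The following added example (not the switch's NTP implementation) shows both mechanics in one exchange: it builds the 48-byte NTP packet, appends the RFC 1305 symmetric-key authenticator (key identifier followed by MD5 over key || packet), verifies it on the reply, checks that the reply's origin timestamp echoes the request, and computes clock offset and round-trip delay from the four timestamps. The shared key, the key id and all timestamps are constructed sample values.

```python
"""NTP client/server exchange with the symmetric-key MD5 authenticator.

Added example; not the switch's NTP implementation. It builds the 48-byte
NTP packet, appends the optional authenticator (key identifier plus MD5 over
key || packet, the RFC 1305 scheme behind the 'ntp server ... key' option),
verifies it on the reply, and derives clock offset and round-trip delay from
the four timestamps. The shared key, the key id and all timestamps are
constructed sample values.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
HEADER_LEN = 48
AUTH_LEN = 4 + 16                  # key id + MD5 digest


def ntp_ts(unix_seconds, fraction=0.0):
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | int(fraction * (1 << 32))


def build_packet(mode, origin, receive, transmit, stratum=0, version=4, key_id=None, key=None):
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # poll, precision, root delay, root dispersion, reference id and reference
    # timestamp are left at zero; they do not matter for this exchange.
    pkt = struct.pack("!BBBbIIIQQQQ", li_vn_mode, stratum, 0, 0, 0, 0, 0,
                      0, origin, receive, transmit)
    if key is not None:
        pkt += struct.pack("!I", key_id) + hashlib.md5(key + pkt).digest()
    return pkt


def parse_packet(pkt, key_id=None, key=None):
    """Decode a packet; when a key is given, refuse anything not carrying a valid MAC."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = pkt[0], pkt[1]
    _ref, origin, receive, transmit = struct.unpack("!QQQQ", pkt[16:HEADER_LEN])
    authenticated = False
    if key is not None:
        # Unauthenticated NTP lets anyone on the path hand the client an arbitrary time.
        if len(pkt) < HEADER_LEN + AUTH_LEN:
            raise ValueError("authenticator required but missing")
        (kid,) = struct.unpack("!I", pkt[HEADER_LEN:HEADER_LEN + 4])
        expected = hashlib.md5(key + pkt[:HEADER_LEN]).digest()
        mac = pkt[HEADER_LEN + 4:HEADER_LEN + AUTH_LEN]
        if kid != key_id or not hmac.compare_digest(mac, expected):
            raise ValueError("NTP authentication failed")
        authenticated = True
    return {"mode": li_vn_mode & 0x7, "version": (li_vn_mode >> 3) & 0x7, "stratum": stratum,
            "origin": origin, "receive": receive, "transmit": transmit,
            "authenticated": authenticated}


def compute_offset_delay(t1, t2, t3, t4):
    """RFC 1305 clock offset and round-trip delay from 64-bit timestamps, in seconds."""
    offset = ((t2 - t1) + (t3 - t4)) / (1 << 32) / 2
    delay = ((t4 - t1) - (t3 - t2)) / (1 << 32)
    return offset, delay


def simulate_exchange(key, key_id=1):
    """Client request, server reply, client-side validation and offset calculation."""
    base = 1_700_000_000
    # Constructed clocks: the client runs 0.5 s behind the server and each network
    # direction costs 0.1 s. T1/T4 are read from the client clock, T2/T3 from the server.
    t1 = ntp_ts(base, 0.0)     # client sends
    t2 = ntp_ts(base, 0.6)     # server receives (true time base + 0.1 s, server clock +0.5 s)
    t3 = ntp_ts(base, 0.7)     # server sends after 0.1 s of processing
    t4 = ntp_ts(base, 0.3)     # client receives (true time base + 0.3 s)
    request = build_packet(MODE_CLIENT, 0, 0, t1, key_id=key_id, key=key)
    req = parse_packet(request, key_id, key)            # server side
    reply = build_packet(MODE_SERVER, req["transmit"], t2, t3, stratum=2,
                         key_id=key_id, key=key)
    rep = parse_packet(reply, key_id, key)              # client side
    if rep["mode"] != MODE_SERVER or rep["origin"] != t1:
        raise ValueError("reply does not answer our request (replayed or spoofed)")
    offset, delay = compute_offset_delay(t1, rep["receive"], rep["transmit"], t4)
    return {"offset": offset, "delay": delay, "authenticated": rep["authenticated"]}


if __name__ == "__main__":
    print(simulate_exchange(b"shared-secret"))
```

The origin-timestamp check is what stops a replayed or unsolicited reply from being accepted even when the MAC is valid; the MAC is what stops an on-path host from rewriting the timestamps. Without a configured key the switch accepts whatever time the reply carries, so the key option should be used wherever the time servers are not on a trusted network.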
Chapter 74 DNSv4/v6 Configuration
74.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS service, static and dynamic, which complement each other.
74.2 DNSv4/v6 Configuration Task List
1. Enable/disable the DNS function
2. Configure/delete the DNS server
3. Configure/delete the domain name suffix
4. Delete the domain entry of a specified address from the dynamic cache
5. Enable DNS dynamic domain name resolution
6. Enable/disable the DNS SERVER function
7. Configure the maximum number of client entries in the switch queue
8. Configure the timeout for caching client information on the switch
9. Monitor and diagnose the DNS function
5. Enable DNS dynamic domain name resolution
Command (Global Mode): dns lookup {ipv4 | ipv6}
Explanation: Enable DNS dynamic domain name resolution.
6. Enable/disable the DNS SERVER function
Command (Global Mode): ip dns server / no ip dns server
Explanation: Enable/disable the DNS SERVER function.
debug dns {all | packet [send | recv] | events | relay} / no debug dns {all | packet [send | recv] | events | relay}: Enable/disable debugging of the DNS function.
74.3 Typical Examples of DNS
Figure: DNS SERVER (IP: 219.240.250.101, IPv6: 2001::1); switch configured with ip domain-lookup and dns-server 219.240.250.
request; otherwise, the switch relays the request to the real DNS server, passes the reply from the DNS server to the client, and records the domain and its IP address for faster lookup in the future.
Switch configuration for DNS CLIENT:
Switch(config)# ip domain-lookup
Switch(config)# dns-server 219.240.250.101
Switch(config)# dns-server 2001::1
Switch#ping host www.sina.com.cn
Switch#traceroute host www.sina.com.cn
Switch#telnet host www.sina.com.
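The relay behaviour described above (forward the client's question upstream, hand back the reply, remember the answer) is only safe if the relay checks what it caches. The following is an added example, not the switch's DNS relay code: a minimal caching relay that builds the upstream query with an unpredictable transaction ID, accepts a reply only when its ID belongs to an outstanding query and its question section matches what was asked, discards replays, and expires the cached answer when its TTL runs out. The name www.example.com, the addresses and the reply bytes are constructed sample data.

```python
"""Caching DNS relay: query, validate the upstream reply, record the answer.

Added example; not the switch's DNS relay code. It shows the checks a caching
relay such as the one described above must make before it records an answer:
the reply's transaction ID must belong to an outstanding query, the question
section must match what was asked, and the entry is kept only for its TTL.
The name www.example.com, the addresses and the reply bytes are constructed.
"""
import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(name, txid):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_reply(query, addresses, ttl):
    """What an upstream server would send back for 'query' (constructed reply)."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = decode_name(query, 12)[1] + 4
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
        + bytes(int(x) for x in addr.split("."))
        for addr in addresses)
    return hdr + query[12:qend] + answers


def parse_reply(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "rcode": flags & 0xF, "question": (qname, qtype, qclass), "answers": answers}


class DnsRelay:
    """Relays a client's question upstream and caches the validated answer."""

    def __init__(self, clock):
        self.clock = clock        # returns seconds; injected so the TTL logic is testable
        self.cache = {}           # name -> (addresses, expiry)
        self.pending = {}         # txid -> name of the outstanding upstream query

    def lookup(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock():
            return entry[0]
        return None

    def make_upstream_query(self, name):
        txid = secrets.randbelow(1 << 16)       # unpredictable id; a counter makes spoofing trivial
        while txid in self.pending:
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = name
        return build_query(name, txid)

    def accept_reply(self, msg):
        rep = parse_reply(msg)
        name = self.pending.get(rep["txid"])
        if name is None or rep["question"] != (name, QTYPE_A, QCLASS_IN):
            raise ValueError("reply matches no outstanding query; discarded, not cached")
        del self.pending[rep["txid"]]           # one reply per query: a replay is rejected
        addrs = [a for a, _ in rep["answers"]]
        if rep["rcode"] == 0 and addrs:
            self.cache[name] = (addrs, self.clock() + min(t for _, t in rep["answers"]))
        return addrs
```

A 16-bit transaction ID is a thin defence on its own; real resolvers also randomize the source port, and the relay's upstream socket should be bound to a random port for the same reason. The clock is injected rather than read from time.monotonic() so that TTL expiry can be exercised without waiting.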
Chapter 75 Summer Time Configuration
75.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a time convention intended to save energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and use less artificial lighting. The rules for adopting summer time differ from country to country; at present, about 110 countries implement summer time.
The configuration procedure is as follows:
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example 2: The configuration requirement is as follows: summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, with a clock offset of 2 hours (120 minutes), and the summer time is named time_travel. The configuration procedure is as follows:
Switch(config)#clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120
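The recurring form of the command has to be turned into concrete dates every year before the switch can apply the offset, and getting that conversion wrong silently shifts every log timestamp by the offset for part of the year. The following added example (not the switch's clock code) resolves rule text of the "23:00 first sat apr" / "00:00 last sun oct" shape into transition instants for a given year, decides whether a standard-time instant lies inside summer time, and applies the offset; it also handles rules whose summer period spans the year boundary, which the command in Example 2 does not need. The rule strings mirror Example 2; the year and the instants are constructed inputs, and both rule times are assumed to be given in standard time.

```python
"""Evaluate a recurring summer-time rule of the 'clock summer-time ... recurring' form.

Added example; not the switch's clock code. It turns rule text such as
"23:00 first sat apr" and "00:00 last sun oct", plus an offset in minutes,
into the concrete transition instants for a given year and decides whether a
standard-time instant falls inside summer time. The rule strings mirror
Example 2; the year and the instants are constructed inputs, and both rule
times are assumed to be expressed in standard time.
"""
import calendar
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
          "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}
ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "last": -1}


def at(iso_text):
    """Parse an ISO 8601 local time such as '2012-07-01T12:00'."""
    return datetime.fromisoformat(iso_text)


def nth_weekday(year, month, ordinal, weekday):
    """Date of the first/second/third/fourth/last <weekday> of <month> in <year>."""
    if ordinal == -1:
        last = datetime(year, month, calendar.monthrange(year, month)[1])
        return last - timedelta(days=(last.weekday() - weekday) % 7)
    first = datetime(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7, weeks=ordinal - 1)


def parse_rule(text):
    """'23:00 first sat apr' -> (hour, minute, ordinal, weekday, month)."""
    hhmm, ordinal, weekday, month = text.lower().split()
    hour, minute = (int(x) for x in hhmm.split(":"))
    return hour, minute, ORDINALS[ordinal], WEEKDAYS[weekday], MONTHS[month]


def transition(year, rule):
    hour, minute, ordinal, weekday, month = parse_rule(rule)
    return nth_weekday(year, month, ordinal, weekday).replace(hour=hour, minute=minute)


def transitions(year, start_rule, end_rule):
    return transition(year, start_rule), transition(year, end_rule)


def in_summer_time(standard, start_rule, end_rule):
    start, end = transitions(standard.year, start_rule, end_rule)
    if start <= end:
        return start <= standard < end
    # Start after end: summer time spans the year boundary (southern hemisphere rules).
    return not (end <= standard < start)


def local_time(standard, start_rule, end_rule, offset_minutes):
    """Standard time -> displayed local time under the rule."""
    if in_summer_time(standard, start_rule, end_rule):
        return standard + timedelta(minutes=offset_minutes)
    return standard


if __name__ == "__main__":
    print(transitions(2012, "23:00 first sat apr", "00:00 last sun oct"))
```

For 2012 the rule from Example 2 resolves to 2012-04-07 23:00 and 2012-10-28 00:00; a quick way to validate a configured rule is to print the transitions for the current year and compare them with the dates the local authority publishes.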
Chapter 76 Monitor and Debug
When users configure the switch, they need to verify that the configuration is correct and that the switch operates as expected; when the network fails, they also need to diagnose the problem. The switch provides various debugging commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the cause of a problem.
address and packet send time) whose hop limit is set to 1. When the first router on the path receives this datagram, it decrements the hop limit by 1, so the hop limit becomes 0. The router therefore discards the datagram and returns an "ICMPv6 time exceeded" message (including the source address of the IPv6 packet, the contents of the IPv6 packet and the IPv6 address of the router).
show tech-support: Display the operating information and the state of each task running on the switch. Technicians use it to diagnose whether the switch is operating properly.
show version: Display the switch version.
show temperature: Show the CPU temperature of the switch.
76.6 Debug
All the protocols the switch supports have corresponding debug commands. Users can use the information from the debug commands for troubleshooting.
SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non-Volatile Random Access Memory) inside the switch provide the two parts of the log buffer. Both buffers record log information in a circular fashion: when the log information to be recorded exceeds the buffer size, the oldest log information is erased and replaced by the new information. Information saved in NVRAM is kept permanently, while information in SDRAM is lost when the system restarts or encounte
Output from CLI commands is classified as informational; output from CLI command debugging is classified as debugging.
Log information can be sent automatically to the corresponding channels according to its severity level. Debugging information can only be sent to the monitor.
3. Enable/disable logging of executed commands
Command (Global Mode): logging executed-commands {enable | disable}
Explanation: Enable or disable logging of executed commands.
4. Display the log source
Command (Admin and configuration mode): show logging source mstp
Explanation: Show the log information source of the MSTP module.
5. Display the executed-commands logging state
Command (Admin mode): show logging executed-commands state
Explanation: Show the state of logging executed-commands.
Chapter 77 Reload Switch after Specified Time
77.1 Introduction to Reload Switch after Specified Time
Reload switch after specified time reboots the switch, without cutting its power, after a specified period of time; it is usually used when upgrading the switch software. The switch can be rebooted after a delay instead of immediately after the new version has been installed successfully.
77.2 Reload Switch after Specified Time Task List
Chapter 78 Debugging and Diagnosis for Packets Received and Sent by CPU
78.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by the CPU, and are meant to be used with the help of technical support.
Chapter 79 VSF
79.1 Overview
79.1.1 Introduction of VSF
VSF uses VSF ports to connect several devices and build a single virtual logical device. The user can use this virtual device to manage all the physical devices linked together. Traditional campus and data center networks use a multi-layer network topology design, as shown below in Figure 83-1.
Figure 83-2: VSF
Figure 83-3: Enterprise adopting virtualization technology
Compared with the traditional L2/L3 network design, VSF provides several marked advantages. They can be summarized as 3 main advantages:
1. VSF increases operational efficiency: there is only one management point, including one configuration file and one gateway IP address (no need for HSRP/VRRP/GLBP).
status information. With VSF, if one of the virtual switch members fails, no L2/L3 reconvergence is needed and the virtual switch recovers in a short time.
3. VSF expands the system bandwidth capacity: the VSF switch can use all L2 bandwidth and balance load across the multiple VSF members when bandwidth is expanded.
79.1.2 Basic Concept
(1) Role: Each device in the VSF is called a member device.
cannot connect together physically. Therefore, one stack splits into two stacks. This process is called a split.
Figure 83-5: Splitting of a stack
(6) Priority of member: Member priority is an attribute of a member device, used mainly in role selection to determine the role of each member. A device with higher priority has a higher chance of becoming the Master. The default priority of a device is 1.
GR: Graceful Restart. In order to keep forwarding uninterrupted, the neighboring routers are required to support the GR extension.
MAD: Multi-Active Detection
79.1.4 VSF Typical Application
Figure 83-6: application of VSF in the campus data center
Figure 83-6 shows the application of VSF in a campus network. With VSF, several devices are grouped together into a single logical device, and the rest of the network connects to that virtual device.
Figure 83-7: LACP MAD detection
LACP MAD detection is achieved through extended content in LACP protocol packets. A new TLV (Type Length Value) is defined in the extension field of the LACP packet, and this TLV carries the ActiveID that VSF systems exchange. For a VSF system the ActiveID value is unique; it is expressed by the member number of the master device in the VSF.
Construction method: select one port on member 1 and one port on member 2 and connect them with a cable.
Figure 83-8: BFD MAD detection
BFD MAD detection is achieved through the BFD protocol. For BFD MAD detection to run normally, enable the BFD MAD detection function on the layer 3 interface and configure the MAD IP address on that interface.
Configure the VSF member number (necessary)
Command (Global Mode): vsf member / no vsf member
Explanation: Configure/delete the VSF member number.
Configure the priority and domain of VSF members (optional)
Command (Global Mode): vsf priority / no vsf priority
Explanation: Configure/delete the priority of the VSF member.
Command (Global Mode): vsf domain / no vsf domain
Explanation: Configure the VSF domain; the no command restores the default of 1.
Command: vsf member description / no vsf member
Explanation: Describe the VSF member. This information is written only in the VSF master configuration file. The no command deletes the description.
Command: vsf link delay / no vsf link delay
Explanation: Configure the delayed down-reporting function of the VSF link, used to avoid link split and merge caused by short-lived link changes. The no command restores the delay-report time to its default value.
3. Configure quick detection
Command (Port Mode): lacp timeout / no lacp timeout
Explanation: Configure/delete quick detection.
4. Enable LACP MAD
Command (Aggregation Port Mode): vsf mad lacp
Explanation: Enable/disable LACP MAD on the port-group.
79.2.3 BFD MAD Configuration
BFD MAD configuration task list:
1. Create the VLAN used for BFD MAD
2. Add the port used for BFD MAD to the corresponding VLAN
3. Configure the IP address of the BFD MAD layer 3 interface
Command: vsf mad ip address member / no vsf mad ip address member
Explanation: Configure/delete the IP address used for BFD MAD on the layer 3 interface.
4. Enable the BFD MAD function
Command (Interface Configuration Mode): vsf mad bfd
Explanation: Enable/disable BFD MAD.
79.3 Typical VSF Example
Case 1: In independent operation mode, configure two switches to form a VSF. The member numbers of the two devices are 1 and 2.
Case 2:
Figure 83-9: LACP MAD detection topology
As shown in the figure above, the LACP MAD detection function is used between two VSFs. vsf1 and vsf2 are both the detected devices and the intermediate devices. The configuration is the same as above.
Recommendation: create cross-connections between the devices so that vsf1 can still act as the intermediate device that detects vsf2 after a split.
Switch (config)# interface ethernet 1/1/2
Switch (config-if-ethernet1/1/2)# port-group 1 mode active
Switch (config)# interface ethernet 2/1/1
Switch (config-if-ethernet2/1/1)# port-group 1 mode active
Switch (config)# interface ethernet 2/1/2
Switch (config-if-ethernet2/1/2)# port-group 1 mode active
Switch (config-if-ethernet2/1/2)# interface port-channel 1
Switch (config-if-port-channel1)# vsf mad lacp enable
Vsf2 configuration:
Switch (config)# vsf domain 2
Con
79.4 VSF Troubleshooting
When configuring and using VSF, a command may not take effect; pay attention to the following items:
Check the operation mode: some commands can only be configured in VSF operation mode, while others can be configured in both VSF and independent operation mode.
whether the VLAN used for BFD MAD detection is carried on this trunk (a trunk port belongs to all VLANs by default). If it is, the VLAN used for BFD MAD detection must be filtered from this port, otherwise a loop may appear. If a port on this VSF is configured as a hybrid port, make sure the hybrid port does not belong to the VLAN used for BFD MAD detection, otherwise a loop may appear.
Chapter 80 PoE Configuration
80.1 Introduction to PoE
PoE (Power over Ethernet) is a technology that supplies direct current to IP-based terminals (such as IP phones, wireless LAN APs and network cameras) over the same cable that carries their data. Devices receiving DC power this way are called PDs (Powered Devices). The maximum distance over which PoE can reliably supply power is 100 meters. IEEE 802.
2. Globally set the maximum output power
Command (Global Mode): power inline max / no power inline max
Explanation: Globally set the maximum output power of PoE.
3. Globally set the power management mode
Command (Global Mode): power inline police enable / no power inline police enable
Explanation: Enable/disable the power priority management policy mode.
8. Set the power priority on specified ports
Command (Port Mode): power inline priority {critical | high | low}
Explanation: Set the power priority on the specified port.
80.3 Typical Application of PoE
Requirements of network deployment: set the maximum output power of the DCRS-5960-28T-POE to 370 W, assuming that the default maximum power satisfies the requirements. Ethernet interface 1/0/2 is connected to an IP phone. Ethernet interface 1/0/4 is connected to a wireless AP.
Configuration steps:
Globally enable PoE:
Switch(Config)# power inline enable
Globally set the maximum power to 370 W:
Switch(Config)# power inline max 370
Globally enable the priority policy of power management:
Switch(Config)# power inline police enable
Set the priority of port 1/0/2 to critical:
Switch(Config-Ethernet1/0/2)# power inline priority critical
Set the maximum output power of port 1/0/6 to 9000 mW:
Switch(Config-Ethernet1/0/6)#power inline max 9000
Chapter 81 SWITCH OPERATION
81.1 Address Table
The switch maintains an address table composed of many entries. Each entry stores the address information of a node in the network, including its MAC address and port number. This information comes from the learning process of the Ethernet switch.
81.2 Learning
When a packet arrives on any port, the switch records its source address, port number and other related information in the address table.
The switch performs "store and forward": a frame is received completely and checked before it is forwarded, so erroneous frames are discarded rather than propagated, which reduces the retransmission rate.
81.5 Auto-Negotiation
The twisted-pair ports on the switch have built-in "auto-negotiation". This technology automatically selects the best possible speed and duplex mode when a connection is established with another network device (usually at power-on or reset).
Chapter 82 TROUBLESHOOTING
This chapter contains information to help you solve problems. If the Ethernet switch is not functioning properly, make sure it was set up according to the instructions in this manual.
Chapter 83 APPENDIX A
83.1 A.1 Switch's RJ45 Pin Assignments
1000Mbps, 1000BASE-T
Contact   MDI      MDI-X
1         BI_DA+   BI_DB+
2         BI_DA-   BI_DB-
3         BI_DB+   BI_DA+
4         BI_DC+   BI_DD+
5         BI_DC-   BI_DD-
6         BI_DB-   BI_DA-
7         BI_DD+   BI_DC+
8         BI_DD-   BI_DC-
Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
83.2 A.
The standard RJ45 receptacle/connector: there are 8 wires in a standard UTP/STP cable, and each wire is color-coded.
Chapter 84 GLOSSARY
Bandwidth Utilization: The percentage of packets received over time as compared to the overall bandwidth.
BOOTP: Bootstrap protocol used by devices connected to the network to obtain their IP configuration and locate the boot image of their operating system.
Distance Vector Multicast Routing Protocol (DVMRP): A distance-vector-style routing protocol used for routing multicast datagrams through the Internet. DVMRP combines many of the features of RIP with Reverse Path Broadcasting (RPB).
IEEE 802.1D: Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q: VLAN Tagging. Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IEEE 802.3ac: Defines frame extensions for VLAN tagging.
Multicast Switching: A process whereby the switch filters incoming multicast frames for services no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group.
Open Shortest Path First (OSPF): OSPF is a link state routing protocol that functions better over a larger network such as the Internet, as opposed to distance vector routing protocols such as RIP.
Telnet: Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
Trivial File Transfer Protocol (TFTP): A TCP/IP protocol commonly used for software downloads.
Virtual LAN (VLAN): A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network.