PLANET Layer 3 24-/48-Port 10G SFP+ plus 4-Port 100G QSFP28 XGS-6350-24X4C XGS-6350-48X2Q4C
Trademarks
Copyright © PLANET Technology Corp. 2022. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
Chapter 1 INTRODUCTION
Thank you for purchasing the PLANET Layer 3 24-/48-Port 10G SFP+ plus 4-Port 100G QSFP28 Managed Switch. The descriptions of these models are shown below:
XGS-6350-24X4C: Layer 3 24-Port 10G SFP+ + 4-Port 100G QSFP28 Managed Switch
XGS-6350-48X2Q4C: Layer 3 48-Port 10G SFP+ + 2-Port 40G QSFP+ + 4-Port 100G QSFP28 Managed Switch
1.1 Packet Contents
Unless specified, "Managed Switch" mentioned in this user's manual refers to the XGS-6350-24X4C/XGS-6350-48X2Q4C.
1.2 Product Description
Powerful 100Gbps Solution for All Long-Reach Networks
The PLANET XGS-6350-Series is a high-performance Layer 3 Managed Switch that meets next-generation Metro, Data Center, Campus and Enterprise network requirements. The administrator can flexibly choose suitable transceivers according to the transmission distance or the transmission speed required, extending the 1G/10G/40G/100G network efficiently.
High Reliability
The key components of the XGS-6350-Series, the management module, the power system and the fan system, support a redundant design. All system modules support hot-swap and seamless switching without manual intervention. The switch supports In-Service Software Upgrade (ISSU) and Graceful Restart (GR) for the OSPF/BGP routing protocols, guaranteeing non-stop user data transmission while the system is upgraded.
To reduce product learning time, the XGS-6350-Series offers Cisco-like commands via Telnet or the console port. Moreover, the XGS-6350-Series offers secure remote management by supporting SSH connections, which encrypt the packet content of each session.
Centralized Hardware Stacking Management
The XGS-6350-Series can be used to build a virtually logical facility.
- 802.3ad Link Aggregation Control Protocol (LACP)
- Cisco ether-channel (static trunk)
Supports Spanning Tree Protocol
- STP, IEEE 802.1D (Classic Spanning Tree Protocol)
- RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol)
- MSTP, IEEE 802.
- Four RMON groups (history, statistics, alarms, and events)
- SNMP trap for interface Link Up and Link Down notification
Built-in Trivial File Transfer Protocol (TFTP) client
BOOTP and DHCP for IP address assignment
System Maintenance
SNMP Management
- Firmware upload/download via HTTP
- Reset button for system reboot or reset to factory default
- Dual images
DHCP Functions:
- DHCP Relay
- DHCP Option 82
- DHCP Server
User Privilege levels control
Network Time P
LNK/ACT, Green
Switching Specifications (values: XGS-6350-24X4C / XGS-6350-48X2Q4C)
Switch Architecture: Store-and-forward
Switch Capacity: 800Gbps/non-blocking / 1.92Tbps/non-blocking
Switch Throughput: 960Mpps / 1440Mpps@64bytes
Address Table: 32K MAC address table with auto learning function / 64K MAC address table with auto learning function
Shared Data Buffer: 4MB / 9MB
Flow Control: Back pressure for half duplex; IEEE 802.
Jumbo Frame
VLAN: IEEE 802.1Q tag-based VLAN; IEEE 802.1ad Q-in-Q VLAN stacking/tunneling; GVRP for VLAN management; Private VLAN; Up to 4K VLAN groups
Spanning Tree Protocol: IEEE 802.1D Spanning Tree Protocol (STP); IEEE 802.1w Rapid Spanning Tree Protocol (RSTP); IEEE 802.1s Multiple Spanning Tree Protocol (MSTP); BPDU protection, root protection
Ring: Supports ITU-G G.
Security Function
Access Control List: Supports Standard and Expanded ACL; IP-based ACL/MAC-based ACL; Time-based ACL; Up to 1K entries
Security: Port isolation; Port security, supports IP + MAC + port binding; Identification and filtering of L2/L3/L4 based ACL; Defend against DoS or TCP attacks; Suppression of broadcast, multicast and unknown unicast packets; DHCP Snooping, DHCP Option 82; Command line authority control based on user levels
AAA: TACACS+ and IPv4/IPv6 over RADIUS
Network Access Control: IEEE 802.
RFC 1493 Bridge MIB; RFC 1643 Ether-like MIB; RFC 1907 SNMPv2; RFC 2011 IP/ICMP MIB; RFC 2012 TCP MIB; RFC 2013 UDP MIB; RFC 2096 IP forward MIB; RFC 2233 if MIB; RFC 2452 TCP6 MIB; RFC 2454 UDP6 MIB; RFC 2465 IPv6 MIB; RFC 2466 ICMP6 MIB; RFC 2573 SNMPv3 notification; RFC 2574 SNMPv3 VACM; RFC 2674 Bridge MIB Extensions
Standard Conformance
Regulatory Compliance: FCC Part 15 Class A, CE
IEEE 802.3z Gigabit 1000BASE-SX/LX; IEEE 802.3ae 10Gb/s Ethernet; IEEE 802.3x flow control and back pressure; IEEE 802.
RFC 1058 RIP v1; RFC 2453 RIP v2
Environment
Operating Temperature: 0 ~ 50 degrees C
Relative Humidity: 10 ~ 85% (non-condensing)
Storage Temperature: -40 ~ 80 degrees C
Relative Humidity: 5 ~ 95% (non-condensing)
Chapter 2 Installation
This section describes the hardware features and installation of the Managed Switch on a desktop or in a rack. For easier management and control of the Managed Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter display the unit LED indicators. Before connecting any network device to the Managed Switch, please read this chapter completely.
2.1 Hardware Description
2.1.
2.1.2 LED Indications
The front panel LEDs indicate the instant status of port links, data activity, system operation, stack status and system power, and help monitor and troubleshoot when needed.
XGS-6350-24X4C
Figure 2-1-3 XGS-6350-24X4C front panel
System LED
PWR (Green): Lights to indicate that the Switch has power. Off: Power is off.
SYS (Green): Blinks to indicate the system diagnosis is completed; lights to indicate the system is normally starting up.
Interfaces LED
LNK/ACT (Green): Blinks to indicate that data is being transmitted and received through the port; lights to indicate the link on the port is normal.
XGS-6350-48X2Q4C
Figure 2-1-4 XGS-6350-48X2Q4C front panel
System LED
PWRA/PWRB (Green): Lights to indicate that the Switch has power. Off: Power is off.
SYS (Green): Blinks to indicate the system diagnosis is completed; lights to indicate the system is normally starting up.
MNG (Green): Lights to indicate that the Switch has connected the Ethernet cable to the management port. Off: The Switch has not connected the Ethernet cable to the management port.
2.2 Switch Installation
This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps.
2.2.1 Desktop Installation
To install the Managed Switch on a desktop or shelf, please follow these steps:
Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch.
Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable to a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid Green.
2.2.2 Rack Mounting
To install the Managed Switch in a 19-inch standard rack, please follow the instructions described below:
Step 1: Place the Managed Switch on a hard flat surface, with the front panel positioned towards the front side.
Figure 2-2-3 Mounting SGS-6341 Series in a Rack
Step 6: Proceed with Steps 4 and 5 of Section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch.
■ AC Power Receptacle
Compatible with electrical services in most areas of the world, the Managed Switch's power supply automatically adjusts to line power in the range of 100-240VAC and 50/60 Hz. Plug the female end of the power cord firmly into the receptacle on the rear panel of the Managed Switch.
Chapter 3 Configuration Preparation
This chapter mainly describes the following preparatory work before you configure the switch for the first time:
- Port number of the switch
- Preparation before switch startup
- How to get help
- Command mode
- Cancelling a command
- Saving configuration
3.1 Port Number of the Switch
The physical port of the switch is numbered in the / form.
Switch> ?
Enter several familiar characters and press the space key. The available command list starting with the entered characters is displayed.
Switch> s?
Enter a command, press the space key and enter the question mark. The command parameter list is displayed.
Switch> show ?
Press the "up" key and the commands entered before are displayed. Continue to press the "up" key and more commands are displayed.
3.5 Canceling a Command
To cancel a command or restore its default properties, add the keyword "no" before most commands. An example is given as follows:
no ip routing
3.6 Saving Configuration
You need to save the configuration in case the system is restarted or the power is suddenly cut off. Saving the configuration lets you quickly recover the original configuration. You can run write to save the configuration in management mode or office configuration mode.
Chapter 4 System Management Configuration
4.1 File Management Configuration
4.1.1 Managing the file system
Filenames in flash are no more than 20 characters and are case insensitive. The GP3616 SWITCH mainly consists of the MSU. As the MSU needs an IOS image, download the BIN file to the MSU. Ensure the suffix of the BIN file is .bin; the BIN file name can be arbitrary. In the GP3616 file system, the IOS file with the suffix .bin is used for MSU startup; the file name is arbitrary.
Description
Parameters: local_filename - file name in the flash; the user must enter the file name
Example
monitor#boot flash switch.bin
4.1.4 Updating software
The user can use this command to download SWITCH system software locally or remotely to obtain a version update or a custom-made function version. There are two ways of software update in monitor mode.
Through TFTP protocol
monitor#copy tftp flash [ip_addr]
The command copies a file from the TFTP server to the flash in the system. After you enter the command, the system will prompt you to enter the remote server name and the remote filename.
Description
Parameters: ip_addr - the IP address of the TFTP server. If this parameter is not designated, you are prompted to enter the IP address after the copy command is run.
Example
The following example shows a main.bin file being read from the server, written into the SWITCH and renamed switch.bin.
monitor#copy tftp flash
Prompt: Source file name[]?main.bin
Prompt: Remote-server ip address[]?192.168.20.1
Prompt: Destination file name[main.bin]?switch.bin
please wait ...
Through TFTP protocol
monitor#copy tftp flash startup-config
4.1.6 Using ftp to perform the update of software and configuration
switch#copy ftp flash [ip_addr]
Use ftp to perform the update of software and configuration in formal program management. Use the copy command to download a file from the ftp server to the SWITCH, or to upload a file from the file system of the SWITCH to the ftp server. After you enter the command, the system will prompt you to enter the remote server name and the remote filename.
Description
Parameters:
login-nam - Username of the ftp server. If this parameter is not designated, you are prompted to enter it after the copy command is run.
login-password - Password of the ftp server. If this parameter is not designated, you are prompted to enter it after the copy command is run.
ip_addr - IP address of the ftp server. If this parameter is not designated, you are prompted to enter it after the copy command is run.
Example
The following example shows a main.bin file being read from the server, written into the SWITCH and renamed switch.bin.
switch#copy ftp flash
Prompt:ftp user name[anonymous]? login-nam
Prompt:ftp user password[anonymous]? login-password
Prompt:Source file name[]?main.bin
Prompt:Remote-server ip address[]?192.168.20.1
Prompt:Destination file name[main.bin]?switch.bin
Or
switch#copy ftp://login-nam:login-password@192.168.20.1/main.bin flash:switch.
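Both forms of the ftp copy command above place the server password on the command line or in the echoed session, so it ends up in terminal captures and logs. The following is an added example, not code from the manual, that parses the one-line copy ftp:// form and redacts the password in either form; the session text is constructed for illustration.

```python
"""Parse and redact credentials in 'copy ftp' sessions (added example, not PLANET code).

Handles the two forms shown in section 4.1.6:
  switch#copy ftp://<user>:<password>@<host>/<path> flash:<dest>
  Prompt:ftp user password[anonymous]? <password>
"""
import re
from typing import List, Optional

# One-line URL form. A password containing '@' is not supported by this pattern.
COPY_FTP_URL = re.compile(
    r"^(?P<prefix>\s*(?:\S*#)?\s*copy\s+ftp://)"
    r"(?P<user>[^:@/\s]+):(?P<password>[^@\s]*)@"
    r"(?P<host>[^/\s]+)/(?P<path>\S+)\s+flash:(?P<dest>\S+)"
)
# Interactive form: the answer typed after the password prompt is echoed.
PROMPT_PASSWORD = re.compile(
    r"^(?P<prefix>Prompt:\s*ftp user password\[[^\]]*\]\?\s*)(?P<password>\S+)"
)

# Constructed sample session (not from the manual); password chosen for the demo.
SAMPLE_SESSION = """\
switch#copy ftp://admin:S3cret!@192.168.20.1/main.bin flash:switch.bin
switch#copy ftp flash
Prompt:ftp user name[anonymous]? admin
Prompt:ftp user password[anonymous]? S3cret!
Prompt:Source file name[]?main.bin
Prompt:Remote-server ip address[]?192.168.20.1
Prompt:Destination file name[main.bin]?switch.bin
"""


def parse_copy_ftp(line: str) -> Optional[dict]:
    """Return user/host/path/dest of a one-line copy ftp command (never the password)."""
    m = COPY_FTP_URL.match(line)
    if m is None:
        return None
    return {k: m.group(k) for k in ("user", "host", "path", "dest")}


def redact_line(line: str) -> str:
    """Replace the password in either command form with ***; other lines pass through."""
    m = COPY_FTP_URL.match(line)
    if m:
        return (f"{m['prefix']}{m['user']}:***@{m['host']}/{m['path']} flash:{m['dest']}"
                + line[m.end():])
    m = PROMPT_PASSWORD.match(line)
    if m:
        return f"{m['prefix']}***" + line[m.end():]
    return line


def find_credential_lines(text: str) -> List[int]:
    """1-based line numbers in a captured session that carry an FTP password."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if COPY_FTP_URL.match(line) or PROMPT_PASSWORD.match(line)]


def redact_session(text: str) -> str:
    """Redact every password-bearing line of a captured session."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(find_credential_lines(SAMPLE_SESSION))
    print(redact_session(SAMPLE_SESSION))
```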
Description
Parameters:
ip_addr - IP address of the Ethernet
net_mask - Mask of the Ethernet
Example
monitor#ip address 192.168.1.1 255.255.255.0
4.2.2 Setting the Default Route
monitor#ip route default
This command is used to configure the default route. You can configure only one default route.
Description
Parameters: ip_addr - IP address of the gateway
Example
monitor#ip route default 192.168.1.1
4.2.3 Using Ping to Test Network Connection State
monitor#ping
This command tests the network connection state.
Description
Parameters: ip_address - the destination IP address
Example
monitor#ping 192.168.20.100
PING 192.168.20.100: 56 data bytes
64 bytes from 192.168.20.100: icmp_seq=0. time=0. ms
64 bytes from 192.168.20.100: icmp_seq=1. time=0. ms
64 bytes from 192.168.20.100: icmp_seq=2. time=0. ms
64 bytes from 192.168.20.100: icmp_seq=3. time=0. ms
----192.168.20.
Chapter 5 Terminal Configuration
5.1 VTY Configuration Overview
The system uses the line command to configure terminal parameters. Through this command, you can configure the width and height that the terminal displays.
5.2 Configuration Tasks
The system has four types of lines: console, aid, asynchronous and virtual terminal. Different systems have different numbers of lines of these types. Refer to the following software and hardware configuration guide for the proper configuration.
Relationship between Synchronous Interface and VTY Line
The virtual terminal line provides a synchronous interface to access the system. When you connect to the system through a VTY line, you actually connect to a virtual port on an interface. Each synchronous interface can have many virtual ports; for example, several Telnet sessions can connect to the same interface (Ethernet or serial interface).
Steps for configuring VTY:
(1) Log in to the line configuration mode.
Chapter 6 SSH Configuration Commands
6.1 SSH Overview
6.1.1 SSH Server
An SSH client can establish a secure and encrypted communication link to the SSH server and other devices. This connection has the same functions as Telnet. The SSH server supports the following encryption algorithms: des, 3des and blowfish.
6.1.2 SSH Client
The SSH client runs on the basis of the SSH protocol, providing authentication and encryption.
In global configuration mode, the following command can be used to configure the authentication timeout.
Command: ip sshd timeout <60-65535>
Purpose: Configure the authentication timeout time.
6.2.4 Configuring the Authentication Retry Times
If the number of failed authentications exceeds the maximum, the SSH server will not allow you to retry authentication and the system enters the silent period. The maximum number of authentication retries is 6 by default.
6.2.8 Enabling SSH Server
The SSH server is disabled by default. When the SSH server is enabled, an RSA key pair is generated and the server then listens for connection requests from SSH clients. The whole process probably requires one or two minutes. The following command can be used in global configuration mode to enable the SSH server:
Command: ip sshd enable
Purpose: Enable the SSH server. The generated RSA key is 1024 bits.
6.3 Configuration Example of SSH Server
The following configuration allows the host whose IP is 192.
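A defender verifying what a server of this kind actually offers can read the cipher name-lists in its SSH_MSG_KEXINIT. The following is an added example, not the manual's or PLANET's code: it builds and parses a KEXINIT payload using the RFC 4253 name-list encoding and reports which of the algorithms listed in 6.1.1 the peer advertises. The KEXINIT bytes are constructed inline; the cipher identifiers (including "des-cbc", which SSH-2 does not standardize) are assumed for illustration.

```python
"""Build/parse SSH_MSG_KEXINIT and flag the ciphers named in 6.1.1 (added example, not PLANET code)."""
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
# RFC 4253 section 7.1: ten name-lists follow the 16-byte cookie, in this order.
LIST_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
               "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Identifiers assumed to correspond to the manual's des / 3des / blowfish.
LEGACY_CIPHERS = {"des-cbc", "3des-cbc", "3des-ctr", "blowfish-cbc", "blowfish-ctr"}


def name_list(names: List[str]) -> bytes:
    """Encode a name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Assemble a KEXINIT payload; lists not given are sent empty."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in LIST_FIELDS:
        payload += name_list(lists.get(field, []))
    payload += b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload: bytes) -> Dict[str, object]:
    """Decode a KEXINIT payload; raises ValueError on truncated or foreign data."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for field in LIST_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list header")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list body")
        body = payload[off:off + n].decode("ascii")
        out[field] = body.split(",") if body else []
        off += n
    if off + 5 > len(payload):
        raise ValueError("missing trailer")
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def is_valid_kexinit(payload: bytes) -> bool:
    try:
        parse_kexinit(payload)
        return True
    except ValueError:
        return False


def legacy_ciphers_offered(kexinit: Dict[str, object]) -> List[str]:
    """Ciphers from LEGACY_CIPHERS that appear in either direction's list."""
    offered = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    return sorted(offered & LEGACY_CIPHERS)


# Constructed sample: what a server offering only the 6.1.1 algorithms might send.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["3des-cbc", "blowfish-cbc", "des-cbc"],
    "enc_s2c": ["3des-cbc", "blowfish-cbc", "des-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print(legacy_ciphers_offered(parse_kexinit(SAMPLE_SERVER_KEXINIT)))
```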
Chapter 7 Network Management Configuration
7.1 SNMP Configuration
7.1.1 Overview
The SNMP system includes the following 3 parts:
- SNMP management server (NMS)
- SNMP agent (agent)
- MIB
SNMP is an application-layer protocol. It provides the format for the packets which are transmitted between the NMS and the agent. The SNMP management server is a part of the network management system, such as CiscoWorks.
SNMP Notification
When a special event occurs, the system sends a notification to the SNMP management server. For example, when the agent system runs into an incorrect condition, it sends a message to the management server. The SNMP notification can be sent as a trap or as an inform request. Because the receiver of a trap does not send any response, the transmitter cannot confirm whether the trap was received. In this way, the trap is unreliable.
int ethernet1/1
llc2 idle-time 12
7.3.2 Configuring the Time Value of Waiting for Acknowledgement
Command: [no] llc2 t1-time [seconds]
Purpose: Used for controlling the waiting time for the expected remote acknowledgement. The "no" form restores the default value.
seconds: The seconds to wait for the remote acknowledgement. The maximum is 60 seconds, the minimum is 1 second and the default is 1 second.
Configuration Mode: Interface Configuration
Notes: An LLC2 connection end sometimes needs to know the status of the opposite end. For this purpose, a command frame that requires a response from the opposite end needs to be sent. When the opposite end receives the command frame, it replies with a response frame. If an error occurs in the process, the sending end will keep waiting. To avoid this situation, a clock needs to be enabled.
Example: Setting the number of re-sends to 12
int ethernet1/1
llc2 n2 12
7.3.7 Configuring the Size Of Window for Resending
Command: [no] llc2 local-window packet-count
Purpose: Used for controlling the maximum number of I frames sent (namely the size of the resend window) while I frames are unconfirmed. The "no" form restores the default value.
packet-count: The maximum number of I frames sent. The maximum is 127, the minimum is 1 and the default is 7.
the information frame sent by the opposite end exceeds the acknowledged maximum size, an acknowledge frame will be sent immediately rather than at the timeout. The command below can be used for setting the value.
Command: llc2 ack-delay-time seconds
Purpose: Setting the acknowledgement time-delay
7.3.
7.4 Example of LLC2 Configuration
The number of LLC2 frames received before the response can be configured. For example, suppose two information frames are received at time 0 rather than the maximum number 3: the responses to these frames are not sent. If the third frame, which would make the router respond, is not received within 800 ms, the response is transmitted when the time-delay timer fires.
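The delayed-acknowledgement rule described above, modelled as an added example (not PLANET code): an acknowledgement goes out either when the configured number of information frames has arrived or when the ack-delay timer expires, whichever comes first. The frame count (3) and delay (800 ms) are the values from the text; the event trace is constructed.

```python
"""Model of the LLC2 delayed-acknowledgement rule from section 7.4 (added example, not PLANET code)."""
from typing import List, Optional, Tuple


class DelayedAck:
    def __init__(self, max_frames: int = 3, ack_delay_ms: int = 800):
        self.max_frames = max_frames          # frames that trigger an immediate ack
        self.ack_delay_ms = ack_delay_ms      # llc2 ack-delay-time in milliseconds
        self.pending = 0                      # received I-frames not yet acknowledged
        self.deadline: Optional[int] = None   # time (ms) at which the delay timer fires

    def receive(self, now_ms: int) -> bool:
        """Record a received I-frame; True if an acknowledgement is sent right away."""
        if self.pending == 0:
            self.deadline = now_ms + self.ack_delay_ms   # first unacked frame starts the timer
        self.pending += 1
        if self.pending >= self.max_frames:
            self._send_ack()
            return True
        return False

    def tick(self, now_ms: int) -> bool:
        """Advance the clock; True if the timer expired and an acknowledgement is sent."""
        if self.deadline is not None and now_ms >= self.deadline:
            self._send_ack()
            return True
        return False

    def _send_ack(self) -> None:
        self.pending = 0
        self.deadline = None


def simulate(events: List[Tuple[str, int]], max_frames: int = 3,
             ack_delay_ms: int = 800) -> List[int]:
    """Run ('frame', t) / ('tick', t) events in order; return the times acks are sent."""
    rx = DelayedAck(max_frames, ack_delay_ms)
    acks = []
    for kind, t in events:
        sent = rx.receive(t) if kind == "frame" else rx.tick(t)
        if sent:
            acks.append(t)
    return acks


if __name__ == "__main__":
    # Text's scenario: two frames at t=0, no third frame; ack leaves at 800 ms.
    print(simulate([("frame", 0), ("frame", 0), ("tick", 500), ("tick", 800)]))
```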
sdlc t1 milliseconds: Controls the total time the software waits for a response.
sdlc n2 retry-count: Configures how many times the software retries a timed-out operation.

7.4.3 Configuring the Number of SDLC Frame and Information Frame
The maximum length of an input frame and the maximum number of information frames (the window size) received before the router sends a response to the receiving end can be configured. When the configured value is relatively large, network overhead is reduced.
the limit value of polling, but it may delay the polling of other slave stations. One or more of the commands below can be used in interface configuration mode to control the polling of slave stations:
Command: sdlc poll-pause-timer milliseconds
Purpose: Configures the interval the router waits between polling two slave stations on a single serial port.
Command: sdlc poll-limit-value count
Purpose: Configures how many times a master station polls a slave station.
Command: sdlc sdlc-largest-frame address size
Purpose: Configures the maximum length of information frame that can be sent or received by the designated SDLC station.

7.4.9 Monitoring SDLC Workstation
The command below can be used in management mode to monitor the configuration of an SDLC workstation and decide which SDLC parameter needs to be adjusted.
Command: show interfaces
Purpose: Shows the workstation configuration.
Chapter 8 AAA Configuration
8.1 AAA Overview
Access control is used to control which users can access the SWITCH or NAS and to limit the service types available to them. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your SWITCH or access server.
8.1.1 AAA Security Service
AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
Multiple backup systems

8.1.3 AAA Principles
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
8.1.
sequence of the method list follows the name. The default method list is automatically applied to all interfaces. When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated.
8.2.2 AAA Authentication Configuration Task
General configuration process of AAA authentication
To configure AAA authentication, perform the following configuration processes:
(1) If you decide to use a separate security server, configure the security protocol parameters, such as RADIUS or TACACS+. Refer to the relevant section for the concrete configuration methods.
Configuring Login Authentication Using AAA
The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods you decide to use. With the aaa authentication login command, you create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.
To specify the enable password as the user authentication method, run the following command:
aaa authentication login default enable
(2) Using the line password to login
Use the aaa authentication login command with the line method keyword to specify the line password as the login authentication method.
Enabling Password Protection at the Privileged Level
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Configuring Message Banners for AAA Authentication
A configurable, personalized banner for login or for failed login is supported. When AAA authentication fails during system login, the configured banner is displayed regardless of the reason for the failure.
Configuring the registration banner
Run the following command in global configuration mode.
Command: aaa authentication banner delimiter text-string delimiter
Purpose: Configures a personal login registration banner.
Configuring the banner of failed login
Run the following command in global configuration mode.
Command: aaa authentication fail-message delimiter text-string delimiter
Purpose: Configures a personal banner for failed login.
Usage Guidelines
When creating a banner, first configure a delimiter and then the text string itself. The delimiter marks the start of the text that will be displayed as the banner; it appears again at the end of the text string to mark where the banner ends.
Modifying the Notification Character String for Username Input
To modify the default text of the username input prompt, run aaa authentication username-prompt. You can run no aaa authentication username-prompt to restore the default username input prompt, which is:
username:
The aaa authentication username-prompt command does not change any prompt information provided by the remote TACACS+ server or the RADIUS server.
Modifying AAA authentication password-prompt
To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command. To return to the default password prompt text, use the no form of this command. The default password prompt is:
password:
The aaa authentication password-prompt command does not change any prompt information provided by the remote TACACS+ server or the RADIUS server.
Creating the Authentication Database with the Local Privilege
To create the enable password database with the local privilege level, run enable password { [encryption-type] encrypted-password} [level level] in global configuration mode. To cancel the enable password database, run no enable password [level level].
enable password { [encryption-type] encrypted-password} [level level]
no enable password [level level]
8.2.
RADIUS Authentication Example
The following example shows how to configure the SWITCH to authenticate and authorize using RADIUS:
aaa authentication login radius-login group radius local
aaa authorization network radius-network group radius
line vty 3
login authentication radius-login
The meaning of each command line is shown below:
The aaa authentication login radius-login group radius local command configures the SWITCH to use RADIUS for authentication at the login prompt.
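The method-list semantics stated under "Enabling Password Protection at the Privileged Level" (a later method is consulted only when the earlier one returns an error, not when it fails) decide what the list "group radius local" above actually does. The following simulation is an added example, not PLANET code; the user names, passwords and the stand-in RADIUS and local behaviours are constructed for illustration:

```python
"""Added simulation of AAA method-list evaluation (not PLANET code).
Each method answers PASS, FAIL or ERROR; the next method in the list is
consulted only when the previous one returned ERROR. The user names,
passwords and the stand-in RADIUS/local behaviour are constructed."""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # method answered and rejected the credentials
    ERROR = "ERROR"  # method could not answer (e.g. no RADIUS server reachable)


# Constructed stand-in databases; cleartext only for the demonstration.
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"admin": "local-pw"}


def group_radius(username, password, server_reachable):
    """Stand-in for 'group radius': ERROR when no server answers, otherwise
    the server's ACCEPT/REJECT verdict."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(username) == password else Result.FAIL


def local(username, password):
    """Stand-in for 'local': the switch's own user database is always
    available, so it never answers ERROR (an assumption of this model)."""
    return Result.PASS if LOCAL_USERS.get(username) == password else Result.FAIL


def authenticate(method_list, username, password, radius_reachable=True):
    """Walk the list in order. The first PASS or FAIL is final; only ERROR
    falls through to the next method. Returns (result, deciding_method)."""
    for method in method_list:
        if method == "group radius":
            r = group_radius(username, password, radius_reachable)
        elif method == "local":
            r = local(username, password)
        else:
            raise ValueError("unknown method: %r" % method)
        if r is not Result.ERROR:
            return r, method
    # Every method errored: nobody could vouch for the user, so deny.
    return Result.ERROR, None


if __name__ == "__main__":
    # aaa authentication login radius-login group radius local
    radius_login = ["group radius", "local"]
    for user, pw, up in [("alice", "radius-pw", True), ("admin", "local-pw", True),
                         ("admin", "local-pw", False)]:
        print(user, "radius up" if up else "radius down", authenticate(radius_login, user, pw, up))
```

The second case is the one worth noticing when reviewing a configuration: while the RADIUS server is reachable, a local-only account is rejected by RADIUS and the "local" method is never consulted, so "local" in this list is a fallback for server outages, not a second set of valid credentials.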
General configuration process of AAA authorization
To configure AAA authorization, perform the following configuration processes:
(6) If you decide to use a separate security server, configure the security protocol parameters, such as RADIUS or TACACS+. Refer to the relevant section for the concrete configuration methods.
(7) Run aaa authorization to define the authorization method list. The authorization service is not provided by default.
Configuring EXEC authorization through AAA
To enable AAA authorization, run aaa authorization. The aaa authorization exec command creates one or more authorization method lists and enables EXEC authorization, which decides whether a user may run the EXEC shell and whether the user is granted a privilege level on entering the EXEC shell. After the authorization method lists are configured, apply them by running login authorization.
Example of Local EXEC Authorization
The following example shows how to configure the SWITCH to perform local authentication and local authorization:
aaa authentication login default local
aaa authorization exec default local
!
localauthor a1
exec privilege default 15
!
local author-group a1
username exec1 password 0 abc
username exec2 password 0 abc author-group a1
username exec3 password 0 abc maxlinks 10
username exec4 password 0 abc autocommand telnet 172.16.20.
General configuration process of AAA accounting
To configure AAA accounting, perform the following configuration processes:
(9) If you decide to use a separate security server, configure the security protocol parameters, such as RADIUS or TACACS+. Refer to the relevant section for the concrete configuration methods.
(10) Apply the method lists to a particular interface or line, if required. The accounting service is not provided by default.
Configuring Connection Accounting Using AAA
To enable AAA accounting, run the aaa accounting command. To create one or more method lists that provide accounting information about all outbound connections made from the SWITCH, use the aaa accounting connection command. The outbound connections include Telnet, PAD, H323 and rlogin. Only H323 is supported currently.
Configuring Network Accounting using AAA
To enable AAA accounting, run the aaa accounting command. The aaa accounting network command establishes one or more accounting method lists. Network accounting provides accounting information for all PPP/SLIP sessions, including packet, byte and time accounting.
Configuring Accounting Update through AAA
To activate the AAA accounting update function, so that AAA sends interim accounting records for all users in the system, run the following command in global configuration mode:
Command: aaa accounting update [newinfo] [periodic number]
Purpose: Enables AAA accounting update.
Limiting User Accounting Without Username
To prevent the AAA system from sending accounting records for users whose username string is null, run the following command in global configuration mode:
aaa accounting suppress null-username
8.5 Local Account Policy Configuration
8.5.
Local authentication policy configuration
To enter local authentication configuration, run the command localauthen WORD in global configuration mode.
(1) The maximum number of login tries within a certain time:
login max-tries <1-9> try-duration 1d2h3m4s
The configured local authentication policy can be applied to a local policy group or directly to a local account. A policy applied directly to a local account takes priority.
Local authorization policy configuration
To enter local authorization configuration, run the command localauthor WORD in global configuration mode.
(1) To authorize the privilege level for login users:
exec privilege {default | console | ssh | telnet} <1-15>
The configured local authorization policy can be applied to a local policy group or directly to a local account. A policy applied directly to a local account takes priority.
Local password policy configuration
To enter local password configuration, run the command localpass WORD in global configuration mode.
(1) The password cannot be the same as the user name:
non-user
(2) The history password check (the new password cannot be the same as any password in the history; the history holds 20 records).
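The three policies above, modelled as an added example that is not the switch's implementation: the "login max-tries / try-duration" limit from the localauthen template, and the "non-user" and 20-entry history rules from localpass. The page does not say whether the Nth failure or the attempt after it triggers the lockout; this model refuses further attempts once max-tries failures fall inside the sliding window. Sample accounts, passwords and timestamps are constructed:

```python
"""Added model (not the switch's implementation) of the local account
policies: 'login max-tries <1-9> try-duration <1d2h3m4s>' (localauthen)
and the 'non-user' and 20-entry history rules (localpass). Lockout fires
once max-tries failures fall inside the sliding window (an interpretation,
since the page does not state it). Sample data is constructed."""
import hashlib
import re
from collections import deque

_DURATION = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_duration(text):
    """'1d2h3m4s' -> seconds; each field is optional but the order is fixed."""
    m = _DURATION.match(text)
    if not text or not m:
        raise ValueError("bad duration: %r" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


class LoginTryPolicy:
    """login max-tries N try-duration D: N failures within D seconds lock the account."""

    def __init__(self, max_tries, try_duration):
        if not 1 <= max_tries <= 9:
            raise ValueError("max-tries must be 1..9")
        self.max_tries = max_tries
        self.window = parse_duration(try_duration)
        self._failures = {}  # username -> deque of failure timestamps (seconds)

    def _recent(self, user, now):
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def record_failure(self, user, now):
        self._recent(user, now).append(now)

    def is_locked(self, user, now):
        return len(self._recent(user, now)) >= self.max_tries


def _digest(password):
    """Keep only a digest of each past password in the history, never the text."""
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordPolicy:
    """localpass rules: non-user (password may not equal the user name) and
    a history check over the user's last 20 passwords."""
    HISTORY = 20

    def __init__(self, non_user=True, history_check=True):
        self.non_user = non_user
        self.history_check = history_check
        self._history = {}  # username -> deque(maxlen=20) of digests

    def validate(self, user, new_password):
        """None when acceptable, otherwise the name of the violated rule."""
        if self.non_user and new_password == user:
            return "non-user"
        if self.history_check and _digest(new_password) in self._history.get(user, ()):
            return "history"
        return None

    def commit(self, user, new_password):
        """Record an accepted password; the oldest entry falls out after 20."""
        self._history.setdefault(user, deque(maxlen=self.HISTORY)).append(_digest(new_password))
```

The sliding window is what makes "max-tries within try-duration" different from a plain counter: a failure older than the duration no longer counts, so a slow trickle of failures never locks the account while a burst does.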
to configure the local authentication and local authorization.
Chapter 9 Configuring RADIUS
This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set. The last section in this chapter, "RADIUS Configuration Examples", provides two examples.
9.1.2 RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
(12) The user is prompted for and enters a username and password.
(13) The username and encrypted password are sent over the network to the RADIUS server.
(14) The user receives one of the following responses from the RADIUS server:
ACCEPT—The user is authenticated.
REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.
responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.
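How the shared secret (key) is used on the wire, as an added illustration of the "encrypted password" and the shared key described in the two passages above. This is not PLANET or RADIUS-server code; it implements the User-Password hiding and the Response Authenticator of RFC 2865, and the shared secret, identifier and credentials are constructed:

```python
"""Added illustration (not PLANET or RADIUS-server code) of the two places
where the shared secret is used on the wire, per RFC 2865: hiding the
User-Password attribute in an Access-Request and computing the Response
Authenticator the client checks on the reply. The shared secret, packet
identifier and credentials below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with
    MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """Access-Request: Code, Identifier, Length, 16-byte random Request
    Authenticator, then attributes. request_auth may be fixed for tests."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client check before trusting ACCEPT/REJECT: same Identifier as the
    outstanding request and a Response Authenticator that matches the one
    recomputed with the shared secret and the request's authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"testkey"  # constructed shared secret
    req = build_access_request(7, b"alice", b"s3cret-pw", secret)
    print("request bytes:", len(req))
    reply = build_response(ACCESS_ACCEPT, req, secret)
    print("reply authentic:", verify_response(reply, req, secret))
    forged = build_response(ACCESS_ACCEPT, req, b"guess")
    print("reply under wrong secret rejected:", not verify_response(forged, req, secret))
```

Two practical consequences follow from the construction: the password hiding is an MD5 keystream keyed only by the shared secret and a 16-byte random value, so the secret's strength and the confidentiality of the management network carry the whole protection, and the Response Authenticator is the only thing that lets the switch distinguish a genuine ACCEPT from a forged one, which is why the key must match exactly on both sides.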
9.4.4 Specifying RADIUS Authorization AAA authorization lets you set parameters that restrict a user's access to the network. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
Chapter 10 TACACS+ Configuration
10.1 TACACS+ Overview
TACACS+ is an access security control protocol that provides centralized validation of users attempting to gain access rights on a network access server. Communication is secure because the information exchanged between the network access server and the TACACS+ server program is encrypted. Before TACACS+ can be configured on the network access server, the TACACS+ server must be reachable and configured.
Authentication in ASCII Form
When a user logs in to a network access server that uses TACACS+ and requests simple authentication in ASCII form, the following process typically takes place: when the connection is established, the network access server communicates with the TACACS+ server program to obtain the username prompt and presents it to the user. The user enters the username, and the network access server communicates with the TACACS+ server program again to obtain the password prompt.
Authentication in PAP and CHAP Ways
PAP login is similar to ASCII login; the difference is that the username and password reach the network access server in the PAP message rather than being typed by the user, so the user is not prompted for them. CHAP login is similar in its main parts. After authentication, the user enters the authorization stage if the network access server requires authorization for the user. TACACS+ authentication must be completed before TACACS+ authorization is handled.
Use the tacacs-server command to configure the following as well: the single-connection keyword selects a single TCP connection, which lets the server program handle more TACACS+ operations and work more efficiently; multiconnection selects multiple TCP connections. Use the port parameter to set the TCP port number used by the TACACS+ server program. The default port number is 49.
10.5 TACACS+ Configuration Example
This chapter includes the following TACACS+ configuration example.
10.5.1 TACACS+ Authentication Examples
The following configuration performs login authentication through TACACS+:
aaa authentication login test group tacacs+ local
tacacs-server host 1.2.3.4
tacacs-server key testkey
line vty 0
login authentication test
In this example:
The aaa authentication command defines the authentication method list test used on vty0.
10.5.3 TACACS+ Accounting Examples
The following configuration defines a login authentication method list that uses TACACS+ as one of its methods and configures accounting through TACACS+:
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
In this example:
The aaa authentication command defines the default authentication method list, default, used during login authentication.
Chapter 11 HTTP Switch Configuration
11.1 HTTP Configuration
Switch configuration can be conducted not only through the command line and SNMP but also through a Web browser. The switches support HTTP configuration, abnormal packet timeout configuration, and so on.
11.1.1 Choosing the Prompt Language
At present the switches support two languages, English and Chinese, which can be switched through the following command.
11.1.5 Setting the Maximum Number of VLAN Entries on Web Page
A switch supports at most 4094 VLANs, and in most cases the Web page only displays part of the VLANs, that is, those VLANs users want to see. You can use the following command to set the maximum number of VLANs. The default maximum number of VLANs is 100.
Command: ip http web max-vlan { max-vlan }
Purpose: Sets the maximum number of VLAN entries displayed in a web page.
11.1.
Chapter 12 Configuration Preparation
12.1 Accessing the Switch Through HTTP
When accessing the switch through the Web, make sure that the browser used complies with the following requirements:
HTML version 4.0
HTTP version 1.1
JavaScript(TM) version 1.5
In addition, ensure that the main program file running on the switch supports Web access and that your computer is already connected to the network in which the switch is located.
12.1.
its configuration files, Web access cannot be used on the switch directly. Perform the following steps one by one to enable Web access on the switch:
1. Connect the console port of the switch with the accessory cable, or telnet to the management address of the switch from the computer.
2. Enter the global configuration mode of the switch through the command line; the prompt is similar to “Switch_config#”.
3.
Figure 2: Web homepage The whole homepage consists of the top control bar, the navigation bar, the configuration area and the bottom control bar. 12.3.1 Top Control Bar Figure 3: Top control bar Save All Write the current settings to the configuration file of the device. It is equivalent to the execution of the write command. The configuration that is made through Web will not be promptly written to the configuration file after validation.
12.3.2 Navigation Bar
Figure 4 Navigation bar
The contents in the navigation bar are shown as a list and are classified by type. By default, the list is located at “Runtime Info”. If a certain item needs to be configured, click the group name and then the sub-item. For example, to browse the traffic of the current port, click “Interface State" and then “Interface Flow”.
be modified by the clicking of the items in the navigation bar. 12.3.4 Bottom Control Bar Figure 6: Bottom control bar If you click the About button on the top control bar, the bottom control bar appears. The main function of the bottom control bar is to realize the automatic refreshing of the configuration display area. For example, if you click “Interface Flow” in the navigation bar and then click “Refresh”, the flow of the interface can be continuously monitored.
Chapter 13 Basic Configuration Figure 1 A list of basic configuration 13.1 Hostname Configuration If you click Basic Config -> Hostname Config in the navigation bar, the Hostname Configuration page appears, as shown in figure 3. Figure 3 Hostname configuration The hostname will be displayed in the login dialog box. The default name of the device is “Switch”. You can enter the new hostname in the text box shown in figure 3 and then click “Apply”. 13.
Figure 4 Clock management To refresh the clock of the displayed device, click “Refresh”. In the “Select Time-Zone” dropdown box select the time zone where the device is located. When you select “Set Time Manually”, you can set the time of the device manually. When you select “Network Time Synchronization”, you can designate 3 SNTP servers for the device and set the interval of time synchronization.
Chapter 14 Configuration of the Physical Interface Figure 1: Physical port configuration list 14.1 Configuring Port Description If you click Physical port config -> Port description Config in the navigation bar, the Port description Configuration page appears, as shown in figure 2. Figure 2: Port description configuration You can modify the port description on this page and enter up to 120 characters. The description of the VLAN port cannot be set at present. 14.
Figure 3 Configuring the port attributes
On this page you can modify the on/off status, rate, duplex mode, flow control status and medium type of a port.
Note:
1. The Web page does not support the speed and duplex mode of the fast-Ethernet port.
2. After the speed or duplex mode of a port is modified, the link state of the port may be switched over and the network communication may be impaired.
14.
Click the dropdown list on the right side of "Mirror Port" and select a port to be the destination port of the mirror. Click a checkbox and select a source port of the mirror, that is, a mirrored port.
RX: The received packets will be mirrored to the destination port.
TX: The transmitted packets will be mirrored to the destination port.
RX & TX: The received and transmitted packets will be mirrored simultaneously.
14.
way, the MAC address that is allowed to visit the port will be limited. Figure 4-10 Setting the binding of the source MAC address 14.6.3 Setting the Static MAC Filtration Mode If you click Physical port Config -> Port Security -> Static MAC filtration mode in the navigation bar, the Configure the static MAC filtration mode page appears, as shown in figure 4-11. Figure 4-11: Setting the static MAC filtration mode On this page you can set the static MAC filtration mode.
14.7 Storm control In the navigation bar, click Physical port Config -> Storm control. The system then enters the page, on which the broadcast/multicast/unknown unicast storm control can be set. 14.7.1 Broadcast Storm Control Figure 5 Broadcast storm control Through the dropdown boxes in the Status column, you can decide whether to enable broadcast storm control on a port. In the Threshold column you can enter the threshold of the broadcast packets.
Through the dropdown boxes in the Status column, you can decide whether to enable multicast storm control on a port. In the Threshold column you can enter the threshold of the multicast packets. The legal threshold range for each port is given behind the threshold. 14.7.3 Unknown Unicast Storm Control Figure 7 Unknown unicast storm control In the Threshold column you can enter the threshold of the broadcast packets. The legal threshold range for each port is given behind the threshold. 14.
Click “New” to create a new port protect group, as shown in the above figure. Tick one port protect group and delete it. The port protect group is 0 by default, which cannot be deleted. 14.8.2 Port Protect Group Interface Configuration Click "Port Config" -> “Port Protect Group Config” -> “Port Protect Group Interface Config” in the navigation bar, and enter the configuration page of “Port Protect Group Interface Config”. The port protect group must be a created group.
Chapter 15 Layer-2 Configuration Figure 1: Layer-2 configuration list 15.1 VLAN Settings 15.1.1 VLAN List If you click Layer-2 Config -> VLAN Config in the navigation bar, the VLAN Config page appears, as shown in figure 2.
Figure 2 VLAN configuration The VLAN list will display VLAN items that exist in the current device according to the ascending order. In case of lots of items, you can look for the to-be-configured VLAN through the buttons like “Prev”, “Next” and “Search”. You can click “New” to create a new VLAN. You can also click “Edit” at the end of a VLAN item to modify the VLAN name and the port’s attributes in the VLAN.
Global Config page appears, as shown in the following Figure.
Figure 9 GVRP Global Configuration
You can enable or disable the global GVRP protocol and set whether dynamic VLANs take effect only on the registration interface.
15.2.2 Global Interface Attribute Configuration
If you click Layer-2 Config -> GVRP Config -> GVRP Interface Config in the navigation bar, the GVRP Interface Config page appears, as shown in the following Figure.
Figure 10 Configuring the global attributes of STP
The root STP configuration information and the STP port status are read-only. On the local STP configuration page, you can modify the running STP mode by clicking the Protocol type dropdown box. The STP modes include STP, RSTP and disabled STP. The priority and the timers must be configured for each mode.
Note: Changing the STP mode may interrupt the network.
15.3.
15.4 IGMP-Snooping Configuration 15.4.1 IGMP-Snooping Configuration If you click Layer-2 Config -> IGMP snooping, the IGMP-Snooping configuration page appears. Figure 12 IGMP-snooping configuration On this page you can set whether to make a switch to forward unknown multicasts, whether to enable IGMP snooping, and whether to configure the switch as the querier of IGMP. 15.4.2 IGMP-Snooping VLAN List If you click Layer-2 Config -> IGMP snooping vlan list, the IGMP-Snooping VLAN list page appears.
Figure 14: Static routing port of IGMP VLAN When an IGMP-Snooping VLAN is created, its VLAN ID can be modified; but when the IGMP-Snooping VLAN is modified, its VLAN ID cannot be modified. You can click “>>” and “<<” to delete and add a routing port. 15.4.3 Static Multicast Address If you click Static multicast address, the Setting the static multicast address page appears.
15.5 Setting Static ARP If you click Layer-2 Config -> Static ARP Config, the static ARP configuration page appears. Figure 17 Displaying static ARP You can click New to add an ARP entry. If the Alias column is selected, it means to answer the ARP request of the designated IP address. If you click Edit, you can modify the current ARP entry. If you click Cancel, you can cancel the chosen ARP entry. Figure 18 Setting static ARP 15.
Click Delete to delete the selected MAC address table.
Figure 19 Static MAC Address Config
15.7 LLDP Configuration
15.7.1 Configuring the Global Attributes of LLDP
If you click Layer-2 Config -> LLDP Config -> LLDP Global Config in the navigation bar, the Basic Config of LLDP Protocol page appears, as shown in the following Figure.
Figure 11 Configuring the Global Attributes of LLDP
You can choose to enable LLDP or disable it. When you choose to disable LLDP, you cannot configure LLDP.
15.7.2 LLDP Port Attribute Configuration If you click Layer-2 Config -> LLDP Config -> LLDP Interface Config in the navigation bar, the LLDP Port Config page appears. Figure 12 Configuring the LLDP port After the LLDP port is configured, you can enable or disable LLDP on this port. 15.8 DDM Configuration If you click L2 Config -> DDM Config in the navigation bar, the DDM configuration page appears, as shown in figure 5-21. Figure 5-21: DDM configuration 15.9 Link Aggregation Configuration 15.9.
An aggregation group is selectable when it is created but not when it is modified. When a member port exists on the aggregation port, you can choose the aggregation mode to be Static, LACP Active or LACP Passive. You can click >> and << to delete and add a member port in the aggregation group.
15.9.2 Configuring Load Balance of Port Aggregation Group
Some models support load balance mode configuration per aggregation group; on the others the load balance mode can be configured only in global configuration mode.
2. After a ring is configured, its port, node type and control Vlan cannot be modified. If the port of the ring, the node type or the control Vlan need be adjusted, please delete the ring and then establish a new one. 15.10.2 EAPS Ring Configuration If you click “New” on the EAPS ring list, or “Operate” on the right side of a ring item, the “Configure EAPS” page appears.
The list shows the current configured MEAPS ring, including Domain ID, Ring ID, Ring type, Node type, Control Vlan, Hello Time, Failed Time, Pre Forward Time, primary port and secondary port. Click New to create a MEAPS ring. Click Edit on the right and configure the time parameter and the primary and secondary port of the ring. Note: 1. The system supports 4 MEAPS (0-3). 2. One domain supports 8 rings (0-7). 3.
On the page, the currently configured backup link groups are shown, including Preemption Mode and Preemption Delay. Click New to create a new link backup group. Click Edit on the right to configure Preemption Mode and Preemption Delay.
Note:
1. The system supports 8 link backup groups.
2. The preemption mode determines the policy by which the primary port and the backup port forward packets.
15.12.
15.13 DHCP Snooping Configuration
15.13.1 DHCP Snooping Global Attribute Configuration
If you click Layer-2 Config -> DHCP Snooping Config -> DHCP Snooping Global Config on the navigation bar, the DHCP Snooping Global Config page appears. When global DHCP snooping is enabled, the switch monitors all DHCP packets and forms the corresponding binding relationships.
the DHCP request packet is then treated as a forged packet used for a DHCP DoS attack, and the switch drops it. When dynamic ARP inspection is enabled on all physical ports of a VLAN, a received ARP packet is rejected if its source MAC address and source IP address do not match the configured MAC-IP binding relationship. The binding relationship on an interface can be bound dynamically through DHCP or configured manually.
takes the MAC address as the unique index. Click New to create a DHCP Snooping manual binding port item.
15.14 MTU Configuration
If you click Layer-2 Config -> MTU Config on the navigation bar, the MTU Config page appears. You can set the size of the maximum transmission unit (MTU).
15.15 PDP Configuration
15.15.1 Configuring the Global Attributes of PDP
If you click Layer-2 Config -> PDP Config in the navigation bar, the Global PDP Config page appears, as shown in figure 4.
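The binding logic from the DHCP snooping section above, as an added illustration that is not PLANET code: bindings learned from DHCP or added manually are indexed by MAC address, and dynamic ARP inspection drops ARP packets whose source MAC/IP pair does not match a binding. The check on DHCP requests compares the client hardware address in the DHCP payload with the Ethernet source MAC; that the switch uses exactly this test is an assumption, because the page's wording of the condition is cut off. All packet records are constructed:

```python
"""Added illustration (not PLANET code) of DHCP snooping bindings and
dynamic ARP inspection. Bindings are indexed by MAC address, as the page
states. The DHCP-request MAC-verify rule (Ethernet source == chaddr) is an
assumption about the truncated condition. All packet records are constructed."""
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")


class SnoopingTable:
    def __init__(self):
        self._by_mac = {}  # MAC address is the unique index

    def bind(self, mac, ip, vlan, port):
        """Learned from a completed DHCP exchange or configured manually; a
        new lease for the same MAC replaces the previous entry."""
        self._by_mac[mac.lower()] = Binding(mac.lower(), ip, vlan, port)

    def lookup(self, mac):
        return self._by_mac.get(mac.lower())

    def arp_allowed(self, src_mac, src_ip, vlan):
        """DAI on an untrusted port: the sender MAC must hold a binding with
        the same IP in this VLAN, otherwise the ARP packet is rejected."""
        b = self.lookup(src_mac)
        return b is not None and b.ip == src_ip and b.vlan == vlan


def dhcp_request_allowed(src_mac, chaddr):
    """Assumed MAC-verify rule on client requests: the Ethernet source must
    equal the DHCP chaddr, otherwise the request is treated as forged."""
    return src_mac.lower() == chaddr.lower()


def process(table, events):
    """Feed constructed packet records through the checks; return verdicts."""
    verdicts = []
    for ev in events:
        kind = ev["kind"]
        if kind == "dhcp_request":
            verdicts.append((kind, dhcp_request_allowed(ev["src_mac"], ev["chaddr"])))
        elif kind == "dhcp_ack":  # server reply seen on a trusted port completes the lease
            table.bind(ev["chaddr"], ev["yiaddr"], ev["vlan"], ev["port"])
            verdicts.append((kind, True))
        elif kind == "arp":
            verdicts.append((kind, table.arp_allowed(ev["src_mac"], ev["src_ip"], ev["vlan"])))
        else:
            raise ValueError("unknown record kind: %r" % kind)
    return verdicts


# Constructed sample traffic: a lease for host A, a legitimate ARP from A, an
# ARP from A claiming another address in the VLAN, an ARP from a host with no
# binding, and a DHCP request whose chaddr does not match its Ethernet source.
SAMPLE_EVENTS = [
    {"kind": "dhcp_request", "src_mac": "00:11:22:33:44:aa", "chaddr": "00:11:22:33:44:aa"},
    {"kind": "dhcp_ack", "chaddr": "00:11:22:33:44:aa", "yiaddr": "10.0.10.50",
     "vlan": 10, "port": "port-5"},  # port name is a placeholder
    {"kind": "arp", "src_mac": "00:11:22:33:44:aa", "src_ip": "10.0.10.50", "vlan": 10},
    {"kind": "arp", "src_mac": "00:11:22:33:44:aa", "src_ip": "10.0.10.1", "vlan": 10},
    {"kind": "arp", "src_mac": "00:11:22:33:44:bb", "src_ip": "10.0.10.51", "vlan": 10},
    {"kind": "dhcp_request", "src_mac": "00:11:22:33:44:bb", "chaddr": "00:11:22:33:44:cc"},
]


def run_sample():
    return process(SnoopingTable(), SAMPLE_EVENTS)


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Because the table is keyed by MAC, a host that obtains a new lease simply replaces its own entry, while a second host forging that MAC cannot create a parallel binding; the manual binding items described above are the way to cover hosts with static addresses that never go through DHCP.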
After the PDP port is configured, you can enable or disable PDP on this port.
15.16 STP Configuration
15.16.1 STP Status Information
If you click Layer-2 Config -> STP Config in the navigation bar, the STP Config page appears, as shown in figure 10.
Figure 10 Configuring the global attributes of STP
The root STP configuration information and the STP port status are read-only. On the local STP configuration page, you can modify the running STP mode by clicking the Protocol type dropdown box.
The configuration of the port attributes is independent of the global STP mode. For example, if the protocol status is set to “Disable” and the STP mode is then changed, the port will not run the protocol in the new mode. The default path cost of the port is 0, meaning that the path cost is calculated automatically according to the speed of the port. If you want to change the path cost, enter another value.
15.17 IGMP-Snooping Configuration
15.17.
Figure 14: Static routing port of IGMP VLAN When an IGMP-Snooping VLAN is created, its VLAN ID can be modified; but when the IGMP-Snooping VLAN is modified, its VLAN ID cannot be modified. You can click “>>” and “<<” to delete and add a routing port. 15.17.3 Static Multicast Address If you click Static multicast address, the Setting the static multicast address page appears.
15.17.4 Multicast List
Click the Multicast List Info option on the top of the page and the Multicast List Info page appears.
Figure 16 Multicast List
On this page the multicast groups that exist in the current network and are in the statistics of IGMP snooping, as well as the port sets to which the members of each group belong, are displayed. Click “Refresh” to refresh the contents in the list.
Note: By default, a multicast list can display up to 15 VLAN items.
15.19 Ring Protection Configuration 15.19.1 EAPS Ring List If you click Layer-2 Config -> Ring protection Config, the EAPS ring list page appears. Figure 19 EAPS Ring List In the list shows the currently configured EAPS ring, including the status of the ring, the forwarding status of the port and the status of the link. Click “New” to create a new EAPS ring. Click the “Operate” option to configure the “Time” parameter of the ring. Note: 1. The system can support 8 EAPS rings. 2.
Enter a value between 1 and 4094 in the text box to the right of “Control VLAN” as the control VLAN ID. When a ring is established, its control VLAN is created automatically. Note that if the designated control VLAN is 1 and the VLAN of the control device is also 1, the control device cannot access the control VLAN. Also, do not enter a control VLAN ID that is the same as that of another ring.
Figure 5-21: DDM configuration
Chapter 16 Layer 3 Configuration Figure 1: Layer-3 configuration list Note: Only Layer 3 switches have the Layer-3 configuration. 16.1 Configuring the VLAN Interface If you click Layer 3 Config -> VLAN interface Config, the Configuring the VLAN interface page appears. Figure 2: Configuring the VLAN interface Click New to add a new VLAN interface. Click Cancel to delete a VLAN interface. Click Modify to modify the settings of a corresponding VLAN interface.
Figure 3: VLAN interface configuration Note: Before a secondary (accessory) IP address of a VLAN interface is set, you have to set the main IP address. 16.2 Setting the Static Route If you click Layer-3 Config -> Static route Config, the Static route configuration page appears. Figure 4 Displaying the static route Click Create to add a static route. Click Edit to modify the current static route. Click Cancel to delete the chosen static route.
Figure 5: Setting the static route 16.3 IGMP Agent 16.3.1 Enabling the IGMP Agent If you click Layer-3 Config -> IGMP agent, the IGMP agent page appears. Figure 6: Enabling the IGMP agent On this page you can enable or disable the IGMP agent. Note that the IGMP agent can be enabled or disabled only after the IP IGMP-snooping function is enabled on the switch. 16.3.
Chapter 17 Advanced Configuration Figure 1 A list of advanced configuration 17.1 QoS Configuration 17.1.1 Configuring QoS Port If you click Advanced Config -> QoS -> Configure QoS Port, the Port Priority Config page appears. Figure 2 Configuring the QoS Port You can set the CoS value by clicking the dropdown box on the right of each port and selecting a value. The default CoS value of a port is 0, meaning the lowest priority.
the highest. 17.1.2 Global QoS Configuration If you click Advanced Config -> QoS Config -> Global QoS Config, the Port’s QoS parameter configuration page appears. Figure 3 Configuring Global QoS Attributes In WRR schedule mode, you can set the weights of the QoS queues. There are 4 queues; queue 1 has the lowest priority and queue 4 the highest. 17.2 MAC Access Control List 17.2.
Figure 5: Setting the Name of MAC Access Control list 17.2.2 Setting the Rules of the MAC Access Control List If you click Modify, the corresponding MAC access control list appears and you can set the corresponding rules for the MAC access control list. Figure 6: Specific MAC access control list configuration Click New to add a rule of the MAC access control list. Click Cancel to delete a rule of the MAC access control list. Figure 7: Setting the Rules of the MAC Access Control List 17.2.
17.3 IP Access Control List 17.3.1 Setting the Name of the IP Access Control List If you click Advanced Config -> IP access control list -> IP access control list Config, the IP ACL configuration page appears. Figure 9: IP access control list configuration Click New to add a name of the IP access control list. Click Cancel to delete an IP access control list.
Figure 12: Setting the Rules of the standard IP access control list Extended IP access control list Figure 13: Extended IP access control list Click New to add a rule to the IP access control list. Click Cancel to delete a rule from the IP access control list. If you click Modify, the corresponding IP access control list appears and you can set its rules.
17.3.3 Applying the IP Access Control List If you click Advanced Config -> IP access control list -> Applying the IP access control list, the Applying the IP access control list page appears.
Chapter 18 Network Management Configuration Figure 1: Network management configuration list 18.1 SNMP Configuration If you click Network management Config -> SNMP management in the navigation bar, the SNMP management page appears, as shown in figure 2. 18.1.1 SNMP Community Management Figure 2 SNMP community management On the SNMP community management page, you can view the configured SNMP communities.
Figure 4.2 SNMP community management settings On the SNMP community management page you can enter the SNMP community name and select the community attribute, Read only or Read-Write. 18.1.2 SNMP Host Management Figure 4 SNMP host management On the SNMP host page, you can view the configured SNMP hosts. You can create, modify or delete SNMP host entries; if you click New or Edit, you switch to the SNMP host configuration page.
Figure 6 Configuring the RMON statistic information You need to set a physical port as the receiving end of the monitored data. The index identifies a specific interface; if the index is the same as that of a previously applied interface, the new entry replaces the previous one. At present the monitoring statistics can be obtained through the command line “show rmon statistics”; the Web does not support this function. 18.2.
Figure 8 Configuring the RMON alarm information The index identifies a specific alarm; if the index is the same as a previously applied index, the new entry replaces the previous one. The MIB node is given as its OID. If the alarm type is absolute, the value of the MIB object is monitored directly; if the alarm type is delta, the change of the MIB object’s value between two samplings is monitored.
The owner field carries descriptive information about the event. “Enable log” means an entry is added to the log table when the event is triggered. “Enable trap” means a trap is generated when the event is triggered.
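The following Python example is added to this page to show the alarm semantics described above in working form; it is not PLANET's own code. An absolute alarm compares the sampled value itself, a delta alarm the difference between two consecutive samples; a reused index replaces the earlier entry; the log and trap flags decide what a triggered event produces. Rising/falling thresholds and the hysteresis rule (a rising event cannot fire again until a falling event has occurred) are taken from the standard RMON alarm group (RFC 2819) and are assumptions, as the page does not list them.

```python
"""RMON-style alarm evaluator (added example, not PLANET's own code).

Assumed beyond the page: rising/falling thresholds and the RFC 2819
hysteresis rule (after a rising event the next event must be a falling
one, and vice versa).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RmonAlarm:
    index: int            # identifies the alarm; a reused index replaces the old entry
    oid: str              # MIB node to monitor, written as its OID
    sample_type: str      # "absolute": the value itself; "delta": change between samples
    rising: int           # rising threshold (assumed, standard RMON)
    falling: int          # falling threshold (assumed, standard RMON)
    owner: str = ""       # descriptive information about the event
    log: bool = True      # "Enable log": add an entry to the log table when triggered
    trap: bool = True     # "Enable trap": generate a trap when triggered
    events: List[str] = field(default_factory=list)
    _last: Optional[int] = field(default=None, init=False, repr=False)
    _armed: str = field(default="both", init=False, repr=False)

    def sample(self, value: int) -> Optional[str]:
        """Feed one sample of the MIB object; return 'rising', 'falling' or None."""
        if self.sample_type == "absolute":
            measured = value
        elif self.sample_type == "delta":
            if self._last is None:          # first delta sample: nothing to compare against
                self._last = value
                return None
            measured, self._last = value - self._last, value
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")

        event = None
        if measured >= self.rising and self._armed in ("both", "rising"):
            event, self._armed = "rising", "falling"
        elif measured <= self.falling and self._armed in ("both", "falling"):
            event, self._armed = "falling", "rising"
        if event:
            self._trigger(event, measured)
        return event

    def _trigger(self, event: str, measured: int) -> None:
        text = (f"alarm {self.index} {self.oid} {event} "
                f"({self.sample_type}={measured}) owner={self.owner!r}")
        if self.log:
            self.events.append("log: " + text)
        if self.trap:
            self.events.append("trap: " + text)


def replace_alarm(table: Dict[int, RmonAlarm], alarm: RmonAlarm) -> Dict[int, RmonAlarm]:
    """Install an alarm; an existing entry with the same index is replaced."""
    table[alarm.index] = alarm
    return table


if __name__ == "__main__":
    # Constructed counter samples for a delta alarm on ifInOctets.1 (OID assumed).
    a = RmonAlarm(1, "1.3.6.1.2.1.2.2.1.10.1", "delta", rising=1000, falling=100, owner="noc")
    for v in (0, 500, 2000, 3500, 3550, 5000):
        print(v, a.sample(v))
    print("\n".join(a.events))
```

The delta branch returns nothing on the first sample because there is no previous value to subtract; a detector that instead treated the first counter reading as a delta would fire spuriously on every restart.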
Chapter 19 Diagnosis Tools Figure 1: Diagnosis tool list 19.1 Ping 19.1.1 Ping If you click Diagnosis Tools -> Ping, the Ping page appears. Figure 2 Ping Ping is used to test whether the switch can reach another device. To run a ping test, enter an IP address in the “Destination address” textbox, such as the IP address of your PC, and then click the “PING” button.
result. “Source IP address” sets the source IP address carried in the Ping packet. “Size of the PING packet” sets the length of the Ping packet transmitted by the device.
Chapter 20 System Management Figure 1 Navigation list of system management 20.1 User Management 20.1.1 User List If you click System Manage -> User Manage, the User Management page appears. Figure 2 You can click “New” to create a new user.
To modify the permissions or the login password, click “Edit” on the right of the user list. Note: 1. Make sure that at least one system administrator exists in the system, so that the device can still be managed through the Web. 2. A limited user can only browse the status of the device. 20.1.2 Establishing a New User If you click “New” on the User Management page, the Creating User page appears.
which are saved on the device. Log information saved in memory is lost after a reboot. Enter the size of the buffer in the “Size of the system log buffer” textbox and select the severity of the cached log in the “Grade of the cache log information” dropdown box. 20.2.1 Managing the Configuration Files If you click System Manage -> Configuration file, the Configuration file page appears. 20.2.
20.3 Software Management If you click System Manage -> Software Upgrade, the software management page appears. 20.3.1 Backing up the IOS Software Figure 7 Backing up IOS This page displays the currently running software version. To back up the IOS, click “Backuping IOS”; the browser’s file download dialog box appears; click “Save” to store the IOS file on the PC’s disk, a removable storage device or another network location. Note: The default name of the IOS file is “Switch.
20.4 Resuming Initial Configuration If you click System Manage -> Resume Config, the Resuming the original configuration page appears. Figure 9 Resuming the original configuration Note: 1. If you click the “Resume” button, the current configuration will be replaced by the original configuration, which will take effect after rebooting. 2.
Chapter 21 Interface Configuration Overview This section helps you learn the various kinds of interface that the switch supports and find configuration information about the different interface types. For a detailed description of all interface commands used in this section, refer to Interface configuration command. For other commands that appear in this section, refer to other parts of the manual. The introduction covers communication information that applies to all interface types. 21.
interface command to display these interfaces. Each interface that the device supports reports its own state, as follows:
Switch_config#show interface g0/2
GigaEthernet0/2 is administratively down, line protocol is down
  Hardware is Giga-Combo-FX, address is 00e0.0f8d.e0e1 (bia 00e0.0f8d.
Chapter 22 Interface Configuration 22.1 Configuring Interface Common Attribute The following describes the commands that can be executed on an interface of any type to configure its common attributes. The common attributes that can be configured include the interface description, bandwidth, delay and so on. 22.2 Adding Description Adding a description to an interface helps you remember what the interface is used for.
To browse the state of an interface, run the above-mentioned command. Initializing and deleting the port Closing and restarting the port 22.3.1 Browsing the State of an Interface The switches support commands that display interface information, including the hardware and software version IDs and the interface state. The following table presents some port monitor commands; for more details, refer to the “Interface Configuration Command”.
22.4.1 Choosing an Ethernet Interface Run one of the following commands in global configuration mode to enter the Ethernet interface configuration mode:
Command                                 Function
interface fastethernet [slot|port]      Enters the Fast Ethernet interface configuration mode.
interface gigaethernet [slot|port]      Enters the Gigabit Ethernet interface configuration mode.
interface tgigaEthernet [slot|port]     Enters the 10-Gigabit Ethernet interface configuration mode.
22.5 Configuring Logical Interface This section describes how to configure a logical interface. The contents are as follows:
Configuring null interface
Configuring loopback interface
Configuring aggregation interface
Configuring VLAN interface
Configuring SuperVLAN interface
22.5.1 Configuring Null Interface The whole system supports only one null interface. It works like the null device found on most operating systems.
Command                              Function
interface port-aggregator number     Configures an aggregation interface.
22.5.4 Configuring VLAN Interface The VLAN interface is the routing interface of the switch. The vlan command in global configuration mode only adds a layer-2 VLAN to the system; it does not define how IP packets in that VLAN whose destination address is the switch itself are handled. If there is no VLAN interface, such packets are dropped.
Chapter 23 Interface Configuration Example 23.1 Configuring Public Attribute of Interface 23.1.1 Example for Interface Description The following example shows how to add a description for an interface.
interface vlan 1
 ip address 192.168.1.23 255.255.255.0
23.1.2 Example of Interface Shutdown The following example shows how to disable GigaEthernet interface 0/1.
interface GigaEthernet0/1
 shutdown
The following example shows how to restart the interface.
Chapter 24 Interface Range Configuration 24.1 Interface Range Configuration Task 24.1.1 Understanding Interface Range In the process of configuring interface tasks, there are cases when you have to configure the same attribute on ports of the same type. In order to avoid repeated configuration on each port, we provide the interface range configuration mode. You can configure ports of the same type and slot number with the same configuration parameters. This reduces the workload.
Chapter 25 Port Additional Characteristics Configuration 25.1 Storm Block In practice an Ethernet interface may receive packets with unknown destinations (DLF packets), which the switch by default floods to all interfaces in the VLAN. This increases the network load and reduces network capacity. To prevent DLF packets from being flooded, you can configure the egress to drop DLF packets; this is called storm limit.
[no] switch port protected    Sets or cancels port isolation.
exit                          Returns to the global configuration mode.
exit                          Returns to the EXEC mode.
25.3 Storm Control A switch port may be hit by a continuous, abnormal flood of unicast (MAC address lookup fails), multicast or broadcast packets and become unusable, to the point where the whole switch fails. A mechanism is therefore needed to limit this.
egress means the limit is applied in the egress direction.
exit      Returns to the global configuration mode.
exit      Returns to the EXEC mode.
25.5 Loopback Detection Loopback detection checks whether a loop exists on an interface. You can configure the interval at which a port transmits loop-check packets. Run the following commands in EXEC mode to set the transmission interval of loopback detection packets.
Command    Purpose
config     Enters the global configuration mode.
packets. In static security mode, you set the static secure MAC addresses on a port and then consider two cases: in static accept mode, only packets whose destination MACs are secure MACs are allowed into the port and all other packets are dropped; in static reject mode, packets whose destination MACs are secure MACs are dropped and all other packets are allowed through the port.
ip means only IP packets that comply with the binding can pass. arp means only ARP packets that comply with the binding can pass. both-arp-ip means that both IP and ARP packets that comply with the binding can pass.
exit      Returns to the global configuration mode.
exit      Returns to the EXEC mode.
25.9 VLAN MAC Address Learning To enable or disable VLAN MAC learning on a port, run the following commands.
Command    Purpose
config     Enters the global configuration mode.
exit      Returns to the management configuration mode.
25.11 Port FEC To reduce the error rate of a 100G port that uses a dual-mode optical module, enable FEC. The function works only when it is enabled on the ports at both ends of the link. Disable it when a single-mode optical module is used. Run the following commands:
Command            Purpose
config             Enters the global configuration mode.
interface cg0/1    Enters the port to be configured.
[no] fec-enable    Enables or disables FEC on the port.
Setting the port scan interval To set the scan interval of an interface, run the following command in global configuration mode:
Command                                                            Purpose
[no] link scan {mode highspeed | normal interval | fast interval}  Sets the optical port link scan mode and the scan interval. normal: standard link scan mode. fast: fast link scan mode, mainly used where a service protocol such as RSTP requires it. interval: the time interval of the port scan.
25.12.
Setting the system MTU Run the following command in global configuration mode:
Command               Purpose
[no] system mtu mtu   Sets the MTU value of the system.
25.13.3 Configuration Example The following example shows how to set the MTU to 1536 bytes.
Chapter 26 Interface Configuration 26.1 Configuring the Ethernet Interface The switch supports 10Mbps/100Mbps Ethernet interfaces. See the following content for the detailed configuration. The first step is mandatory; the others are optional. 26.1.1 Configuring Flow Control for the Port You can limit the rate of incoming and outgoing traffic on a port through configuration. Run the following commands in privileged mode to limit the flow rate of the port.
26.1.3 Configuring the Storm Control on the Port A switch port may be attacked by a continuous, abnormal stream of unicast (MAC address lookup fails), multicast or broadcast packets, in which case the attacked port or the whole switch may fail. The port storm control mechanism exists for this reason.
Command                                                          Purpose
storm-control {broadcast | multicast | unicast} threshold count  Applies storm control to broadcast, multicast or unicast packets.
Chapter 27 Secure Port Configuration 27.1 Overview You can control access through a secure port so that the port operates within the range you configure. You enable the security function of a port by configuring the number of secure MAC addresses for it. If the number of secure MAC addresses exceeds the upper limit and an insecure MAC address appears, a secure-port violation occurs, and you should take action according to the configured violation mode.
27.3.2 Configuring the Static MAC Address of the Secure Port After you configure the static MAC address of the secure port: in accept mode, only traffic whose source address matches the configured MAC address is received by the port; in reject mode, only traffic whose source address differs from the configured MAC address is received by the port.
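The following Python example is added here to show, for both section 25.8 and section 27.3.2 above, how the static accept and reject modes decide whether a frame enters the port, together with the count-limited dynamic mode of section 27.1; it is not PLANET's own code. Section 25 states the static rule in terms of the destination MAC and section 27 in terms of the source MAC, so the inspected field is a parameter. The dynamic-mode behaviour (learn until the limit, then count a violation and drop) is the usual port-security behaviour and is an assumption, since the page does not list the violation actions. The sample frames are constructed.

```python
"""Secure-port MAC filtering (added example, not PLANET's own code).

Modes:
  static-accept  only frames whose inspected MAC is a secure MAC pass
  static-reject  frames whose inspected MAC is a secure MAC are dropped,
                 all others pass
  dynamic        MACs are learned up to max_secure; a further new MAC is a
                 violation and the frame is dropped (assumed behaviour)
Frames are constructed (source MAC, destination MAC) pairs.
"""
from typing import Iterable, Tuple

Frame = Tuple[str, str]


def norm_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return digits


class SecurePort:
    def __init__(self, mode: str, static: Iterable[str] = (),
                 max_secure: int = 1, field: str = "src"):
        if mode not in ("static-accept", "static-reject", "dynamic"):
            raise ValueError(mode)
        self.mode, self.max_secure = mode, max_secure
        self.idx = {"src": 0, "dst": 1}[field]     # which MAC the port inspects
        self.secure = {norm_mac(m) for m in static}
        self.violations = 0

    def ingress(self, frame: Frame) -> bool:
        """Return True if the frame is allowed into the port."""
        mac = norm_mac(frame[self.idx])
        known = mac in self.secure
        if self.mode == "static-accept":
            return known
        if self.mode == "static-reject":
            return not known
        if known:                                   # dynamic mode, already learned
            return True
        if len(self.secure) < self.max_secure:
            self.secure.add(mac)                    # learn a new secure MAC
            return True
        self.violations += 1                        # limit exceeded: secure-port violation
        return False


if __name__ == "__main__":
    port = SecurePort("static-accept", static=["0011.2233.4455"])
    for f in [("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
              ("00:11:22:33:44:66", "ff:ff:ff:ff:ff:ff")]:
        print(f, "pass" if port.ingress(f) else "drop")
```

Note that reject mode is not a blocklist in the ordinary sense: once a MAC is configured as secure in reject mode, every frame carrying it is dropped, while an attacker who uses any other address is let through, so the mode only makes sense for pinning one known-bad station.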
Chapter 28 Configuring Port Mirroring 28.1 Configuring Port Mirroring Task List Configuring port mirroring Displaying port mirroring information 28.2 Configuring Port Mirroring Task 28.2.1 Configuring Port Mirroring Through port mirroring, you can use one port of a switch to observe the traffic on a group of ports. S2524, S2516 and S2524GX have only one destination port and one source port for mirroring.
You need to monitor the traffic of interface g0/1 on switch a and interface g0/1 on switch b with a network analyzer.
!
!
vlan 1,100,1000
!
switch d:
mirror session 1 destination interface g0/2
mirror session 1 source interface g0/1 both
Chapter 29 Configuring MAC Address Attribute 29.1 MAC Address Configuration Task List
Configuring Static MAC Address
Configuring MAC Address Aging Time
Configuring VLAN-shared MAC Address
Displaying MAC Address Table
Clearing Dynamic MAC Address
29.2 MAC Address Configuration Task 29.2.1 Configuring Static MAC Address Static MAC address entries are MAC address entries that are not aged out by the switch and can only be deleted manually.
29.2.3 Displaying MAC Address Table Because debugging and management require it, you often need to see the contents of the switch’s MAC address table. Use the show command to display it.
Command                                                                             Purpose
show mac address-table {dynamic [interface interface-id | vlan vlan-id] | static}   Displays the contents of the MAC address table. dynamic selects dynamically learned MAC addresses. vlan-id is the VLAN number, valid from 1 to 4094.
Chapter 30 Configuring MAC List 30.1 MAC List Configuration Task 30.1.1 Creating MAC List To apply a MAC list on a port, you must first create the MAC list. After the MAC list is created, you enter the MAC list configuration mode, where you can configure the entries of the MAC access list. Perform the following operations in privileged mode to add or delete a MAC list:
Run…                         To…
configure                    Enter the global configuration mode.
[no] mac access-list name    Add or delete a MAC list.
MAC list configuration example
Switch_config#mac acce 1
Switch-config-macl#permit host 1.1.1 any
Switch-config-macl#permit host 2.2.2 any
Both rules above compare the source MAC address, so their masks are the same and the configuration succeeds.
Switch_config#mac acce 1
Switch-config-macl#permit host 1.1.1 any
Switch-config-macl#permit any host 1.1.
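The following Python example is added to show how a MAC access list like the one above is evaluated; it is not PLANET's own code. It accepts the page's dotted-triple shorthand (1.1.1 is 0001.0001.0001), the host and any keywords, and address/wildcard-mask pairs. Three things are assumptions rather than statements of the page: rules are tried in order with the first match deciding, an entry that matches no rule is denied, and the page's remark that a valid list uses "the same mask" is interpreted as every rule sharing one (source, destination) mask pattern, which masks_uniform() checks.

```python
"""MAC access-list matcher (added example, not PLANET's own code).

Assumed: first-match semantics with implicit deny; wildcard masks where a
1 bit means "don't care"; the same-mask constraint mentioned on the page is
modelled as "all rules share one (src mask, dst mask) pattern".
"""
from typing import List, Tuple

ANY_MASK = 0xFFFFFFFFFFFF     # every bit is don't-care


def parse_mac(text: str) -> int:
    """'1.1.1' or 'aabb.ccdd.eeff' -> 48-bit integer (each group zero-padded to 4 hex digits)."""
    groups = text.split(".")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"bad MAC {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def parse_spec(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec; return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, ANY_MASK, tokens[1:]
    if tokens[0] == "host":
        return parse_mac(tokens[1]), 0, tokens[2:]
    return parse_mac(tokens[0]), parse_mac(tokens[1]), tokens[2:]


class MacAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules = []        # (action, src, src_wc, dst, dst_wc)

    def add(self, line: str) -> None:
        """Add a rule written as on the CLI, e.g. 'permit host 1.1.1 any'."""
        tokens = line.split()
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        src, src_wc, rest = parse_spec(rest)
        dst, dst_wc, rest = parse_spec(rest)
        if rest:
            raise ValueError(f"unexpected tokens {rest}")
        self.rules.append((action, src, src_wc, dst, dst_wc))

    def masks_uniform(self) -> bool:
        """True when every rule uses the same (src, dst) wildcard pattern (assumed constraint)."""
        return len({(r[2], r[4]) for r in self.rules}) <= 1

    def evaluate(self, src: str, dst: str) -> str:
        """Return 'permit' or 'deny' for a frame with these source/destination MACs."""
        s, d = parse_mac(src), parse_mac(dst)
        for action, rs, rs_wc, rd, rd_wc in self.rules:
            if (s & ~rs_wc) == (rs & ~rs_wc) and (d & ~rd_wc) == (rd & ~rd_wc):
                return action
        return "deny"          # implicit deny at the end of the list (assumed)


if __name__ == "__main__":
    acl = MacAcl("1")
    acl.add("permit host 1.1.1 any")
    acl.add("permit host 2.2.2 any")
    print("uniform masks:", acl.masks_uniform())
    for s in ("1.1.1", "3.3.3"):
        print(s, "->", acl.evaluate(s, "ffff.ffff.ffff"))
```

The wildcard form lets one rule cover an OUI: deny 0000.0000.0000 0000.0000.ffff any matches every source whose upper 32 bits are zero, whichever low 16 bits it carries.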
G0/3 Host A connects to the G0/2 interface of the switch, host B to the G0/3 interface, and host C to the G0/4 interface; the RADIUS server’s IP address is 192.168.20.
Global configuration
username switch password 0 TST
username TST password 0 TST
aaa authentication dot1x TST-G0/2 group radius
aaa authentication dot1x TST-G0/3 local
aaa authentication dot1x TST-G0/4 group radius
aaa accounting network dot1x_acc start-stop group radius
dot1x enable
dot1x re-authentication
dot1x timeout re-authperiod 10
dot1x mabformat 2
dot1x guest-vlan
interface VLAN1
 ip address 192.168.20.24 255.255.255.0
!
vlan 1-2
radius-server host 192.168.20.
Configuration of interface G0/2
interface GigaEthernet 0/2
 dot1x port-control auto
 dot1x authentication method TST-G0/2
 dot1x user-permit radius-TST
 dot1x accounting enable
 dot1x accounting method dot1x_acc
Configuration of interface G0/3
interface GigaEthernet 0/3
 dot1x authentication multiple-hosts
 dot1x port-control auto
 dot1x authentication method TST-G0/3
 dot1x guest-vlan 2
Configuration of interface G0/4
interface GigaEthernet 0/4
 dot1x mab
 dot1x authentication method TST-G0/4
Chapter 31 VLAN Configuration 31.1 VLAN Introduction A virtual local area network (VLAN) is a switched network that logically groups the devices of a LAN. IEEE issued the IEEE 802.1Q standard in 1999 to standardize VLANs. VLAN technology logically divides a physical LAN into different broadcast domains. Each VLAN is a group of devices with the same requirements, and it has the same attributes as a physical LAN.
Supports the inter-translation between customer VLAN and SPVLAN on the downlink port, including translation in Flat mode and in QinQ mode. Supports the configuration of the uplink port. Supports changeable TPID. 31.2.2 Dot1Q Tunnel Realization Mode There are two modes to realize Dot1Q Tunnel: port-based Dot1Q Tunnel and Dot1Q Tunnel based on inner CVLAN tag classification.
Figure 3 Structure of the VLAN Tag of an Ethernet frame (TPID 2 bytes, priority 3 bits, CFI 1 bit, VLAN ID 12 bits)
TPID is a field in the VLAN tag; IEEE 802.1Q specifies its value as 0x8100, and the switches use this default TPID value. Some manufacturers do not set the TPID of the outer tag of Dot1Q Tunnel packets to 0x8100 in their devices. To be compatible with such devices, most switches let you modify the TPID value of Dot1Q Tunnel packets.
vlan vlan-range                 Creates multiple VLANs simultaneously.
no vlan vlan-id | vlan-range    Deletes one or multiple VLANs.
You can also use the GVRP protocol to dynamically add or delete VLANs. 31.4.2 Configuring the Port of the Switch The switch port supports the following modes: access mode, relay (trunk) mode, VLAN tunnel mode, VLAN translating tunnel mode and VLAN tunnel uplink mode. 1.
configure the VLAN interface.
Command                        Purpose
[no] interface vlan vlan-id    Creates or deletes a VLAN interface.
31.4.4 Configuring the Super VLAN Interface Super VLAN provides the following mechanism: hosts that are in different VLANs but connect to the same switch can be placed in the same IPv4 subnet and use the same default gateway, which saves a large number of IP addresses.
mode:
Command                                                                                                  Purpose
show vlan [ id x | interface intf | dot1q-tunnel [interface intf] | mac-vlan | subnet | protocolvlan ]   Displays the configuration and state of VLANs or Dot1Q tunnels.
show interface {vlan | supervlan} x                                                                      Displays the state of the VLAN interface or the SuperVLAN interface.
31.4.
table:
Command                                                                                                           Purpose
switchport dot1q-translating-tunnel mode {flat | qinq} translate {oldvlanid | oldvlanlist} newvlan [priority]     Configures the VLAN translation mode and a translation entry.
31.4.9 Setting MAC-Based VLAN A MAC-based VLAN is a VLAN assignment mode based on the source MAC address of the packet. When a port receives an untagged packet, the device uses the packet’s source MAC address as the lookup key and determines the packet’s VLAN from the matching MAC-VLAN entry.
Command                              Purpose
[no] subnet { any | ip-addr mask }   Adds or deletes a subnet VLAN entry.
The IP-subnet VLAN function takes effect only on a port on which it is enabled. In port configuration mode, run the following command to enable or disable the IP-subnet VLAN function on a port.
Command                              Purpose
[no] switchport vlan-subnet enable   Enables or disables the IP-subnet VLAN function on the port.
no switchport protocol-vlan protocol_index Deletes the association of a protocol template. 31.5 Configuration Example 31.5.1 SuperVLAN Configuration Example The network topology is shown in the following figure: Figure 9 SuperVLAN Six PC users from PC1 to PC6 connect six ports of a switch respectively. The IP addresses of these PCs belong to the 192.168.1.0/24 network segment. These PCs can ping each other successfully and the switch can be controlled through the IP address, 192.168.1.
Example 1 Figure 4 Typical configuration of Dot1Q tunnel As shown in the figure above, port F0/1 of CE1 connects to port F0/1 (or port G0/1) of PE1, PE1 connects to the S8510 on port F0/2 (or port G0/2), PE2 connects to the S8510 on port F0/2 (or port G0/2), and port F0/1 (or port G0/1) of PE2 connects to port F0/1 of CE2. Port G0/1 of each PE is set as an access port of VLAN 10 and Dot1Q Tunnel is enabled on it.
DA (6B) | SA (6B) | ETYPE 0x8100 (2B) | SPVLAN tag (2B) | ETYPE 0x8100 (2B) | CVLAN tag (2B) | ETYPE (2B) | DATA (0~1500B) | FCS (4B)
Figure 6 Structure of a packet going into PE1
3) In the backbone network, the packets are transmitted over trunk ports of VLAN 10. The private-network tag is carried transparently until the packets reach PE2. 4) PE2 discovers that the port on which it connects CE2 is the access port of VLAN 10 and removes the VLAN 10 tag header according to 802.
Example 2 When different services of the same user must be handled and the user’s access terminal connects to the UNI port of the PE, Dot1Q tunnel VLAN translation must be used to distinguish the services and apply different QoS standards. As shown in figure 8, the carrier allocates three VLANs to each user, and each VLAN corresponds to one kind of service.
Figure 8 Typical configuration of Dot1Q tunnel (3) In figure 9, CE1 connects port G0/1 of PE1, CE2 connects port G0/2 of PE1 and the Dot1Q Tunnel NNI port of PE is port G0/3.
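The following Python example is added to show the tag layout of figure 3 and the double-tagged packet of figure 6 as bytes; it is not PLANET's own code. make_tag() packs TPID, priority, CFI and VLAN ID; push_spvlan() does what the PE's Dot1Q-tunnel access port does on ingress (adds the outer SPVLAN 10 tag in front of the customer tag) and pop_outer() what the far PE does on egress; parse_tags() takes the set of TPIDs it should treat as tags, so an outer tag with a vendor TPID other than 0x8100 is only recognised when that TPID is configured, which is the compatibility point made in section 31.2. The FCS is not modelled and the frames are constructed.

```python
"""802.1Q and Dot1Q-tunnel (QinQ) frame handling (added example, not PLANET's code).

Tag layout: TPID (2 bytes), then TCI = priority (3 bits) | CFI (1 bit) | VID (12 bits).
The FCS is omitted.  Sample addresses and payloads are constructed.
"""
import struct
from typing import Dict, List, Tuple

DEFAULT_TPID = 0x8100
SAMPLE_DA = bytes.fromhex("001122334455")   # constructed
SAMPLE_SA = bytes.fromhex("66778899aabb")   # constructed


def make_tag(vid: int, pcp: int = 0, cfi: int = 0, tpid: int = DEFAULT_TPID) -> bytes:
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("vid 0..4095, pcp 0..7, cfi 0/1")
    tci = (pcp << 13) | (cfi << 12) | vid
    return struct.pack("!HH", tpid, tci)


def make_frame(da: bytes, sa: bytes, ethertype: int, payload: bytes,
               tags: List[Tuple[int, int, int, int]] = ()) -> bytes:
    """tags: (vid, pcp, cfi, tpid) tuples, outermost first."""
    return da + sa + b"".join(make_tag(*t) for t in tags) + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, tpids=(DEFAULT_TPID,)) -> Tuple[List[Dict[str, int]], int, bytes]:
    """Return (tags outermost-first, inner ethertype, payload); unknown TPIDs end the tag stack."""
    if len(frame) < 14:
        raise ValueError("short frame")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in tpids:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": etype, "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4
    return tags, etype, frame[off + 2:]


def push_spvlan(frame: bytes, spvlan: int, tpid: int = DEFAULT_TPID, pcp: int = 0) -> bytes:
    """PE ingress on a Dot1Q-tunnel port: insert the service-provider tag after DA/SA."""
    return frame[:12] + make_tag(spvlan, pcp=pcp, tpid=tpid) + frame[12:]


def pop_outer(frame: bytes, tpids=(DEFAULT_TPID,)) -> bytes:
    """PE egress on the customer-facing access port: strip exactly one outer tag."""
    if struct.unpack_from("!H", frame, 12)[0] not in tpids:
        raise ValueError("no outer tag to remove")
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Customer frame in CVLAN 100 (priority 5), carrying a constructed IPv4 payload.
    cust = make_frame(SAMPLE_DA, SAMPLE_SA, 0x0800, b"\x45" + b"\x00" * 19, tags=[(100, 5, 0, 0x8100)])
    tunnelled = push_spvlan(cust, 10)          # what leaves PE1 towards the backbone
    print(parse_tags(tunnelled)[0])            # [{'vid': 10 ...}, {'vid': 100 ...}]
    print(pop_outer(tunnelled) == cust)        # True: PE2 restores the customer frame
```

Because parse_tags() stops at the first ethertype it does not know, a receiver left at the default TPID list will report a 0x9100-tagged frame as untagged with ethertype 0x9100, which is exactly the interoperability failure the TPID setting exists to fix.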
31.6 Appendix A Abbreviations Abbrev.
Chapter 32 Configuring GVRP 32.1 Introduction GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that provides IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports.
[no] gvrp    Enables/disables GVRP on the interface.
For the port to become an active GVRP participant, GVRP must be enabled globally first and the port must be an 802.1Q trunk port. It is enabled by default. 32.3.4 Monitoring and Maintenance of GVRP Perform the following operations in EXEC mode:
Command                                       Description
show gvrp statistics [interface port_list]    Displays GVRP statistics.
show gvrp status                              Displays GVRP global state information.
32.4 Configuration Example The network connection is as follows. In order to make the VLAN configuration information of Switch A and Switch B identical, you can enable GVRP on Switch A and Switch B.
Chapter 33 Private VLAN Settings 33.1 Overview of Private VLAN Private VLAN solves a VLAN deployment problem faced by ISPs: if an ISP assigns each user a VLAN, the 4094-VLAN limit of each device restricts the number of users the ISP can support. 33.2 Private VLAN Type and Port Type in Private VLAN Private VLAN subdivides the L2 broadcast domain of a VLAN into multiple sub-domains, each of which consists of a private VLAN pair: a primary VLAN and a secondary VLAN.
packets of private VLAN carry the tag or not. 33.3 Private VLAN Configuration Task List
Configuring Private VLAN
Configuring the association of private VLAN domains
Configuring the L2 port of private VLAN to be the host port
Configuring the L2 port of private VLAN to be the promiscuous port
Modifying related fields of egress packets in private VLAN
Displaying the configuration information of private VLAN
33.
no private-vlan association    Clears all associations between the current primary VLAN and its secondary VLANs.
exit                           Exits the VLAN configuration mode.
33.4.3 Configuring the L2 Port of Private VLAN to Be the Host Port Run the following commands to set a layer-2 port of the private VLAN to be a host port:
Command                              Purpose
interface interface                  Enters the interface configuration mode.
switchport mode private-vlan host    Sets the layer-2 port to host port mode.
no switchport private-vlan mapping    Deletes the association between the L2 promiscuous port and the private VLAN.
exit                                  Exits the interface configuration mode.
33.4.5 Modifying Related Fields of Egress Packets in Private VLAN Run the following commands to modify the related fields of egress packets in the private VLAN:
Command                              Purpose
interface interface                  Enters the interface configuration mode.
switchport private-vlan tag-pvid     Sets the VLAN ID field in the tag of egress packets.
33.5 Configuration Example Figure 1: Typical Configuration of Private VLAN As shown in figure 1, port G0/1 is the promiscuous port in primary VLAN 2 and ports G0/2-G0/6 are host ports, among which ports G0/2 and G0/3 are host ports (public ports) of Community VLAN 3, port G0/4 is that of Community VLAN 4, and ports G0/5 and G0/6 are host ports of Isolated VLAN 5.
Switch_config#interface GigaEthernet0/3
Switch_config_g0/3#switchport mode private-vlan host
Switch_config_g0/3#switchport private-vlan host-association 2 3
Switch_config_g0/3#switchport pvid 3
Switch_config#interface GigaEthernet0/4
Switch_config_g0/4#switchport mode private-vlan host
Switch_config_g0/4#switchport private-vlan host-association 2 4
Switch_config_g0/4#switchport pvid 4
Switch_config#interface GigaEthernet0/5
Switch_config_g0/5#switchport mode private-vlan host
Switch_config_g0/5#switchpor
Switch_config#vlan 5
Switch_config_vlan5#private-vlan isolated
Switch_config#show vlan private-vlan
Primary     Secondary       Type                 Ports
----------- --------------- -------------------- ------------------------------------------
2           3               community            g0/1, g0/2, g0/3
2           4               community            g0/1, g0/4
2           5               isolated             g0/1, g0/5, g0/6
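The following Python example is added to turn the show vlan private-vlan output above into a reachability check, so the effect of the community and isolated VLAN types in this configuration can be verified port by port; it is not PLANET's own code. The rules applied are the standard private VLAN semantics: a promiscuous port talks to every port of the primary VLAN, a community host port talks to the other ports of its community and to the promiscuous ports, and an isolated host port talks only to the promiscuous ports. The table does not mark port roles, so the promiscuous port set (g0/1, per figure 1) is passed in explicitly; that is an assumption of the example.

```python
"""Private VLAN reachability from 'show vlan private-vlan' output (added example, not PLANET's code)."""
from typing import Dict, Iterable, Set, Tuple

# The command output shown above, embedded as sample input.
SHOW_OUTPUT = """\
Primary     Secondary       Type                 Ports
----------- --------------- -------------------- -------------------
2           3               community            g0/1, g0/2, g0/3
2           4               community            g0/1, g0/4
2           5               isolated             g0/1, g0/5, g0/6
"""


def parse_private_vlan(text: str) -> Dict[Tuple[int, int], Tuple[str, Set[str]]]:
    """Return {(primary, secondary): (type, ports)} from the show output."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue                                   # header and separator lines
        primary, secondary, vtype, ports = parts
        table[(int(primary), int(secondary))] = (vtype, {p.strip() for p in ports.split(",")})
    return table


class PrivateVlan:
    def __init__(self, table, promiscuous: Iterable[str]):
        self.promiscuous = set(promiscuous)            # assumed role, not in the table
        self.host: Dict[str, Tuple[int, int, str]] = {}   # port -> (primary, secondary, type)
        for (prim, sec), (vtype, ports) in table.items():
            for p in ports - self.promiscuous:
                if p in self.host:
                    raise ValueError(f"{p} is a host port in two secondary VLANs")
                self.host[p] = (prim, sec, vtype)
        self.ports = self.promiscuous | set(self.host)

    def can_talk(self, a: str, b: str) -> bool:
        """True if frames may pass between ports a and b at layer 2."""
        if a in self.promiscuous or b in self.promiscuous:
            return a in self.ports and b in self.ports
        if a not in self.host or b not in self.host:
            return False
        pa, sa, ta = self.host[a]
        pb, sb, tb = self.host[b]
        # community hosts reach each other only inside their own secondary VLAN;
        # isolated hosts never reach another host port
        return pa == pb and sa == sb and ta == "community"

    def reachable_from(self, port: str) -> Set[str]:
        return {q for q in self.ports if q != port and self.can_talk(port, q)}


if __name__ == "__main__":
    pv = PrivateVlan(parse_private_vlan(SHOW_OUTPUT), promiscuous={"g0/1"})
    for p in sorted(pv.ports):
        print(p, "->", sorted(pv.reachable_from(p)))
```

Running it on the page's configuration shows g0/5 and g0/6 each reaching only g0/1 (isolated), g0/2 and g0/3 reaching each other and g0/1 (community 3), and g0/4 reaching only g0/1 because it is alone in community 4.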
Chapter 34 Configuring STP 34.1 STP Introduction The standard Spanning Tree Protocol (STP) is based on the IEEE 802.1D standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID. The spanning-tree algorithm and protocol reduce any bridged LAN to a simply connected active topology. In the active topology some bridge ports forward frames, while other ports are blocked and cannot forward data.
34.2 SSTP Configuration Task List
Choosing the STP Mode
Disabling/Enabling STP
Disabling/Enabling STP on a Port
Setting the Bridge Priority
Setting the Hello Time
Setting the Max Age
Setting the Forward Delay
Setting the Port Priority
Setting the Path Cost of a Port
Monitoring the STP State
Setting the SNMP Trap
34.3 SSTP Configuration Tasks 34.3.
Note: When no spanning-tree is set on a port that has been serving as a root port, alternate port, master port or backup port, the protocol information that the port received in RSTP/MSTP mode ages immediately and the port becomes a designated port, whereas in SSTP/PVST mode the port keeps its original role for a period and the information ages when the timer expires. Note: Every STP mode supports the BPDU Guard function on a port on which no spanning-tree is set. 34.
Run the following commands to configure the SSTP forward delay.
Command    Purpose
spanning-tree sstp forward-time value    Modifies the forward time of the SSTP mode.
no spanning-tree sstp forward-time    Resumes the default forward time, 15 seconds.
34.3.8 Setting the Port Priority
When a loop forms, STP changes the states of some ports to the blocking state to break the loop. You can control whether a port is blocked by setting the port priority and the port path cost.
The STP trap can be received only when the network management software supports trap reception. The bridge MIB (OID 1.3.6.1.2.1.17) must be loaded into the network management software. Run the following commands in global configuration mode to enable the STP trap:
Command    Purpose
spanning-tree management trap [ newroot | topologychange ]    Enables the STP trap. If the trap type is not designated, both kinds of trap are enabled at the same time.
no spanning-tree management trap    Disables the STP trap.
no spanning-tree vlan vlan-list hello-time    Resumes the hello time of a designated VLAN to the default value.
Run the following commands to set the port's features in switch port configuration mode:
Command    Purpose
spanning-tree vlan vlan-list cost    Sets the path cost of a port in a designated VLAN.
no spanning-tree vlan vlan-list cost    Resumes the path cost of a port in the VLAN to the default value.
spanning-tree vlan vlan-list port-priority    Sets the port priority in the VLAN.
Chapter 35 Configuring RSTP
35.1 RSTP Configuration Task List
Enabling/disabling RSTP of the Switch
Setting the Bridge Priority
Setting the Forward Time
Setting the Hello Time
Setting the Max Age
Value of the path cost of a port
Setting the Port Priority
Setting the Edge Port
Setting the Port Connection Type
Restarting the protocol conversion check
35.2 RSTP Configuration Tasks
35.2.
If the root port and the designated port start forwarding data immediately, a temporary loop may form. To solve this problem, RSTP uses an intermediate-state mechanism: before the root port and the designated port begin to forward data, they must pass through an intermediate state. The intermediate state changes into the forwarding state after the forward delay, which guarantees that the new configuration information has spread over the whole network.
If you configure the Max Age to a relatively small value, the spanning tree is recalculated relatively often, and the system may treat a temporary network block as a link failure. If you configure the Max Age to a relatively large value, link failures will not be noticed in time. The Max Age of the bridge is 20 seconds by default.
35.2.6 Value of the path cost of a port
The path cost is related to the link rate of the port.
In auto mode, if a port has not received a BPDU within a certain time, the port is treated as an edge port.
35.2.9 Setting the Port Connection Type
If switches running RSTP are connected point-to-point, they can establish a topology rapidly through the handshake mechanism. When the port connection type is set, the connection of a port can be set to point-to-point. By default, RSTP judges whether a port is in a point-to-point connection according to the duplex mode of the port.
Chapter 36 Configuring MSTP
36.1 MSTP Introduction
36.1.1 Overview
Multiple Spanning Tree Protocol (MSTP) is used to establish a simple and complete topology in a bridged LAN. MSTP is compatible with STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol). Both STP and RSTP construct only a single spanning tree topology in a network, and the packets of all VLANs are forwarded along this single topology.
Figure 2.
CIST
CIST stands for Common and Internal Spanning Tree. The CIST is the spanning tree formed by all single switches and the interconnecting LANs. These switches may belong to different MST regions, and they may be switches running traditional STP or RSTP. Switches running STP or RSTP in the MST regions are considered to be in their own regions. After the network topology is stable, the whole CIST chooses a CIST root bridge.
CST
CST stands for Common Spanning Tree. If each MST region is viewed as a single switch, the CST is the spanning tree that connects these "single switches". As shown in figure 2.1, regions 1-3 and the STP switch constitute the CST of this network.
IST
IST stands for Internal Spanning Tree. The IST is the part of the CIST inside an MST region; equivalently, the IST and the CST together constitute the CIST.
MSTI
MSTI stands for Multiple Spanning Tree Instance. MSTP permits different VLANs to be assigned to different spanning trees, establishing multiple MSTIs. In general, MSTI 0 is the CIST, which can extend over the whole network, while every other MSTI is confined to one region. Multiple VLANs can be mapped to each MSTI. Initially, all VLANs are mapped to the CIST. All MSTIs in an MST region are independent and can choose different switches as their roots. For example, in region 3 of figure 2.
Root Port
Figure 2.2 Root port
The root port is the port on the path from the current switch to the root bridge. This path has the minimum root path cost.
Alternate Port
Figure 2.3 Alternate Port
The alternate port serves as a backup path between the current switch and the root bridge. When the root port loses its connection, the alternate port can immediately take over as the new root port and start working.
Designated Port
Figure 2.4 Designated port
The designated port connects the downstream switch or the downstream LAN and serves as the path between that LAN and the root bridge.
Backup Port
Figure 2.5 Backup port
When two ports of a switch are connected directly or connect to the same LAN, the port with the lower priority runs as the backup port and the other port runs as the designated port. If the designated port fails, the backup port takes over as the designated port.
Master port
Figure 2.6 Master port
The master port is the shortest path between the MST region and the CIST root bridge. The master port is also the root port of the regional root bridge in the CIST.
Boundary Port
The meaning of the boundary port differs between the CIST and an MSTI. In the CIST, a boundary port is a port connecting to another MST region; in an MSTI, a boundary port means that this spanning tree instance does not extend beyond this port.
Edge Port
In RSTP and MSTP, an edge port is a port directly connected to a host; it can enter the forwarding state directly without waiting and without forming a loop.
Figure 2.7 Edge port
Initially, MSTP (like RSTP) regards all ports as edge ports, so the network topology can be established swiftly. If such a port then receives a BPDU from another switch, the port changes from the edge state to the normal state; if it receives 802.
Field    Octets
CIST Root Identifier    6 – 13
CIST External Root Path Cost    14 – 17
CIST Regional Root Identifier    18 – 25
CIST Port Identifier    26 – 27
Message Age    28 – 29
Max Age    30 – 31
Hello Time    32 – 33
Forward Delay    34 – 35
Version 1 Length    36
Version 3 Length    37 – 38
Format Selector    39
Configuration Name    40 – 71
Revision    72 – 73
Configuration Digest    74 – 89
CIST Internal Root Path Cost    90 – 93
CIST Bridge Identifier    94 – 101
CIST Remaining Hops    102
MSTI Configuration Messages    103 ~
Tab
(7) The designated port of the CIST provides its LAN with the minimum-cost path to the CIST root.
(8) The alternate port and the backup port provide connectivity when the switch, port or LAN fails or is removed.
(9) The MSTI root port provides the minimum-cost path to the MSTI regional root.
(10) The designated port of an MSTI provides the minimum-cost path to the MSTI regional root.
(11) A master port provides the connection between the region and the CIST root.
Configuring the edge port
Configuring port connection type
Activating MST-compatible mode
Restarting the protocol conversion check
Configuring role restriction of the port
Configuring TCN restriction of the port
Check MSTP information
36.3 MSTP Configuration Tasks
36.3.1 Default MSTP Configuration
Attributes    Default Settings
STP mode    RSTP (PVST, SSTP and MSTP are not enabled)
Area name    The default value is the MAC address of the switch.
36.3.3 Configuring MSTP region
The MST region where the switch resides is decided by three attributes: the configuration name, the revision number, and the mapping between VLANs and MSTIs. You can configure them through region configuration commands. Note that a change to any of the three attributes changes the region where the switch resides. In the initial state, the MST configuration name is the character string of the MAC address of the switch.
MSTP can set the switch to be the network root through configuration. You can run the command spanning-tree mstp instance-id root to modify the priority value of the switch in a spanning tree instance from the default value (32768) to a sufficiently small value, ensuring the switch becomes the root of that spanning tree instance.
STP time parameters. When the secondary root becomes the primary root and starts working, all these parameters take effect. Run the following command to set the switch to the secondary root of the network:
Command    Purpose
spanning-tree mstp instance-id root secondary [ diameter net-diameter [ hello-time seconds ] ]    Sets the switch to the secondary root in the designated spanning tree instance. instance-id represents the number of the spanning tree instance, ranging from 0 to 15.
Hello Time: The interval at which the switch sends configuration messages on its designated ports when it functions as the network root.
Forward Delay: The time a port needs to change from the Blocking state to the Learning state and then to the Forwarding state in STP mode.
Max Age: The maximum lifetime of the configuration information about the spanning tree.
To reduce oscillation of the network topology, the time parameters must satisfy the following requirements: 2 x (fwd_delay - 1.
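The MST BPDU field layout and the timer relationship can be exercised in code. The following Python is an added example, not the switch firmware or any vendor tool: it assembles a constructed MST BPDU at the octet positions listed in the manual, decodes the region identity fields and timers, compares the neighbour's region with a local configuration and checks the timer constraints. The HMAC-MD5 key and the 4096-entry digest table come from IEEE 802.1s (not listed in the manual), the timer inequalities are the standard 802.1D ones that the manual's statement above begins, and the bridge MAC reuses the chassis id shown later in the LLDP example.

```python
"""Parse the MST BPDU layout from the manual, verify region identity fields
and check the 802.1D timer relationship. Added example, not vendor code."""
import hashlib
import hmac
import struct

# Octet ranges from the manual's MST BPDU table (1-based, inclusive).
MST_FIELDS = [
    ("cist_root_id", 6, 13), ("cist_ext_root_path_cost", 14, 17),
    ("cist_regional_root_id", 18, 25), ("cist_port_id", 26, 27),
    ("message_age", 28, 29), ("max_age", 30, 31), ("hello_time", 32, 33),
    ("forward_delay", 34, 35), ("version1_length", 36, 36),
    ("version3_length", 37, 38), ("format_selector", 39, 39),
    ("configuration_name", 40, 71), ("revision", 72, 73),
    ("configuration_digest", 74, 89), ("cist_int_root_path_cost", 90, 93),
    ("cist_bridge_id", 94, 101), ("cist_remaining_hops", 102, 102),
]
TIMER_FIELDS = ("message_age", "max_age", "hello_time", "forward_delay")

# HMAC-MD5 key defined by IEEE 802.1s for the configuration digest
# (taken from the standard; the manual does not list it).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """Digest of the VLAN-to-MSTI mapping: a table of 4096 big-endian 16-bit
    MSTI values indexed by VID; VIDs not listed stay in MSTI 0 (the CIST)."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094 or not 0 <= msti <= 4094:
            raise ValueError("VID or MSTI out of range")
        struct.pack_into("!H", table, vid * 2, msti)
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def build_mst_bpdu(config_name, revision, digest, hello=2, max_age=20,
                   fwd_delay=15, bridge_mac=bytes.fromhex("00e00fac32ff")):
    """Assemble a constructed MST BPDU (octets 1 to 102, no MSTI records).
    The default MAC is the chassis id shown in the manual's LLDP example."""
    if len(digest) != 16:
        raise ValueError("configuration digest must be 16 octets")

    def timer(seconds):                 # timers travel in units of 1/256 s
        return struct.pack("!H", int(seconds * 256))

    bridge_id = struct.pack("!H", 32768) + bridge_mac   # default priority + MAC
    pdu = b"\x00\x00\x03\x02\x3c"      # octets 1-5: protocol id, version 3, type, CIST flags
    pdu += bridge_id + struct.pack("!I", 0) + bridge_id + b"\x80\x01"   # octets 6-27
    pdu += timer(0) + timer(max_age) + timer(hello) + timer(fwd_delay)  # octets 28-35
    pdu += b"\x00" + struct.pack("!H", 64) + b"\x00"   # 36-39: v1 length, v3 length, format
    pdu += config_name.encode("ascii").ljust(32, b"\x00")   # octets 40-71
    pdu += struct.pack("!H", revision) + digest        # octets 72-89
    pdu += struct.pack("!I", 0) + bridge_id + b"\x14"  # 90-102: int cost, bridge id, 20 hops
    return pdu


def parse_mst_bpdu(pdu):
    """Slice the fields at the manual's octet positions and decode the ones
    needed for region and timer checks."""
    if len(pdu) < 102 or pdu[2] != 3:
        raise ValueError("not an MST BPDU (needs protocol version 3 and >= 102 octets)")
    raw = {name: bytes(pdu[first - 1:last]) for name, first, last in MST_FIELDS}
    info = {
        "config_name": raw["configuration_name"].rstrip(b"\x00").decode("ascii", "replace"),
        "revision": int.from_bytes(raw["revision"], "big"),
        "digest": raw["configuration_digest"],
        "cist_root_priority": int.from_bytes(raw["cist_root_id"][:2], "big"),
        "cist_root_mac": raw["cist_root_id"][2:].hex(),
        "remaining_hops": raw["cist_remaining_hops"][0],
    }
    for name in TIMER_FIELDS:           # convert 1/256 s units back to seconds
        info[name] = int.from_bytes(raw[name], "big") / 256
    return info


def same_region(info, local_name, local_revision, local_vlan_to_msti):
    """True when the neighbour's name, revision and digest all match ours."""
    return (info["config_name"] == local_name
            and info["revision"] == local_revision
            and info["digest"] == mst_config_digest(local_vlan_to_msti))


def check_timers(hello, max_age, fwd_delay):
    """Return the 802.1D timer constraints (in seconds) that the values violate."""
    problems = []
    if 2 * (fwd_delay - 1) < max_age:
        problems.append("2 x (forward delay - 1) must be >= max age")
    if max_age < 2 * (hello + 1):
        problems.append("max age must be >= 2 x (hello time + 1)")
    return problems


if __name__ == "__main__":
    mapping = {10: 1, 20: 1, 30: 2}     # constructed VLAN-to-MSTI mapping
    pdu = build_mst_bpdu("region1", 1, mst_config_digest(mapping))
    info = parse_mst_bpdu(pdu)
    print(info["config_name"], info["revision"], info["digest"].hex())
    print("same region:", same_region(info, "region1", 1, mapping))
    print("timer problems:", check_timers(info["hello_time"], info["max_age"], info["forward_delay"]))
```

A neighbour whose name or revision matches but whose digest differs is the usual sign of a VLAN-to-MSTI mapping mismatch, which splits one intended region into two.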
no spanning-tree mstp diameter    Resumes net-diameter to the default value.
The net-diameter parameter is not saved as an independent configuration in the switch. Only the time parameters that are modified through the network diameter configuration are saved.
36.3.9 Configuring maximum hop count
Use the following command to configure the maximum hop count.
Command    Purpose
spanning-tree mstp max-hops hop-count    Sets the maximum hops.
spanning-tree mstp instance-id cost cost    Sets the path cost of the port. instance-id represents the number of the spanning tree instance, ranging from 0 to 15. cost stands for the path cost of the port, which ranges from 1 to 200000000.
spanning-tree cost value    Sets the path cost of the port in all spanning tree instances. value: path cost of a port, which ranges between 1 and 200,000,000.
no spanning-tree mstp instance-id cost    Resumes the port path cost to the default value.
mode. Switches running in MSTP-compatible mode can identify the message structure of other MSTP implementations, check the contained MST region identifier and establish the MST region. The MST-compatible mode and the STP-compatible mode are based on the MSTP protocol conversion mechanism. If a port of the switch receives a BPDU in a compatible mode, the port automatically changes to that mode and sends BPDUs in the compatible mode. To return the port to standard MST mode, you can run spanning-tree mstp migration-check.
Command    Purpose
spanning-tree mstp migration-check    Clears the STP information detected by the port.
36.3.16 Configuring role restriction of the port
The port will not be selected as the root port if role restriction is enabled on it. In port configuration mode, run the following command to set the role restriction of a port.
Command    Purpose
spanning-tree mstp restricted-role    Sets the port not to be the root port.
36.3.
Chapter 37 Configuring STP Optional Characteristic
37.1 STP Optional Characteristic Introduction
The spanning tree protocol module of the switch supports seven additional characteristics (the so-called optional characteristics). These characteristics are not configured by default.
Figure 1.1 Port Fast
Note: The rapid convergent spanning tree protocols, RSTP and MSTP, can immediately bring an interface to the forwarding state, so there is no need to use the Port Fast feature with them.
37.1.2 BPDU Guard
If a Port Fast port receives a BPDU, this may be due to an incorrect network configuration. When a Port Fast port receives a BPDU, BPDU Guard protects it passively. In different STP modes, BPDU Guard acts differently.
Before entering the Forwarding state, the port must pass through the Listening state and the Learning state. As with BPDU Guard, the BPDU Filter characteristic can be configured in global configuration mode or in port configuration mode. In global configuration mode, run the command spanning-tree portfast bpdufilter to stop all ports from sending BPDUs. The ports, however, can still receive and process BPDUs.
37.1.
Figure 1.3 Uplink Fast
Note: The Uplink Fast characteristic is suited to the slowly convergent SSTP and PVST. In RSTP and MSTP mode, a new root port can rapidly enter the Forwarding state without the Uplink Fast function.
37.1.5 Backbone Fast
The Backbone Fast characteristic is a supplement to the Uplink Fast technology.
Figure 1.4 Backbone Fast
Suppose the bridge priority of switch C is higher than that of switch B. When L1 is disconnected, device B sends BPDUs to device C with its own bridge priority as the root priority. To device C, the information contained in these BPDUs is inferior to its own. When Backbone Fast is not enabled, the port between device C and device B waits for the stored bridge information to age out and then becomes the designated port.
In a complex Layer 2 network, the administrator may want a switch in the core layer to be the root of the network, but cannot manage all switches in the access layer (because switches in the access layer may belong to other clients). Thus, an inappropriate configuration on other switches may prevent the core switch from becoming the root. To prevent the root role from being taken by switches outside the management area, you can configure the Root Guard function on the boundary switch.
Configuring Backbone Fast
Configuring Root Guard
Configuring Loop Guard
Configuring Loop Fast
Configuring Address Table Aging Protection
Configuring FDB-Flush
Configuring BPDU Terminal
37.2.2 Configuring Port Fast
In SSTP/PVST mode, Port Fast immediately brings an interface to the forwarding state, bypassing the listening and learning states. The function has no effect in other STP modes.
Command    Purpose
spanning-tree portfast bpduguard    Globally enables the BPDU Guard feature. It applies to all interfaces.
no spanning-tree portfast bpduguard    Globally disables the BPDU Guard feature.
Note: Globally enabling the Port Fast feature may result in a broadcast storm. BPDU Guard or BPDU Filter should be configured for protection.
no spanning-tree bpdufilter    Disables the BPDU Filter feature on the interface. It has no effect on the global configuration.
37.2.5 Configuring Uplink Fast
The Uplink Fast characteristic enables a new root port to rapidly enter the Forwarding state when the connection between the switch and the root bridge is lost. The Uplink Fast function takes effect only in SSTP/PVST mode.
the interface.
37.2.8 Configuring Loop Guard
The Loop Guard attribute protects a port after it changes from a root port or an alternate port to a designated port. This function prevents a port from creating a loop when the port stops receiving BPDUs. Loop Guard acts somewhat differently in SSTP/PVST and in RSTP/MSTP. In SSTP/PVST mode, the designated port is always blocked by Loop Guard.
no spanning-tree loopfast    Globally disables Loop Fast.
Use the following command in interface configuration mode to enable Loop Fast:
Command    Purpose
spanning-tree loopfast    Enables the Loop Fast feature on the interface.
no spanning-tree loopfast    Disables the Loop Fast feature on the interface. If global Loop Fast is configured, the feature remains effective on the interface.
spanning-tree loopfast disable    Disables Loop Fast on the interface.
37.2.
37.2.11 Configuring FDB-Flush
Note: Please configure this command under the guidance of technical engineers.
By default, RSTP and MSTP on the switch clear old MAC addresses by way of address table fast aging, rather than FDB-Flush. In global configuration mode, run the following command to configure FDB-Flush:
Command    Purpose
spanning-tree fast-aging flush-fdb    Enables FDB-Flush.
no spanning-tree fast-aging flush-fdb    Disables FDB-Flush.
Note that FDB-Flush is independent of fast aging.
Chapter 38 Configuring Port Aggregation
38.1 Overview
Link aggregation, also called trunking, is an optional feature available on the Ethernet switch and is used with Layer 2 bridging. Link aggregation logically merges multiple ports into a single link. Because the full bandwidth of each physical link is available, bandwidth is not wasted by inefficient routing of traffic, and the entire cluster is utilized more efficiently.
aggregated to the logical channel, regardless of whether the current port meets the conditions of port aggregation and whether the port connected to the physical port meets the aggregation conditions.
Prerequisites for ports to be aggregated: the link of the port must be up and the port must be negotiated to full-duplex mode.
Command    Description
aggregator-group load-balance    Configures the load balance method.
Note: The command is unavailable on a switch that does not support load balance methods or supports only one method. A switch using the command only selects the load balance strategies it supports.
Chapter 39 PDP Overview
39.1 Overview
PDP is used specifically to discover network equipment, that is, to find all neighbors of a known device. Through PDP, the network management program can use SNMP to query neighboring devices to acquire the network topology. Our company's switches can discover neighboring devices but do not accept SNMP queries. Therefore, the switches can only run at the edge of the network; otherwise a complete network topology cannot be acquired. PDP can be set on all SNAPs (e.g.
39.2.3 Setting the PDP Version
To set the PDP version, run the following command in global configuration mode.
Command    Purpose
pdp version {1|2}    Sets the PDP version.
39.2.4 Starting PDP on a Switch
To enable PDP, run the following command in global configuration mode.
Command    Purpose
pdp run    Starts PDP on a switch.
39.2.5 Starting PDP on a Port
To enable PDP on a port by default, run the following command in port configuration mode.
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device-ID    Local-Intf    Hldtme    Capability    Platform         Port-ID
Switch       Fas0/1        169       R S           COMPANY, RISC    Gig0/1
Chapter 40 Link Layer Discovery Protocol (LLDP)
40.1 LLDP Overview
The Link Layer Discovery Protocol (LLDP), defined in IEEE 802.1AB, helps to detect network problems easily and maintain the network topology. It enables a device to advertise its own state information to neighboring devices, and each port of every device stores the information that describes itself.
function.
40.2.2 Initializing LLDP Reception Mode
Set LLDP to receive-only in interface mode. In receive-only mode, the interface can receive LLDP packets from its neighbors and save their TLVs in the remote MIB. The interface drops LLDP packets when the function is disabled.
40.2.3 LLDP PDU Packet Structure Description
In order, an LLDP PDU consists of three mandatory TLVs at the front, one or more optional TLVs in the middle, and the End of LLDPDU TLV at the end.
19. Location Identification
20. Extended Power-via-MDI
21. Inventory (including Hardware Revision, Firmware Revision, Software Revision, Serial Number, Manufacturer Name, Model Name, Asset ID)
(3) The End TLV must be the last one in the LLDP PDU.
40.
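As an added example (not the switch's own code), the following Python builds an LLDPDU modelled on the neighbour entry shown later in this chapter, checks it against the structure rule above (mandatory TLVs first, End of LLDPDU TLV last), decodes the basic TLVs, and lists the optional TLVs that disclose platform details together with the tlv-select command from this chapter that stops sending them. TLV type numbers and subtypes are taken from IEEE 802.1AB; the management IP 192.0.2.1 and the TTL of 120 s are constructed sample values.

```python
"""Build and check an LLDPDU using the TLV ordering rule in the manual and
report which optional TLVs disclose platform details. Added example."""
import struct

# TLV type codes from IEEE 802.1AB.
END_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME, SYSTEM_DESCRIPTION = 4, 5, 6
SYSTEM_CAPABILITIES, MANAGEMENT_ADDRESS, ORG_SPECIFIC = 7, 8, 127
MANDATORY_ORDER = (CHASSIS_ID, PORT_ID, TTL)

# Optional TLVs that reveal platform details to every neighbour, with the
# manual's tlv-select command (its "no" form stops the TLV being sent) where
# the manual gives one; the management address has no command on the page.
DISCLOSURE_TLVS = {
    SYSTEM_DESCRIPTION: "no lldp tlv-select system-description",
    SYSTEM_CAPABILITIES: "no lldp tlv-select system-capabilities",
    MANAGEMENT_ADDRESS: "management address (check the tlv-select options)",
}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu):
    """Split an LLDPDU into (type, value) pairs and return (tlvs, problems).
    problems is empty when the PDU follows the structure the manual describes:
    Chassis ID, Port ID and TTL first, optional TLVs next, End TLV last."""
    tlvs, problems, offset = [], [], 0
    while offset < len(pdu):
        if offset + 2 > len(pdu):
            problems.append("truncated TLV header at offset %d" % offset)
            break
        header = struct.unpack_from("!H", pdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = bytes(pdu[offset + 2:offset + 2 + length])
        if len(value) != length:
            problems.append("TLV type %d runs past the end of the PDU" % tlv_type)
            break
        tlvs.append((tlv_type, value))
        offset += 2 + length
        if tlv_type == END_LLDPDU:      # anything after the End TLV is ignored
            break
    if tuple(t for t, _ in tlvs[:3]) != MANDATORY_ORDER:
        problems.append("Chassis ID, Port ID and TTL must come first, in that order")
    if not tlvs or tlvs[-1] != (END_LLDPDU, b""):
        problems.append("missing End of LLDPDU TLV")
    if any(t in MANDATORY_ORDER for t, _ in tlvs[3:]):
        problems.append("mandatory TLV repeated among the optional TLVs")
    return tlvs, problems


def decode_neighbor(tlvs):
    """Decode the TLVs that 'show lldp neighbors detail' displays into a dict."""
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID and value[:1] == b"\x04":      # subtype 4: MAC address
            info["chassis_id"] = value[1:].hex()
        elif tlv_type == PORT_ID and value[:1] == b"\x05":       # subtype 5: interface name
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == SYSTEM_DESCRIPTION:
            info["system_description"] = value.decode("ascii", "replace")
        elif tlv_type == MANAGEMENT_ADDRESS and value[1:2] == b"\x01":  # subtype 1: IPv4
            addr_len = value[0]                  # length includes the subtype octet
            info["management_ip"] = ".".join(str(b) for b in value[2:1 + addr_len])
    return info


def audit_disclosure(tlvs):
    """List the disclosure TLVs present with the command that would suppress them."""
    return [(t, DISCLOSURE_TLVS[t]) for t, _ in tlvs if t in DISCLOSURE_TLVS]


# Constructed LLDPDU modelled on the manual's neighbour output (chassis id
# 00e0.0fac.32ff, port Gig0/1, system name Switch); the management IP and
# the TTL are sample values.
SAMPLE_LLDPDU = b"".join([
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("00e00fac32ff")),
    tlv(PORT_ID, b"\x05" + b"Gig0/1"),
    tlv(TTL, struct.pack("!H", 120)),
    tlv(SYSTEM_NAME, b"Switch"),
    tlv(SYSTEM_DESCRIPTION, b"SWITCH Software, Version 4.1.0B Serial: S24090103"),
    # addr len 5, IPv4 subtype, address, ifIndex numbering (2), ifIndex 8, OID len 0
    tlv(MANAGEMENT_ADDRESS, b"\x05\x01" + bytes([192, 0, 2, 1]) + b"\x02"
        + struct.pack("!I", 8) + b"\x00"),
    tlv(END_LLDPDU, b""),
])

if __name__ == "__main__":
    tlvs, problems = parse_lldpdu(SAMPLE_LLDPDU)
    print(decode_neighbor(tlvs), problems)
    for tlv_type, fix in audit_disclosure(tlvs):
        print("TLV %d advertised; suppress with: %s" % (tlv_type, fix))
```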
Procedure    Command    Purpose
Step 1    config    Enters the global configuration mode.
Step 2    lldp holdtime time    Configures the timeout time of LLDP. The value ranges from 0 to 65535. The default value is 120 s.
Resumes the timeout time to the default value:
Procedure    Command    Purpose
Step 1    config    Enters the global configuration mode.
Step 2    no lldp holdtime    Resumes the timeout time to the default value, 120 seconds.
transmit message. The value ranges from 2 to 5. The default time is 2 seconds.
Resumes the default value of reinit:
Procedure    Command    Purpose
Step 1    config    Enters the global configuration mode.
Step 2    no lldp reinit    Resumes the default interval for continuously transmitting messages; the default interval is two seconds.
40.4.5 Configuring the To-Be-Sent TLV
You can choose which TLVs are sent by configuring tlv-select of LLDP. By default, all TLVs are transmitted.
description TLV. The port description uses numbers or letters for the description.
Step 4    no lldp tlv-select system-capabilities    This step is optional. Transmits the system capabilities TLV. The system capabilities describe the kind of system that transmits packets, such as a switch or router.
Step 5    no lldp tlv-select system-description    This step is optional. Transmits the system description TLV. The system description consists of text including numbers and letters.
Step 9    lldp dot3-tlv-select max-frame-size    (Optional) Sends the 802.3-defined TLV that specifies the maximum frame size on a port (bytes).
Step 10    lldp med-tlv-select network-policy    (Optional) Sends the MED-defined TLV with which the interface can discover and diagnose VLAN configuration mismatches and the Layer 2 and Layer 3 attributes of the flow.
Step 11    lldp med-tlv-select location    (Optional) Sends the MED-defined TLV that specifies the address.
specifies the address.
a) coordinate-based LCI, which is defined in IETF RFC 3825 [6];
b) civic address LCI, which is defined in IETF (refer to Annex B);
c) ELIN code of the emergency call service;
Step 12    no lldp med-tlv-select management power-    (Optional) Sends the MED-defined TLV that shows the information of the power supply.
Step 13    no lldp med-tlv-select inventory    (Optional) Sends the MED-defined TLV that shows the detailed inventory attributes.
40.4.
Step 3    lldp management-ip A.B.C.D    Sets the management IP address of a port.
Note: Both the no lldp command and the management-ip command can be used to resume the default management address of the port; the default management address is the IP address of the VLAN interface that corresponds to the port's PVID. When the corresponding VLAN interface does not exist, the management address is 0.0.0.0.
40.4.
Step 14    number WORD    Sets the street number, such as number 123.
Step 15    street-number-suffix WORD    Sets the suffix of the street number, such as number 1/2 of A road.
Step 16    landmark WORD    Sets the landmark, such as Colombia University.
Step 17    additional-location WORD    Sets the additional location.
Step 18    name WORD    Sets the information about a resident, such as Joe's haircut shop.
Step 19    postal-code WORD    Sets the postal code.
Step 20    building WORD    Sets the information about a building.
Step 17    no landmark    Deletes the landmark, such as Colombia University.
Step 18    no additional-location    Deletes the additional location.
Step 19    no name    Deletes the information about a resident, such as Joe's haircut shop.
Step 20    no postal-code    Deletes the postal code.
Step 21    no building    Deletes the information about a building.
Step 22    no unit    Deletes the information about a unit.
Step 23    no floor    Deletes the information about a floor.
Command    Purpose
show lldp errors    Displays the error information about the LLDP module.
show lldp interface interface-name    Displays the information about the port state, that is, the transmission mode and the reception mode.
show lldp neighbors    Displays the summary information about the neighbors.
show lldp neighbors detail    Displays the detailed information about the neighbors.
show lldp traffic    Displays all received and transmitted statistics.
Basic Settings
Configuring switch S1:
Switch_config#lldp run
Switch_config#
Configuring switch S2:
Switch_config#lldp run
Switch_config#
The information of Neighbor B will be displayed on Switch A about 1 minute later. MED-TLV information is not sent by default.
VLAN 1 name: Default
Auto Negotiation: supported,enabled
Physical media capabilities:
  1000baseX(FD)
  1000baseX(HD)
  100baseTX(FD)
  100baseTX(HD)
Operational MAU type: 2 pair category 5 UTP, full duplex mode(16)
Power Via MDI:
  MDI power support -PSE
  MDI power support: support
  Port class: PSE
  PSE MDI power state: enabled
  PSE pairs selection control ability: can not be controlled
  PSE power pair: signal
  Power Classification: Class 0
Link Aggregation:
  Aggregation capability: capable of being aggregated
  Aggregation
TLV Configuration
Configuring switch S1:
Switch_config#lldp run
Switch_config#
Configuring switch S2:
Switch_config#lldp run
Switch_config#no lldp tlv-select system-name
Switch_config#int g0/8
Switch_config_g0/8#no lldp dot1-tlv-select port-vlan-id
Switch_config_g0/8#no lldp dot3-tlv-select max-frame-size
Switch_config_g0/8#
The information of Neighbor B will be displayed on Switch A about 1 minute later, which is highlighted in red.
IP: 90.0.0.
Location Configuration
Configuring switch S1:
Switch_config#lldp run
Switch_config#
Configuring switch S2:
Switch_config#lldp run
Switch_config#location elin identifier 1 1234567890    //Configuring elin information
Switch_config#location civic identifier 1    //Entering location configuration mode
Switch_config_civic#language English
Switch_config_civic#city Shanghai
Switch_config_civic#street Curie
Switch_config_civic#script EN    //The above configured is civic information
Switch_config_civic#quit
Switch_co
Device-ID    Local-Intf    Hldtme    Capability    Port-ID
Switch       Gig0/8        115       B             Gig0/1
Total entries displayed: 1
Switch_config#show lldp neighbors detail
chassis id: 00e0.0fac.32ff
port id: Gig0/1
port description: GigaEthernet0/1
system name: Switch
system description: SWITCH Software, Version 4.1.0B Serial: S24090103 Compiled: 2011-9-21 9:24:8 by WRL
Time remaining: 109
system capabilities: R B
enabled capabilities: B
Management Address:
IP: 90.0.0.
MED Codes: (CA)Capabilities, (NP)Network Policy, (LI)Location Identification
           (PS)Power via MDI - PSE, (PD)Power via MDI - PD, (IN)Inventory
Hardware Revision: 0.4.0
Software Revision: 4.1.0B
Serial Number: S24090103
Manufacturer Name:
Model Name: SWITCH
Asset ID: S24090103
Capabilities: CA,NP,LI,PS,IN
Device type: Network Connectivity
Network Policy: Voice
Policy: Unknown
Power requirements:
Type: PSE Device
Source: Unknown
Priority: Low
Value: 150(0.
Chapter 41 Introduction of Fast Ethernet Ring Protection
41.1 Overview
The Ethernet ring protection protocol is a special link-layer protocol designed for constructing a ring Ethernet topology. The Ethernet protection protocol shuts down one link in a complete ring topology, preventing the data loop from forming a broadcast storm. If a link is broken, the protocol immediately re-enables the link that was previously shut down.
Master node: It actively checks whether the ring's topology is complete, removes the loop, and controls the other switches to update their topology information.
Transit node: It only checks the state of its local ring ports and notifies the master node of an invalid link.
The role of each node can be specified by the user through configuration. Note that each switch in the same ring can be set to only one kind of node. In figure 1.
Note: The data VLAN can be used for normal L2/L3 communication. For example, you can establish a VLAN port corresponding to the data VLAN and configure dynamic routing protocols.
41.2.4 Aging of the MAC Address Table
The Ethernet ring protection protocol can direct data packets to the correct link by controlling the aging of the switch's MAC address table when the topology changes. In general, the time for a MAC address to age out of the MAC address table is 300 seconds.
the ring network is not intact. Then the master node removes the blocking of the data VLANs on the secondary port, ages its local MAC address table, and transmits RING-DOWN-FLUSH-FDB packets to notify the other nodes. If the master node receives HEALTH packets on the secondary port while it is open to the data VLANs, the ring network has been restored.
After STP is disabled, it is recommended that you run spanning-tree bpdu-terminal to keep the ring node from forwarding BPDUs, which could otherwise lead to a storm. See the following table:
Table 2.1 Default settings of the Ethernet ring protection protocol and STP
Spanning tree protocol    spanning-tree mode rstp
Fast Ethernet Ring Protection    There is no configuration.
41.
Switch_config#ether-ring id    Sets a node and enters the node configuration mode. id: instance ID.
Switch_config_ring#control-vlan vlan-id    Configures the control VLAN. vlan-id: ID of the control VLAN.
Switch_config_ring#master-node    Configures the node type to be a master node.
Switch_config_ring#hello-time value    This step is optional. Configures the interval at which the master node transmits the HEALTH packets. value: a time ranging from 1 to 10 seconds; the default value is 1 second.
intf-name: Stands for the name of an interface.
Switch_config_intf#ether-ring id {primary-port | secondary-port | transit-port}    Configures the type of the port in the Ethernet ring. id: ID of the Ethernet ring node.
Switch_config_intf#exit    Exits from interface configuration mode.
Remark: The no ether-ring id {primary-port | secondary-port | transit-port} command can be used to cancel the port settings of the Ethernet ring.
41.9.
Shuts down STP and configures the Ether-ring node:
S1_config#no spanning-tree
S1_config#ether-ring 1
S1_config_ring1#control-vlan 2
S1_config_ring1#master-node
The following commands are used to set the time related parameters:
S1_config_ring1#hello-time 2
S1_config_ring1#fail-time 6
Exits from the node configuration mode:
S1_config_ring1#exit
Configures the primary port and the secondary port:
S1_config#interface gigaEthernet 0/1
S1_config_g0/1#ether-ring 1 primary-port
S1_config_g0/1#exit
S1_config#int
Chapter 42 IGMP Snooping Configuration
42.1 IGMP Snooping Configuration Task
The task of IGMP snooping is to maintain the relationships between VLANs and group addresses and to update them as the multicast membership changes, enabling Layer 2 switches to forward data according to the topology of the multicast group.
42.1.2 Adding/Deleting Static Multicast Address of VLAN
Hosts that do not support IGMP can receive the corresponding multicast messages if a static multicast address is configured. Perform the following configurations in global configuration mode:
Command    Description
ip igmp-snooping vlan vlan_id interface intf static A.B.C.D    Adds a static multicast address of the VLAN.
no ip igmp-snooping vlan vlan_id interface intf static A.B.C.D    Deletes a static multicast address of the VLAN.
42.1.
Command    Purpose
ip igmp-snooping policy word    Adds an IP ACL used in generating the multicast forwarding table.
no ip igmp-snooping policy    Deletes the IP ACL used in generating the multicast forwarding table.
42.1.6 Configuring the Function to Filter Multicast Messages Without Registered Destination Address
When the target of a multicast message cannot be found (DLF, the destination address is not registered in the switch chip through igmp-snooping), the default behaviour is to send the message on all ports of the VLAN.
sends the query message. If no report message is received before the timer expires, the switch deletes the multicast address. Perform the following configurations in global configuration mode:
Command    Description
ip igmp-snooping timer response-time timer_value    Configures the value of the Response Time of IGMP snooping.
no ip igmp-snooping timer response-time    Resumes the default value of the Response Time of IGMP snooping.
Note: The timer value must not be too small.
no ip igmp-snooping querier querier-timer    Restores the IGMP snooping Querier Time to the default.
By default, the IGMP snooping querier is shut down. The default interval of Query messages is 200 seconds.
Note: If the Querier function is enabled, querier-timer should not be set too long. If there are other switches in the subnet with the querier enabled, a long querier-timer (longer than the other switches' router-age) leads to instability of the querier election in the subnet.
42.1.
Note: If quick-query is enabled, a query is sent to a port as soon as that port comes up. The function is intended for downstream hosts that do not actively send join packets.
42.1.14 Configuring Decrease-query-report-for-mvc of IGMP Snooping
If decrease-query-report of IGMP snooping is enabled, the command takes effect only after mvc is enabled. It is used to reduce the broadcast of IGMP snooping forwarding or protocol packets in mvc mode.
When L3 multicast is enabled across several cascaded switches, the upstream devices can only learn the downstream VLAN ports through the multicast routing protocol, and there is no IGMP packet exchange between the upstream and downstream devices. Hence the snooping on the upstream devices cannot learn the specific physical ports to which the downstream devices connect, and the upstream devices send the multicast packets to all physical ports in the local VLAN.
snooping leave-check
      v3-query message after receiving a v3 leave message.
42.1.19 Configuring IGMP Snooping's forward-wrongiif-within-vlan Function
If the forward-wrongiif-within-vlan function of IGMP snooping is enabled, multicast data messages received from a wrong VLAN interface port are L2-forwarded within the source VLAN, to the group member ports in that VLAN. Otherwise, the messages are dropped.
By default the maximum quantity is 2048 for IGMP snooping.
42.1.22 Monitoring and Maintaining IGMP-Snooping
Perform the following operations in management mode:
Command / Purpose
  show ip igmp-snooping
      Displays IGMP-snooping configuration information.
  show ip igmp-snooping timer
      Displays the timer information of IGMP-snooping.
  show ip igmp-snooping groups
      Displays information about the multicast groups of IGMP-snooping.
  show ip igmp-snooping statistics
      Displays IGMP-snooping statistics.
Display the IGMP-snooping timers:
switch#show ip igmp-snooping timers
vlan 1 router age : 251
    Indicates the timeout of the router age timer.
vlan 1 multicast address 0100.5e00.0809 response time : 1
    Indicates the time elapsed since the last multicast group query message was received; if no host on the port responds before the timer expires, the port is deleted.
Configuring Switch
(3) Enable IGMP-snooping of VLAN 1, which connects Private Network A.
Switch_config#ip igmp-snooping vlan 1
(4) Enable IGMP-snooping of VLAN 2, which connects Private Network B.
Chapter 43 IGMP Proxy Configuration
43.1 IGMP Proxy Configuration Tasks
The IGMP Proxy allows the VLAN where the multicast user is located to receive multicast sources from other VLANs. The IGMP Proxy runs on layer 2 independently, without other multicast routing protocols. IGMP proxy forwards the IGMP packets of the proxied (client) VLAN into the proxying (agent) VLAN and maintains the hardware forwarding table for the multicast users of the agent VLAN according to these IGMP packets.
  ip igmp-proxy agent-vlan avlan_map map cvlan_map client-vlan
      Adds the agent VLAN (avlan_map) to manage the represented VLAN (cvlan_map).
  no ip igmp-proxy agent-vlan avlan_map client-vlan map cvlan_map
      Deletes the agent relationship.
Note:
1. The represented VLAN cannot be configured before the VLAN designated by avlan_map; likewise, the agent VLAN cannot be configured before cvlan_map.
2. The represented and agent VLANs must be under the control of IGMP Snooping.
43.1.
Switch# show ip igmp-proxy mcache
Codes: '+' synchronization, '-' deleted, 'S' static '^' unsynchronization
Item 1: Group 225.1.1.2
    +(192.168.213.163, 2, G3/24) VLAN 3,4
43.1.5 IGMP Proxy Configuration Example
The network topology is shown in figure 1.
Switch configuration:
(15) Enable IGMP snooping and IGMP proxy.
Switch_config#ip igmp-snooping
Switch_config#ip igmp-proxy enable
(16) Add VLAN 2 as the agent VLAN of the represented VLAN 3.
Chapter 44 DHCP Snooping Configuration
44.1 DHCP Snooping Configuration Tasks
DHCP snooping prevents a fake DHCP server from providing DHCP service by inspecting DHCP packets and maintaining the binding relationship between MAC address and IP address. The L2 switch can perform the DAI function and the IP source guard function according to this MAC-to-IP binding relationship.
44.1.2 Enabling DHCP Snooping in a VLAN
If DHCP snooping is enabled in a VLAN, the DHCP packets received from all untrusted physical ports in the VLAN are checked for legitimacy. DHCP response packets received from untrusted physical ports in the VLAN are dropped, preventing a fake or misconfigured DHCP server from providing address distribution services.
44.1.5 Enabling/Disabling Binding Table Fast Update Function
This function is disabled by default. When it is disabled and a port has been bound to client A, a DHCP request with the same MAC address on another port is regarded as a fake-MAC attack even if client A is offline. When the function is enabled, this case does not occur.
VLAN are rejected if their source MAC addresses and source IP addresses do not match the configured MAC-to-IP binding relationship. The binding relationship on an interface can be learned dynamically through DHCP or configured manually. If no MAC addresses are bound to IP addresses on a physical interface, the switch rejects forwarding all IP packets received from that interface. Run the following commands in global configuration mode.
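The behaviour of sections 44.1.2 through this one, as one added Python model (not code from the manual or from PLANET): DHCP server replies arriving on an untrusted port are dropped, a server ACK for a client whose request was seen on an untrusted port creates a MAC/IP/VLAN/port binding, a request for an already-bound MAC from a different port is rejected as a fake-MAC attack unless the fast-update function is on, and IP source guard then rejects IP packets on untrusted ports that do not match a binding on that very port. Port names, MAC addresses and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

# Constructed model of the manual's DHCP snooping binding table and IP source guard.
# All port names, MAC and IP addresses below are made up for the example.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # only legitimate from a trusted port
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnooping:
    def __init__(self, trusted_ports: Iterable[str], snooping_vlans: Iterable[int],
                 fast_update: bool = False):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.fast_update = fast_update               # the manual's "binding table fast update"
        self.bindings: Dict[str, Binding] = {}        # client MAC -> binding
        self.pending: Dict[str, Tuple[int, str]] = {} # client MAC -> (vlan, port) of its REQUEST

    def add_static(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Manual binding, like 'ip source binding MAC IP' configured on the port."""
        self.bindings[mac] = Binding(mac, ip, vlan, port)

    def handle_dhcp(self, msg: str, chaddr: str, yiaddr: Optional[str],
                    vlan: int, port: str) -> str:
        """Decide 'forward' or 'drop: <reason>' for one DHCP message and learn bindings.

        chaddr is the client hardware address carried in the message (for server
        replies it still names the client); yiaddr is the address a server assigns.
        """
        if vlan not in self.vlans:
            return "forward"                          # snooping not enabled in this VLAN
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop: server message on untrusted port"   # rogue or misconfigured server
            if msg == "ACK" and yiaddr and chaddr in self.pending:
                cvlan, cport = self.pending.pop(chaddr)
                self.bindings[chaddr] = Binding(chaddr, yiaddr, cvlan, cport)
            return "forward"
        if msg in CLIENT_MSGS:
            bound = self.bindings.get(chaddr)
            if bound and bound.port != port:
                if not self.fast_update:
                    return "drop: MAC already bound on another port"   # treated as fake-MAC attack
                del self.bindings[chaddr]             # fast update: let the client re-bind here
            self.pending[chaddr] = (vlan, port)
        return "forward"

    def verify_source(self, src_ip: str, src_mac: str, vlan: int, port: str) -> bool:
        """IP source guard: IP traffic on an untrusted port must match a binding on that port."""
        if port in self.trusted:
            return True
        b = self.bindings.get(src_mac)
        # With no binding on the port at all, every IP packet from it is rejected.
        return b is not None and b.ip == src_ip and b.vlan == vlan and b.port == port


def run_scenario(fast_update: bool = False) -> List[Union[str, bool]]:
    sn = DhcpSnooping(trusted_ports={"g0/1"}, snooping_vlans={1}, fast_update=fast_update)
    log: List[Union[str, bool]] = []
    # 1. legitimate client on g0/3 requests; the server behind trusted g0/1 acknowledges
    log.append(sn.handle_dhcp("REQUEST", "00-e0-0f-26-23-89", None, 1, "g0/3"))
    log.append(sn.handle_dhcp("ACK", "00-e0-0f-26-23-89", "192.2.2.101", 1, "g0/1"))
    # 2. a server answering from an untrusted port is dropped
    log.append(sn.handle_dhcp("OFFER", "00-e0-0f-aa-aa-aa", "10.9.9.9", 1, "g0/7"))
    # 3. IP source guard on g0/3: bound address passes, spoofed address or wrong port fails
    log.append(sn.verify_source("192.2.2.101", "00-e0-0f-26-23-89", 1, "g0/3"))
    log.append(sn.verify_source("192.2.2.250", "00-e0-0f-26-23-89", 1, "g0/3"))
    log.append(sn.verify_source("192.2.2.101", "00-e0-0f-26-23-89", 1, "g0/5"))
    # 4. the same MAC now requests from g0/5: a fake-MAC attack unless fast update is on
    log.append(sn.handle_dhcp("REQUEST", "00-e0-0f-26-23-89", None, 1, "g0/5"))
    return log


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The model makes the operational consequence of section 44.1.5 visible: with fast update off, a client that physically moves to another port keeps being rejected until its old binding expires or is removed, which is the price of treating every duplicate MAC as an attack.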
  {snmp-ifindex | manual | hn-type | cm-type} [host]
  no ip dhcp-relay snooping information option format
      Sets that option 82 is not carried when DHCP snooping forwards DHCP packets.
Command / Operation
  dhcp snooping information vendor-specific string STRING
      If option 82 is set to the manual format, you need to set DHCP snooping to forward DHCP packets carrying option 82 whose content is the character string STRING. This command is set on the port that connects the client.
there is no binding relationship on this interface. After source IP address monitoring is enabled, the switch rejects forwarding all IP packets from such an interface. After the TFTP server is configured for interface binding backup, the binding relationship is backed up to the server through the TFTP protocol. After the switch restarts, it automatically downloads the binding list from the TFTP server, so that the network keeps running normally. Run the following commands in global configuration mode.
  no ip dhcp-relay snooping write-time
      Restores the interval of checking interface binding backup to the default setting.
44.1.15 Setting Interface Binding Manually
If a host does not obtain its address through DHCP, you can add the binding item on an interface of the switch to enable the host to access the network. Run no ip source binding MAC IP to delete items from the corresponding binding list.
GigaEthernet0/11
The following shows the binding information about dhcp-relay snooping:
switch#show ip dhcp-relay snooping binding
Hardware Address   IP Address    remainder time  Type     VLAN  interface
00-e0-0f-26-23-89  192.2.2.101   86400           DHCP_SN  3     GigaEthernet0/3
The following shows all binding information about dhcp-relay snooping:
switch#show ip dhcp-relay snooping binding all
Hardware Address   IP Address    remainder time  Type     VLAN  interface
00-e0-0f-32-1c-59  192.2.2.1     infinite        MANUAL   1     192.2.2.
Configuring Switch
Enable DHCP snooping in VLAN 1, which connects private network A.
Switch_config#ip dhcp-relay snooping
Switch_config#ip dhcp-relay snooping vlan 1
Enable DHCP snooping in VLAN 2, which connects private network B.
Switch_config#ip dhcp-relay snooping
Switch_config#ip dhcp-relay snooping vlan 2
Set the interface that connects the DHCP server as a DHCP-trusted interface.
ip verify source vlan 1
ip dhcp-relay snooping information option format manual
Chapter 45 Configuring Layer 2 Protocol Tunnel
45.1 Introduction
Layer 2 protocol tunnel allows users on the two sides of the switch to transmit the specified layer 2 protocol over their own network without being affected by the corresponding layer 2 software module of the switch. The switch acts as a transparent medium for the users.
45.2 Configuring Layer 2 Protocol Tunnel
Use the command line on the interface of the switch to configure the tunnel function of the layer 2 protocol.
(6) The f0/1 of switch A1 and f0/2 of A2 should be configured as Access ports, and the tunnel function of the STP protocol should be enabled on them.
Chapter 46 QoS Configuration
If you want to use your bandwidth and network resources efficiently, you must pay attention to QoS configuration.
46.1 QoS Overview
46.1.1 QoS Concept
In general, the switch works in best-effort mode, in which it treats all flows equally and tries its best to deliver all of them. Thus, if congestion occurs, all flows have the same chance of being discarded.
Best-effort service
The best-effort service is a simple service model. In this model, an application can send any amount of data at any time without applying for a permit or notifying the network. With best-effort service, the network transmits data if it can, with no guarantee of reliability, delay or throughput. The QoS of the switch on which the best-effort service is realized is by nature this kind of service, that is, first come first served (FCFS).
Differentiated service
With differentiated service, if a special service is to be transmitted in a network, each packet should carry a corresponding QoS tag. The switch uses QoS rules to classify packets and complete intelligent queuing. The QoS of the switch provides Strict Priority (SP), Weighted Round Robin (WRR), Deficit Round Robin (DRR) and First-Come-First-Served (FCFS).
46.1.3 Queue Algorithm of QoS
Each queue algorithm is an important basis for realizing QoS.
Strict priority
This algorithm first serves the flow with the highest priority, and only after the highest-priority flow is served does it serve the next-highest flow. It gives comparatively good service to flows with relatively high priority, but its drawback is equally obvious: flows with low priority may get no service at all and starve.
Weighted round robin
Weighted Round Robin (WRR) is an effective solution to the defect of Strict Priority (SP), in which the low-priority queues always starve. WRR is an algorithm that gives each priority queue a certain bandwidth and serves the priority queues in order from high priority to low priority. After the queue with the highest priority has used up all its bandwidth, the system automatically serves the queues with the next highest priority.
Weighted Fair Queuing
First come first served The First-Come-First-Served queue algorithm, which is shortened as FCFS, provides service to those packets according to their sequence of arriving at a switch, and the packet that first arrives at the switch will be served first. 46.1.
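The SP-versus-WRR contrast of the preceding paragraphs, as an added Python simulation (not code from the manual or from PLANET): both schedulers are run over the same constructed backlog of two queues for a fixed number of transmit slots. Queue numbers, weights and backlog sizes are assumed example values; the product's eight queues and its actual weight semantics are not modelled beyond what the text states.

```python
from collections import Counter, deque
from typing import Deque, Dict, List


def make_queues(backlog: Dict[int, int]) -> Dict[int, Deque[int]]:
    """Build per-priority queues; each queued item is just a packet sequence number."""
    return {q: deque(range(n)) for q, n in backlog.items()}


def strict_priority(queues: Dict[int, Deque[int]], slots: int) -> List[int]:
    """SP: each transmit slot goes to the highest non-empty queue. Lower queues starve."""
    served: List[int] = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                queues[q].popleft()
                served.append(q)
                break
        else:
            break                              # every queue is empty
    return served


def weighted_round_robin(queues: Dict[int, Deque[int]], weights: Dict[int, int],
                         slots: int) -> List[int]:
    """WRR: visit queues from high to low priority; each may send up to its weight per round.

    A queue that has used its share waits for the next round, so low-priority
    queues still get a guaranteed fraction of the slots. An empty queue forfeits
    its share to the others in that round.
    """
    served: List[int] = []
    order = sorted(queues, reverse=True)
    while len(served) < slots and any(queues.values()):
        for q in order:
            sent = 0
            while queues[q] and sent < weights[q] and len(served) < slots:
                queues[q].popleft()
                served.append(q)
                sent += 1
    return served


def compare(slots: int = 12) -> Dict[str, Dict[int, int]]:
    """Constructed backlog: queue 7 holds 20 packets, queue 0 holds 5; `slots` slots are scheduled."""
    backlog = {7: 20, 0: 5}
    sp = Counter(strict_priority(make_queues(backlog), slots))
    wrr = Counter(weighted_round_robin(make_queues(backlog), {7: 3, 0: 1}, slots))
    return {"sp": dict(sp), "wrr": dict(wrr)}


if __name__ == "__main__":
    print(compare())
```

With a persistent high-priority backlog, SP never reaches queue 0 within the scheduled slots, while WRR with weights 3:1 hands queue 0 every fourth slot, which is exactly the "certain bandwidth" guarantee the text describes.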
Congestion avoidance and traditional packet loss mechanism
Excessive congestion damages network resources, so network congestion must be resolved through some measures. Congestion avoidance is a flow control method that monitors network resources, proactively drops packets and regulates network flows to resolve network overload. The traditional way of resolving network congestion is to drop all incoming packets once the queue length reaches its threshold.
WRED
The WRED algorithm is adopted to prevent TCP global synchronization. WRED lets users set queue thresholds. When the queue length is less than the configured threshold, packets are not dropped; otherwise, packets are dropped randomly. Because WRED drops packets randomly, it prevents many TCP connections from reducing their transmission rate at the same time, which is how TCP global synchronization is avoided.
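The difference between tail drop and WRED described above, as an added Python simulation (not code from the manual or from PLANET): a single queue drained one packet per step is fed a constructed overload, once with the traditional drop-everything-at-threshold policy and once with a piecewise-linear WRED drop curve. The thresholds, drop probability and arrival pattern are assumed example values; the switch's actual WRED parameters are not on the page.

```python
import random
from typing import Callable, List

Policy = Callable[[int, Callable[[], float]], bool]   # (queue_len, rng) -> drop?


def wred_drop_probability(queue_len: int, min_th: int, max_th: int, max_p: float) -> float:
    """Piecewise-linear WRED curve: 0 below min_th, rising to max_p at max_th, 1 above."""
    if queue_len < min_th:
        return 0.0
    if queue_len >= max_th:
        return 1.0
    return max_p * (queue_len - min_th) / (max_th - min_th)


def wred_policy(min_th: int, max_th: int, max_p: float) -> Policy:
    """Drop an arriving packet at random with the WRED probability for the current depth."""
    return lambda queue_len, rng: rng() < wred_drop_probability(queue_len, min_th, max_th, max_p)


def tail_drop_policy(max_th: int) -> Policy:
    """Traditional behaviour: accept everything until the threshold, then drop everything."""
    return lambda queue_len, rng: queue_len >= max_th


def run(arrivals: List[int], policy: Policy,
        rng: Callable[[], float] = random.random) -> List[int]:
    """Simulate a queue served one packet per step; return the step index of every drop.

    arrivals[t] is the number of packets arriving in step t (constructed input).
    With tail drop the drops bunch up once the queue is full, so every TCP flow
    sharing the queue loses packets at the same moment and backs off together
    (global synchronization). WRED spreads the drops over time and over flows.
    """
    queue = 0
    drops: List[int] = []
    for t, n in enumerate(arrivals):
        for _ in range(n):
            if policy(queue, rng):
                drops.append(t)
            else:
                queue += 1
        queue = max(0, queue - 1)              # one packet transmitted per step
    return drops


if __name__ == "__main__":
    burst = [2] * 10                           # constant 2-in/1-out overload
    print("WRED :", run(burst, wred_policy(4, 8, 0.5)))
    print("tail :", run(burst, tail_drop_policy(8)))
```

Passing a fixed `rng` makes the WRED run reproducible, which is how the example can be checked; with real randomness the drops land at different steps but always begin before the queue is full, whereas tail drop only ever drops at the threshold.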
8. Setting Global CoS to Local Priority Mapping
9. Setting the Bandwidth of the CoS Priority Queue
10. Setting the Schedule Policy of the CoS Priority Queue
11. Setting the Default CoS Value of a Port
12. Setting the CoS Priority Queue of a Port
13. Setting the CoS Priority Queue of a Port
14. Establishing the QoS Policy Mapping
15. Setting the Description of the QoS Policy Mapping
16. Setting the Matchup Data Flow of the QoS Policy Mapping
17.
cng-bit is the congestion bit of the CoS mapping.
  exit
      Exits from the management configuration mode.
  write
      Saves the configuration.
46.3.3 Setting the Bandwidth of the CoS Priority Queue
The bandwidth of a priority queue means the bandwidth distribution ratio of each priority queue, which is set when the schedule policy of the CoS priority queue is WRR/DRR. This series of switches has 8 priority queues in total. If this command is run, the bandwidth of all priority queues on all interfaces is affected.
46.3.5 Configuring the Minimum and Maximum Bandwidths of CoS Priority Queue
The minimum and maximum bandwidths of a CoS priority queue can be modified through configuration. Flows with a bandwidth less than the configured minimum bandwidth are not dropped, but flows with a bandwidth greater than the configured maximum bandwidth are all dropped. Enter the privileged mode.
Command / Purpose
  config
      Enters the global configuration mode.
  interface g0/1
      Enters the to-be-configured port.
conduct the configuration of a global CoS priority queue. Enter the privileged mode and run the following commands to set the default CoS value of a port:
Command / Purpose
  config
      Enters the global configuration mode.
  interface g0/1
      Enters the to-be-configured port.
  [no] cos map quid cos1..cosn
      Sets the CoS priority queue. quid stands for the ID of a CoS priority queue; cos1...cosn stand for the IEEE 802.1p-defined CoS values.
  exit
      Goes back to the global configuration mode.
46.3.10 Setting the Description of the QoS Policy Mapping
Enter the privileged mode and run the following commands to set the description of a QoS policy mapping. This setting replaces the previous one.
Command / Purpose
  config
      Enters the global configuration mode.
  [no] policy-map name
      Enters the configuration mode of the QoS policy map. name stands for the name of the policy.
  description description-text
      Sets the description of the QoS policy.
  | mac mac-access-list }
  no classify { cos | icos | vlan | ivlan | ethernet-type | precedence | dscp | tos | diffserv | ip | ipv6 | mac }
      vlanid stands for the matched VLAN, which ranges from 1 to 4094.
      ivlanid stands for the matched inner VLAN, which ranges from 1 to 4094.
      ethernet-type stands for the matched packet type, which is between 0x0600 and 0xFFFF.
      precedence-value stands for the priority field in the ToS of an IP packet, which ranges from 0 to 7.
  cir commit-band {bc commit-burst-size {be peak-burst-size | pir pir-band}} [conform {forward | dscp dscp-value} | exceed {forward | drop | dscp
      Sets the policing: cir commit-band stands for the committed bandwidth. bc commit-burst-size stands for the size of the discardable burst packet, which ranges from 4 to 4096 Kb.
actions conflict, the actions of the first matched policy take effect. After a QoS policy is applied on a port, the switch adds a default policy to the port that blocks other data flows, which are not allowed to pass. When all policies on a port are deleted, the switch automatically removes the default blocking policy from the port. Enter the privileged mode and run the following commands to apply the QoS policy.
Command / Purpose
  config
      Enters the global configuration mode.
46.4 QoS Configuration Example
46.4.1 Example for Applying the QoS Policy on a Port
The following example shows how to set the CoS of packets to 2 on port g0/2:
ip access-list extended ipacl
 permit ip 192.168.20.2 255.255.255.255 192.168.20.210 255.255.255.255
!
policy-map pmap
 classify ip ipacl
 action cos 2
!
interface g0/2
 qos policy pmap ingress
!
46.
Chapter 47 DoS Attack Prevention Configuration
47.1 Concept of DoS Attack
A DoS attack is also called a denial-of-service attack. Common DoS attacks include network bandwidth attacks and connectivity attacks. The DoS attack is a frequent attack mode used by hackers. Its ultimate purpose is to bring networks down so that they stop providing legitimate users with normal network services.
Ping of Death
Ping of Death uses an abnormal Ping packet whose declared size exceeds the ICMP size limit, which crashes the TCP/IP stack and finally the receiving host.
TearDrop
TearDrop exploits the information in the header of IP fragments, which the TCP/IP stack trusts. An IP fragment carries information indicating which part of the original packet it contains, and some TCP/IP stacks crash when they receive forged fragments with overlapping offsets.
SYN Flood
A standard TCP connection goes through a three-way handshake. A client sends a SYN message to a server, the server returns a SYN-ACK message, and the client sends an ACK message to the server after receiving the SYN-ACK. In this way a TCP connection is established. SYN flood attacks the TCP protocol stack at the point where it initializes this handshake between two hosts.
Land Attack
The attacker crafts a special SYN message in which the source address and the destination address are both the server's address. The SYN message causes the server to send the SYN-ACK message to itself, so the same address also sends the ACK message and creates an empty connection. Each such connection is kept until it times out, so the server breaks down. Land attacks can be classified into IP land and MAC land.
47.
      Configures mac to block packets whose source MAC equals the destination MAC.
      Configures tcpflags to block TCP packets containing illegal TCP flags.
      Configures tcpfrag to block TCP packets whose TCP header is shorter than the minimum length tcpfrag-value.
  exit
      Goes back to the EXEC mode.
  write
      Saves the settings.
47.4.2 Displaying All DoS Attack Prevention Configurations
You can display the DoS attack prevention configurations through the show command.
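The checks that the mac, tcpflags and tcpfrag filters above perform, together with the IP land and TearDrop conditions from section 47.1, as an added Python detector (not code from the manual or from PLANET) run over a constructed capture. The set of flag combinations treated as illegal and the 20-byte minimum header are assumptions; the switch's own definitions of these parameters are not stated on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    tcp_flags: int = 0
    tcp_hdr_len: int = 20      # bytes, from the TCP data-offset field


def illegal_tcp_flags(flags: int) -> bool:
    """Flag combinations no real TCP stack emits (the set used here is an assumption)."""
    if flags == 0:                           # null flags: malformed
        return True
    if flags & SYN and flags & FIN:          # SYN+FIN
        return True
    if flags & SYN and flags & RST:          # SYN+RST
        return True
    return False


def dos_checks(pkt: Packet, tcpfrag_min: int = 20) -> List[str]:
    """Return the names of the manual's DoS filters this packet would trigger."""
    hits: List[str] = []
    if pkt.src_ip == pkt.dst_ip:
        hits.append("ipland")                # Land attack at the IP level
    if pkt.src_mac.lower() == pkt.dst_mac.lower():
        hits.append("macland")               # Land attack at the MAC level
    if pkt.proto == "tcp":
        if illegal_tcp_flags(pkt.tcp_flags):
            hits.append("tcpflags")
        if pkt.tcp_hdr_len < tcpfrag_min:    # header too short to be a complete TCP header
            hits.append("tcpfrag")
    return hits


def fragments_overlap(fragments: List[Tuple[int, int]]) -> bool:
    """TearDrop check: fragments given as (offset, length) in bytes; True if any two overlap."""
    spans = sorted(fragments)
    for (off1, len1), (off2, _len2) in zip(spans, spans[1:]):
        if off2 < off1 + len1:
            return True
    return False


def scan(packets: List[Packet]) -> Dict[int, List[str]]:
    """Run the checks over a capture and report only the packets that trip something."""
    report: Dict[int, List[str]] = {}
    for i, p in enumerate(packets):
        hits = dos_checks(p)
        if hits:
            report[i] = hits
    return report


# Constructed capture: addresses and MACs are made up for the example.
SAMPLE = [
    Packet("00-11-22-33-44-01", "00-11-22-33-44-ff", "10.0.0.5", "10.0.0.1", "tcp", SYN),
    Packet("00-11-22-33-44-01", "00-11-22-33-44-ff", "10.0.0.1", "10.0.0.1", "tcp", SYN),
    Packet("00-11-22-33-44-01", "00-11-22-33-44-ff", "10.0.0.5", "10.0.0.1", "tcp", SYN | FIN),
    Packet("00-11-22-33-44-01", "00-11-22-33-44-ff", "10.0.0.5", "10.0.0.1", "tcp", ACK, tcp_hdr_len=8),
    Packet("00-11-22-33-44-ff", "00-11-22-33-44-ff", "10.0.0.5", "10.0.0.1", "udp"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(fragments_overlap([(0, 1480), (1400, 200)]))
```

Packet 0 is an ordinary SYN and is not reported; the others each trip exactly one of the filters, which is the behaviour to expect from the show output once the corresponding prevention types are enabled.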
Chapter 48 Attack Prevention Introduction
48.1 Overview of Filter
To guarantee reasonable usage of network bandwidth, this switch series provides a function to prevent malicious traffic from occupying large amounts of network bandwidth. Filter identifies the packets received by an interface of the switch and counts them by packet type. In light of current attack modes, Filter counts the number of ARP, IGMP or IP messages that a host sends within a time interval.
Chapter 49 Attack Prevention Configuration
49.1 Attack Prevention Configuration Tasks
When the number of IGMP, ARP or IP messages sent by a host in a designated interval exceeds the threshold, the host is considered to be attacking the network. You can select the type of attack prevention (ARP, IGMP or IP), the attack prevention port and the attack detection parameters.
packet threshold equals 3/4 of the attack filter packet threshold.
  Switch_config# filter shutdown-action
      Shuts down the port when an attack source is detected in raw mode.
49.3.1 Configuring the Attack Prevention Type
In global and interface configuration mode, use the following commands to configure the type of attack filter.
Command / Purpose
  Switch# config
      Enters the global configuration mode.
  Switch_config# filter dhcp
      Enables the DHCP packet attack filter in global configuration mode.
Note:
1. The IGMP attack prevention and the IP attack prevention cannot be started together.
2. IP, ICMP, ICMPv6 and DHCP filters take effect only in global and interface configuration mode.
49.3.2 Enabling the Attack Prevention Function
After all parameters for attack prevention are set, you can start the attack prevention function. Note that a small amount of processor resources is consumed while the attack prevention function is running.
Chapter 50 Attack Prevention Configuration Example
Note: The examples shown in this chapter are only a reference for Filter configuration. Please configure according to your actual network conditions.
50.1 Using Filter ARP to Protect the LAN
As shown in the following figure, configure the ARP attack filter on Switch. Set the Filter parameters: a host sending more than 100 ARP messages in 10 s is taken as an attack source.
50.2 Using Filter IP to Protect Layer-3 Network
As shown in the following figure, Switch is connected to multiple LANs, servers and the Internet. IP packet attack prevention can block cross-subnet IP scans and the large number of network connections that BitTorrent opens in a short time. Set the Filter parameters: a host sending more than 300 ARP messages in 1 minute is taken as an attack source.
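The detection rule of chapters 48 through 50 (a host exceeding N messages of one type within T seconds is an attack source), as an added Python sliding-window counter (not code from the manual or from PLANET). The thresholds follow the two examples above; the hosts, ports and traffic are constructed, and the alert string and shutdown bookkeeping are this model's own, not the switch's log format.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class AttackFilter:
    """Sliding-window rate check per (packet type, host), modelled on the manual's Filter.

    thresholds maps a packet type to (max_packets, window_seconds): a host that
    sends more than max_packets of that type within window_seconds is flagged
    as an attack source. The values used in demo() follow the two examples in
    this chapter (100 ARP in 10 s, 300 in 1 min).
    """

    def __init__(self, thresholds: Dict[str, Tuple[int, float]]):
        self.thresholds = thresholds
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.flagged: Dict[Tuple[str, str], Tuple[float, str]] = {}   # -> (time, port)

    def observe(self, ptype: str, host: str, port: str, ts: float) -> Optional[str]:
        """Record one packet; return an alert string the first time a host crosses the limit."""
        if ptype not in self.thresholds:
            return None
        limit, window = self.thresholds[ptype]
        recent = self.windows[(ptype, host)]
        recent.append(ts)
        while recent and recent[0] <= ts - window:   # forget packets outside the window
            recent.popleft()
        if len(recent) > limit and (ptype, host) not in self.flagged:
            self.flagged[(ptype, host)] = (ts, port)
            return f"attack source {host} ({ptype}) on {port}"
        return None

    def ports_to_shut_down(self) -> List[str]:
        """What a 'shutdown-action' policy would act on: the port of every flagged source."""
        return sorted({port for _ts, port in self.flagged.values()})


def demo() -> List[str]:
    """Constructed traffic: 10.0.0.5 bursts 120 ARPs in 6 s; 10.0.0.9 sends 60 ARPs in 10 s."""
    f = AttackFilter({"arp": (100, 10.0), "ip": (300, 60.0)})
    events: List[Tuple[str, str, str, float]] = []
    events += [("arp", "10.0.0.5", "g0/5", i * 0.05) for i in range(120)]
    events += [("arp", "10.0.0.9", "g0/9", i / 6.0) for i in range(60)]
    events.sort(key=lambda e: e[3])
    alerts: List[str] = []
    for ptype, host, port, ts in events:
        alert = f.observe(ptype, host, port, ts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(demo())
```

The window is what makes the rule a rate rather than a lifetime count: a host that sends the same 100 ARPs spread over 20 seconds never has more than 50 of them inside a 10-second window and is not flagged.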
Chapter 51 Configuring IP Addressing
51.1 IP Introduction
51.1.1 IP
Internet Protocol (IP) is the protocol used in the network to exchange data in packet form. IP provides functions such as addressing, fragmentation, reassembly and multiplexing. Other IP protocols (the IP protocol suite) are based on IP. As a protocol working on the network layer, IP carries the addressing and control information used for routing. Transmission Control Protocol (TCP) is also based on IP.
Others
Details of the above items are not described in this section. We only remind you that your network requirements must be satisfied when you choose the routing protocols.
(2) IGRP
Interior Gateway Routing Protocol (IGRP) is used for network targets within an autonomous system. All IP IGRP processes must be connected to networks when they are started.
Class  Address range                    Status
A      1.0.0.0 to 126.0.0.0             Available
       127.0.0.0                        Reserved
B      128.0.0.0 to 191.254.0.0         Available
       191.255.0.0                      Reserved
C      192.0.0.0                        Reserved
       192.0.1.0 to 223.255.254         Available
       223.255.255.0                    Reserved
D      224.0.0.0 to 239.255.255.255     Multicast address
E      240.0.0.0 to 255.255.255.254     Reserved
       255.255.255.255                  Broadcast
The official description of IP addresses is in RFC 1166, "Internet Numbers". You can contact your Internet service provider. An interface has only one primary IP address.
multiple subnets that connect to the same physical network. If two subnets of one network are physically separated by another network, you can use an address of that network as the subordinate IP address. In this way, two subnets of a logical network that are physically separated are logically connected together.
Note: If you configure a subordinate IP address for a routing SWITCH in a network segment, you need to do the same for the other routing SWITCHes in the same network segment.
The static ARP cache item is generally not required because most hosts support dynamic address resolution. You can define it in global configuration mode if necessary. The system utilizes the static ARP cache item to translate the 32-bit IP address into a 48-bit MAC address. Additionally, you can specify the routing SWITCH to respond to the ARP request for other hosts. You can set the active period for the ARP entries if you do not want the ARP entry to exist permanently.
  ip proxy-arp
      Activates proxy ARP on the interface.
Configuring free ARP function
The SWITCH can learn whether the IP address of another device collides with its own by sending a free (gratuitous) ARP message. The source IP address and the destination IP address contained in a free ARP message are both the local address of the SWITCH, and the source MAC address is the local MAC address. The SWITCH processes free ARP messages by default.
To set the maximum retransmissions of the Re-Detect packets, run the following command. The ARP entries (tagged with G) that routing entry gateways depend on are re-detected when they age, so that the promptness and correctness of the hardware subnet routing can be guaranteed. The more retransmissions, the more likely re-detection succeeds.
Command / Purpose
  arp max-gw-retries number
      Sets the maximum retransmissions of the Re-Detect packets. The default is 3.
identify and receive messages of the two types.
(1) Allowing Translation from Directed Broadcast to Physical Broadcast
By default, IP directed broadcast packets are dropped rather than forwarded. Dropping IP directed broadcast packets helps protect the routing SWITCH from denial-of-service attacks. You can activate forwarding of directed IP broadcasts on the interface where the directed broadcast is transformed into a physical broadcast.
51.3.6 Detecting and Maintaining IP Address
To detect and maintain the network, run the following commands:
(1) Clearing Cache, List and Database
You can clear all content in a cache, list or database when you think some of its content is invalid. Run the following command in management mode to clear the cache, list and database:
Command / Purpose
  clear arp-cache
      Clears the IP ARP cache.
Chapter 52 Configuring DHCP
52.1 Overview
Dynamic Host Configuration Protocol (DHCP) is used to provide network configuration parameters to hosts on the Internet; it is described in detail in RFC 2131. One of the major functions of DHCP is to distribute IP addresses on an interface. DHCP supports the following three IP distribution mechanisms:
Automatic distribution
The DHCP server automatically distributes a permanent IP address to a client.
DHCP server withdraws the IP. To continue using this IP, the DHCP client needs to apply for it again.
52.2 Configuring DHCP Client
52.2.1 Configuration Task List of DHCP Client
  Obtaining an IP address
  Specifying an address for DHCP server
  Configuring DHCP parameters
  Monitoring DHCP
52.2.2 DHCP Client Configuration Tasks
(1) Obtaining an IP address
Run the following command on the VLAN interface to obtain an IP address for the interface through the DHCP protocol.
provider.
  ip dhcp client client_identifier hrd_ether
      Specifies the client ID as the Ethernet type.
  ip dhcp client timeout_shut
      Specifies client timeout shutdown of the interface.
  ip dhcp client retry_interval <1-1440>
      Sets the retransmission time.
  ip dhcp client bootfileaddmac
      Enables adding the client's MAC address to the DHCP file name.
  ip dhcp client tftpdownload
      Enables the TFTP download function.
These commands are optional when you perform the "obtain an IP address" operation.
52.3 Configuring DHCP Server
52.3.1 DHCP Server Configuration Tasks
  Enabling DHCP server
  Disabling DHCP server
  Configuring ICMP detection parameter
  Configuring database storage parameter
  Configuring the address pool of DHCP server
  Configuring the parameter for the address pool of DHCP server
  Monitoring DHCP server
  Clearing information about DHCP server
52.3.
  ip dhcpd ping timeout timeout
      Sets the timeout of the ICMP response.
(4) Setting a Parameter to Clear the "Abandoned" Mark
To set the interval for clearing the "Abandoned" mark, run the following command in global mode:
Command / Purpose
  ip dhcpd abandon-time time
      Sets the interval for clearing the "Abandoned" mark.
auto-bind means allowing BOOTP clients to be assigned auto-binding addresses.
(9) Configuring DHCP Database Server Address
Run the following command in the global configuration mode:
Command / Purpose
  ip dhcpd database-agent ip-address
      Configures the DHCP database server address. If this address is not set, the address distribution information is saved to the flash.
(12) Configuring DHCP Optional Server Host Name
Run the following command in the global configuration mode:
Command / Purpose
  ip dhcpd server-name name
      Configures the DHCP optional server host name.
(13) Enabling DHCP TFTP Server Name Option
Run the following command in the global configuration mode:
Command / Purpose
  ip dhcpd sname-option
      Enables the DHCP TFTP server name option.
(14) Configuring Relevant Parameters of DHCP Snooping
The command can be used to enable ARP map protection.
Command / Purpose
  ip dhcpd pool name
      Adds the address pool of the DHCP server and enters the configuration mode of the DHCP address pool.
(18) Configuring Relevant Parameters for the Address Pool of DHCP Server
In the configuration mode of the DHCP address pool, run the following commands to set related parameters.
  domain-name name
      Sets a domain name, which is distributed to the client.
To set the lease time of the address distributed to the client, run the following command:
Command / Purpose
  lease {days [hours][minutes] | infinite}
      Sets the lease time of the address distributed to the client.
Command / Purpose
  show ip dhcpd database-agent
      Displays the current address distribution information of the DHCP server.
To check the current address pool information of the DHCP server, run the following command in EXEC mode.
Command / Purpose
  show ip dhcpd pool
      Displays the current address pool information of the DHCP server.
 network 192.168.20.0 255.255.255.0
 range 192.168.20.211 192.168.20.215
 domain-name my315
 default-router 192.168.20.1
 dns-server 192.168.1.3 61.2.2.10
 netbios-name-server 192.168.20.1
 lease 1 12 0
!
ip dhcpd enable
52.4 Configuring DHCP Relay
52.4.1 Configuration Task List of DHCP Relay
  Enabling DHCP relay
  Disabling DHCP relay
  Setting the parameters of DHCP relay
52.4.2 DHCP Relay Configuration Tasks
(1) Enabling DHCP Relay
If you want to enable DHCP Relay on the SWITCH, enable the DHCP server first.
Chapter 53 IP Service Configuration
This section describes how to configure optional IP services. For details of the IP service commands, refer to section "IP Service Commands".
53.1 Configuring IP Service
Optional IP service configuration tasks are listed as follows:
  Managing IP connection
  Configuring performance parameters
  Configuring default gateway
  Detecting and Maintaining IP Network
The above operations are not mandatory.
automatically opened. To enable the function, run the following command in VLAN interface configuration mode to forward ICMP redirect packets:
Command / Purpose
  ip redirects
      Permits sending ICMP redirect messages.
(3) Sending ICMP Mask Response Message
Sometimes a host must know its network mask. To get this information, the host can send an ICMP mask request message. If the routing SWITCH can determine the mask of the host, it responds with an ICMP mask response message.
Command / Purpose
  ip mtu bytes
      Sets the IP MTU of the interface.
(6) Authorizing IP Source Route
The routing SWITCH checks the IP header of every message. It supports the IP header options defined by RFC 791: strict source route, loose source route, record route and timestamp. If the SWITCH detects that an option is incorrectly set, it sends an ICMP parameter problem message to the source host and drops the message.
routing item in the hardware cache. The command can be enabled in global configuration mode. When the next hop of the route to an indirectly connected host is the same as that of a subnet route, this command decides whether to delete the hardware route of the host.
Command / Purpose
  ip route-cache age-exf
      Deletes the indirectly connected hardware route of a host whose next hop is the same as the next hop of the hardware subnet route.
Command / Purpose
  ip route-cache hardware-index ticks
      The bigger the ticks, the faster the SWITCH adds the hardware route cache.
To set the lifetime of the hardware route cache, run the following command in global mode:
Command / Purpose
  ip route-cache-aging-time seconds
      Sets the lifetime of the SWITCH hardware route cache.
Command / Purpose
  ip tcp synwait-time seconds
      Sets the wait time for TCP connection.
(2) Setting the Size of TCP Windows
The default size of the TCP window is 2000 bytes. Run the following command in global configuration mode to change the default window size:
Command / Purpose
  ip tcp window-size bytes
      Sets the size of the TCP window.
53.1.
show tcp                      Displays status information for all TCP connections.
show tcp brief                Briefly displays information about TCP connection states.
show tcp statistics           Displays TCP statistics.
show tcp tcb address          Displays state information about the designated TCP connection.
(4) Displaying Debug Information
When a problem occurs on the network, you can run debug to display debugging information. Run the following command in EXEC mode. For details, refer to "IP Service Command".
Use the access list by following these steps:
(7) Create the access list by designating the access list name and conditions.
(8) Apply the access list to the interface.
53.2.2 Creating Standard and Extensible IP Access List
Use a character string to create an IP access list. Note: The standard access list and the extensible access list cannot have the same name.
non-allowed is set; totallen means the total length of the packet; timer-rage means the time range during which the conditions are effective; ttl means the IP packet Time To Live; dest-portrange means the range of destination ports; established means an established connection.
Exit                          Logs out from the access list configuration mode.
Entries added after the access list is created are appended at the end of the list; that is, you cannot insert a command line into the middle of the designated access list.
53.2.4 Applying the Access List to the Global Mode
After the access list is created, you can apply it to the routing interface in global configuration mode, in the ingress or egress direction. Run the following command in global mode:
Command / Purpose: Applies the established IP access list to an interface, or cancels it on the interface, in global configuration mode.
second line allows any new TCP connection to the SMTP port of host 130.2.1.2.
ip access-list extended aaa
 permit tcp any 130.2.0.0 255.255.0.0 gt 1023
 permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface vlan 10
 ip access-group aaa in
Another example of applying the extensible access list follows. Suppose a network is connected to the Internet and you expect any host on the Ethernet to be able to create TCP connections with hosts on the Internet.
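What the access list "aaa" actually admits is easiest to see by replaying packets through it. The following is an added example, not code from the PLANET manual: it parses the manual's two permit lines, evaluates constructed packets against them in order (first match wins) and applies the implicit deny that ends every access list. Masks are read as subnet masks, the way the manual writes them (255.255.255.255 for a single host); the sample source address 198.51.100.7 is a constructed value.

```python
"""First-match evaluation of an extended IP access list (added example)."""
import ipaddress
from dataclasses import dataclass

# the manual's access list, verbatim
ACL_TEXT = """\
ip access-list extended aaa
 permit tcp any 130.2.0.0 255.255.0.0 gt 1023
 permit tcp any 130.2.1.2 255.255.255.255 eq 25
"""

PORT_OPS = {
    "eq": lambda port, n: port == n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
    "neq": lambda port, n: port != n,
}


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_op: str = None
    port: int = None


def _parse_addr(tokens):
    """Consume 'any' or 'address mask' from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network((tokens[0], tokens[1]), strict=False)  # mask is a subnet mask here
    return net, tokens[2:]


def parse_acl(text):
    """Return (name, [Rule]) from the manual's 'ip access-list extended' syntax."""
    name, rules = None, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        port_op = port = None
        if rest:  # optional destination-port operator, e.g. 'gt 1023' or 'eq 25'
            port_op, port = rest[0], int(rest[1])
        rules.append(Rule(action, proto, src, dst, port_op, port))
    return name, rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Return (action, index of the matching rule); unmatched traffic is denied."""
    for idx, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src_ip) not in r.src or ipaddress.ip_address(dst_ip) not in r.dst:
            continue
        if r.port_op and not PORT_OPS[r.port_op](dst_port, r.port):
            continue
        return r.action, idx
    return "deny", None  # implicit deny at the end of every access list


NAME, RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # constructed traffic samples: (protocol, source, destination, destination port)
    for pkt in [("tcp", "198.51.100.7", "130.2.9.9", 8080),
                ("tcp", "198.51.100.7", "130.2.1.2", 25),
                ("tcp", "198.51.100.7", "130.2.1.2", 22),
                ("udp", "198.51.100.7", "130.2.1.2", 53)]:
        print(pkt, evaluate(RULES, *pkt))
```

The third and fourth samples show the point of the implicit deny: SSH to the mail host and any UDP traffic fall through both lines and are dropped, even though nothing in the list mentions them.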
Chapter 54 Application of IP Access Control List
54.1 Applying the IP Access Control List
54.1.1 Applying ACL on Ports
After an ACL is established, it can be applied on one or many slots or globally. Run the following command in global or port configuration mode:
Command                       Purpose
config                        Enters the global configuration mode.
interface g0/1                Enters the to-be-configured port.
Chapter 55 Routing Protocol Overview
55.1 IP Routing Protocol
The router of our company implements multiple IP dynamic routing protocols. They are introduced in the description of each protocol in this chapter. IP routing protocols are classified into two categories: interior gateway protocols (IGP) and exterior gateway protocols (EGP). The routers of our company support RIP, OSPF, BGP and BEIGRP. RIP, OSPF, BGP and BEIGRP can be configured separately according to real needs.
BEIGRP
55.2.2 Exterior Gateway Routing Protocol
An exterior gateway routing protocol is used to exchange routing information between different autonomous systems. It usually requires configuring the corresponding neighbors for exchanging routes, the reachable networks and the local autonomous system number. The exterior gateway routing protocol supported by the router of our company is BGP.
Chapter 56 Configuring VRF
56.1 Overview
A key requirement of a VPN is to keep data secure and isolated: it must prevent communication between stations that do not belong to the same VPN. In order to tell which local interface on the PE device a VPN user route was received from, virtual routing instances are created on the PE device. Every virtual routing instance has its own routing table and forwarding table. These routing tables and forwarding tables are called VRFs (VPN Routing and Forwarding instances).
PE_config#interface vlan 1                      Enters the interface configuration mode.
PE_config_v1#ip vrf forwarding vrf-name         Associates the interface with the VRF.
PE_config_v1#ip address ip-address subnet-mask  Configures the IP address of the interface.
56.3.
Command                                       Purpose
PE_config#ip vrf ce                           Enters VRF configuration mode.
PE_config_vrf_ce#rd ASN:nn or IP-address:nn   Configures the VRF routing tag and creates the VRF table.
PE_config_vrf_ce#description LINE             Configures the description of the VRF.
56.3.5 Configuring Static Route of VRF
To configure the static route of a VRF, do as follows:
Command                                       Purpose
PE_config#ip vrf ce                           Enters VRF configuration mode.
PE_config_vrf_ce#rd ASN:nn or IP-address:nn   Configures the VRF routing tag and creates the VRF table.
PE#debug ip routing message                   Tracks VRF information received and sent.
PE#debug ip routing vrf vrf-name              Tracks changes of the designated VRF routing table.
56.4 Example of the VRF Configuration
The configuration of the routing device is as follows:
Routing device CE:
interface loopback 0
 ip address 22.1.1.1 255.255.255.0
!
interface vlan 1
 ip address 170.168.20.152 255.255.255.0
!
router ospf 1
 network 170.168.20.0 255.255.255.0 area 0
 network 22.1.1.0 255.255.255.
ip vrf pe1
 rd 1:1
 route-target 1:1
!
interface vlan 1
 ip vrf forwarding pe1
 ip address 170.168.20.153 255.255.255.0
!
interface vlan 2
 ip address 176.168.20.152 255.255.255.0
!
router ospf 1 vrf pe1
 network 170.168.20.0 255.255.255.0 area 0
!
router bgp 1
 neighbor 176.168.20.154 remote-as 2
 address-family vpnv4
 neighbor 176.168.20.
 exit-address-family
 address-family ipv4 vrf pe1
 no synchronization
 redistribute ospf 1
 exit-address-family
Routing device PE2:
ip vrf pe2
 rd 1:1
 route-target 1:1
!
interface loopback 0
 ip vrf forwarding pe2
 ip address 44.1.1.1 255.255.255.0
!
interface vlan 2
 ip address 176.168.20.154 255.255.255.
router bgp 2
 neighbor 176.168.20.153 remote-as 1
 address-family vpnv4
 neighbor 176.168.20.
Chapter 57 Static Routing Configuration
57.1 Overview
This chapter illustrates how to configure static routing. If you would like a detailed description of the static routing commands in this section, refer to the chapter "Static routing" in the "Reference for the Network Protocol Commands". If you would like to search the document for other commands, use the master index for commands and conduct an inline search.
57.3 Static Routing Configuration Task
57.3.1 Configure the Static Routing
To activate static routing, carry out the following step in global configuration mode:
Command                                                                          Purpose
ip route A.B.C.D mask {next-hop | interface} [di t ] [t t ] [ l b l] [d i ti ]  Configures the static route.
57.4 Example of the Static Routing Configuration
To forward packets destined for network segment 10.0.0.0/8 out of interface GigaEthernet3/0, the configuration is as follows:
ip route 10.0.0.0 255.0.0.
Chapter 58 Configuring RIP
58.1 Overview
This chapter illustrates how to configure RIP. If you would like a detailed description of the RIP commands in this section, refer to the chapter "RIP Commands" in the "Reference for the Network Protocol Commands". If you would like to search the document for other commands, use the master index for commands and conduct an inline search.
Activating or Prohibiting Split Horizon
58.3 RIP Configuration Task
58.3.1 Starting RIP
To activate RIP, carry out the following steps in global configuration mode:
Command                       Purpose
router rip                    Activates the RIP routing process and enters router configuration mode.
network network-number        Specifies the network number relevant to the RIP routing process.
58.3.
Command                       Purpose
timers holddown value         Sets the time (unit: seconds) it takes to delete a certain route from the routing table.
timers expire value           Sets the time (unit: seconds) after which a route is declared invalid.
timers update value           Sets the frequency of sending routing updates (the interval between two routing updates, unit: seconds).
58.3.
Notes: For security reasons, do not use plaintext authentication in RIP groups, because the unencrypted authentication key is sent with every RIP-2 update. If security is not a major concern (that is, if it is guaranteed that a wrongly configured host cannot take part in routing), plaintext authentication can be used.
Command                            Purpose
ip rip authentication simple       Configures the interface with plaintext authentication.
ip rip password string             Configures the plaintext authentication key.
To configure MD5 authentication of RIP, do as follows in interface configuration mode:
Command                            Purpose
ip rip authentication md5          Configures MD5 authentication.
ip rip md5-key key-ID md5 key      Configures the MD5 authentication key and the key ID.
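The difference between the two authentication modes above is what travels on the wire. The following is an added example, not code from the PLANET manual: it builds a RIP-2 response with a plaintext authentication entry (the key itself, zero-padded to 16 bytes, as "ip rip authentication simple" sends it) and one with a keyed-MD5 entry in the RFC 2082 construction, simplified here: a digest computed over the update plus the key, so only the digest and a key ID appear in the packet. The receiver side checks the key ID against a keyring, the digest, and the sequence number that protects against replayed updates. The route, key and sequence values are constructed for the demonstration.

```python
"""Plaintext versus keyed-MD5 authentication of RIP-2 updates (added example)."""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AUTH_AFI = 0xFFFF          # address family 0xFFFF marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3


def rip_header():
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)


def route_entry(network, mask, next_hop, metric):
    """One 20-byte RIP-2 route entry (AFI 2 = IP, route tag 0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, network, mask, next_hop, metric)


def simple_auth_update(password, routes):
    """Plaintext authentication: the password sits in the first entry, zero-padded to 16 bytes."""
    entry = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password.encode())
    return rip_header() + entry + b"".join(routes)


def md5_auth_update(key_id, key, seq, routes):
    """Keyed-MD5 authentication (RFC 2082 construction, simplified): header entry, routes, digest trailer."""
    body = rip_header()
    # packet length covers everything up to the trailer's 16-byte digest
    pkt_len = 4 + 20 + 20 * len(routes) + 4
    body += struct.pack("!HHHBBIII", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq, 0, 0)
    body += b"".join(routes)
    body += struct.pack("!HH", AUTH_AFI, 1)  # trailer marker
    padded_key = key.encode().ljust(16, b"\x00")
    digest = hashlib.md5(body + padded_key).digest()  # key is hashed in, never transmitted
    return body + digest


def verify_md5_update(packet, keyring, last_seq):
    """Return (ok, reason). keyring maps key ID to key; last_seq is the last accepted sequence number."""
    if len(packet) < 4 + 20 + 4 + 16:
        return False, "too short"
    afi, atype, pkt_len, key_id, auth_len, seq, _r1, _r2 = struct.unpack("!HHHBBIII", packet[4:24])
    if afi != AUTH_AFI or atype != AUTH_MD5 or auth_len != 16:
        return False, "not a keyed-MD5 update"
    if pkt_len + 16 != len(packet):
        return False, "length mismatch"
    if key_id not in keyring:
        return False, "unknown key ID"
    if seq != 0 and seq <= last_seq:
        return False, "replayed or stale sequence number"
    body, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(body + keyring[key_id].encode().ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"
    return True, "ok"


def key_visible_on_wire(packet, password):
    """True if the authentication key appears literally in the packet bytes."""
    return password.encode() in packet


# constructed sample: one route to 10.0.0.0/8 with metric 1, key ID 1 on the receiver's keyring
ROUTES = [route_entry(bytes([10, 0, 0, 0]), bytes([255, 0, 0, 0]), bytes(4), 1)]
KEYRING = {1: "s3cret-key"}

if __name__ == "__main__":
    plain = simple_auth_update("s3cret-key", ROUTES)
    signed = md5_auth_update(1, "s3cret-key", 42, ROUTES)
    print("plaintext key visible:", key_visible_on_wire(plain, "s3cret-key"))
    print("md5 key visible:", key_visible_on_wire(signed, "s3cret-key"))
    print("verify:", verify_md5_update(signed, KEYRING, last_seq=41))
    tampered = signed[:40] + struct.pack("!I", 16) + signed[44:]  # rewrite the metric in the route entry
    print("tampered:", verify_md5_update(tampered, KEYRING, last_seq=41))
    print("replayed:", verify_md5_update(signed, KEYRING, last_seq=42))
```

The tampered and replayed cases are the two checks that plaintext authentication cannot perform: with "ip rip authentication simple" a captured update carries the key and can be altered or resent at will, which is why the note above advises against it.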
disables the default validation of the source IP address of incoming route updates.
Command                       Purpose
no validate-update-source     Disables validation of the source IP address of incoming RIP route updates.
58.3.11 Maximum Number of Routes
By default, the local RIP routing table can contain up to 1024 routes. When the number of routes in the routing table exceeds the maximum, no more routes are added to the routing table.
on a serial interface (and the interface is connected to a packet-switched network), you have to disable split horizon on all routers in any relevant multicast group on that network.
58.3.13 Monitoring and Maintenance of RIP
With RIP monitored and maintained, network statistics can be displayed, such as the RIP protocol parameter configuration, network utilization, real-time tracing of network communication and so on.
RouterA
interface ethernet 1/1
 ip address 192.168.20.81 255.255.255.0
!
interface loopback 0
 ip address 10.1.1.1 255.0.0.0
!
router rip
 network 192.168.20.0
 network 10.0.0.0
!
RouterB
interface ethernet 1/1
 ip address 192.168.20.82 255.255.255.0
interface loopback 0
 ip address 20.1.1.1 255.0.0.0
!
router rip
 network 192.168.20.0
 network 20.0.0.
Chapter 59 BEIGRP Configuration
This chapter details the configuration process of the BEIGRP dynamic routing protocol.
59.1 Overview
Brief introduction of the BEIGRP routing protocol. The technology used by BEIGRP is similar to a distance vector routing protocol: the router only makes routing decisions with the information provided by directly connected neighbors; the router only provides the routing information it uses to the directly connected neighbors.
The supervision and maintenance of BEIGRP 59.2.
offset {type number | *} {in | out} access-list-name offset   Applies an offset list.
59.2.5 Turning off Auto-Summary
The auto-summary of BEIGRP differs from that of other dynamic routing protocols and obeys the following rules: When a BEIGRP process defines several networks, as long as at least one subnet of such a network exists in the BEIGRP topology table, it creates the summary route of the defined network.
It is not necessary to configure the command "default-metric" when redistributing static routes and connected routes; the related parameters (bandwidth, delay, reliability, load and MTU) are taken from the related interface. It is not necessary to configure the command "default-metric" when redistributing the routes of another BEIGRP process; the related parameters are taken from the redistributed BEIGRP process.
Adjusting the interval at which BEIGRP sends "hello" messages and the hold time after which a neighbor is declared dead
The BEIGRP hello protocol achieves three objectives to enable correct BEIGRP operation: It discovers accessible new neighbors; the discovery is automatic and requires no manual configuration. It checks the neighbors' configuration and only permits communication with neighbors configured with a compatible mode.
If you wish to adjust the hold timer of the neighbor, use the following command:
Command                       Purpose
ip beigrp hold-time seconds   Adjusts the time after which the neighbor is declared dead.
Disabling split horizon
Commonly we wish to use split horizon. It prevents routing information received on one interface from being advertised back out of the same interface, so as to avoid routing loops. But under certain circumstances this is not the optimal choice, and then we can use the following command to disable split horizon:
Command                       Purpose
no ip beigrp split-horizon    Turns off split horizon.
59.2.
Chapter 60 Configuring OSPF
60.1 Overview
The OSPF configuration is introduced in this chapter. For more detailed information about all the OSPF commands, please refer to the relevant sections about OSPF commands in the Reference for Network Protocol Configuration. OSPF is an IGP routing protocol developed by the OSPF Working Group of the IETF.
The supervision and maintenance of OSPF
In addition, for configuring route redistribution, please refer to the related content about "Route Redistribution" in "Protocol-independent Feature Configurations of IP Routing Protocol".
60.3 OSPF Configuration Task
60.3.1 Starting OSPF
Like other routing protocols, activating OSPF demands creating an OSPF routing process, allocating an IP address range related to the running process, and allocating an area ID related to the IP address range.
you can configure a physical broadcasting network to be a non-broadcasting, multi-access network; you can also configure a non-broadcasting network (X.25, Frame Relay and SMDS) to be a broadcasting network. This feature also reduces the neighbor configuration; for detailed information, please refer to the related content on OSPF non-broadcasting network configuration.
router ospf process-id              Configures an OSPF routing process and enters router configuration mode.
neighbor ip-address cost number     Designates a neighbor and allocates a metric for it.
For each neighbor whose metric you wish to designate, repeat step 4. Otherwise the value designated by the command "ip ospf cost" is used.
60.3.5 Configuring Non-Broadcasting Network
Because there are many routers in the OSPF network, one DR must be elected for the network.
60.3.6 Configure OSPF domain
Configurable area parameters include: authentication, designating a stub area, and designating the metric for the default summary route. Authentication adopts password-based protection. Stub areas are areas into which external routes are not distributed. Instead, the ABR generates a default external route into the stub area, enabling it to reach the external networks of the autonomous system. In order to utilize the features of OSPF stub support, you should use a default route in the stub area.
Command                            Purpose
area area-id range address mask    Defines the address range for route summarization.
60.3.9 Configuring the Gathering of a Forwarding Router
When routes from other routing domains are redistributed into the OSPF routing domain, each is advertised independently in the form of an external LSA. But you can configure the router to advertise one route that covers a certain address range. This method reduces the size of the OSPF link-state database.
group of routers. Generally speaking, the management distance is an integer between 0 and 255; the higher the value, the lower the reliability. If the management distance is 255, the route information source is not trusted and should be ignored. OSPF uses 3 different types of management distance: inter-domain, inner-domain and exterior. A route within an area is inner-domain; a route to another area is inter-domain; a route distributed from another routing protocol domain is exterior.
ip ospf demand-circuit     Configures OSPF on-demand dialing.
60.3.15 Monitoring and Maintaining OSPF
You can display network statistics, such as statistics about the contents of the IP routing table, cache and database. This information helps you judge the utilization of network resources and solve network problems. You can learn the availability of network nodes and discover the route a network packet takes through the network.
The configuration of BEIJING:
Hostname Beijing
!
interface serial 1/0
 ip address 130.130.0.2 255.255.0.0
 encapsulation frame-relay
 frame-relay map 130.130.0.1 pvc 201 broadcast
 frame-relay map 130.130.0.3 pvc 202 broadcast
 frame-relay map 130.130.0.4 pvc 203 broadcast
 ip ospf network point-to-multipoint
!
router ospf 1
 network 130.130.0.0 255.255.0.0 area 0
The configuration of ShangHai:
hostname shanghai
!
interface serial 1/0
 ip address 130.130.0.1 255.0.0.0
 encapsulation frame-relay
 frame-relay map 130.
router ospf 1
 network 130.130.0.0 255.255.0.0 area 0
The configuration of ChongQing:
hostname chongqing
!
interface serial 1/1
 ip address 130.130.0.3 255.0.0.0
 encapsulation frame-relay
 physical speed 2000000
 frame-relay map 130.130.0.2 pvc 301 broadcast
 ip ospf network point-to-multipoint
!
router ospf 1
 network 130.130.0.0 255.255.0.0 area 0
60.4.2 Examples of OSPF point-to-multipoint, non-broadcasting configuration
interface Serial1/0
 ip address 10.0.1.1 255.255.255.
efficiently utilize the address space of the network. The following example uses 30-bit subnet masks, reserving 2 bits of host address space for the serial ports. For a point-to-point serial link, which only requires two host addresses, this is enough.
interface ethernet 1/0
 ip address 131.107.1.1 255.255.255.0
! 8 bits of host address space reserved for ethernets
interface serial 1/1
 ip address 131.107.254.1 255.255.255.
An example of basic OSPF configuration
The following example illustrates a simple OSPF configuration. Activate routing process 90, then connect Ethernet interface 0 to area 0.0.0.0. Meanwhile, redistribute RIP into OSPF and OSPF into RIP.
interface ethernet 1/0
 ip address 130.130.1.1 255.255.255.0
 ip ospf cost 1
!
interface ethernet 1/0
 ip address 130.130.1.1 255.255.255.0
!
router ospf 90
 network 130.130.0.0 255.255.0.0 area 0
 redistribute rip
!
router rip
 network 130.130.0.
An example of the basic configuration of an inner router, ABR and ASBR
The following example allocates 4 area IDs to 4 IP address ranges. Firstly, routing process 109 is activated; the 4 areas are 10.9.5.0, 2, 3 and 0. The masks of areas 10.9.50.0, 2 and 3 designate the address ranges, while area 0 includes all the networks.
router ospf 109
 network 131.108.20.0 255.255.255.0 area 10.9.50.0
 network 131.108.0.0 255.255.0.0 area 2
 network 131.109.10.0 255.255.255.0 area 3
 network 0.0.0.0 0.0.0.
(8) Configure the router according to the above figure:
RouterA:
interface loopback 0/0
 ip address 202.96.207.81 255.255.255.0
!
interface Ethernet 1/0
 ip address 192.168.10.81 255.255.255.0
!
interface ethernet 1/0
 ip address 192.160.10.81 255.255.255.0
!
router ospf 192
 network 192.168.10.0 255.255.255.0 area 1
 network 192.160.10.0 255.255.255.0 area 0
!
RouterB:
interface loopback 0/0
 ip address 202.96.209.82 255.255.255.252
!
interface Ethernet 1/0
 ip address 192.168.10.82 255.255.255.
 ip address 192.163.20.83 255.255.255.0
!
interface ethernet 1/1
 ip address 192.160.20.83 255.255.255.0
!
router ospf 192
 network 192.168.20.0 255.255.255.0 area 1
 network 192.163.20.0 255.255.255.
Configuration examples for complicated internal router, ABR and ASBR
The following example shows how to configure multiple routers in a single OSPF autonomous system. Figure 4-2 shows the network topology of the configuration example.
Figure 4-2 Network topology of the configuration example
Configure the routers according to Figure 4-2:
Router A:
interface loopback 0/0
 ip address 202.96.207.81 255.255.255.0
!
interface Ethernet 1/0
 ip address 192.168.10.81 255.255.255.
Router C:
interface loopback 0/0
 ip address 202.96.208.83 255.255.255.252
!
interface Ethernet 1/0
 ip address 192.163.20.83 255.255.255.0
!
interface ethernet 1/1
 ip address 192.160.20.83 255.255.255.0
!
router ospf 192
 network 192.168.20.0 255.255.255.0 area 1
 network 192.163.20.0 255.255.255.
An example of complex OSPF configuration on an ABR router
Here is an example of OSPF configuration:
interface ethernet 1/0
 ip address 192.168.20.81 255.255.255.0
 ip ospf password GHGHGHG
 ip ospf cost 10
!
interface ethernet 1/1
 ip address 192.168.30.81 255.255.255.0
 ip ospf password ijklmnop
 ip ospf cost 20
 ip ospf retransmit-interval 10
 ip ospf transmit-delay 2
 ip ospf priority 4
!
interface ethernet 1/2
 ip address 192.168.40.81 255.255.255.
Chapter 61 Configure BGP
61.1 Overview
This chapter describes how to configure the Border Gateway Protocol (BGP). For a complete description of the BGP commands in this chapter, please refer to the sections related to "BGP command". BGP is an Exterior Gateway Protocol (EGP) defined in RFC 1163, 1267 and 1771. It establishes a route selection mechanism among different autonomous systems; this mechanism automatically guarantees loop-free exchange of routing information between the autonomous systems.
If each route has the same value, the route with the highest local preference is preferred. If each route has the same local preference, the route generated by the local router is preferred. For example, a route may be generated by the local router through the commands "network" or "aggregate", or by redistributing an IGP route. If the local preferences are the same, or if there is no route generated by the local router, the route with the shortest AS path is preferred.
Compare the MED of routes from different ASs. For more information about configuring the attributes of several IP route selection protocols, please refer to "The configuration of attributes of IP routing which are independent from the protocol".
61.3 Configure basic BGP features task
61.3.1 Configuring Basic BGP Features
1.
use soft reconfiguration; currently, we enable soft reconfiguration per neighbor. When soft reconfiguration is applied to the incoming updates produced by the neighbor, it is called incoming soft reconfiguration; when soft reconfiguration is applied to the outgoing updates to the neighbor, it is called outgoing soft reconfiguration.
Command                   Purpose
no synchronization        Cancels the synchronization between BGP and IGP.
After canceling synchronization, you should use the command "clear ip bgp" to clear the BGP sessions. For an example of BGP synchronization, please refer to the section at the bottom of this chapter, "an example of BGP path filtration by the neighbors". Normally, you do not want to redistribute all routes into your IGP.
Command                                                                              Purpose
ip access-list standard access-list-name                                            Defines an access list.
router bgp autonomous-system                                                        Enters router configuration mode.
neighbor {ip-address | peer-group-name} distribute-list access-list-name {in | out}  Establishes a BGP filter.
Use a prefix list together with the global configuration command "ip prefix-list" and the command "neighbor prefix-list".
Command                                                                              Purpose
ip prefix-list prefix-list-name {permit | deny}                                     Defines a prefix list.
A.B.C.
(11) Use the following router configuration command to disable next-hop processing and use the local IP address of this BGP connection as the next-hop address of outgoing routes.
Command                                                Purpose
neighbor {ip-address | peer-group-name} nexthop-self  Disables next-hop processing during BGP neighbor updates.
Configuring this command makes the current router announce itself as the next hop of the route.
For examples of the use of BGP route aggregation, please refer to the section at the bottom of this chapter, "examples of BGP route aggregation".
3.
match community-list-name                                                     Configures the matching rules.
router bgp autonomous-system                                                  Enters router configuration mode.
neighbor {ip-address | peer-group-name} route-map route-map-name {in | out}   Applies the route map.
For examples of using community attributes, please refer to "Examples of route-map using BGP community attribute".
4.
neighbors as route reflector clients:
Command                                        Purpose
neighbor ip-address route-reflector-client     Configures the local router as a route reflector and designates the neighbor as a client.
An AS may have several route reflectors; a route reflector treats other route reflectors the same way it treats ordinary IBGP speakers. Normally a cluster of clients has only one route reflector, and the cluster is then identified by the route reflector's router ID.
distance bgp {external-distance | internal-distance | local-distance}   Configures BGP route management distances.
Changing the management distances of BGP routes is risky and normally not recommended. The external distance should be shorter than the distance of any other dynamic routing protocol, and the internal distance should be longer than the distance of any other dynamic routing protocol.
9.
61.4.1 Deleting the BGP Routing Table and the BGP Database
The following table lists the tasks related to deleting the high-speed cache, a table or the BGP database. The commands listed in the following table are all run in EXEC mode.
Command                    Purpose
clear ip bgp *             Resets all BGP connections.
clear ip bgp as-number     Resets the BGP connections of the designated autonomous system.
clear ip bgp address       Resets the BGP connection of the designated neighbor.
show ip bgp neighbors [address] [received-routes | routes | advertised-routes]   Displays the routes learned from the specified BGP neighbor.
show ip bgp paths                    Displays information about all BGP paths in the database.
show ip bgp summary                  Displays the states of all BGP connections.
61.4.3 Tracking the BGP Information
You can observe BGP connection establishment and route transmission/reception by tracking BGP information, which helps to locate and resolve problems.
from autonomous system 690 to 127. The second entry allows routes that do not meet the above conditions to be sent to neighbor 1.1.1.1.
router bgp 100
 neighbor 1.1.1.1 route-map freddy out
!
ip aspath-list abc permit ^690_
ip aspath-list xyz permit .
ip aspath-list test2 permit _200$
ip aspath-list test2 permit ^100$
ip aspath-list test3 deny _690$
ip aspath-list test3 permit .*
61.5.4 Examples of BGP Route Filtration based on the Interface
The following is an example of the configuration of route filtration based on the interface.
ip prefix-list abc deny 0.0.0.0/0 ge 25
The following example denies routes from network 10/8: since any route inside class A network 10.0.0.0/8 has a mask of 32 bits or less, all routes from that network are denied:
ip prefix-list abc deny 10.0.0.0/8 le 32
The following example denies routes with a mask length of more than 25 in network 204.70.1.0/24:
ip prefix-list abc deny 204.70.1.0/24 ge 25
The following example permits all routes:
ip prefix-list abc permit any
61.5.
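The AS-path lists of the previous examples and the prefix-list entries just shown are the two filters a BGP speaker uses to decide which routes it accepts or announces, and both are easy to misread. The following is an added example, not code from the PLANET manual, serving both passages: it implements the matching behind "ip aspath-list" (a regular expression over the AS path, where "_" stands for a boundary between AS numbers; that expansion is the conventional one and is an assumption here) and "ip prefix-list" (a prefix with optional "ge"/"le" bounds on the prefix length, exact length when neither is given), then evaluates the manual's own entries against constructed routes and AS paths.

```python
"""AS-path list and prefix-list matching for BGP route filters (added example)."""
import ipaddress
import re

# '_' in a router-style AS-path regex matches the start or end of the path or the gap between two ASNs
AS_BOUNDARY = r"(?:^|$|\s)"


def aspath_regex(pattern):
    """Translate a router-style AS-path regex into a Python regex object."""
    return re.compile(pattern.replace("_", AS_BOUNDARY))


def aspath_list_matches(entries, as_path):
    """entries: list of (action, pattern) in order; as_path: list of ASNs. First match wins, default deny."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in entries:
        if aspath_regex(pattern).search(text):
            return action == "permit"
    return False


def parse_prefix_entry(line):
    """Parse 'ip prefix-list NAME permit|deny PREFIX [ge N] [le N]' (or '... permit any')."""
    t = line.split()
    assert t[:2] == ["ip", "prefix-list"], line
    name, action, spec = t[2], t[3], t[4]
    lo = hi = None
    if spec == "any":
        net, lo, hi = ipaddress.ip_network("0.0.0.0/0"), 0, 32
    else:
        net = ipaddress.ip_network(spec, strict=False)
    rest = t[5:]
    while rest:
        if rest[0] == "ge":
            lo = int(rest[1])
        elif rest[0] == "le":
            hi = int(rest[1])
        rest = rest[2:]
    return name, action, net, lo, hi


def prefix_entry_matches(entry, route):
    """A route matches when it lies inside the entry's prefix and its length satisfies ge/le;
    without ge/le the prefix lengths must be equal (exact match)."""
    _name, _action, net, lo, hi = entry
    route = ipaddress.ip_network(route, strict=False)
    if not route.subnet_of(net):
        return False
    if lo is None and hi is None:
        return route.prefixlen == net.prefixlen
    low = lo if lo is not None else net.prefixlen  # 'le' alone: lower bound is the entry's own length
    high = hi if hi is not None else 32            # 'ge' alone: upper bound is a host route
    return low <= route.prefixlen <= high


def prefix_list_permits(entries, route):
    """Sequential evaluation of a prefix list; an unmatched route is denied."""
    for entry in entries:
        if prefix_entry_matches(entry, route):
            return entry[1] == "permit"
    return False


# the manual's prefix-list 'abc', in the order the entries appear in section 61.5
ABC = [parse_prefix_entry(line) for line in [
    "ip prefix-list abc deny 0.0.0.0/0 ge 25",
    "ip prefix-list abc deny 10.0.0.0/8 le 32",
    "ip prefix-list abc deny 204.70.1.0/24 ge 25",
    "ip prefix-list abc permit any",
]]
# the manual's AS-path lists test2 and test3
TEST2 = [("permit", "_200$"), ("permit", "^100$")]
TEST3 = [("deny", "_690$"), ("permit", ".*")]

if __name__ == "__main__":
    for r in ["10.1.0.0/16", "204.70.1.128/26", "192.0.2.0/24", "198.51.100.0/25"]:  # constructed routes
        print(r, prefix_list_permits(ABC, r))
    print("test3 on 100 690:", aspath_list_matches(TEST3, [100, 690]))
    print("test3 on 690 100:", aspath_list_matches(TEST3, [690, 100]))
    print("^690_ on 6900:", aspath_list_matches([("permit", "^690_")], [6900]))
```

The last line shows why "_" matters: "^690_" matches a path that starts with AS 690 but not one that starts with AS 6900, which a plain "^690" would also accept.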
RTA configuration:
interface s1/0
 ip address 2.0.0.1 255.0.0.0
!
interface s1/1
 ip address 3.0.0.1 255.0.0.0
!
interface s1/2
 ip address 4.0.0.1 255.0.0.0
!
interface s1/3
 ip address 5.0.0.1 255.0.0.0
!
router bgp 200
 neighbor 2.0.0.1 remote-as 200 /*RTC IBGP*/
 neighbor 2.0.0.1 route-reflector-client
 neighbor 3.0.0.1 remote-as 200 /*RTB IBGP*/
 neighbor 3.0.0.1 route-reflector-client
 neighbor 5.0.0.1 remote-as 200 /*RTE IBGP*/
 neighbor 4.0.0.2 remote-as 100 /*RTD EBGP*/
 network 11.0.0.0/8
!
ip route 11.0.0.
 network 14.0.0.0/8
!
ip route 14.0.0.0 255.0.0.0 4.0.0.12
RTE configuration:
interface s1/0
 ip address 5.0.0.2 255.0.0.0
!
router bgp 200
 neighbor 5.0.0.1 remote-as 200 /*RTA IBGP*/
 network 15.0.0.0/8
!
ip route 15.0.0.0 255.0.0.0 5.0.0.12
61.5.8 Example of BGP Confederation
The following is the configuration of a confederation.
RTA configuration:
interface s1/0
 ip address 1.0.0.1 255.0.0.0
!
interface s1/1
 ip address 2.0.0.1 255.0.0.0
!
interface s1/2
 ip address 4.0.0.1 255.0.0.0
!
interface s1/3
 ip address 5.0.0.1 255.0.0.0
!
router bgp 65010
 bgp confederation identifier 200
 bgp confederation peers 65020
 neighbor 1.0.0.2 remote-as 65010 /*RTB IBGP*/
 neighbor 2.0.0.2 remote-as 65010 /*RTC IBGP*/
 neighbor 5.0.0.2 remote-as 65020 /*RTE EBGP*/
 neighbor 4.0.0.
!
router bgp 100
 neighbor 4.0.0.1 remote-as 200 /*RTA EBGP*/
RTE configuration:
interface s1/0
 ip address 5.0.0.2 255.0.0.0
!
router bgp 65020
 bgp confederation identifier 200
 bgp confederation peers 65010
 neighbor 5.0.0.1 remote-as 65010 /*RTA EBGP*/
61.5.9 Example of Route Map with BGP Community Attribute
This section includes three examples of using a route map with the BGP community attribute. In the first example, route map "set-community" is applied to the outgoing updates of neighbor 171.69.232.50.
901". These routes may have other attribute values. All routes carrying community list com2 are set with a local preference value of 500. All other routes are set with a local preference value of 50. So all the remaining routes of neighbor 171.69.232.55 have a preference of 50.
router bgp 200
 neighbor 171.69.232.55 remote-as 100
 neighbor 171.69.232.
Chapter 62 Configuring RSVP
62.1 Overview
This chapter explains how to configure RSVP. For details about RSVP commands, see "RSVP Command" in the "Network Protocol Command Reference". For other documentation about commands, use the index or type the command in online help. Understanding RSVP before configuring it is helpful. The RSVP protocol can be used by a host to request a certain quality of service for an application data flow.
When using the ip rsvp bandwidth command with its default parameters (interface-kbps and singleflow-kbp), the maximum resource reservation for the whole port and the resource reservation for a single data flow are limited to 75% of the port's total resource.
62.3.2 Start RSVP in an IP Phone Module Configuration
Before configuring our IP Phone and the IP Phone module of the router to use Voice over IP, users have to enable RSVP so that it can reserve resources.
62.3.5 Use Access List in RSVP Module
When users are configuring RSVP on a router, they can use an access list to accept or reject communication with certain hosts or routers. Users may configure the following command under interface configuration mode:
Command                            Function
ip rsvp neighbor access-list-name  Restricts RSVP neighbors to those permitted by the access list.
Chapter 63 Configuring PBR
63.1 Overview
This section describes how to configure PBR. PBR is the abbreviation of Policy Based Routing. PBR gives the user the ability to route IP packets according to a policy other than the dynamic routing protocol. We currently support the following policies: based on the length of the IP packet, and based on the source IP address. You can set a gateway or outgoing interface for packets matching the policy. PBR supports load balancing.
63.3.3 Apply route-map on interface
To enable PBR on an interface, follow the steps below:
Command                            Function
interface interface_name           Enters interface configuration mode.
ip policy route-map route-map_name Applies PBR on the interface.
63.3.4 Debug PBR
To debug PBR, follow the step below:
Command                            Function
debug ip policy                    Debugs PBR.
63.4 PBR configuration example
router configuration
!
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.
 match ip address net2
 set ip next-hop 14.1.1.99
!
route-map pbr 30 permit
 match ip address net3
 set ip next-hop 13.1.1.99 14.1.1.99 load-balance
!
route-map pbr 40 permit
 set ip default next-hop 13.1.1.99
Configuration explanation
Policy routing is enabled on interface f0/0. For packets originating from 10.1.1.2, the gateway is 13.1.1.99 if 13.1.1.99 is reachable; if 13.1.1.99 is not reachable, destination-based routing is used. For packets from 10.1.1.
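The route-map above is evaluated sequence by sequence, and the gateway choice depends on reachability, so the outcome for a given packet is not obvious from the configuration alone. The following is an added example, not code from the PLANET manual: it models how an interface with "ip policy route-map pbr" picks a gateway for a packet. "set ip next-hop" is used only if that gateway is reachable, otherwise destination-based routing applies (as the explanation above states); "set ip default next-hop" is consulted only when the routing table has no specific route for the destination, which is the usual meaning of that form and an assumption here. The access lists net1 to net3, the reachability state and the routing table are constructed (the manual does not show the list contents), and the load-balance choice (a hash of source and destination over the reachable gateways) is an assumption about the switch's behaviour.

```python
"""Policy-based routing decisions for the manual's 'route-map pbr' example (added example)."""
import ipaddress
import zlib

# constructed: which sources each access list matches (the manual does not show the lists)
ACCESS_LISTS = {
    "net1": ["10.1.1.2/32"],
    "net2": ["10.1.1.3/32"],
    "net3": ["10.1.1.0/24"],
}

# the manual's route-map, as (sequence, match list, set type, gateways)
ROUTE_MAP = [
    (10, "net1", "next-hop", ["13.1.1.99"]),
    (20, "net2", "next-hop", ["14.1.1.99"]),
    (30, "net3", "next-hop", ["13.1.1.99", "14.1.1.99"]),   # load-balance
    (40, None, "default-next-hop", ["13.1.1.99"]),
]


def matches_list(name, src):
    """A sequence without a match clause matches every packet."""
    if name is None:
        return True
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in ACCESS_LISTS[name])


def has_specific_route(routing_table, dst):
    """True if the table holds a route for dst other than the default route."""
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(p)
               for p in routing_table if p != "0.0.0.0/0")


def pick_balanced(gateways, src, dst):
    """Deterministic per-flow choice among gateways (assumed behaviour, not the switch's algorithm)."""
    return gateways[zlib.crc32(f"{src}>{dst}".encode()) % len(gateways)]


def policy_route(src, dst, reachable, routing_table):
    """Return ('policy', gateway) or ('routing-table', None) for a packet entering the policy interface."""
    for _seq, acl, set_type, gateways in ROUTE_MAP:
        if not matches_list(acl, src):
            continue
        alive = [g for g in gateways if g in reachable]
        if set_type == "next-hop":
            if alive:
                chosen = pick_balanced(alive, src, dst) if len(alive) > 1 else alive[0]
                return "policy", chosen
            return "routing-table", None  # gateway down: fall back to destination-based routing
        if set_type == "default-next-hop":
            if has_specific_route(routing_table, dst):
                return "routing-table", None  # a specific route exists, so the default next hop is not used
            if alive:
                return "policy", alive[0]
            return "routing-table", None
    return "routing-table", None


# constructed state: both gateways are up; the table knows 172.16.0.0/16 plus a default route
REACHABLE = {"13.1.1.99", "14.1.1.99"}
ROUTING_TABLE = ["172.16.0.0/16", "0.0.0.0/0"]

if __name__ == "__main__":
    print(policy_route("10.1.1.2", "198.51.100.5", REACHABLE, ROUTING_TABLE))
    print(policy_route("10.1.1.2", "198.51.100.5", {"14.1.1.99"}, ROUTING_TABLE))
    print(policy_route("10.1.1.3", "198.51.100.5", REACHABLE, ROUTING_TABLE))
    print(policy_route("10.1.1.9", "172.16.5.5", REACHABLE, ROUTING_TABLE))
    print(policy_route("192.0.2.10", "198.51.100.5", REACHABLE, ROUTING_TABLE))
    print(policy_route("192.0.2.10", "172.16.5.5", REACHABLE, ROUTING_TABLE))
```

The second call reproduces the sentence in the explanation: with 13.1.1.99 down, traffic from 10.1.1.2 is not redirected to sequence 30's surviving gateway but returns to destination-based routing.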
Chapter 64 Configuring DNS
64.1 Overview
DNS is short for Domain Name System. DNS is a distributed database used in TCP/IP applications. It provides the translation between host names and IP addresses, and some information about email and hosts. DNS names are used in TCP/IP networks such as the Internet, and DNS locates hosts and services according to friendly names. When a DNS name is input, the system can translate it into the relevant information such as an IP address.
PTR    A pointer to another part of the domain name space.
SOA    Identifies the start of a zone of authority.
DNS Zone: In general, the DNS database can be partitioned into different sets of resource records, and each partition is called a zone. A zone can include the resource records of all or part of a domain. A zone is divided into several child zones to simplify management. With this distributed structure, the administrator can manage every child zone effectively as the domain name space grows.
Command                  Function
ip domain lookup         Enable DNS lookup.
no ip domain lookup      Disable DNS lookup.
64.3.2 Specify the IP address of a domain name server
Several name servers may be assigned, but at most six. The name server assigned earlier is queried first. When the no form is used without any parameter, all the name servers are deleted.
64.3.5 Define static host name-to-address mapping
Any IP address can correspond to a name, and the same name can correspond to many IP addresses. By doing this, commands such as telnet and ping can use the names directly. In configuration mode, use the following commands:
Command                                   Function
ip host name address1 [address2 ...]      Map a name to one or more IP addresses.
no ip host name [address1 ...]            Delete a mapping.
Example: the following maps a name to several IP addresses
router_config# ip host djh 172.16.20.
clear ip host name      Delete a host from the cache.
clear ip host *         Delete all the hosts from the cache.
64.3.9 Specify the IP address of a primary server
You can specify only one primary server; if you specify another, it replaces the earlier one. In configuration mode, use the following commands:
Command                              Function
ip domain primary-server address     Set a primary server.
no ip domain primary-server          Delete the primary server.
64.3.
Bind the domain name to the primary IP address of an interface:
ip domain bind name interface number
(Note: an interface can correspond to only one domain name; when you bind another, the later one replaces the earlier one.)
64.4 Examples of BGP configuration
The following configuration can query and update.
Chapter 65 IP Hardware Subnet Routing Configuration
65.1 IP Hardware Subnet Configuration Task
65.1.1 Overview
IP hardware subnet routing is similar to IP fast switching. When IP hardware subnet routing is not enabled, before forwarding a packet whose next hop is IP address A, the switch first checks whether an entry for destination A exists in the hardware IP cache. If the entry exists, the packet is forwarded through hardware.
For directly connected routes, the next hop is the CPU. If the next hop is a routing interface rather than an IP address, handle it as a directly connected route. When the number of routing entries in the system is larger than the number of IP hardware subnet routing entries, the default route cannot be an IP hardware subnet route. Two or more routes that are prefixes of each other must be used together when IP hardware subnet routing is adopted.
Chapter 66 IP-PBR Configuration
66.1 IP-PBR Configuration
IP-PBR realizes software PBR functions through the hardware of the switch chip. PBR stands for Policy Based Routing. PBR enables users to route according to a certain policy rather than the routing protocol. Software-based PBR supports multiple policies and rules and also load balancing. You can designate the next hop's IP address or port for those packets that match the policy.
1) Create a route map;
2) Apply the route map on a port.
To create an ACL, run the following command globally:
Command                           Remarks
ip access-list standard net1      Enters the ACL configuration mode and defines the ACL.
To create a route map, run the following commands globally:
Command                           Remarks
route-map pbr                     Enters the route map configuration mode.
match ip address access-list      Configures the match policy.
set ip next-hop A.B.C.D           Configures the next-hop address of the IP packet.
All data related to IP-PBR operation are shown below:
switch#show ip pbr
IP policy based route state: enabled
No equiv exf apply item
VLAN3 use route-map ddd, and has 1 entry active.
-----------------Entry sequence 10, permit
Match ip access-list: ac1
Set Outgoing nexthop 90.0.0.3
The IP-PBR policy routing information is shown below:
switch#show ip pbr policy
IP policy based route state: enabled
VLAN3 use route-map ddd, and has 1 entry active.
ip access-list standard ac1
 permit 10.1.1.21 255.255.255.255
!
ip access-list standard ac2
 permit 10.1.1.2 255.255.255.255
!
route-map pbr 10 permit
 match ip address ac1
 set ip next-hop 13.1.1.99
!
route-map pbr 20 permit
 match ip address ac2
 set ip next-hop 13.1.1.99 14.1.1.99 load-balance
!
Configuration Description
The switch applies policy routing to the packets received from VLAN1. For packets whose source IP is 10.1.1.21, the next hop is 13.1.1.99.
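The following is an added example, not PLANET code, that models how the route maps of Chapter 63 and of this chapter are evaluated: sequences are tried in order, the first permit sequence whose ACL matches the source address decides the gateway, a gateway is used only while it is reachable, load-balance spreads flows across the listed gateways, and "set ip default next-hop" is consulted only when the routing table has no route. The unicast routing table, the reachability set and the per-flow hash are constructed assumptions; the ACLs and next hops are the ones from the examples above.

```python
import ipaddress
import zlib
from dataclasses import dataclass, field

# Constructed sample unicast routing table used for destination-based routing
# (prefix -> next hop).  Not from the manual.
ROUTING_TABLE = {
    "10.1.1.0/24": "connected",
    "192.168.50.0/24": "11.1.1.1",
}


def lpm(table, dst):
    """Longest-prefix match; returns the next hop, or None when there is no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in table.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1] if hits else None


@dataclass
class Sequence:
    """One 'route-map pbr <seq> permit' clause."""
    seq: int
    acl: list                        # standard ACL as source prefixes; [] matches everything
    next_hops: list = field(default_factory=list)
    load_balance: bool = False       # 'set ip next-hop A B load-balance'
    default_next_hop: bool = False   # 'set ip default next-hop'


def acl_matches(acl, src):
    ip = ipaddress.ip_address(src)
    return not acl or any(ip in ipaddress.ip_network(p) for p in acl)


def select_next_hop(route_map, src, dst, reachable, table=ROUTING_TABLE):
    """Return (decision, next_hop) for one packet.

    reachable: the set of gateway addresses the switch currently considers
    reachable; the manual says a policy gateway is used only while reachable."""
    table_hop = lpm(table, dst)
    for seq in sorted(route_map, key=lambda s: s.seq):
        if not acl_matches(seq.acl, src):
            continue
        candidates = [nh for nh in seq.next_hops if nh in reachable]
        if seq.default_next_hop:
            # 'set ip default next-hop': the routing table wins; the policy hop is
            # used only for destinations that have no route at all.
            if table_hop is not None:
                return ("routing-table", table_hop)
            return ("default-next-hop", candidates[0]) if candidates else ("unroutable", None)
        if candidates:
            if seq.load_balance and len(candidates) > 1:
                # Per-flow hashing keeps one flow on one gateway.  zlib.crc32 is used
                # because Python's hash() is randomised per process.
                idx = zlib.crc32(f"{src}>{dst}".encode()) % len(candidates)
                return ("policy", candidates[idx])
            return ("policy", candidates[0])
        # The sequence matched but none of its gateways is reachable:
        # fall back to destination-based routing (first match still wins).
        break
    return ("routing-table", table_hop) if table_hop else ("unroutable", None)


# The route map from the example above (ac1/ac2 as standard ACLs) plus the
# 'set ip default next-hop' clause from the Chapter 63 example.
PBR = [
    Sequence(10, ["10.1.1.21/32"], ["13.1.1.99"]),
    Sequence(20, ["10.1.1.2/32"], ["13.1.1.99", "14.1.1.99"], load_balance=True),
    Sequence(40, [], ["13.1.1.99"], default_next_hop=True),
]
```

Calling select_next_hop(PBR, "10.1.1.21", "192.168.50.5", {"13.1.1.99"}) yields the policy gateway, while the same packet with an empty reachable set falls back to the routing table, which is the behaviour the configuration explanation above describes.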
Chapter 67 Multi-VRF CE Intro
67.1 Overview
The Virtual Private Network (VPN) provides a secure method for multiple client networks to share the ISP-supplied bandwidth. In general, one VPN comprises a group of client networks that share a common routing table on the ISP's routers. Each client network is connected to an interface of an ISP network device, and the ISP's device relates each interface to a VPN routing table. One VPN routing table is also called a VRF (VPN Routing/Forwarding table).
67.1.2 Establishing Routes with PE
The MCE switch (MCE) can connect to one or multiple PEs, but both the MCE and the connected PEs have to have VRF configured. The MCE provides the PE with the routes it learns from the CE, and learns the routes of remote client networks from the PE. VRF routes can be established between the MCE and the PE through dynamic routing protocols such as BGP, OSPF, RIP and BEIGRP. Of course, VRF routes can also be established statically. In general, the MCE and the PE belong to different autonomous systems.
Chapter 68 Multi-VRF CE Configuration
68.1 Default VRF Configuration
Function                          Default Configuration
VRF                               No configuration. All routes are added to the default routing table.
VPN extensibility of VRF          No Route Distinguisher (RD). No import/export Route Target (RT).
Maximum number of VRF routes      10240
VRF port                          N/A. No VLAN port is related to a VRF, and the routes of ports are added to the default routing table.
Switch_config# show ip vrf [ brief | detail | interface ] [ vrf-name ]    Browses the VRF information.
Switch_config# no ip vrf vrf-name    Deletes the configured VRF and the relation between the VRF and the L3 interface. vrf-name: the name of the VRF.
Switch_config_intf# no ip vrf forwarding [ vrf-name ]    Deletes the relation between the L3 interface and the VRF.
68.3.
remote-as ASN    Autonomous system number of a neighbor.
Switch_config_bgp_af# exit-address-family    Exits from the address-family configuration mode.
Switch_config_bgp# exit    Exits from the BGP configuration mode.
Switch_config# show ip bgp vpnv4 [ all | rd | vrf ]    Browses the BGP-VRF routing information.
Switch_config# no router bgp ASN    Deletes the BGP routing configuration.
68.3.
Chapter 69 MCE Configuration Example
Figure 2.1 shows a simple VRF network. Both S1 and S2 are Multi-VRF CE switches. S11, S12 and S13 belong to VPN1, S21 and S22 belong to VPN2, and all of them are customer devices. OSPF routes are configured between the CE and the customer devices, while BGP routes are configured between the CE and the PE.
Figure 2.1 MCE configuration example
69.
Switch_config# ip vrf vpn1
Switch_config_vrf_vpn1# rd 100:1
Switch_config_vrf_vpn1# route-target export 100:1
Switch_config_vrf_vpn1# route-target import 100:1
Switch_config_vrf_vpn1# exit
Switch_config# ip vrf vpn2
Switch_config_vrf_vpn2# rd 100:2
Switch_config_vrf_vpn2# route-target export 100:2
Switch_config_vrf_vpn2# route-target import 100:2
Switch_config_vrf_vpn2# exit
Configure the loopback port and the physical port, and use the address of the loopback port as the router ID of the BGP protocol.
Switch_config# router ospf 1 vrf vpn1
Switch_config_ospf_1# network 11.0.0.0 255.0.0.0 area 0
Switch_config_ospf_1# redistribute bgp 100
Switch_config_ospf_1# exit
Switch_config# router ospf 2 vrf vpn2
Switch_config_ospf_2# network 15.0.0.0 255.0.0.0 area 0
Switch_config_ospf_2# redistribute bgp 100
Switch_config_ospf_2# exit
Configure the EBGP route between PE and CE.
Switch_config# interface gigaEthernet 1/1
Switch_config_g1/1# switchport mode trunk
Switch_config_g1/1# interface gigaEthernet 1/2
Switch_config_g1/2# switchport mode trunk
Switch_config_g1/2# exit
Set the L3 VLAN interface of the PE, which connects to S1:
Switch_config# interface VLAN21
Switch_config_v21# ip vrf forwarding vpn1
Switch_config_v21# ip address 21.0.0.1 255.0.0.0
Switch_config_v21# exit
Switch_config# interface VLAN22
Switch_config_v22# ip vrf forwarding vpn2
Switch_config_v22# ip address 22.0.0.
Switch_config_vrf_vpn1# route-target import 300:1
Switch_config_vrf_vpn1# exit
Switch_config# ip vrf vpn2
Switch_config_vrf_vpn2# rd 300:2
Switch_config_vrf_vpn2# route-target export 300:2
Switch_config_vrf_vpn2# route-target import 300:2
Switch_config_vrf_vpn2# exit
Configure the loopback port and the physical port, and use the address of the loopback port as the router ID of the BGP protocol.
Switch_config# interface loopback 0
Switch_config_l0# ip address 103.0.0.1 255.255.255.
Switch_config_ospf_1# exit
Switch_config# router ospf 2 vrf vpn2
Switch_config_ospf_2# network 46.0.0.0 255.0.0.0 area 0
Switch_config_ospf_2# redistribute bgp 300
Switch_config_ospf_2# exit
Configure the EBGP route between PE and CE.
Switch_config# router bgp 300
Switch_config_bgp# bgp log-neighbor-changes
Switch_config_bgp# address-family ipv4 vrf vpn1
Switch_config_bgp_vpn1# no synchronization
Switch_config_bgp_vpn1# redistribute ospf 1
Switch_config_bgp_vpn1# neighbor 31.0.0.
round-trip min/avg/max = 0/0/0 ms
Verify the connectivity between S1 and the PE:
Switch# ping -vrf vpn1 21.0.0.1
!!!!!
--- 21.0.0.
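The following is an added example, not PLANET code, that shows what the rd and route-target commands of the MCE example above achieve: every VRF route is advertised as an RD:prefix VPNv4 route carrying the VRF's export route targets, and a VRF installs only the routes that carry one of its import route targets, so vpn1 and vpn2 never see each other's prefixes even when the customers use the same address space. The RD/RT values are those of the example; the customer prefixes, next hops and the remote PE's routes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str               # 'rd 100:1'
    export_rt: set        # 'route-target export ...'
    import_rt: set        # 'route-target import ...'
    routes: dict = field(default_factory=dict)   # local routes: prefix -> next hop


def export_vpnv4(vrfs):
    """Each VRF route is advertised as a VPNv4 route RD:prefix carrying the VRF's
    export route targets.  The RD makes identical customer prefixes distinct."""
    return [(f"{v.rd}:{p}", p, nh, set(v.export_rt))
            for v in vrfs for p, nh in v.routes.items()]


def import_vpnv4(vrf, vpnv4):
    """Install a VPNv4 route into a VRF only if it carries one of the VRF's import RTs."""
    installed = dict(vrf.routes)
    for _, prefix, nh, rts in vpnv4:
        if rts & vrf.import_rt:
            installed.setdefault(prefix, nh)
    return installed


def lookup(routes, dst):
    """Longest-prefix match inside one VRF table; None when the VRF has no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in routes.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1] if hits else None


# PE-side VRFs with the RD/RT values used in the example above; the customer
# prefixes and next hops are constructed.
VPN1 = Vrf("vpn1", "100:1", {"100:1"}, {"100:1"}, {"11.0.0.0/8": "21.0.0.2"})
VPN2 = Vrf("vpn2", "100:2", {"100:2"}, {"100:2"}, {"15.0.0.0/8": "22.0.0.2"})

# Constructed VPNv4 routes learned from a remote PE: both customers use 44.0.0.0/8,
# so only the RD and the route targets tell them apart.
REMOTE_VPNV4 = [
    ("100:1:44.0.0.0/8", "44.0.0.0/8", "remote-PE-for-vpn1", {"100:1"}),
    ("100:2:44.0.0.0/8", "44.0.0.0/8", "remote-PE-for-vpn2", {"100:2"}),
]


def vrf_tables(vrfs=(VPN1, VPN2), remote=REMOTE_VPNV4):
    """Return {vrf name: installed routes} after import/export between the local
    VRFs and the remote VPNv4 routes."""
    vpnv4 = export_vpnv4(vrfs) + list(remote)
    return {v.name: import_vpnv4(v, vpnv4) for v in vrfs}
```

A VRF that imports both 100:1 and 100:2 would install both customers' routes; that is how an extranet is built, and also how a mistyped route-target import quietly merges two customers, which is worth checking with show ip vrf detail after any RT change.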
Chapter 70 VRRP Configuration
70.1 Overview
The Virtual Router Redundancy Protocol (VRRP) protects against the failure of a single node in a static default-routing environment. VRRP avoids the defects of a statically designated gateway. A group of switches can work together as one virtual switch through VRRP. The virtual switch has a virtual IP address and a virtual MAC address for the outside. VRRP chooses one switch from the group as the master switch, responsible for forwarding packets.
to the default setting. In simple-text authentication mode, the authentication string is carried in the message in clear text. The receiver checks the authentication string in the message to see whether it matches the locally configured authentication string. The authentication string has eight characters at most. Because the string travels in clear text, anyone who can capture VRRP advertisements on the segment can read it, so this mode only guards against accidental misconfiguration, not against a deliberate rogue master. By default, the authentication mode of VRRP is no-authen.
70.3.
70.3.6 Configuring VRRP Priority
Run the following commands in VLAN interface configuration mode.
Command                              Purpose
vrrp vrid priority value (1~254)     Configures the VRRP priority.
no vrrp vrid priority                Restores the default VRRP priority.
When the virtual address and the port address are the same, VRRP automatically raises its priority value to 255. After the virtual address or the port address changes, the priority value automatically returns to the original value. The default value is 100.
70.3.
link state. It provides an opportunity to switch from the master state to the backup state. The change of link state refers to whether the destination link beyond the VRRP switch is reachable, not whether the VRRP switch itself is reachable. VRRP supports two monitoring objects: first, monitoring the interface status, where the switch proactively lowers its own priority when the monitored port's link state is down; second, monitoring the static route state of a designated node.
Configuring Switch A
Step 1: Configure the address for the interface of the private network.
Switch_config_v1# ip address 192.168.20.18 255.255.255.0
Step 2: Configure the address for the interface of the public network.
Switch_config_v2# ip address 211.162.1.120 255.255.255.0
Step 3: Configure virtual switch group 1 on the interface of the private network. The virtual address is 192.168.20.1. The priority value is 120.
Switch_config_v1# vrrp 1 associate 192.168.20.1 255.255.255.
Configuring Switch B
Configure the address for the interface of the private network.
Switch_config_v1# ip address 192.168.20.16 255.255.255.0
Configure the address for the interface of the public network.
Switch_config_v2# ip address 211.162.1.125 255.255.255.0
Configure virtual switch group 1 on the interface of the private network. The virtual address is 192.168.20.1. The priority value is 120.
Switch_config_v1# vrrp 1 associate 192.168.20.1 255.255.255.
Configuring PC and Server of the Private Network
Configure the default gateway for each PC and server in the private network to 192.168.20.1.
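The following is an added example, not PLANET code, that plays through the master election for the two switches configured above (192.168.20.18 and 192.168.20.16, both with priority 120, virtual address 192.168.20.1), including the rules stated earlier in this chapter: the owner of the virtual address is raised to 255, priorities are clamped to 1~254, and a monitored port going down lowers the switch's own priority. The tie-break by higher interface address comes from the VRRP standard rather than this manual, and the decrement of 30 is a constructed value.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class VrrpSwitch:
    name: str
    interface_ip: str         # address of the interface running VRRP
    priority: int = 100       # 'vrrp <vrid> priority' (1~254, default 100)
    tracked_port_up: bool = True
    track_decrement: int = 0  # assumed: how much a down tracked port lowers the priority


def effective_priority(sw, virtual_ip):
    """Priority used in the election: 255 for the address owner, otherwise the
    configured value lowered while a tracked port is down, clamped to 1~254."""
    if sw.interface_ip == virtual_ip:
        return 255
    value = sw.priority - (0 if sw.tracked_port_up else sw.track_decrement)
    return max(1, min(254, value))


def elect_master(group, virtual_ip):
    """Highest effective priority wins; equal priorities are broken by the higher
    interface address (VRRP standard tie-break, assumed here)."""
    return max(group, key=lambda s: (effective_priority(s, virtual_ip),
                                     int(ipaddress.ip_address(s.interface_ip)))).name


# The two switches of the example above; the tracking decrement is constructed.
SWITCH_A = VrrpSwitch("Switch A", "192.168.20.18", 120, True, 30)
SWITCH_B = VrrpSwitch("Switch B", "192.168.20.16", 120, True, 30)
VIRTUAL_IP = "192.168.20.1"


def master_after_failure(public_port_of_a_up):
    """Who is master when Switch A's monitored public-network port is up or down."""
    a = replace(SWITCH_A, tracked_port_up=public_port_of_a_up)
    return elect_master([a, SWITCH_B], VIRTUAL_IP)
```

With both public ports up, Switch A wins only on the address tie-break; once its public-network port is monitored and goes down, its priority drops to 90 and Switch B takes over, which is the point of monitoring the link state rather than the switch itself.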
Chapter 71 Multicast Overview
This chapter describes how to configure the multicast routing protocol. For the details of the multicast routing commands, refer to the part "Multicast Routing Commands". Traditional IP transmission allows one host to communicate with a single host (unicast communication) or with all hosts (broadcast communication). Multicast technology allows one host to send messages to a set of hosts. These hosts are called group members.
71.2 Multicast Routing Configuration Task List
71.2.1 Basic Multicast Configuration Task List
Starting up the multicast routing (mandatory)
Configuring TTL threshold (optional)
Canceling rapid multicast forwarding (optional)
Configuring static multicast route (optional)
Configuring multicast boundary (optional)
Configuring multicast helper (optional)
Configuring Stub multicast route (optional)
Monitoring and maintaining multicast route (optional)
71.2.
Chapter 72 Basic Multicast Routing Configuration
72.1 Starting up Multicast Routing
To allow the router software to forward multicast messages, you must start up multicast routing. Run the following command in global configuration mode to start up multicast message forwarding:
Command                   Purpose
ip multicast-routing      Starts up multicast routing.
72.2 Starting up the Multicast Function on the Port
When the multicast routing protocol runs on a port, IGMP is activated on the port.
Command                                     Purpose
ip multicast ttl-threshold ttl-value        Configures the TTL threshold on the port.
Example
The following example shows how the administrator configures the TTL threshold on a port:
interface ethernet 1/0
 ip multicast ttl-threshold 200
72.4 Configuring IP Multicast Boundary
Run the command ip multicast boundary to configure the multicast boundary for the port. Run the command no ip multicast boundary to cancel the configured boundary.
broadcast message.
ip forward-protocol [port]      Configures the port number allowed to forward the message.
Example
The following example shows how to configure the command ip multicast helper. The configuration of the router is shown in the following figure. Configure the command ip directed-broadcast on the e0 port of the first-hop router to handle the directed broadcast message. Configure ip multicast helper-map broadcast 230.0.0.
interface type number                     Enters the interface configuration mode.
ip pim neighbor-filter access-list        Filters all PIM messages on the stub router.
Example
The configuration of routers A and B is shown as follows:
Stub Router A Configuration
ip multicast-routing
ip pim-dm
ip igmp helper-address 10.0.0.2
Central Router B Configuration
ip multicast-routing
ip pim-dm
ip pim-dm neighbor-filter stubfilter
ip access-list stubfilter deny 10.0.0.1
72.
Clearing the multicast cache and the routing table
If particular caches or the routing table are invalid, you need to clear their content. Run the following commands in management mode:
Command                                                  Purpose
clear ip igmp group [type number] [group-address]        Clears the entries in the IGMP cache.
clear ip mroute [* | group-address | source-address]     Clears the entries in the multicast routing table.
Displaying the multicast routing table and system statistics information
The detailed information about the IP multicast routing table, cache or database helps to judge how resources are used and to resolve network problems. Run the following commands in management mode to display the statistics information about the multicast route:
Command                                                        Purpose
show ip igmp groups [type number | group-address] [detail]     Displays the information about the multicast groups in the IGMP cache.
Chapter 73 IGMP Configuration
73.1 IGMP Overview
Internet Group Management Protocol (IGMP) is a protocol used to manage multicast group members. IGMP is an asymmetric protocol, consisting of a host side and a switch side. At the host side, the IGMP protocol regulates how a host that is a multicast group member reports the multicast group it belongs to, and how the host responds to the query message from the switch.
ip igmp version version_number      Changes the IGMP version running on the current port.
73.3.1 Configuring IGMP Query Interval
Whatever the version of the current IGMP-Router protocol, the multicast switch sends the IGMP General Query message at a certain interval on the port where the IGMP-Router function is started. The transmission address is 224.0.0.1.
message before the regulated maximum response time expires, indicating that the General Query message has been received. If the maximum response time is set to a large value, the change of multicast group membership is delayed. If the maximum response time is set to a small value, the IGMP message traffic in the current network increases.
Note: The maximum IGMP response time must be shorter than the IGMP query interval.
the multicast group assignment information varies. Unlike the "dynamic multicast group" above, if a port is configured to belong to a static multicast group, the multicast routing protocol treats the port as one that always receives and sends the multicast messages of that multicast group.
Example for changing the IGMP version
The IGMP-Router protocol of a later version is compatible with IGMP hosts of an earlier version, but not with the IGMP-Router protocol of an earlier version. Therefore, if there are switches running an earlier version of the IGMP-Router protocol in the current network, you need to change the later version of the IGMP-Router protocol to the earliest version present in the same network segment.
IGMP query interval configuration example
The following example shows how to modify the IGMP query interval to 50 seconds on the interface ethernet 1/0:
interface ethernet 1/0
 ip igmp query-interval 50
IGMP Querier interval configuration example
The following example shows how to modify the IGMP Querier interval to 100 seconds on the interface ethernet 1/0:
interface ethernet 1/0
 ip igmp querier-timeout 100
Maximum IGMP response time example
The following example shows how to modify the maximum IGMP response time to 15 seconds on the interface ethernet 1/0:
interface ethernet 1/0
 ip igmp query-max-response-time 15
Example for configuring IGMP query interval for the last group member
The following example shows how to modify the IGMP query interval of the last group member to 2000 ms on the interface ethernet 1/0:
interface ethernet 1/0
 ip igmp last-member-query-interval 2000
Static IGMP configuration example
The configuration command of the static multicast group can define different classes of static multicast groups by adopting different parameters. The following examples show the results of running different command parameters.
interface ethernet 1/0
 ip igmp static-group *
The previous configuration command configures all static multicast groups on the interface ethernet 1/0.
IGMP Immediate-leave list configuration example
The following example shows how to set the access list imme-leave on the interface ethernet 1/0 with the immediate-leave function and to add the IP address 192.168.20.168 of the IGMP host to the access list. The configuration ensures that the IGMP host with IP address 192.168.20.168 uses the immediate-leave function.
interface ethernet 1/0
 ip igmp immediate-leave imme-leave
 exit
ip access-list standard imme-leave
 permit 192.168.20.
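The following is an added example, not PLANET code, that models the IGMP group state of one port with the timer values used in the examples of this chapter (query interval 50 s, maximum response time 15 s, last-member query interval 2000 ms, immediate-leave host 192.168.20.168). It checks the note that the maximum response time must be shorter than the query interval, shows how long a group stays active without reports, and shows why an immediate-leave host removes a group at once while other hosts trigger the last-member queries. The robustness variable of 2 and the group membership interval formula come from RFC 2236, not from the manual.

```python
from dataclasses import dataclass, field

ROBUSTNESS = 2   # IGMPv2 default robustness variable (RFC 2236); assumed, not from the manual


@dataclass
class IgmpPort:
    query_interval: int = 125               # seconds, 'ip igmp query-interval'
    max_response_time: int = 10             # seconds, 'ip igmp query-max-response-time'
    last_member_query_interval: int = 1000  # milliseconds, 'ip igmp last-member-query-interval'
    immediate_leave_hosts: set = field(default_factory=set)  # hosts matched by the immediate-leave ACL
    groups: dict = field(default_factory=dict)   # group -> time (s) at which it expires

    def validate(self):
        """The manual's rule: the maximum response time must be shorter than the query interval."""
        return self.max_response_time < self.query_interval

    def membership_interval(self):
        """RFC 2236: Group Membership Interval = Robustness * Query Interval + Query Response Interval."""
        return ROBUSTNESS * self.query_interval + self.max_response_time

    def report(self, group, now):
        """A Membership Report (re)arms the group timer."""
        self.groups[group] = now + self.membership_interval()

    def leave(self, group, host, now):
        """Handle a Leave Group message.  Returns how long the group survives: 0 for an
        immediate-leave host, otherwise ROBUSTNESS group-specific queries spaced by
        the last-member query interval; None when the group was not active."""
        if group not in self.groups:
            return None
        if host in self.immediate_leave_hosts:
            del self.groups[group]
            return 0.0
        wait = ROBUSTNESS * self.last_member_query_interval / 1000
        self.groups[group] = now + wait
        return wait

    def expire(self, now):
        """Remove groups whose timer has run out; returns the removed groups."""
        gone = [g for g, t in self.groups.items() if t <= now]
        for g in gone:
            del self.groups[g]
        return gone


def example_port():
    """The port of the examples above, as configured by the commands shown there."""
    return IgmpPort(query_interval=50, max_response_time=15,
                    last_member_query_interval=2000,
                    immediate_leave_hosts={"192.168.20.168"})
```

The trade-off the text describes is visible in membership_interval(): a larger maximum response time lengthens the time a departed group keeps traffic flowing, while a smaller one only raises the rate of report traffic.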
Chapter 74 PIM-DM Configuration
74.1 PIM-DM Introduction
Protocol Independent Multicast Dense Mode (PIM-DM) is a multicast routing protocol in dense mode. By default, when the multicast source starts to send multicast data, all network nodes in the domain receive the data. Therefore, PIM-DM forwards multicast packets in broadcast-pruning (flood-and-prune) mode. When the multicast source starts to send data, the switches along the way forward the multicast packets to all PIM-activated interfaces except the RPF interface.
74.2 Configuring PIM-DM
74.2.1 Modifying Timer
The routing protocol adopts several timers to determine the transmission frequency of Hello messages and state-refresh control messages. The interval at which Hello messages are transmitted affects whether the neighbor relationship can be created correctly.
mode. To forbid a switch or switches at a network segment from joining the PIM-DM negotiation, the neighbor filter list must be configured. To forbid or permit some groups to pass the local region, the multicast boundary filter list must be configured.
Command                        Purpose
ip pim-dm neighbor-filter      Configures the neighbor filter list.
ip multicast boundary          Configures the multicast boundary filter list.
74.2.5 Setting DR Priority
To be compatible with IGMP v1, the DR election is required.
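The following is an added example, not PLANET code, of the forwarding decision that the PIM-DM introduction above describes: a multicast packet passes the RPF check only if it arrives on the interface the unicast routing table uses to reach its source, and it is then flooded out of every other PIM-enabled interface that has not been pruned. The unicast routing table and interface names are constructed.

```python
import ipaddress

# Constructed unicast routing table: prefix -> outgoing interface toward that prefix.
UNICAST = {
    "10.0.0.0/24": "Ethernet1/0",
    "10.0.1.0/24": "Ethernet1/1",
    "0.0.0.0/0": "Ethernet1/2",
}


def rpf_interface(source, table=UNICAST):
    """Interface the unicast routing table would use to reach the source (longest match)."""
    ip = ipaddress.ip_address(source)
    hits = [(ipaddress.ip_network(p).prefixlen, iface) for p, iface in table.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def forward(source, in_iface, pim_interfaces, pruned=frozenset(), table=UNICAST):
    """Return the interfaces a PIM-DM switch floods the packet to.

    An empty list means the packet is dropped: either it failed the RPF check
    (it arrived on an interface that is not on the shortest path back to the
    source, as happens with loops or forged sources) or every other interface
    has been pruned."""
    if rpf_interface(source, table) != in_iface:
        return []
    return [i for i in pim_interfaces if i != in_iface and i not in pruned]


PIM_INTERFACES = ["Ethernet1/0", "Ethernet1/1", "Ethernet1/2"]
```

Calling forward("10.0.0.5", "Ethernet1/0", PIM_INTERFACES) floods to the two other interfaces; the same source arriving on Ethernet1/1 is discarded, which is the RPF check doing its job.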
Chapter 75 Configuring PIM-SM
75.1 PIM-SM Introduction
Protocol Independent Multicast Sparse Mode (PIM-SM) is a multicast routing protocol in sparse mode. In the PIM-SM domain, the switches that run PIM-SM periodically send Hello messages to achieve the following purposes:
Discover neighboring PIM-SM switches.
Select the designated router (DR) in the multi-access network.
75.2 Configuring PIM-SM
75.2.1 Enabling Global Multicast
Command: ip multicast-routing / no ip multicast-routing
If you want to use the protocol pim-sm, run the command in configuration mode:
switch_config#ip multicast-routing
Show running as follows:
!
ip multicast-routing
!
If you don't want to use the protocol pim-sm, run the command in configuration mode:
switch_config #no ip multicast-routing
75.2.
switch_config_v9#ip pim-sm nbr-filter nbr_permit
switch_config_v9#exit
switch_config#ip access-list standard nbr_permit
switch_config_std_nacl#permit 172.20.21.174 255.255.255.0
Configuration result: hello packets from segment 172.20.21.0/24 are accepted and the neighbor relation is set up.
R172_config_std_nacl#show ip pim-s nei
PIM-SMv2 Neighbor Table
Neighbor Address    Interface    Uptime/Expires    DR Prior
172.20.21.
75.2.5 Configuring Candidate RP
Configure the candidate RP so that it is sent to the BSR periodically and then diffused to all PIM-SM routers in the domain, ensuring the RP mapping is unique. Run the following command in global configuration mode:
Command                                                                  Purpose
ip pim-sm rp-candidate [type number] [interval|group-list acl-name]      Configures the local switch as the candidate RP.
no ip pim-sm rp-candidate [type number]
After the candidate RP is configured, it is sent to the BSR periodically.
3) Enable pim-sm on the interface;
4) Enter pim-sm configuration mode and set the address range of the SSM group;
5) Configure other functions of pim-sm (optional).
Configuration instances:
switch_config#interface v8
switch_config_v8#ip addr 1.1.1.1 255.255.255.0
switch_config_v8#ip pim-sm
switch_config_v8#exit
switch_config#router pim-sm
switch_config_ps#ssm rang grp_range
switch_config_ps#exit
switch_config#ip access-list standard grp-range
switch_config_std_nacl#permit 233.1.0.0 255.255.0.
2.1.2 Configure the standby BSR and designate the standby BSR port.
Configuration instances:
1. Configure the management domain range on the ZBR
Sa_config_v9#ip pim-sm admin-scope 225.1.1.0 255.255.255.0
2. Configure the group range and port of the standby BSR on the domain pim-sm device
Sb_config#interface loopback1
Sb_config_l1#ip addr 1.1.1.1 255.255.255.0
Sb_config_l1#ip pim-sm
Sb_config#router pim-sm
Sb_config_ps#c-bsr admin-scope 225.1.1.0 255.255.255.
Command                                                                                                Purpose
show ip mroute pim-sm [group-address] [source-address] [type number] [summary] [count] [active kbps]   Displays the PIM-SM multicast route information.
75.2.13 Clearing Multicast Routes Learned by PIM-SM
Run the following command to clear multicast routes learned by PIM-SM:
Command                                                          Purpose
clear ip mroute pim-sm [ * | group-address ] [source-address]    Clears information about the PIM-SM multicast routes.
75.3 Configuration Example
75.3.
!
interface Serial0/0
 ip address 192.168.21.144 255.255.255.0
 ip pim-sm
!
75.3.2 BSR Configuration Example (The switch is configured on the VLAN port)
The following example shows the BSR configuration of two switches.
Device A:
!
ip multicast-routing
!
interface Loopback0
 ip address 192.166.100.142 255.255.255.0
 ip pim-sm
!
interface Ethernet1/1
 ip address 192.166.1.142 255.255.255.0
 ip pim-sm
!
interface Serial2/0
 ip address 192.168.21.142 255.255.255.
Chapter 76 IPv6 Protocol's Configuration
76.1 IPv6 Protocol's Configuration
The configuration of the IPv6 address of the router takes effect only on a VLAN interface, not on a physical interface. The IPv6 protocol is disabled by default. If the IPv6 protocol needs to be used on a VLAN interface, it must first be enabled in VLAN interface configuration mode. To enable the IPv6 protocol, users have to set an IPv6 address.
automatically.
ipv6 address fe80::x link-local      Sets a link-local address manually.
Note: The link-local address must begin with fe80. The default length of the prefix is 64 bits. In manual settings, only the values of the last 64 bits can be designated. Only one link-local address can be set on a VLAN interface. After IPv6 is enabled through the configuration of the link-local address, IPv6 takes effect only on the local link.
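The following is an added example, not PLANET code, of the two ways a link-local address is obtained per the note above: derived automatically from the interface MAC address (modified EUI-64), or entered manually as fe80::x, where only the last 64 bits are the user's choice. The MAC address 08:00:3e:d5:ef:fc is a constructed sample; it is chosen so that the derived address equals the fe80::a00:3eff:fed5:effc shown on FastEthernet0/1 in the Chapter 78 routing table listing. The rejection of an all-zero interface identifier is an added assumption.

```python
import ipaddress

# The manual: the link-local address begins with fe80 and the prefix length is 64.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def eui64_link_local(mac):
    """Link-local address an interface derives automatically from its MAC address
    (modified EUI-64: flip the universal/local bit of the first octet and insert
    ff:fe between the OUI and the device part)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(LINK_LOCAL.network_address.packed[:8] + iid))


def manual_link_local_ok(text):
    """Check a manually entered 'ipv6 address fe80::x link-local' value: it must be a
    valid IPv6 address inside fe80::/64 (the first 64 bits fixed by the switch) and
    must carry a non-zero interface identifier (assumed)."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return addr in LINK_LOCAL and addr != LINK_LOCAL.network_address
```

Because the EUI-64 form embeds the MAC address, the hardware identity of the interface is visible to every node on the link; a manually set fe80::x address, as the command above allows, is one way to avoid publishing it.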
Chapter 77 Setting the IPv6 Services
77.1 Setting the IPv6 Services
After IPv6 is enabled, all services provided by IPv6 can be set. The configurable IPv6 services are shown below:
(1) Managing the IPv6 Link
77.1.1 Managing the IPv6 Link
IPv6 provides a series of services to control and manage the IPv6 link.
All interfaces have a default IPv6 MTU. If the length of an IPv6 packet exceeds the MTU, the router fragments this IPv6 packet. To set the IPv6 MTU on a specific interface, run the following command in interface configuration mode:
Command             Purpose
ipv6 mtu bytes      Sets the IPv6 MTU on an interface.
Setting IPv6 redirection
Sometimes, the route selected by the host is not the best one.
Command                                  Purpose
ipv6 traffic-filter WORD { in | out }    Filters the IPv6 packets in the reception or transmission direction (in: receive; out: transmit) on a VLAN interface.
7. Setting IPv6 Hop-Limit
Users can designate the value of the hop-limit field that the router places in the packets it originates (not in forwarded packets). All packets this router originates use the configured hop-limit value unless the upper-layer application explicitly designates one.
Chapter 78 Configuring the Routing Management Modules
78.1 Overview
A static route is a special route configured manually by the administrator; after a static route is set, packets with the designated destination are forwarded along the path designated by the administrator. In networks with a simple structure, the configuration of static routes alone can realize network interconnection.
78.3 Routing Management Module's Configuration Tasks
78.3.1 Setting the Static Route
To set the static route, run the following command in global configuration mode:
Command                                                                         Purpose
ipv6 route prefix/prefixlen {ipv6-address | interface-type interface-number}    Sets the static route.
When setting the static route, you can designate the type and number of the outgoing interface, and also the address of the next hop.
78.3.3 Monitoring and Maintaining the State of the Routing Table
To display all kinds of statistics information about routes, run the following commands in EXEC mode:
Command                         Purpose
show ipv6 route                 Displays the information in the main routing table.
show ipv6 route [protocol]      Displays the routing information of the corresponding routing protocol in the main routing table.
show ipv6 route summary         Displays the statistics information about the main routing table.
debug ipv6 routing packet (line card)     Traces the packet interaction information between the line card and the main control.
debug ipv6 routing message (line card)    Traces the message interaction information on the line card.
debug ipv6 routing cache (line card)      Traces the information about the cache on the line card.
debug ipv6 routing route (line card)      Traces the information about route changes on the line card.
debug ipv6 routing search (line card)     Traces the routing search information on the line card.
78.4 Static Route's Configuration Example
As shown in the following figure, RA directly connects to router RB.
RA configuration:
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 ipv6 address 3FFE::1/64
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 duplex half
 ipv6 address 3333::1111/64
!
RB configuration:
interface VLAN1
 no ip address
 no ip directed-broadcast
 ipv6 address 3333::3333/64
!
!
Browsing the addresses of the local link of RA:
RA_config#show ipv6 route
Codes: C - Connected, L - Local, S - Static, R - Ripng, B - BGP
       ON1 - OSPF NSSA external type 1, ON2 - OSPF NSSA external type 2
       OE1 - OSPF external type 1, OE2 - OSPF external type 2
       DHCP - DHCP type
VRF ID: 0
C 3333::/64[1] is directly connected, C,Ethernet1/1
C 3333::1111/128[1] is directly connected, L,Ethernet1/1
C 3ffe::/64[1] is directly connected, C,FastEthernet0/1
C 3ffe::1/128[1] is directly connected, L,FastEthernet0/1
C fe80::/10[1] is directly connected, L,Null0
C fe80::/64[1] is directly connected, C,FastEthernet0/1
C fe80::a00:3eff:fed5:effc/128[1] is directly connected, L,FastEthernet0/1
C fe80::/64[1] is directly connected, C,Ethernet1/1
C fe80::a00:3eff:fed5:effd/128[1] is directly connected, L,Ethernet1/1
C ff00::/8[1] is directly connected, L,Null0
!
Setting a static route, which leads to subnet 3ffe::/64, on RB:
!
ipv6 route 3ffe::/64 3333::1111
!
Or:
Chapter 79 ND Configuration
79.1 ND Overview
A node (host or router) uses ND (Neighbor Discovery protocol) to determine the link-layer addresses of connected neighbors and to purge invalid cache entries rapidly. The host also uses ND to discover the neighboring routers that forward its packets. Additionally, the node uses the ND mechanism to actively track which neighbors are reachable or unreachable and to detect changed link-layer addresses.
hardware-address address into a link-layer address.
79.3 ND Configuration
The ND protocol is used not only for address resolution but also for other functions such as neighbor solicitation, neighbor advertisement, router solicitation, router advertisement and redirect.
the host obtains the IPv6 address prefix and related parameters from this option.
Command                                                                                                                                Purpose
ipv6 nd prefix {ipv6-prefix/prefix-length | default} [no-advertise | [valid-lifetime preferred-lifetime [off-link | no-autoconfig]]]   Sets the content of the prefix option in the RA message that the local port transmits.
Setting the RA transmission interval
The following command is used to set the range of the RA transmission interval.
Command                                   Purpose
ipv6 nd router-preference preference      Sets the router-preference field in the RA message transmitted by the local port. It is medium by default.
Stopping a port from being the notification port of a switch
Only the notification port can transmit RA packets. The notification port supports multicast and is set to have at least one unicast IP address. Its AdvSendAdvertisements flag is TRUE. Configuring ipv6 nd suppress-ra on the VLAN port shuts down the notification port.
Chapter 80 OSPFv3 Configuration
80.1 Overview
OSPFv3 is an IGP routing protocol developed by the OSPF working group of the IETF for the IPv6 network. OSPFv3 supports the IPv6 subnet, the tagging of external routing information, and packet authentication. OSPFv3 and OSPFv2 have a lot in common: both the router ID and the area ID are 32 bits, and the same packet types are used: Hello packets, DD packets, LSR packets, LSU packets and LSAck packets.
Setting OSPFv3 on different physical networks
Setting the parameters of the OSPFv3 domain
Configuring the NSSA Domain of OSPFv3
Setting the Route Summary in the OSPFv3 Domain
Setting the Summary of the Forwarded Routes
Generating a Default Route
Choosing the route ID on the loopback interface
Setting the management distance of OSPFv3
Setting the Timer of Routing Algorithm
Monitoring and Maintaining OSPFv3
80.3 OSPFv3 Configuration Tasks
80.3.
router.
Command: ipv6 ospf hello-interval seconds
Purpose: Sets the interval at which the OSPFv3 interface transmits Hello packets.
Command: ipv6 ospf dead-interval seconds
Purpose: Sets the interval after which, if no OSPFv3 packets have been received from a neighboring router, that neighbor is considered down.
80.3.
Run the following commands in router configuration mode to set the domain's parameters:
Command: area area-id stub [no-summary]
Purpose: Defines a stub area.
Command: area area-id default-cost cost
Purpose: Sets the cost of the default route advertised into the stub area.

For areas that are not the backbone area and are not directly connected to the backbone, or for a discontiguous backbone, an OSPFv3 virtual link can be used to establish logical connectivity.
down or the IPv4 address is deleted, the OSPF process recalculates the router ID and retransmits the routing information on all interfaces. If an IPv4 address is configured on a loopback interface, the router uses the loopback IPv4 address as its ID first. Because a loopback interface never goes down, the routing table is far more stable. The router prefers a loopback interface address as its ID, choosing the highest IPv4 address among all loopback interfaces.
Command: show ipv6 ospf [process-id] database
Command: show ipv6 ospf [process-id] database [router] [adv-router router-id]
Purpose: Displays the information in the OSPFv3 database.
The fourth example shows how to set the OSPFv3 virtual link.
Basic OSPFv3 Configuration Example
The following example shows a simple OSPFv3 configuration. OSPFv3 process 90 is activated, interface vlan 10 is attached to area 0.0.0.0, and routes are redistributed from RIPng into OSPFv3 and from OSPFv3 into RIPng.

ipv6 unicast-routing
!
interface vlan 10
 ipv6 address 2001::1/64
 ipv6 enable
 ipv6 rip aaa enable
 ipv6 rip aaa split-horizon
 ipv6 ospf 90 area 0
 ipv6 ospf cost 1
!
router ospfv3 90
 router-id 1.1.1.
Configuring multiple OSPFv3 processes
The following example creates two OSPFv3 processes on the same interfaces, each running in its own OSPFv3 instance.

ipv6 unicast-routing
!
interface vlan 10
 ipv6 address 2001::1/64
 ipv6 enable
 ipv6 ospf 109 area 0 instance 1
 ipv6 ospf 110 area 0 instance 2
!
interface vlan 11
 ipv6 address 2002::1/64
 ipv6 enable
 ipv6 ospf 109 area 1 instance 1
 ipv6 ospf 110 area 1 instance 2
!
router ospfv3 109
 router-id 1.1.1.1
 redistribute static
!
router ospfv3 110
 router-id 2.2.2.
Complicated configuration example
The following example shows how to configure multiple routers in a single OSPFv3 autonomous system. The following figure shows the network topology of the configuration example.

Configure the routers according to the figure:

R1:
interface vlan 0
 ipv6 enable
 ipv6 ospf 1 area 1
!
interface vlan 1
 ipv6 enable
 ipv6 ospf 1 area 0
!
ipv6 route 2001::/64 6::2
!
router ospfv3 1
 router-id 1.1.1.
is directly connected, L, Null0

From the output above, we can see that R2 has learned the routes redistributed by R1.

Setting area 1 to be a stub area:

R1:
interface vlan 0
 ipv6 enable
 ipv6 ospf 1 area 1
!
interface vlan 1
 ipv6 enable
 ipv6 ospf 1 area 0
!
ipv6 route 2001::/64 6::2
!
router ospfv3 1
 router-id 1.1.1.1
 area 1 stub
 redistribute static
!
R2:
interface vlan 0
 ipv6 enable
 ipv6 ospf 1 area 1
!
router ospfv3 1
 router-id 2.2.2.
Configuring the virtual link
The following example shows how to configure a virtual link in a single OSPFv3 autonomous system. The following figure shows the network topology of the configuration example.

Configure the routers according to the figure:

R1:
interface vlan 0
 ipv6 address 101::1/64
 ipv6 enable
 ipv6 ospf 1 area 1
!
interface vlan 1
 ipv6 address 6::1/64
 ipv6 enable
 ipv6 ospf 1 area 0
!
ipv6 route 2001::/64 6::2
!
router ospfv3 1
 router-id 200.200.200.
Neighbor ID      Pri  State
200.200.200.2    1    Full/DR
200.200.200.2    1    Full/ -

R2#show ipv6 ospf neighbor
OSPFv3 Process (1)
Neighbor ID      Pri  State
200.200.200.1    1    Full/Backup
200.200.200.
C  fe80::2e0:fff:fe26:a8/128[1] is directly connected, L, VLAN0
C  fe80::/64[1] is directly connected, C, VLAN1
C  fe80::2e0:fff:fe26:a9/128[1] is directly connected, L, VLAN1
C  ff00::/8[1] is directly connected, L, Null0
Chapter 81 Overview

81.1 Stipulation

81.1.1 Format Stipulation in the Command Line

Syntax: Bold
Meaning: Stands for a keyword in the command line, which stays unchanged and must be entered without any modification. It is presented in bold in the command line.

Syntax: {italic}
Meaning: Stands for a parameter in the command line, which must be replaced by the actual value. It is presented in italic inside braces.

Meaning: Stands for a parameter in the command line, which must be replaced by the actual value.
Chapter 82 NTP Configuration

82.1 Overview

Network Time Protocol (NTP) is a computer time synchronization protocol used to synchronize time between distributed time servers and clients. It provides highly accurate time correction, and keyed authentication of NTP packets lets a device reject time from sources that do not hold the shared key, which protects against spoofed or forged time messages. Clients and servers communicate over the User Datagram Protocol (UDP) on port 123.

82.2 NTP Configuration
82.2.
can be designated.
Command: ntp peer ip-address [version number | key keyid | vrf vrf-name]*
Purpose: Configures the IP address of an NTP peer of the device; the version number, key number and VRF instance can be designated.

Usage Guidelines:
1. The device can provide time service to NTP clients only after it has itself achieved time synchronization; otherwise a client that uses this device as its server cannot synchronize.
2.
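The key keyid option binds each NTP packet to a shared secret. The following added example (not PLANET code; the switch's exact digest algorithm is not stated on this page) shows the classic symmetric-key construction from RFC 5905: a 48-byte NTPv4 header followed by a 4-byte key ID and an MD5 digest computed over the key concatenated with the header. The receiver recomputes the digest with the key it has for that ID and drops anything that does not match, including packets that carry no MAC at all. The key bytes and key IDs are constructed for the demo.

```python
"""Symmetric-key NTP authentication (RFC 5905 Appendix A style MD5 MAC).

Added example, not PLANET code: models the 'key keyid' option by appending a
key ID and a digest to a 48-byte NTPv4 header and verifying it on receipt.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN = 48                 # fixed NTPv4 header, no extension fields
MAC_LEN = 4 + 16                # 32-bit key ID followed by a 128-bit MD5 digest


def build_header(version: int = 4, mode: int = 3, transmit_unix: Optional[float] = None) -> bytes:
    """Return a minimal client (mode 3) header with only the transmit timestamp set."""
    ts = time.time() if transmit_unix is None else transmit_unix
    secs = int(ts) + NTP_EPOCH_OFFSET
    frac = int((ts - int(ts)) * (1 << 32)) & 0xFFFFFFFF
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID
    head = struct.pack("!BBBbIII", li_vn_mode, 0, 0, 0, 0, 0, 0)
    # reference, origin and receive timestamps are zero in a client request
    return head + b"\x00" * 24 + struct.pack("!II", secs, frac)


def compute_mac(key: bytes, header: bytes) -> bytes:
    """MD5 over key || header: the legacy NTP keyed-digest construction."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC field (key ID + digest) that the 'key keyid' option produces."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + compute_mac(key, header)


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Accept only packets whose MAC matches a key we trust; unauthenticated packets are rejected."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(compute_mac(key, header), trailer[4:])


if __name__ == "__main__":
    # Constructed demo: key ID 10 is shared with the peer, key ID 11 is not.
    shared = {10: b"example-shared-secret"}
    packet = authenticate(build_header(), 10, shared[10])
    print("valid packet accepted:", verify(packet, shared))
    forged = bytearray(packet)
    forged[1] = 1            # attacker rewrites the stratum field in transit
    print("tampered packet accepted:", verify(bytes(forged), shared))
    print("unknown key accepted:", verify(packet, {11: b"other"}))
```

The MD5 digest here is the legacy algorithm; where both ends support it, AES-CMAC (RFC 8573) or Network Time Security (RFC 8915) should be preferred. Whatever the algorithm, the operational point is the same: a peer configured without key keyid accepts unauthenticated time from anyone who can reach UDP port 123.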
Chapter 83 IPv6 ACL Configuration

83.1 IPv6 ACL Configuration

83.1.1 Filtering IPv6 Packets

Filtering IPv6 packets controls which packets are allowed to travel through the network. Such control can restrict what traffic a given user or device may send and can limit network load. To permit or drop packets crossing a designated port, the switch provides ACLs.
rule deny or permit. In other words, by adding [sequence value] in front of a deny or permit rule, you can insert an ACL entry at any position in the designated ACL. Likewise, you can use "no permit" or "no deny" to delete an entry from the ACL, or "no sequence" to delete the rule at a given position directly.

Note: When setting up an ACL, remember that every ACL ends by default with an implicit deny ipv6 any any, so any packet not matched by an explicit permit is dropped. The ACL must be applied to a line or port after it is set up, otherwise it has no effect.
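The interaction of sequence numbers, first-match evaluation and the implicit deny is easy to get wrong when rules are inserted out of order. The following added example (not PLANET code) models an IPv6 ACL in Python: rules are kept in sequence order, a rule can be inserted at an explicit sequence ahead of existing ones, "no sequence" removes one position, and a packet that matches nothing falls through to deny ipv6 any any. The ACL name, the 10-step auto-numbering and the addresses (2001:db8::/32, the documentation prefix) are constructed for the demo.

```python
"""Sequence-numbered IPv6 ACL model with the implicit 'deny ipv6 any any'.

Added example, not PLANET code: it reproduces the ordering rules described
above (insert with [sequence value], delete with 'no sequence') and the
first-match evaluation so the effect of rule order can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _net(text: str) -> ipaddress.IPv6Network:
    """'any' is shorthand for ::/0; a bare host address gets an implied /128."""
    return ipaddress.IPv6Network("::/0") if text == "any" else ipaddress.IPv6Network(text, strict=False)


@dataclass
class Rule:
    sequence: int
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


class IPv6Acl:
    STEP = 10                       # assumed auto-increment between appended rules

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, action: str, src: str, dst: str, sequence: Optional[int] = None) -> int:
        """Append a rule, or place it at an explicit sequence number anywhere in the list."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if sequence is None:
            sequence = self.rules[-1].sequence + self.STEP if self.rules else self.STEP
        if any(r.sequence == sequence for r in self.rules):
            raise ValueError(f"sequence {sequence} already used in {self.name}")
        self.rules.append(Rule(sequence, action, _net(src), _net(dst)))
        self.rules.sort(key=lambda r: r.sequence)   # evaluation order follows sequence numbers
        return sequence

    def no_sequence(self, sequence: int) -> bool:
        """'no sequence N': remove the rule at that position; True if one was removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.sequence != sequence]
        return len(self.rules) != before

    def evaluate(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
        """First matching rule wins; no match falls through to the implicit deny (sequence None)."""
        s, d = ipaddress.IPv6Address(src_ip), ipaddress.IPv6Address(dst_ip)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return r.action, r.sequence
        return "deny", None


def build_demo_acl() -> IPv6Acl:
    """Constructed sample: management subnet permitted, the rest of the site denied."""
    acl = IPv6Acl("mgmt-in")
    acl.add("permit", "2001:db8:10::/64", "any")            # sequence 10
    acl.add("deny", "2001:db8::/32", "any")                 # sequence 20
    acl.add("permit", "any", "2001:db8:1::1", sequence=5)   # inserted ahead of both
    return acl


if __name__ == "__main__":
    acl = build_demo_acl()
    for src, dst in [("2001:db8:10::7", "2001:db8:2::1"),
                     ("2001:db8:20::7", "2001:db8:2::1"),
                     ("2001:db8:20::7", "2001:db8:1::1"),
                     ("2001:db9::1", "2001:db8:2::1")]:
        print(src, "->", dst, acl.evaluate(src, dst))
```

Note that the source 2001:db9::1 matches no rule at all and is still dropped, and that removing the explicit deny at sequence 20 changes nothing for 2001:db8:20::7: it now hits the implicit deny instead. The implicit deny only stops being the last word when someone appends a permit ipv6 any any, which is the mistake to look for in an audit.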
Chapter 84 Configuring Time Range

84.1 Time Range Introduction

84.1.1 Overview

A Time Range is a time module that controls when a function (for instance, an extended IP access control list) takes effect and when it stops applying. A Time Range only has an effect when used together with another module that supports the Time Range function. A Time Range consists of separate time ranges of two kinds: absolute and periodic.
is a from-to time range.

84.1.6 Activating Time Range

A Time Range can have an absolute time range and a periodic time range simultaneously. The state of a Time Range falls into 4 situations, according to whether an absolute time range and/or a periodic time range is configured.

Situation 1: If a Time Range has neither an absolute time range nor a periodic time range configured, it is called EMPTY. Such a Time Range has no activation period.
Run the following commands to configure a Time Range:
Command: time-range name
Purpose: Adds a Time Range named name and enters Time Range configuration mode.
Command: exit
Purpose: Exits Time Range configuration mode.
Command: no time-range name
Purpose: Deletes the Time Range named name.

Note:
1. If the system already has a Time Range named name, running time-range name enters the configuration mode of that Time Range rather than creating a new one.
84.3.
| weekend hour:minute to hour:minute
| {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday} hour:minute to hour:minute
| {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday} hour:minute to {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday} hour:minute }
Purpose: Deletes a periodic time range.
Command: no periodic [ daily hour:minute to hour:minute | weekdays hour:minute to hour:minute | weekend hour:minute to hour:minute | {Friday | Monday | Saturday | Sunday | Thursday
 periodic weekdays 09:00 to 18:00
time-range entry: y (empty)
time-range entry: z (active)
 periodic daily 12:00 to 13:00
 periodic Monday Thursday Friday 08:00 to 09:00
 periodic Saturday 15:00 to Sunday 20:00
 periodic daily 9:00 AM to 6:00 PM
Switch_config#

The first line shows "Now: Date: 2016.3.4 Time: 13:16 Day: Tuesday", which means the date is 4 March 2016, the time is 13:16 and the day is Tuesday.
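Because a time-controlled ACL silently stops filtering when its Time Range goes inactive, it is worth being able to predict the state shown in the output above for any moment. The following added example (not PLANET code) parses the periodic forms listed in the command table, including the cross-day form "Saturday 15:00 to Sunday 20:00", models an optional absolute window, and reports empty / active / inactive for a Time Range at a given date and time. It assumes, since the page shows only situation 1, that when both kinds are configured the range is active only while the absolute window and at least one periodic window both contain the moment; the entries x, y, z and the extra range w are constructed after the sample output.

```python
"""Time Range activation model (absolute + periodic entries, EMPTY state).

Added example, not PLANET code. It parses the 'periodic' forms listed above
(daily / weekdays / weekend / named days / cross-day 'Saturday 15:00 to
Sunday 20:00') and evaluates the state of a Time Range at a given moment.
Assumption: with both kinds configured, the range is active only while the
absolute window and at least one periodic window both contain the moment.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Set

# index matches datetime.weekday(): Monday == 0 ... Sunday == 6
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _hhmm(text: str) -> time:
    return datetime.strptime(text, "%H:%M").time()


@dataclass
class Periodic:
    days: Set[int]                  # weekday numbers on which the window starts
    start: time
    end: time
    end_day: Optional[int] = None   # set only for the cross-day form

    def contains(self, now: datetime) -> bool:
        if self.end_day is None:
            return now.weekday() in self.days and self.start <= now.time() <= self.end
        (start_day,) = self.days
        # most recent occurrence of the start day, then the window end relative to it
        days_back = (now.weekday() - start_day) % 7
        start_dt = datetime.combine(now.date() - timedelta(days=days_back), self.start)
        span = (self.end_day - start_day) % 7
        end_dt = datetime.combine(start_dt.date() + timedelta(days=span), self.end)
        return start_dt <= now <= end_dt


def parse_periodic(text: str) -> Periodic:
    """Parse the argument of a 'periodic' command, e.g. 'Monday Thursday Friday 08:00 to 09:00'."""
    tokens = text.split()
    to = tokens.index("to")
    left, right = tokens[:to], tokens[to + 1:]
    start, day_words = _hhmm(left[-1]), left[:-1]
    if len(day_words) == 1 and day_words[0] in GROUPS:
        days = GROUPS[day_words[0]]
    else:
        days = {DAYS.index(d) for d in day_words}    # ValueError on an unknown day name
    if len(right) == 2:                               # 'Saturday 15:00 to Sunday 20:00'
        if len(days) != 1:
            raise ValueError("cross-day form takes exactly one start day")
        return Periodic(days, start, _hhmm(right[1]), DAYS.index(right[0]))
    return Periodic(days, start, _hhmm(right[0]))


@dataclass
class Absolute:
    start: Optional[datetime] = None   # None means open-ended on that side
    end: Optional[datetime] = None

    def contains(self, now: datetime) -> bool:
        return (self.start is None or now >= self.start) and (self.end is None or now <= self.end)


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Absolute] = None
    periodic: List[Periodic] = field(default_factory=list)

    def add_periodic(self, text: str) -> None:
        self.periodic.append(parse_periodic(text))

    def state(self, now: datetime) -> str:
        """'empty' (situation 1), otherwise 'active' or 'inactive' at the given moment."""
        if self.absolute is None and not self.periodic:
            return "empty"
        abs_ok = self.absolute is None or self.absolute.contains(now)
        per_ok = not self.periodic or any(p.contains(now) for p in self.periodic)
        return "active" if abs_ok and per_ok else "inactive"


def state_at(tr: TimeRange, year: int, month: int, day: int, hour: int, minute: int) -> str:
    return tr.state(datetime(year, month, day, hour, minute))


def build_demo() -> List[TimeRange]:
    """Constructed entries modelled on the x / y / z ranges in the output above, plus w."""
    x = TimeRange("x")
    x.add_periodic("weekdays 09:00 to 18:00")
    y = TimeRange("y")
    z = TimeRange("z")
    for entry in ("daily 12:00 to 13:00",
                  "Monday Thursday Friday 08:00 to 09:00",
                  "Saturday 15:00 to Sunday 20:00"):
        z.add_periodic(entry)
    w = TimeRange("w", absolute=Absolute(end=datetime(2016, 3, 1)))   # expired absolute window
    w.add_periodic("weekdays 09:00 to 18:00")
    return [x, y, z, w]


if __name__ == "__main__":
    now = datetime(2016, 3, 4, 13, 16)   # the sample moment; the calendar makes this date a Friday
    for tr in build_demo():
        print(f"time-range entry: {tr.name} ({tr.state(now)})")
```

Range w shows the failure mode to watch for: its periodic entry matches every working day, but the expired absolute window keeps it inactive, so an ACL bound to it is no longer enforced.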