User's Manual
XGS3-24042 / XGS3-24242
24-Port Gigabit with 4 Optional 10G slots Layer 3 Managed Stackable Switch
Trademarks
Copyright © PLANET Technology Corp. 2012. Contents subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Content (partial)
CHAPTER 1 INTRODUCTION  1-1
1.1 PACKET CONTENTS  1-1
1.2 PRODUCT DESCRIPTION  1-1
1.3 PRODUCT FEATURES
4.4.4 SNMP Configuration  4-8
4.4.5 Typical SNMP Configuration Examples  4-11
4.4.6 SNMP Troubleshooting  4-12
4.5 SWITCH UPGRADE
10.3 ULDP FUNCTION TYPICAL EXAMPLES  10-4
10.4 ULDP TROUBLESHOOTING  10-5
CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION  11-1
11.1 INTRODUCTION TO LLDP FUNCTION  11-1
15.3.1 Introduction to Dot1q-tunnel  15-11
15.3.2 Dot1q-tunnel Configuration  15-12
15.3.3 Typical Applications of the Dot1q-tunnel  15-12
15.3.4 Dot1q-tunnel Troubleshooting
18.1.2 QoS Implementation  18-2
18.1.3 Basic QoS Model  18-2
18.2 QOS CONFIGURATION TASK LIST  18-7
18.3 QOS EXAMPLE
22.4 URPF  22-43
22.4.1 Introduction to URPF  22-43
22.4.2 URPF Configuration Task Sequence  22-44
22.4.3 URPF Typical Example
27.3 GRATUITOUS ARP CONFIGURATION EXAMPLE  27-62
27.4 GRATUITOUS ARP TROUBLESHOOTING  27-62
CHAPTER 28 KEEPALIVE GATEWAY CONFIGURATION  28-63
28.1 INTRODUCTION TO KEEPALIVE GATEWAY  28-63
32.4 DHCPV6 OPTION37, 38 TROUBLESHOOTING  32-15
CHAPTER 33 DHCP SNOOPING CONFIGURATION  33-1
33.1 INTRODUCTION TO DHCP SNOOPING  33-1
33.2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE  33-2
37.3.1 Typical RIPng Examples  37-7
37.3.2 RIPng Aggregation Route Function Typical Examples  37-8
37.4 RIPNG TROUBLESHOOTING  37-9
CHAPTER 38 OSPF
42.3 IPV6 BLACK HOLE ROUTING CONFIGURATION TASK  42-1
42.4 BLACK HOLE ROUTING CONFIGURATION EXAMPLES  42-2
42.5 BLACK HOLE ROUTING TROUBLESHOOTING  42-3
CHAPTER 43 GRE TUNNEL CONFIGURATION  43-5
48.1 IPV4 MULTICAST PROTOCOL OVERVIEW  48-1
48.1.1 Introduction to Multicast  48-1
48.1.2 Multicast Address  48-1
48.1.3 IP Multicast Packet Transmission
48.9 IGMP  48-41
48.9.1 Introduction to IGMP  48-41
48.9.2 IGMP Configuration Task List  48-43
48.9.3 IGMP Configuration Examples
49.6.2 MLD Configuration Task List  49-25
49.6.3 MLD Typical Application  49-26
49.6.4 MLD Troubleshooting Help  49-27
49.7 MLD SNOOPING
53.2 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION TASK SEQUENCE  53-2
53.3 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP TYPICAL EXAMPLES  53-4
53.4 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP TROUBLESHOOTING HELP
CHAPTER 59 VLAN-ACL CONFIGURATION  59-1
59.1 INTRODUCTION TO VLAN-ACL  59-1
59.2 VLAN-ACL CONFIGURATION TASK LIST  59-1
59.3 VLAN-ACL CONFIGURATION EXAMPLE  59-3
65.1 INTRODUCTION TO VRRPV3  65-1
65.1.1 The Format of VRRPv3 Message  65-2
65.1.2 VRRPv3 Working Mechanism  65-3
65.2 VRRPV3 CONFIGURATION
70.3 TYPICAL EXAMPLES OF RSPAN  70-4
70.4 RSPAN TROUBLESHOOTING  70-7
CHAPTER 71 SFLOW CONFIGURATION  71-1
71.1 INTRODUCTION TO SFLOW
76.7 SYSTEM LOG  76-3
76.7.1 System Log Introduction  76-3
76.7.2 System Log Configuration  76-5
76.7.3 System Log Configuration Example
81.3.1 Create BGP MPLS VPN between PE-CE via EBGP  81-41
81.3.2 Create BGP MPLS VPN between PE-CE via OSPF  81-46
81.3.3 Create BGP MPLS VPN between PE-CE via RIP  81-49
81.3.4 Create BGP MPLS VPN between PE-CE via Static Routes  81-52
81.4 MPLS BGP VPN TROUBLESHOOTING
Chapter 1 Introduction
The PLANET XGS3-24042 / XGS3-24242 is a 24-Port Gigabit Layer 3 Managed Stackable Switch with 4 optional 10G slots. It boasts a high-performance switch architecture capable of providing a non-blocking switch fabric and wire-speed throughput as high as 128Gbps. Its two optional 2-Port 10Gbps SFP+ uplink module slots also offer extensibility, flexibility and connectivity to the core switch or servers.
Support 10Gb Ethernet
10Gb Ethernet, which adopts full-duplex technology instead of the low-speed, half-duplex CSMA/CD protocol, is a big leap in the evolution of Ethernet. 10Gb Ethernet can be deployed in star or ring topologies. With 10Gb Ethernet, the XGS3 switch provides broad bandwidth and powerful processing capacity, making it suitable for metropolitan and wide area networks. Using the XGS3 switch, users can simplify network structures and reduce the cost of network construction.
1.3 Product Features
Physical Port
XGS3-24042
− 24-Port 10/100/1000Base-T RJ-45 copper
− 4 100/1000Base-X mini-GBIC/SFP slots, shared with Port-21 to Port-24
− 2 10GbE module slots, supporting up to 4 10G SFP+ transceivers
− 1 RJ-45 serial console interface for basic switch management and setup
XGS3-24242
− 24 100/1000Base-X mini-GBIC/SFP slots
− 12-Port 10/100/1000Base-T RJ-45 copper, shared with Port-13 to Port-24
− IEEE 802.1Q Tagged VLAN
− Up to 4K VLAN groups, out of 4096 VLAN IDs
− Provider Bridging (VLAN Q-in-Q) support (IEEE 802.1ad)
− GVRP protocol for VLAN management
− Private VLAN Edge (PVE)
− Voice VLAN
− MAC-based VLAN
− Protocol-based VLAN
Support Spanning Tree Protocol
− STP, IEEE 802.1d (Spanning Tree Protocol)
− RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol)
− MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN)
− Root Guard
− BPDU Guard
Support Link Aggregation
− 802.
− WEB-based, Telnet, Console Command Line management
− SSH (Secure Shell), SSL
− Access through SNMPv1, v2c and v3 security set and get requests
Flow Control: Back pressure for Half-Duplex
Jumbo Frame: 9Kbytes
LED, System: Power, SYS diagnostic, Redundant Power, Alert Malfunction
LED, Ports: 10/100/1000 Link/Act, SFP+ Link/Act
Dimension (W x D x H): 440 x 325 x 44.5mm, 1U height
Weight: 4.3kg
Power Requirement: 100~240V AC, 50/60Hz, auto-sensing
− MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN)
− Root Guard
− BPDU Guard
Link Aggregation
− Static Trunk
− IEEE 802.3ad LACP
− Supports 128 groups of 8-Port trunk
QoS
− Traffic classification based, Strict priority and WRR 8-level priority for switching
− Port Number
− 802.
LLDP MAU-MIB
Management Function
− System Configuration: Console, Telnet, SSH, Web Browser, SSL, SNMPv1, v2c and v3 Management
− Supports IPv4/IPv6 HTTP and SSL
− Supports user IP security inspection for IPv4/IPv6
− SNMP: supports MIB and TRAP
− Supports IPv4/IPv6 FTP/TFTP
− Supports IPv4/IPv6 NTP
− Supports RMON groups 1, 2, 3 and 9
− Supports RADIUS authentication of IPv4/IPv6 Telnet user name and password
− Supports IPv4/IPv6 SSH
− User privilege levels can be assigned through the RADIUS server's shell management
Chapter 2 INSTALLATION This section describes the hardware features and installation of the Managed Switch on a desktop or in a rack. For easier management and control of the Managed Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter display the unit's LED indicators. Before connecting any network device to the Managed Switch, please read this chapter completely. 2.1 Hardware Description
2.1.2 LED Indications
The front panel LEDs indicate the instant status of port links, data activity, system operation, stack status and system power, which helps with monitoring and troubleshooting when needed.
XGS3-24042 LED indication
Figure 2-1-3 XGS3-24042 LED panel
■ System
PWR (Green): Lights to indicate that the Switch has power. Off: Power is off.
SYS (Green): Lights to indicate that the system is operating normally. Blinks to indicate that the system is loading.
■ 10/100/1000Base-T and SFP interfaces
LNK/ACT (Red): Lights to indicate that the link through that port is successfully established at 100Mbps. Blinks to indicate that the switch is actively sending or receiving data over that port.
LNK/ACT (Green): Lights to indicate that the link through that port is successfully established at 1000Mbps. Blinks to indicate that the switch is actively sending or receiving data over that port.
■ 10/100/1000Base-T and SFP interfaces
LNK/ACT (Green): Lights to indicate that the link through that port is successfully established. Blinks to indicate that the switch is actively sending or receiving data over that port.
2.1.3 Switch Rear Panel The rear panel of the Managed Switch has an AC inlet power socket, which accepts input power from 100 to 240V AC, 50-60Hz.
2.2 Install the Switch This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. 2.2.1 Desktop Installation To install the Managed Switch on a desktop or shelf, please follow these steps: Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch.
Connection to the Managed Switch requires UTP Category 5 network cabling with RJ-45 tips. For more information, please see the Cabling Specification in Appendix A. Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable to a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid Green.
Figure 2-2-3 Mounting XGS3-24042 in a Rack Step 6: Proceed with steps 4 and 5 of section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch. 2.2.3 Installing the SFP transceiver This section describes how to insert an SFP transceiver into an SFP slot. The SFP transceivers are hot-pluggable and hot-swappable. You can plug the transceiver into or out of any SFP port without having to power down the Managed Switch, as Figure 2-2-4 shows.
Approved PLANET SFP Transceivers The PLANET Managed Switch supports both single-mode and multi-mode SFP transceivers.
management interface of the switch/converter (if available) to disable the port in advance. 2. Remove the fiber optic cable gently. 3. Turn the handle of the MGB module to horizontal. 4. Pull out the module gently by the handle. Figure 2-22 Pull out the SFP transceiver Never pull out the module without pulling the handle or the push bolts on the module. Pulling the module out forcibly could damage the module and the SFP module slot of the Managed Switch.
Chapter 3 Switch Management 3.1 Management Options After purchasing the switch, the user needs to configure the switch for network management. Switch provides two management options: in-band management and out-of-band management. 3.1.1 Out-Of-Band Management Out-of-band management is the management through Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Figure 3-2 Opening Hyper Terminal 2) Type a name for opening HyperTerminal, such as “Switch”. Figure 3-3 Opening HyperTerminal 3) In the “Connecting using” drop-list, select the RS-232 serial port used by the PC, e.g. COM1, and click “OK”.
Figure 3-4 Opening HyperTerminal 4) The COM1 properties dialog appears; select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for stop bit and “none” for traffic control; or click “Restore default” and then click “OK”. Figure 3-5 Opening HyperTerminal Step 3: Entering the switch CLI interface Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode of the switch.
Testing RAM...
0x077C0000 RAM OK
Loading MiniBootROM...
Attaching to file system ...
Loading nos.img ... done.
Booting......
Starting at 0x10000...
Attaching to file system ...
……
--- Performing Power-On Self Tests (POST) ---
DRAM Test....................PASS!
PCI Device 1 Test............PASS!
FLASH Test...................PASS!
FAN Test.....................PASS!
Done All Pass.
The following describes the steps for a Telnet client to connect to the switch’s VLAN1 interface by Telnet (IPv4 address example): Figure 3-6 Manage the switch by Telnet Step 1: Configure the IP addresses for the switch and start the Telnet Server function on the switch. First is the configuration of the host IP address. This should be within the same network segment as the switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is 10.1.128.251/24.
Figure 3-7 Run the telnet client program included in Windows Step 3: Log in to the switch. Log in to the Telnet configuration interface. A valid login name and password are required, otherwise the switch will reject Telnet access. This is a method to protect the switch from unauthorized access.
3.1.2.2 Management via HTTP To manage the switch via HTTP, the following conditions should be met: 1) Switch has an IPv4/IPv6 address configured; 2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment; 3) If 2) is not met, HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router.
When Telnet is enabled for configuring and managing the switch, a username and password for each authorized Telnet user must be configured with the following command: username privilege [password (0|7) ]. To enable local authentication, use the following command: authentication line web login local. The privilege option is required and must be 15.
Figure 3-11 Main Web Configuration Interface When configuring the switch, the name of the switch must be composed of English letters.
3.2 CLI Interface The switch provides three management interfaces for users: the CLI (Command Line Interface), the Web interface, and SNMP network management software. We will introduce the CLI interface and the Web configuration interface in detail. The Web interface offers the same functions as the CLI interface and will not be covered separately; please refer to the “Snmp network management software user manual”. The CLI interface is familiar to most users.
3.2.1.1 User Mode On entering the CLI interface, the user first enters the user entry system. A common user is defaulted to User Mode. The prompt shown is “Switch>”; the symbol “>” is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode. Under User Mode, no configuration of the switch is allowed; only the clock time and version information of the switch can be queried.
3.2.1.3 Global Mode Typing the config command under Admin Mode enters Global Mode, with the prompt “Switch(config)#”. Using the exit command under other configuration modes, such as Port Mode or VLAN Mode, returns to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP, etc., and can go further into Port Mode for configuration of all the interfaces.
ACL Mode
Standard IP ACL Mode
  Entry: Type the ip access-list standard command under Global Mode.
  Operates: Configure parameters for Standard IP ACL.
  Exit: Use the exit command to return to Global Mode.
Extended IP ACL Mode
  Entry: Type the ip access-list extended command under Global Mode.
  Operates: Configure parameters for Extended IP ACL.
  Exit: Use the exit command to return to Global Mode.
3.2.2 Configuration Syntax
Switch provides various configuration commands.
Ctrl+n: The same as Down key “↓”.
Ctrl+b: The same as Left key “←”.
Ctrl+f: The same as Right key “→”.
Ctrl+z: Return to the Admin Mode directly from the other configuration modes (except User Mode).
Ctrl+c: Break the ongoing command process, such as ping or other command execution.
Tab: When a string for a command or keyword is entered, the Tab can be used to complete the command or keyword if there is no conflict.
Please configure precursor command "*" at first!: The command is recognized, but the prerequisite command has not been configured.
syntax error : missing '"' before the end of command line!: Quotation marks are not used in pairs.
3.2.6 Fuzzy Match Support
The switch shell supports fuzzy match when searching commands and keywords. The shell will recognize commands or keywords correctly if the entered string causes no conflict.
Chapter 4 Basic Switch Configuration
4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Normal User Mode / Admin Mode
enable / disable: The user uses the enable command to step into admin mode from normal user mode. The disable command is for exiting admin mode.
4.2 Telnet Management 4.2.1 Telnet 4.2.1.1 Introduction to Telnet Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user’s keystrokes to the remote host and the remote host’s output to the user’s screen through a TCP connection. This is a transparent service: to the user, the keyboard and monitor seem to be connected to the remote host directly.
authentication ip access-class {|} / no authentication ip access-class: Bind a standard IP ACL to login via Telnet/SSH/Web; the no form of the command cancels the bound ACL.
authentication ipv6 access-class {|} / no authentication ipv6 access-class: Bind a standard IPv6 ACL to login via Telnet/SSH/Web; the no form of the command cancels the bound ACL.
authentication line {console | vty | web} login {local | radius | tacacs}: Configure the telnet authentication mode.
Global Mode
ssh-server enable / no ssh-server enable: Enable the SSH function on the switch; the “no ssh-server enable” command disables the SSH function.
ssh-user password {0 | 7} / no ssh-user: Configure the username and password of the SSH client software for logging on to the switch; the “no ssh-user” command deletes the username.
ssh-server timeout / no ssh-server timeout
4.3 Configure Switch IP Addresses All Ethernet ports of the switch default to Data Link layer ports and perform layer 2 forwarding. A VLAN interface represents a Layer 3 interface which can be assigned an IP address, which is also the IP address of the switch. All VLAN interface related configuration commands can be configured under VLAN Mode.
3. BOOTP configuration
VLAN Port Mode
ip bootp-client enable / no ip bootp-client enable: Enable the switch to be a BootP client and obtain an IP address and gateway address through BootP negotiation; the “no ip bootp-client enable” command disables the BootP client function.
Get-Bulk-Request Set-Request Trap Inform-Request NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages; and the Agent, upon receiving the requests, replies with Get-Response message. On some special situations, like network device ports are on Up/Down status or the network topology changes, Agents can send Trap messages to NMS to inform the abnormal events.
In this figure, the OID of the object A is 1.2.1.1. NMS can locate this object through this unique OID and gets the standard variables of the object. MIB defines a set of standard variables for monitored network devices by following this structure. If the variable information of Agent MIB needs to be browsed, the MIB browse software needs to be run on the NMS. MIB in the Agent usually consists of public MIB and private MIB.
3. Configure IP address of SNMP management base
4. Configure engine ID
5. Configure user
6. Configure group
7. Configure view
8. Configure TRAP
9. Enable/Disable RMON
1. Enable or disable SNMP Agent server function
Global Mode
snmp-server enabled / no snmp-server enabled: Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.
Global Mode
snmp-server engineid / no snmp-server engineid: Configure the local engine ID on the switch. This command is used for SNMP v3.
5. Configure user
Global Mode
snmp-server user [{authPriv | authNoPriv} auth {md5 | sha} ] [access {|}] [ipv6-access {|}]: Add a user to an SNMP group. This command is used to configure USM for SNMP v3.
Global Mode
snmp-server enable traps / no snmp-server enable traps: Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3.
snmp-server host { | } {v1 | v2c | {v3 {noauthnopriv: Set the host IPv4/IPv6 address which is used to receive SNMP Trap information.
Scenario 3: NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server
Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include
Scenario 4: NMS wants to receive the v3 Trap messages sent by the switch.
The switch must have the SNMP Agent server function enabled (use the “snmp-server” command). The secure IP for the NMS (use the “snmp-server securityip” command) and the community string (use the “snmp-server community” command) must be correctly configured; if either is wrong, SNMP will not be able to communicate with the NMS properly. If the Trap function is required, remember to enable Trap (use the “snmp-server enable traps” command).
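Added example (written for this edition, not PLANET's code): a small Python audit that reads a saved switch configuration and flags the weak management-plane settings discussed in 4.2 (Telnet/SSH login, ACL binding, type 0 versus type 7 passwords) and 4.4 (SNMP community strings, SNMPv3 user security level and authentication hash). The sample configuration is constructed, and the argument order assumed for the username and snmp-server user commands follows the manual's command summaries rather than a captured running-config.

```python
"""Audit a saved switch configuration for weak management-plane settings.

Added example, not PLANET code. It scans a text dump of the configuration
for: user passwords stored as type 0 (cleartext) instead of type 7,
SNMPv1/v2c community strings, SNMPv3 users configured authNoPriv or with
MD5 authentication, remote login with no ACL bound through
'authentication ip access-class', and SSH not enabled.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration (not captured from a real switch).
SAMPLE_CONFIG = """\
!
hostname Switch
username admin privilege 15 password 0 admin123
username ops privilege 15 password 7 3a1f9c0b8e
authentication line vty login local
authentication line web login local
ssh-server enable
snmp-server enabled
snmp-server community public ro
snmp-server user tester UserGroup authPriv auth md5 hellotst
snmp-server user auditor UserGroup authPriv auth sha long-pass-phrase
snmp-server securityip 10.1.1.5
!
"""


@dataclass(frozen=True)
class Finding:
    line_no: int      # 0 for whole-configuration findings
    severity: str
    message: str


# Command forms from chapter 4; the exact argument order is an assumption.
_USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+\d+\s+password\s+(0|7)\s+\S+")
_COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(\S+)")
_V3_USER_RE = re.compile(
    r"^snmp-server\s+user\s+(\S+)\s+\S+\s+(authPriv|authNoPriv)\s+auth\s+(md5|sha)"
)


def audit_config(text: str) -> list[Finding]:
    """Return findings for one configuration dump, per-line checks first."""
    findings: list[Finding] = []
    lines = [line.strip() for line in text.splitlines()]
    for n, line in enumerate(lines, 1):
        m = _USER_RE.match(line)
        if m and m.group(2) == "0":
            findings.append(Finding(n, "high",
                f"user '{m.group(1)}' password stored as type 0 (cleartext)"))
        m = _COMMUNITY_RE.match(line)
        if m:
            findings.append(Finding(n, "high",
                f"SNMPv1/v2c community '{m.group(1)}' configured (no authentication or encryption)"))
        m = _V3_USER_RE.match(line)
        if m:
            if m.group(2) == "authNoPriv":
                findings.append(Finding(n, "medium",
                    f"SNMPv3 user '{m.group(1)}' has no privacy (authNoPriv)"))
            if m.group(3) == "md5":
                findings.append(Finding(n, "low",
                    f"SNMPv3 user '{m.group(1)}' uses MD5 authentication; prefer sha"))
    # Whole-configuration checks: remote login without an ACL, and no SSH.
    remote_login = any(l.startswith(("authentication line vty", "authentication line web"))
                       for l in lines)
    acl_bound = any(l.startswith(("authentication ip access-class",
                                  "authentication ipv6 access-class")) for l in lines)
    if remote_login and not acl_bound:
        findings.append(Finding(0, "medium",
            "Telnet/SSH/Web login enabled with no 'authentication ip access-class' ACL bound"))
    if "ssh-server enable" not in lines:
        findings.append(Finding(0, "medium",
            "SSH server not enabled; remote CLI access would be Telnet only"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
```

On the sample the audit reports the cleartext admin password, the v2c community, the MD5-authenticated v3 user and the missing login ACL; the type 7 user, the SHA user and the enabled SSH server produce nothing.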
Figure 4-2 Typical topology for switch upgrade in BootROM mode The upgrade procedures are listed below: Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch. The PC should have FTP/TFTP server software installed and have the image file required for the upgrade. Step 2: Press “ctrl+b” during switch boot-up until the switch enters BootROM monitor mode.
file.
[Boot]: load nos.img
Loading...
Loading file ok!
Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file.
[Boot]: write nos.img
File nos.img exists, overwrite? (Y/N)?[N] y
Writing nos.img.....................................................
Write nos.img OK.
[Boot]:
Step 6: The following updates the file boot.rom; the basic environment is the same as Step 4.
[Boot]: load boot.rom
Loading…
Loading file ok!
Step 7: Execute write boot.rom in BootROM mode.
Step 9: Execute write flash:/config.rom in BootROM mode. The following saves the update file.
[Boot]: write flash:/config.rom
File exists, overwrite? (Y/N)[N] y
Writing flash:/config.rom...
Write flash:/config.rom OK.
[Boot]:
Step 10: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)
Other commands in BootROM mode
1. DIR command: Used to list existing files in the FLASH.
There are two types of data connections: active connection and passive connection. In an active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until the data transfer is complete.
To prevent illicit file upload and to simplify configuration, the switch mandates that the start-up configuration file be named startup-config. Running configuration file: refers to the running configuration sequence in use in the switch. In the switch, the running configuration file is stored in RAM.
copy [ascii | binary]: FTP/TFTP client upload/download file.
(2) For FTP client, server file list can be checked.
Admin Mode
ftp-dir: For FTP client, the server file list can be checked. The FtpServerUrl format looks like: ftp://user:password@IPv4|IPv6 Address.
tftp-server enable / no tftp-server enable: Start the TFTP server; the no command shuts down the TFTP server and prevents TFTP users from logging in.
(2) Modify TFTP server connection idle time
Global Mode
tftp-server retransmission-timeout: Set the maximum retransmission time within the timeout interval.
(3) Modify TFTP server connection retransmission count
Global Mode
tftp-server retransmission-number: Set the number of retransmissions for the TFTP server.
Place the “12_30_nos.img” file in the appropriate FTP server directory on the computer. The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img
With the above commands, the switch will have the “nos.img” file from the computer downloaded to the FLASH.
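Added example (not PLANET's code): Python helpers that parse the FtpServerUrl form given in 4.5.3.1 (ftp://user:password@IPv4|IPv6 Address) and the copy command shown above, produce a log-safe form of the URL with the password removed, and reject a destination file name containing directory-traversal segments. The bracketed IPv6 form, the percent-encoded password and the sample URLs are constructed for the example; the switch's own parser is not documented on this page.

```python
"""Parse the FtpServerUrl used by the switch's 'copy' command and redact it.

Added example, not PLANET code. Handles IPv4 and bracketed IPv6 hosts,
an optional port, and percent-encoded credentials, so that credentials
embedded in a copy command are never written to a log verbatim.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class FtpTarget:
    user: str
    password: str
    host: str      # IPv4 address, or IPv6 address without the enclosing brackets
    port: int
    path: str


def parse_ftp_url(url: str) -> FtpTarget:
    """Split ftp://user:password@host[:port]/path into its components."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("FtpServerUrl has no host")
    return FtpTarget(
        user=unquote(parts.username or "anonymous"),
        password=unquote(parts.password or ""),
        host=parts.hostname,          # brackets stripped, IPv6 literal kept
        port=parts.port or 21,        # FTP control port when none is given
        path=parts.path or "/",
    )


def redact_ftp_url(url: str) -> str:
    """Return the URL with the password replaced by '***', suitable for logging."""
    t = parse_ftp_url(url)
    host = f"[{t.host}]" if ":" in t.host else t.host   # re-bracket IPv6
    shown_pw = ":***" if t.password else ""
    return f"ftp://{t.user}{shown_pw}@{host}:{t.port}{t.path}"


def parse_copy_command(cmd: str) -> tuple[FtpTarget, str]:
    """Split 'copy <FtpServerUrl> <local-file> [ascii | binary]'.

    The switch keeps files in FLASH (optionally written as 'flash:/name'),
    so a destination containing a '..' segment is rejected as suspicious.
    """
    tokens = cmd.split()
    if len(tokens) < 3 or tokens[0] != "copy":
        raise ValueError("expected: copy <FtpServerUrl> <local-file> [ascii | binary]")
    target = parse_ftp_url(tokens[1])
    dest = tokens[2]
    if ".." in dest.split("/"):
        raise ValueError(f"destination must not contain '..': {dest!r}")
    return target, dest


if __name__ == "__main__":
    # Constructed command matching the form shown in the manual's scenario.
    cmd = "copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img"
    target, dest = parse_copy_command(cmd)
    print(target.host, target.path, "->", dest)
    print(redact_ftp_url(cmd.split()[1]))
```

The redacted form keeps user, host, port and path so a transfer can still be traced in logs, while the FTP password, which travels in cleartext on the wire anyway, is not duplicated into log storage.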
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#tftp-server enable
Computer side configuration: Log in to the switch with any TFTP client software and use the “tftp” command to download the “nos.img” file from the switch to the computer.
Scenario 4: Switch acts as FTP client to view the file list on the FTP server.
4.5.3.4 FTP/TFTP Troubleshooting 4.5.3.4.1 FTP Troubleshooting When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover link connectivity. The following is the message displayed when files are successfully transferred.
When uploading/downloading a system file with the TFTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover link connectivity. The following is the message displayed when files are successfully transferred. Otherwise, please verify link connectivity and retry the “copy” command. nos.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files on FLASH can be copied, deleted or renamed in Shell or Bootrom mode.
5.2 File System Operation Configuration Task List
1. The formatting operation of storage devices
2.
directory on a certain device.
4. Changing the current working directory of the storage device
Command (Admin Configuration Mode) / Explanation
cd: Change the current working directory of the storage device.
5. The display operation of the current working directory
Command (Admin Configuration Mode) / Explanation
pwd: Display the current working directory.
6.
5.3 Typical Applications
Copy the IMG file flash:/nos.img stored in the FLASH on the board card to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
5.
Chapter 6 Cluster Configuration
6.1 Introduction to cluster network management
Cluster network management is an in-band configuration management method. Unlike CLI, SNMP and Web Config, which implement direct management of the target switches through a management workstation, cluster network management implements direct management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches.
5) Clear the list of candidate switches maintained by the switch
4. Configure attributes of the cluster in the candidate switch
1) Set the time interval of keep-alive messages of the cluster
2) Set the max number of lost keep-alive messages that can be tolerated in the cluster
5. Remote cluster network management
1) Remote configuration management
2) Remotely upgrade member switch
3) Reboot member switch
6. Manage cluster network with web
1) Enable http
7. Manage cluster network with snmp
1) Enable snmp ser
cluster keepalive loss-count / no cluster keepalive loss-count: Set the max number of lost keep-alive messages that can be tolerated in the cluster.
Command (Admin mode) / Explanation
clear cluster nodes [nodes-sn | mac-address ]: Clear nodes in the list of candidate switches maintained by the switch.
4.
ip http server: Enable the HTTP function in the commander switch and member switch. Notice: the HTTP function must be enabled in the member switch when the commander switch accesses the member switch by web. The commander switch accesses the member switch through the corresponding member node in the cluster topology.
7. Manage cluster network with snmp
Command (Global Mode) / Explanation
Enable the SNMP server function in the commander switch and member switch.
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.4
Switch(config)#cluster commander 5526
Switch(config)#cluster auto-add
2. Configure the member switches
Configuration of SW2-SW4:
Switch(config)#cluster run
6.4 Cluster Administration Troubleshooting
When encountering problems in applying cluster administration, please check the following possible causes: whether the commander switch is correctly configured and the auto-add function (cluster auto-add) is enabled.
Chapter 7 Port Configuration
7.1 Introduction to Port
XGS3-24042 switches contain cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where the port parameter stands for one or more ports.
Command (Port Mode) / Explanation
combo-forced-mode {copper-forced | copper-preferred-auto | sfp-forced | sfp-preferred-auto}: Sets the combo port mode (combo ports only).
shutdown / no shutdown: Enables/disables the specified ports.
name / no name: Names or cancels the name of the specified ports.
mdi {auto | across | normal} / no mdi: Sets the cable type for the specified port; this command is not supported by the combo ports and fiber ports of the switch.
rate-violation <200-2000000> [recovery <0-86400>|] / no rate-violation: Set the max packet reception rate of a port. If the rate of received packets violates the configured reception rate, the port is shut down and recovers after the configured recovery time; the default is 300s. The no command disables the rate-violation function of the port.
Command (Global Mode) / Explanation
port-rate-statistics interval []
3.
The configurations are listed below:
Switch1:
Switch1(config)#interface ethernet 1/0/7
Switch1(Config-If-Ethernet1/0/7)#bandwidth control 50 both
Switch2:
Switch2(config)#interface ethernet 1/0/9
Switch2(Config-If-Ethernet1/0/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/0/9)#exit
Switch2(config)#interface ethernet 1/0/10
Switch2(Config-If-Ethernet1/0/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/0/10)#exit
Switch2(config)#monitor session 1 source interface ethernet1/0/8;1/0/9
Switc
Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function that works between ports and isolates the traffic of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN, which saves VLAN resources and enhances network security.
3. Specify the flow to be isolated
Command (Global Mode) / Explanation
isolate-port apply []: Apply the port isolation configuration to isolate layer-2 flows, layer-3 flows or all flows.
4. Display the configuration of port isolation
Command (Admin Mode and Global Mode) / Explanation
show isolate-port group [ ]: Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.
8.
between any downlink port and a specified uplink port is normal. The uplink port can communicate with any port normally.
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which creates urgent demands for both Internet access and internal layer-2 interworking.
1. Configure the time interval of loopback detection
Command (Global Mode) / Explanation
loopback-detection interval-time / no loopback-detection interval-time: Configure the time interval of loopback detection.
2. Enable the function of port loopback detection
Command (Port Mode) / Explanation
loopback-detection specified-vlan / no loopback-detection specified-vlan: Enable and disable the function of port loopback detection.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
Command (Global Mode) / Explanation
loopback-detection control-recovery timeout <0-3600>: Configure the loopback-detection control mode (automatic recovery enabled or not) and the recovery time.
9.
If the block control method is adopted, MSTP must be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN must be configured:
Switch(config)#spanning-tree
Switch(config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#
9.
Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common error state of a link in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally, the checking mechanism of the physical layer cannot find the communication problems between the devices.
mentioned above. In a switch connected via fibers or copper Ethernet cable (such as Category 5e twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it sends warnings to users and can disable the port automatically or manually according to the user's configuration. The ULDP of the switch recognizes remote devices and checks the correctness of link connections by exchanging ULDP messages.
Command (Global configuration mode) / Explanation
uldp aggressive-mode / no uldp aggressive-mode: Set the global working mode.
4. Configure aggressive mode on a port
Command (Port configuration mode) / Explanation
uldp aggressive-mode / no uldp aggressive-mode: Set the working mode of the port.
5. Configure the method to shut down unidirectional links
Command (Global configuration mode) / Explanation
uldp manual-shutdown / no uldp manual-shutdown: Configure the method to shut down unidirectional links.
6.
Command (Admin mode) / Explanation
show uldp [interface ethernet IFNAME]: Display ULDP information. With no parameter, global ULDP information is displayed; with a port specified, global information and the neighbor information of that port are displayed.
debug uldp fsm interface ethernet / no debug uldp fsm interface ethernet: Enable or disable the debug switch for state machine transition information on the specified port.
connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of link error state. The final result is that ports g1/0/1 and g1/0/2 of SWITCH A and ports g1/0/3 and g1/0/4 of SWITCH B are all shut down by ULDP. Only when the connection is correct can the ports work normally (they won't be shut down).
the port is considered “Down”. In order to make sure that neighbors can be correctly created and unidirectional links can be correctly discovered, both ends of the link must enable ULDP and use the same authentication method and password. At present, no password is needed on either end.
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in IEEE 802.1AB. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information directly to the neighbor devices connected to them, and those neighbor devices store the information in standard SNMP MIBs.
11.2 LLDP Function Configuration Task Sequence
1. Globally enable LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the intervals of LLDP update messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of update messages
7. Configure the intervals of sending Trap messages
8. Configure to enable the Trap function of the port
9.
Command (Global Mode) / Explanation
lldp msgTxHold / no lldp msgTxHold: Configure the aging time multiplier of LLDP messages as the specified value or the default value.
6. Configure the sending delay of update messages
Command (Global Mode) / Explanation
lldp transmit delay / no lldp transmit delay: Configure the sending delay of update messages as the specified value or the default value.
7.
lldp neighbors max-num < value > / no lldp neighbors max-num: Configure the size of the space to store the Remote Table of the port as the specified value or the default value.
11. Configure the type of operation when the Remote Table of the port is full
Command (Port Configuration Mode) / Explanation
lldp tooManyNeighbors {discard | delete}: Configure the type of operation when the Remote Table of the port is full.
12.
11.3 LLDP Function Typical Example
Figure 11-1 LLDP Function Typical Configuration Example
In the network topology above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured in message-receiving-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDes and SysCap.
Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a port sequence.
should also be the same. If a Port Channel is configured manually or dynamically on the switch, the system automatically sets the port with the smallest number to be the Master Port of the Port Channel. If the spanning tree function is enabled on the switch, the spanning tree protocol regards the Port Channel as a logical port and sends BPDU frames via the master port. Port aggregation is closely related to switch hardware.
1. Summary of dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created/deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. Ports which have the same speed and duplex attributes, are connected to the same device and have the same basic configuration can be dynamically aggregated together. Even a single port can create a dynamic aggregation, which is called single port aggregation.
2. Add physical ports to the port group
Command (Port Mode) / Explanation
port-group mode {active | passive | on} / no port-group: Add the ports to the port group and set their mode.
3. Enter port-channel configuration mode
Command (Global Mode) / Explanation
interface port-channel: Enter port-channel configuration mode.
4.
12.4 Port Channel Examples
Scenario 1: Configuring Port Channel in LACP.
Figure 12-2 Configuring Port Channel in LACP (S1 and S2)
The switches in the description below are all of this switch model. As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in active mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in passive mode. All the ports should be connected with cables.
Scenario 2: Configuring Port Channel in ON mode.
Figure 12-3 Configuring Port Channel in ON mode (S1 and S2)
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in “on” mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in “on” mode.
Configuration result: Add ports 1, 2, 3, 4 of S1 to port-group1 in order, and we can see that a group in “on” mode is joined forcibly; the switch at the other end won't exchange LACP PDUs to complete the aggregation.
Chapter 13 Jumbo Configuration
13.1 Introduction to Jumbo
So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames with a length of 1519 to 9000 bytes should be considered jumbo frames. Networks with jumbo frames increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch. However, considering the length of Jumbo frames, they will not be sent to the CPU.
Chapter 14 EFM OAM Configuration
14.1 Introduction to EFM OAM
Ethernet was designed for the Local Area Network at the beginning, but link length and network scope have extended rapidly as Ethernet is also applied to the Metropolitan Area Network and Wide Area Network. Due to the lack of an effective management mechanism, Ethernet's application to the Metropolitan Area Network and Wide Area Network is affected, so implementing OAM on Ethernet has become a necessary development trend.
need to wait until it receives the connection request. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs continuously to keep the valid Ethernet OAM connection. If an Ethernet OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected. 2.
4. Remote loopback testing
Remote loopback testing is available only after an Ethernet OAM connection is established. With remote loopback enabled, the Ethernet OAM entity operating in active mode issues remote loopback requests and the peer responds to them. If the peer operates in loopback mode, it returns all packets except Ethernet OAMPDUs to the senders along the original paths. Performing remote loopback testing periodically helps to detect network faults in time.
ethernet-oam mode {active | passive}: Configure the work mode of EFM OAM; the default is active mode.
ethernet-oam / no ethernet-oam: Enable EFM OAM on the port; the no command disables EFM OAM on the port.
ethernet-oam period / no ethernet-oam period: Configure the transmission period of OAMPDUs (optional); the no command restores the default value.
ethernet-oam timeout / no ethernet-oam timeout: Configure the timeout of the EFM OAM connection; the no command restores the default value.
2.
no ethernet-oam remote-failure: (failure means a critical-event or link-fault event of the local end); the no command disables the function. (optional)
ethernet-oam errored-symbol-period threshold high {high-symbols | none} / no ethernet-oam errored-symbol-period threshold high: Configure the high threshold of the errored symbol period event; the no command restores the default value.
Figure 14-3 Typical OAM application topology (CE Ethernet 1/0/1 connected to PE Ethernet 1/0/1, exchanging 802.1ah OAMPDUs)
Configuration procedure (omitting SNMP and Log configuration in the following):
Configuration on CE:
CE(config)#interface ethernet 1/0/1
CE(config-if-ethernet1/0/1)#ethernet-oam mode passive
CE(config-if-ethernet1/0/1)#ethernet-oam
CE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported
Other parameters use the default configuration.
exclusive. When OAM is enabled, the negotiation of the port is disabled automatically, so the negotiation on the peer end of the link must be disabled as well; otherwise the link connection will fail. When OAM is disabled, the negotiation of the port is restored. Therefore, to ensure that the link connection is normal, the negotiation settings must match on both ends of the link. After OAM is enabled, when the link negotiations on both ends succeed, the state is up.
Chapter 15 VLAN Configuration
15.1 VLAN Configuration
15.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
XGS3 Switch Ethernet Ports can work in three kinds of modes: Access, Hybrid and Trunk; each mode has a different processing method for forwarding tagged or untagged packets. Ports of Access type belong to only one VLAN; usually they are used to connect to the ports of computers. Ports of Trunk type allow multiple VLANs to pass and can receive and send the packets of multiple VLANs. Usually they are used to connect between switches.
3. Assigning Switch ports to a VLAN
Command (VLAN Mode) / Explanation
switchport interface / no switchport interface: Assign Switch ports to the VLAN.
4. Set the Switch Port Type
Command (Port Mode) / Explanation
switchport mode {trunk | access | hybrid}: Set the current port as a Trunk, Access or Hybrid port.
5. Set Trunk port
Command / Explanation
switchport trunk allowed vlan {WORD | all | add WORD | except WORD | remove: Set/delete the VLANs allowed to cross the Trunk.
8. Disable/Enable VLAN Ingress Rules
Command (Port Mode) / Explanation
vlan ingress enable / no vlan ingress enable: Enable/Disable VLAN ingress rules.
9. Configure Private VLAN
Command (VLAN mode) / Explanation
private-vlan {primary | isolated | community} / no private-vlan: Configure the current VLAN as a Private VLAN. The no command deletes the private VLAN.
10. Set Private VLAN association
Command (VLAN mode) / Explanation
private-vlan association: Set/delete the Private VLAN association.
Figure 15-2 Typical VLAN Application Topology (Switch A and Switch B connected by a Trunk Link, with PCs and workstations in VLAN2, VLAN100 and VLAN200 at both sites)
The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs span two different locations, A and B.
Switch(Config-Vlan200)#switchport interface ethernet 1/0/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#exit
Switch(config)#
Switch B:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vla
PC1 connects to interface Ethernet 1/0/7 of SwitchB, PC2 connects to interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB. It is required that PC1 and PC2 cannot access each other for security reasons, but both PC1 and PC2 can access other network resources through the gateway SwitchA. This can be implemented with Hybrid ports.
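The three port modes of 15.1 and the Hybrid-port requirement above, as an added Python model that is not part of the manual: it assumes a simple 802.1Q ingress/egress rule set, and the PVIDs and per-port VLAN lists are constructed (the manual's own commands for this scenario are not in this excerpt), so it shows why PC1 and PC2 reach the gateway but not each other.

```python
"""Added example, not code from the PLANET manual: a model of how Access,
Trunk and Hybrid ports handle tagged and untagged frames, applied to the
PC1/PC2/gateway Hybrid-port scenario. Port numbers, PVIDs and VLAN lists
are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access", "trunk" or "hybrid"
    pvid: int                          # VLAN assigned to untagged ingress frames
    tagged: frozenset = frozenset()    # VLANs sent with a tag on egress
    untagged: frozenset = frozenset()  # VLANs sent without a tag on egress

    def member_vlans(self) -> frozenset:
        return self.tagged | self.untagged | {self.pvid}


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the frame is dropped.

    vid is the 802.1Q VLAN ID carried by the frame, or None if untagged.
    An access port belongs to one VLAN only; trunk and hybrid ports apply
    ingress filtering against their member VLAN list (assumed behaviour)."""
    if vid is None:
        return port.pvid
    if port.mode == "access":
        return port.pvid if vid == port.pvid else None
    return vid if vid in port.member_vlans() else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """Return "tagged" or "untagged" if the port may send the VLAN, else None."""
    if port.mode == "access":
        return "untagged" if vlan == port.pvid else None
    if port.mode == "trunk":
        # trunk: the native VLAN leaves untagged, other allowed VLANs leave tagged
        if vlan == port.pvid:
            return "untagged"
        return "tagged" if vlan in port.tagged else None
    # hybrid: per-VLAN choice between tagged and untagged egress
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(ports: dict, in_port: str, vid: Optional[int], out_port: str) -> Optional[str]:
    """Trace one frame from in_port to out_port through the VLAN rules."""
    vlan = ingress(ports[in_port], vid)
    if vlan is None:
        return None
    return egress(ports[out_port], vlan)


# Constructed hybrid design for the scenario: each PC port gets its own PVID,
# which only the uplink port accepts, while all three ports send and accept
# VLAN 10 untagged so replies from the gateway reach both PCs.
HYBRID_SCENARIO = {
    "1/0/7": Port("1/0/7", "hybrid", pvid=7, untagged=frozenset({7, 10})),         # PC1
    "1/0/9": Port("1/0/9", "hybrid", pvid=9, untagged=frozenset({9, 10})),         # PC2
    "1/0/10": Port("1/0/10", "hybrid", pvid=10, untagged=frozenset({7, 9, 10})),   # to SwitchA
}

# Constructed access/trunk pair in the spirit of the three-VLAN topology
ACCESS_TRUNK = {
    "1/0/2": Port("1/0/2", "access", pvid=2),
    "1/0/11": Port("1/0/11", "trunk", pvid=1, tagged=frozenset({2, 100, 200})),
}


def scenario_results() -> dict:
    """Forwarding outcomes for the constructed topologies above."""
    return {
        "pc1_to_pc2": forward(HYBRID_SCENARIO, "1/0/7", None, "1/0/9"),
        "pc1_to_gateway": forward(HYBRID_SCENARIO, "1/0/7", None, "1/0/10"),
        "gateway_to_pc1": forward(HYBRID_SCENARIO, "1/0/10", None, "1/0/7"),
        "gateway_to_pc2": forward(HYBRID_SCENARIO, "1/0/10", None, "1/0/9"),
        "access_to_trunk": forward(ACCESS_TRUNK, "1/0/2", None, "1/0/11"),
        "foreign_tag_on_access": forward(ACCESS_TRUNK, "1/0/2", 100, "1/0/11"),
        "trunk_to_access_wrong_vlan": forward(ACCESS_TRUNK, "1/0/11", 100, "1/0/2"),
    }


if __name__ == "__main__":
    for name, outcome in scenario_results().items():
        print(f"{name}: {outcome or 'dropped'}")
```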
15.2 GVRP Configuration
15.2.1 Introduction to GVRP
GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism to transmit attributes, so that protocol entities can register and deregister the attributes. According to the different transmitted attributes, GARP can be divided into many application protocols, such as GMRP and GVRP.
Command (Global Mode) / Explanation
garp timer join <200-500>, garp timer leave <500-1200>, garp timer leaveall <5000-60000> / no garp timer (join | leave | leaveAll): Configure the leaveall, join and leave timers for GVRP.
2. Configure port type
Command (Port mode) / Explanation
gvrp / no gvrp: Enable/disable the GVRP function of the port.
3. Configure GVRP function
Command (Global Mode) / Explanation
gvrp / no gvrp: Enable/disable the GVRP function for the switch.
15.2.
Figure 15-5 Typical GVRP Application Topology
To enable dynamic VLAN information registration and update among switches, the GVRP protocol is to be configured in the switches. Configure GVRP in Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
Configuration Item / Configuration description
VLAN100: Port 2-6 of Switch A and C.
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#gvrp
Switch(Config-If-Ethernet1/0/11)#exit
15.2.4 GVRP Troubleshooting
The GARP timer settings for the Trunk ports at both ends of the Trunk link must be the same, otherwise GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time in the switch. If GVRP needs to be enabled, the RSTP function for the ports must be disabled first.
15.
transmitted in VLAN3 when traveling in the ISP network while carrying two VLAN tags (the inner tag is added when entering PE1, and the outer is the SPVID), whereas the VLAN information of the user network is open to the provider network. When the packet reaches PE2, the outer VLAN tag is removed before the packet is forwarded to CE2 from the client port on PE2, so the packet CE2 receives is absolutely identical to the one sent by CE1.
network.
Configuration Item / Configuration Explanation
VLAN3: Port1 of PE1 and PE2.
dot1q-tunnel: Port1 of PE1 and PE2.
15.4 VLAN-translation Configuration
15.4.1 Introduction to VLAN-translation
VLAN translation, as one can tell from the name, translates the original VLAN ID to a new VLAN ID according to the user's requirements, so as to exchange data across different VLANs. VLAN translation is classified into ingress translation and egress translation; this switch only supports ingress translation of the VLAN ID. The application and configuration of VLAN translation are explained in detail in this section.
15.4.
Command (Admin mode) / Explanation
show vlan-translation: Show the related configuration of vlan-translation.
15.4.3 Typical application of VLAN-translation
Scenario: Edge switches PE1 and PE2 of the ISP network carry the VLAN20 data traffic between CE1 and CE2 of the client network over VLAN3. Port1 of PE1 is connected to CE1 and port10 is connected to the public network; port1 of PE2 is connected to CE2 and port10 is connected to the public network.
15.4.4 VLAN-translation Troubleshooting
Normally VLAN-translation is applied on trunk ports. The priority of vlan translation and vlan ingress filtering for processing packets is: vlan translation > vlan ingress filtering.
15.5 Dynamic VLAN Configuration
15.5.1 Introduction to Dynamic VLAN
Dynamic VLAN is named in contrast to static VLAN (namely port-based VLAN). The dynamic VLANs supported by the switch include MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN.
1. Configure the MAC-based VLAN function on the port
Command (Port Mode) / Explanation
switchport mac-vlan enable / no switchport mac-vlan enable: Enable/disable the MAC-based VLAN function on the port.
2. Set the VLAN to MAC VLAN
Command (Global Mode) / Explanation
mac-vlan vlan / no mac-vlan: Configure the specified VLAN as a MAC VLAN; the “no mac-vlan” command cancels the MAC VLAN configuration of this VLAN.
3.
protocol-vlan mode {ethernetii etype | llc {dsap ssap} | snap etype} vlan priority / no protocol-vlan {mode {ethernetii etype | llc {dsap ssap} | snap etype} | all}: Add/delete the correspondence between the Protocols and the VLAN, namely the specified protocol joins/leaves the specified VLAN.
7.
For example, M at E1/0/1 of SwitchA; then the configuration procedures are as follows:
Switch A, Switch B, Switch C:
SwitchA(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchA(Config)#interface ethernet 1/0/1
SwitchA(Config-Ethernet1/0/1)#switchport mode hybrid
SwitchA(Config-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untagged
SwitchB(Config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0
SwitchB(Config)#exit
SwitchB#
SwitchC(Config)#mac-vlan mac 00-30-4f-11-22-33 vlan
15.6 Voice VLAN Configuration
15.6.1 Introduction to Voice VLAN
Voice VLAN is specially configured for the users' voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipment to the Voice VLAN, the user can configure QoS (Quality of Service) for voice data and raise the transmission priority of voice data traffic to ensure call quality.
] / no voice-vlan {mac mask | name | all}
3. Enable the Voice VLAN of the port
Command (Port Mode) / Explanation
switchport voice-vlan enable / no switchport voice-vlan enable: Enable/disable the Voice VLAN function on the port.
15.6.3 Typical Applications of the Voice VLAN
Scenario: A company implements voice communication by configuring a Voice VLAN.
Switch(Config-If-Ethernet1/0/10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untag
Switch(Config-If-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/2)#switchport hybrid allowed vlan 100 untag
Switch(Config-If-Ethernet1/0/2)#exit
15.6.
Chapter 16 MAC Table Configuration
16.1 Introduction to MAC Table
The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), and that physical segment connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch. The initial MAC table contains no address mapping entries. Taking the communication of PC1 and PC3 as an example, the MAC address learning process is as follows:
1.
Three types of frames can be forwarded by the switch:
Broadcast frame
Multicast frame
Unicast frame
The following describes how the switch deals with the three types of frames:
Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain. When the switch receives a broadcast frame, it forwards the frame to all ports.
] | [source | destination | both]
no mac-address-table {static | blackhole | dynamic} [address ] [vlan ] [interface [ethernet | portchannel] ]
3. Clear dynamic address table
Command (Admin Mode) / Explanation
clear mac-address-table dynamic [address ] [vlan ] [interface [ethernet | portchannel] ]: Clear the dynamic address table.
16.
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 7 and port 9, respectively.
Switch(config)#mac-address-table static 00-01-22-22-22-22 interface ethernet 1/0/7 vlan 1
Switch(config)#mac-address-table static 00-01-33-33-33-33 interface ethernet 1/0/9 vlan 1
16.
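The learning, flooding and filtering behaviour described in 16.1, together with the filter (discard) and static entries just configured, as an added Python simulation that is not the switch's own code: port names and MAC addresses are constructed to match the chapter's examples, and the rule that a static or discard entry is never overwritten by learning is an assumption of the model.

```python
"""Added example, not code from the PLANET manual: a simulation of the MAC
table behaviour of Chapter 16 (learning, flooding, unicast forwarding,
static entries and discard/blackhole entries). Port names and MAC
addresses are constructed to match the chapter's examples."""
from dataclasses import dataclass

BROADCAST = "ff-ff-ff-ff-ff-ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: int = 1


def is_group_address(mac: str) -> bool:
    # True for broadcast and multicast MACs (I/G bit of the first octet set)
    return int(mac.split("-")[0], 16) & 0x01 == 1


class MacTable:
    """Entries keyed by (vlan, mac): ("dynamic"|"static", port) or ("discard", None)."""
    def __init__(self):
        self.entries = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(vlan, mac.lower())] = ("static", port)

    def add_discard(self, mac: str, vlan: int) -> None:
        # mac-address-table static <mac> discard vlan <id>: frames with this
        # source or destination MAC are dropped (filter / blackhole entry)
        self.entries[(vlan, mac.lower())] = ("discard", None)

    def learn(self, mac: str, vlan: int, port: str) -> None:
        # dynamic learning never overwrites a static or discard entry (assumed)
        key = (vlan, mac.lower())
        if self.entries.get(key, ("dynamic", None))[0] == "dynamic":
            self.entries[key] = ("dynamic", port)

    def lookup(self, mac: str, vlan: int):
        return self.entries.get((vlan, mac.lower()))


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = MacTable()

    def flood(self, in_port: str) -> list:
        return [p for p in self.ports if p != in_port]

    def handle(self, frame: Frame, in_port: str) -> list:
        """Return the egress port list for a frame; an empty list means dropped."""
        src = self.table.lookup(frame.src, frame.vlan)
        if src is not None and src[0] == "discard":
            return []                                     # blackholed source
        self.table.learn(frame.src, frame.vlan, in_port)  # learn the source port
        if is_group_address(frame.dst):
            return self.flood(in_port)                    # broadcast / multicast
        dst = self.table.lookup(frame.dst, frame.vlan)
        if dst is None:
            return self.flood(in_port)                    # unknown unicast
        kind, port = dst
        if kind == "discard":
            return []                                     # blackholed destination
        if port == in_port:
            return []           # destination on the sender's own segment: filtered
        return [port]


# Constructed addresses for the chapter's topology: PC1/PC2 share the segment
# on port 1/0/5, PC3/PC4 share the segment on port 1/0/12.
PC1, PC2 = "00-01-11-11-11-11", "00-01-22-22-22-22"
PC3, PC4 = "00-01-33-33-33-33", "00-01-44-44-44-44"
PORTS = ["1/0/5", "1/0/7", "1/0/9", "1/0/12"]


def learning_trace() -> list:
    """Replay the PC1 <-> PC3 exchange; return the egress decision of each step."""
    sw = LearningSwitch(PORTS)
    return [
        sw.handle(Frame(PC1, PC3), "1/0/5"),         # PC3 unknown: flooded
        sw.handle(Frame(PC3, PC1), "1/0/12"),        # PC1 already learned on 1/0/5
        sw.handle(Frame(PC1, PC3), "1/0/5"),         # PC3 now learned on 1/0/12
        sw.handle(Frame(PC2, PC1), "1/0/5"),         # same segment: not forwarded
        sw.handle(Frame(PC4, BROADCAST), "1/0/12"),  # broadcast: flooded
    ]


def static_and_discard_trace() -> list:
    """Apply the filter and static entries configured above and show their effect."""
    sw = LearningSwitch(PORTS)
    sw.table.add_discard(PC1, vlan=1)                 # PC1 is a filter address
    sw.table.add_static(PC2, vlan=1, port="1/0/7")
    sw.table.add_static(PC3, vlan=1, port="1/0/9")
    return [
        sw.handle(Frame(PC1, PC3), "1/0/5"),    # dropped: source is blackholed
        sw.handle(Frame(PC4, PC1), "1/0/12"),   # dropped: destination is blackholed
        sw.handle(Frame(PC4, PC2), "1/0/12"),   # static entry answers, no flooding
        sw.handle(Frame(PC2, PC3), "1/0/5"),    # PC2's static entry is not relearned
        sw.table.lookup(PC2, 1),                # still ("static", "1/0/7")
    ]
```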
4. mac-notification trap configuration
1. Enable MAC address binding function for the ports
Command (Port Mode) / Explanation
switchport port-security / no switchport port-security: Enable the MAC address binding function for the port and lock the port. When a port is locked, the MAC address learning function of the port is disabled; the “no switchport port-security” command disables the MAC address binding function for the port and restores the MAC address learning function of the port.
2.
switchport port-security violation {protect | shutdown} / no switchport port-security violation: Set the violation mode for the port; the “no switchport port-security violation” command restores the default setting.
4. mac-notification trap configuration
Command (Global Mode) / Explanation
mac-address-table periodic-monitor-time <5-86400>: Set the MAC monitor interval used to count the MAC addresses added and deleted in that time and send them out in a trap message.
16.5.1.
Chapter 17 MSTP Configuration
17.1 Introduction to MSTP
MSTP (Multiple STP) is a new spanning-tree protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning-tree instances (MSTIs) for each MST domain (MSTP domain).
Figure 17-1 Example of CIST and MST Region
In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP treats this region as one bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
17.1.1.
17.1.2 Port Roles
The MSTP bridge assigns a port role to each port which runs MSTP. CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port. On top of those roles, each MSTI port has one new role: Master Port. The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same way as those in RSTP.
17.1.3 MSTP Load Balance
In an MSTP region, VLANs can be mapped to various instances. That can form various topologies.
2. Configure instance parameters
Command (Global Mode) / Explanation
spanning-tree mst priority / no spanning-tree mst priority: Set the bridge priority for the specified instance.
spanning-tree priority / no spanning-tree priority: Configure the spanning-tree priority of the switch.
Command (Port Mode) / Explanation
spanning-tree mst cost: Set the port path cost for the specified instance.
name / no name: Set the MSTP region name.
revision-level / no revision-level: Set the MSTP region revision level.
abort: Quit MSTP region mode and return to Global mode without saving the MSTP region configuration.
exit: Quit MSTP region mode and return to Global mode, saving the MSTP region configuration.
no: Cancel one command or set the initial value.
4.
Port Mode
spanning-tree format standard; spanning-tree format privacy; spanning-tree format auto; no spanning-tree format: Configure the format of port spanning-tree packets. The standard format is the one provided by IEEE, privacy is compatible with CISCO, and auto means the format is determined by checking the received packet.
7. Configure the spanning-tree attribute of port
Command / Explanation
Port Mode
spanning-tree cost: Set the port path cost.
topology changes.
Port Mode
spanning-tree tcflush {enable | disable | protect}; no spanning-tree tcflush: Configure the port flush mode. The no command restores use of the globally configured flush mode.
17.3 MSTP Example
The following is a typical MSTP application example:
Figure 17-2 Typical MSTP Application Scenario (figure: Switch1, Switch2, Switch3 and Switch4 with numbered ports; ports marked x are blocked)
The connections among the switches are shown in the above figure.
Port 4: 200000 200000
Port 5: 200000 200000
Port 6: 200000 200000
Port 7: 200000 200000
By default, MSTP establishes a tree topology (in blue lines) rooted at SwitchA. The ports marked with "x" are in the discarding state, and the other ports are in the forwarding state.
Configuration Steps:
Step 1: Configure port to VLAN mapping: Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4. Set ports 1-7 as trunk ports in Switch2, Switch3 and Switch4.
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/0/1-7
Switch3(Config-Port-Range)#switchport mode trunk
Switch3(Config-Port-Range)#exit
Switch3(config)#spanning-tree
Switch3(config)
forwarding. Because instance 3 and instance 4 are only valid inside the MSTP region, the following figure shows only the topology of the MSTP region.
Figure 17-5 The Topology of Instance 4 after the MSTP Calculation (figure: Switch2, Switch3 and Switch4 with numbered ports; ports marked X are blocked)
17.4 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port. The MSTP parameters work together, so they must meet the following conditions; otherwise MSTP may work incorrectly. 2×(Bridge_Forward_Delay -1.
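As an added illustration (not code from the PLANET manual), a small Python check of the timer relationships that the troubleshooting note refers to. The manual's sentence is cut off after the first inequality, so the full set of conditions used here is the IEEE 802.1D/802.1Q one, 2×(Forward_Delay - 1) >= Max_Age >= 2×(Hello_Time + 1); that set, and the default values in the comments, are taken from the standard rather than from this page.

```python
"""Sanity check of spanning-tree timer relationships before a configuration is applied.

Added example, not the switch's own code. The inequalities are the IEEE
802.1D/802.1Q constraints (assumed here; the manual's text is truncated):
    2 * (Forward_Delay - 1) >= Max_Age
    Max_Age >= 2 * (Hello_Time + 1)
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StpTimers:
    hello_time: int      # seconds; 802.1D default 2
    max_age: int         # seconds; 802.1D default 20
    forward_delay: int   # seconds; 802.1D default 15


def check_timers(t: StpTimers) -> List[str]:
    """Return the list of violated conditions; an empty list means the timers are consistent."""
    problems: List[str] = []
    if 2 * (t.forward_delay - 1) < t.max_age:
        problems.append(
            f"2*(Forward_Delay-1)={2 * (t.forward_delay - 1)} < Max_Age={t.max_age}")
    if t.max_age < 2 * (t.hello_time + 1):
        problems.append(
            f"Max_Age={t.max_age} < 2*(Hello_Time+1)={2 * (t.hello_time + 1)}")
    return problems


def min_forward_delay(max_age: int) -> int:
    """Smallest Forward_Delay satisfying 2*(Forward_Delay-1) >= Max_Age, i.e. ceil(Max_Age/2)+1."""
    return (max_age + 1) // 2 + 1


def min_max_age(hello_time: int) -> int:
    """Smallest Max_Age satisfying Max_Age >= 2*(Hello_Time+1)."""
    return 2 * (hello_time + 1)


if __name__ == "__main__":
    # Constructed sample configurations: the defaults, a too-short forward delay, a too-long hello.
    for timers in (StpTimers(2, 20, 15), StpTimers(2, 20, 10), StpTimers(10, 20, 15)):
        print(timers, check_timers(timers) or "OK")
```

Run it against the values you intend to set with the spanning-tree timer commands; a non-empty result means the switch will either reject the combination or run with inconsistent timers.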
Chapter 18 QoS Configuration
18.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS guarantees consistent and predictable data transfer service quality to fulfil application requirements.
Drop Precedence: When processing packets, the packets with the higher drop precedence are dropped first; the range is 0-1. Its abbreviation is Drop-Prec or DP.
Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
Figure 18-3 Basic QoS Model
Classification: Classify traffic according to packet classification information and generate an internal DSCP value based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.
Figure 18-4 Classification process (flowchart: an untagged packet takes the port's default CoS as its L2 CoS (*1), a tagged packet keeps its own L2 CoS; if Trust DSCP (*2) is set and the packet is an IP packet, DSCP-to-Int-Prio conversion is applied according to the DSCP value of the packet; otherwise, if Trust CoS (*2) is set, CoS-to-Int-Prio conversion is applied according to the L2 CoS value of the packet; otherwise Int-Prio is set to the default ingress Int-Prio; then the policing flow is entered)
Note 1: L2 CoS value is considered a property of the packets,
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and can be policed and remarked. Policing can be performed per flow to configure different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be single bucket dual color or dual bucket three color. The traffic is assigned a color and can be discarded or passed; for passed packets, a remarking action can be added.
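To make the dual bucket three color policing concrete, here is an added Python model of a two-rate three-color marker (written for this page, not the switch's implementation). It follows the RFC 2698 trTCM scheme, which the manual does not name, so the refill rule, the bucket names (tc, tp) and the sample rates and packet sizes below are assumptions; the manual only states that traffic is colored and then discarded or passed with an optional remark.

```python
"""Dual-bucket (two-rate) three-color policer, added illustration modelled on RFC 2698.

Not the switch's own code. cir/pir are in bits per second, cbs/pbs in bytes.
Both buckets start full and refill continuously; the peak bucket decides red,
the committed bucket decides yellow versus green.
"""
from typing import List, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


class TwoRateThreeColor:
    def __init__(self, cir_bps: float, cbs_bytes: int, pir_bps: float, pbs_bytes: int):
        self.cir = cir_bps / 8.0          # committed rate, bytes per second
        self.pir = pir_bps / 8.0          # peak rate, bytes per second
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.tc = float(cbs_bytes)        # committed bucket level in bytes
        self.tp = float(pbs_bytes)        # peak bucket level in bytes
        self.last = 0.0                   # time of the previous refill

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tc = min(float(self.cbs), self.tc + elapsed * self.cir)
        self.tp = min(float(self.pbs), self.tp + elapsed * self.pir)
        self.last = now

    def color(self, size: int, now: float) -> str:
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:
            return RED                    # over the peak rate: nothing is consumed
        if self.tc < size:
            self.tp -= size               # within peak, over committed
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def action_for(color: str) -> str:
    """The manual's two outcomes: red is discarded, green and yellow pass (and may be remarked)."""
    return "discard" if color == RED else "pass"


def police(packets: List[Tuple[float, int]], policer: TwoRateThreeColor) -> List[str]:
    """Run a trace of (timestamp, size) pairs through the policer and return the colors."""
    return [policer.color(size, ts) for ts, size in packets]


if __name__ == "__main__":
    # Constructed sample: CIR 8 kbit/s (1000 B/s), CBS 1500 B, PIR 16 kbit/s (2000 B/s), PBS 3000 B.
    p = TwoRateThreeColor(8000, 1500, 16000, 3000)
    trace = [(0.0, 1000)] * 4 + [(1.0, 1000)]
    colors = police(trace, p)
    for (ts, size), c in zip(trace, colors):
        print(f"t={ts:.1f}s {size}B -> {c} ({action_for(c)})")
```

With the sample values, four 1000-byte packets arriving together come out green, yellow, yellow, red: the first fits both buckets, the next two exceed the committed bucket but still fit the peak bucket, the fourth exceeds the peak bucket and is discarded. One second later both buckets have refilled enough for the next packet to be green again.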
Note 1: Int-Prio is overwritten by the later setting: Set Int-Prio of a color-specific action overrides Set Int-Prio of the color-independent action.
Note 2: Drop the internal priority of the packets according to the IntP-to-IntP map. Source Int-Prio means the Int-Prio obtained in the Classification flow or the Int-Prio set by the color-independent action.
18.2 QoS Configuration Task List
1. Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 Flow Label to classify the data stream. Different classes of data streams will be processed with different policies.
2. Configure a policy map
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode.
Global Mode
policy-map; no policy-map: Create a policy map and enter policy map mode; the no command deletes the specified policy map. After a policy map is created, it can be associated to a class.
class [insert-before ]; no class: Different policies or a new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
drop; no drop; transmit; no transmit: Drop or transmit the traffic that matches the class; the no command cancels the assigned action.
3. Apply QoS to port or VLAN interface
Command / Explanation
Interface Configuration Mode
mls qos trust {cos | dscp}; no mls qos trust {cos | dscp}: Configure port trust; the no command disables the current trust status of the port.
mls qos cos {}; no mls qos cos: Configure the default CoS value of the port; the no command restores the default setting.
mls qos map (cos-dp | dscp-dscp to | dscp-intp to | dscp-dp to ); no mls qos map (cos-dp | dscp-dscp | dscp-intp | dscp-dp): Set the priority mapping for QoS; the no command restores the default mapping value.
mls qos map intp-dscp; no mls qos map intp-dscp
6.
Switch(Config-If-Ethernet 1/0/1)#mls qos trust cos
Switch(Config-If-Ethernet1/0/1)#mls qos cos 5
Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of each port is 1:1:2:2:4:4:8:8. When packets with a CoS value come in through port ethernet1/0/1, they are mapped to the internal priority according to the CoS value; CoS values 0 to 7 correspond to out queues 1, 2, 3, 4, 5, 6, 7, 8 respectively.
Figure 18-7 Typical QoS topology (figure: Server; QoS area containing Switch3 and Switch2; trunk to Switch1)
As shown in the figure, inside the block is a QoS domain. Switch1 classifies different traffic and assigns different IP precedences. For example, set the CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/0/1 (set the internal priority to 40, set the default intp-dscp mapping to 40-40, and the corresponding IP precedence to 5). The port connecting to Switch2 is a trunk port.
18.4 QoS Troubleshooting
trust cos and EXP can be used together with other trust modes or a Policy Map.
trust dscp can be used together with other trust modes or a Policy Map. This configuration takes effect for IPv4 and IPv6 packets.
trust exp, trust dscp and trust cos may be configured at the same time; the priority is EXP > DSCP > COS.
If a dynamic VLAN (mac vlan/voice vlan/ip subnet vlan/protocol vlan) is configured, then the packet COS value equals the COS value of the dynamic VLAN.
Chapter 19 Flow-based Redirection
19.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit data frames meeting a special condition (specified by an ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
19.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received from port 1 out through port 6.
Configuration steps:
1: Set an ACL; the condition to be matched is: source IP is 192.168.1.111;
2: Apply the redirection based on this flow to port 1.
Chapter 20 Egress QoS Configuration
20.1 Introduction to Egress QoS
In traditional IP networks, all packets are treated in the same way. All network equipment treats them with a first-in-first-out policy and makes a best effort to deliver them to the destination. However, this does not guarantee performance such as reliability and transmission delay. Networks develop so fast that, with the continual emergence of new applications, new demands have been raised for quality of service on IP networks.
20.1.
Description of actions that modify QoS attributes according to the egress remark table:
cos-cos: for the cos value of packets, modify the cos value of packets according to the cos table of QoS remarking
cos-dscp: for the cos value of packets, modify the dscp value of packets according to the cos table of QoS remarking
dscp-cos: for the dscp value of packets, modify the cos value of packets according to the dscp table of QoS remarking
dscp-dscp: for the dscp value of packets, modify the dscp value of packets according to the dscp table of QoS remarking
20.
access-group}
2. Configure a policy-map
Command / Explanation
Global Mode
policy-map; no policy-map: Create a policy-map and enter policy-map mode; the no command deletes the specified policy-map.
class [insert-before ]; no class: Create a policy map associated with a class map and enter policy class map mode; then different data streams can apply different policies and be assigned a new DSCP value.
class map mode, add the statistic function to the flow of the policy class map. In single bucket mode, packets can only be red or green when passing the policy. In the printed information, in-profile means green and out-profile means red. In dual bucket mode, there are three colors of packets: in-profile means green and out-profile means red and yellow.
3.
Admin Mode
clear mls qos statistics [interface | vlan ]: Clear the accounting data of the specified ports or VLAN Policy Map. If there are no parameters, clear the accounting data of all policy maps.
6. Show QoS configuration
Command / Explanation
Admin Mode
show mls qos {interface [] [policy | queuing] | vlan }: Show the QoS configuration of the port.
show class-map []: Show the class map information of QoS.
switch(config)#class-map 1
switch(config-classmap-1)#match ipv6 dscp 7
switch(config-classmap-1)#exit
Create a policy map:
switch(config)#policy-map 1
switch(config-policymap-1)#class 1
switch(config-policymap-1-class-1)#set cos 4
switch(config-policymap-1-class-1)#exit
switch(config-policymap-1)#exit
Bind the policy to a VLAN:
switch(config)#service-policy output 1 vlan 10
Example 3: In the egress of port 1, limit the speed of packets.
switch(config-if-port-range)#mls qos trust dscp
Bind the policy to the egress of port 1:
switch(config-if-ethernet1/0/1)#service-policy output p1
20.4 Egress QoS Examples
Not all equipment supports Egress QoS at present, so please make sure the current device supports this function. If the configured policy cannot be bound to the port or VLAN, please check whether the match option in the classification table is supported by the current device.
Chapter 21 Flexible QinQ Configuration
21.1 Introduction to Flexible QinQ
21.1.1 QinQ Technique
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its main idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP to provide a simple layer-2 tunnel for the users.
Command / Explanation
Global mode
class-map; no class-map: Create a class-map and enter class-map mode; the no command deletes the specified class-map.
vlan; no service-policy input vlan: the no command deletes the specified policy-map applied to the VLAN.
4. Show flexible QinQ policy-map bound to port
Command / Explanation
Admin mode
show mls qos {interface []: Show the flexible QinQ configuration on the port.
21.3 Flexible QinQ Example
Figure 21-1 Flexible QinQ application topology
As shown in the figure, the first user is assigned three VLANs whose tag values are 1001, 2001 and 3001 respectively in DSLAM1.
Switch(config-classmap-c1)#match vlan 1001
Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match vlan 2001
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match vlan 3001
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)# set s-vid 1001
Switch(config-policymap-p1)#class c2
Switch(config-policymap-p1-class-c2)# set s-vid 2001
Switch(config-policyma
21.
Chapter 22 Layer 3 Forward Configuration
The switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result. If the IP packet is destined to another subnet reachable from this switch, the packet is forwarded to the appropriate interface.
1. Create Layer 3 Interface
Command / Explanation
Global Mode
interface vlan; no interface vlan: Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the switch.
interface loopback; no interface loopback: Creates a Loopback interface and enters loopback Port Mode; the no command deletes the Loopback interface created in the switch.
2.
Global Mode
ip vrf; no ip vrf: Create a VRF instance; no VRF instance is created by default.
VRF Mode
rd: Configure the RD of the VRF instance. No RD is created by default.
route-target {import | export | both}; no route-target {import | export | both}: Configure the RT of the VRF instance.
Interface Mode
ip vrf forwarding; no ip vrf forwarding: Configure the relation between the VRF instance and the interface.
every connection state, which increases network delay greatly and decreases network performance. Moreover, the translation of packet addresses obstructs end-to-end network security checks; the IPSec authentication header is one such example. Therefore, in order to solve comprehensively all kinds of problems existing in IPv4, the next-generation Internet Protocol IPv6 designed by the IETF has become the only feasible solution at present.
22.2.2 IP Configuration
A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.
22.2.2.1 IPv4 Address Configuration
IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
1.
via DHCPv6
(15) Set the flag representing whether the address information will be obtained via DHCPv6
3. IPv6 Tunnel configuration
(1) Create/Delete Tunnel
(2) Configure tunnel description
(3) Configure Tunnel Source
(4) Configure Tunnel Destination
(5) Configure Tunnel Next-Hop
(6) Configure Tunnel Mode
(7) Configure Tunnel Routing
1.
makes duplicate address detection. The no command restores the default value (1).
(2) Configure Send Neighbor Solicitation Message Interval
Command / Explanation
Interface Configuration Mode
ipv6 nd ns-interval; no ipv6 nd ns-interval: Set the interval at which the interface sends neighbor solicitation messages. The no command restores the default value (1 second).
(3) Enable and disable router advertisement
Command / Explanation
Interface Configuration Mode
Forbid IPv6 Router Advertisement.
Interface Configuration Mode
ipv6 nd prefix [off-link] [no-autoconfig]; no ipv6 nd prefix: Configure the address prefix and advertisement parameters of the router. The no command cancels the address prefix of the router advertisement.
Interface Configuration Mode
ipv6 nd retrans-timer: Set the retrans-timer of sending router advertisement.
(14) Set the flag representing whether information other than the address information will be obtained via DHCPv6.
Command / Explanation
Interface Configuration Mode
ipv6 nd other-config-flag: Set the flag representing whether information other than the address information will be obtained via DHCPv6.
Tunnel Configuration Mode
tunnel destination { | }; no tunnel destination: Configure the tunnel destination end IPv4/IPv6 address. The no command deletes the IPv4/IPv6 address of the tunnel destination end.
(5) Configure Tunnel Next-Hop
Command / Explanation
Tunnel Configuration Mode
tunnel nexthop; no tunnel nexthop: Configure the tunnel next-hop IPv4 address. The no command deletes the IPv4 address of the tunnel next-hop end.
address 192.168.2.1 255.255.255.0 in VLAN2.
3. Configure two VLANs on Switch2, respectively VLAN2 and VLAN3.
4. Configure IPv4 address 192.168.2.2 255.255.255.0 in VLAN2 of Switch2, and configure IPv4 address 192.168.3.1 255.255.255.0 in VLAN3.
5. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0.
6. Configure static route 192.168.3.0/24 on Switch1, and configure static route 192.168.1.0/24 on Switch2.
7. Ping each other among the PCs.
Configuration Description:
1. Configure two VLANs on Switch1, namely VLAN1 and VLAN2.
2. Configure IPv6 address 2001::1/64 in VLAN1 of Switch1, and configure IPv6 address 2002::1/64 in VLAN2.
3. Configure two VLANs on Switch2, namely VLAN2 and VLAN3.
4. Configure IPv6 address 2002::2/64 in VLAN2 of Switch2, and configure IPv6 address 2003::1/64 in VLAN3.
5. The IPv6 address of PC1 is 2001::11/64, and the IPv6 address of PC2 is 2003::33/64.
no login
!
end
Switch2#show run
interface Vlan2
 ipv6 address 2002::2/64
!
interface Vlan3
 ipv6 address 2003::1/64
!
interface Loopback
 mtu 3924
!
ipv6 route 2001::/64 2002::1
!
no login
!
end
Example 2:
Figure 22-3 IPv6 tunnel (figure: SwitchA, SwitchB and SwitchC; PC-A and PC-B)
This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes, and dual-stack is supported. SwitchC only runs IPv4. PC-A and PC-B communicate.
Configuration Description:
1.
3. Configure two VLANs on SwitchB, namely VLAN3 and VLAN4; VLAN4 is the IPv6 domain, and VLAN3 connects to the IPv4 domain.
4. Configure IPv6 address 2002:cbcb:cb01:2::1/64 in VLAN4 of SwitchB and turn on the RA function; configure IPv4 address 203.203.203.1 on VLAN3.
5. Configure a tunnel on SwitchA; the source IPv4 address of the tunnel is 202.202.202.1, and the tunnel route is ::/0.
6. Configure a tunnel on SwitchB; the source IPv4 address of the tunnel is 203.203.203.1, and the tunnel route is ::/0.
7.
22.3 IP Forwarding
22.3.1 Introduction to IP Forwarding
Gateway devices can forward IP packets from one subnet to another; such forwarding uses routes to find a path. IP forwarding in the switch is done with hardware participation and can achieve wire-speed forwarding. In addition, flexible management is provided to adjust and monitor forwarding.
Figure 22-4 URPF application situation
In the above figure, Router A sends requests to the server Router B using forged messages whose source address is 2.2.2.1/8. In response, Router B sends the replies to the real "2.2.2.1/8". Such illegal messages attack both Router B and Router C. Applying URPF technology in the situation described above can prevent attacks based on source address spoofing.
22.4.2 URPF Configuration Task Sequence
1. Enable URPF
2.
In the network topology shown in the graph above, the IP URPF function is enabled on SW3. When someone in the network impersonates another host by using that host's IP address to launch a malicious attack, the switch drops all the attacking messages directly in hardware. Enable the URPF function on SW3.
SW3 configuration task sequence:
Switch3#config
Switch3(config)#urpf enable
22.4.
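The check that `urpf enable` turns on in SW3's hardware can be modelled in software to see which packets it drops. The following Python is an added illustration, not the switch's implementation: it performs a longest-prefix lookup on the packet's source address and, in strict mode, accepts the packet only when the best route back to that source points at the interface the packet arrived on. The routing table, interface names and packets are constructed sample data; the treatment of the default route (never accepted as proof that a source is reachable) is a design choice of this example, not something the manual states.

```python
"""Unicast reverse-path forwarding check, added illustration (not the switch's code).

Strict mode: the best route to the source must leave via the ingress interface.
Loose mode: any route to the source other than the default route suffices.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed routing table standing in for SW3's FIB: (destination prefix, egress interface).
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("10.1.0.0/16"), "vlan10"),
    (ip_network("10.1.5.0/24"), "vlan15"),   # more specific than 10.1.0.0/16
    (ip_network("192.168.1.0/24"), "vlan1"),
    (ip_network("0.0.0.0/0"), "vlan100"),    # default route
]


def lookup(addr: IPv4Address, table=ROUTES) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match; returns (prefix, interface) or None when nothing matches."""
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src: str, ingress: str, mode: str = "strict", table=ROUTES) -> bool:
    """True if a packet with source `src` arriving on `ingress` passes the uRPF check."""
    match = lookup(ip_address(src), table)
    if match is None:
        return False
    prefix, iface = match
    if prefix.prefixlen == 0:
        return False                 # only the default route matched: source is unverifiable
    if mode == "loose":
        return True
    return iface == ingress


def filter_trace(packets: List[Tuple[str, str]], mode: str = "strict") -> List[Tuple[str, str, str]]:
    """Apply uRPF to constructed (source IP, ingress interface) pairs; returns a verdict per packet."""
    return [(src, ingress, "forward" if urpf_check(src, ingress, mode) else "drop")
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed trace: the second packet claims a 10.1.5.0/24 source but arrives on the wrong VLAN.
    for src, ingress, verdict in filter_trace([("10.1.5.7", "vlan15"), ("10.1.5.7", "vlan10"),
                                               ("8.8.8.8", "vlan10")]):
        print(f"{src} via {ingress}: {verdict}")
```

In the constructed trace the spoofed packet (a 10.1.5.0/24 source arriving on vlan10) is dropped while the same source on vlan15 is forwarded, which is the behaviour the figure describes for SW3.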
3. Clear dynamic ARP
4. Clear the statistic information of ARP messages
1. Configure static ARP
Command / Explanation
VLAN Interface Mode
arp {interface [ethernet] }; no arp: Configures a static ARP entry; the no command deletes the ARP entry of the specified IP address.
2. Configure proxy ARP
Command / Explanation
VLAN Interface Mode
ip proxy-arp; no ip proxy-arp: Enables the proxy ARP function for Ethernet ports; the no command disables proxy ARP.
22.5.3 ARP Troubleshooting
If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and create a solution. Check whether the corresponding ARP entry has been learned by the switch. If ARP has not been learned, enable ARP debugging information and view the sending/receiving condition of ARP packets. A defective cable is a common cause of ARP problems and may disable ARP learning.
22.6 Hardware Tunnel Capacity Configuration
22.6.
Chapter 23 ARP Scanning Prevention Function Configuration
23.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which takes up a large part of the network bandwidth. It might even launch a large-traffic attack in the network via fake ARP messages, collapsing the network by exhausting its bandwidth.
anti-arpscan enable; no anti-arpscan enable: Enable or disable the ARP Scanning Prevention function globally.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Command / Explanation
Global configuration mode
anti-arpscan port-based threshold; no anti-arpscan port-based: Set the threshold of the port-based ARP Scanning Prevention.
anti-arpscan log enable; no anti-arpscan log enable: Enable or disable the log function of ARP scanning prevention.
anti-arpscan trap enable; no anti-arpscan trap enable: Enable or disable the SNMP Trap function of ARP scanning prevention.
show anti-arpscan [trust | prohibited ]: Show the configuration of ARP scanning prevention.
SwitchB configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/0/1
SwitchB(Config-If-Ethernet1/0/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/0/1)#exit
23.4 ARP Scanning Prevention Troubleshooting Help
ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, "debug anti-arpscan", to view debug information.
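The port-based and IP-based thresholds, the trusted port and the prohibited list from this chapter can be exercised offline with the following added Python model (written for this page; it is not the switch's algorithm). The manual gives only the two thresholds and the log/trap/prohibit actions, so the one-second sliding window, the "count exceeds threshold" rule and the alert text are assumptions of this example, and the ARP request records are constructed.

```python
"""Threshold-based ARP scan detection over a sliding window, added illustration.

Not the switch's own implementation. Each ARP request is counted per ingress
port and per source IP; a count above the corresponding threshold puts the
port or IP on a prohibited list (compare "show anti-arpscan prohibited") and
produces an alert string standing in for the log and SNMP-trap actions.
Trusted ports are never counted. Window length and counting rule are assumed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple


class ArpScanDetector:
    def __init__(self, port_threshold: int, ip_threshold: int,
                 window_s: float = 1.0, trusted_ports: Iterable[str] = ()):
        self.port_threshold = port_threshold
        self.ip_threshold = ip_threshold
        self.window = window_s
        self.trusted_ports: Set[str] = set(trusted_ports)
        self.port_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.prohibited_ports: Set[str] = set()
        self.prohibited_ips: Set[str] = set()

    def _count(self, hits: Dict[str, Deque[float]], key: str, ts: float) -> int:
        q = hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:    # evict hits that fell out of the window
            q.popleft()
        return len(q)

    def observe(self, ts: float, port: str, src_ip: str) -> List[str]:
        """Record one ARP request seen at time `ts`; return any alerts it raises."""
        if port in self.trusted_ports:
            return []
        if port in self.prohibited_ports or src_ip in self.prohibited_ips:
            return []                            # already isolated; nothing new to report
        alerts: List[str] = []
        n_ip = self._count(self.ip_hits, src_ip, ts)
        if n_ip > self.ip_threshold:
            self.prohibited_ips.add(src_ip)
            alerts.append(f"ip {src_ip} on {port}: {n_ip} ARP requests in "
                          f"{self.window}s exceeds threshold {self.ip_threshold}")
        n_port = self._count(self.port_hits, port, ts)
        if n_port > self.port_threshold:
            self.prohibited_ports.add(port)
            alerts.append(f"port {port}: {n_port} ARP requests in "
                          f"{self.window}s exceeds threshold {self.port_threshold}")
        return alerts


def run_trace(detector: ArpScanDetector, records: List[Tuple[float, str, str]]) -> List[str]:
    """Feed constructed (timestamp, port, source IP) records and collect the alerts."""
    alerts: List[str] = []
    for ts, port, src_ip in records:
        alerts.extend(detector.observe(ts, port, src_ip))
    return alerts


if __name__ == "__main__":
    det = ArpScanDetector(port_threshold=5, ip_threshold=3, trusted_ports=["e1/0/1"])
    # Constructed trace: one host on e1/0/2 sweeping the segment with ARP requests.
    sweep = [(0.1 * i, "e1/0/2", "10.0.0.9") for i in range(6)]
    for alert in run_trace(det, sweep):
        print(alert)
    print("prohibited ips:", sorted(det.prohibited_ips))
```

The trusted port in the constructed sample mirrors the `anti-arpscan trust port` setting on ethernet1/0/1 above: requests arriving there are never counted, so an uplink or a legitimate scanner behind it cannot trip the thresholds.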
Chapter 24 Prevent ARP, ND Spoofing Configuration
24.1 Overview
24.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC 826) is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4F-FD-1D-2B.
The essential method of preventing ARP-based attacks and spoofing in switched networks is to disable the switch's automatic ARP update function: the cheater then cannot modify a correct MAC address, so wrong packet forwarding is avoided and the cheater cannot obtain other information. At the same time, this does not interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attacks to a great extent.
24.3 Prevent ARP, ND Spoofing Example
Equipment / Configuration / Quantity
Switch: IP:192.168.2.4; IP:192.168.1.4; mac: 00-00-00-00-00-04 / 1
A: IP:192.168.2.1; mac: 00-00-00-00-00-01 / 1
B: IP:192.168.1.2; mac: 00-00-00-00-00-02 / 1
C: IP:192.168.2.3; mac: 00-00-00-00-00-03 / 1
There is normal communication between B and C in the diagram above. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets coming from B to A.
If the environment changes, ARP refresh can be forbidden: once an ARP entry is learned, it will not be refreshed by a new ARP reply packet, which protects user data from sniffing.
Chapter 25 ARP GUARD Configuration
25.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between IP address and MAC address, causing problems in network communication.
Command / Explanation
Port configuration mode
arp-guard ip; no arp-guard ip: Configure/delete the ARP GUARD address
Chapter 26 ARP Local Proxy Configuration
26.1 Introduction to ARP Local Proxy function
In a real application environment, the switches in the aggregation layer are required to implement the local ARP proxy function to avoid ARP cheating. This function restricts the forwarding of ARP messages within the same VLAN and thus directs the L3 forwarding of the data flow through the switch.
(figure: hosts 192.168.1.1 192.168.1.200 192.168.1.
26.2 ARP Local Proxy Function Configuration Task List
1. Enable/disable ARP local proxy function
Command / Explanation
Interface vlan mode
ip local proxy-arp; no ip local proxy-arp: Enable or disable the ARP local proxy function.
26.3 Typical Examples of ARP Local Proxy Function
As shown in the following figure, S1 is a medium/high-level layer-3 switch supporting ARP local proxy, and S2 is a layer-2 access switch supporting interface isolation. For security, the interface isolation function is enabled on S2.
26.4 ARP Local Proxy Function Troubleshooting
The ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With correct configuration, by enabling ARP debugging, users can check whether the ARP proxy works normally and sends proxy ARP messages. During operation, the system shows corresponding prompts if any operational error occurs.
Chapter 27 Gratuitous ARP Configuration
27.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request that is sent by the host with its own IP address as the destination of the ARP request. The basic working mode for XGS3 switches is as below: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all interfaces globally. The purpose of gratuitous ARP is as below:
1.
27.3 Gratuitous ARP Configuration Example
Figure 27-1 Gratuitous ARP Configuration Example (figure: Switch with interface vlan10 192.168.15.254 255.255.255.0 and interface vlan1 192.168.14.254 255.255.255.0; PC1, PC2, PC3, PC4, PC5)
For the network topology shown in the figure above, interface VLAN10 in the switch has IP address 192.168.15.254 and network mask 255.255.255.0. Three PCs, PC3, PC4 and PC5, are connected to this interface. The IP address of interface VLAN 1 is 192.168.14.
Chapter 28 Keepalive Gateway Configuration
28.1 Introduction to Keepalive Gateway
An Ethernet port is used for backup or load balancing; because it is a broadcast channel, it may not detect the change of physical signal and may fail to go down when the gateway is down. Keepalive Gateway is introduced to detect connectivity to the upstream gateway in the case that an Ethernet port connects with an upstream gateway to form a point-to-point network topology.
show keepalive gateway [interface-name]: Show the keepalive running status of the specified interface; if no interface is specified, show the keepalive running status of all interfaces.
show ip interface [interface-name]: Show the IPv4 running status of the specified interface; if no interface is specified, show the IPv4 running status of all interfaces.
28.
Send an ARP detection once every 3 seconds to check whether gateway A is reachable; after 3 consecutive failed detections, gateway A is considered unreachable.
28.
Chapter 29 DHCP Configuration
29.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, as well as other network configuration parameters such as default gateway, DNS server, default route and host image file position within the network. DHCP is the enhanced version of BOOTP.
allocation and manual IP address binding are:
1) An IP address obtained dynamically can be different every time; a manually bound IP address will be the same all the time.
2) The lease period of an IP address obtained dynamically is the same as the lease period of the address pool, and is limited; the lease of a manually bound IP address is theoretically endless.
3) A dynamically allocated address cannot be bound manually.
dns-server [[[… ]]]; no dns-server: Configure DNS servers for DHCP clients. The no command deletes the DNS server configuration.
domain-name; no domain-name: Configure the domain name for DHCP clients; the "no domain-name" command deletes the domain name.
netbios-name-server [[[… ]]]: Configure the address for the WINS server. The no operation cancels the address for the server.
host [ | ]; no host: Specify/delete the IP address to be assigned to the specified client when binding an address manually.
client-identifier; no client-identifier: Specify/delete the unique ID of the user when binding an address manually.
client-name; no client-name: Configure/delete a client name when binding an address manually.
3.
4. On receiving DHCPREQUEST, the DHCP server responds with a DHCPACK packet via the DHCP relay to the DHCP client.
DHCP Relay Configuration Task List:
1. Enable DHCP relay.
2. Configure DHCP relay to forward DHCP broadcast packets.
1. Enable DHCP relay.
Command / Explanation
Global Mode
service dhcp; no service dhcp: DHCP server and DHCP relay are enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packets.
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0
Switch(Config-Vlan-1)#exit
Switch(config)#ip dhcp pool A
Switch(dhcp-A-config)#network 10.16.1.0 24
Switch(dhcp-A-config)#lease 3
Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#netbios-name-server 10.16.1.
Figure 29-3 DHCP Relay Configuration (figure: DHCP clients on E1/1 192.168.1.1 of the DHCP relay; E1/2 10.1.1.1 towards the DHCP server 10.1.1.10)
As shown in the above figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10 and the TFTP server address is 10.1.1.20; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.
servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function. If DHCP relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to a version that has the DHCP relay function.
Chapter 30 DHCPv6 Configuration
30.1 Introduction to DHCPv6
DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS address and domain name, to DHCPv6 clients. DHCPv6 is a conditional auto-address-configuration protocol for IPv6.
4. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with the REPLY message.
The above four steps finish a dynamic host configuration assignment process. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 broadcast packets sent by the client, and therefore no DHCPv6 packets will be sent to the client by the server.
(2) To configure the parameters of the DHCPv6 address pool
Command / Explanation
DHCPv6 address pool Configuration Mode
network-address { | } [eui-64]; no network-address: To configure the range of IPv6 addresses assignable from the address pool.
dns-server; no dns-server: To configure the DNS server address for DHCPv6 clients.
domain-name; no domain-name: To configure the DHCPv6 client domain name.
Command | Explanation
Interface Configuration Mode
ipv6 dhcp relay destination {[<ipv6-address>] [interface {<interface-name> | vlan <1-4096>}]} / no ipv6 dhcp relay destination {[<ipv6-address>] [interface {<interface-name> | vlan <1-4096>}]}: To specify the destination address to which the DHCPv6 relay forwards; the no form of this command deletes the configuration.
30.4 DHCPv6 Prefix Delegation Server Configuration
DHCPv6 prefix delegation server configuration task list as below:
1.
ipv6 dhcp pool <poolname> / no ipv6 dhcp pool <poolname>: To configure a DHCPv6 address pool.
(2) To configure the prefix delegation pool used by the DHCPv6 address pool
Command | Explanation
DHCPv6 address pool Configuration Mode
prefix-delegation pool <poolname> [lifetime {<valid-time> | infinity} {<preferred-time> | infinity}] / no prefix-delegation pool <poolname>: To specify the prefix delegation pool used by the DHCPv6 address pool, from which usable prefixes are assigned to clients.
30.5 DHCPv6 Prefix Delegation Client Configuration
DHCPv6 prefix delegation client configuration task list as below:
1. To enable/disable the DHCPv6 service
2. To enable the DHCPv6 prefix delegation client function on a port
1. To enable/disable the DHCPv6 service
Command | Explanation
Global Mode
service dhcpv6 / no service dhcpv6: To enable/disable the DHCPv6 service.
2.
Usage guide:
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
Switch2(Config
Usage guide:
Switch2 configuration
Switch2>enable
Switch2#config
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
Switch2(Config-if-Vlan2)#exit
Switch2(config)#service dhcpv6
Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
Switch2(config)#ipv6 dhcp pool dhcp-pool
Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
Switch2(dhcpv6-dhcp-pool-config)#exit
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#i
Switch1(Config-if-Vlan3)#ipv6 dhcp server foo
Switch1(Config-if-Vlan3)#ipv6 nd other-config-flag
Switch1(Config-if-Vlan3)#no ipv6 nd suppress-ra
Switch1(Config-if-Vlan3)#exit
30.
Chapter 31 DHCP option 82 Configuration
31.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. It is intended to strengthen the security of DHCP servers and to allow a finer-grained IP address assignment policy. The relay agent adds option 82 (carrying the client's physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server.
31.1.2 option 82 Working Mechanism
DHCP option 82 flow chart: DHCP Client sends DHCP Request to the DHCP Relay Agent, which forwards DHCP Request + Option 82 to the DHCP Server; the DHCP Server returns DHCP Reply + Option 82 to the Relay Agent, which forwards the DHCP Reply to the client.
If the DHCP relay agent supports option 82, the DHCP client still goes through the usual four steps to get its IP address from the DHCP server: discover, offer, select (request) and acknowledge. The DHCP protocol follows the procedure below:
1) The DHCP client broadcasts a request message while initializing.
1. Enabling DHCP option 82 on the Relay Agent
Command | Explanation
Global mode
ip dhcp relay information option / no ip dhcp relay information option: Enables the option 82 function of the switch relay agent; the no form disables it.
2.
ip dhcp relay information option remote-id {standard | <remote-id>} / no ip dhcp relay information option remote-id: Sets the content of suboption 2 (remote ID) of the option 82 added to DHCP request packets received on the interface; the no form resets the remote ID format to standard.
3. Enable DHCP option 82 on the server.
ip dhcp relay information option self-defined remote-id format [ascii | : Sets a self-defined format of the remote-id for relay option 82.
In the above example, the Layer 2 switches Switch1 and Switch2 are both connected to the Layer 3 switch Switch3. Switch3, acting as the DHCP relay agent, forwards the request messages from the DHCP clients to the DHCP server and the reply messages from the server back to the clients, completing the DHCP procedure. If DHCP option 82 is disabled, the DHCP server cannot tell whether a DHCP client is on the network connected to Switch1 or the one connected to Switch2.
    max-lease-time 86400; # 24 hours
    allow members of "Switch3Vlan2Class2";
  }
}
Now the DHCP server allocates addresses for the nodes behind Switch1 (relayed by Switch3) from the range 192.168.102.21 ~ 192.168.102.50, and for the nodes behind Switch2 from the range 192.168.102.51 ~ 192.168.102.80.
31.4 DHCP option 82 Troubleshooting
DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent.
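The relay-side handling described in this chapter, as an added example in Python that is not code from this manual or from the switch firmware. It builds the option 82 TLV a relay adds to a client's request (suboption 1 circuit ID and suboption 2 remote ID, the fields the remote-id and subscriber-id commands above configure), rejects a client packet that already carries option 82 (otherwise a client could choose its own circuit ID and land in another port's address range), strips the option from the server's reply, and selects an address range by circuit ID the way the dhcpd classes above do. The circuit ID strings, the DISCOVER option bytes and the remote ID "Switch3" are constructed for the example; the two address ranges are the ones from the example above.

```python
"""DHCP option 82 (Relay Agent Information, RFC 3046) as a relay agent
handles it: insert on the way to the server, strip on the way back, refuse
client packets that already carry it.  Added example, not switch code; the
circuit/remote ID strings and the client packet are constructed."""

OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_AGENT_INFO = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # suboption 1 / suboption 2
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5


def _tlvs(buf: bytes, bootp_framing: bool) -> dict:
    """Walk code/length/value triples.  The BOOTP options field uses PAD(0)
    and END(255); the suboptions inside option 82 do not."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if bootp_framing and code == OPT_PAD:
            i += 1
            continue
        if bootp_framing and code == OPT_END:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out


def parse_options(options: bytes) -> dict:
    """{option code: value}; the option 82 value is a {suboption: value} dict."""
    opts = _tlvs(options, True)
    if OPT_AGENT_INFO in opts:
        opts[OPT_AGENT_INFO] = _tlvs(opts[OPT_AGENT_INFO], False)
    return opts


def build_options(opts: dict) -> bytes:
    """Inverse of parse_options (insertion order kept, END appended)."""
    out = bytearray()
    for code, value in opts.items():
        if code == OPT_AGENT_INFO:
            value = b"".join(bytes([sub, len(v)]) + v for sub, v in value.items())
        if len(value) > 255:
            raise ValueError("option %d longer than 255 octets" % code)
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def relay_to_server(client_options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Client-facing side of the relay.  A client must not pick its own circuit
    ID, so a packet that already carries option 82 is rejected (RFC 3046 also
    allows replacing it; dropping is the conservative choice)."""
    opts = parse_options(client_options)
    if OPT_AGENT_INFO in opts:
        raise PermissionError("client packet already carries option 82")
    opts[OPT_AGENT_INFO] = {SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id}
    return build_options(opts)


def relay_to_client(server_options: bytes) -> bytes:
    """Server-facing side: option 82 is removed before the reply reaches the client."""
    opts = parse_options(server_options)
    opts.pop(OPT_AGENT_INFO, None)
    return build_options(opts)


def select_range(server_options: bytes, policy: dict):
    """What the dhcpd classes above do: pick the address range by the relay's
    circuit ID.  Unknown or missing circuit IDs get no range at all."""
    agent = parse_options(server_options).get(OPT_AGENT_INFO, {})
    return policy.get(agent.get(SUB_CIRCUIT_ID))


# Constructed sample data: a bare DISCOVER and the server's range policy.
CLIENT_DISCOVER = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
POLICY = {b"Switch1:Vlan2": "192.168.102.21-192.168.102.50",
          b"Switch2:Vlan2": "192.168.102.51-192.168.102.80"}


def demo() -> tuple:
    """Relay the DISCOVER, let the server choose a range, strip option 82 from the OFFER."""
    relayed = relay_to_server(CLIENT_DISCOVER, b"Switch1:Vlan2", b"Switch3")
    chosen = select_range(relayed, POLICY)
    offer = build_options({OPT_MSG_TYPE: bytes([DHCPOFFER]),
                           OPT_AGENT_INFO: parse_options(relayed)[OPT_AGENT_INFO]})
    return chosen, relay_to_client(offer)
```

The PermissionError path is the check worth keeping in mind when reading the troubleshooting section: a relay that blindly forwards a client-supplied option 82 lets an untrusted host choose which class, and so which address range, the server puts it in.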
Chapter 32 DHCPv6 option37, 38
32.1 Introduction to DHCPv6 option37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used to assign IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link from the DHCPv6 server requests an address and configuration parameters, it communicates with the server through a DHCPv6 relay agent.
ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option: Enables DHCPv6 snooping support for option 37; the no command disables it.
ipv6 dhcp snooping subscriber-id option / no ipv6 dhcp snooping subscriber-id option: Enables DHCPv6 snooping support for option 38; the no command disables it.
ipv6 dhcp snooping subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) / no ipv6 dhcp snooping subscriber-id select delimiter: Configures which fields are used to generate the subscriber-id; the no command restores the original default, i.e. the enterprise number together with VLAN and MAC.
ipv6 dhcp relay remote-id delimiter WORD / no ipv6 dhcp relay remote-id delimiter: Configures how the remote-id is generated; the no command restores the original default, i.e. the enterprise number together with VLAN and MAC.
ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) / no ipv6 dhcp relay subscriber-id select delimiter: Configures which fields are used to generate the subscriber-id.
ipv6 dhcp use class / no ipv6 dhcp use class: Enables the DHCPv6 server to use DHCPv6 classes during address assignment; the no form disables this without removing the DHCPv6 class information already configured.
ipv6 dhcp class <class-name> / no ipv6 dhcp class <class-name>: Defines a DHCPv6 class and enters DHCPv6 class mode; the no form removes the class.
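The four-step exchange from the DHCPv6 chapter and the relay options of this chapter, as an added example in Python that is not part of this manual. A client Solicit or Request is wrapped by the relay in a Relay-Forward carrying option 37 (enterprise number plus remote-id) and option 38 (subscriber-id); the server answers through a Relay-Reply and the relay unwraps it for the client. Assumptions: the subscriber-id is built from port and VLAN joined by a delimiter (the page does not say what the select fields sp/sv/pv/spv stand for, so only port and VLAN are modelled); the DUIDs, the enterprise number 10, the remote-id "Switch2" and the pool range are constructed. The trust_client_options flag models the behaviour stated in the troubleshooting section of this chapter, where the server takes option 37/38 from the client's own packet first: with it on, a client can choose its own subscriber-id, which is why it is off in this example.

```python
"""DHCPv6 (RFC 3315) Solicit/Advertise/Request/Reply through a relay agent
that adds option 37 (remote-id, RFC 4649) and option 38 (subscriber-id,
RFC 4580).  Added example, not switch code; DUIDs, enterprise number,
pool range and the subscriber-id format are assumptions."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RELAY_MSG = 1, 2, 3, 5, 9
OPT_REMOTE_ID, OPT_SUBSCRIBER_ID = 37, 38
SERVER_DUID = b"\x00\x03\x00\x01" + bytes.fromhex("00a0c9000001")   # DUID-LL, constructed


def opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def parse_opts(buf: bytes) -> dict:
    out, i = {}, 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        if i + 4 + length > len(buf):
            raise ValueError("truncated option %d" % code)
        out[code] = buf[i + 4:i + 4 + length]
        i += 4 + length
    return out


def client_message(mtype: int, txid: int, duid: bytes, iaid: int) -> bytes:
    ia_na = struct.pack("!III", iaid, 0, 0)          # IAID, T1, T2 (server chooses)
    return bytes([mtype]) + txid.to_bytes(3, "big") + opt(OPT_CLIENTID, duid) + opt(OPT_IA_NA, ia_na)


def relay_forward(client_pkt: bytes, link: str, peer: str, enterprise: int,
                  remote_id: bytes, port: str, vlan: int, delimiter: str = ":") -> bytes:
    """Relay agent: wrap the client's message and add the relay-side options."""
    subscriber = f"{port}{delimiter}{vlan}".encode()   # assumed format, see lead-in
    return (bytes([RELAY_FORW, 0])                      # msg-type, hop-count
            + ipaddress.IPv6Address(link).packed + ipaddress.IPv6Address(peer).packed
            + opt(OPT_RELAY_MSG, client_pkt)
            + opt(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)
            + opt(OPT_SUBSCRIBER_ID, subscriber))


class Server:
    """Allocates from an inclusive range like 'network-address <first> <last>'."""
    def __init__(self, first: str, last: str, trust_client_options: bool = False):
        self.first, self.last = ipaddress.IPv6Address(first), ipaddress.IPv6Address(last)
        self.trust_client_options = trust_client_options
        self.leases = {}                                  # DUID -> address

    def identify(self, relay_opts: dict, client_opts: dict) -> dict:
        """Option 37/38 are relay options; letting the client's copy win means a
        client can spoof its subscriber-id, so the relay's copy is preferred."""
        ident = {}
        for code in (OPT_REMOTE_ID, OPT_SUBSCRIBER_ID):
            if self.trust_client_options and code in client_opts:
                ident[code] = client_opts[code]
            elif code in relay_opts:
                ident[code] = relay_opts[code]
        return ident

    def handle(self, pkt: bytes) -> tuple:
        """Returns (relay-reply packet, identification used for the decision)."""
        if pkt[0] != RELAY_FORW:
            raise ValueError("only relayed messages are handled here")
        link_peer, relay_opts = pkt[2:34], parse_opts(pkt[34:])
        inner = relay_opts[OPT_RELAY_MSG]
        mtype, client_opts = inner[0], parse_opts(inner[4:])
        ident = self.identify(relay_opts, client_opts)
        duid = client_opts[OPT_CLIENTID]
        if duid not in self.leases:
            nxt = self.first + len(self.leases)
            if nxt > self.last:
                raise RuntimeError("pool exhausted")
            self.leases[duid] = nxt
        reply_type = {SOLICIT: ADVERTISE, REQUEST: REPLY}[mtype]
        iaid = struct.unpack_from("!I", client_opts[OPT_IA_NA])[0]
        iaaddr = opt(OPT_IAADDR, self.leases[duid].packed + struct.pack("!II", 1800, 3600))
        ia_na = struct.pack("!III", iaid, 900, 1440) + iaaddr
        reply = (bytes([reply_type]) + inner[1:4] + opt(OPT_SERVERID, SERVER_DUID)
                 + opt(OPT_CLIENTID, duid) + opt(OPT_IA_NA, ia_na))
        return bytes([RELAY_REPL, 0]) + link_peer + opt(OPT_RELAY_MSG, reply), ident


def relay_to_client(pkt: bytes) -> tuple:
    """Relay unwraps the server's reply; it goes out to the peer address."""
    if pkt[0] != RELAY_REPL:
        raise ValueError("expected RELAY-REPL")
    return ipaddress.IPv6Address(pkt[18:34]), parse_opts(pkt[34:])[OPT_RELAY_MSG]


def leased_address(reply: bytes) -> ipaddress.IPv6Address:
    ia_na = parse_opts(reply[4:])[OPT_IA_NA]
    return ipaddress.IPv6Address(parse_opts(ia_na[12:])[OPT_IAADDR][:16])


def run_exchange(server: Server, duid: bytes = b"\x00\x01\x00\x01AAAAAA") -> tuple:
    """Solicit/Advertise then Request/Reply for one client; returns (address, identification)."""
    link, peer, xid = "2001:da8:100:1::1", "fe80::1", 0x123456
    addr = ident = None
    for mtype in (SOLICIT, REQUEST):
        fwd = relay_forward(client_message(mtype, xid, duid, 7), link, peer,
                            enterprise=10, remote_id=b"Switch2", port="1/2", vlan=100)
        rep, ident = server.handle(fwd)
        addr = leased_address(relay_to_client(rep)[1])
    return addr, ident
```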
32.3 DHCPv6 option37, 38 Examples
32.3.1 DHCPv6 Snooping option37, 38 Example
Figure 32-1 DHCPv6 Snooping option schematic
As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to the untrusted interfaces 1/2, 1/3 and 1/4 respectively; they obtain the addresses 2010:2, 2010:3 and 2010:4 through their DHCPv6 clients. The DHCPv6 server is connected to the trusted interface 1/1.
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.
Network topology: In the access layer, the Layer 2 access device Switch1 connects the users in the dormitory; in the first-level aggregation layer, the aggregation device Switch2 is used as the DHCPv6 relay agent; in the second-level aggregation layer, the aggregation device Switch3 is used as the DHCPv6 server and connects to the backbone network or to devices in a higher aggregation layer; on the user side, the PCs generally run Windows Vista and therefore have a DHCPv6 client.
execute the add, discard or forward action. Therefore, check the snooping option 37/38 policy configuration on the second device when a wrong address, or no address at all, is obtained according to option 37/38. By default the DHCPv6 server takes option 37/38 from the client's packet; only if they are absent there does it take option 37/38 from the packet sent by the relay.
Chapter 33 DHCP Snooping Configuration
33.1 Introduction to DHCP Snooping
DHCP snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via the DHCP protocol. It prevents DHCP attacks and rogue DHCP servers by distinguishing trusted ports from untrusted ports: DHCP messages from trusted ports are forwarded without being verified, while messages from untrusted ports are verified, so a rogue server on an untrusted port cannot answer clients. In typical settings, trusted ports connect to the DHCP server or the DHCP relay agent, and untrusted ports connect to DHCP clients.
33.2 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping binding ARP function
4. Enable DHCP Snooping option 82 function
5. Set the private packet version
6. Set DES encrypted key for private packets
7. Set helper server address
8. Set trusted ports
9. Enable DHCP Snooping binding DOT1X function
10. Enable DHCP Snooping binding USER function
11. Add static list entries
12. Set defense actions
13.
Global mode
ip dhcp snooping information enable / no ip dhcp snooping information enable: Enable/disable the DHCP snooping option 82 function.
5. Set the private packet version
Command | Explanation
Global mode
ip user private packet version two / no ip user private packet version two: To configure/delete the private packet version.
Command | Explanation
Port mode
ip dhcp snooping binding user-control / no ip dhcp snooping binding user-control: Enable or disable the DHCP snooping binding user function.
11. Add static binding information
Command | Explanation
Global mode
ip dhcp snooping binding user <mac> address <ip> vlan <vid> interface (ethernet|) <ifname> / no ip dhcp snooping binding user <mac> ...: Add/delete DHCP snooping static binding list entries.
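What the trusted/untrusted split, the binding table, the binding-ARP function and static binding entries amount to at run time, as an added example in Python; this is not the switch's code. The chapter names these functions but does not spell out every check, so the policy below is the customary one for DHCP snooping and is an assumption: server messages arriving on untrusted ports are dropped, bindings are learned from server ACKs for clients seen on untrusted ports, and RELEASE/DECLINE as well as ARP on untrusted ports must match a binding. Port names, MAC addresses, IP addresses and the event sequence are constructed.

```python
"""DHCP snooping policy: trusted vs untrusted ports, a binding table learned
from server ACKs, static bindings, and ARP validated against the bindings.
Added example, not switch firmware; the checks are the customary ones."""
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    static: bool = False


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}        # client MAC -> Binding
        self.pending = {}         # client MAC -> (vlan, port) of its last request
        self.log = []

    def _drop(self, why: str) -> bool:
        self.log.append("DROP " + why)
        return False

    def add_static(self, mac, ip, vlan, port):
        """'ip dhcp snooping binding user <mac> address <ip> vlan <vid> interface ...'"""
        self.bindings[mac] = Binding(mac, ip, vlan, port, static=True)

    def dhcp(self, port, vlan, src_mac, msg_type, chaddr, yiaddr=None, ciaddr=None) -> bool:
        """Returns True if the DHCP frame is forwarded, False if dropped."""
        if port in self.trusted:
            if msg_type == ACK and chaddr in self.pending:
                cvlan, cport = self.pending.pop(chaddr)
                current = self.bindings.get(chaddr)
                if current is None or not current.static:
                    self.bindings[chaddr] = Binding(chaddr, yiaddr, cvlan, cport)
            return True
        # untrusted port from here on
        if msg_type in SERVER_MSGS:
            return self._drop(f"server message {msg_type} on untrusted {port} (rogue server)")
        if chaddr != src_mac:
            return self._drop(f"chaddr {chaddr} != source MAC {src_mac} on {port}")
        if msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(chaddr)
            if b is None or b.port != port or b.vlan != vlan or b.ip != ciaddr:
                return self._drop(f"message {msg_type} for {ciaddr} does not match a binding on {port}")
            if not b.static:
                del self.bindings[chaddr]
            return True
        self.pending[chaddr] = (vlan, port)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip) -> bool:
        """Binding-ARP check: on untrusted ports the sender pair must match a binding."""
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac)
        if b is None or b.ip != sender_ip or b.vlan != vlan or b.port != port:
            return self._drop(f"ARP {sender_ip}/{sender_mac} on {port} has no matching binding")
        return True


def demo() -> tuple:
    """Constructed sequence: a real lease, a rogue server, ARP spoofing and a forged RELEASE."""
    sw = DhcpSnooping(trusted_ports={"1/24"})
    good, evil, server = "00:aa:aa:aa:aa:aa", "00:bb:bb:bb:bb:bb", "00:cc:cc:cc:cc:cc"
    results = [
        sw.dhcp("1/1", 1, good, DISCOVER, good),                          # client asks
        sw.dhcp("1/2", 1, evil, OFFER, good, yiaddr="1.1.1.66"),          # rogue server answers
        sw.dhcp("1/24", 1, server, ACK, good, yiaddr="1.1.1.10"),        # real server, trusted port
        sw.arp("1/1", 1, good, "1.1.1.10"),                              # matches the binding
        sw.arp("1/2", 1, evil, "1.1.1.1"),                               # claims the gateway
        sw.dhcp("1/2", 1, evil, RELEASE, good, ciaddr="1.1.1.10"),        # chaddr != source MAC
        sw.dhcp("1/2", 1, good, RELEASE, good, ciaddr="1.1.1.10"),        # right MAC, wrong port
    ]
    return results, sw
```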
Command | Explanation
Global mode
ip dhcp snooping information option subscriber-id format {hex | ascii | vs-hp}: This command sets the subscriber-id format of DHCP snooping option 82.
ip dhcp snooping information option remote-id {standard | <remote-id>}: Sets the content of suboption 2 (remote ID) of the option 82 added to DHCP request packets received on the port.
ip dhcp snooping information option subscriber-id {standard | <subscriber-id>} / no ip dhcp snooping information option subscriber-id: Sets the content of suboption 1 (circuit ID) of the option 82 added to DHCP request packets received on the port; the no command sets the suboption 1 (circuit ID) format of option 82 to standard.
33.3 DHCP Snooping Typical Application
Figure 33-1 Sketch Map of TRUNK
As shown in the figure above, the Mac-AA device is a normal user connected to the untrusted port 1/1 of the switch. It obtains its address via DHCP client, IP 1.1.1.
33.4 DHCP Snooping Troubleshooting Help 33.4.1 Monitor and Debug Information The “debug ip dhcp snooping” command can be used to monitor the debug information. 33.4.
The “debug ipv6 dhcp snooping” command can be used to monitor the debug information.
33.6.2 DHCPv6 Snooping Troubleshooting Help
If a problem occurs when using the DHCPv6 snooping function, check whether it is caused by one of the following: check whether DHCPv6 snooping is enabled globally; if a DHCP client does not obtain an address when DHCPv6 snooping is configured, check whether the port connected to the DHCPv6 server/relay is set as a trusted port.
Chapter 34 Routing Protocol Overview
To communicate with a remote host over the Internet, a host must choose a proper route via a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate routes with their CPU; the difference is that a Layer 3 switch installs the calculated routes into the switch chip and forwards by the chip at wire speed, while a router stores the calculated routes in its route table or route cache and forwards with the CPU.
Destination address: identifies the destination address or destination network of an IP packet.
Network mask: used together with the destination address to identify the destination host or the network in which the Layer 3 switch resides. A network mask consists of a run of consecutive binary 1's followed by 0's and is usually written in dotted decimal, e.g. 255.255.255.0.
To apply a routing policy, the characteristics of the routing messages that the policy applies to are defined first, i.e. a group of matching rules. They can be configured on different properties of the routing messages, such as the destination address or the address of the router publishing the messages. The matching rules are configured in advance and then applied in the route publishing, receiving and distributing policies.
autonomous system path field. For the relevant as-path configuration, refer to the ip as-path command in the BGP configuration.
5. community-list
A community-list is only used by BGP. BGP routing messages carry a community attribute field that identifies a community; the community list specifies matching conditions for that field. For the relevant community-list configuration, refer to the community-list commands in the BGP configuration.
34.2.
match community <community-list-num | community-list-name> [exact-match] / no match community [<community-list-num | community-list-name> [exact-match]]: Match a community-list; the no form deletes the match condition.
match interface <interface-name> / no match interface [<interface-name>]: Match by interface; the no form deletes the match condition.
set aggregator as <as-number> <ip-address> / no set aggregator as [<as-number> <ip-address>]: Assign an AS number and address for the BGP aggregator; the no form deletes the configuration.
set as-path prepend: Add a specified AS No.
set tag <tag-value> / no set tag [<tag-value>]: Set the OSPF routing tag value; the no form deletes the configuration.
set vpnv4 next-hop <ip-address> / no set vpnv4 next-hop [<ip-address>]: Set the BGP VPNv4 next-hop address; the no form deletes the configuration.
set weight <weight_val> / no set weight [<weight_val>]: Set the BGP routing weight; the no form deletes the configuration.
4.
Figure 34-1 Policy routing configuration (SwitchA, SwitchB, SwitchC and SwitchD across AS1, AS2 and AS3)
Configuration procedure (only SwitchA is listed; the configuration of the other switches is omitted):
The configuration of Layer 3 SwitchA:
SwitchA#config
SwitchA(config)#router bgp 1
SwitchA(config-router)#network 192.68.11.0 mask 255.255.255.
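How a route-map built from match and set clauses like the ones in the tables above is evaluated, as an added example in Python; this is not code from the switch. Clauses are tried in sequence order, the first clause whose match conditions all hold decides, permit applies its set clauses, deny discards the route, and a route that matches no clause is discarded. Those first-match and implicit-deny semantics are the standard ones for route-maps and are assumed here, as is the treatment of "_" in an as-path regex as an AS-number boundary; the prefix lists, AS paths and community values are constructed for the example.

```python
"""Route-map evaluation: ordered clauses of match conditions (prefix-list,
as-path regex, community-list, interface) and set actions.  Added example,
not switch code; standard first-match / implicit-deny semantics assumed."""
import ipaddress
import re
from dataclasses import dataclass, field, replace


@dataclass
class Route:
    prefix: str
    as_path: tuple = ()
    communities: frozenset = frozenset()
    interface: str = ""
    local_pref: int = 100
    weight: int = 0
    tag: int = 0


@dataclass
class Clause:
    seq: int
    action: str                                      # "permit" or "deny"
    prefix_list: list = field(default_factory=list)  # [(network, ge, le)]
    as_path_re: str = None                           # as-path access-list regex
    community: frozenset = None                      # community-list
    exact_match: bool = False
    interface: str = None
    sets: dict = field(default_factory=dict)         # {"local-pref": 200, ...}


def match_prefix_list(prefix: str, entries) -> bool:
    net = ipaddress.ip_network(prefix)
    for entry, ge, le in entries:
        cover = ipaddress.ip_network(entry)
        lo, hi = ge or cover.prefixlen, le or net.max_prefixlen
        if net.subnet_of(cover) and lo <= net.prefixlen <= hi:
            return True
    return False


def match_as_path(as_path, pattern: str) -> bool:
    """'_' in an as-path regex matches a boundary between AS numbers."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(pattern.replace("_", "(^| |$)"), text) is not None


def match_clause(route: Route, c: Clause) -> bool:
    if c.prefix_list and not match_prefix_list(route.prefix, c.prefix_list):
        return False
    if c.as_path_re is not None and not match_as_path(route.as_path, c.as_path_re):
        return False
    if c.community is not None:
        ok = route.communities == c.community if c.exact_match else c.community <= route.communities
        if not ok:
            return False
    if c.interface is not None and route.interface != c.interface:
        return False
    return True


def apply_route_map(route: Route, clauses):
    """Returns the (possibly modified) route, or None if the route-map rejects it."""
    for c in sorted(clauses, key=lambda x: x.seq):
        if not match_clause(route, c):
            continue
        if c.action == "deny":
            return None
        out = replace(route)
        for key, value in c.sets.items():
            if key == "as-path prepend":
                out.as_path = tuple(value) + out.as_path
            else:
                setattr(out, key.replace("-", "_"), value)
        return out
    return None          # implicit deny at the end of every route-map


# Constructed policy: refuse anything in 10.0.0.0/8 longer than /24, prefer
# routes learned from AS 2 that carry community 1:100, prepend on paths ending
# in AS 3, pass everything else unchanged.
POLICY = [
    Clause(10, "deny", prefix_list=[("10.0.0.0/8", 25, 32)]),
    Clause(20, "permit", as_path_re="^2_", community=frozenset({"1:100"}),
           sets={"local-pref": 200, "tag": 7}),
    Clause(30, "permit", as_path_re="_3$", sets={"as-path prepend": (1, 1)}),
    Clause(40, "permit"),
]


def demo() -> list:
    return [apply_route_map(r, POLICY) for r in (
        Route("10.1.1.0/26", (2,)),                                          # seq 10 denies
        Route("192.68.10.0/24", (2, 3), frozenset({"1:100", "1:200"})),      # seq 20
        Route("172.16.20.0/24", (4, 3)),                                     # seq 30
        Route("192.68.5.0/24", (5,)))]                                       # seq 40
```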
Chapter 35 Static Route
35.1 Introduction to Static Route
As mentioned earlier, a static route is a manually specified path to a network or host. Static routes are simple and consistent; because they are not learned from neighbors they cannot be altered by forged or erroneous routing updates, and they are convenient for load balancing and route backup. However, they also have their own defects.
2. VRF configuration
Command | Explanation
Global mode
ip route vrf <vrf-name> {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <interface>} [<distance>] / no ip route vrf <vrf-name> {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <interface>] [<distance>]: Configure a static route in the VRF; the no command deletes the static route.
35.
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
(the next hop is the peer's IP address)
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of Layer 3 SwitchB
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
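Longest-prefix-match over the static routes of the example above, as an added example in Python; this is not the switch's forwarding code. It also enforces the rule from the routing overview that a network mask must be a contiguous run of 1 bits, and prefers the lower administrative distance when two routes to the same prefix exist. The routes are the ones configured above; the floating backup route with distance 200 and the bad mask are added for illustration.

```python
"""Static route table with longest-prefix-match lookup and the contiguous-mask
rule.  Added example, not switch code; routes are from the example above plus
a floating backup route."""
import ipaddress


def mask_to_prefixlen(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks such as 255.255.0.255."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask %s is not a contiguous run of 1 bits" % mask)
    return ones


class StaticRouteTable:
    def __init__(self):
        self.routes = []          # (network, next_hop, administrative distance)

    def add(self, dest: str, mask_or_len, next_hop: str, distance: int = 1):
        """'ip route <dest> <mask> <next-hop> [<distance>]'; mask may also be a prefix length."""
        plen = mask_or_len if isinstance(mask_or_len, int) else mask_to_prefixlen(mask_or_len)
        net = ipaddress.ip_network("%s/%d" % (dest, plen), strict=False)
        self.routes.append((net, ipaddress.ip_address(next_hop), distance))

    def lookup(self, dst: str):
        """Longest prefix wins; among equal prefixes the lowest distance wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, dist in self.routes:
            if addr in net and (best is None or (net.prefixlen, -dist) > (best[0].prefixlen, -best[2])):
                best = (net, nh, dist)
        return None if best is None else (str(best[0]), str(best[1]))


def build_example() -> StaticRouteTable:
    """The routes from the example above, plus a floating backup for 10.1.4.0/24."""
    t = StaticRouteTable()
    t.add("10.1.1.0", "255.255.255.0", "10.1.2.1")
    t.add("10.1.4.0", "255.255.255.0", "10.1.3.1")
    t.add("10.1.4.0", "255.255.255.0", "10.1.3.9", distance=200)
    t.add("0.0.0.0", "0.0.0.0", "10.1.3.2")                 # default route
    return t
```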
Chapter 36 RIP
36.1 Introduction to RIP
RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices:
• The number of hops to reach the destination network, i.e. the metric, or the number of networks to pass through.
(simple plaintext password and MD5 password authentication are supported), and supports variable length subnet masks. RIP-II uses some of the fields that RIP-I required to be zero and no longer requires them to be verified as zero. The switch sends RIP-II packets as multicast by default; both RIP-I and RIP-II packets are accepted. Note that the simple password is carried in clear text in every RIP packet, so it only prevents accidental peering; use MD5 authentication where updates cross a segment that untrusted hosts can reach. Each Layer 3 switch running RIP has a route database, which contains all route entries for reachable destinations, and the route table is built from this database.
4) Configure and apply route filters
5) Configure split horizon
(3) Configure other RIP protocol parameters
1) Configure the administrative distance of RIP routes
2) Configure the RIP route capacity limit in the route table
3) Configure the RIP update, timeout, holddown and other timers
4) Configure the receive buffer size of the RIP UDP socket
3.
Command | Explanation
Router Configuration Mode
neighbor <ip-address> / no neighbor <ip-address>: Specify a neighbor router that needs unicast (point-to-point) transmission of RIP packets; the no form cancels the appointed router.
passive-interface <interface> / no passive-interface <interface>: Block the RIP broadcast on the specified port, so RIP packets are only exchanged with Layer 3 switches configured with neighbor; the no form cancels the function.
ip rip authentication key-chain <name> / no ip rip authentication key-chain [<name>]: Sets the key chain used in authentication; the no form means the key chain is not used.
ip rip authentication cisco-compatible / no ip rip authentication cisco-compatible: After configuring this command together with key-chain MD5 authentication, RIP packets from Cisco devices can be received; the no form restores the default configuration.
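The difference between the two RIP-II authentication modes on the wire, as an added example in Python that is not code from the switch: a simple-password entry carries the password in clear text, while keyed MD5 per RFC 2082 carries a key ID, a sequence number and a digest computed with the key. A receiver verifies against a key chain (key ID to key), rejects a tampered route entry and rejects a replayed message with a lower sequence number. The routes, the key and the key ID are constructed. The field layout follows RFC 2082; how the packet-length field in the authentication header is measured is the one detail to confirm against a capture before relying on this for interoperability with a real peer.

```python
"""RIP-2 simple-password vs keyed-MD5 (RFC 2082) authentication, build and
verify side.  Added example, not switch code; routes, key and key ID are
constructed.  The packet-length field semantics below follow RFC 2082 and
should be confirmed against a real peer's capture."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI, AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 0xFFFF, 2, 3, 1


def rte(prefix: str, next_hop: str = "0.0.0.0", metric: int = 1, tag: int = 0) -> bytes:
    """One 20-octet RIP-2 route entry: AFI 2, tag, address, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def simple_auth_packet(password: bytes, routes) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password)   # zero-padded, in clear
    return header + auth + b"".join(routes)


def md5_auth_packet(key_id: int, key: bytes, seq: int, routes) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    packet_len = 20 + len(body)   # auth header + RTEs, measured after the 4-octet RIP header
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, packet_len, key_id, 16, seq)
    trailer = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
    unsigned = header + auth + body + trailer
    # The key (padded to 16 octets) stands in for the digest while hashing.
    digest = hashlib.md5(unsigned + key.ljust(16, b"\x00")[:16]).digest()
    return unsigned + digest


class Receiver:
    """Verifies keyed-MD5 packets against a key chain and rejects replays."""
    def __init__(self, key_chain: dict):
        self.keys = key_chain             # key ID -> key
        self.last_seq = {}                # neighbour -> last accepted sequence number

    def verify(self, neighbour: str, packet: bytes) -> bool:
        if len(packet) < 44 or struct.unpack_from("!HH", packet, 4) != (AUTH_AFI, AUTH_MD5):
            return False
        _, _, packet_len, key_id, data_len, seq = struct.unpack_from("!HHHBBI", packet, 4)
        trailer_at = 4 + packet_len
        if data_len != 16 or trailer_at + 20 != len(packet):
            return False
        if struct.unpack_from("!HH", packet, trailer_at) != (AUTH_AFI, AUTH_TRAILER):
            return False
        key = self.keys.get(key_id)
        if key is None:
            return False
        expected = hashlib.md5(packet[:trailer_at + 4] + key.ljust(16, b"\x00")[:16]).digest()
        if not hmac.compare_digest(expected, packet[trailer_at + 4:]):
            return False
        if seq < self.last_seq.get(neighbour, 0):      # RFC 2082: sequence must not decrease
            return False
        self.last_seq[neighbour] = seq
        return True


def demo() -> dict:
    routes = [rte("10.1.1.0/24"), rte("20.1.1.0/24", metric=2)]
    plain = simple_auth_packet(b"secret", routes)
    signed = md5_auth_packet(1, b"secret", 100, routes)
    rx = Receiver({1: b"secret"})
    tampered = bytearray(signed)
    tampered[-21] = 16                    # last octet of the final metric -> 16 (unreachable)
    return {
        "password_visible": b"secret" in plain,
        "key_visible": b"secret" in signed,
        "valid": rx.verify("10.1.1.2", signed),
        "tampered": rx.verify("10.1.1.2", bytes(tampered)),
        "replayed": rx.verify("10.1.1.2", md5_auth_packet(1, b"secret", 99, routes)),
    }
```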
distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in | out} [<interface>] / no distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in | out} [<interface>]: Configure and apply the access list or prefix list as a route filter; the no command means the access list or prefix list is no longer applied.
version {1 | 2} / no version: Configure the version of all RIP packets sent/received by the Layer 3 switch; the no version command restores the default configuration, version 2.
(2) Configure the RIP version to send/receive on all ports.
Command | Explanation
Interface Configuration Mode
ip rip aggregate-address A.B.C.D/M / no ip rip aggregate-address A.B.C.D/M: To configure or delete an IPv4 aggregate route on the interface.
(3) Display IPv4 aggregation route information
Command | Explanation
Admin Mode and Configuration Mode
show ip rip aggregate: To display aggregation route information.
6.
exit-address-family: This command exits the address family mode.
36.3 RIP Examples
36.3.1 Typical RIP Examples
Figure 36-1 RIP example (SwitchA interface vlan1 10.1.1.1/24 and vlan2 20.1.1.1/24; SwitchB interface vlan1 10.1.1.2/24; SwitchC interface vlan1 20.1.1.2/24)
In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA is connected with SwitchB and SwitchC, and the RIP routing protocol is running on all three switches. SwitchA (interface vlan1:10.1.1.
Configure interface vlan 2 not to transmit RIP messages to SwitchC
SwitchA(config)#router rip
SwitchA(config-router)#passive-interface vlan 2
SwitchA(config-router)#exit
SwitchA(config)#
b) Layer 3 SwitchB
Configure the IP address of interface vlan 1
SwitchB#config
SwitchB(config)# interface vlan 1
SwitchB(Config-if-Vlan1)# ip address 10.1.1.2 255.255.255.
Figure 36-2 Typical application of RIP aggregation (S1 vlan1 192.168.10.1; S2 vlan1 192.168.10.2 with the subnets 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24 behind it, aggregated as 192.168.20.0/22)
In the network topology above, S2 is connected to S1 through interface vlan1, and four other subnets lie behind S2: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24. S2 supports route aggregation. Note that 192.168.20.0/22 covers only 192.168.20.0 through 192.168.23.255, so 192.168.24.0/24 is not contained in that summary; an aggregate must be chosen so that it actually contains every member subnet. To configure the aggregate route 192.168.20.
sending route update messages to all neighboring Layer 3 switches every 30 seconds. A Layer 3 switch is considered unreachable if no route update message from it is received within 180 seconds; the route to it then remains in the route table for a further 120 seconds before it is deleted. Therefore a RIP route whose source has gone silent is guaranteed to be removed from the route table after 300 seconds.
Chapter 37 RIPng
37.1 Introduction to RIPng
RIPng is the IPv6 extension of RIP, the protocol first introduced in ARPANET and dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices:
• The number of hops to reach the destination network, i.e. the metric, or the number of networks to pass through.
destination, and the route table is built from this database. When a RIPng Layer 3 switch sends route update packets to its neighbors, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each Layer 3 switch is quite large, degrading network performance. Besides the above, the RIPng protocol allows IPv6 route information discovered by other routing protocols to be introduced into the route table.
3. Configure other RIPng parameters
(1) Configure the timers for RIPng update, timeout and hold-down
4. Delete the specified route from the RIPng route table
5. Configure RIPng route aggregation
6.
1) Configure route introduction (default route metric, routes of other protocols to be introduced into RIPng)
Command | Explanation
Router configuration mode
default-metric <value> / no default-metric: Configure the default metric of redistributed routes; the no default-metric command restores the default configuration.
1.
4) Configure split horizon
Command | Explanation
Interface configuration mode
IPv6 rip split-horizon [poisoned] / no IPv6 rip split-horizon: Apply split horizon when the port sends RIPng packets; poisoned means with poison reverse. The no form cancels split horizon.
3.
ipv6 rip aggregate-address X:X::X:X/M / no ipv6 rip aggregate-address X:X::X:X/M: To configure or delete an IPv6 aggregate route on the interface.
(3) Display IPv6 aggregation route information
Command | Explanation
Admin Mode and Configuration Mode
show ipv6 rip aggregate: To display IPv6 aggregation route information, such as the aggregation interface, metric, number of aggregated routes and times of aggregation.
6.
37.3 RIPng Configuration Examples
37.3.1 Typical RIPng Examples
Figure 37-1 RIPng Example (SwitchA interface VLAN1 2000:1:1::1/64 and VLAN2 2001:1:1::1/64; SwitchC interface VLAN1 2000:1:1::2/64; SwitchB interface VLAN1 2001:1:1::2/64)
As shown in the figure above, a network consists of three Layer 3 switches. SwitchA connects to SwitchC through its interface vlan1 (2000:1:1::/64) and to SwitchB through its interface vlan2 (2001:1:1::/64). All three switches are running RIPng.
SwitchA(config-router)#passive-interface Vlan1
SwitchA(config-router)#exit
Layer 3 SwitchB
Enable RIPng protocol
SwitchB(config)#router IPv6 rip
SwitchB(config-router-rip)#exit
Configure the IPv6 address of interface vlan1 and enable RIPng on it
SwitchB#config
SwitchB(config)# interface Vlan1
SwitchB(config-if)# IPv6 address 2001:1:1::2/64
SwitchB(config-if)#IPv6 router rip
SwitchB(config-if)#exit
Layer 3 SwitchC
Enable RIPng protocol
SwitchC(config)#router IPv6 rip
SwitchC(config-router-rip)#e
Figure 37-2 Typical application of RIPng aggregation (S1 VLAN1 2001:1::1:1; S2 VLAN1 2001:1::1:2 with the subnets 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112 behind it, aggregated as 2001:1::20:0/110)
In the network topology above, S2 is connected to S1 through interface vlan1, and four other subnets lie behind S2: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112.
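A check to run before advertising a summary like the ones in this RIPng aggregation example and the RIP aggregation example in the previous chapter, as an added example in Python that is not code from the switch. It computes the smallest supernet that contains all member subnets, lists the address space the summary claims that no member actually covers (traffic for that space is attracted by the summary and then dropped, or looped, at the aggregating switch), and lists members that fall outside the summary. The subnets are those of the two aggregation figures; the IPv4 case shows that 192.168.20.0/22 leaves 192.168.24.0/24 outside and claims 192.168.20.0/24 that nobody serves.

```python
"""Summary-route sanity check for RIP/RIPng aggregation: smallest covering
supernet, space over-claimed by a summary, members left outside it.
Added example, not switch code; subnets taken from the two figures."""
import ipaddress
from functools import reduce


def smallest_supernet(prefixes):
    """The smallest single prefix that contains every member."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def common(a, b):
        while not b.subnet_of(a):
            a = a.supernet()
        return a
    return reduce(common, nets)


def uncovered(summary: str, prefixes) -> tuple:
    """(holes, outside): holes are parts of the summary no member covers,
    outside are members the summary does not contain at all."""
    summ = ipaddress.ip_network(summary)
    members = [ipaddress.ip_network(p) for p in prefixes]
    outside = [str(m) for m in members if not m.subnet_of(summ)]
    holes = [summ]
    for m in members:
        if not m.subnet_of(summ):
            continue
        remaining = []
        for piece in holes:
            if piece.subnet_of(m):
                continue                               # piece fully served by this member
            if m.subnet_of(piece):
                remaining.extend(piece.address_exclude(m))
            else:
                remaining.append(piece)
        holes = remaining
    return [str(h) for h in sorted(ipaddress.collapse_addresses(holes))], outside


# Subnets from Figure 36-2 (RIP) and Figure 37-2 (RIPng).
RIP_FIGURE = ["192.168.21.0/24", "192.168.22.0/24", "192.168.23.0/24", "192.168.24.0/24"]
RIPNG_FIGURE = ["2001:1::20:0/112", "2001:1::21:0/112", "2001:1::22:0/112", "2001:1::23:0/112"]


def demo() -> dict:
    return {
        "ipv4_smallest": str(smallest_supernet(RIP_FIGURE)),
        "ipv4_22": uncovered("192.168.20.0/22", RIP_FIGURE),
        "ipv6_smallest": str(smallest_supernet(RIPNG_FIGURE)),
        "ipv6_110": uncovered("2001:1::20:0/110", RIPNG_FIGURE),
    }
```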
route update messages every 30 seconds. A Layer 3 switch is considered unreachable if no route update message from it is received within 180 seconds; the route to it then remains in the route table for a further 120 seconds before it is deleted. Therefore a RIPng route whose source has gone silent is guaranteed to be removed from the route table after 300 seconds.
Chapter 38 OSPF
38.1 Introduction to OSPF
OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among Layer 3 switches and then runs the Shortest Path First algorithm on that database to generate the route table. An autonomous system (AS) is a self-managed interconnected network.
One major advantage of link-state routing protocols is that count-to-infinity cannot occur, because of the way link-state protocols build their routing tables. The second advantage is that a link-state network converges very fast: once the topology changes, updates are flooded throughout the network almost immediately. These advantages free some Layer 3 switch resources, since little processing capacity and bandwidth are spent on bad route information.
In summary, LSAs are only exchanged between neighboring Layer 3 switches. The OSPF protocol includes five types of LSA: router LSA, network LSA, network summary LSA (advertised into other areas), ASBR summary LSA and AS external LSA, also called type 1, type 2, type 3, type 4 and type 5 LSA respectively.
38.2 OSPF Configuration Task List
The OSPF configuration of the XGS3 series switches may differ from the configuration procedure of switches from other manufacturers. It is a two-step process: 1. enable OSPF in Global Mode; 2. configure the OSPF area for the interfaces. The configuration task list is as follows:
1.
2.
[no] router ospf [process <process-id>]: Enables the OSPF protocol; the “no router ospf” command disables it. (required)
OSPF Protocol Configuration Mode
router-id <router-id> / no router-id: Configures the ID of the Layer 3 switch running OSPF; the “no router id” command cancels it. When no router ID is configured, the IP address of one of the interfaces is selected as the Layer 3 switch ID.
Command Explanation Interface Configuration Mode ip ospf hello-interval
Admin Mode or Configure Mode
show ip ospf [<process-id>] redistribute: Display the configuration information of the OSPF process importing routes from other sources.
3) Debug
Command | Explanation
debug ospf redistribute message send / no debug ospf redistribute message send: Enable or disable debugging of the messages sent when this OSPF process redistributes routes to another OSPF process.
4) Configure the priority of the interface when electing the designated Layer 3 switch (DR).
Command | Explanation
Interface Configuration Mode
ip ospf priority <priority> / no ip ospf priority: Sets the priority of the interface in the designated Layer 3 switch election; the no ip ospf priority command restores the default setting.
Figure 38-1 Network topology of an OSPF autonomous system (SwitchA, SwitchD and SwitchE in Area 0; SwitchB and SwitchC in Area 1; links 100.1.1.0, 30.1.1.0, 10.1.1.0 and 20.1.1.0)
The configuration for Layer 3 Switch1 and Switch5 is shown below:
Layer 3 Switch1
Configuration of the IP address for interface vlan1
Switch1#config
Switch1(config)# interface vlan 1
Switch1(config-if-vlan1)# ip address 10.
Switch2(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0
Switch2(config-if-vlan1)#no shutdown
Switch2(config-if-vlan1)#exit
Switch2(config)# interface vlan 3
Switch2(config-if-vlan3)# ip address 20.1.1.1 255.255.255.0
Switch2(config-if-vlan3)#no shutdown
Switch2(config-if-vlan3)#exit
Enable OSPF protocol, configure the OSPF area for interfaces vlan1 and vlan3
Switch2(config)#router ospf
Switch2(config-router)# network 10.1.1.0/24 area 0
Switch2(config-router)# network 20.1.1.
Switch4(config)#exit
Switch4#
Layer 3 Switch5:
Configuration of the IP address for interface vlan2
Switch5#config
Switch5(config)# interface vlan 2
Switch5(config-if-vlan2)# ip address 100.1.1.2 255.255.255.0
Switch5(config-if-vlan2)#no shutdown
Switch5(config-if-vlan2)#exit
Configuration of the IP address for interface vlan3
Switch5(config)# interface vlan 3
Switch5(config-if-vlan3)# ip address 30.1.1.1 255.255.255.
Figure 38-2 Typical complex OSPF autonomous system (Areas 0 to 3, SwitchA to SwitchL, networks N1 to N15)
This scenario is a typical complex OSPF autonomous system network topology.
SwitchB interface VLAN2 is 10.1.1.2, IP address of layer3 SwitchC interface VLAN2 is 10.1.1.3, IP address of layer3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA is connecting to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB is connecting to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.1); SwitchC is connecting to network N4 through Ethernet interface VLAN3 (IP address 20.1.3.1). All the three addresses belong to area 1.
SwitchB(config)# interface vlan 2
SwitchB(config-If-Vlan2)# ip address 10.1.1.2 255.255.255.0
SwitchB(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2.
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 1
SwitchB(config-router)#exit
SwitchB(config)#interface vlan 2
Configure simple key authentication. (The simple key is carried in clear text in every OSPF packet on the interface; it prevents accidental adjacencies but not deliberate ones by anyone who can capture traffic on the segment.)
SwitchC(config-If-Vlan2)#exit
Configure IP address and area number for interface vlan3
SwitchC(config)# interface vlan 3
SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0
SwitchC(config-If-Vlan3)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.3.0/24 area 1
SwitchC(config-router)#exit
Configure IP address and area number for interface vlan 1
SwitchC(config)# interface vlan 1
SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.
SwitchD(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchD(config-If-Vlan2)#exit
Configure the IP address and the area number for interface vlan 1
SwitchD(config)# interface vlan 1
SwitchD(config-If-Vlan1)# ip address 10.1.6.1 255.255.255.0
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.6.
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#router ospf 10
Switch(config-router)#network 2.2.2.0/24 area 1
Switch(config-router)#exit
Switch(config)#router ospf 20
Switch(config-router)#network 1.1.1.0/24 area 1
Switch(config-router)#redistribute ospf 10
Switch(config-router)#exit
38.3.
Associate vlan 1 and vlan 2 with vpnb and vpnc respectively while configuring their IP addresses
SwitchA(config)#in vlan1
SwitchA(config-if-Vlan1)#ip vrf forwarding vpnb
SwitchA(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#exit
SwitchA(config)#in vlan2
SwitchA(config-if-Vlan2)#ip vrf forwarding vpnc
SwitchA(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.
SwitchC(config-router)#exit
38.4 OSPF Troubleshooting
The OSPF protocol may not work properly because of errors such as a faulty physical connection or a configuration error made while configuring and using the OSPF protocol.
Chapter 39 OSPFv3
39.1 Introduction to OSPFv3
OSPFv3 (Open Shortest Path First version 3) is the third version of Open Shortest Path First and the IPv6 version of the OSPF protocol. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among Layer 3 switches and then runs the Shortest Path First algorithm on that database to generate the route table.
be flooded throughout the network quickly. These advantages free up layer 3 switch resources, since the processing capacity and bandwidth consumed by bad route information are minor. The features of the OSPFv3 protocol include the following: OSPFv3 supports networks of various scales; several hundred layer 3 switches can be supported in one OSPFv3 network. Routing topology changes are detected quickly and updated LSAs are sent immediately, so routes converge quickly.
In short, LSAs are only exchanged between neighboring layer 3 switches, and the OSPFv3 protocol defines seven kinds of LSA: link LSA, intra-area prefix LSA, router LSA, network LSA, inter-area prefix LSA, inter-area router LSA and AS-external LSA.
39.2 OSPFv3 Configuration Task List
OSPFv3 Configuration Task List:
Configure the router ID for the OSPFv3 process (required).
router-id / no router-id: the no router-id command returns the router ID to 0.0.0.0.
Configure an interface that receives OSPFv3 packets without sending them.
[no] passive-interface: the no passive-interface command cancels the configuration.
Interface Configuration Mode
Implement OSPFv3 routing on the interface.
IPv6 ospf transit-delay [instance-id] / no IPv6 ospf transit-delay [instance-id]: Sets the delay time before sending link-state broadcasts; the no command restores the default setting.
IPv6 ospf retransmit .
Command Explanation
Admin Mode
debug ipv6 ospf redistribute message send / no debug ipv6 ospf redistribute message send: Enable or disable debugging of redistributed routing messages sent from the OSPFv3 process to other OSPFv3 processes.
debug ipv6 ospf redistribute route receive / no debug ipv6 ospf redistribute route receive: Enable or disable debugging of routing messages received from NSM for the OSPFv3 process.
no router IPv6 ospf []: Disable the OSPFv3 routing protocol.
39.3 OSPFv3 Examples
Example 1: OSPF autonomous system.
This scenario takes an OSPF autonomous system consisting of five switches as an example.
SwitchA(config-if-vlan2)#IPv6 router ospf area 0
SwitchA(config-if-vlan2)#exit
SwitchA(config)#exit
SwitchA#
Layer 3 SwitchB:
Enable the OSPFv3 protocol and configure the router ID
SwitchB(config)#router IPv6 ospf
SwitchB(config-router)#router-id 192.168.2.
Configure the interface vlan 3 IPv6 address and the OSPFv3 area it belongs to
SwitchD#config
SwitchD(config)#interface vlan 3
SwitchD(config-if-vlan3)#IPv6 address 2030:1:1::2/64
SwitchD(config-if-vlan3)#IPv6 router ospf area 0
SwitchD(config-if-vlan3)#exit
SwitchD(config)#exit
SwitchD#
Layer 3 SwitchE:
Start the OSPFv3 protocol and configure the router ID
SwitchE(config)#router IPv6 ospf
SwitchE(config-router)#router-id 192.168.2.
switch is one in which part of the layer 3 switch's interfaces belong to area 0 and another part belong to an area other than area 0; on multi-access networks such as broadcast networks, the layer 3 switches must elect and appoint a DR; and no OSPFv3 process may be configured with the router ID 0.0.0.0.
Chapter 40 BGP
40.1 Introduction to BGP
BGP stands for Border Gateway Protocol. It is a dynamic inter-autonomous-system routing protocol. Its basic function is to exchange routing information automatically without loops. By exchanging reachability information that carries the AS-path attribute (the sequence of AS numbers a route has passed through), BGP can build a map of the autonomous system topology, eliminate routing loops and implement the policies configured by users.
connection to exchange routing information. The operation of the BGP protocol is message driven, and the messages can be divided into four kinds: Open message: the first message sent after a TCP connection is established. It is used to create the BGP connection relationship between BGP peers. Some parameters in the Open message are used to negotiate whether a connection can be established between the peers. Keepalive message: the message that checks connection availability.
switches are in the same AS, they can be neighbors of each other. Because BGP cannot discover routes by itself, the routing tables of the other interior routing protocols (such as static routes, direct routes, OSPF and RIP) must contain the neighbor IP addresses; these routes are used to exchange information between BGP speakers. To avoid routing loops, when a BGP speaker receives a route advertisement from an interior neighbor, it does not advertise this route to other interior neighbors.
40.2 BGP Configuration Task List
The BGP configuration tasks include basic and advanced tasks.
no router bgp" command disables the BGP process.
Router configuration mode
bgp asnotation asdot / no bgp asnotation asdot: Show AS numbers and match regular expressions using the ASDOT notation. The no command cancels this notation.
network / no network: Set the network that BGP will announce; the no network command cancels the network that will be announced.
BGP configuration mode
neighbor { | } soft-reconfiguration inbound / no neighbor { | } soft-reconfiguration inbound: This command stores the routing information received from neighbors and peers; the no neighbor soft-reconfiguration inbound command cancels the storage of routing information.
Admin Mode
clear ip bgp {<*>| | external | peer-group } soft in: Configure BGP inbound soft reconfiguration.
4.
Command Explanation
Route map configuration command
set ip next-hop / no set ip next-hop: Set the next-hop attribute of outbound routes. The no set ip next-hop command cancels this setting.
7. Configure EBGP Multi-Hop
If the connections with external neighbors are not direct, the following command configures neighbor multi-hop.
BGP configuration mode
neighbor { | } route-map {in | out} / no neighbor { | } route-map {in | out}: Apply a route map to incoming or outgoing routes; the no neighbor route-map {in | out} command cancels the route map settings.
[..] command deletes the AS from the AS confederation.
5. Configure a Route Reflector
(1) The following commands configure a route reflector and its clients.
Command Explanation
BGP configuration mode
neighbor route-reflector-client / no neighbor route-reflector-client: Configure the current switch as a route reflector and specify a neighbor as its client; the no neighbor route-reflector-client form deletes a client.
(2) Add neighbors to peer groups
Command Explanation
BGP configuration mode
neighbor peer-group / no neighbor peer-group: Make a neighbor a member of the peer group; the no neighbor peer-group command removes the member.
advertisement-interval } advertisement-interval command restores the default value.
neighbor { | } ebgp-multihop [<1-255>] / no neighbor { | } ebgp-multihop: Allow EBGP connections with neighbors on indirectly connected networks; the no neighbor ebgp-multihop command cancels this setting.
route reflector.
neighbor { | } soft-reconfiguration inbound / no neighbor { | } soft-reconfiguration inbound: Store the route information received from the neighbor or peers; the no neighbor soft-reconfiguration inbound command cancels the storage.
10. Configure the Local Preference Value
Command Explanation
BGP configuration mode
bgp default local-preference / no bgp default local-preference: Change the default local preference; the no bgp default local-preference command restores the default value.
11. Enable sending default route
Command Explanation
BGP configuration mode
Permit sending the default route 0.0.0.
14. Configure Route Dampening
Command Explanation
BGP configuration mode
bgp dampening [<1-45>] [<1-20000> <1-20000> <1-255>] [<1-45>] / no bgp dampening: Enable BGP route dampening and apply the specified dampening parameters; the no command stops BGP route dampening.
15. Configure BGP Capability Negotiation
Command Explanation
BGP configuration mode
neighbor {|} capability {dynamic | route-refresh} / no neighbor {|} capability {dynamic | route-refresh} neighbor {
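The dampening parameters above (half-life, reuse limit, suppress limit and max-suppress-time) interact in ways that are worth checking before they are configured, since a badly chosen set either never suppresses an unstable prefix or withholds it for far longer than intended. The following added example (not the manual's or the switch's own code) works the standard dampening arithmetic through with those parameters; it assumes a per-flap penalty of 1000, which is the common default but is not stated in the manual.

```python
# Added example; not the manual's or the switch's own code. Models the penalty
# arithmetic behind 'bgp dampening <half-life> <reuse> <suppress> <max-suppress-time>'.
# Assumption: each flap adds a penalty of 1000 (the manual gives no per-flap value).
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0     # assumed per-flap penalty


@dataclass
class Dampening:
    half_life: float          # minutes, <1-45>
    reuse: float              # <1-20000>: release the route below this penalty
    suppress: float           # <1-20000>: withhold the route above this penalty
    max_suppress_time: float  # minutes, <1-255>: longest a route may be withheld

    def max_penalty(self) -> float:
        """Penalty ceiling implied by the parameters: a route suppressed at this
        penalty decays to the reuse limit exactly max-suppress-time later."""
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)

    def decay(self, penalty: float, minutes: float) -> float:
        """Exponential decay: the penalty halves every half_life minutes."""
        return penalty * 2 ** (-minutes / self.half_life)

    def minutes_until_reuse(self, penalty: float) -> float:
        """Time until a suppressed route's penalty falls below the reuse limit."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


@dataclass
class DampenedRoute:
    policy: Dampening
    penalty: float = 0.0
    last_update: float = 0.0   # minutes
    suppressed: bool = False

    def flap(self, now: float) -> bool:
        """Record a flap at time 'now' (minutes); returns True if the route is
        suppressed afterwards. The penalty is capped at the policy's ceiling."""
        decayed = self.policy.decay(self.penalty, now - self.last_update)
        self.penalty = min(decayed + FLAP_PENALTY, self.policy.max_penalty())
        self.last_update = now
        if self.penalty > self.policy.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        """Advance the route to time 'now' and report whether it is still withheld."""
        self.penalty = self.policy.decay(self.penalty, now - self.last_update)
        self.last_update = now
        if self.suppressed and self.penalty < self.policy.reuse:
            self.suppressed = False
        return self.suppressed


if __name__ == "__main__":
    # Constructed scenario: half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min,
    # and a prefix that flaps three times in quick succession.
    policy = Dampening(half_life=15, reuse=750, suppress=2000, max_suppress_time=60)
    route = DampenedRoute(policy)
    for _ in range(3):
        route.flap(0)
    print("penalty", route.penalty, "suppressed", route.suppressed)
    print("minutes until reuse", policy.minutes_until_reuse(route.penalty))
    print("penalty ceiling", policy.max_penalty())
```

With these values three flaps give a penalty of 3000, the route is withheld for 30 minutes, and the ceiling of 12000 means no prefix can ever be withheld longer than the configured 60 minutes.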
neighbor {|} route-server-client / no neighbor {|} route-server-client: Configure this router as a route server and specify the client neighbors it serves, which in an EBGP environment reduces the number of peers that every client has to configure; the no neighbor {|} route-server-client command deletes clients.
debug bgp redistribute message send / no debug bgp redistribute message send: Enable or disable debugging of messages sent by BGP for redistributing OSPF routes.
debug bgp redistribute route receive / no debug bgp redistribute route receive: Enable or disable debugging of messages received from NSM for redistributing OSPF routes.
40.3 Configuration Examples of BGP
40.3.1 Example 1: configure BGP neighbors
SwitchB, SwitchC and SwitchD are in AS200; SwitchA is in AS100. SwitchA and SwitchB share the same network segment. SwitchB and SwitchD are not physically connected.
The configurations of SwitchC are as follows:
SwitchC(config)#router bgp 200
SwitchC(config-router-bgp)#network 12.0.0.0
SwitchC(config-router-bgp)#network 13.0.0.0
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 200
SwitchC(config-router-bgp)#neighbor 13.1.1.4 remote-as 200
SwitchC(config-router-bgp)#exit
The configurations of SwitchD are as follows:
SwitchD(config)#router bgp 200
SwitchD(config-router-bgp)#network 13.0.0.0
SwitchD(config-router-bgp)#neighbor 12.1.1.
40.3.3 Example 3: configure BGP community attributes
In the following example, the route map "set-community" is applied to the outgoing updates sent to neighbor 16.1.1.6. Routes that match list 1 are given the special community value "1111"; the other routes are announced normally.
Switch(config)#router bgp 100
Switch(config-router-bgp)#neighbor 16.1.1.6 remote-as 200
Switch(config-router-bgp)#neighbor 16.1.1.
Switch(config)#ip community-list com2 permit 90
Switch(config)#exit
Switch#clear ip bgp 16.1.1.6 soft out
40.3.4 Example 4: configure BGP confederation
The following is the configuration of an AS. As the figure illustrates, SwitchB and SwitchC establish an IBGP connection. SwitchD belongs to AS 20. SwitchB and SwitchC establish EBGP within the AS confederation. AS10 and AS20 form an AS confederation with the confederation AS number AS200; SwitchA belongs to AS100, and SwitchB may create an EBGP connection using AS200.
SwitchB(config)#router bgp 10
SwitchB(config-router-bgp)#bgp confederation identifier 200
SwitchB(config-router-bgp)#bgp confederation peers 20
SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 10
SwitchB(config-router-bgp)#neighbor 13.1.1.4 remote-as 20
SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100
SwitchC:
SwitchC(config)#router bgp 10
SwitchC(config-router-bgp)#bgp confederation identifier 200
SwitchC(config-router-bgp)#bgp confederation peers 20
SwitchC(config-router-bgp)#neighbor 12.
[Figure 40-3 the Topological Map of Route Reflector: SwitchA to SwitchI across AS100, AS200 and AS300; SwitchC, SwitchD and SwitchG are route reflectors]
The configurations are as follows:
The configurations of SwitchC:
SwitchC(config)#router bgp 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100
SwitchC(config-router-bgp)#neighbor 1.1.1.
SwitchD(config-router-bgp)#neighbor 6.6.6.6 remote-as 100
SwitchD(config-router-bgp)#neighbor 6.6.6.6 route-reflector-client
SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100
SwitchD(config-router-bgp)#neighbor 7.7.7.7 remote-as 100
The configurations of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 1.1.1.2 remote-as 100
SwitchA(config-router-bgp)#neighbor 9.9.9.
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300
SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300
SwitchA(config-router-bgp)#neighbor 4.4.4.3 remote-as 400
The configurations of SwitchC:
SwitchC(config)#router bgp 300
SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100
SwitchC(config-router-bgp)#neighbor 2.2.2.2 route-map set-metric out
SwitchC(config-router-bgp)#neighbor 1.1.1.
40.3.7 Example 7: BGP VPN
In an MPLS VPN configuration, BGP is part of the core routing system and is also an important utility for supporting the ILM and FTN entries on the edge devices. In DCNOS, the BGP protocol together with the LDP protocol forms the foundation of the MPLS VPN application. The LDP protocol works on the WLAN side, and on routers that are not at the edge of the network the BGP protocol does not function.
CE-A1(config)#interface vlan 2
CE-A1(config-if-Vlan2)#ip address 192.168.101.2 255.255.255.0
CE-A1(config-if-Vlan2)#exit
CE-A1(config)#interface vlan 1
CE-A1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
CE-A1(config-if-Vlan1)#exit
CE-A1(config)#router bgp 60101
CE-A1(config-router)#neighbor 192.168.101.1 remote-as 100
CE-A1(config-router)#exit
Configurations on CE-A2:
CE-A2#config
CE-A2(config)#interface vlan 2
CE-A2(config-if-Vlan2)#ip address 192.168.102.2 255.255.255.
CE-B2(config-router)#neighbor 192.168.202.1 remote-as 100
CE-B2(config-router)#exit
Configurations on PE1:
PE1#config
PE1(config)#ip vrf VRF-A
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target both 100:10
PE1(config-vrf)#exit
PE1(config)#ip vrf VRF-B
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target both 100:20
PE1(config-vrf)#exit
PE1(config)#interface vlan 1
PE1(config-if-Vlan1)#ip vrf forwarding VRF-A
PE1(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.
PE2(config)#ip vrf VRF-A
PE2(config-vrf)#rd 100:10
PE2(config-vrf)#route-target both 100:10
PE2(config-vrf)#exit
PE2(config)#ip vrf VRF-B
PE2(config-vrf)#rd 100:20
PE2(config-vrf)#route-target both 100:20
PE2(config-vrf)#exit
PE2(config)#interface vlan 1
PE2(config-if-Vlan1)#ip vrf forwarding VRF-A
PE2(config-if-Vlan1)#ip address 192.168.102.1 255.255.255.0
PE2(config-if-Vlan1)#exit
PE2(config)#interface vlan 2
PE2(config-if-Vlan2)#ip vrf forwarding VRF-B
PE2(config-if-Vlan2)#ip address 192.168.202.1 255.
40.4 BGP Troubleshooting
When configuring and implementing the BGP protocol, a faulty physical connection or a configuration error may cause BGP to stop working.
Chapter 41 MBGP4+
41.1 Introduction to MBGP4+
MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension for IPv6; refer to the BGP chapter of this manual for an introduction to the BGP protocol. Unlike RIPng and OSPFv3, BGP has no corresponding independent protocol for IPv6; instead, it adds address-family extensions to the original BGP. The extensions MBGP4+ makes to BGP are mainly embodied in: a. the configured neighbor address can be an IPv6 address; b.
3. Configure redistribution of OSPFv3 routes into MBGP4+
(1) Enable redistribution of OSPFv3 routes into MBGP4+
Command Explanation
Router IPv6 BGP Configuration Mode
redistribute ospf [] [route-map] / no redistribute ospf: Enable or disable redistribution of OSPFv3 routes into MBGP4+.
Accordingly, the SwitchA configuration is as follows:
SwitchA(config)#router bgp 100
SwitchA(config-router)#bgp router-id 1.1.1.1
SwitchA(config-router)#neighbor 2001::2 remote-as 200
SwitchA(config-router)#address-family IPv6 unicast
SwitchA(config-router-af)#neighbor 2001::2 activate
SwitchA(config-router-af)#exit-address-family
SwitchA(config-router-bgp)#exit
SwitchA(config)#
The SwitchB configuration is as follows:
SwitchB(config)#router bgp 200
SwitchB(config-router)#bgp router-id 2.2.2.
SwitchD(config-router-af)#exit-address-family
SwitchD(config-router)#exit
Here the connection between SwitchB and SwitchA is EBGP, and the connection between SwitchC and SwitchD is IBGP. A BGP connection can be established between SwitchB and SwitchD without a physical link, provided there is a route from one switch to the other. That route can be obtained by static routing or an IGP.
41.4 MBGP4+ Troubleshooting
It is the same as the corresponding section of BGP.
Chapter 42 Black Hole Routing Manual
42.1 Introduction to Black Hole Routing
Black Hole Routing is a special kind of static routing that drops all datagrams matching the routing rule.
42.2 IPv4 Black Hole Routing Configuration Task
1. Configure IPv4 Black Hole Routing
Command Explanation
Global Configuration Mode
ip route { |/} null0 [] / no ip route { |/}: Configure the static black hole route.
42.4 Black Hole Routing Configuration Examples
Example 1: IPv4 Black Hole Routing function.
[Figure 42-1 IPv4 Black Hole Routing Configuration Example: SWITCH1 192.168.0.1/21, SWITCH2 192.168.0.2/21, access networks 192.168.1.0/24 ... 192.168.7.0/24]
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access interfaces. The network addresses are 192.168.1.0/24 ~ 192.168.7.0/24. A default route is configured on Switch 2 pointing to Switch 1.
Example 2: IPv6 Black Hole Routing function.
[Figure 41-2 IPv6 Black Hole Routing Configuration Example: SWITCH1 2004:1:2:3::1/64, SWITCH2 2004:1:2:3::2/64, access networks 2004:1:2:3:1::/80 ... 2004:1:2:3:7::/80]
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access interfaces. The network addresses are 2004:1:2:3:1::/80 ~ 2004:1:2:3:7::/80. A default route is configured on Switch 2 pointing to Switch 1.
For problems that cannot be fixed by the above methods, please issue the commands show ip route distance, show ip route fib and show l3, then copy and paste the output of these commands and send it to our company's technical service center.
Chapter 43 GRE Tunnel Configuration
43.1 Introduction to GRE Tunnel
GRE (Generic Routing Encapsulation) was submitted to the IETF by Cisco and Net-Smiths in 1994 as RFC 1701 and RFC 1702. At present, the network devices of most manufacturers support the GRE tunnel protocol. GRE specifies how to encapsulate one kind of network protocol inside another kind of network protocol.
Command Explanation
Tunnel interface configuration mode
tunnel mode gre ip / no tunnel mode: Configure the tunnel mode as a GREv4 tunnel. After a data packet is encapsulated with GRE it carries an IPv4 header and traverses the IPv4 network.
tunnel mode gre ipv6 / no tunnel mode: Configure the tunnel mode as a GREv6 tunnel. After a data packet is encapsulated with GRE it carries an IPv6 header and traverses the IPv6 network.
2.
ip route tunnel / no ip route tunnel: Configure the egress interface of an IPv4 static route as a GRE tunnel.
ipv6 route tunnel / no ipv6 route tunnel: Configure the egress interface of an IPv6 static route as a GRE tunnel.
43.
Configuration steps
Instruction: the topology in this chapter may differ from the actual environment. To ensure the effect of the configuration, please make sure the current configuration of the device does not conflict with the following configuration.
(1) The configuration of device A
1. The configuration step
Enable the IPv6 function.
SwitchA(config)#ipv6 enable
Create the interface VLAN 11 and its address.
SwitchA(config)#interface vlan 10
SwitchA(config-if-vlan10)#ip address 10.1.1.2 255.255.255.0
SwitchA(config-if-vlan10)#exit
Configure the OSPF routing protocol.
SwitchA(config)#router ospf
SwitchA(config-router)#router-id 1.1.1.1
SwitchA(config-router)#network 100.1.1.0/24 area 0
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#exit
After the OSPF protocol at both ends is fully connected through the tunnel, the tunnel route can be seen:
SwitchA(config)#show ip route
O 20.1.1.
Tunnel1 gre ipv6 2005:1000:3000::1 2000:1000:3000::1
The configuration of the GRE tunnel is successful.
Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured.
SwitchA(config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0
Configure the interface VLAN 20 and its address.
Create the interface VLAN 12 and its address
SwitchA(config)#vlan 12
SwitchA(config-vlan12)#switchport interface ethernet 1/0/12
SwitchA(config-vlan12)#exit
SwitchA(config)#interface vlan 12
SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64
SwitchA(config-if-vlan12)#exit
(4) The configuration of the PCs
Configure the IP address and default gateway of each PC.
PC1: IP address 10.1.1.1 255.255.255.0, default gateway 10.1.1.2
PC2: IP address 20.1.1.1 255.255.255.
[Figure: GRE tunnel topology across Switch A, Switch B and Switch C (Tunnel1 100.1.1.1/24 and 100.1.1.2/24; VLAN 10 10.1.1.0/24 and VLAN 20 20.1.1.0/24 towards the PCs; IPv6 transit links 2000:3000:1000::/64 and 2005:3000:1000::/64 on interfaces e1/0/11 and e1/0/12)]
(1) The configuration of device A
1. The configuration step
Enable the IPv6 function.
SwitchA(config)#ipv6 enable
Create the interface VLAN 11 and its address.
SwitchA(config)#vlan 11
SwitchA(config-vlan11)#switchport interface ethernet 1/0/11
SwitchA(config-vlan11)#exit
SwitchA(config)#interface vlan 11
SwitchA(config-if-vlan11)#ipv6 address 2000:3000:1000::1/64
Configure the IPv6 static route to Switch B from interface Vlan11.
SwitchA(config-if-tunnel1)#loopback-group 1
Configure the OSPF routing protocol.
SwitchA(config)#router ospf
SwitchA(config-router)#router-id 1.1.1.1
SwitchA(config-router)#network 100.1.1.0/24 area 0
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#exit
After the OSPF protocol at both ends is fully connected through the tunnel, the tunnel route can be seen:
SwitchA(config)#show ip route
O 20.1.1.0/24 [110/2] via 100.1.1.
Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured.
SwitchA(config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0
Configure the interface VLAN 20 and its address.
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#switchport interface ethernet 1/0/10
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-vlan20)#ip address 20.1.1.2 255.255.255.
SwitchA(config-vlan12)#exit
SwitchA(config)#interface vlan 12
SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64
SwitchA(config-if-vlan12)#exit
(4) The configuration of the PCs
Configure the IP address and default gateway of each PC.
PC1: IP address 10.1.1.1 255.255.255.0, default gateway 10.1.1.2
PC2: IP address 20.1.1.1 255.255.255.0, default gateway 20.1.1.2
43.
Chapter 44 ECMP Configuration
44.1 Introduction to ECMP
ECMP (Equal-Cost Multi-Path routing) works in network environments where several different links lead to the same destination address. With the traditional routing technique only one link can be used to send data packets to the destination; the other links stay in backup or invalid state, and in a static routing environment it takes some time to switch over between them.
Command Explanation
Global mode
load-balance {dst-src-mac | dst-src-ip | dst-src-mac-ip}: Set the load-balancing mode for the switch; it takes effect for port-group and the ECMP function at the same time.
44.3 ECMP Typical Example
Figure 44-3 the application environment of ECMP
As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and 100.1.2.1/24. R2 and R3 connect to R1 with the interface addresses 100.1.1.2/24 and 100.1.2.2/24.
S 5.5.5.5/32 [1/0] via 100.1.1.2, Vlan100 tag:0
             [1/0] via 100.1.2.2, Vlan200 tag:0
C 100.1.1.0/24 is directly connected, Vlan100 tag:0
C 100.1.2.0/24 is directly connected, Vlan200 tag:0
C 127.0.0.0/8 is directly connected, Loopback tag:0
Total routes are : 6 item(s)
44.3.2 OSPF Implements ECMP
R1 configuration:
R1(config)#interface Vlan100
R1(Config-if-Vlan100)#ip address 100.1.1.1 255.255.255.0
R1(config)#interface Vlan200
R1(Config-if-Vlan200)#ip address 100.1.2.1 255.255.255.
R3(config-router)#network 100.1.2.0/24 area 0
R3(config-router)#network 100.2.2.0/24 area 0
R4 configuration:
R4(config)#interface Vlan100
R4(Config-if-Vlan100)#ip address 100.2.1.1 255.255.255.0
R4(config)#interface Vlan200
R4(Config-if-Vlan200)#ip address 100.2.2.1 255.255.255.0
R4(config)#interface loopback 1
R4(Config-if-loopback1)#ip address 5.5.5.5 255.255.255.255
R4(config)#router ospf 1
R4(config-router)#ospf router-id 4.4.4.4
R4(config-router)#network 100.2.1.
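Two forwarding behaviours from the chapters above are easier to reason about with a small model than from the command tables alone: the null0 black hole route of Chapter 42 (Example 1, where Switch 2 carries a default route to Switch 1 while Switch 1 routes the 192.168.0.0/21 aggregate back to Switch 2), and the two-next-hop static route R1 shows in 44.3 under dst-src-ip load balancing. The following added example (not the manual's or the switch's own code) implements a longest-prefix-match table with both; it assumes the Switch 1 / Switch 2 link is a constructed 192.168.0.0/24 inside the aggregate, and uses SHA-256 as the flow hash since the switch's real hash function is not documented here.

```python
# Added example; not the manual's or the switch's own code. A minimal IPv4
# forwarding table showing (a) a static null0 route discarding traffic for an
# aggregate whose more specific subnet is down, instead of bouncing it to the
# default gateway, and (b) dst-src-ip ECMP next-hop selection.
# Assumptions: the uplink between Switch 2 and Switch 1 is modelled as
# 192.168.0.0/24 (constructed); the flow hash is SHA-256 (constructed).
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hops: List[str]      # an empty list means null0: discard
    distance: int = 1         # administrative distance; connected routes use 0


@dataclass
class Fib:
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hops: List[str], distance: int = 1) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), list(next_hops), distance))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; among equal-length prefixes the lowest distance wins."""
        ip = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if ip not in r.prefix:
                continue
            if best is None or (r.prefix.prefixlen, -r.distance) > (best.prefix.prefixlen, -best.distance):
                best = r
        return best


def select_next_hop(route: Route, src: str, dst: str) -> Optional[str]:
    """dst-src-ip load balancing: every packet of one (src, dst) flow takes the same path."""
    if not route.next_hops:
        return None                       # null0: the packet is discarded
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return route.next_hops[int.from_bytes(digest[:4], "big") % len(route.next_hops)]


def forward(fib: Fib, src: str, dst: str) -> Optional[str]:
    """Returns the chosen next hop or egress interface, or None when the packet is dropped."""
    route = fib.lookup(dst)
    return select_next_hop(route, src, dst) if route else None


def switch2_fib(active_vlans: List[int], black_hole: bool = True) -> Fib:
    """Switch 2 of Figure 42-1: connected access VLANs 192.168.<n>.0/24, a default
    route to Switch 1 and, optionally, 'ip route 192.168.0.0/21 null0 250'.
    Without the null0 route, a packet for a VLAN that is down follows the
    default route to Switch 1, which routes the /21 straight back: a loop."""
    fib = Fib()
    fib.add("192.168.0.0/24", ["Vlan0"], distance=0)   # constructed uplink subnet
    for n in active_vlans:
        fib.add(f"192.168.{n}.0/24", [f"Vlan{n}"], distance=0)
    fib.add("0.0.0.0/0", ["192.168.0.1"])
    if black_hole:
        fib.add("192.168.0.0/21", [], distance=250)    # null0 with a high distance
    return fib


def r1_fib() -> Fib:
    """R1 of 44.3: the two equal-cost static routes listed by 'show ip route'."""
    fib = Fib()
    fib.add("100.1.1.0/24", ["Vlan100"], distance=0)
    fib.add("100.1.2.0/24", ["Vlan200"], distance=0)
    fib.add("5.5.5.5/32", ["100.1.1.2", "100.1.2.2"])
    return fib


if __name__ == "__main__":
    s2 = switch2_fib(active_vlans=[1, 2, 3, 4, 6, 7])          # VLAN 5 is down
    print(forward(s2, "192.168.1.10", "192.168.3.7"))            # Vlan3
    print(forward(s2, "192.168.1.10", "192.168.5.9"))            # None: dropped by null0
    print(forward(switch2_fib([1, 2, 3, 4, 6, 7], False), "192.168.1.10", "192.168.5.9"))
    print(forward(r1_fib(), "10.0.0.1", "5.5.5.5"))              # one of the two next hops
```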
Chapter 45 BFD
45.1 Introduction to BFD
BFD (Bidirectional Forwarding Detection) provides a mechanism to quickly detect and monitor the connectivity of links in a network. To improve network performance, protocol neighbors must detect communication failures quickly so that communication can be restored through backup paths as soon as possible. BFD provides a general-purpose, standard, medium-independent and protocol-independent fast failure detection mechanism.
bfd interval min_rx multiplier / no bfd interval: Configure the minimum transmission interval, the minimum receive interval and the detection multiplier of the session for BFD control packets; the no command restores the default detection multiplier.
bfd min-echo-receive-interval / no bfd min-echo-receive-interval: Configure the minimum receive interval for BFD control packets; the no command restores its default value.
bfd echo / no bfd echo: Enable BFD echo; the no command disables the function.
ipv6 route {vrf | } prefix bfd / no ipv6 route {vrf | } prefix bfd: Configure BFD for the static IPv6 route; the no command cancels the configuration.
4. Configure BFD for VRRP (v3)
Command Explanation
VRRP(v3) Group Configuration Mode
bfd enable / no bfd enable: Enable BFD for the VRRP(v3) protocol and enable BFD detection on this group; the no command disables the function.
45.3 Examples of BFD
45.3.
Switch(config)#interface vlan 14
Switch(config-if-vlan14)#ip address 14.1.1.1 255.255.255.0
Switch(config)#ip route 15.1.1.0 255.255.255.0 12.1.1.1 bfd
When the link between Switch B and the layer 2 switch fails, Switch A detects the change on Switch B immediately, and the static route goes to the inactive state.
45.3.2 Example for Linkage of BFD and RIP Route
Example: Switch A and Switch B are connected and run the RIP protocol; both of them enable the BFD function.
Switch(config-router)#network vlan 300
Switch(config)#interface vlan 100
Switch(config-if-vlan100)#rip bfd enable
When the link between Switch A and Switch B fails, BFD detects it immediately and notifies RIP to delete the learnt route.
45.3.3 Example for Linkage of BFD and VRRP
Example: When the master fails, the backup cannot become the master until the configured timeout timer expires. The timeout is generally three to four seconds, so the switchover is slow.
Switch(config-router)#enable
Switch(config-router)#bfd enable
# Configure Switch B
Switch#config
Switch(config)#bfd mode passive
Switch(config)#interface vlan 2
Switch(config-if-vlan2)#ip address 192.16.0.102 255.255.255.0
Switch(config)#router vrrp 1
Switch(config-router)#virtual-ip 192.168.0.10
Switch(config-router)#interface vlan 1
Switch(config-router)#enable
Switch(config-router)#bfd enable
45.
Chapter 46 BGP GR
46.1 Introduction to GR
As networks develop, higher availability is required, so HA (High Availability) was introduced: it addresses how to keep forwarding packets without affecting traffic when a router's control plane cannot work normally. Usually, when a router does not work normally, its neighbors at the routing protocol layer detect the relationship going down, and it comes up again soon afterwards. This process is called neighborhood flapping.
information and enable the selection deferral timer. 5. R1 delays the computation of the local BGP routes until it has received End-of-RIB from all GR-aware BGP neighbors, or until the local selection deferral timer expires. 6. Compute the routes and send the route updates. After that, it sends End-of-RIB to its neighbors. Restarting Speaker (GR-Helper): 1. R1 and R2 negotiate GR capability with the restarting router when they establish the original BGP neighborhood; R1 is a router that supports GR (GR-capable). 2.
BGP protocol unicast address family mode and VRF address family mode
neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart / no neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart: Set a label for the neighbor so that it carries the GR parameters when sending OPEN messages.
3.
bgp graceful-restart stale-path-time <1-3600> / no bgp graceful-restart stale-path-time <1-3600>: Stale-path-time uses the default value of 360s, which is much longer than restart-time and selection-deferral-time, because during the time from when the Receiving Speaker receives the OPEN message until it receives the EOR, it sends the initial route update and waits for the initial route update to be received completely.
6.
R2 configures int vlan 12 with ip address 12.1.1.2
R1 configuration:
R1#config
R1(config)#vlan 12
R1(config-vlan12)#int vlan 12
R1(config-if-vlan12)#ip address 12.1.1.1 255.255.255.0
R1(config-if-vlan12)#exit
R1(config)#router bgp 1
R1(config-router)#neighbor 12.1.1.2 remote-as 2
R1(config-router)#neighbor 12.1.1.
Chapter 47 OSPF GR
47.1 Introduction to OSPF GR
OSPF Graceful Restart (OSPF GR for short) is used to keep data forwarding correct so that the flow of crucial services is not interrupted when the routing protocol restarts or a layer 3 switch switches over between the active master and the standby master. It is one of the high availability technologies. So far, high-end layer 3 switches usually adopt a design that separates control and forwarding.
protocol, while the GR helper is a layer 3 switch that helps the GR restarter. In the above example, S1 is the GR restarter and S2 is the GR helper. The advantages of OSPF GR are the following: increased network reliability; reduced effect of route flapping on the network; reduced effect on traffic, avoiding packet loss during switchover.
47.2 OSPF GR Configuration
OSPF GR configuration task list:
1. Enable GR for OSPF
2. Configure grace-period for OSPF GR restarter (optional)
3.
47.3 OSPF GR Example
Example: There are four switches S1 to S4 (each has two master control boards and supports OSPF GR); they enable OSPF to implement the following functions: 1. S1 keeps forwarding traffic during the switchover, and S2-S4 ensure that there is no route flapping and network traffic is continuous. 2. S1 needs to finish the switchover and restart the protocol within 120s; otherwise S2 will quit GR and recompute the routes. 3.
specific GR is not disabled. Whether the network topology changes during the OSPF GR process: when it changes, the switch may quit GR and restart OSPF. Please ensure all neighbors of the GR restarter support GR. Do not modify the relevant OSPF configuration during GR.
Chapter 48 IPv4 Multicast Protocol
48.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 multicast protocols. All IP addresses in this chapter are IPv4.
48.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet (including data, sound and video) is a minority of the users in the network. One way is to use unicast mode, i.e.
Multicast groups are dynamic; hosts can join and leave a multicast group at any time. A multicast group can be permanent or temporary. Some multicast group addresses are assigned officially; these are called permanent multicast groups. A permanent multicast group keeps its IP address fixed, but its membership can vary. The number of members of a permanent multicast group can be arbitrary, even zero.
48.1.3 IP Multicast Packet Transmission
In multicast mode, the source host sends packets to the host group indicated by the multicast group address in the destination address field of the IP packet. Unlike unicast mode, a multicast packet must be forwarded out of a number of interfaces to reach all receiver sites, so the multicast transmission procedure is more complicated than the unicast one.
The working process of PIM-DM can be summarized as: neighbor discovery, flooding and prune, and graft. 1. Neighbor Discovery After PIM-DM is enabled on a router, Hello messages are required to discover neighbors. The network nodes that run PIM-DM use Hello messages to contact each other. PIM-DM Hello messages are sent periodically. 2. Flooding and Prune Process PIM-DM assumes all hosts on the network are ready to receive multicast data.
48.2.2 PIM-DM Configuration Task List
1. Enable PIM-DM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional PIM-DM parameters (Optional)
a) Configure the interval for PIM-DM hello messages
b) Configure the interval for state-refresh messages
c) Configure the boundary interfaces
d) Configure the management boundary
4. Disable PIM-DM protocol
1.
Command (Interface Configuration Mode):
  ip pim hello-interval <interval>
  no ip pim hello-interval
Explanation: To configure the interval for PIM-DM hello messages. The no form of this command restores the interval to the default value.
b) Configure the interval for state-refresh messages
Command (Interface Configuration Mode):
  ip pim state-refresh origination-interval
  no ip pim state-refresh origination-interval
Explanation: To configure the interval for sending PIM-DM state-refresh packets.
c)
48.2.3 PIM-DM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLANs, and enable the PIM-DM protocol on each VLAN interface.
Figure 48-1 PIM-DM Typical Environment (SwitchA and SwitchB, each with Vlan 1 and Vlan 2)
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.
48.2.4 PIM-DM Troubleshooting
When configuring and using the PIM-DM protocol, PIM-DM might not operate normally because of a physical connection problem or an incorrect configuration.
and reach the host. In this way the RPT with the RP as its root is generated.
(2) Multicast Source Registration
When a multicast source S sends a multicast packet to multicast group G, the PIM-SM multicast router directly connected to it encapsulates the multicast packet in a Register message and unicasts it to the corresponding RP. If there is more than one PIM-SM multicast router on a network segment, the DR (Designated Router) takes charge of sending the multicast packet.
1. Enable PIM-SM Protocol
The PIM-SM protocol can be enabled on XGS3 series Layer 3 switches by enabling PIM in global configuration mode and then enabling PIM-SM on specific interfaces in interface configuration mode.
Command (Global Mode):
  ip pim multicast-routing
Explanation: To enable the PIM-SM protocol for all the interfaces (however, in order to make PIM-SM work for specific interfaces, the following command should also be issued).
Command:
  ip pim hello-holdtime
  no ip pim hello-holdtime
Explanation: To configure the value of the holdtime field in the PIM-SM hello messages. The no form of this command restores the hold time to the default value.
3) Configure ACL for PIM-SM neighbors
Command (Interface Configuration Mode):
  ip pim neighbor-filter {}
Explanation: To configure an ACL to filter PIM-SM neighbors.
Command (Global Configuration Mode):
  ip pim bsr-candidate {vlan | } [ ] [ ]
  no ip pim bsr-candidate
Explanation: This is the global candidate BSR configuration command, which is used to configure the information of the PIM-SM candidate BSR. The command "no ip pim bsr-candidate" cancels the configuration of the candidate BSR.
Command (Interface Configuration Mode):
  no ip pim sparse-mode
  no ip pim multicast-routing (Global Configuration Mode)
Explanation: To disable the PIM-SM protocol.
48.3.3 PIM-SM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLANs, and enable the PIM-SM protocol on each VLAN interface.
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 24.1.1.2 255.255.255.0
Switch(Config-if-Vlan2)# ip pim sparse-mode
Switch(Config-if-Vlan2)# exit
Switch(config)# ip pim rp-candidate vlan2
(3) Configure SwitchC:
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 34.1.1.3 255.255.255.0
Switch(Config-if-Vlan1)# ip pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 13.1.1.
When configuring and using the PIM-SM protocol, PIM-SM might not operate normally because of a physical connection problem or an incorrect configuration.
48.4.2 Brief Introduction to MSDP Configuration Tasks 1. 2. 3. 4.
48.4.3.2 Enabling MSDP
MSDP should be enabled before the various MSDP functions can be configured.
1. Enable the MSDP function
2. Configure MSDP
1. Enabling MSDP
Command (Global Configuration Mode):
  router msdp
  no router msdp
Explanation: To enable MSDP. The no form of this command disables MSDP globally.
2. Configuration of MSDP parameters
Command (MSDP Configuration Mode):
  connect-source
Explanation: To configure the Connect-Source interface for the MSDP Peer.
48.4.4.2 Configuration of MSDP parameters
Command (MSDP Peer Configuration Mode):
  connect-source
  no connect-source
Explanation: To configure the Connect-Source interface for the MSDP Peer. The no form of this command removes the configured Connect-Source interface.
Command:
  description
  no description
Explanation: To configure the descriptive information about the MSDP entities. The no form of this command removes the configured description.
  no sa-request-filter [list ]
Explanation: The no form of this command removes the configured filter rules for SA request packets.
48.4.6 Configuration of Parameters of SA-cache
Command (MSDP Configuration Mode):
  cache-sa-state
  no cache-sa-state
Explanation: To enable the SA packet cache. The no form disables the SA packet cache.
Command (MSDP Configuration Mode):
  cache-sa-holdtime <150-3600>
  no cache-sa-holdtime
Explanation: The aging time for entries in the SA cache. The no form restores the default aging time configuration.
Figure 48-3 Network Topology for MSDP Entry (Domain A with RouterA, RP1 and the Source; Domain B with RouterB and RP2; Domain C with RP3 and the Receiver)
Configuration tasks are listed below:
Prerequisites: enable the unicast routing protocol and the PIM protocol on every router, and make sure that inter-domain routing and multicasting inside each domain work well. Suppose the multicast server S in Domain A offers multicast programs at 224.1.1.1, and a host in Domain C named R subscribes to this program.
Switch(router-msdp)#peer 20.1.1.1
Router B in Domain B:
Switch#config
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(Config)#interface vlan 3
Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
Switch(Config-if-Vlan3)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 20.1.1.2
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 30.1.1.
Figure 48-4 Flooding of SA messages (PIM-SM domain with MSDP peers)
Figure 48-5 Flooding of SA messages with mesh group configuration (RA, RB, RC and RD as MSDP peers in one mesh group)
Configuration steps are listed below:
Router A:
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.
Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
Switch(Config-if-Vlan3)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 10.1.1.2
Switch(router-msdp)#mesh-group XGS3-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 20.1.1.4
Switch(router-msdp)#mesh-group XGS3-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 30.1.1.3
Switch(router-msdp)#mesh-group XGS3-1
Switch(msdp-peer)#exit
Router B:
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.
Switch(Config-if-Vlan6)#ip address 60.1.1.4 255.255.255.0
Switch(Config-if-Vlan6)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 20.1.1.1
Switch(router-msdp)#mesh-group XGS3-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 40.1.1.4
Switch(router-msdp)#mesh-group XGS3-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 60.1.1.2
Switch(router-msdp)#mesh-group XGS3-1
Router D:
Switch#config
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 20.1.1.4 255.255.255.
If the MSDP problems cannot be solved through all the methods provided above, please issue the command debug msdp to collect the debugging messages within three minutes, and send them to the technical service center of our company.
48.5 ANYCAST RP Configuration
48.5.1 Introduction to ANYCAST RP
Anycast RP is a technology based on the PIM protocol, which provides redundancy so that service recovers as soon as possible once an RP becomes unusable.
2. Configure ANYCAST RP v4
(1) Configure the RP candidate
Command (Global Configuration Mode):
  ip pim rp-candidate {vlan | loopback | } [] []
Explanation: PIM-SM now allows the Loopback interface to be an RP candidate (necessary). Note that the ANYCAST RP protocol can configure either the Loopback interface or a regular Layer 3 VLAN interface to be the RP candidate.
done with the absence of the interface. The self-rp-address should be unique. The no operation cancels the self-rp-address which this router (as an RP) uses to communicate with other RPs.
(3) Configure other-rp-address (other RP communication addresses)
Command (Global Configuration Mode):
Explanation: Configure the anycast-rp-addr on this router (as an RP).
from a DR is received, it should be forwarded to all of these other RPs one by one. The no operation cancels an other-rp-address communicating with this router.
48.5.3 ANYCAST RP Configuration Examples
(Topology figure: Multicast Server, DR, RP1, RP2 and receiver; interface labels shown in the figure: VLAN1:10.1.1.1, VLAN2:192.168.2.5, VLAN2:192.168.2.1, VLAN1:192.168.1.4, VLAN2:192.168.3.2, VLAN2:2.2.2.)
Switch(config)#ip pim rp-candidate loopback1
Switch(config)#ip pim bsr-candidate vlan 1
Switch(config)#ip pim multicast-routing
Switch(config)#ip pim anycast-rp
Switch(config)#ip pim anycast-rp self-rp-address 192.168.2.1
Switch(config)#ip pim anycast-rp 1.1.1.1 192.168.3.2
RP2 Configuration:
Switch#config
Switch(config)#interface loopback 1
Switch(Config-if-Loopback1)#ip address 1.1.1.1 255.255.255.
Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol. With PIM-SSM, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM, hosts can be added to a multicast group manually and efficiently as in traditional PIM-SM, but the shared tree and RP management of PIM-SM are left out. In SSM, the SPT is constructed directly with (S, G).
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ip pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ip pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.
Switch(Config-If-Vlan2)# ip pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-If-Vlan3)# ip pim sparse-mode
Switch(Config-If-Vlan3)#exit
Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.255
Switch(config)#ip multicast ssm range 1
48.6.4 PIM-SSM Troubleshooting
When configuring and using the PIM-SSM protocol, PIM-SSM might not operate normally because of a physical connection problem or an incorrect configuration.
The check which determines whether the packet arrived on the correct interface is called the RPF (Reverse Path Forwarding) check. When a multicast data packet arrives on an interface, the router determines the reverse path to the source network by looking up the DVMRP routing table. If the interface the packet arrived on is the one that would be used to send unicast traffic to the source, the reverse path check passes and the packet is forwarded out of all downstream interfaces; otherwise the packet is discarded.
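The RPF check described above, as an added example that is not code from the manual or the switch: the routing table, interface names, group and packets are constructed here, and the lookup order (longest prefix, then lowest metric) is an assumption the manual does not state.

```python
"""RPF (Reverse Path Forwarding) check as described for DVMRP above.

Added example, not code from the PLANET manual or the switch firmware.
The routing table, interface names, groups and packets are constructed
for illustration; longest-prefix-then-lowest-metric lookup is assumed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination network (unicast route)
    interface: str                  # interface used to reach that network
    metric: int = 0


@dataclass
class MulticastRouter:
    routes: list                                  # unicast/DVMRP routing table
    # downstream (outgoing) interfaces per group address, constructed here
    downstream: dict = field(default_factory=dict)
    rpf_failures: int = 0                         # counter worth monitoring

    def rpf_interface(self, source: str):
        """Interface a unicast packet *to* `source` would leave on, or None
        if there is no route (longest prefix, then lowest metric)."""
        src = ipaddress.IPv4Address(source)
        best = None
        for r in self.routes:
            if src not in r.prefix:
                continue
            if (best is None
                    or r.prefix.prefixlen > best.prefix.prefixlen
                    or (r.prefix.prefixlen == best.prefix.prefixlen
                        and r.metric < best.metric)):
                best = r
        return best.interface if best else None

    def forward(self, source: str, group: str, in_iface: str) -> list:
        """Apply the RPF check to a multicast packet (source, group) that
        arrived on `in_iface`. Returns the interfaces to forward on; an
        empty list means the packet is discarded."""
        if self.rpf_interface(source) != in_iface:
            # Arrived on an interface that is not the reverse path to the
            # source: a looping duplicate or a packet with a spoofed source.
            # Drop it and count it so the failure is visible to monitoring.
            self.rpf_failures += 1
            return []
        # Reverse path check passed: forward out of every downstream
        # interface except the one the packet came in on.
        return [i for i in self.downstream.get(group, []) if i != in_iface]


def build_sample_router() -> MulticastRouter:
    """Constructed topology: sources on 10.1.1.0/24 sit behind vlan1,
    everything else is reached via vlan2; receivers for 224.1.1.1 sit
    behind vlan2 and vlan3."""
    routes = [
        Route(ipaddress.ip_network("10.1.1.0/24"), "vlan1", 1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "vlan2", 10),
    ]
    return MulticastRouter(routes, {"224.1.1.1": ["vlan2", "vlan3"]})


if __name__ == "__main__":
    r = build_sample_router()
    print(r.forward("10.1.1.5", "224.1.1.1", "vlan1"))  # passes, forwarded
    print(r.forward("10.1.1.5", "224.1.1.1", "vlan2"))  # RPF failure, dropped
    print("RPF failures:", r.rpf_failures)
```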
48.7.
Command:
  ip dvmrp output-report-delay []
  no ip dvmrp output-report-delay
Explanation: Configure the delay of transmitting DVMRP report messages on the interface and the number of messages sent each time; the "no ip dvmrp output-report-delay" command restores the default value.
Command:
  ip dvmrp metric
  no ip dvmrp metric
Explanation: Configure the DVMRP report message metric value of the interface; the "no ip dvmrp metric" command restores the default value.
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)# ip dvmrp enable
(2) Configure SwitchB:
Switch (config)#ip dvmrp multicast-routing
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 12.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# ip dvmrp enable
Switch(Config-if-Vlan1)#exit
Switch (config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.
The Multicast Packet Source Controllable technology of Security Controllable Multicast is mainly processed in the following manners:
1. On the edge switch, if source-controlled multicast is configured, only multicast data from the specified groups of the specified sources can pass.
2. On the RP switch in the core of PIM-SM, for REGISTER messages from outside the specified sources and groups, REGISTER_STOP is sent directly and no table entry is allowed to be set up.
The next step is to configure the source control rules. They are configured in the same manner as an ACL, using ACL numbers 5000-5099; each ACL number can hold 10 rules. Note that these rules are ordered: the rule configured earliest is evaluated first. Once a rule is matched, the following rules do not take effect, so a globally permitting rule must be placed at the end.
Command:
  [no] multicast destination-control (required)
Explanation: Globally enable IPv4 and IPv6 destination control. The no operation of this command globally disables destination control. All other destination control configuration takes effect only after it is globally enabled.
The next step is to configure the destination control rules. They are similar to the source control rules, except that ACL numbers 6000-7999 are used.
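The ordered, first-match evaluation of source control and destination control rules described above, as an added example that is not the switch's own implementation; the ACL number ranges and the 10-rules-per-list limit come from the text, while the rule layout (action, source prefix, group prefix), the default-deny result when nothing matches and all sample rules are constructed here.

```python
"""First-match evaluation of multicast source-control / destination-control
rules: rules are tried in the order entered, the first match decides, and
a global permit placed before the denies silences them.

Added example, not the switch's own code. ACL ranges (5000-5099 source,
6000-7999 destination) and the 10-rule limit follow the manual; the rule
layout, default-deny on no match and the sample rules are constructed.
"""
import ipaddress

SOURCE_CONTROL_ACLS = range(5000, 5100)     # 5000-5099 per the manual
DEST_CONTROL_ACLS = range(6000, 8000)       # 6000-7999 per the manual
MAX_RULES_PER_LIST = 10                     # per the manual


class MulticastControlList:
    """An ordered list of (action, source_prefix, group_prefix) rules."""

    def __init__(self, number: int, kind: str):
        if kind not in ("source", "destination"):
            raise ValueError("kind must be 'source' or 'destination'")
        allowed = SOURCE_CONTROL_ACLS if kind == "source" else DEST_CONTROL_ACLS
        if number not in allowed:
            raise ValueError(f"ACL {number} is outside the {kind}-control range")
        self.number = number
        self.kind = kind
        self.rules = []

    def add_rule(self, action: str, source: str, group: str) -> None:
        """Append a rule; rules are evaluated in the order they were added."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if len(self.rules) >= MAX_RULES_PER_LIST:
            raise ValueError(f"ACL {self.number} already holds "
                             f"{MAX_RULES_PER_LIST} rules")
        self.rules.append((action,
                           ipaddress.ip_network(source, strict=False),
                           ipaddress.ip_network(group, strict=False)))

    def evaluate(self, source: str, group: str) -> str:
        """First matching rule wins. With control enabled and no match the
        traffic is dropped (constructed default, matching 'only the
        specified sources/groups can pass')."""
        src = ipaddress.ip_address(source)
        grp = ipaddress.ip_address(group)
        for action, s_net, g_net in self.rules:
            if src in s_net and grp in g_net:
                return action
        return "deny"

    def shadowed_rules(self) -> list:
        """Indices of rules that can never match because an earlier rule
        already covers every (source, group) pair they cover: the ordering
        mistake the text warns about (global permit not placed last)."""
        shadowed = []
        for j, (_, s_j, g_j) in enumerate(self.rules):
            for _, s_i, g_i in self.rules[:j]:
                if s_j.subnet_of(s_i) and g_j.subnet_of(g_i):
                    shadowed.append(j)
                    break
        return shadowed


def wrong_order() -> MulticastControlList:
    """Constructed mistake: the global permit is entered first, so the
    later deny for one source subnet is never reached."""
    acl = MulticastControlList(5000, "source")
    acl.add_rule("permit", "0.0.0.0/0", "224.0.0.0/4")
    acl.add_rule("deny", "10.9.9.0/24", "239.1.2.0/24")
    return acl


def right_order() -> MulticastControlList:
    """Same intent with the specific deny first and the global permit last."""
    acl = MulticastControlList(5000, "source")
    acl.add_rule("deny", "10.9.9.0/24", "239.1.2.0/24")
    acl.add_rule("permit", "0.0.0.0/0", "224.0.0.0/4")
    return acl


if __name__ == "__main__":
    for build in (wrong_order, right_order):
        acl = build()
        print(build.__name__, acl.evaluate("10.9.9.7", "239.1.2.3"),
              "shadowed rules:", acl.shadowed_rules())
```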
to set priority for the specified multicast. The commands are as follows:
Command (Global Configuration Mode):
  [no] ip multicast policy cos
Explanation: Configure the multicast policy, specifying a priority for sources and groups in a specific range; the priority range is <0-7>.
48.8.
Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure its ingress switch as follows:
Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4
In this way, the multicast stream has a priority of 4 when it reaches other switches through this switch. (This is usually fairly high; the highest possible priority is reserved for protocol data. If a higher priority is set and there is too much multicast data, it might cause abnormal behaviour of the switch protocols.)
In this situation, since all switches running IGMP on the network segment receive the membership report messages from the hosts, only one switch needs to send membership query messages, so an election mechanism is required to select one switch as the querier.
membership trace.
11. In query messages, the new router-side processing suppression flag (S flag) modifies the existing behaviour of IGMPv2.
48.9.
Command (Interface Configuration Mode):
  ip igmp access-group {}
  no ip igmp access-group
Explanation: Configure the filtering condition for joining an IGMP group; the "no ip igmp access-group" command cancels the filtering condition.
Command:
  ip igmp join-group
  no ip igmp join-group
  ip igmp static-group
  no ip igmp static-group
Explanation: Configure the interface to join some IGMP group; the "no ip igmp join-group" command cancels the join.
Command:
  no ip dvmrp | no ip pim dense-mode | no ip pim sparse-mode | no ip dvmrp multicast-routing | no ip pim multicast-routing
Explanation: Disable the IGMP protocol.
48.9.3 IGMP Configuration Examples
As shown in the following figure, add the Ethernet ports of Switch A and Switch B to the corresponding VLANs, and start PIM-DM on each VLAN interface.
First, make sure the physical connection is correct. Next, make sure the interface protocol and the link protocol are UP (use the show interface command). Then make sure a multicast protocol is started on the interface. Multicast protocols require an RPF check using unicast routing, so the correctness of unicast routing must be assured beforehand.
48.10 IGMP Snooping
48.10.
Command:
  ip igmp snooping vlan
  no ip igmp snooping vlan
Explanation: Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN.
Command:
  ip igmp snooping proxy
  no ip igmp snooping proxy
Explanation: Enable the IGMP Snooping proxy function; the no command disables the function.
Command:
  ip igmp snooping vlan <vlan-id> limit {group | source }
Explanation: Configure the maximum group count of the VLAN and the maximum source count of every group.
query-mrsp period. The "no ip igmp snooping vlan query-mrsp" command restores the default value.
Command:
  ip igmp snooping vlan query-robustness
  no ip igmp snooping vlan query-robustness
Explanation: Configure the query robustness. The "no ip igmp snooping vlan query-robustness" command restores the default value.
Command:
  ip igmp snooping vlan
Explanation: Configure the suppression query time.
Figure 48-10 Enabling IGMP Snooping function (multicast router on the multicast port, Multicast Server 1 and Multicast Server 2, hosts in Group 1 and Group 2 behind the IGMP Snooping switch)
Example: As shown in the above figure, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1.
Figure 48-11 The switches as IGMP Queriers (Multicast Server with Group 1 and Group 2; Switch A running IGMP Snooping as the L2 general querier; Switch B running IGMP Snooping with Group 1 and Group 2 hosts)
The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the multicast router in scenario 1. Let's assume VLAN 60 is configured in SwitchA, including ports 1, 2, 6, 10 and 12. Port 1 connects to the multicast server, and port 2 connects to Switch2.
router) Configurations are listed below:
switch#config
switch(config)#ip pim multicast-routing
switch(config)#interface vlan 100
switch(config-if-vlan100)#ip pim sparse-mode
IGMP snooping does not distribute entries when a layer 3 multicast protocol is enabled. It only does the following tasks: it removes the layer 2 multicast entries; it provides query functions to layer 3 with the VLAN, S and G as parameters; and when layer 3 IGMP is disabled, it re-enables the distribution of layer 2 multicast entries.
the join and leave messages received from downstream ports and forward them to the multicast router through upstream ports. The IGMP proxy configuration is mutually exclusive with the PIM and DVMRP configuration.
48.11.2 IGMP Proxy Configuration Task List
1. Enable IGMP Proxy function
2. Enable configurations for both downstream and upstream ports for the IGMP Proxy on different interfaces
3. Configure IGMP Proxy
1. Enable IGMP Proxy function
Command (Global Mode):
  ip igmp proxy
Explanation: Enable the IGMP Proxy function.
  no ip igmp proxy unsolicited-report robustness
Explanation: The no form of this command restores the default value.
Command:
  ip igmp proxy aggregate
  no ip igmp proxy aggregate
Explanation: To configure non-query downstream ports to be able to aggregate the IGMP operations. The no form of this command restores the default configuration.
Command:
  ip multicast ssm range <1-99>
  ip multicast ssm default
  no ip multicast ssm
Explanation: To configure the address range for IGMP proxy SSM multicast groups. The no form of this command removes the configuration.
The configuration steps are listed below:
Switch#config
Switch(config)#ip igmp proxy
Switch(Config)#interface vlan 1
Switch(Config-if-Vlan1)#ip igmp proxy upstream
Switch(Config)#interface vlan 2
Switch(Config-if-Vlan2)#ip igmp proxy downstream
Multicast Configuration: Suppose the multicast server offers some programs through 224.1.1.1. Some hosts subscribe to that program at the edge of the network.
Switch#config
Switch(config)#ip igmp proxy
Switch(Config)#interface vlan 1
Switch(Config-if-Vlan1)#ip igmp proxy upstream
Switch(Config)#interface vlan 2
Switch(Config-if-Vlan2)#ip igmp proxy downstream
Switch(Config-if-Vlan2)#ip igmp proxy multicast-source
Route1 configuration:
Switch#config
Switch(config)#ip pim multicast
Switch(Config)#interface vlan 1
Switch(Config-if-Vlan1)#ip pim sparse-mode
Switch(Config-if-Vlan1)#ip pim bsr-border
Multicast Configuration: Suppose the server provides programs throu
Chapter 49 IPv6 Multicast Protocol
49.1 PIM-DM6
49.1.1 Introduction to PIM-DM6
PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a dense-mode multicast routing protocol suited to small networks, where the members of a multicast group are relatively dense. There is no difference from the IPv4 version of PIM-DM except that the addresses it uses are IPv6 addresses.
the multicast packet will be discarded as a redundant message. The unicast routing information used for the path judgment can come from any unicast routing protocol, such as routes learned by RIP, OSPF, etc.; it does not rely on any specific unicast routing protocol.
4. Assert Mechanism
If two multicast routers A and B in the same LAN segment each have their own receiving path to multicast source S, they will both forward the multicast data packet onto the LAN after receiving it from multicast source S.
  ipv6 pim dense-mode
Explanation: To enable PIM-DM for the specified interface (required).
2. Configure static multicast routing entries
Command (Global Configuration Mode):
  ipv6 mroute <.ifname>
  no ipv6 mroute [ <.ifname>]
Explanation: To configure IPv6 static multicast routing entries. The no form of this command removes the specified routing entry.
3.
Command (Interface Configuration Mode):
  ipv6 pim scope-border <500-599>|
  no ipv6 pim scope-border
Explanation: To configure the PIM-DM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group. acl_name should be a standard IPv6 ACL name.
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:10:1:1::1/64
Switch(Config-if-Vlan1)#ipv6 pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan2
Switch(Config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
Switch(Config-if-Vlan2)#ipv6 pim dense-mode
(2) Configure SwitchB:
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
Switch(Config-if-Vlan1)#ipv6 pim dense-mode
Switch(Config-if-Vlan1)#ex
PIM-SM routers establish, using the Join/Prune messages of the routers, an RPT (RP-rooted shared tree) based on the RP. Consequently the network bandwidth occupied by data packets and control messages is cut down, and the processing cost of the routers is reduced. Multicast data flows along the shared tree to the network segments where the multicast group members are located.
Notice: Multicast Routing Protocol is not supported by 5950-28T-L and 5950-52T-L in this chapter. 49.2.
Command:
  ipv6 mroute <.ifname>
  no ipv6 mroute [ <.ifname>]
Explanation: To configure a static multicast routing entry. The no form of this command removes the specified static multicast routing entry.
3.
5) Configure the interface as the management boundary of the PIM-SM6 protocol
Command (Interface Configuration Mode):
  ipv6 pim scope-border <500-599>|
  no ipv6 pim scope-border
Explanation: To configure the PIM-SM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group.
Command (Global Configuration Mode):
  ipv6 pim rp-address []
  no ipv6 pim rp-address {all|}
Explanation: To configure the address of the candidate RP. The no form of this command removes the configuration for the candidate RP.
The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as below:
(1) Configure SwitchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::1/64
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ipv6 address 2000:13:1:1::1/64
Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
(2) Configure Switch B:
Switch(config)#ipv6 pim multicast-routing
Swit
Switch(Config-if-Vlan1)#ipv6 address 2000:34:1:1::4/64
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ipv6 address 2000:24:1:1::4/64
Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
Switch(Config-if-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-if-Vlan3)#ipv6 address 2000:40:1:1::1/64
Switch(Config-if-Vlan3)#ipv6 pim sparse-mode
49.2.
Anycast RP defines that the RP nearest to the multicast source should forward the source Register messages to all the other RPs, to guarantee that all joiners of any RP can find the multicast source. The PIM-protocol-based Anycast RP is realized by maintaining an ANYCAST RP list on every switch configured with Anycast RP, and by using another address as the label by which the RPs identify each other.
  no ipv6 pim anycast-rp self-rp-address
Explanation: to identify this router when communicating with other RPs (necessary). The effect of self-rp-address covers two respects: 1. Once this router (as an RP) receives a Register message unicast from a DR, it needs to forward the Register message to all the other RPs in the network, notifying them of the state of source (S,G). While forwarding the Register message, this router changes the source address of the message to self-rp-address.
absence of the interface in accordance with the anycast-rp-addr. Configure on this router (as an RP) the other-rp-addresses of the other RPs communicating with it. This unicast address identifies the other RP and is used in the communication with local routers. The effect of other-rp-address covers two respects: 1. Once this router (as an RP) receives a Register message unicast from a DR, it should forward it to the other RPs in the network to notify all the RPs in the network of the source (S.
RP1 Configuration:
Switch#config
Switch(config)#interface loopback 1
Switch(Config-if-Loopback1)#ipv6 address 2006::1/128
Switch(Config-if-Loopback1)#exit
Switch(config)#ipv6 pim rp-candidate loopback1
Switch(config)#ipv6 pim bsr-candidate vlan 1
Switch(config)#ipv6 pim multicast-routing
Switch(config)#ipv6 pim anycast-rp
Switch(config)#ipv6 pim anycast-rp self-rp-address 2003::1
Switch(config)#ipv6 pim anycast-rp 2006::1 2004::2
RP2 Configuration:
Switch#config
Switch(config)#interface loopback 1
Switch(C
49.4 PIM-SSM6
49.4.1 Introduction to PIM-SSM6
Source Specific Multicast (PIM-SSM6) is a new kind of multicast service protocol. With PIM-SSM6, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM6, hosts can be added to a multicast group manually and efficiently as in traditional PIM-SM6, but the shared tree and RP management of PIM-SM6 are left out. In SSM6, the SPT is constructed directly with (S,G).
Figure 49-4 PIM-SSM typical environment
Configurations of switchA, switchB, switchC and switchD are listed below:
(1) Configuration of switchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ipv6 address 2000:12:1:1::1/64
Switch(Config-If-Vlan1)# ipv6 pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ipv6 address 2000:13:1:1::1/64
Switch(Config-If-Vlan2)# ipv6 pim sparse-mode
Switch(Config-If-Vlan2)#e
Switch(config)# ipv6 pim rp-candidate vlan2
Switch(config)#ipv6 access-list 500 permit ff1e::1/64
Switch(config)#ip pim ssm range 500
(3) Configuration of SwitchC:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ipv6 address 2000:34:1:1::3/64
Switch(Config-If-Vlan1)# ipv6 pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ipv6 address 2000:13:1:1::3/64
Switch(Config-If-Vlan2)# ipv6 pim sparse-mode
Switch(C
Make sure the physical links are connected correctly.
Make sure the state of the data link layer has become UP (use the show interface command).
Make sure PIM6 is enabled in global configuration mode (refer to the command ipv6 pim multicast-routing).
Make sure PIM-SM6 is configured on the interface (refer to the command ipv6 pim sparse-mode).
Make sure SSM6 is configured in global configuration mode.
The multicast protocol uses unicast routing to make the RPF check.
the command for globally enabling the source control:
Command (Global Configuration Mode):
  ipv6 multicast source-control (necessary)
  no ipv6 multicast source-control
Explanation: Globally enable the source control; the no operation of this command globally disables the source control. Note that once source control is globally enabled, multicast messages are dropped by default.
First, globally enable the destination control. Since destination control needs to prevent unauthorized users from receiving multicast data, once it is enabled globally the switch stops broadcasting received multicast data. So if a switch has enabled destination control, users should not connect two or more other Layer 3 switches within the same VLAN where it is located.
3. The configuration of multicast policy
The multicast policy adopts the method of specifying a priority for the specified multicast data to meet the user's particular demand. Note that only multicast data transmitted on a TRUNK can be given this special treatment.
Switch(config)#ipv6 multicast destination-control fe80::203:fff:fe01:228a/64 access-group 9000
Thus, the users of this segment can only join groups other than ff1e::1/64.
MLD protocol version 2 uses FF02::16 as the destination address of membership reports, and 143 as the message type. The other logic of MLD protocol version 2 is similar to IGMP protocol version 3.
49.6.
1) Configure the interval for MLD to send query messages
2) Configure the maximum response time of MLD queries
3) Configure the timeout of MLD queries
Command (Port Configuration Mode):
  ipv6 mld query-interval
  no ipv6 mld query-interval
Explanation: Configure the interval of the MLD query messages sent periodically; the no operation of this command restores the default value.
(1) Configure SwitchA:
Switch (config) #ipv6 pim multicast-routing
Switch (config) #ipv6 pim rp-address 3FFE::1
Switch (config) #interface vlan 1
Switch (Config-if-Vlan1) #ipv6 address 3FFE::1/64
Switch (Config-if-Vlan1) #ipv6 pim sparse-mode
(2) Configure SwitchB:
Switch (config) #ipv6 pim multicast-routing
Switch (config) #ipv6 pim rp-address 3FFE::1
Switch (config) #interface vlan1
Switch (Config-if-Vlan1) #ipv6 address 3FFE::2/64
Switch (Config-if-Vlan1) #ipv6 pim sparse-mode
Switch (Config-if-Vlan1) #
(namely ff02::1). Once there is a listener who wishes to join the multicast address, it sends an MLD Multicast Listener Report back through the multicast address. MLD Snooping is MLD listening: through MLD Snooping the switch restricts the multicast traffic from flooding, and forwards the multicast traffic only to ports associated with multicast devices.
  mrouter-port interface
Command:
  ipv6 mld snooping vlan mrouter-port learnpim6
  no ipv6 mld snooping vlan mrouter-port learnpim6
Explanation: Enable the function that the specified VLAN learns the mrouter-port (according to PIMv6 packets); the no command disables the function.
Command:
  ipv6 mld snooping vlan mrpt
  no ipv6 mld snooping vlan mrpt
Explanation: Configure the keep-alive time of the mrouter port. The "no" form of this command restores the default.
Scenario 1: MLD Snooping Function
Figure 49-6 Open the switch MLD Snooping Function figure (Multicast Router on the Mrouter Port of the MLD Snooping switch; hosts in Group1 and Group2)
As shown above, VLAN 100 configured on the switch consists of ports 1, 2, 6, 10 and 12. Four hosts are respectively connected to ports 2, 6, 10 and 12, while the multicast router is on port 1.
Figure 49-7 Switch as MLD Querier Function figure (SwitchA and SwitchB)
The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router in case 1. Assume VLAN 60 configured on it contains ports 1, 2, 10 and 12, among which port 1 is connected to the multicast server and port 2 to switch2. To send Queries periodically, global MLD Snooping has to be enabled while executing mld snooping vlan 60 l2-general-querier, setting VLAN 60 to a Layer 2 General Querier.
Scenario 3: To run in cooperation with layer 3 multicast protocols
The SWITCH used in Scenario 1 is replaced with a ROUTER, with the specific configurations remaining the same. The multicast and IGMP snooping configurations are the same as in Scenario 1.
Chapter 50 Multicast VLAN
50.1 Introduction to Multicast VLAN
With the current method of ordering multicast, when users in different VLANs order the same stream, a copy of the multicast traffic is sent in each VLAN, which wastes a great deal of bandwidth. By configuring a multicast VLAN, adding the switch ports to it and enabling the IGMP Snooping/MLD Snooping functions, users from different VLANs share the same multicast VLAN.
3. Configure MLD Snooping
Global Mode
  ipv6 mld snooping vlan / no ipv6 mld snooping vlan: Enables MLD Snooping on the multicast VLAN; the "no" form of this command disables MLD Snooping on the multicast VLAN.
  ipv6 mld snooping / no ipv6 mld snooping: Enables the MLD Snooping function; the "no" form of this command disables the MLD Snooping function.
50.
SwitchA(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip pim dense-mode
Switch(Config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(Config-if-Vlan20)#ip pim dense-mode
SwitchA(Config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast
SwitchA(config)#interface ethernet1/0/10
SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
SwitchB#config
SwitchB(config)#vlan 100
SwitchB(config-vlan100)#Switchport access ethernet 1/0/15
SwitchB(config-
Chapter 51 ACL Configuration
51.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic by granting or denying access to the switch, effectively safeguarding the security of the network. The user lays down a set of rules based on information specific to packets; each rule describes the action, "permit" or "deny", for a packet whose information matches.
51.2 ACL Configuration Task List
ACL configuration task sequence:
1. Configuring access-list
  (1) Configuring a numbered standard IP access-list
  (2) Configuring a numbered extended IP access-list
  (3) Configuring a standard IP access-list based on nomenclature
    a) Create a standard IP access-list based on nomenclature
    b) Specify multiple "permit" or "deny" rule entries
    c) Exit ACL configuration mode
  (4) Configuring an extended IP access-list based on nomenclature
5. Clear the filtering information of the specified port
1. Configuring access-list
(1) Configuring a numbered standard IP access-list
Global Mode
  access-list {deny | permit} {{ } | any-source | {host-source }} / no access-list : Creates a numbered standard IP access-list; if the access-list already exists, the rule is added to the current access-list. The "no access-list" command deletes a numbered standard IP access-list.
  access-list {deny | permit} udp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [precedence ] [tos ][time-range]
  access-list {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | } {{ } | any-source | {host-source }} {{ } | any-de
Standard IP ACL Mode
  exit: Exits name-based standard IP ACL configuration mode.
(4) Configuring a name-based extended IP access-list
a. Create an extended IP access-list based on nomenclature
Global Mode
  ip access-list extended / no ip access-list extended : Creates an extended IP access-list based on nomenclature; the "no ip access-list extended" command deletes the name-based extended IP access-list.
b.
][time-range]
  [no] {deny | permit} udp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [precedence : Creates a name-based UDP IP access rule; the no form of the command deletes the name-based extended IP access rule.
  {host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [ [ [ [ ]]]]]: ... if the access-list already exists, the rule is added to the current access-list; the "no access-list" command deletes a numbered access-list.
  [no] {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} [vlanid [] [ethertype []]]
  [no] {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} [untagged-eth2 [ethertype [protocol-mask]]]: Creates an extended name-based MAC access rule matching
(8) Configuring a numbered extended MAC-IP access-list
Global mode
  access-list {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} icmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence : Creates a numbe
  access-list {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} udp {{}|any-source|{host-source}} [s-port { | range }] {{}|any-destination|{host-destination}} [d-port { | range }]: Creates a numbered MAC-UDP extended MAC-IP access rule; if the numb
Extended name-based MAC-IP access Mode
  [no] {deny|permit} {any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac}|{}} icmp {{}|any-source|{host-source}} {{}|any-destination|{host-destination}}: Creates a name-based MAC-ICMP access rule; the no form of the command deletes the name-based MAC-ICMP access rule.
  c}|{}} {any-destination-mac|{host-destination-mac}|{}} udp {{}|any-source|{host-source}} [s-port { |: Creates a name-based MAC-UDP access rule; the no form of the command deletes the name-based MAC-UDP access rule.
deletes a numbered standard IPv6 access-list.
a. Create a standard IPv6 access-list based on nomenclature
Global Mode
  ipv6 access-list standard / no ipv6 access-list standard : Creates a standard IP access-list based on nomenclature; the no command deletes the name-based standard IPv6 access-list.
b.
Extended IPv6 ACL Mode
  [no] {deny | permit} icmp {{} | any-source | {host-source }} { | any-destination | {host-destination }} [ []] [dscp ] [flow-label ] [time-range ]: Creates a name-based IPv6 ICMP access rule; the no form of the command deletes the name-based extended IPv6 access rule.
Extended IPv6 ACL Mode
  exit: Exits extended name-based IPv6 ACL configuration mode.
2. Configuring packet filtering function
(1) Enable global packet filtering function
Global Mode
  firewall enable: Enables the global packet filtering function.
  firewall disable: Disables the global packet filtering function.
3.
  [no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} to
(3) Configure absolute time range
Global Mode
  absolute start [end ]: Configures the absolute time range.
  [no] absolute start [end ]: Stops the function of the absolute time range.
4. Bind access-list to a specific direction of the specified port.
3. Bind the ACL to the port
The configuration steps are listed below:
Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)#firewall enable
Switch(config)#firewall default permit
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#ip access-group 110 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall status: enable.
Firewall default rule: permit.
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show access-lists
access-list 1100(used 1 time(s))
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch#show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
MAC Ingress access-list used is 1100,traffic-statistics Disable.
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch#show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Scenario 5:
The configuration requirement is stated below: interfaces 1, 2, 5 and 7 belong to vlan100, and the host with IP address 192.168.0.1 must be prevented from accessing the listed interfaces.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed below.
If an access-list contains rules with the same filtering information but conflicting actions, binding it to the port fails with an error message. For instance, configuring "permit tcp any any-destination" and "deny tcp any any-destination" at the same time is not permitted. Viruses such as "worm.blaster" can be blocked by configuring an ACL that denies specific ICMP packets or packets to specific TCP or UDP ports.
Chapter 52 802.1x Configuration
52.1 Introduction to 802.1x
The 802.1x protocol originates from the IEEE 802.11 wireless LAN protocol, where it was designed to authenticate users accessing a wireless LAN. The LAN defined by the IEEE 802 LAN protocols provides no access authentication: as long as users can reach a LAN access device (such as a LAN switch), they can reach all devices and resources in the LAN.
system should support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is the entity at the other end of the LAN segment that authenticates the connected supplicant systems. An authenticator system is usually a network device supporting the 802.1x protocol that provides ports through which supplicant systems access the LAN; these ports can be physical or logical. The authentication server system is the entity that provides authentication services to authenticator systems.
52.1.2 The Work Mechanism of 802.1x
The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to exchange authentication information between the supplicant system, the authenticator system and the authentication server system.
[Figure 52-2: the Work Mechanism of 802.1x]
In a LAN environment, EAP messages use the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system.
PAE Ethernet Type: the type of the protocol; its value is 0x888E.
Protocol Version: the version of the protocol supported by the sender of the EAPOL data packet.
Type: the type of the EAPOL data packet, including:
  EAP-Packet (value 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to carry EAP messages between the supplicant system and the authentication server system.
Identifier: assists in matching Request and Response messages.
Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields.
Data: the content of the EAP packet, depending on the Code type.
52.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please refer to the introduction of the RADIUS protocol in "AAA-RADIUS-HWTACACS operation" for the format of RADIUS messages.
1.
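A decoder for the EAPOL header and the EAP header it carries, as an added example that is not part of the manual; the Code names and the Identity Type come from RFC 3748, and the MAC addresses and the identity "alice" are constructed sample values.

```python
# Added example, not from the PLANET manual: decode the EAPOL header fields listed in
# section 52.1.3 and, for an EAP-Packet, the EAP header (Code, Identifier, Length, Data).
import struct

EAPOL_ETHERTYPE = 0x888E          # PAE Ethernet Type given in the manual
EAPOL_TYPE_EAP_PACKET = 0x00      # EAP-Packet: carries an EAP message
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748 Code values
EAP_TYPE_IDENTITY = 1             # EAP method Type for Identity (RFC 3748)


def parse_eap(pkt: bytes) -> dict:
    """Split an EAP packet into Code, Identifier, Length and Data; Length covers all four fields."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP Length {length} inconsistent with {len(pkt)} available bytes")
    data = pkt[4:length]
    eap = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "identifier": identifier, "length": length, "data": data}
    if code in (1, 2):            # Request/Response: the first Data byte is the EAP method Type
        if not data:
            raise ValueError("EAP Request/Response without a Type byte")
        eap["type"], eap["type_data"] = data[0], data[1:]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet II + EAPOL headers; reject non-EAPOL frames and truncated bodies."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04X}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "version": version, "eapol_type": eapol_type, "body_len": body_len}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        info["eap"] = parse_eap(body)
    return info


def is_well_formed_eapol(frame: bytes) -> bool:
    """True if the frame parses cleanly; a filter would drop anything else."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Assemble an EAPOL frame; used here only to construct sample input."""
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + struct.pack("!BBH", version, eapol_type, len(body)) + body


# Constructed sample frames: 01:80:c2:00:00:03 is the PAE group address, the other MACs are made up
PAE_GROUP = bytes.fromhex("0180c2000003")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")
SUPPLICANT = bytes.fromhex("001122334455")
# Authenticator -> supplicant: EAP-Request/Identity, Identifier 1, Length 5 (4-byte header + Type)
REQUEST_IDENTITY = build_eapol(PAE_GROUP, AUTHENTICATOR, EAPOL_TYPE_EAP_PACKET,
                               struct.pack("!BBH", 1, 1, 5) + bytes([EAP_TYPE_IDENTITY]))
# Supplicant -> authenticator: EAP-Response/Identity carrying the constructed identity "alice"
RESPONSE_IDENTITY = build_eapol(PAE_GROUP, SUPPLICANT, EAPOL_TYPE_EAP_PACKET,
                                struct.pack("!BBH", 2, 1, 10) + bytes([EAP_TYPE_IDENTITY]) + b"alice")

if __name__ == "__main__":
    for frame in (REQUEST_IDENTITY, RESPONSE_IDENTITY):
        print(parse_eapol(frame))
```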
the remote RADIUS server. The following is the description of the process of these two authentication methods, both started by the supplicant system. 52.1.5.1 EAP Relay Mode EAP relay is specified in IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks.
the same.
1. EAP-MD5 Authentication Method
EAP-MD5 is an IETF open standard that provides the least security, since the MD5 hash function is vulnerable to dictionary attacks. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method.
[Figure 52-9: the Authentication Flow of 802.1x EAP-MD5]
2. EAP-TLS Authentication Method
EAP-TLS was brought up by Microsoft based on the EAP and TLS protocols.
The following figure illustrates the basic operation flow of the EAP-TLS authentication method.
[Figure 52-10: the Authentication Flow of 802.1x EAP-TLS]
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It provides authentication as strong as that of EAP-TLS, but without requiring users to have their own digital certificates; the only requirement is that the Radius server has a digital certificate.
authentication. The following figure illustrates the basic operation flow of the PEAP authentication method.
[Figure 52-11: the Authentication Flow of 802.1x PEAP]
52.1.5.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and fee-counting (accounting). The basic operation flow is illustrated in the next figure.
[Figure 52-12: the Authentication Flow of 802.1x EAP Termination Mode]
52.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
resources, which means all users of this port can access limited resources before being authenticated. User-based advanced control restricts this access: only particular users of the port can access the limited resources before being authenticated, and once those users pass authentication they can access all resources. Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP cheating (spoofing).
the port into the Guest VLAN if no supplicant has been authenticated successfully within a certain stretch of time, because no dedicated authentication supplicant system is present or the version of the supplicant system is too low. Once the 802.
Port Mode
  dot1x port-control {auto | force-authorized | force-unauthorized} / no dot1x port-control: Sets the 802.1x authentication mode; the no command restores the default setting.
2) Configure port access management method
Port Mode
  dot1x port-method {macbased | portbased | webbased | userbased advanced}: Sets the port access management method; the no command restores MAC-based access management.
  dot1x eapor enable / no dot1x eapor enable: Enables the EAP relay authentication function in the switch; the no command sets EAP local end authentication.
3. Supplicant related property configuration
Global Mode
  dot1x max-req / no dot1x max-req: Sets the number of EAP request/MD5 frames to be sent before the switch re-initializes authentication when no supplicant responds; the no command restores the default setting.
[Figure 52-13: The Network Topology of Guest VLAN (Update server, Authenticator server, E3, VLAN2, VLAN10, SWITCH, E2, E6, VLAN100, VLAN5, Internet, User)]
Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6.
As shown in the figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server.
is set as the port’s Guest VLAN. Before the user gets authenticated or when the user fails to do so, port Ethernet1/0/2 is added into VLAN10, allowing the user to access the Update Server.
# Set the access control mode on the port as portbased.
Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased
# Set the access control mode on the port as auto.
Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
# Set the port's Guest VLAN as 100.
Switch(Config-If-Ethernet1/0/2)#dot1x guest-vlan 100
Switch(Config-If-Ethernet1/0/2)#exit
Using the command show running-config or show interface ethernet 1/2, users can check the configuration of the Guest VLAN.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#dot1x enable
Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
Switch(Config-If-Ethernet1/0/2)#exit
52.4 802.1x Troubleshooting
It is possible that 802.
Chapter 53 The Number Limitation Function of Port, MAC in VLAN and IP Configuration
53.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP
The MAC address list identifies the mapping between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses.
through configuration commands.
Limiting the number of dynamic MAC and IP entries on ports:
1. Limiting the number of dynamic MAC entries. If the number of MAC addresses dynamically learnt by the switch on the port is already greater than or equal to the configured maximum number of dynamic MAC addresses, MAC learning is shut down on this port; otherwise the port continues learning.
2. Limiting the number of dynamic IP entries.
2. Enable the number limitation function of MAC and IP in VLAN
VLAN configuration mode
  vlan mac-address dynamic maximum / no vlan mac-address dynamic maximum: Enable and disable the number limitation function of MAC in the VLAN.
Interface configuration mode
  ip arp dynamic maximum / no ip arp dynamic maximum: Enable and disable the number limitation function of ARP in the VLAN.
  show nd-dynamic count {vlan | interface ethernet }: Displays the number of dynamic NEIGHBOUR entries on the corresponding ports and VLAN.
  debug switchport mac count / no debug switchport mac count: All kinds of debug information when limiting the number of MAC on ports.
  debug switchport arp count / no debug switchport arp count: All kinds of debug information when limiting the number of ARP on ports.
SWITCH B can get the MAC, ARP and ND list entries of all the PCs, so limiting the MAC and ARP list entries can mitigate DoS attacks to a certain extent. When malicious users frequently perform MAC or ARP cheating, they can easily fill the MAC and ARP list entries of the switch, causing a successful DoS attack; limiting the MAC, ARP and ND list entries can prevent such DoS attacks. On port 1/0/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learnt to 20, dynamic ARP addresses to 20, and NEIGHBOR list entries to 10.
Chapter 54 Operational Configuration of AM Function
54.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool. If an entry in the address pool matches the information (source IP address or source MAC-IP address), the message is forwarded; otherwise it is dropped.
  am port / no am port: Enable/disable the AM function on the port. When the AM function is enabled on the port, no IP or ARP message is forwarded by default.
3. Configure the forwarding IP
Port Mode
  am ip-pool / no am ip-pool: Configure the forwarding IP of the port.
4.
54.3 AM Function Example
[Figure 54-1: a typical configuration example of AM function (Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PC1 to PC30)]
In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager treats only users with an IP address within that range as legal.
Chapter 55 TACACS+ Configuration
55.1 Introduction to TACACS+
TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
3. Configure the TACACS+ authentication timeout time
Global Mode
  tacacs-server timeout / no tacacs-server timeout: Configures the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration.
4. Configure the IP address of the TACACS+ NAS
Global Mode
  tacacs-server nas-ipv4 / no tacacs-server nas-ipv4 : Configures the source IP address of the TACACS+ packets sent by the switch.
55.
Switch(config)#authentication line vty login tacacs
55.4 TACACS+ Troubleshooting
When configuring and using TACACS+, authentication may fail for reasons such as a physical connection failure or wrong configuration. The user should ensure the following:
First, the physical connection to the TACACS+ server is in good condition.
Second, all interfaces and link protocols are in the UP state (use the "show interface" command).
Chapter 56 RADIUS Configuration
56.1 Introduction to RADIUS
56.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and accounting for the network resources used.
Identifier field (1 octet): identifier matching request and answer packets.
Length field (2 octets): the length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes.
Authenticator field (16 octets): used to validate the packets received from the RADIUS server, or to carry encrypted passwords. This field is of two kinds: the Request Authenticator and the Response Authenticator.
Attribute field: used to carry detailed information about AAA.
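Parsing these fields and validating a server reply, as an added example that is not the manual's or PLANET's code: the Response Authenticator rule is the one from RFC 2865, the EAP-Message (79) and Message-Authenticator (80) attributes named in 52.1.4 are checked as RFC 3579 specifies, and the shared secret, Request Authenticator and user name are constructed sample values.

```python
# Added example, not from the PLANET manual: parse the RADIUS packet fields listed
# above and validate a server reply with the Response Authenticator and the
# Message-Authenticator attribute that accompanies EAP authentication (section 52.1.4).
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79             # RFC 3579: carries an EAP packet
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579: HMAC-MD5 over the packet, keyed with the shared secret


def parse_radius(packet: bytes) -> dict:
    """Split a packet into Code, Identifier, Length, Authenticator and a (type, value) attribute list."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} received octets")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "code_name": RADIUS_CODES.get(code, "Other"), "identifier": identifier,
            "length": length, "authenticator": packet[4:20], "attributes": attrs}


def _encode_attrs(attrs) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += bytes([atype, 2 + len(value)]) + value
    return out


def build_response(code: int, identifier: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Build a server reply carrying a correct Message-Authenticator and Response Authenticator."""
    # Message-Authenticator is computed with its own value zeroed and the Request
    # Authenticator in the header; it is placed last so its value is the final 16 octets.
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR] + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Validate a reply from the server: Response Authenticator first, then Message-Authenticator."""
    try:
        p = parse_radius(response)
    except ValueError:
        return False
    body = response[20:p["length"]]
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, p["authenticator"]):
        return False
    has_eap = any(atype == ATTR_EAP_MESSAGE for atype, _ in p["attributes"])
    for i, (atype, value) in enumerate(p["attributes"]):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = p["attributes"][:i] + [(atype, bytes(16))] + p["attributes"][i + 1:]
            mac = hmac.new(secret, response[:4] + request_auth + _encode_attrs(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return not has_eap   # EAP-Message without Message-Authenticator must be rejected (RFC 3579)


# Constructed sample: the shared secret and Request Authenticator are made-up values
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
EAP_SUCCESS = bytes([3, 1, 0, 4])   # EAP Success, Identifier 1, Length 4
ACCESS_ACCEPT = build_response(2, 7, REQUEST_AUTH,
                               [(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, EAP_SUCCESS)], SECRET)

if __name__ == "__main__":
    print(parse_radius(ACCESS_ACCEPT))
    print("valid:", verify_response(ACCESS_ACCEPT, REQUEST_AUTH, SECRET))
```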
56.2 RADIUS Configuration Task List
1. Enable the authentication and accounting function.
2. Configure the RADIUS authentication key.
3. Configure the RADIUS server.
4. Configure the parameters of the RADIUS service.
5. Configure the IP address of the RADIUS NAS.
1. Enable the authentication and accounting function.
Global Mode
  aaa enable / no aaa enable: Enables the AAA authentication function; the no form of this command disables the AAA authentication function.
  radius-server accounting host { | } [port ] [key ] [primary] / no radius-server accounting host { | }: Specifies the IPv4/IPv6 address and the port number of the RADIUS accounting server, and whether it is the primary server; the no command deletes the RADIUS accounting server.
4.
[Figure 56-2: The Topology of IEEE802.1x configuration (computer, switch 10.1.1.2 / 10.1.1.1, Radius Server 10.1.1.3)]
A computer connects to a switch whose IP address is 10.1.1.2, connected with a RADIUS authentication server without Ethernet1/0/2; the IP address of the server is 10.1.1.3, the authentication port defaults to 1812 and the accounting port to 1813. Configuration steps are as below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.
[Figure 56-3: The Topology of IPv6 Radius configuration]
A computer connects to a switch whose IP address is 2004:1:2:3::2, connected with a RADIUS authentication server without Ethernet1/2; the IP address of the server is 2004:1:2:3::3, the authentication port defaults to 1812 and the accounting port to 1813.
Chapter 57 SSL Configuration
57.1 Introduction to SSL
As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications, and has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. Up till now, SSL 2.0 and 3.
Firstly, SSL should be enabled on the switch. When the client accesses the switch through https, an SSL session is set up between the switch and the client; once the session is established, all data transmitted in the application layer is encrypted. The SSL handshake is performed while the SSL session is being set up, and the switch must be able to provide its certificate and keys.
2. Configure/delete the port number used by SSL
Global Mode
  ip http secure-port / no ip http secure-port: Configures the port number used by SSL; the "no ip http secure-port" command deletes the port number.
3. Configure/delete the secure cipher suite used by SSL
Global Mode
  ip http secure-ciphersuite {des-cbc3-sha | rc4-128-sha | des-cbc-sha} / no ip http secure-ciphersuite: Configures/deletes the secure cipher suite used by SSL.
4.
[Figure: PC users' Web Browser connected to the switch Web Server over an https SSL session; data acquisition by malicious users fails]
Configuration on the switch:
Switch(config)#ip http secure-server
Switch(config)#ip http secure-port 1025
Switch(config)#ip http secure-ciphersuite rc4-128-sha
57.4 SSL Troubleshooting
When configuring and using SSL, the SSL function may fail for reasons such as a physical connection failure or wrong configuration.
Chapter 58 IPv6 Security RA Configuration
58.1 Introduction to IPv6 Security RA
In IPv6 networks, the topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers advertise RAs (Router Advertisements) carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create their link address and set the router that sent the RA as their default router in order to communicate on the IPv6 network.
  debug ipv6 security-ra / no debug ipv6 security-ra: Enables the debug information of the IPv6 security RA module; the no operation of this command disables the output of IPv6 security RA debug information.
  show ipv6 security-ra [interface ]: Displays the distrust ports and whether security RA is enabled globally.
58.
Chapter 59 VLAN-ACL Configuration
59.1 Introduction to VLAN-ACL
The user can apply an ACL policy to a VLAN to control access on all ports in the VLAN, so VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN without configuring each member port separately.
2. Configure VLAN-ACL of MAC type
Global mode
  vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD: Configures or deletes a MAC VLAN-ACL.
3. Configure VLAN-ACL of MAC-IP
Global mode
  vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD: Configures or deletes a MAC-IP VLAN-ACL.
59.3 VLAN-ACL Configuration Example
A company's network is configured as follows: departments are divided into different VLANs, the technique department is Vlan1 and the finance department is Vlan2. It is required that the technique department can access the outside network at timeout, while the finance department is not allowed to access the outside network at any time, for security. The following policies are therefore configured: set the policy VACL_A for the technique department.
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended ACL vacl_b for IP; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.1.0 0.0.0.
Chapter 60 MAB Configuration
60.1 Introduction to MAB
In real networks there are devices on which an authentication client cannot be installed, such as printers and PDAs; they cannot perform 802.1x authentication. To access network resources they instead use MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
  mac-authentication-bypass enable / no mac-authentication-bypass enable: Enables the port MAB authentication function.
2. Configure MAB authentication username and password
Global Mode
  mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}: Sets the authentication mode of the MAB authentication function.
3.
  mac-authentication-bypass timeout linkup-period <0-30> / no mac-authentication-bypass timeout linkup-period: Sets the interval of the link down/up performed when the MAB binding changes into a VLAN, so that an IP address is obtained again.
  mac-authentication-bypass spoofing-garp-check enable / no mac-authentication-bypass spoofing-garp-check enable: Enables the MAB spoofing-garp-check function; the no command disables the function.
[Figure 60-1: MAB application]
Switch1 is a layer 2 access switch and Switch2 a layer 3 aggregation switch. Ethernet 1/0/1 is an access port of Switch1 connected to PC1; it enables the 802.1x port-based function and configures vlan8 as its guest vlan. Ethernet 1/0/2 is a hybrid port connected to PC2; the native vlan of the port is vlan1, its guest vlan is vlan8, it joins vlan1, vlan8 and vlan10 untagged, and it enables the MAB function.
Switch(config)#interface ethernet 1/0/2
Switch(config-if-ethernet1/0/2)# switchport mode hybrid
Switch(config-if-ethernet1/0/2)# switchport hybrid native vlan 1
Switch(config-if-ethernet1/0/2)# switchport hybrid allowed vlan 1;8;10 untag
Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable
Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable guest-vlan 8
Switch(config-if-ethernet1/0/2)#exit
Switch(config)#interface ethernet 1/0/3
Switch(config-if-ethernet1/0/3)# switchport mode acc
Chapter 61 PPPoE Intermediate Agent Configuration
61.1 Introduction to PPPoE Intermediate Agent
61.1.1 Brief Introduction to PPPoE
PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that supplies a point-to-point communication method; it is usually chosen for host dial-up links, for example when the link is a dial-up line.
PADO packets match the service information needed by the client). The MAC address of the other end used for the session is known once the server is selected, and the client sends a PADR (PPPoE Active Discovery Request) packet to it to announce the session requirement to the server.
4.
[Frame layout: Ethernet frame carrying PPPoE data with the fields Version, Type, Code, Session ID, Length, followed by TLV1 ... TLV N; each TLV consists of Type, Length, Data]
The meaning of each field is as follows:
Type field (2 bytes) of the Ethernet II frame: the protocol sets the type field of PPPoE discovery-stage packets (the 5 kinds of packets used only in the discovery stage) to 0x8863 and the type field of session-stage packets to 0x8864.
PPPoE version field (4 bits): specifies the current PPPoE protocol version; it must currently be set to 0x1.
61.1.2.3 PPPoE Intermediate Agent vendor tag Frame
The following is the format of the tag added by PPPoE IA; adding this tag is the primary function of PPPoE IA.
client as untrust port. A trust port can receive all packets, while an untrust port can receive only PADI, PADR and PADT packets, which are sent towards the server. To ensure correct client operation, the port connected to the server must be set as a trust port; each access device has at least one trust port. A PPPoE IA vendor tag must not exist in PPPoE packets sent by the server to the client, so the switch can strip these vendor tags, if present, before forwarding such packets.
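A decoder for the PPPoE frame layout of 61.1.2 together with the untrust-port filter and vendor-tag strip just described, as an added example that is not code from the manual or from PLANET; the discovery code values and the vendor-specific tag type are RFC 2516 values (the manual names the packets but not their codes), the MAC addresses and tag contents are constructed, and the handling of session-stage frames is this example's assumption.

```python
# Added example, not from the PLANET manual: decode the PPPoE frame layout of
# section 61.1.2 and apply the trust/untrust port rules of section 61.2.
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # discovery-stage frames (PADI/PADO/PADR/PADS/PADT)
ETHERTYPE_PPPOE_SESSION = 0x8864     # session-stage frames
# Discovery Code values from RFC 2516; the manual names the packets but not their codes
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105         # tag type in which PPPoE IA carries its vendor tag
CLIENT_TO_SERVER = {CODE_PADI, CODE_PADR, CODE_PADT}   # the only codes an untrust port accepts


def parse_pppoe(frame: bytes) -> dict:
    """Parse Ethernet II + PPPoE header; for discovery frames also split the TLV tag list."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ethertype 0x{ethertype:04X}")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    version, ptype = ver_type >> 4, ver_type & 0x0F   # two 4-bit fields sharing one byte
    if version != 1 or ptype != 1:
        raise ValueError(f"unsupported PPPoE version/type {version}/{ptype}")
    payload = frame[20:20 + length]
    if len(payload) < length:
        raise ValueError("PPPoE payload truncated")
    tags = []
    if ethertype == ETHERTYPE_PPPOE_DISCOVERY:
        pos = 0
        while pos < length:
            if pos + 4 > length:
                raise ValueError("truncated tag header")
            tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
            if pos + 4 + tag_len > length:
                raise ValueError(f"tag 0x{tag_type:04X} overruns the payload")
            tags.append((tag_type, payload[pos + 4:pos + 4 + tag_len]))
            pos += 4 + tag_len
    return {"dst": frame[0:6], "src": frame[6:12], "ethertype": ethertype, "code": code,
            "session_id": session_id, "length": length, "tags": tags, "payload": payload}


def build_discovery(dst: bytes, src: bytes, code: int, session_id: int, tags) -> bytes:
    """Assemble a discovery-stage frame (version 1, type 1) from a list of (type, value) tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)


def untrust_port_accepts(frame: bytes) -> bool:
    """Client-facing (untrust) port rule: only PADI, PADR and PADT discovery packets pass.
    Session-stage frames are outside that discovery rule and are left alone here (an
    assumption of this example); malformed frames are dropped."""
    try:
        p = parse_pppoe(frame)
    except ValueError:
        return False
    if p["ethertype"] == ETHERTYPE_PPPOE_SESSION:
        return True
    return p["code"] in CLIENT_TO_SERVER


def strip_vendor_tags(frame: bytes) -> bytes:
    """Remove vendor-specific tags from a server-to-client discovery frame (vendor-tag strip)."""
    p = parse_pppoe(frame)
    if p["ethertype"] != ETHERTYPE_PPPOE_DISCOVERY:
        return frame
    kept = [(t, v) for t, v in p["tags"] if t != TAG_VENDOR_SPECIFIC]
    return build_discovery(p["dst"], p["src"], p["code"], p["session_id"], kept)


# Constructed sample frames: MAC addresses and the vendor tag body are made-up placeholders
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("00aabbccddee")
VENDOR_TAG_BODY = b"placeholder-vendor-tag"
PADI = build_discovery(b"\xff" * 6, CLIENT_MAC, CODE_PADI, 0, [(TAG_SERVICE_NAME, b"")])
PADO = build_discovery(CLIENT_MAC, SERVER_MAC, CODE_PADO, 0,
                       [(TAG_SERVICE_NAME, b"isp"), (TAG_VENDOR_SPECIFIC, VENDOR_TAG_BODY)])
# Session-stage frame: code 0, session id 1, 2-byte PPP payload (LCP protocol number 0xC021)
SESSION = (CLIENT_MAC + SERVER_MAC + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
           + struct.pack("!BBHH", 0x11, 0x00, 1, 2) + b"\xc0\x21")

if __name__ == "__main__":
    for name, frame in (("PADI", PADI), ("PADO", PADO), ("SESSION", SESSION)):
        print(name, "accepted on untrust port:", untrust_port_accepts(frame))
    print("PADO tags after strip:", parse_pppoe(strip_vendor_tags(PADO))["tags"])
```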
61.3 PPPoE Intermediate Agent Typical Application
A typical PPPoE Intermediate Agent application is as follows:
[Figure 61-4: PPPoE IA typical application]
Both the host and the BAS server run the PPPoE protocol; they are connected by a layer 2 Ethernet, and the switch enables the PPPoE Intermediate Agent function. Typical configuration (1):
Step1: Enable the global PPPoE IA function on the switch, MAC 0a0b0c0d0e0f.
Typical configuration (2):
Step 1: Enable the global PPPoE IA function on the switch; the switch MAC is 0a0b0c0d0e0f.
Switch(config)#pppoe intermediate-agent
Step 2: Configure port ethernet1/0/1, which connects to the server, as a trust port and enable the vendor tag strip function.
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
Step 3: Enable the PPPoE IA port function on port ethernet1/0/2 (VLAN 1) and port ethernet1/0/3 (VLAN 1234).
Chapter 62 SAVI Configuration
62.1 Introduction to SAVI
SAVI (Source Address Validation Improvement) is a security mechanism that validates source addresses at the granularity of an individual node. It obtains trusted node information (such as port and MAC address), called anchor information, by monitoring the exchange of the relevant protocol packets (such as ND and DHCPv6) using the CPS (Control Packet Snooping) mechanism.
Command (Global Mode): savi enable / no savi enable
Explanation: Enable the global SAVI function; the no command disables it.
2. Enable or disable the application scene function for SAVI
Command (Global Mode): savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable / no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
Explanation: Enable the application scene function for SAVI; the no command disables it.
6. Configure the global max-slaac-life for SAVI
Command (Global Mode): savi max-slaac-life / no savi max-slaac-life
Explanation: Configure the lifetime of a dynamic SLAAC binding in the BOUND state; the no command restores the default value.
11. Configure the check mode for SAVI conflict bindings
Command (Global Mode): savi check binding mode / no savi check binding mode
Explanation: Configure the check mode for conflicting bindings; the no command deletes the check mode.
12. Enable or disable user authentication
Command (Port Mode): savi ipv6 check source [ip-address mac-address | ip-address | mac-address] / no savi ipv6 check source
Explanation: Enable the source address check function for users on the port; the no command disables it.
Command (Port Mode): savi ipv6 binding num / no savi ipv6 binding num
Explanation: Configure the number of bindings allowed on a port; the no command restores the default value.
Note: The binding number limits only dynamic bindings; it does not limit the number of static bindings.
62.3 SAVI Typical Application
In practice, the SAVI function is usually applied on access layer switches to check the validity of the source addresses of directly connected nodes.
Ethernet1/0/12 of Switch1 and port Ethernet1/0/13 of Switch2, and enable the SAVI source address check function on them. Ethernet1/0/1 and Ethernet1/0/2 are the uplink ports of Switch1 and Switch2 respectively; enable the DHCP trust and ND trust functions on them. Aggregation Switch3 enables the DHCPv6 server function and the router advertisement function.
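The binding table below is an added example (not the switch's own code) of what the SAVI commands of this chapter describe: anchors learned by snooping DHCPv6 replies and ND DAD probes on access ports, a per-port limit that counts only dynamic bindings, the max-slaac-life lifetime, the three application scenes, the three check modes of the source check, and trusted uplink ports that are never checked. The conflict policy (the first binding for an address wins) is an assumption, since the page does not describe the check mode.

```python
"""SAVI-style binding table fed by control-packet snooping.  Added example,
not the switch's own code; the conflict policy is assumed."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Binding:
    port: str
    mac: str
    ip: str
    lifetime: float          # seconds left in the BOUND state (None for static)
    static: bool = False


class SaviTable:
    def __init__(self, scene="dhcp-slaac", trust_ports=(), binding_num=None,
                 max_slaac_life=3600):
        if scene not in ("dhcp-only", "slaac-only", "dhcp-slaac"):
            raise ValueError("unknown SAVI scene")
        self.scene = scene
        self.trust = set(trust_ports)        # uplinks with DHCP trust / ND trust
        self.binding_num = binding_num       # per-port dynamic limit, None = unlimited
        self.max_slaac_life = max_slaac_life
        self.bindings = []

    def _dynamic_count(self, port):
        return sum(1 for b in self.bindings if b.port == port and not b.static)

    def _add(self, port, mac, ip, lifetime, static=False):
        ip = ipaddress.IPv6Address(ip).compressed
        existing = next((b for b in self.bindings if b.ip == ip), None)
        if existing and (existing.port, existing.mac) != (port, mac):
            return False                     # conflict: assumed policy keeps the first anchor
        if existing:
            existing.lifetime = lifetime     # renewal refreshes the lifetime
            return True
        if (not static and self.binding_num is not None
                and self._dynamic_count(port) >= self.binding_num):
            return False                     # port limit applies to dynamic bindings only
        self.bindings.append(Binding(port, mac, ip, lifetime, static))
        return True

    def snoop_dhcpv6_reply(self, port, mac, ip, valid_lifetime):
        """Anchor (port, mac) of the client that the snooped REPLY assigns `ip` to."""
        if self.scene == "slaac-only" or port in self.trust:
            return False
        return self._add(port, mac, ip, valid_lifetime)

    def snoop_nd_dad(self, port, mac, ip):
        """DAD neighbor solicitation for a SLAAC address seen on an access port."""
        if self.scene == "dhcp-only" or port in self.trust:
            return False
        return self._add(port, mac, ip, self.max_slaac_life)

    def add_static(self, port, mac, ip):
        return self._add(port, mac, ip, None, static=True)

    def check_source(self, port, mac, ip, mode="ip-address mac-address"):
        """Validate a data packet's source; trust ports are never checked."""
        if port in self.trust:
            return True
        fields = mode.split()
        ip = ipaddress.IPv6Address(ip).compressed
        for b in self.bindings:
            if b.port != port:
                continue
            if "ip-address" in fields and b.ip != ip:
                continue
            if "mac-address" in fields and b.mac != mac:
                continue
            return True
        return False

    def tick(self, seconds):
        """Age dynamic bindings; expired ones leave the BOUND state and are removed."""
        for b in self.bindings:
            if not b.static:
                b.lifetime -= seconds
        self.bindings = [b for b in self.bindings if b.static or b.lifetime > 0]
```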
Chapter 63 Web Portal Configuration
63.1 Introduction to Web Portal Authentication
802.1x authentication requires a dedicated client, a layer 2 switch that supports it, and a RADIUS authentication server; the authentication messages use the EAP protocol.
2. Enable/disable web portal authentication on the port
Command (Port Mode): webportal enable / no webportal enable
Explanation: Enable/disable web portal authentication on the port.
3. Configure the maximum number of web portal bindings allowed on the port
Command (Port Mode): webportal binding-limit <1-256> / no webportal binding-limit
Explanation: Configure the maximum number of web portal bindings allowed on the port.
Command: clear webportal binding {mac WORD | interface |}
Explanation: Delete the binding information of web portal authentication.
63.3 Web Portal Authentication Typical Example
Figure: Internet; RADIUS server 192.168.40.100; Portal server 192.168.40.99; DHCP server; DNS server; Switch1 192.168.40.
The configuration of common web portal authentication is as follows:
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
Switch(config-if-vlan1)#exit
Switch(config)#webportal enable
Switch(config)#webportal nas-ip 192.168.40.50
Switch(config)#webportal redirect 192.168.40.
Chapter 64 VRRP Configuration
64.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance the reliability of the connection between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LANs) with multicast/broadcast capability, such as Ethernet, and has wide applications.
(1) Configure the preemptive mode for VRRP
(2) Configure VRRP priority
(3) Configure VRRP timer intervals
(4) Configure VRRP interface monitor
1. Create/Remove the Virtual Router
Command (Global Mode): router vrrp / no router vrrp
Explanation: Creates/Removes the Virtual Router.
Command (VRRP protocol configuration mode): advertisement-interval
Explanation: Configures the VRRP advertisement timer value (in seconds).
(4) Configure VRRP interface monitor
Command (VRRP protocol configuration mode): circuit-failover {IFNAME | Vlan } / no circuit-failover
Explanation: Configures the VRRP interface monitor; the no circuit-failover command removes the monitor from the interface.
SwitchB(Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchB(Config-Router-Vrrp)# interface vlan 1
SwitchB(Config-Router-Vrrp)# enable
64.4 VRRP Troubleshooting
When configuring and using VRRP, the protocol may fail to run properly due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
The physical connection is in good condition.
All interfaces and link protocols are in the UP state (use the "show interface" command).
Chapter 65 IPv6 VRRPv3 Configuration
65.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed based on VRRP (VRRPv2) for the IPv4 environment. The following is a brief introduction. In a network based on the TCP/IP protocol suite, routers must be specified in order to guarantee communication between devices that are not physically connected.
protocols. Compared with NDP, VRRP provides a fast default gateway switchover. In VRRP, a backup router can take over from an unavailable master router in about 3 seconds (with default parameters), and this process needs no interaction with hosts, so it is transparent to them.
65.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2 and is mainly implemented via the exchange of VRRP advertisement messages. It is briefly described as follows: each VRRP virtual router has a unique ID, the VRID, ranging from 1 to 255. The virtual router presents a unique virtual MAC address to the outside, in the format 00-00-5E-00-02-{VRID} (the format of the virtual MAC address in VRRPv2 is 00-00-5E-00-01-{VRID}).
65.2 VRRPv3 Configuration
65.2.1 Configuration Task Sequence
1. Create/delete the virtual router (necessary)
2. Configure the virtual IPv6 address and interface of VRRPv3 (necessary)
3. Enable/disable the virtual router (necessary)
4. Configure VRRPv3 assistant parameters (optional)
(1) Configure VRRPv3 preempt mode
(2) Configure VRRPv3 priority
(3) Configure the VRRPv3 advertisement interval
(4) Configure the monitor interface of VRRPv3
(2) Configure VRRPv3 priority
Command (VRRPv3 Protocol Mode): priority <priority>
Explanation: Configure the VRRPv3 priority.
(3) Configure the VRRPv3 advertisement interval
Command (VRRPv3 Protocol Mode): advertisement-interval
Explanation: Configure the VRRPv3 advertisement interval (in centiseconds).
IPv6_A and IPv6_B are in the same segment), the virtual IPv6 addresses of backup group 1 and backup group 2 are "V_IPv6_C" and "V_IPv6_D" respectively, and the default IPv6 gateway addresses of the hosts are configured as "V_IPv6_C" and "V_IPv6_D" respectively (in reality, the IPv6 gateway address of a host is usually learnt automatically via router advertisements, so the IPv6 next hop of the hosts will have some randomness). Doing this implements not only router backup but also traffic sharing in the LAN.
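The election and timer behaviour described in Chapters 64 and 65 (priority, preemption, the advertisement interval, the interface monitor, the roughly 3 second takeover, and the two virtual MAC formats) is shown below as an added example that is not the switch's own code. The takeover time is computed with the VRRPv2 and VRRPv3 master-down formulas from RFC 3768 and RFC 5798; the priority reduction applied by the interface monitor (priority_delta) is an assumed parameter, because the page does not give its value.

```python
"""VRRP master election, takeover timers and virtual MAC derivation for VRRPv2
(IPv4) and VRRPv3 (IPv6).  Added example, not the switch's own code."""
from dataclasses import dataclass
import ipaddress


def virtual_mac(vrid, version=2):
    """00-00-5E-00-01-{VRID} for VRRPv2, 00-00-5E-00-02-{VRID} for VRRPv3."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00-00-5e-00-%02x-%02x" % (1 if version == 2 else 2, vrid)


def master_down_interval(priority, adver_interval, version=2):
    """Seconds a backup waits without advertisements before it becomes master.
    v2: 3 * adver + (256 - prio) / 256.  v3: the skew is scaled by the
    master's advertisement interval.  Priority 100 and 1 s gives ~3.6 s."""
    skew = (256 - priority) / 256.0
    if version == 3:
        skew *= adver_interval
    return 3 * adver_interval + skew


@dataclass
class Router:
    name: str
    priority: int               # 1..254 (255 is reserved for the address owner)
    addr: str                   # interface address, used as the tie-breaker
    preempt: bool = True        # take over a lower-priority master when coming up
    up: bool = True
    monitor_down: bool = False  # circuit-failover: the monitored interface is down
    priority_delta: int = 60    # assumed reduction applied while monitor_down

    def effective_priority(self):
        if self.monitor_down:
            return max(1, self.priority - self.priority_delta)
        return self.priority


def _rank(r):
    # Highest priority wins; equal priorities are broken by the higher address.
    return (r.effective_priority(), int(ipaddress.ip_address(r.addr)))


def elect(routers, current=None):
    """Return the router that should be master, given the current master (or None)."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=_rank)
    if current is not None and current.up and current is not best and not best.preempt:
        return current              # better router exists but may not preempt
    return best
```

Note that with preemption disabled a recovered router with the higher priority stays backup until the current master fails, which avoids a second gateway switchover (and a second MAC relearn on the LAN) right after the first one.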
Chapter 66 MRPP Configuration
66.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for loop protection on Ethernet rings. It avoids the broadcast storm caused by a data loop on an Ethernet ring and restores communication among all nodes on the ring when a link on the ring is broken. MRPP is an extension of EAPS (Ethernet Automatic Protection Switching).
Each switch is a node on the Ethernet ring. There are several node types: Primary node: each ring has one primary node; it is the main node that detects faults and protects the ring. Transfer node: on each ring, all nodes other than the primary node are transfer nodes. The node role is determined by user configuration. As shown above, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
66.1.3 MRPP Protocol Operation
1. Link Down Alarm
When a transfer node detects that one of its MRPP ring ports has gone down, it immediately sends a Link Down packet to the primary node. On receiving the Link Down packet, the primary node immediately releases the blocked state of its secondary port and sends a LINK-DOWN-FLUSH-FDB packet to inform all transfer nodes to refresh their MAC address forwarding tables.
2) Configure MRPP ring
Command (Global Mode): mrpp ring / no mrpp ring
Explanation: Create an MRPP ring; the no command deletes the MRPP ring and its configuration.
Command (MRPP ring mode): control-vlan / no control-vlan
Explanation: Configure the control VLAN ID; the no command deletes the configured control VLAN ID.
Command (MRPP ring mode): node-mode {master | transit}
Explanation: Configure the node type of the MRPP ring (primary node or transfer node).
Command (MRPP ring mode): hello-timer <timer> / no hello-timer
Explanation: Configure the Hello timer of the MRPP ring; the no command restores the default value.
Command: clear mrpp statistics {}
Explanation: Clear the received data packet statistics of the MRPP ring.
66.3 MRPP Typical Scenario
Figure 66-2 MRPP typical configuration scenario (SWITCH A as master node, with SWITCH B, SWITCH C and SWITCH D; ports E1, E2, E11 and E12 form MRPP Ring 4000)
The above topology is common when using the MRPP protocol. Multiple switches constitute a single MRPP ring; all of the switches are configured with MRPP ring 4000 only, thereby forming a single MRPP ring.
Switch(Config)#
SWITCH B configuration task sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
SWITCH C configuration Task
66.4 MRPP Troubleshooting
Normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise a loop and a broadcast storm may easily form. When configuring an MRPP ring, it is better to disconnect the ring first, wait until every switch is configured, and then close the ring. When the MRPP ring is disabled on a switch that has MRPP enabled, make sure that the ring has been disconnected.
Chapter 67 ULPP Configuration
67.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state. When the master port has a link problem, the master port goes into the Down state and the slave port is switched to the Forwarding state.
method of MSTP instances, and ULPP does not provide protection to other VLANs. When an uplink switchover happens, the existing forwarding entries of the devices in the network no longer match the new topology. In the figure, SwitchA configures ULPP with portA1 as the master port in the Forwarding state; here the MAC address of the PC is learned by SwitchD from portD3. After this, portA1 fails and the traffic is switched to portA2 for forwarding.
1. Create ULPP group globally
Command (Global mode): ulpp group / no ulpp group
Explanation: Configure and delete a ULPP group globally.
2. Configure ULPP group
Command (ULPP group configuration mode): preemption mode / no preemption mode
Explanation: Configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
Command (ULPP group configuration mode): preemption delay / no preemption delay
Explanation: Configure the preemption delay; the no operation restores the default value of 30 s.
Command: ulpp group master / no ulpp group master
Explanation: Configure or delete the master port of the ULPP group.
Command: ulpp group slave / no ulpp group slave
Explanation: Configure or delete the slave port of the ULPP group.
3. Show and debug the related information of ULPP
Command (Admin mode): show ulpp group [group-id]
Explanation: Show the configuration information of the configured ULPP group.
Figure 67-3 ULPP typical example 1 (SwitchA with uplinks E1/1 and E1/2 to SwitchB and SwitchC, which both connect to SwitchD)
The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can configure the ULPP protocol with the master port and the slave port of a ULPP group.
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/1)# ulpp flush enable arp
Switch(config-If-Ethernet1/0/1)# ulpp control vlan 10
SwitchC configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/2
Switch(Config-
mutually back each other up and forward the packets of different VLAN ranges. When port E1/0/1 has a problem, the traffic of VLAN 1-200 is forwarded by port E1/0/2. When port E1/0/1 recovers, port E1/0/2 still forwards the data of VLAN 101-200, while the data of VLAN 1-100 is switched back to port E1/0/1.
67.4 ULPP Troubleshooting
At present, configuring more than 2 uplinks is allowed, but it may cause a loop, so it is not recommended. With a normal configuration, if a broadcast storm happens or communication along the ring is broken, please enable ULPP debugging, copy 3 minutes of debug information together with the configuration information, and send them to our technical service center.
Chapter 68 ULSM Configuration
68.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink ports are the monitored ports of the ULSM group.
68.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the related information of ULSM
1. Create ULSM group globally
Command (Global mode): ulsm group / no ulsm group
Explanation: Configure and delete a ULSM group globally.
68.3 ULSM Typical Example
Figure 68-2 ULSM typical example (SwitchA with uplinks E1/0/1 and E1/0/2 to SwitchB and SwitchC; SwitchB and SwitchC connect to SwitchD via E1/0/3 and E1/0/4)
The above topology is the typical application environment used by the ULSM and ULPP protocols. ULSM is used to synchronize port states; running alone it is of no use, so it is usually used together with ULPP. In the topology, SwitchA enables the ULPP protocol, which is used to switch the uplink.
Switch(config-If-Ethernet1/0/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/3
Switch(config-If-Ethernet1/0/3)#ulsm group 1 uplink
Switch(config-If-Ethernet1/0/3)#exit
SwitchC configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#interface ethernet 1/0/4
Switch(config-If-Ethernet1/0/4)#ulsm group 1 uplink
Switch(
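The state machine below is an added example (not the switch's own code) covering both the ULPP behaviour of Chapter 67 (master/slave ports, Forwarding/Standby/Down states, MAC/ARP flush on switchover, the 30 s preemption delay, and the VLAN load sharing of example 2) and the ULSM behaviour of Chapter 68 on SwitchB and SwitchC. Load sharing is modelled as two groups on the same pair of ports with master and slave swapped. The ULSM rule used here (downlink ports are forced down only once every uplink of the group is down) is an assumption; the page says only that the uplink ports are the monitored ports.

```python
"""ULPP uplink protection plus a ULSM group whose downlinks follow its uplinks.
Added example, not the switch's own code; the ULSM rule is assumed."""


class UlppGroup:
    def __init__(self, master, slave, vlans, preempt=True, preempt_delay=30):
        self.master, self.slave = master, slave
        self.vlans = set(vlans)                   # VLANs protected by this group
        self.preempt, self.preempt_delay = preempt, preempt_delay
        self.link = {master: True, slave: True}   # physical link state
        self.state = {master: "Forwarding", slave: "Standby"}
        self.preempt_timer = None                 # seconds until the master takes back over
        self.flushes = []                         # (port, vlans) flush notifications sent

    def forwarding_port(self):
        return next((p for p, s in self.state.items() if s == "Forwarding"), None)

    def _other(self, port):
        return self.slave if port == self.master else self.master

    def _switch_to(self, port):
        self.state[port] = "Forwarding"
        if self.link[self._other(port)]:
            self.state[self._other(port)] = "Standby"
        # Upstream switches still map the PC's MAC to the old path; a flush on
        # the control VLAN makes them relearn MAC and ARP entries.
        self.flushes.append((port, sorted(self.vlans)))

    def link_down(self, port):
        was_forwarding = self.state[port] == "Forwarding"
        self.link[port] = False
        self.state[port] = "Down"
        if port == self.master:
            self.preempt_timer = None
        if was_forwarding and self.link[self._other(port)]:
            self._switch_to(self._other(port))

    def link_up(self, port):
        self.link[port] = True
        if self.forwarding_port() is None:
            self._switch_to(port)
        else:
            self.state[port] = "Standby"
            if port == self.master and self.preempt:
                self.preempt_timer = self.preempt_delay   # default 30 s

    def tick(self, seconds):
        """Advance the preemption timer; the master resumes forwarding when it expires."""
        if self.preempt_timer is None:
            return
        self.preempt_timer -= seconds
        if self.preempt_timer <= 0:
            self.preempt_timer = None
            if self.link[self.master] and self.state[self.master] != "Forwarding":
                self._switch_to(self.master)


class UlsmGroup:
    """Downlink ports follow the monitored uplinks (assumed: forced down only
    when every uplink is down)."""

    def __init__(self, uplinks, downlinks):
        self.uplink_up = {p: True for p in uplinks}
        self.downlinks = list(downlinks)

    def set_uplink(self, port, is_up):
        """Record an uplink state change; return True if downlinks must be shut."""
        self.uplink_up[port] = is_up
        return self.downlinks_forced_down()

    def downlinks_forced_down(self):
        return not any(self.uplink_up.values())
```

The ULSM part is what makes an upstream failure visible to SwitchA: without it, SwitchB losing E1/0/3 would leave SwitchA's master port up and its traffic black-holed.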
Chapter 69 Mirror Configuration
69.1 Introduction to Mirror
Mirror functions include the port mirror, CPU mirror and flow mirror functions. Port mirroring refers to duplicating the data frames sent/received on a port to another port. The port being duplicated is referred to as the mirror source port, and the port receiving the duplicate is referred to as the mirror destination port.
Command (Global mode): monitor session source {interface | cpu [slot ]} {rx | tx | both} / no monitor session source {interface | cpu [slot ]}
Explanation: Specifies the mirror source port; the no command deletes the mirror source port.
Switch(config)#monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
69.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, please first check the following for causes:
Whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
Chapter 70 RSPAN Configuration
70.1 Introduction to RSPAN
Port mirroring refers to duplicating the data frames sent/received on a port to another port. The port being duplicated is referred to as the mirror source port, and the port receiving the duplicate is referred to as the mirror destination port. Once mirroring is in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more. Multiple source ports are not required to be in the same VLAN, and the destination port and the source ports can be in different VLANs.
1. Configure RSPAN VLAN
Command (VLAN Configuration Mode): remote-span / no remote-span
Explanation: Configure the specified VLAN as the RSPAN VLAN; the no command removes the RSPAN VLAN configuration.
2. Configure mirror source port
Command (Global Mode): monitor session source {interface | cpu [slot ]} {rx | tx | both} / no monitor session source
Explanation: Configure the mirror source port; the no command deletes the mirror source port.
70.3 Typical Examples of RSPAN
Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check network statistics. With RSPAN, network administrators can configure and supervise the switches remotely, which is more efficient. The figure below shows a sample application of RSPAN.
Intermediate switch: Interface ethernet1/0/6 is the source port, which is connected to the source switch. Interface ethernet1/0/7 is the destination port, which is connected to the destination switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch. The RSPAN VLAN is 5.
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#interface ethernet 1/0/3
Switch(Config-If-Ethernet1/0/3)#switchport mode trunk
Switch(Config-If-Ethernet1/0/3)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 reflector-port ethernet1/0/3
Switch(config)#monitor session 1 remote vlan 5
70.4 RSPAN Troubleshooting
RSPAN may not function for the following reasons:
The destination mirror port is a member of a port-channel group; if so, please change the port-channel group configuration.
The throughput of the destination port is less than the total throughput of the source mirror ports; if so, the destination port cannot capture all the datagrams from every source port.
Chapter 71 sFlow Configuration
71.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based protocol for exporting and monitoring network traffic information, developed by InMon. The monitored switch or router sends data to the analyzer through its main operations, sampling and statistics collection, and the analyzer then analyzes the data according to the user's requirements so as to monitor the network.
2. Configure the sFlow agent address
Command (Global Mode): sflow agent-address / no sflow agent-address
Explanation: Configure the source IP address used by the sFlow agent (proxy); the no form of the command deletes this address.
Command (Port Mode): sflow counter-interval / no sflow counter-interval
Explanation: Configure the maximum interval at which sFlow performs counter (statistics) sampling; the no form of this command deletes it.
8. Configure the analyzer used by sFlow
Command (Port Mode): sflow analyzer sflowtrend / no sflow analyzer sflowtrend
Explanation: Configure the analyzer used by sFlow; the no command deletes the analyzer.
71.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following:
Ensure the physical connection is correct.
Make sure the address of the sFlow analyzer configured under global or port mode is reachable.
Chapter 72 SNTP Configuration
72.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking. In most cases, NTP can provide an accuracy of 1 to 50 ms, depending on the characteristics of the synchronization source and the network route.
72.2 Typical Examples of SNTP Configuration
Figure 72-2 Typical SNTP configuration (two SNTP/NTP servers and several switches)
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers. Example: assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.
Chapter 73 NTP Function Configuration
73.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. Its events, states, transmit functions and actions are defined in RFC 1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network, so that the devices can provide diverse applications based on a consistent time.
Command (Global Mode): ntp server { | } [version ] [key ] / no ntp server { | }
Explanation: Enable the specified time server as a time source.
3. Configure the max number of broadcast or multicast servers supported by the NTP client
Command (Global Mode): ntp broadcast server count / no ntp broadcast server count
Explanation: Set the max number of broadcast or multicast servers supported by the NTP client.
7. Specify an interface as an NTP broadcast/multicast client interface
Command (Interface Configuration Mode): ntp broadcast client / no ntp broadcast client
Explanation: Configure the specified interface to receive NTP broadcast packets.
Command (Interface Configuration Mode): ntp multicast client / no ntp multicast client
Explanation: Configure the specified interface to receive NTP multicast packets.
Command (Interface Configuration Mode): ntp ipv6 multicast client / no ntp ipv6 multicast client
Explanation: Configure the specified interface to receive IPv6 NTP multicast packets.
Command: debug ntp sync / no debug ntp sync
Explanation: Enable/disable the debug switch for time synchronization information.
Command: debug ntp events / no debug ntp events
Explanation: Enable/disable the debug switch for NTP event information.
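The offset and delay estimation that Chapters 72 and 73 attribute to (S)NTP is carried out below in an added example that is not the switch's own code: it builds a mode 3 client request, parses the 48-byte reply, and applies the standard formulas offset = ((t2 - t1) + (t3 - t4)) / 2 and delay = (t4 - t1) - (t3 - t2). The reply used in the test is constructed, not captured, and the sanity checks (server mode, usable stratum, echoed originate timestamp, leap indicator) are the minimum a client should apply before trusting a reply; the key-based authentication of the ntp server command is not modelled.

```python
"""Minimal (S)NTP client-side logic: request, reply parsing, offset/delay.
Added example, not the switch's own code."""
import struct

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBBbIII4Q"         # LI/VN/Mode, stratum, poll, precision, root delay,
                                  # root dispersion, reference ID, 4 x 64-bit timestamps
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_ts(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int(round((unix_time - int(unix_time)) * (1 << 32)))
    return (seconds << 32) | fraction


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1, version=4):
    """Client request: only the transmit timestamp (t1) is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(t1))


def build_reply(t1, t2, t3, stratum=2, version=4, mode=MODE_SERVER):
    """Constructed server reply: originate = t1 (echoed), receive = t2, transmit = t3."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0, 0x4C4F434C,
                       to_ntp_ts(t2), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def parse_packet(data):
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(PACKET_FMT, data[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "orig": from_ntp_ts(f[8]), "recv": from_ntp_ts(f[9]),
            "xmit": from_ntp_ts(f[10])}


def synchronize(t1, reply, t4):
    """Validate a reply and return (offset, delay) in seconds."""
    p = parse_packet(reply)
    if p["mode"] != MODE_SERVER:
        raise ValueError("not a server reply")
    if p["stratum"] == 0 or p["stratum"] > 15:
        raise ValueError("server unusable (stratum %d)" % p["stratum"])
    if abs(p["orig"] - t1) > 1e-6:
        # The originate field must echo our own t1; otherwise the reply is stale
        # or was not sent in answer to our request (spoofed).
        raise ValueError("originate timestamp does not match our request")
    if p["leap"] == 3:
        raise ValueError("server clock not synchronized (LI=3)")
    t2, t3 = p["recv"], p["xmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2        # server clock minus client clock
    delay = (t4 - t1) - (t3 - t2)               # round trip minus server processing
    return offset, delay
```

The formulas assume symmetric path delay, which is why the page quotes an accuracy of 1 to 50 ms "according to the network route": any asymmetry shows up directly as offset error.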
Chapter 74 DNSv4/v6 Configuration
74.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS services, static and dynamic, which complement each other in application.
74.2 DNSv4/v6 Configuration Task List
1. Enable/disable the DNS function
2. Configure/delete the DNS server
3. Configure/delete the domain name suffix
4. Delete the domain entry of a specified address in the dynamic cache
5. Enable DNS dynamic domain name resolution
6. Enable/disable the DNS SERVER function
7. Configure the max number of client information entries in the switch queue
8. Configure the timeout value for caching client information on the switch
9. Monitor and diagnose the DNS function
5. Enable DNS dynamic domain name resolution
Command (Global Mode): dns lookup {ipv4 | ipv6}
Explanation: Enable DNS dynamic domain name resolution.
6. Enable/disable DNS SERVER function
Command (Global Mode): ip dns server / no ip dns server
Explanation: Enable/disable the DNS SERVER function.
Command: debug dns {all | packet [send | recv] | events | relay} / no debug dns {all | packet [send | recv] | events | relay}
Explanation: Enable/disable debugging of the DNS function.
74.3 Typical Examples of DNS
Figure: DNS SERVER (IP: 219.240.250.101, IPv6: 2001::1); switch configured with ip domain-lookup and dns-server 219.240.250.
request; otherwise, the switch relays the request to the real DNS server, passes the reply from the DNS server to the client and records the domain and its IP address for faster lookups in the future.
Switch configuration for DNS CLIENT:
Switch(config)# ip domain-lookup
Switch(config)# dns-server 219.240.250.101
Switch(config)# dns-server 2001::1
Switch#ping host www.sina.com.cn
Switch#traceroute host www.sina.com.cn
Switch#telnet host www.sina.com.
Chapter 75 Summer Time Configuration
75.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and use less artificial lighting, thus saving electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.
The configuration procedure is as follows:
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example 2: The configuration requirement is as follows: summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, the clock offset is 2 hours, and the summer time is named time_travel. The configuration procedure is as follows:
Switch(config)#clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120
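What the two command forms above actually resolve to, for a given year, is worked out in the following added example (not the switch's own code): it evaluates an absolute rule and a recurring "first sat apr" / "last sun oct" rule with a 120 minute offset, and applies the offset to a standard-time clock reading. Two assumptions that the page does not state are built in and labelled: both boundaries are interpreted in local standard time, and the offset defaults to 60 minutes when none is given.

```python
"""Summer time rule evaluation for absolute and recurring rules.
Added example, not the switch's own code; boundary interpretation and the
60-minute default offset are assumptions."""
import calendar
import datetime as dt

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6,
          "jul": 7, "aug": 8, "sep": 9, "oct": 10, "nov": 11, "dec": 12}
ORDINALS = {"first": 0, "second": 1, "third": 2, "fourth": 3}


def nth_weekday(year, month, ordinal, weekday):
    """Date of the first/second/third/fourth/last given weekday of a month."""
    if ordinal == "last":
        last = dt.date(year, month, calendar.monthrange(year, month)[1])
        return last - dt.timedelta(days=(last.weekday() - weekday) % 7)
    first = dt.date(year, month, 1)
    first += dt.timedelta(days=(weekday - first.weekday()) % 7)
    return first + dt.timedelta(weeks=ORDINALS[ordinal])


def _parse_absolute(text):
    """"23:00 2012.4.1" -> datetime (time first, then Y.M.D, as in the CLI)."""
    clock, date = text.split()
    y, m, d = (int(x) for x in date.split("."))
    return dt.datetime.combine(dt.date(y, m, d), dt.time.fromisoformat(clock))


def _parse_recurring(text):
    """"23:00 first sat apr" -> (time, ordinal, weekday, month)."""
    clock, ordinal, weekday, month = text.split()
    return dt.time.fromisoformat(clock), ordinal, WEEKDAYS[weekday], MONTHS[month]


class SummerTime:
    def __init__(self, name, offset_minutes=60):       # 60 is an assumed default
        self.name = name
        self.offset = dt.timedelta(minutes=offset_minutes)
        self.absolute = self.recurring = None

    @classmethod
    def from_absolute(cls, name, start, end, offset_minutes=60):
        rule = cls(name, offset_minutes)
        rule.absolute = (_parse_absolute(start), _parse_absolute(end))
        return rule

    @classmethod
    def from_recurring(cls, name, start, end, offset_minutes=60):
        rule = cls(name, offset_minutes)
        rule.recurring = (_parse_recurring(start), _parse_recurring(end))
        return rule

    def window(self, year):
        """(start, end) of summer time as naive local standard-time datetimes."""
        if self.absolute:
            return self.absolute
        (t1, o1, w1, m1), (t2, o2, w2, m2) = self.recurring
        return (dt.datetime.combine(nth_weekday(year, m1, o1, w1), t1),
                dt.datetime.combine(nth_weekday(year, m2, o2, w2), t2))

    def local_time(self, standard):
        """Clock reading for a standard-time instant given as 'YYYY-MM-DD HH:MM'."""
        t = dt.datetime.strptime(standard, "%Y-%m-%d %H:%M")
        start, end = self.window(t.year)
        if start <= t < end:                  # boundaries assumed in standard time
            t += self.offset
        return t.strftime("%Y-%m-%d %H:%M")
```

Because logs and certificate validity checks on the switch use this clock, it is worth verifying the computed window against a calendar after configuring a recurring rule: in 2012 the example rule starts on 7 April at 23:00 and ends on 28 October at 00:00.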
Chapter 76 Monitor and Debug
When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected; on network failure, they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
and packet sent time) with the HOPLIMIT set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1, so the HOPLIMIT becomes 0. The router therefore discards the datagram and returns an "ICMPv6 time exceeded" message (including the source address of the IPv6 packet, the full content of the IPv6 packet and the IPv6 address of the router). Upon receiving this message, Traceroute6 sends another datagram with the HOPLIMIT increased to 2 so as to discover the second router.
Command: show tech-support
Description: Display the operation information and the state of each task running on the switch. It is used by technicians to diagnose whether the switch operates properly.
Command: show version
Description: Display the version of the switch.
Command: show temperature
Description: Show the CPU temperature of the switch.
76.6 Debug
All the protocols the switch supports have corresponding debug commands. Users can use the information from the debug commands for troubleshooting.
SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non-Volatile Random Access Memory) inside the switch provide the two parts of the log buffer. Both buffers record log information in a circular fashion: when the log information to be recorded exceeds the buffer size, the oldest log information is erased and replaced by the new log information. Information saved in NVRAM stays permanently, while information in SDRAM is lost when the system restarts or encounte
Output from CLI commands is classified as informational.
Debugging output from CLI commands is classified as debugging.
Log information can be sent automatically to the corresponding channels according to its severity level. Among these, debugging information can only be sent to the monitor.
Command (Global Mode): logging executed-commands {enable | disable}
Description: Enable or disable the logging of executed commands.
4. Display the log source
Command (Admin and configuration mode): show logging source mstp
Description: Show the log information source of the MSTP module.
5. Display executed-commands state
Command (Admin mode): show logging executed-commands state
Description: Show the state of logging executed-commands.
Chapter 77 Reload Switch after Specified Time
77.1 Introduction to Reload Switch after Specified Time
Reloading the switch after a specified time means rebooting the switch, without cutting its power, after a specified period of time, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
77.2 Reload Switch after Specified Time Task List
Chapter 78 Debugging and Diagnosis for Packets Received and Sent by CPU
78.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.
Chapter 79 MPLS Overview
79.1 MPLS Overview
MPLS (Multiprotocol Label Switching), originating from IPv4, was first designed to improve forwarding speed. Its core technology can be extended to multiple network protocols, including IPv6 (Internet Protocol version 6), IPX (Internet Packet Exchange), AppleTalk, DECnet, CLNP (Connectionless Network Protocol) etc., since the "Multiprotocol" in MPLS means supporting multiple protocols.
Figure 79-1 The encapsulation structure of a label (fields: Label, Exp, S, TTL)
There are 4 fields in a label:
Label: the label value, 20 bits long, a pointer used for forwarding.
Exp: 3 bits, used by QoS.
S: 1 bit, supports the layered label structure of MPLS, that is, multiple label layers (a label stack). The value 1 marks the bottom-most label.
TTL: 8 bits, serves the same purpose as the TTL (Time To Live) in IP packets.
LSP are called the upstream and downstream LSR respectively, along the direction of data transmission. In the next figure, R2 is the downstream LSR of R1, while R1 is the upstream LSR of R2.
Figure 79-2 Label Switched Path (LSP) (routers R1, R2, R3, R4, R21 and R22)
The function of an LSP, like the virtual circuit of ATM and Frame Relay, is a unidirectional path from the ingress of an MPLS network to its egress. Each router along the LSP is an LSR.
With an LSR mapping multiple incoming labels to the same FEC, all these incoming labels correspond to the same outgoing label and egress port. As a result, when packets with different labels reach the LSR, all outgoing packets carry the same label. This process is called Label Merging. Label Merging can decrease the number of labels in the MPLS domain, but possibly at the cost of losing the ingress port information of the packets.
Figure 79-3 The MPLS network structure (a Label Switched Path from the Ingress to the Egress through MPLS Core LSRs and MPLS Edge LSRs (LERs))
The basic working process of MPLS, based on the above figure: First, LDP, together with traditional routing protocols (such as OSPF and IS-IS), creates route tables and the LIB (Label Information Base) for the FECs that demand the service. The ingress LER receives packets, completes the L3 function, determines the FEC of the packets and labels them, thus generating MPLS labeled packets.
However, by combining the powerful L3 routing of IP networks with the efficient forwarding mechanism of traditional L2 networks, MPLS uses a connection-oriented method at the forwarding plane, similar to existing L2 networks. As a result, it can achieve seamless convergence of IP with L2 networks such as ATM and Frame Relay, and provides better solutions for applications such as QoS, TE and VPN.
pre-configured service policy to different services, ensuring the service quality. The service class mechanism and the DSCP marking of Diff-Serv are similar to the label distribution mechanism of MPLS. In fact, MPLS-based Diff-Serv is implemented by combining DS (Differentiated Services) code point distribution with MPLS label distribution.
79.1.5 MPLS PHP
In an MPLS network, the core LSRs forward packets according to their labels.
Chapter 80 LDP
80.1 LDP Introduction
LDP (Label Distribution Protocol) is used for label distribution in an MPLS label-switching environment and applies only to networks capable of label switching. Integrated with the traditional routing algorithms, LDP distributes labels, advertises
80.1.1 Basic Concept of LDP
LDP Peer
When distributing a label for a FEC, LDP must advertise this label and its meaning across the MPLS network to create the LSP. Two LSRs that exchange label information via LDP are LDP peers. LDP peers obtain each other's label mappings and other messages.
LDP Session
Two LSRs create an LDP session between each other after exchanging LDP Discovery Hello messages. LSRs rely on LDP sessions to exchange messages such as label mapping and label release.
TLV Encoding
LDP encapsulates the parameters of LDP messages via TLV (Type-Length-Value) encoding. The LDP TLV format is as follows:
Figure 80-2 The TLV Format of LDP
U bit: Unknown TLV flag, 1 bit. When an LSR receives a TLV whose type it does not recognise, it checks this bit. If the U flag is 0, the LSR must send a notification back to the source LSR of the message and ignore the whole message; if the U flag is 1, the LSR ignores only this TLV and processes the remaining TLVs of the message normally.
F bit: Forward unknown TLV flag, 1 bit. This flag only applies to LDP messages that contain an unknown TLV whose U bit is set to 1: if F is 1 the unknown TLV is forwarded together with the containing message, if F is 0 it is not forwarded.
Type: 14 bits, identifies the TLV. Length: 16 bits, the length of the Value field in bytes. Value: the parameter itself.
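The U and F rules above decide whether an unrecognised TLV costs you the whole message, only that TLV, or is silently relayed. The following Python parser, added here as an example and not code from the switch or this manual, applies those rules to a constructed LDP message body. The type codes for the session and label-request TLVs are the ones listed in the type table of this chapter; the FEC and Generic Label codes, the unknown type 0x0700 and the sample values (a keepalive of 15 seconds and an LDP identifier of 192.168.1.1:0) are assumptions taken from RFC 5036 or constructed for the demonstration.

```python
import struct

# TLV type codes from RFC 5036 (the 0x05xx and 0x0600 values also appear in the
# type table of this chapter; 0x0100 and 0x0200 are added here from the RFC).
KNOWN_TLV_TYPES = {
    0x0100: "FEC",
    0x0200: "Generic Label",
    0x0500: "Common Session Parameters",
    0x0501: "ATM Session Parameters",
    0x0502: "Frame Relay Session Parameters",
    0x0600: "Label Request Message ID",
}
VENDOR_PRIVATE = range(0x3E00, 0x3F00)
EXPERIMENTAL = range(0x3F00, 0x4000)


class UnknownTlvError(ValueError):
    """Unknown TLV with U=0: drop the whole message and notify the sender."""


def encode_tlv(tlv_type, value, u=0, f=0):
    """Build one TLV: U(1) F(1) Type(14) | Length(16) | Value."""
    if not 0 <= tlv_type < (1 << 14):
        raise ValueError("TLV type must fit in 14 bits")
    return struct.pack("!HH", (u << 15) | (f << 14) | tlv_type, len(value)) + value


def parse_tlvs(data, known=KNOWN_TLV_TYPES):
    """Parse a sequence of TLVs applying the U/F rules.
    Unknown TLVs with U=1 are kept (flagged with their F bit so the caller can
    decide what to relay); an unknown TLV with U=0 raises UnknownTlvError."""
    tlvs, offset = [], 0
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated TLV header")
        head, length = struct.unpack_from("!HH", data, offset)
        u, f, tlv_type = head >> 15, (head >> 14) & 1, head & 0x3FFF
        value = data[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds message")
        offset += 4 + length
        if tlv_type in known:
            tlvs.append({"type": tlv_type, "name": known[tlv_type], "value": value,
                         "unknown": False, "forward": True})
        elif u == 0:
            raise UnknownTlvError(f"unknown TLV type 0x{tlv_type:04x} with U=0")
        else:
            name = ("Vendor-Private" if tlv_type in VENDOR_PRIVATE
                    else "Experimental" if tlv_type in EXPERIMENTAL else "Unknown")
            tlvs.append({"type": tlv_type, "name": name, "value": value,
                         "unknown": True, "forward": bool(f)})
    return tlvs


def forwardable(tlvs):
    """TLVs to re-encode when relaying: known ones always, unknown ones only if F=1."""
    return [t for t in tlvs if not t["unknown"] or t["forward"]]


def check_message(data):
    """Receiver decision for a message body: 'accept', 'reject' (drop and send a
    notification to the originator) or 'malformed' (length/header errors)."""
    try:
        parse_tlvs(data)
    except UnknownTlvError:
        return "reject"
    except ValueError:
        return "malformed"
    return "accept"


# Constructed sample body: Common Session Parameters (version 1, keepalive 15 s,
# A/D/PVLim 0, max PDU 0, receiver LDP id 192.168.1.1:0), a vendor-private TLV
# with U=1 F=1 (4-byte enterprise number then opaque data) and an experimental
# TLV with U=1 F=0.
SAMPLE_OK = (encode_tlv(0x0500, bytes.fromhex("0001000f00000000c0a801010000"))
             + encode_tlv(0x3E00, b"\x00\x00\x00\x09vendor", u=1, f=1)
             + encode_tlv(0x3F00, b"exp", u=1, f=0))
# Unknown type with U=0: the receiver must reject the entire message.
SAMPLE_BAD = encode_tlv(0x0700, b"??", u=0)

if __name__ == "__main__":
    for tlv in parse_tlvs(SAMPLE_OK):
        print(hex(tlv["type"]), tlv["name"], "forward" if tlv["forward"] else "drop")
    print(check_message(SAMPLE_BAD))
```

The length check matters in practice: a TLV whose declared length runs past the end of the PDU must be treated as malformed rather than read past the buffer, which is the classic parsing bug in protocol decoders of this shape.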
Common Session Parameters 0x0500
ATM Session Parameters 0x0501
Frame Relay Session Parameters 0x0502
Label Request Message ID 0x0600
Vendor-Private 0x3E00 to 0x3EFF
Experimental 0x3F00 to 0x3FFF
80.1.3 LDP Label Management
In the MPLS system, the downstream LSR decides which label is bound to a specific FEC and notifies the upstream LSR. That is to say, labels are assigned by the downstream LSR and distributed from downstream to upstream.
Figure 80-3 The Process of Label Advertisement (LSP1 and LSP2 through LSRs A to H, with label request and label mapping messages exchanged over LDP sessions between MPLS LSRs and LERs)
For example, for LSP1 in the figure above, LSR B is the upstream LSR of LSR C, while LSR C is the downstream LSR of LSR B. The two label advertisement modes, DoD (downstream on demand) and DU (downstream unsolicited), differ in whether the downstream LSR advertises a label only after receiving an explicit label request from its upstream LSR, or advertises it without being asked.
Ordered Mode: an LSR advertises the label mapping for a FEC to its upstream only when it already holds the label mapping for that FEC from its next hop, or when it is the egress router of the FEC. Label advertisement for a flow therefore starts at the egress router of the FEC and binds routers from downstream to upstream, which guarantees that the mapping between labels and the flow is complete and consistent throughout the network. Ordered mode prevents loops more effectively.
incoming labels. The LSR maps the label of each received packet to an NHLFE: it looks up the NHLFE in the LIB according to the incoming label, replaces the label with the new (outgoing) label and then forwards the labelled packet.
80.1.
downstream LSR, and specifies which FEC this label request is for. (2) The downstream LSR that receives the label request message saves it, finds the next hop of the corresponding FEC in its local routing table, and then sends a label request message to its own downstream LSR.
The hop count of the path exceeds the configured maximum value. If no record of its own LSR ID is found in the path vector, the LSR adds one. The maximum length of the path vector is the same as the maximum hop count.
80.2 LDP Configuration
LDP Configuration Task Sequence:
1. Enable MPLS globally (necessary)
2. Enable LDP (necessary)
(1) Enable/disable the LDP module
(2) Enable/disable label switching on the interface
(3) Enable/disable the LDP module on the interface
3.
2. Enable LDP
Basic LDP configuration in DCNOS is simple. Usually the user only has to enable the LDP switch globally, and then enable it on the interfaces where LDP should work. Note that an interface with LDP enabled must also have label switching enabled.
advertisement-mode {downstream-on-demand | downstream-unsolicited}
(Optional) Configure the global label advertisement mode: downstream-on-demand or downstream-unsolicited. This mode is tied to the other two modes: changing it also changes the label retention mode and the global LSP control mode.
[no] loop-detection-count <count>
(Optional) Configure the maximum hop count for LDP loop detection; the default value is 255. The no operation restores the default value.
(3) Configure the LDP targeted peers
Command / Explanation (Router Configuration Mode)
[no] targeted-peer <ip-address>
(Optional) Configure the destination address of a remote LDP targeted peer.
[no] hold-time <seconds>
(Optional) Configure the hold time for LDP multicast (link) hellos; the default value is 15 seconds. The no operation restores the default value.
[no] targeted-peer-hello-interval <seconds>
(Optional) Configure the interval for sending HELLOs to targeted peers; the default value is 15 seconds. The no operation restores the default value.
[no] targeted-peer-hold-time <seconds>
(Optional) Configure the LDP targeted peer hold time; the default value is 45 seconds. The no op
[no] ldp targeted-peer-hold-time <seconds>
(Optional, interface configuration mode) Configure the LDP targeted peer hold time on a specified interface; the no operation restores the default value.
Router Configuration Mode
[no] router-id <ip-address>
(Optional) Configure the LDP router ID, which is obtained automatically by default. The no operation cancels the manually configured router ID and automatically selects a valid interface IP address as the router ID.
(Optional) Configure the IP address that LDP uses for its TCP connections.
[no] request-retry
(Optional) Configure LDP to retry 5 times when a label request is rejected; the no operation disables the retry.
[no] request-retry-timeout <seconds>
(Optional) Configure the retry interval; the default value is 5 seconds. The no operation restores the default value.
[no] targeted-peer-hello-receipt
(Optional) Configure LDP to accept HELLOs from targeted peers even when the targeted peer is not configured on this host. Not accepting such HELLOs is the default setting. Enabling it means any host that can reach the LSR with a targeted hello may attempt to open an LDP session, so keep the default unless the remote peer genuinely cannot be configured.
Figure 80-4 MPLS VPN Typical Instance
The figure above shows a typical MPLS VPN instance, in which PE1, P and PE2 form the public network area, the area that switches via MPLS. CE-A1 and CE-A2 form VPN-A, CE-B1 and CE-B2 form VPN-B. Both VPNs communicate via label switching across the public network, and LDP must be configured in the public network area to distribute and advertise labels. To guarantee route reachability, routes are advertised via OSPF.
The LDP configuration of P is as follows:
P#config
P(config)#mpls enable
P(config)#router ldp
P(config-router)#exit
P(config)#interface vlan 1
P(config-if-Vlan1)#ip address 202.200.1.1 255.255.255.0
P(config-if-Vlan1)#ldp enable
P(config-if-Vlan1)#label-switching
P(config-if-Vlan1)#exit
P(config)#interface vlan 2
P(config-if-Vlan2)#ip address 202.200.2.1 255.255.255.0
P(config-if-Vlan2)#ldp enable
P(config-if-Vlan2)#label-switching
P(config-if-Vlan2)#exit
P(config)#router ospf
P(config-router)#network 202.
Second, after the connection succeeds, use the "show ldp interface" command to check whether LDP has been enabled correctly on the interface. If LDP has been enabled but the interface is not displayed, it is possible that the interface is not UP, or that label-switching is not configured on the interface.
Chapter 81 MPLS VPN
81.1 BGP/MPLS VPN Introduction
81.1.1 BGP/MPLS VPN Network Structure
BGP/MPLS VPN is a PE-based L3VPN technology among the VPN solutions provided by service providers; it uses BGP to advertise VPN routes and MPLS to forward VPN traffic across the provider backbone network. BGP/MPLS VPN networking is flexible and scalable, and supports MPLS QoS and MPLS TE conveniently, which explains its increasingly wide deployment. The BGP/MPLS VPN model consists of three parts: CE, PE and P.
the local VPN routes to the PE, and learns the remote VPN routes from the PE. CE and PE exchange routing information via BGP, an IGP, or static routes. After learning the local VPN routes from the CE, the PE exchanges VPN routing information with other PEs via BGP. A PE only maintains the VPN routes of the sites directly connected to it, not all VPN routes in the service provider network. A P router only maintains routes to the PEs and learns no VPN routing information at all.
routing table and LFIB (Label Forwarding Information Base). Specifically, a VPN instance contains: an LFIB, an IP routing table, the interfaces bound to the VPN instance, and its management information (including RD, route filter policy, member interface list, etc.).
VPN-IPv4 Address
Traditional BGP cannot correctly handle VPN routes with overlapping address spaces. Assume that VPN1 and VPN2 both use the segment 10.110.10.
Import Target attribute: when receiving VPN-IPv4 routes advertised by other PE routers, a PE checks the Export Target attributes carried by those routes and adds a route into the routing table of a VPN instance only when one of the route's Export Target values matches an Import Target of that VPN instance. In other words, the VPN Target attribute defines which sites can accept a VPN-IPv4 route, and from which sites a PE router can receive routes.
Figure 81-3 Forwarding VPN Packets (site1 1.1.1.1/24 behind CE1, PE1, two P routers, PE2, CE2 and site2 1.1.1.2/24; the packet to 1.1.1.2 carries its label stack across the backbone)
1. Site1 sends an IP packet with the destination address 1.1.1.2; CE1 forwards it to PE1.
2. PE1 looks up the VPN instance entries according to the interface on which the packet was received and the destination address; if there is a match, it adds two layers of label (inner and outer) to the packet and forwards it.
3.
Figure 81-4 Basic VPN Networking Resolution (sites site1 to site4 of VPN1 and VPN2 attached to two PEs across a P router; every VPN1 site uses one VPN Target for both Import and Export, every VPN2 site uses another)
In the figure above, the VPN Target distributed by the PE for VPN1 is 100:1, and that for VPN2 is 200:1. The sites of VPN1 can communicate with each other, and so can the two sites of VPN2. Communication between sites in VPN1 and sites in VPN2 is forbidden.
Figure 81-5 Hub&Spoke Networking Resolution (Spoke sites site1 and site2, each with Import: Hub and Export: Spoke, attached to Spoke-PEs; Hub site site3 with Import: Spoke and Export: Hub attached to the Hub-PE)
In the figure above, Spoke sites communicate with each other via the Hub site (the arrow in the figure shows the route advertisement process from site2 to site1): the Hub-PE can receive the VPN-IPv4 routes advertised by all Spoke-PEs. The VPN-IPv4 routes advertised by Hub-PE
If a VPN user wants to offer some site resources of this VPN to outside users, the Extranet networking resolution solves the problem. In this networking, if a VPN needs to access the shared site, its Export Target must be included in the Import Targets of the shared site's VPN instance, and its Import Target must be included in the Export Targets of the shared site's VPN instance.
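The Import/Export Target rule stated in 81.1 and the three networking resolutions above (basic, Hub&Spoke, Extranet) are all the same matching operation applied with different target sets. The following Python models that operation and runs the three scenarios; it is an added example, not code from the switch or this manual. The VPN Targets 100:1 and 200:1 come from the basic resolution text, "hub" and "spoke" stand in for the Hub/Spoke targets of Figure 81-5, and the RDs, the target 300:1 and all prefixes are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    """A VRF on a PE: its RD, Import/Export Targets and the prefixes learnt from its CE."""
    pe: str
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_prefixes: tuple = ()


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as carried by MP-BGP: RD + prefix, tagged with Route Targets."""
    rd: str
    prefix: str
    rts: frozenset
    origin: tuple  # (pe, vrf name) that exported it; a VRF never re-imports its own routes


def vrf(pe, name, rd, imports, exports, prefixes=()):
    return VpnInstance(pe, name, rd, frozenset(imports), frozenset(exports), tuple(prefixes))


def export_routes(inst, prefixes=None):
    """Export: each prefix leaves the VRF as (RD, prefix) carrying the VRF's Export Targets."""
    prefixes = inst.local_prefixes if prefixes is None else prefixes
    return [VpnRoute(inst.rd, p, inst.export_rts, (inst.pe, inst.name)) for p in prefixes]


def import_routes(instances, routes):
    """Import: a route enters a VRF only if one of the targets it carries is in the
    VRF's Import set. Returns {vrf name: {(rd, prefix), ...}}; the RD is what keeps
    overlapping prefixes from different VPNs apart."""
    table = {i.name: set() for i in instances}
    for route in routes:
        for inst in instances:
            if route.origin == (inst.pe, inst.name):
                continue
            if route.rts & inst.import_rts:
                table[inst.name].add((route.rd, route.prefix))
    return table


def basic_scenario():
    """Two VPNs that both use 10.1.1.0/24; the remote PE keeps one copy per VPN."""
    pe1 = [vrf("PE1", "vpn1", "100:1", ["100:1"], ["100:1"], ["10.1.1.0/24"]),
           vrf("PE1", "vpn2", "200:1", ["200:1"], ["200:1"], ["10.1.1.0/24"])]
    pe2 = [vrf("PE2", "vpn1", "100:1", ["100:1"], ["100:1"]),
           vrf("PE2", "vpn2", "200:1", ["200:1"], ["200:1"])]
    advertised = [r for i in pe1 for r in export_routes(i)]
    return import_routes(pe2, advertised)


def hub_spoke_scenario():
    """Spokes export 'spoke' and import 'hub'; the hub does the reverse and re-advertises."""
    spoke1 = vrf("Spoke-PE1", "spoke1", "1:1", ["hub"], ["spoke"], ["10.1.0.0/24"])
    spoke2 = vrf("Spoke-PE2", "spoke2", "1:2", ["hub"], ["spoke"], ["10.2.0.0/24"])
    hub = vrf("Hub-PE", "hub", "1:100", ["spoke"], ["hub"], ["10.100.0.0/24"])
    spoke_routes = export_routes(spoke1) + export_routes(spoke2)
    direct = import_routes([spoke1, spoke2, hub], spoke_routes)
    # Assumption: the hub site re-advertises everything it learnt back to the Hub-PE,
    # so spoke prefixes reach the other spokes only with the hub's RD and target.
    relearned = sorted(p for _rd, p in direct["hub"])
    hub_routes = export_routes(hub, hub.local_prefixes + tuple(relearned))
    via_hub = import_routes([spoke1, spoke2], hub_routes)
    return direct, via_hub


def extranet_scenario():
    """A shared site opens itself to VPN-A only, by crossing Import and Export Targets."""
    vpn_a = vrf("PE1", "vpn_a", "100:1", ["100:1", "300:1"], ["100:1"], ["10.1.0.0/24"])
    vpn_b = vrf("PE1", "vpn_b", "200:1", ["200:1"], ["200:1"], ["10.2.0.0/24"])
    shared = vrf("PE2", "shared", "300:1", ["300:1", "100:1"], ["300:1"], ["10.3.0.0/24"])
    everything = [r for i in (vpn_a, vpn_b, shared) for r in export_routes(i)]
    return import_routes([vpn_a, vpn_b, shared], everything)


if __name__ == "__main__":
    print(basic_scenario())
    print(hub_spoke_scenario())
    print(extranet_scenario())
```

The point to check when auditing a real configuration is the same as in the code: isolation between VPNs rests entirely on no VRF importing a target that another VPN exports, so a stray "route-target both" on a shared VRF is a leak, not a typo.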
In real-world deployments, the sites of one user VPN may connect to service providers with different AS numbers, or to different ASes of the same service provider. Such deployments, where one VPN spans multiple autonomous systems, are called Multi-AS VPN.
1. Enable MPLS globally (necessary)
2. Configure VPN instances (necessary)
(1) Create VPN instances and enter the VPN instance view
(2) Configure the VPN instance RD
(3) Configure the VPN instance RT
(4) Bind the VPN instance to an interface
3.
mpls enable / no mpls enable
(Necessary) Enable MPLS; the no operation disables MPLS.
2. Configure VPN instances (necessary)
(1) Create VPN instances and enter the VPN instance view
(2) Configure the VPN instance RD
(3) Configure the VPN instance RT
(4) Bind the VPN instance to an interface
Command / Explanation (Global Configuration Mode)
[no] ip vrf <vrf-name>
(Necessary) Create a VPN instance; no VPN instance exists by default.
Command / Explanation (BGP Protocol Configuration Mode)
neighbor <ip-address> remote-as <as-number>
(Necessary) Configure the remote PE as the public network VPNv4 neighbor. It is recommended to use loopback interface addresses when setting up BGP neighbors among the public network PEs.
neighbor <ip-address> update-source <interface-or-address>
Specify the local loopback interface used to set up the neighbor session.
address-family vpnv4 [unicast]
(Necessary) Create the BGP VPNv4 address family and enter the BGP-VPNv4 view. No VPNv4 address family exists by default.
3) Enable OSPF on the segment between PE and CE
4) Configure redistribution of BGP routes
5) Enter the BGP-VPN instance view
6) Configure redistribution of OSPF routes
7) Advertise the local private network routes
Command / Explanation (BGP Protocol Configuration Mode)
neighbor <ip-address> remote-as <as-number>
(Necessary) Configure the remote PE as the public network VPNv4 neighbor. It is recommended to use loopback interface addresses when setting up BGP neighbors among the public network PEs.
BGP-VPN instance view
[no] redistribute {connected | ospf | rip | static}
(Optional) Redistribute directly connected routes and the routes of the other listed protocols into BGP for the VPN instance. No route is redistributed by default.
[no] redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <name>]
(Optional) Redistribute the BGP routes (or the other listed protocols) into the VPN instance's IGP. No route is redistributed by default.
BGP Protocol Configuration Mode
[no] address-family ipv4 {unicast | multicast | vrf <vrf-name>}
(Optional) Create the BGP VPN address family and enter the BGP-VPN instance view. No VPNv4 address family exists by default.
Global Configuration Mode
[no] ip route vrf <vrf-name> <prefix> {<next-hop> | null0}
Configure a static route between PE and CE inside the VPN instance.
BGP Protocol Configuration Mode
[no] address-family ipv4 {unicast | multicast | vrf <vrf-name>}
(Optional) Create the BGP VPN address family and enter the BGP-VPN instance view. No VPNv4 address family exists by default.
Topology figure (PE-CE using EBGP): MPLS backbone AS 100 with PE1 (VLAN1 10.1.1.2/24, VLAN2 10.2.1.2/24, VLAN100 100.1.1.1/24, Loopback1 172.1.1.1/32), P (VLAN100 100.1.1.2/24, VLAN200 200.1.1.2/24, Loopback1 172.3.3.3/32) and PE2 (VLAN200 200.1.1.1/24, VLAN3 10.3.1.2/24, VLAN4 10.4.1.2/24, Loopback1 172.2.2.2/32). VPN-A (RT 100:1): CE1 in AS 65001 (VLAN1 10.1.1.1/24) and CE3 in AS 650003 (VLAN3 10.3.1.1/24). VPN-B (RT 100:2): CE2 in AS 65002 (VLAN2 10.2.1.1/24) and CE4 (VLAN4 10.4.1.
PE1(config-if-Vlan1)#ip vrf forwarding vpna
PE1(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
PE1(config-if-Vlan1)#exit
PE1(config)#interface vlan 2
PE1(config-if-Vlan2)#ip vrf forwarding vpnb
PE1(config-if-Vlan2)#ip address 10.2.1.2 255.255.255.0
PE1(config-if-Vlan2)#exit
(3) Globally enable MPLS and LDP
PE1(config)#mpls enable
PE1(config)#router ldp
PE1(config-router)#exit
(4) Configure the interfaces and enable LDP
PE1(config)#interface loopback 1
PE1(config-if-Loopback1)#ip address 172.1.
PE1(config-router-af)#neighbor 10.2.1.1 remote-as 65002
PE1(config-router-af)#redistribute connected
PE1(config-router-af)#exit
PE1(config-router)#exit
The configuration of router P is as follows:
(1) Globally enable MPLS and configure LDP on the related interfaces.
P#config
P(config)#mpls enable
P(config)#router ldp
P(config-router)#exit
P(config)#interface loopback 1
P(config-if-Loopback1)#ip address 172.3.3.3 255.255.255.
(2) Bind the interfaces to the VPN instances
PE2(config)#interface vlan 3
PE2(config-if-Vlan3)#ip vrf forwarding vpna
PE2(config-if-Vlan3)#ip address 10.3.1.2 255.255.255.0
PE2(config-if-Vlan3)#exit
PE2(config)#interface vlan 4
PE2(config-if-Vlan4)#ip vrf forwarding vpnb
PE2(config-if-Vlan4)#ip address 10.4.1.2 255.255.255.
PE2(config-router-af)#exit
PE2(config-router)#address-family ipv4 vrf vpnb
PE2(config-router-af)#neighbor 10.4.1.1 remote-as 65004
PE2(config-router-af)#redistribute connected
PE2(config-router-af)#exit
PE2(config-router)#exit
81.3.2 Create BGP MPLS VPN between PE-CE via OSPF
Topology figure (PE-CE using OSPF): the same backbone AS 100 as in 81.3.1, with the PE-CE links running OSPF. VPN-A sites CE1 in AS 65001 (VLAN1 10.1.1.1/24) and CE3 in AS 650003 (VLAN3 10.3.1.1/24) use RT 100:1 for both import and export, in VPN-A area 0; PE1 has VLAN1 10.1.1.2/24, VLAN100 100.1.1.1/24, Loopback1 172.1.1.1/32 and VLAN2 10.2.1.
PE1#config
PE1(config)#ip vrf vpna
PE1(config-vrf)#rd 100:1
PE1(config-vrf)#route-target both 100:1
PE1(config-vrf)#exit
PE1(config)#ip vrf vpnb
PE1(config-vrf)#rd 100:2
PE1(config-vrf)#route-target both 100:2
PE1(config-vrf)#exit
(2) Bind the interfaces to the VPN instances
PE1(config)#interface vlan 1
PE1(config-if-Vlan1)#ip vrf forwarding vpna
PE1(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.
PE1(config)#router ospf 1 vpna
PE1(config-router)#network 0.0.0.0/0 area 0
PE1(config-router)#redistribute connected
PE1(config-router)#redistribute bgp
PE1(config-router)#exit
PE1(config)#router ospf 1 vpnb
PE1(config-router)#network 0.0.0.0/0 area 0
PE1(config-router)#redistribute connected
PE1(config-router)#redistribute bgp
PE1(config-router)#exit
(7) Configure BGP
PE1(config)#router bgp 100
PE1(config-router)#neighbor 172.2.2.2 remote-as 100
PE1(config-router)#neighbor 172.2.2.2 update-source 172.
P(config-if-Vlan100)#exit
P(config)#interface vlan200
P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.0
P(config-if-Vlan200)#label-switching
P(config-if-Vlan200)#ldp enable
P(config-if-Vlan200)#exit
(2) Configure OSPF
P(config)#router ospf
P(config-router)#ospf router-id 172.3.3.3
P(config-router)#network 0.0.0.0/0 area 0
P(config-router)#redistribute connected
81.3.3 Create BGP MPLS VPN between PE-CE via RIP
Topology figure (PE-CE using RIP): the same backbone as in 81.3.1, with the PE-CE links running RIP. VPN-A uses RT 100:1 on CE1 in AS 65001 (VLAN1 10.1.1.
CE1(config-router)#redistribute connected
CE1(config-router)#exit
The configuration of MPLS BGP on switch PE1 is as follows (the configuration of PE2 is similar):
(1) Configure VPN instances
PE1#config
PE1(config)#ip vrf vpna
PE1(config-vrf)#rd 100:1
PE1(config-vrf)#route-target both 100:1
PE1(config-vrf)#exit
PE1(config)#ip vrf vpnb
PE1(config-vrf)#rd 100:2
PE1(config-vrf)#route-target both 100:2
PE1(config-vrf)#exit
(2) Bind the interfaces to the VPN instances
PE1(config)#interface vlan 1
PE1(config-if-Vlan1)#ip vrf forwarding v
PE1(config-router)#ospf router-id 172.1.1.1
PE1(config-router)#network 0.0.0.0/0 area 0
PE1(config-router)#redistribute connected
PE1(config-router)#exit
(6) Enable RIP in the VRF to advertise the private network routes
PE1(config)#router rip
PE1(config-router)#address-family ipv4 vrf vpna
PE1(config-router-af)#network 0.0.0.
P(config)#interface loopback 1
P(config-if-Loopback1)#ip address 172.3.3.3 255.255.255.255
P(config-if-Loopback1)#exit
P(config)#interface vlan 100
P(config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0
P(config-if-Vlan100)#label-switching
P(config-if-Vlan100)#ldp enable
P(config-if-Vlan100)#exit
P(config)#interface vlan200
P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.
The configuration of CE1 is as follows (the configurations of CE2 to CE4 are similar):
CE1#config
CE1(config)#interface vlan 1
CE1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
CE1(config-if-Vlan1)#exit
CE1(config)#interface loopback 1
CE1(config-if-Loopback1)#ip address 192.168.1.1 255.255.255.0
CE1(config-if-Loopback1)#exit
CE1(config)#ip route vrf vpna 192.168.2.1/24 10.1.1.
PE1(config-if-Vlan100)#ip address 100.1.1.1 255.255.255.0
PE1(config-if-Vlan100)#label-switching
PE1(config-if-Vlan100)#ldp enable
PE1(config-if-Vlan100)#exit
(5) Enable OSPF to advertise the backbone (public network) routes
PE1(config)#router ospf
PE1(config-router)#ospf router-id 172.1.1.1
PE1(config-router)#network 0.0.0.0/0 area 0
PE1(config-router)#redistribute connected
PE1(config-router)#exit
(6) Configure static private network routes
PE1(config)#ip route vrf vpna 192.168.1.1/24 10.1.1.2
PE1(config)#ip route vrf vpnb 192.168.2.1/24 10.1.1.
P(config-router)#exit
P(config)#interface loopback 1
P(config-if-Loopback1)#ip address 172.3.3.3 255.255.255.255
P(config-if-Loopback1)#exit
P(config)#interface vlan 100
P(config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0
P(config-if-Vlan100)#label-switching
P(config-if-Vlan100)#ldp enable
P(config-if-Vlan100)#exit
P(config)#interface vlan200
P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.0
P(config-if-Vlan200)#label-switching
P(config-if-Vlan200)#ldp enable
P(config-if-Vlan200)#exit
(2) Configure OSPF
P(config)#router ospf
P(config-router)#ospf router-id 172.3.3.
Besides, if no remote CE device can be seen from a CE after saving the corrected configuration and rebooting the device, please be patient: establishing the OSPF, LDP and BGP sessions and advertising the routes takes some time.
Chapter 82 Public Network Access of MPLS VPN
82.1 Public Network Access Introduction
Public network access of a VPN means the ability of the VPN sites to reach the public Internet. RFC 4364 defines the basic protocol rules, including several methods for a VPN to access the Internet:
Non-VRF Internet Access Mode
VRF Internet Access Mode 3
82.1.
82.1.2 VRF Internet Access Mode 3
In VRF Internet Access Mode 3, as shown in the next figure, the VPN sites access the Internet via the private network connections between PE and CE. The VRF routing tables of the PE routers contain Internet routes, which are learnt via the PE router connected to the Internet gateway (the Internet PE). The Internet PE creates an Internet VRF and connects to the Internet gateway through the interface bound to that Internet VRF.
(4) Configure a proper filter policy on the public network interface, to filter packets whose source and destination addresses are private network addresses.
(5) Configure default routes:
1) The IGW imports the default route into BGP.
2) The PE advertises the default route to the CE via the public network connection.
3) The CE advertises the default route to the PE via the private network connection, and from there it reaches the other CEs.
Figure 82-3 Non-VRF Internet Access Mode
The configuration of CE1 is as follows:
CE1#config
CE1(config)#access-list 1 deny 100.100.1.0 0.0.0.255
CE1(config)#access-list 1 deny 100.200.1.0 0.0.0.255
CE1(config)#access-list 1 permit any-source
CE1(config)#access-list 2 permit 10.1.1.0 0.0.0.255
CE1(config)#access-list 2 permit 10.1.2.0 0.0.0.255
CE1(config)#access-list 2 deny any-source
CE1(config)#interface vlan 1
CE1(config-if-Vlan1)#ip address 192.168.102.2 255.255.255.
CE1(config-router)#network 10.1.2.0/24
CE1(config-router)#redistribute connected
CE1(config-router)#neighbor 100.100.1.1 remote-as 100
CE1(config-router)#neighbor 100.100.1.1 distribute-list 2 out
CE1(config-router)#neighbor 192.168.102.1 remote-as 100
CE1(config-router)#neighbor 192.168.102.1 default-originate
CE1(config-router)#neighbor 192.168.102.1 distribute-list 1 out
CE1(config-router)#exit
CE1(config)#ip route 100.100.1.1 255.255.255.0 100.200.1.1
CE1(config)#ip route 0.0.0.0/0 100.200.1.
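The two outbound distribute-lists in the CE1 configuration above are what implements the filter policy of step (4): list 1, applied towards the VPN PE at 192.168.102.1, keeps the public-side link prefixes out of the VPN; list 2, applied towards the Internet PE at 100.100.1.1, lets only the site's own prefixes out. The following Python is an added example, not code from the switch or this manual: it parses standard access lists in the syntax shown above, evaluates them with wildcard-mask, first-match and implicit-deny semantics, and applies them to a constructed set of candidate routes the way a distribute-list does. The candidate prefixes and the session labels are assumptions for the demonstration.

```python
import ipaddress
import re

# The two standard access lists exactly as in the CE1 configuration above.
CE1_ACL_CONFIG = """
access-list 1 deny 100.100.1.0 0.0.0.255
access-list 1 deny 100.200.1.0 0.0.0.255
access-list 1 permit any-source
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.2.0 0.0.0.255
access-list 2 deny any-source
"""

# Constructed candidate routes in CE1's table: site prefixes, the VPN link,
# the two public-side links and the default route.
CANDIDATE_ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "192.168.102.0/24",
                    "100.100.1.0/24", "100.200.1.0/24", "0.0.0.0/0"]

ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")


def parse_acls(text):
    """Parse 'access-list <id> permit|deny <addr> <wildcard>' lines into
    {id: [(action, base, wildcard)]}. 'any-source' means 0.0.0.0 with
    wildcard 255.255.255.255, i.e. every bit is don't-care."""
    acls = {}
    for raw in text.strip().splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        acl_id, action, addr, wildcard = m.groups()
        if addr == "any-source":
            base, mask = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(addr))
            mask = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        acls.setdefault(int(acl_id), []).append((action, base, mask))
    return acls


def wildcard_match(address, base, wildcard):
    """A wildcard mask is the inverse of a netmask: 1 bits are ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(acl, address):
    """First matching entry decides; a standard ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action
    return "deny"


def filter_prefixes(acl, prefixes):
    """distribute-list semantics: apply the ACL to each route's network address."""
    return [p for p in prefixes
            if evaluate(acl, str(ipaddress.IPv4Network(p).network_address)) == "permit"]


def ce1_advertisements(acls, routes):
    """What CE1 announces on each BGP session after its outbound distribute-lists."""
    return {
        "to_vpn_pe_192.168.102.1": filter_prefixes(acls[1], routes),
        "to_internet_pe_100.100.1.1": filter_prefixes(acls[2], routes),
    }


if __name__ == "__main__":
    for session, prefixes in ce1_advertisements(parse_acls(CE1_ACL_CONFIG), CANDIDATE_ROUTES).items():
        print(session, prefixes)
```

Running it shows the asymmetry the design relies on: the VPN PE still receives the default route (list 1 ends in permit any-source), while the Internet PE receives nothing but the two site prefixes, so a typo that turns list 2's final deny into a permit would advertise the VPN link and default route to the Internet side.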
PE1(config)#router bgp 100
PE1(config-router)#neighbor 100.200.1.2 remote-as 60102
PE1(config-router)#neighbor 200.200.1.1 remote-as 100
PE1(config-router)#neighbor 202.200.3.2 remote-as 100
PE1(config-router)#neighbor 202.200.3.2 next-hop-self
PE1(config-router)#address-family vpnv4 unicast
PE1(config-router-af)#neighbor 200.200.1.1 activate
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf VRF-A
PE1(config-router-af)#neighbor 192.168.102.
PE2(config-vrf)#exit
PE2(config)#interface Vlan1
PE2(config-if-Vlan1)#ip vrf forwarding VRF-A
PE2(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.0
PE2(config-if-Vlan1)#exit
PE2(config)#interface Vlan2
PE2(config-if-Vlan2)#label-switching
PE2(config-if-Vlan2)#ldp enable
PE2(config-if-Vlan2)#ip address 202.200.1.2 255.255.255.0
PE2(config-if-Vlan2)#exit
PE2(config)#interface Loopback1
PE2(config-if-loopback1)#ip address 200.200.1.1 255.255.255.
IGW(config-if-Vlan1)#ip address 202.200.3.2 255.255.255.0
IGW(config-if-Vlan1)#exit
IGW(config)#interface Vlan2
IGW(config-if-Vlan2)#ip address 150.1.1.1 255.255.255.0
IGW(config-if-Vlan2)#exit
IGW(config)#router ospf
IGW(config-router)#network 202.200.3.0 0.0.0.255 area 0
IGW(config-router)#exit
IGW(config)#router bgp 100
IGW(config-router)#neighbor 202.200.2.2 remote-as 100
IGW(config-router)#neighbor 202.200.2.2 default-originate
82.
Chapter 83 SWITCH OPERATION
83.1 Address Table
The switch maintains an address table composed of many entries. Each entry stores the address information of a node on the network, including its MAC address and port number. This information comes from the learning process of the Ethernet switch.
83.2 Learning
When a packet arrives on any port, the switch records its source MAC address, the port number and other related information in the address table.
The switch performs store-and-forward switching, so frames that arrive with errors are discarded instead of being forwarded. This makes the network more reliable and reduces the retransmission rate.
83.5 Auto-Negotiation
The twisted-pair ports on the switch have built-in auto-negotiation. This technology automatically selects the best possible speed and duplex setting when a connection is established with another network device (usually at power-on or reset).
Chapter 84 TROUBLESHOOTING
This chapter contains information to help you solve problems. If the Ethernet switch is not functioning properly, first make sure it was set up according to the instructions in this manual.
The Link LED is not lit
Solution: check the cable connection and the duplex mode setting of the Ethernet switch.
Some stations cannot talk to stations located on another port
Solution: check the VLAN settings, the trunk settings and the port enabled/disabled status.
Chapter 85 APPENDIX A
85.1 A.1 Switch's RJ-45 Pin Assignments
1000Mbps, 1000Base-T
Contact   MDI       MDI-X
1         BI_DA+    BI_DB+
2         BI_DA-    BI_DB-
3         BI_DB+    BI_DA+
4         BI_DC+    BI_DD+
5         BI_DC-    BI_DD-
6         BI_DB-    BI_DA-
7         BI_DD+    BI_DC+
8         BI_DD-    BI_DC-
Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
85.2 A.
The standard RJ-45 receptacle/connector There are 8 wires on a standard UTP/STP cable and each wire is color-coded.
Chapter 86 GLOSSARY
Bandwidth Utilization
The percentage of the available bandwidth actually used by received traffic over a period of time.
BOO
TP
Bootstrap Protocol, used by devices connected to the network to obtain their IP configuration and the location of their boot image from a server.
Distance Vector Multicast Routing Protocol (DVMRP)
A distance-vector-style routing protocol used for routing multicast datagrams through the Internet. DVMRP combines many of the features of RIP with Reverse Path Broadcasting (RPB).
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. IEEE 802.3ac Defines frame extensions for VLAN tagging.
Multicast Switching
A process whereby the switch filters incoming multicast frames for services that no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group.
Open Shortest Path First (OSPF)
OSPF is a link-state routing protocol that scales better to large networks than distance-vector routing protocols such as RIP.
Telnet
Defines a remote communication facility for interfacing with a terminal device over TCP/IP.
Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.
Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network.
EC Declaration of Conformity
For the following equipment:
Type of Product: 24-Port 100/1000X SFP with 4 Optional 10G slots Layer 3 Managed Stackable Switch
Model Number: XGS3-24242
Produced by:
Manufacturer's Name: Planet Technology Corp.
Manufacturer's Address: 10F., No.96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.).
EC Declaration of Conformity
For the following equipment:
Type of Product: 24-Port Gigabit with 4 Optional 10G slots Layer 3 Managed Stackable Switch
Model Number: XGS3-24042
Produced by:
Manufacturer's Name: Planet Technology Corp.
Manufacturer's Address: 10F., No.96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.).