S3500 Series Operation Manual


Upload: charliil

Post on 10-Apr-2015


Page 1: S3500 Series Operation Manual

1. Getting Started

Table of Contents
Chapter 1 Product Overview
  1.1 Product Overview
  1.2 Function Features
Chapter 2 Logging in Ethernet Switch
  2.1 Set up Configuration Environment via the Console Port
  2.2 Set up Configuration Environment through Telnet
    2.2.1 Connect PC to Ethernet Switch through Telnet
    2.2.2 Telnet Ethernet Switch through Ethernet Switch
  2.3 Set up Configuration Environment through a Dial-up Modem
Chapter 3 Command Line Interface
  3.1 Command Line Interface
  3.2 Command Line View
  3.3 Feature and Functions of Command Line
    3.3.1 Online Help of Command Line
    3.3.2 Displaying Characteristics of Command Line
    3.3.3 History Command of Command Line
    3.3.4 Common Command Line Error Messages
    3.3.5 Editing Characteristics of Command Line
Chapter 4 User Interface Configuration
  4.1 User Interface Overview
  4.2 User Interface Configuration
    4.2.1 Enter User Interface View
    4.2.1 Configure the User Interface-supported Protocol
    4.2.2 Configure the Attributes of AUX (Console) Port
    4.2.3 Configure the Terminal Attributes
    4.2.4 Manage Users
    4.2.5 Configure Redirection
  4.3 Display and Debug User Interface

2. Port

Table of Contents
Chapter 1 Ethernet Port Configuration
  1.1 Ethernet Port Overview
  1.2 Ethernet Port Configuration
    1.2.1 Enter Ethernet port view
    1.2.2 Enable/Disable Ethernet Port
    1.2.3 Set Description Character String for Ethernet Port
    1.2.4 Set Duplex Attribute of the Ethernet Port

    1.2.5 Set Speed on the Ethernet Port
    1.2.6 Set Cable Type for the Ethernet Port
    1.2.7 Enable/Disable Flow Control for Ethernet Port
    1.2.8 Set Ethernet Port Broadcast Suppression Ratio
    1.2.9 Set link type for Ethernet port
    1.2.10 Add the Ethernet port to Specified VLANs
    1.2.11 Set the Default VLAN ID for the Ethernet Port
    1.2.12 Set the VLAN VPN Feature
    1.2.13 Set loopback detection for the Ethernet port
    1.2.14 Set the Time Interval of Calculating Port Statistics Information
  1.3 Display and Debug Ethernet Port
  1.4 Ethernet Port Configuration Example
  1.5 Ethernet Port Troubleshooting
Chapter 2 Link Aggregation Configuration
  2.1 Link Aggregation Overview
  2.2 Link Aggregation Configuration
    2.2.1 Aggregate Ethernet Ports
  2.3 Display and Debug Link Aggregation
  2.4 Link Aggregation Configuration Example
  2.5 Ethernet Link Aggregation Troubleshooting

3. VLAN

Table of Contents
Chapter 1 VLAN Configuration
  1.1 VLAN Overview
  1.2 Configure VLAN
    1.2.1 Enable/Disable VLAN Feature
    1.2.2 Create/Delete a VLAN
    1.2.3 Add Ethernet Ports to a VLAN
    1.2.4 Set/Delete VLAN or VLAN interface Description Character String
    1.2.5 Specify/Remove VLAN Interface
    1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface
    1.2.7 Shut down/Enable VLAN Interface
  1.3 Display and Debug VLAN
  1.4 VLAN Configuration Example
Chapter 2 Isolate-User-Vlan Configuration
  2.1 Isolate-user-vlan Overview
  2.2 Configure isolate-user-vlan
    2.2.1 Configure isolate-user-vlan

    2.2.2 Configure Secondary VLAN
    2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN
  2.3 Display and Debug isolate-user-vlan
  2.4 isolate-user-vlan Configuration Example
Chapter 3 GARP/GVRP Configuration
  3.1 Configure GARP
    3.1.1 GARP Overview
    3.1.2 Set GARP Timer
    3.1.3 Display and Debug GARP
  3.2 Configure GVRP
    3.2.1 GVRP Overview
    3.2.2 Enable/Disable Global GVRP
    3.2.3 Enable/Disable Port GVRP
    3.2.4 Set GVRP Registration Type
    3.2.5 Display and Debug GVRP
    3.2.6 GVRP Configuration Example

4. Network Protocol

Table of Contents
Chapter 1 IP Address Configuration
  1.1 IP Address Overview
    1.1.1 IP Address Classification and Indications
    1.1.2 Subnet and Mask
  1.2 Configure IP Address
    1.2.1 Configure Hostname and Host IP Address
    1.2.2 Configure IP Address of the VLAN Interface
  1.3 Display and debug IP Address
  1.4 IP Address Configuration Example
  1.5 Troubleshoot IP Address Configuration
Chapter 2 ARP Configuration
  2.1 Introduction to ARP
  2.2 Configure ARP
    2.2.1 Manually Add/Delete Static ARP Mapping Entries
    2.2.2 Configure ARP Timed Probing Function
    2.2.3 Configure the Dynamic ARP Aging Timer
    2.2.4 Configure ARP Source Address Suppression
  2.3 Display and debug ARP
Chapter 3 DHCP Relay Configuration
  3.1 Brief Introduction to DHCP Relay
  3.2 Configure DHCP Relay
    3.2.1 Configure IP Address of a DHCP Server

    3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface
    3.2.3 Configure the Address Table Entry
    3.2.4 Enable/Disable DHCP security features
    3.2.5 Enable/Disable DHCP pseudo-server detection
  3.3 Display and debug DHCP Relay
  3.4 DHCP Relay Configuration Example
  3.5 Troubleshoot DHCP Relay Configuration
Chapter 4 DHCP Configuration
  4.1 DHCP Overview
    4.1.1 DHCP Fundamentals
    4.1.2 DHCP Relay
  4.2 DHCP Public Configuration
    4.2.1 Enable/Disable the DHCP Service
    4.2.2 Define DHCP Message Handling Method
    4.2.3 Enable/Disable Pseudo-DHCP Server Detection
  4.3 DHCP Server Configuration
    4.3.1 Create Global DHCP Address Pool
    4.3.2 Configure Address Allocation Method for a DHCP Address Pool
    4.3.3 Configure IP Addresses Forbidden in Automatic Allocation
    4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool
    4.3.5 Configure DHCP Client Domain Name
    4.3.6 Configure DNS Server Addresses for DHCP Clients
    4.3.7 Configure NetBIOS Server Addresses for DHCP Clients
    4.3.8 Define NetBIOS Node Type of DHCP Clients
    4.3.9 Configure a DHCP Option
    4.3.10 Configure IP Addresses of Egress Gateways for DHCP Clients
    4.3.11 Configure the Ping Mechanism on DHCP Server
  4.4 DHCP Relay Configuration
    4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed
    4.4.2 Distribute Load among DHCP Servers
    4.4.3 Release Client IP Address through DHCP Relay
    4.4.4 Configure Address Map Entry for Security Check
    4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface
  4.5 Display and Debug DHCP
  4.6 DHCP Configuration Example
    4.6.1 DHCP Server Configuration Example
    4.6.2 DHCP Relay Configuration Example

  4.7 DHCP Troubleshooting
Chapter 5 Access Management Configuration
  5.1 Access Management Overview
  5.2 Configure Access Management
    5.2.1 Enable Access Management Function
    5.2.2 Configure the Access IP Address Pool Based on the Physical Port
    5.2.3 Configure Layer 2 Isolation between Ports
    5.2.4 Configure Port, IP Address and MAC Address Binding
    5.2.5 Enable/Disable Access Management Trap
  5.3 Display and debug Access Management
  5.4 Access Management Configuration Example
Chapter 6 IP Performance Configuration
  6.1 IP Performance Configuration
    6.1.1 Configure TCP Attributes
  6.2 Display and debug IP Performance
  6.3 Troubleshoot IP Performance

5. Routing Protocol

Table of Contents
Chapter 1 IP Routing Protocol Overview
  1.1 Introduction to IP Route and Routing Table
    1.1.1 IP Route and Route Segment
    1.1.2 Route Selection through the Routing Table
  1.2 Routing Management Policy
    1.2.1 Routing protocols and the preferences of the corresponding routes
    1.2.2 Support Load Sharing and Route Backup
    1.2.3 Routes Shared between Routing Protocols
Chapter 2 Static Route Configuration
  2.1 Introduction to Static Route
    2.1.1 Attributes and Functions of Static Route
    2.1.2 Default Route
  2.2 Static Route Configuration
    2.2.1 Configure a static route
    2.2.2 Configure a default route
    2.2.3 Configure the default preference of static routes
  2.3 Display and Debug Static Route
  2.4 Typical Static Route Configuration Example
  2.5 Static Route Fault Diagnosis and Troubleshooting
Chapter 3 RIP Configuration

  3.1 Brief Introduction to RIP
  3.2 RIP Configuration
    3.2.1 Enable RIP and Enter RIP view
    3.2.2 Enable RIP Interface
    3.2.3 Configure Unicast of the Message
    3.2.4 Specify RIP Version of the Interface
    3.2.5 Configure RIP-1 zero field check of the interface packet
    3.2.6 Specify the operating state of the interface
    3.2.7 Disable host route
    3.2.8 RIP-2 Route Aggregation Function
    3.2.9 Set RIP-2 Packet Authentication
    3.2.10 Configure Split Horizon
    3.2.11 Configure RIP to Import Routes of Other Protocols
    3.2.12 Configure Default Cost for the Imported Route
    3.2.13 Set the RIP Preference
    3.2.14 Set Additional Routing Metric
    3.2.15 Configure Route Filtering
  3.3 Display and Debug RIP
  3.4 Typical RIP Configuration Example
    3.4.1 Networking requirements
    3.4.2 Networking diagram
    3.4.3 Configuration procedure
  3.5 RIP Fault Diagnosis and Troubleshooting
Chapter 4 OSPF Configuration
  4.1 OSPF Overview
    4.1.1 Introduction to OSPF
    4.1.2 Process of OSPF Route Calculation
    4.1.3 OSPF Packets
    4.1.4 Basic Concepts Related to OSPF
  4.2 OSPF Configuration
    4.2.1 Enable OSPF and Enter OSPF View
    4.2.2 Enter OSPF Area view
    4.2.3 Specify interface
    4.2.4 Configure Router ID
    4.2.5 Configure the Network Type on the OSPF Interface
    4.2.6 Configure the Cost for Sending Packets on an Interface
    4.2.7 Set the Interface Priority for DR Election
    4.2.8 Set the Peer
    4.2.9 Set the Interval of Hello Packet Transmission
    4.2.10 Set a dead timer for the neighboring routers
    4.2.11 Configure an Interval required for sending LSU packets

    4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers
    4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF
    4.2.14 Configure STUB Area of OSPF
    4.2.15 Configure NSSA of OSPF
    4.2.16 Configure the Route Summarization of OSPF Area
    4.2.17 Configure Summarization of Imported Routes by OSPF
    4.2.18 Configure OSPF Virtual Link
    4.2.19 Configure the OSPF Area to Support Packet Authentication
    4.2.20 Configure OSPF Packet Authentication
    4.2.21 Configure OSPF to import Routes of Other Protocols
    4.2.22 Configure Parameters for OSPF to Import External Routes
    4.2.23 Configure OSPF to Import the Default Route
    4.2.24 Set OSPF Route Preference
    4.2.25 Configure OSPF Route Filtering
    4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets
    4.2.27 Disable the Interface to Send OSPF Packets
    4.2.28 Reset the OSPF Process
  4.3 Display and Debug OSPF
  4.4 Typical OSPF Configuration Example
    4.4.1 Configuring DR Election Based on OSPF Priority
    4.4.2 Configuring OSPF Virtual Link
    4.4.3 OSPF Fault Diagnosis and Troubleshooting
Chapter 5 BGP Configuration
  5.1 Brief Introduction to BGP
  5.2 BGP Configuration
    5.2.1 Enable BGP
    5.2.2 Configure Networks for BGP Distribution
    5.2.3 Configure BGP Peer (Group)
    5.2.4 Configure BGP Timer
    5.2.5 Configure the local preference
    5.2.6 Configure MED for AS
    5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs
    5.2.8 Configure BGP Community
    5.2.9 Configure BGP Route Summarization
    5.2.10 Configure BGP Route Reflector
    5.2.11 Configure BGP AS Confederation Attribute
    5.2.12 Configure BGP route dampening

    5.2.13 Configure the repeating time of local AS
    5.2.14 Configure the Redistribution of BGP and IGP
    5.2.15 Define ACL, AS Path List, and Route-policy
    5.2.16 Configure BGP Route Filtering
    5.2.17 Clear BGP Connection
  5.3 Display and Debug BGP
  5.4 Typical BGP Configuration Example
    5.4.1 Configure BGP AS Confederation Attribute
    5.4.2 Configure BGP Route Reflector
    5.4.3 Configure BGP Routing
  5.5 Fault Diagnosis and BGP Troubleshooting
Chapter 6 IP Routing Policy Configuration
  6.1 Brief Introduction to IP Routing Policy
  6.2 IP Routing Policy Configuration
    6.2.1 Define a route-policy
    6.2.2 Define If-match clauses for a Route-policy
    6.2.3 Define apply clauses for a Route-policy
    6.2.4 Importing Routing Information Discovered by Other Routing Protocols
    6.2.5 Define ip-Prefix
    6.2.6 Configure Route Filtering
  6.3 Display and Debug the Routing Policy
  6.4 Typical IP Routing Policy Configuration Example
    6.4.1 Configure to Filter the Received Routing Information
  6.5 Routing Policy Fault Diagnosis and Troubleshooting
Chapter 7 Route Capacity Configuration
  7.1 Route Capacity Configuration Overview
    7.1.1 Introduction
    7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch
  7.2 Route Capacity Configuration
    7.2.1 Set the Lower Limit of the Ethernet switch Memory
    7.2.2 Set the Safety Value of the Ethernet switch Memory
    7.2.3 Set the Lower Limit and the Safety Value Simultaneously
    7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically
    7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically
  7.3 Display and Debug Route Capacity

6. Multicast

Table of Contents i

Page 9: S3500 Series Operation Manual

Chapter 1 IP Multicast Overview 1-1
1.1 IP Multicast Overview 1-1
1.2 Multicast Addresses 1-2
1.2.1 IP Multicast Addresses 1-2
1.2.2 Ethernet Multicast MAC Addresses 1-4
1.3 IP Multicast Protocols 1-4
1.3.1 Internet Group Management Protocol 1-4
1.3.2 Multicast Routing Protocol 1-5
1.4 IP Multicast Packet Forwarding 1-6
1.5 Application of Multicast 1-6

Chapter 2 GMRP Configuration 2-1
2.1 GMRP Overview 2-1
2.2 Configure GMRP 2-1
2.2.1 Enable/Disable GMRP Globally 2-1
2.2.2 Enable/Disable GMRP on the Port 2-2
2.3 Display and debug GMRP 2-2
2.4 GMRP Configuration Example 2-2

Chapter 3 IGMP Snooping Configuration 3-1
3.1 IGMP Snooping Overview 3-1
3.1.1 IGMP Snooping Principle 3-1
3.1.2 Implement IGMP Snooping 3-3
3.2 Configure IGMP Snooping 3-5
3.2.1 Enable/Disable IGMP Snooping 3-5
3.2.2 Configure Router Port Aging Time 3-6
3.2.3 Configure Maximum Response Time 3-6
3.2.4 Configure Aging Time of Multicast Group Member 3-6
3.3 Display and debug IGMP Snooping 3-7
3.4 IGMP Snooping Configuration Example 3-7
3.4.1 Enable IGMP Snooping 3-7
3.5 Troubleshoot IGMP Snooping 3-8

Chapter 4 Common Multicast Configuration 4-1
4.1 Introduction to Common Multicast Configuration 4-1
4.2 Common Multicast Configuration 4-1
4.2.1 Enable Multicast 4-1
4.3 Display and Debug Common Multicast Configuration 4-1

Chapter 5 IGMP Configuration 5-1
5.1 IGMP Overview 5-1
5.2 IGMP Configuration 5-2
5.2.1 Enable Multicast 5-2
5.2.2 Configure the IGMP Version 5-3
5.2.3 Configure a Router to Join Specified Multicast Group 5-3


5.2.4 Limit Multicast Groups An Interface Can Access 5-4
5.2.5 Configure the Interval to Send IGMP Query Message 5-4
5.2.6 Configure the Present Time of IGMP Querier 5-4
5.2.7 Configure Maximum Response Time for IGMP Query Message 5-5
5.3 Display and Debug IGMP 5-5

Chapter 6 PIM-DM Configuration 6-1
6.1 PIM-DM Configuration 6-2
6.1.1 Enable Multicast 6-3
6.1.2 Enable PIM-DM 6-3
6.1.3 Configure the Interface Hello Message Interval 6-3
6.2 Display and Debug PIM-DM 6-4
6.3 PIM-DM Configuration Example 6-4

Chapter 7 PIM-SM Configuration 7-1
7.1 PIM-SM Overview 7-1
7.1.1 Introduction to PIM-SM 7-1
7.1.2 PIM-SM Operating Principle 7-1
7.1.3 Preparations before Configuring PIM-SM 7-2
7.2 PIM-SM Configuration 7-3
7.2.1 Enable Multicast 7-4
7.2.2 Enable PIM-SM 7-4
7.2.3 Configure the Interface Hello Message Interval 7-4
7.2.4 Configure the PIM-SM Domain Border 7-5
7.2.5 Enter PIM View 7-5
7.2.6 Configure Candidate-BSRs 7-5
7.2.7 Configure Candidate-RPs 7-6
7.2.8 Configure Static RP 7-7
7.2.9 Configure RP to Filter the Register Messages Sent by DR 7-7
7.2.10 Set the Threshold of Switchover from the RPT to the SPT 7-8
7.3 Display and Debug PIM-SM 7-8
7.4 PIM-SM Configuration Example 7-9

7. QoS/ACL

Table of Contents i

Chapter 1 ACL Configuration 1-1
1.1 Brief Introduction to ACL 1-1
1.1.1 ACL Overview 1-1
1.1.2 ACL Supported by Ethernet Switch 1-3
1.2 Configure ACL of S3526 Series Ethernet Switches 1-4
1.2.1 Configure Time-Range 1-4
1.2.2 Define ACL 1-5


1.2.3 Activate ACL 1-7
1.2.4 Display and Debug ACL 1-9
1.3 Configure ACL of S3526E and S3526C 1-9
1.3.1 Configure Time-Range 1-10
1.3.2 Define ACL 1-10
1.3.3 Activate ACL 1-14
1.3.4 Display and Debug ACL 1-14
1.4 Configure ACL of S3552 Series Ethernet Switches 1-15
1.4.1 Configure Time-Range 1-15
1.4.2 Define ACL 1-16
1.4.3 Activate ACL 1-18
1.4.4 Display and Debug ACL 1-18
1.5 ACL Configuration Example of S3526 Series Switches 1-19
1.5.1 Advanced ACL Configuration Example 1-19
1.5.2 Basic ACL Configuration Example 1-20
1.5.3 Link ACL Configuration Example 1-21
1.6 ACL Configuration Example of S3526E and S3526C 1-22
1.6.1 Advanced ACL Configuration Example 1-22
1.6.2 Basic ACL Configuration Example 1-24
1.6.3 Link ACL Configuration Example 1-25
1.6.4 User-defined ACL Configuration Example 1-26

Chapter 2 QoS configuration 2-1
2.1 QoS Overview 2-1
2.1.1 Traffic 2-1
2.1.2 Traffic Classification 2-1
2.1.3 Packet Filter 2-2
2.1.4 Traffic Policing 2-2
2.1.5 Port traffic limit 2-2
2.1.6 Redirection 2-2
2.1.7 Traffic Priority 2-2
2.1.8 Queue Scheduling 2-2
2.1.9 Traffic Mirroring 2-4
2.1.10 Traffic Counting 2-4
2.2 Configure QoS of S3526 Series Switches 2-4
2.2.1 Set the Port Priority 2-7
2.2.2 Configure Trust Packet Priority 2-7
2.2.3 Configure Priority Marking 2-8
2.2.4 Configure Queue Scheduling 2-8
2.2.5 Configure Traffic Mirroring 2-10
2.2.6 Configure Traffic Statistics 2-10
2.2.7 Display and Debug QoS 2-11
2.3 Configure QoS of S3526E and S3526C 2-11
2.3.1 Set the Port Priority 2-12
2.3.2 Configure Trust Packet Priority 2-12
2.3.3 Traffic Policing 2-12
2.3.4 Port Traffic limit 2-13
2.3.5 Configure Packet Redirection 2-13
2.3.6 Configure Priority Marking 2-14
2.3.7 Configure Queue Scheduling 2-15
2.3.8 Configure Traffic Mirroring 2-17
2.3.9 Configure Traffic Statistics 2-17
2.3.10 Display and Debug QoS 2-18
2.4 QoS Configuration for S3552 Series Ethernet Switches 2-18
2.4.2 Configure Service Group Allocation Rule 2-19
2.4.3 Configure Traffic Policing 2-20
2.4.4 Configure Traffic Shaping 2-22
2.4.5 Configure Priority Remark 2-23
2.4.6 Configure Traffic Redirection 2-24
2.4.7 Configure Queue Scheduling 2-25
2.4.8 Configure Congestion Avoidance 2-26
2.4.9 Configure Traffic Mirroring 2-27
2.4.10 Configure Port Mirroring 2-28
2.4.11 Configure Traffic Statistic 2-29
2.4.12 Display and Debug QoS 2-30
2.5 QoS Configuration Example of S3526 Series Switches 2-31
2.5.1 Traffic Mirroring Configuration Example 2-31
2.6 QoS Configuration Example of S3526E and S3526C 2-32
2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example 2-32
2.6.2 Traffic Mirroring Configuration Example 2-34
2.7 QoS Configuration Example of S3552 Series Switches 2-35
2.7.1 Traffic Policing Configuration Example 2-35
2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example 2-36
2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example 2-38
2.7.4 Priority Marking Configuration Example 2-39

Chapter 3 Logon User ACL Control Configuration 3-1
3.1 Overview 3-1
3.2 Configure ACL Control over the TELNET User 3-1
3.2.1 Define ACL 3-1
3.2.2 Call ACL to Control TELNET User 3-2

Page 13: S3500 Series Operation Manual

3.2.3 Configuration Example 3-2
3.3 Configure ACL Control over the SNMP Users 3-3
3.3.1 Define an ACL 3-4
3.3.2 Call ACL to Control SNMP User 3-4
3.3.3 Configuration Example 3-5
3.4 Configure ACL Control over the HTTP Users 3-6
3.4.1 Define an ACL 3-6
3.4.2 Call ACL to Control HTTP User 3-6
3.4.3 Configuration Example 3-7

8. Integrated management

Table of Contents i

Chapter 1 Stack Function Configuration 1-1
1.1 Stack Function Overview 1-1
1.2 Configure Stack Function 1-1
1.2.1 Configure IP Address Pool for the Stack 1-1
1.2.2 Enable/Disable a Stack 1-2
1.2.3 Switch to a Slave Switch view to Perform the Configuration 1-2
1.3 Display and Debug Stack Function 1-3
1.4 Stack Function Configuration Example 1-3

Chapter 2 HGMP V2 Configuration 2-1
2.1 HGMP V2 Overview 2-1
2.1.1 Overview 2-1
2.1.2 Role of Switch 2-1
2.1.3 Functions 2-3
2.2 Configure NDP 2-4
2.2.1 NDP Overview 2-4
2.2.2 Enable/Disable System NDP 2-5
2.2.3 Enable/Disable Port NDP 2-5
2.2.4 Set NDP Holdtime 2-6
2.2.5 Set NDP Timer 2-6
2.2.6 Display and Debug NDP 2-6
2.3 Configure NTDP 2-7
2.3.1 NTDP Overview 2-7
2.3.2 Enable/Disable System NTDP 2-8
2.3.3 Enable/Disable Port NTDP 2-8
2.3.4 Set Hop Number for Topology Collection 2-9
2.3.5 Set hop-delay and port-delay for Collected Device to Forward Topology Collection Request 2-9
2.3.6 Set Topology Collection Interval 2-10
2.3.7 Start manually Topology Information Collection 2-10

Page 14: S3500 Series Operation Manual

2.3.8 Display and Debug NTDP 2-11
2.4 Configure Cluster 2-11
2.4.1 Cluster Overview 2-11
2.4.2 Enable/Disable Cluster Function 2-12
2.4.3 Enter cluster view 2-12
2.4.4 Configure Cluster IP Address Pool 2-13
2.4.5 Name Administrator device and Cluster 2-13
2.4.6 Add/Delete a Cluster Member device 2-14
2.4.7 Set up a Cluster Automatically 2-14
2.4.8 Set Cluster Holdtime 2-15
2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval 2-15
2.4.10 Configure Remote Control over the Member device 2-16
2.4.11 Configure the Cluster Server and Network Management and Log Hosts 2-17
2.4.12 Member Accessing 2-17
2.4.13 Display and Debug Cluster 2-18
2.5 HGMP V2 Configuration Example 2-18

9. STP

Table of Contents i

Chapter 1 RSTP Configuration 1-1
1.1 STP Overview 1-1
1.1.1 Function of STP 1-1
1.1.2 Implement STP 1-1
1.1.3 Implement RSTP on Ethernet Switch 1-7
1.2 Configure RSTP 1-7
1.2.1 Enable/Disable RSTP on a Switch 1-8
1.2.2 Enable/Disable RSTP on a Port 1-8
1.2.3 Configure RSTP Operating Mode 1-9
1.2.4 Set Priority of a Specified Bridge 1-9
1.2.5 Specify the Switch as Primary or Secondary Root Switch 1-10
1.2.6 Set Forward Delay of a Specified Bridge 1-11
1.2.7 Set Hello Time of the Specified Bridge 1-12
1.2.8 Set Max Age of the Specified Bridge 1-12
1.2.9 Set Timeout Factor of the Bridge 1-13
1.2.10 Set the Maximum Transmission Speed of the Specified Port 1-13
1.2.11 Set Specified Port to be an EdgePort 1-14
1.2.12 Set Path Cost of the Specified Port 1-14
1.2.13 Set the Priority of a Specified Port 1-15

Page 15: S3500 Series Operation Manual

1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link 1-15
1.2.15 Set mCheck of the Specified Port 1-16
1.2.16 Configure the Switch Security Function 1-17
1.3 Display and Debug RSTP 1-18
1.4 RSTP Configuration Example 1-18

Chapter 2 MSTP Region-configuration 2-1
2.1 MSTP Overview 2-1
2.1.1 MSTP Concepts 2-1
2.1.2 MSTP Principles 2-4
2.2 Configure MSTP 2-10
2.2.1 Configure the MST Region for a Switch 2-11
2.2.2 Specify the Switch as Primary or Secondary Root Switch 2-12
2.2.3 Configure the MSTP Running Mode 2-14
2.2.4 Configure the Bridge Priority for a Switch 2-14
2.2.5 Configure the Max Hops in an MST Region 2-15
2.2.6 Configure the Switching Network Diameter 2-16
2.2.7 Configure the Time Parameters of a Switch 2-16
2.2.8 Configure the Max Transmission Speed on a Port 2-18
2.2.9 Configure a Port as an Edge Port 2-19
2.2.10 Configure the Path Cost of a Port 2-20
2.2.11 Configure the Priority of a Port 2-21
2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link 2-22
2.2.13 Configure the mCheck Variable of a Port 2-23
2.2.14 Configure the Switch Security Function 2-24
2.2.15 Enable MSTP on the Device 2-25
2.2.16 Enable/Disable MSTP on a Port 2-26
2.3 Display and Debug MSTP 2-26

10. Security

Table of Contents i

Chapter 1 802.1x Configuration 1-1
1.1 802.1x Overview 1-1
1.1.1 802.1x Standard Overview 1-1
1.1.2 802.1x System Architecture 1-1
1.1.3 802.1x Authentication Process 1-2
1.1.4 Implement 802.1x on Ethernet Switch 1-3
1.2 Configure 802.1x 1-3
1.2.1 Enable/Disable 802.1x 1-4
1.2.2 Set the Port Access Control Mode 1-4

Page 16: S3500 Series Operation Manual

1.2.3 Set Port Access Control Method 1-5
1.2.4 Check the Users that Log on the Switch via Proxy 1-5
1.2.5 Set Supplicant Number on a Port 1-6
1.2.6 Set to Enable DHCP to Launch Authentication 1-6
1.2.7 Configure Authentication Method for 802.1x User 1-6
1.2.8 Set the Maximum times of authentication request message retransmission 1-7
1.2.9 Set the handshake period of 802.1x 1-7
1.2.10 Configure Timers 1-8
1.2.11 Enable/Disable quiet-period Timer 1-9
1.3 Display and Debug 802.1x 1-9
1.4 802.1x Configuration Example 1-9

Chapter 2 AAA and RADIUS Protocol Configuration 2-1
2.1 AAA and RADIUS Protocol Overview 2-1
2.1.1 AAA Overview 2-1
2.1.2 RADIUS Protocol Overview 2-1
2.1.3 Implement AAA/RADIUS on Ethernet Switch 2-2
2.2 Configure AAA 2-3
2.2.1 Create/Delete ISP Domain 2-3
2.2.2 Configure Relevant Attributes of ISP Domain 2-4
2.2.3 Create a Local User 2-5
2.2.4 Set Attributes of Local User 2-5
2.2.5 Disconnect a User by Force 2-6
2.3 Configure RADIUS Protocol 2-7
2.3.1 Create/Delete a RADIUS server Group 2-7
2.3.2 Set IP Address and Port Number of RADIUS Server 2-8
2.3.3 Set RADIUS Packet Encryption Key 2-9
2.3.4 Set Response Timeout Timer of RADIUS Server 2-10
2.3.5 Set Retransmission Times of RADIUS Request Packet 2-10
2.3.6 Set a Real-time Accounting Interval 2-10
2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded 2-11
2.3.8 Enable/Disable Stopping Accounting Request Buffer 2-12
2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request 2-12
2.3.10 Set the Supported Type of RADIUS Server 2-13
2.3.11 Set RADIUS Server State 2-13
2.3.12 Set Username Format Transmitted to RADIUS Server 2-14
2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2-14
2.3.14 Configure Local RADIUS Server Group 2-15
2.4 Display and Debug AAA and RADIUS Protocol 2-15

Page 17: S3500 Series Operation Manual

2.5 AAA and RADIUS Protocol Configuration Examples 2-16
2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server 2-16
2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server 2-18
2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting 2-18

Chapter 3 HABP Configuration 3-1
3.1 HABP Overview 3-1
3.2 HABP configuration 3-1
3.2.1 Configuring HABP Server 3-1
3.2.2 Configuring HABP Client 3-2
3.3 Displaying and Debugging HABP Attribute 3-2

Chapter 4 System-guard Configuration 4-1
4.1 System-guard Overview 4-1
4.2 System-guard Configuration 4-1
4.2.1 Enable system-guard function 4-1
4.2.2 Set the max detection count of the affected hosts 4-2
4.2.3 Set parameters of address learning 4-2
4.3 Display and Debug System-guard 4-3

11. Reliability

Table of Contents i

Chapter 1 VRRP Configuration 1-1
1.1 VRRP Overview 1-1
1.2 Configure VRRP 1-2
1.2.1 Enable/disable the Function to Ping the Virtual IP Address 1-3
1.2.2 Set Correspondence between Virtual IP Address and MAC Address 1-3
1.2.3 Add/Delete a Virtual IP Address 1-4
1.2.4 Configure the priority of switches in the virtual router 1-5
1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router 1-5
1.2.6 Configure Authentication Type and Authentication Key 1-6
1.2.7 Configure VRRP Timer 1-7
1.2.8 Configure Switch to Track a Specified Interface 1-7
1.3 Display and Debug VRRP 1-8
1.4 VRRP Configuration Example 1-8
1.4.1 VRRP Single Virtual Router Example 1-8
1.4.2 VRRP Tracking Interface Example 1-10
1.4.3 Multiple Virtual Routers Example 1-11
1.5 Troubleshoot VRRP 1-12

Page 18: S3500 Series Operation Manual

12. System Management

Table of Contents i
Chapter 1 File System Management 1-1
1.1 File System 1-1
1.1.1 File System Overview 1-1
1.1.2 Directory Operation 1-1
1.1.3 File Operation 1-1
1.1.4 Storage Device Operation 1-2
1.1.5 Set the Prompt Mode of the File System 1-2
1.2 Configure File Management 1-3
1.2.1 Configure File Management Overview 1-3
1.2.2 Display the Current-configuration and Saved-configuration of Ethernet Switch 1-3
1.2.3 Save the Current-configuration 1-4
1.2.4 Erase Configuration Files from Flash Memory 1-4
1.3 FTP 1-5
1.3.1 FTP Overview 1-5
1.3.2 Enable/Disable FTP Server 1-6
1.3.3 Configure the FTP Server Authentication and Authorization 1-6
1.3.4 Configure the Running Parameters of FTP Server 1-7
1.3.5 Display and Debug FTP Server 1-7
1.3.6 Introduction to FTP Client 1-8
1.3.7 FTP client configuration example 1-8
1.3.8 FTP server configuration example 1-10
1.4 TFTP 1-11
1.4.1 TFTP Overview 1-11
1.4.2 Configure the File Transmission Mode 1-12
1.4.3 Download Files by means of TFTP 1-12
1.4.4 Upload Files by means of TFTP 1-12
1.4.5 TFTP Client Configuration Example 1-13
Chapter 2 MAC Address Table Management 2-1
2.1 MAC Address Table Management Overview 2-1
2.2 MAC Address Table Configuration 2-2
2.2.1 Set MAC Address Table Entries 2-2
2.2.2 Set MAC Address Aging Time 2-2
2.2.3 Set the Max Count of MAC Address Learned by a Port 2-3
2.3 Display and Debug MAC Address Table 2-4
2.4 MAC Address Table Management Configuration Example 2-4
Chapter 3 Device management 3-1
3.1 Device Management Overview 3-1


3.2 Device Management Configuration 3-1
3.2.1 Reboot Ethernet Switch 3-1
3.2.2 Designate the APP Adopted When Booting the Ethernet Switch Next Time 3-1
3.2.3 Upgrade BootROM 3-2
3.3 Display and Debug Device Management Configuration 3-2
Chapter 4 System Maintenance and Debugging 4-1
4.1 Basic System Configuration 4-1
4.1.1 Set Name for Switch 4-1
4.1.2 Set the System Clock 4-1
4.1.3 Set the Time Zone 4-1
4.1.4 Set the Summer Time 4-2
4.2 Display the State and Information of the System 4-2
4.3 System Debugging 4-3
4.3.1 Enable/Disable the Terminal Debugging 4-3
4.3.2 Display Diagnostic Information 4-4
4.4 Testing Tools for Network Connection 4-4
4.5 Logging Function 4-5
4.5.1 Introduction to Info-center 4-5
4.5.2 Info-center Configuration 4-8
4.5.3 Sending the Configuration Information to Loghost 4-11
4.5.4 Sending the Configuration Information to Console terminal 4-13
4.5.5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal 4-15
4.5.6 Sending the Configuration Information to Log Buffer 4-18
4.5.7 Sending the Configuration Information to Trap Buffer 4-20
4.5.8 Sending the Configuration Information to SNMP Network Management 4-21
4.5.9 Turn on/off the Information Synchronization Switch in Fabric 4-23
4.5.10 Displaying and Debugging Info-center 4-24
4.5.11 Configuration examples of sending log to Unix loghost 4-24
4.5.12 Configuration examples of sending log to Linux loghost 4-26
4.5.13 Configuration examples of sending log to console terminal 4-29
Chapter 5 SNMP Configuration 5-1
5.1 SNMP Overview 5-1
5.2 SNMP Versions and Supported MIB 5-1
5.3 Configure SNMP 5-2
5.3.1 Set Community Name 5-3
5.3.2 Set the Method of Identifying and Contacting the Administrator 5-3
5.3.3 Enable/Disable SNMP Agent to Send Trap 5-4


5.3.4 Set the Destination Address of Trap 5-4
5.3.5 Set Lifetime of Trap Message 5-4
5.3.6 Set SysLocation 5-5
5.3.7 Set SNMP Version 5-5
5.3.8 Set the Engine ID of a Local or Remote Device 5-5
5.3.9 Set/Delete an SNMP Group 5-6
5.3.10 Set the Source Address of Trap 5-6
5.3.11 Add/Delete a User to/from an SNMP Group 5-6
5.3.12 Create/Update View Information or Deleting a View 5-7
5.3.13 Set the Size of SNMP Packet Sent/Received by an Agent 5-7
5.3.14 Disable SNMP Agent 5-7
5.4 Display and Debug SNMP 5-8
5.5 SNMP Configuration Example 5-8
Chapter 6 RMON Configuration 6-1
6.1 RMON Overview 6-1
6.2 Configure RMON 6-2
6.2.1 Add/Delete an Entry to/from the Alarm Table 6-2
6.2.2 Add/Delete an Entry to/from the Event Table 6-2
6.2.3 Add/Delete an Entry to/from the History Control Table 6-3
6.2.4 Add/Delete an Entry to/from the Extended RMON Alarm Table 6-3
6.2.5 Add/Delete an Entry to/from the Statistics Table 6-3
6.3 Display and Debug RMON 6-4
6.4 RMON Configuration Example 6-4
Chapter 7 NTP Configuration 7-1
7.1 Brief Introduction to NTP 7-1
7.1.1 NTP Functions 7-1
7.1.2 Basic Operating Principle of NTP 7-1
7.2 NTP Configuration 7-2
7.2.1 Configure NTP Operating Mode 7-3
7.2.2 Configure NTP ID Authentication 7-6
7.2.3 Set NTP Authentication Key 7-6
7.2.4 Set Specified Key as Reliable 7-7
7.2.5 Designate an Interface to Transmit NTP Message 7-7
7.2.6 Set NTP Master Clock 7-7
7.2.7 Enable/Disable an Interface to Receive NTP Message 7-8
7.2.8 Set Authority to Access a Local Ethernet Switch 7-8
7.2.9 Set Maximum Local Sessions 7-9
7.3 NTP Display and Debugging 7-9
7.4 Typical NTP Configuration Example 7-9
Chapter 8 SSH Terminal Services 8-1


8.1 SSH Terminal Services 8-1
8.1.1 SSH Overview 8-1
8.1.2 Configuring SSH Server 8-3
8.1.3 Configuring SSH Client 8-6
8.1.4 Displaying and Debugging SSH 8-10
8.1.5 SSH Configuration Example 8-11

13. Appendix

Table of Contents i
Appendix A Acronyms A-1


HUAWEI

1. Getting Started

2. Port

3. VLAN

4. Network Protocol

5. Routing Protocol

6. Multicast

7. QoS/ACL

8. Integrated Management

9. STP

10. Security

11. Reliability

12. System Management

13. Appendix

Quidway S3500 Series Ethernet Switches Operation Manual

VRP3.10


Quidway S3500 Series Ethernet Switches

Operation Manual

Manual Version T2-081666-20040712-C-1.03

Product Version VRP3.10

BOM 31160966

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. If you purchased the products from a sales agent of Huawei Technologies Co., Ltd., please contact that sales agent. If you purchased the products from Huawei Technologies Co., Ltd. directly, please feel free to contact our local office, customer care center or company headquarters.

Huawei Technologies Co., Ltd.

Address: Administration Building, Huawei Technologies Co., Ltd.,

Bantian, Longgang District, Shenzhen, P. R. China

Postal Code: 518129

Website: http://www.huawei.com


Copyright © 2004 Huawei Technologies Co., Ltd.

All Rights Reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks

HUAWEI, C&C08, EAST8000, HONET, ViewPoint, INtess, ETS, DMC, TELLIN, InfoLink, Netkey, Quidway, SYNLOCK, Radium, M900/M1800, TELESIGHT, Quidview, Musa, Airbridge, Tellwin, Inmedia, VRP, DOPRA, iTELLIN, HUAWEI OptiX, C&C08 iNET, NETENGINE, OptiX, iSite, U-SYS, iMUSE, OpenEye, Lansway, SmartAX, infoX, TopEng are trademarks of Huawei Technologies Co., Ltd.

All other trademarks mentioned in this manual are the property of their respective holders.

Notice

The information in this manual is subject to change without notice. Every effort has been made in the preparation of this manual to ensure the accuracy of its contents, but the statements, information, and recommendations in this manual do not constitute a warranty of any kind, express or implied.


About This Manual

Release Notes

The product version that corresponds to the manual is VRP3.10.

Related Manuals

The following manuals provide more information about the Quidway S3500 Series Ethernet Switches.

Manual: Content

Quidway S3528 Series Ethernet Switches Installation Manual: It provides information for the system installation.

Quidway S3552F Ethernet Switch Installation Manual: It provides information for the system installation.

Quidway S3526 Ethernet Switch Installation Manual: It provides information for the system installation.

Quidway S3526E Ethernet Switch Installation Manual: It provides information for the system installation.

Quidway S3526 FM/FS Ethernet Switches Installation Manual: It provides information for the system installation.

Quidway S3552 Ethernet Switch Installation Manual: It provides information for the system installation.

Quidway S3526C/S3526E FM/S3526E FS Ethernet Switches Installation Manual: It provides information for the system installation.

Quidway S3500 Series Ethernet Switches Command Manual: It is used for assisting the users in using various commands.

Organization

Quidway S3500 Series Ethernet Switches Operation Manual consists of the following parts:

Getting Started

This module introduces how to access the Ethernet Switch.

Port


This module introduces Ethernet port and link aggregation configuration.

VLAN

This module introduces VLAN, isolate-user-vlan, GARP, and GVRP configuration.

Network Protocol

This module introduces network protocol configuration, including IP address, ARP, DHCP, access management and IP performance configuration.

Routing Protocol

This module introduces routing protocol configuration, including static route, RIP, OSPF, BGP and routing policy configuration.

Multicast

This module introduces GMRP, IGMP Snooping, IGMP, PIM-DM and PIM-SM configuration.

QoS/ACL

This module introduces QoS/ACL configuration.

Integrated Management

This module introduces integrated configuration.

STP

This module introduces STP configuration.

Security

This module introduces 802.1X, AAA & RADIUS, HABP and system-guard configuration.

Reliability

This module introduces VRRP configuration.

System Management

This module introduces system management and maintenance of Ethernet Switch, including file system management, system maintenance and network management configuration.

Appendix

Intended Audience

The manual is intended for the following readers:

Network engineers
Network administrators
Customers who are familiar with network fundamentals

Conventions


The manual uses the following conventions:

I. General conventions

Convention Description

Arial Normal paragraphs are in Arial.

Arial Narrow Warnings, Cautions, Notes and Tips are in Arial Narrow.

Boldface Headings are in Boldface.

Courier New Terminal Display is in Courier New.

II. Command conventions

Convention Description

Boldface The keywords of a command line are in Boldface.

italic Command arguments are in italic.

[ ] Items (keywords or arguments) in square brackets [ ] are optional.

{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. One is selected.

[ x | y | ... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

{ x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.

[ x | y | ... ] * Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

III. GUI conventions

Convention Description

< > Button names are inside angle brackets. For example, click the <OK> button.

[ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.

/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].


IV. Keyboard operation

Format Description

<Key> Press the key with the key name inside angle brackets. For example, <Enter>, <Tab>, <Backspace>, or <A>.

<Key1+Key2> Press the keys concurrently. For example, <Ctrl+Alt+A> means the three keys should be pressed concurrently.

<Key1, Key2> Press the keys in turn. For example, <Alt, A> means the two keys should be pressed in turn.

V. Mouse operation

Action Description

Click Press the left button or right button quickly (left button by default).

Double Click Press the left button twice continuously and quickly.

Drag Press and hold the left button and drag it to a certain position.

VI. Symbols

Eye-catching symbols are also used in the manual to highlight the points worthy of special attention during the operation. They are defined as follows:

Caution, Warning: Means the reader should be extremely careful during the operation.

Note: Means a complementary description.


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

1. Getting Started


Operation Manual - Getting Started Quidway S3500 Series Ethernet Switches Table of Contents


Table of Contents

Chapter 1 Product Overview 1-1
1.1 Product Overview 1-1
1.2 Function Features 1-2

Chapter 2 Logging in Ethernet Switch 2-1
2.1 Set up Configuration Environment via the Console Port 2-1
2.2 Set up Configuration Environment through Telnet 2-3
2.2.1 Connect PC to Ethernet Switch through Telnet 2-3
2.2.2 Telnet Ethernet Switch through Ethernet Switch 2-5
2.3 Set up Configuration Environment through a Dial-up the Modem 2-6

Chapter 3 Command Line Interface 3-1
3.1 Command Line Interface 3-1
3.2 Command Line View 3-1
3.3 Feature and Functions of Command Line 3-6
3.3.1 Online Help of Command Line 3-6
3.3.2 Displaying Characteristics of Command Line 3-7
3.3.3 History Command of Command Line 3-7
3.3.4 Common Command Line Error Messages 3-8
3.3.5 Editing Characteristics of Command Line 3-8

Chapter 4 User Interface Configuration 4-1
4.1 User Interface Overview 4-1
4.2 User Interface Configuration 4-2
4.2.1 Enter User Interface View 4-2
4.2.1 Configure the User Interface-supported Protocol 4-2
4.2.2 Configure the Attributes of AUX (Console) Port 4-3
4.2.3 Configure the Terminal Attributes 4-4
4.2.4 Manage Users 4-6
4.2.5 Configure Redirection 4-9
4.3 Display and Debug User Interface 4-10


Chapter 1 Product Overview

1.1 Product Overview

With the rapid development of the Internet, the requirements for high-speed broadband communication cannot be satisfied by traditional low-speed services such as telephone, fax and telegraph. High-speed systems are required to carry broadband services, including high-speed Internet access, video telephone and Video on Demand (VOD), and users also require higher-speed Internet access. Against this background, Ethernet, as a method of broadband access, gains much attention on the market for its low cost, high speed and ease of use. Accordingly, Huawei Technologies Co. Ltd. (hereafter referred to as Huawei) launched the Quidway Series Ethernet Switches to meet the fast-growing demand for broadband network development.

Quidway S3500 Series Ethernet Switches are L2/L3 Ethernet switches independently developed by Huawei to provide wire-speed L2/L3 switching and IP routing functions. The series includes the following main types of switches:

S3526 Ethernet switch
S3526 FS Ethernet switch
S3526 FM Ethernet switch
S3526E Ethernet switch
S3526C Ethernet switch
S3552G Ethernet switch
S3552P Ethernet switch
S3528G Ethernet switch
S3528P Ethernet switch
S3552F Ethernet switch

S3526/S3526E/S3526C Ethernet Switches provide 24 fixed 10/100Base-TX Ethernet ports, one Console port and 2 extension module slots.

The only difference between S3526 FS and S3526 FM Ethernet switches is the fixed optical port attribute. S3526 FS Ethernet switch provides 12 100M single-mode optical ports, while S3526 FM Ethernet switch provides 12 100M multi-mode optical ports. Each of them provides 4 extension module slots and 1 Console port.

S3552G Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports, one Console port and four GBIC interface modules.

S3552P Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports, one Console port and four SFP interface modules.


S3528G Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports, one Console port and four GBIC interface modules.

S3528P Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports, one Console port and four SFP interface modules.

S3552F Ethernet Switch provides 6 100M module slots, one Console port and four GBIC interface modules.

Quidway S3500 Series Ethernet Switches support the following services:

Broadband access to the Internet
Enterprise and campus networking
Multicast service and multicast routing, with support for multicast audio and video services

Hereinafter Quidway S3500 Series Ethernet switches are referred to as S3500 series Ethernet switches.

1.2 Function Features

Table 1-1 Function features

Features: Description

VLAN:
Supports VLAN compliant with IEEE 802.1Q Standard
Supports port-based VLAN
Supports GARP VLAN Registration Protocol (GVRP)

STP protocol:
S3526/S3526 FS/S3526 FM/S3526E/S3526C support Spanning Tree Protocol (STP) / Rapid Spanning Tree Protocol (RSTP), compliant with IEEE 802.1D/IEEE 802.1w Standard
S3552G/S3552P/S3528G/S3528P/S3552F support Spanning Tree Protocol (STP) / Multiple Spanning Tree Protocol (MSTP), compliant with IEEE 802.1D/IEEE 802.1s Standard

Flow control:
Supports IEEE 802.3x flow control (full-duplex)
Supports back-pressure based flow control (half-duplex)

Broadcast Suppression:
Supports Broadcast Suppression

Multicast:
Supports GARP Multicast Registration Protocol (GMRP)
Supports Internet Group Management Protocol (IGMP) Snooping (only S3552G/S3552P/S3528G/S3528P/S3552F support it)
Supports Internet Group Management Protocol (IGMP)
Supports Protocol-Independent Multicast-Dense Mode (PIM-DM)
Supports Protocol-Independent Multicast-Sparse Mode (PIM-SM)

IP routing:
Supports the static route
Supports Routing Information Protocol (RIP) V1/V2
Supports Open Shortest Path First (OSPF)
Supports Border Gateway Protocol (BGP)

DHCP:
Supports Dynamic Host Configuration Protocol (DHCP) Relay
Supports DHCP Server (only S3552G/S3552P/S3528G/S3528P/S3552F support it)

Link aggregation:
Supports link aggregation

Mirror:
Supports the mirror based on the traffic classification
Supports port mirror (only S3552G/S3552P/S3528G/S3528P/S3552F support it)

Security features:
Supports multi-level user management and password protection
Supports 802.1X authentication
Supports packet filtering


Reliability:
Supports Virtual Router Redundancy Protocol (VRRP)

Quality of Service (QoS):
Supports traffic classification
Supports bandwidth control
Supports priority
Supports queues of different priority on the port
Queue scheduling: supports Strict Priority Queuing (SP), Weighted Round Robin (WRR) and Delay bounded WRR (only S3526E/S3526C support Delay bounded WRR)

Management and Maintenance:
Supports command line interface configuration
Supports configuration via Console port
Supports remote configuration via Telnet or SSH
Supports configuration through dialing the Modem
Supports SNMP management (supports Quidview NMS and RMON MIB Groups 1, 2, 3 and 9)
Supports system log
Supports level alarms
Supports Huawei Group Management Protocol (HGMP) V2
Supports output of the debugging information
Supports PING and Tracert
Supports remote maintenance via Telnet, Modem or SSH

Loading and update:
Supports loading and upgrading software via the XModem protocol
Supports loading and upgrading software via File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP)


Chapter 2 Logging in Ethernet Switch

2.1 Set up Configuration Environment via the Console Port

Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the Ethernet switch with the Console cable.

Figure 2-1 Set up the local configuration environment via the Console port (figure labels: Console port, RS-232 serial port, Console cable)

Step 2: Run a terminal emulator (such as Terminal on Windows 3.x or HyperTerminal on Windows 9x) on the PC. Set the terminal communication parameters as follows: baud rate 9600, data bits 8, parity none, stop bits 1, flow control none, and terminal type VT100.

Figure 2-2 Set up new connection


Figure 2-3 Configure the port for connection

Figure 2-4 Set communication parameters

Step 3: Power on the Ethernet switch. It displays its self-test information and prompts you to press Enter, after which the command line prompt (such as <Quidway>) appears.


Step 4: Input a command to configure the Ethernet switch or to view its operation state. Input “?” for immediate help. For details of specific commands, refer to the following chapters.

2.2 Set up Configuration Environment through Telnet

2.2.1 Connect PC to Ethernet Switch through Telnet

After you have correctly configured the IP address of a VLAN interface on the Ethernet switch via the Console port (using the ip address command in VLAN interface view), and added the port that connects to the terminal to this VLAN (using the port command in VLAN view), you can telnet to this Ethernet switch and configure it.

Step 1: Authenticate the Telnet user via the Console port before the user logs in by Telnet.

Note:

By default, a password is required to authenticate a Telnet user logging in to the Ethernet switch. If a user attempts to log in via Telnet when no password has been set, the prompt “password required, but none set.” appears.

<Quidway> system-view

Enter system view , return user view with Ctrl+Z.

[Quidway] user-interface vty 0

[Quidway-ui-vty0] set authentication password simple xxxx

(xxxx is the preset login password of the Telnet user.)

Step 2: To set up the configuration environment, connect the Ethernet port of the PC to that of the Ethernet switch via the LAN.


Figure 2-5 Set up configuration environment through Telnet (figure labels: Workstation, Server, PC for configuring the switch via Telnet, Ethernet port, Ethernet)

Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to the PC port.

Figure 2-6 Run Telnet

Step 4: The terminal displays “User Access Verification” and prompts the user to input the logon password. After you input the correct password, it displays the command line prompt (such as <Quidway>). If the prompt “Too many users!” appears, too many users are connected to the Ethernet switch through Telnet at this moment; in this case, please reconnect later. At most 5 Telnet users are allowed to log on to the Quidway series Ethernet Switches simultaneously.

Step 5: Use the corresponding commands to configure the Ethernet switch or to monitor the running state. Enter “?” to get the immediate help. For details of specific commands, refer to the following chapters.

Note:

1) When configuring the Ethernet switch via Telnet, do not modify its IP address unless necessary, because the modification might cut the Telnet connection.

2) By default, when a Telnet user logs in, he can access the commands at Level 0.


2.2.2 Telnet Ethernet Switch through Ethernet Switch

After a user has logged into a switch, he or she can configure another switch through it via Telnet. The local switch serves as the Telnet client and the peer switch serves as the Telnet server. If the ports connecting the two switches are in the same local network, their IP addresses must be configured in the same network segment. Otherwise, the two switches must have a route by which they can reach each other.

As shown in the figure below, after you telnet to an Ethernet switch, you can run telnet command to log in and configure another Ethernet switch.

[Figure 2-7 Provide Telnet Client service: PC, Telnet Client (Ethernet switch), Telnet Server (Ethernet switch)]

Step 1: Authenticate the Telnet user via the Console port on the Telnet Server (Ethernet switch) before login.

Note:

By default, the password is required for authenticating the Telnet user to log in the Ethernet switch. If a user logs in via the Telnet without password, he will see the prompt “password required, but none set.”.

<Quidway> system-view

Enter system view , return user view with Ctrl+Z.

[Quidway] user-interface vty 0

[Quidway-ui-vty0] set authentication password simple xxxx (xxxx is the preset login password of Telnet user)

Step 2: The user logs in to the Telnet Client (Ethernet switch). For the login process, refer to section 2.2.1 “Connect PC to Ethernet Switch through Telnet”.

Step 3: Perform the following operations on the Telnet Client:

<Quidway> telnet xxxx (xxxx can be the hostname or IP address of the Telnet Server. If it is the hostname, the switch shall have the static resolution function.)


Step 4: Enter the preset login password and you will see the prompt, such as <Quidway>. If the prompt “Too many users!” appears, too many users are connected to the Ethernet switch through Telnet at this moment; in this case, please reconnect later.

Step 5: Use the corresponding commands to configure the Ethernet switch or view its running state. Enter “?” to get immediate help. For details of specific commands, refer to the following chapters.

2.3 Set up Configuration Environment through a Dial-up Modem

Step 1: Authenticate the Modem user via the Console port of the Ethernet switch before he logs in the switch through a dial-up Modem.

Note:

By default, the password is required for authenticating the Modem user to log in the Ethernet switch. If a user logs in via the Modem without password, he will see the prompt “password required, but none set.”.

<Quidway> system-view

Enter system view , return user view with Ctrl+Z.

[Quidway] user-interface aux 0

[Quidway-ui-aux0] set authentication password simple xxxx (xxxx is the preset login password of the Modem user.)

Step 2: Perform the following configurations on the Modem that is directly connected to the Ethernet switch. (You are not required to configure the Modem connected to the terminal.)

AT&F ----------------------- Reset Modem to factory settings

ATS0=1 --------------------- Set auto-answer (answer after one ring)

AT&D ----------------------- Ignore DTR signal

AT&K0 ---------------------- Disable flow control

AT&R1 ---------------------- Ignore RTS signal

AT&S0 ---------------------- Force DSR to be high-level

ATEQ1&W -------------------- Bar the modem from sending command responses or execution results, and save the configuration

After the configuration, key in the AT&V command to verify the Modem settings.


Note:

1) The Modem configuration commands and outputs may differ between Modems. For details, refer to the User Manual of the Modem.

2) It is recommended that the transmission rate on the Console port be lower than that of the Modem; otherwise packets may be lost.

Step 3: As shown in the figure below, to set up the remote configuration environment, connect the Modems to a PC (or a terminal) serial port and the Ethernet switch Console port respectively.

[Figure 2-8 Set up remote configuration environment: remote PC serial port, Modem, telephone line over the PSTN, Modem, Modem serial port line, Console port of the switch]

Step 4: Dial for connection to the switch, using the terminal emulator and Modem on the remote end. The number dialed shall be the telephone number of the Modem connected to the Ethernet switch. See the two figures below.


Figure 2-9 Set the dialed number

Figure 2-10 Dial on the remote PC

Step 5: Enter the preset login password on the remote terminal emulator and wait for the prompt such as <Quidway>. Then you can configure and manage the Ethernet switch. Enter “?” to get the immediate help. For details of specific commands, refer to the following chapters.

Note:

By default, when a Modem user logs in, he can access the commands at Level 0.


Chapter 3 Command Line Interface

3.1 Command Line Interface

Quidway series Ethernet Switches provide a series of configuration commands and command line interfaces for configuring and managing the Ethernet switch. The command line interface has the following characteristics:

- Local configuration via the Console port.
- Local or remote configuration via Telnet or SSH.
- Remote configuration through a dial-up Modem to log in to the Ethernet switch.
- Hierarchical command protection to prevent unauthorized users from accessing the Ethernet switch.
- Enter a “?” to get immediate online help.
- Network testing commands, such as Tracert and Ping, to troubleshoot the network quickly.
- Various detailed debugging information to help with network troubleshooting.
- Log in to and manage other Ethernet switches directly, using the Telnet command.
- FTP service for users to upload and download files.
- A function similar to Doskey to execute a history command.
- The command line interpreter searches for targets that do not fully match the keywords: you may key in the whole keyword or only part of it, as long as it is unique and not ambiguous.

3.2 Command Line View

Quidway series Ethernet Switches provide hierarchy protection for the command lines to avoid unauthorized user accessing illegally.

Commands are classified into four levels, namely visit level, monitoring level, configuration level and management level. They are introduced as follows:

Visit level: Commands of this level include the network diagnosis tools (such as ping and tracert), the command for switching between language environments of the user interface (language-mode), the telnet command, etc. Saving the configuration file is not allowed at this level.

Monitoring level: Commands of this level, including the display and debugging commands, are used for system maintenance, service fault diagnosis, etc. Saving the configuration file is not allowed at this level.


Configuration level: Service configuration commands, including routing command and commands on each network layer, are used to provide direct network service to the user.

Management level: Commands that influence the basic operation of the system and the system support modules, which play a supporting role for services. Commands of this level include file system commands, FTP commands, TFTP commands, XModem downloading commands, user management commands and level setting commands.

At the same time, login users are classified into four levels that correspond to the four command levels respectively. After users of different levels log in, they can only use commands at levels equal to or lower than their own level.

To prevent unauthorized users from illegal intrusion, a user is authenticated when switching from a lower level to a higher level with the super [ level ] command. In other words, the password of the higher level is needed (supposing the user has set it with super password [ level level ] { simple | cipher } password). For the sake of confidentiality, the password the user enters is not shown on the screen. The user switches to the higher level only if the correct password is entered within three attempts; otherwise, the original user level remains unchanged.

Different command views are implemented according to different requirements. They are related to one another. For example, after logging in the Ethernet switch, you will enter user view, in which you can only use some basic functions such as displaying the running state and statistics information. In user view, key in system-view to enter system view, in which you can key in different configuration commands and enter the corresponding views.

The command line provides the following views:

Note:

Among the S3500 series switches, only the S3526E and S3526C support User-defined ACL view, and only the S3552G/S3552P/S3528G/S3528P/S3552F support MST region view, DHCP address pool view, Conform-level view and WRED index view.

- User view
- System view
- Ethernet Port view
- VLAN view
- VLAN interface view
- Local-user view
- User interface view
- FTP Client view
- Cluster view
- MST region view
- RSA public key view
- RSA key code view
- DHCP address pool view
- PIM view
- RIP view
- OSPF view
- OSPF area view
- BGP view
- Route policy view
- Basic ACL view
- Advanced ACL view
- Layer-2 ACL view
- User-defined ACL view
- Conform-level view
- WRED index view
- RADIUS server group view
- ISP domain view

The relation diagram of the views is as follows.

[Figure 3-1 The relation diagram of the views, showing how the views listed above are reached from user view and system view]

The following table describes the function features of different views and the ways to enter or quit.

Table 3-1 Function feature of command view

| Command view | Function | Prompt | Command to enter | Command to exit |
| --- | --- | --- | --- | --- |
| User view | Show the basic information about operation and statistics | <Quidway> | Entered right after connecting to the switch | quit disconnects from the switch |
| System view | Configure system parameters | [Quidway] | Key in system-view in user view | quit or return returns to user view |
| Ethernet Port view | Configure Ethernet port parameters | [Quidway-Ethernet0/1] (100M Ethernet port view) | Key in interface ethernet 0/1 in system view | quit returns to system view |
| | | [Quidway-GigabitEthernet1/1] (GigabitEthernet port view) | Key in interface gigabitethernet 1/1 in system view | quit returns to system view |
| VLAN view | Configure VLAN parameters | [Quidway-Vlan1] | Key in vlan 1 in system view | quit returns to system view |
| VLAN interface view | Configure IP interface parameters for a VLAN or a VLAN aggregation | [Quidway-Vlan-interface1] | Key in interface vlan-interface 1 in system view | quit returns to system view |
| Local-user view | Configure local user parameters | [Quidway-luser-user1] | Key in local-user user1 in system view | quit returns to system view |
| User interface view | Configure user interface parameters | [Quidway-ui0] | Key in user-interface 0 in system view | quit returns to system view |
| FTP Client view | Configure FTP Client parameters | [ftp] | Key in ftp in user view | quit returns to user view |
| Cluster view | Configure Cluster parameters | [Quidway-cluster] | Key in cluster in system view | quit returns to system view |
| MST region view | Configure MST region parameters | [Quidway-mst-region] | Key in stp region-configuration in system view | quit returns to system view |
| RSA public key view | Configure RSA public key of SSH user | [Quidway-rsa-public-key] | Key in rsa peer-public-key quidway003 in system view | peer-public-key end returns to system view |
| RSA key code view | Edit RSA public key of SSH user | [Quidway-rsa-key-code] | Key in public-key-code begin in RSA public key view | public-key-code end returns to RSA public key view |
| DHCP address pool view | Configure DHCP address pool parameters | [Quidway-dhcp-0] | Key in dhcp server ip-pool 0 in system view | quit returns to system view |
| PIM view | Configure PIM parameters | [Quidway-PIM] | Key in pim in system view | quit returns to system view |
| RIP view | Configure RIP parameters | [Quidway-rip] | Key in rip in system view | quit returns to system view |
| OSPF view | Configure OSPF parameters | [Quidway-ospf] | Key in ospf in system view | quit returns to system view |
| OSPF area view | Configure OSPF area parameters | [Quidway-ospf-0.0.0.1] | Key in area 1 in OSPF view | quit returns to OSPF view |
| BGP view | Configure BGP parameters | [Quidway-bgp] | Key in bgp 100 in system view | quit returns to system view |
| Route policy view | Configure route policy parameters | [Quidway-route-policy] | Key in route-policy policy1 permit node 10 in system view | quit returns to system view |
| Basic ACL view | Define the rule of basic ACL | [Quidway-acl-basic-2000] | Key in acl number 2000 in system view | quit returns to system view |
| Advanced ACL view | Define the rule of advanced ACL | [Quidway-acl-adv-3000] | Key in acl number 3000 in system view | quit returns to system view |
| Layer-2 ACL view | Define the rule of layer-2 ACL | [Quidway-acl-link-4000] | Key in acl number 4000 in system view | quit returns to system view |
| User-defined ACL view | Define the rule of user-defined ACL | [Quidway-acl-user-5000] | Key in acl number 5000 in system view | quit returns to system view |
| Conform-level view | Configure the "DSCP + Conform-level Service group" mapping table and "Local-precedence + Conform-level 802.1p priority" mapping table | [Quidway-conform-level-0] | Key in qos conform-level 0 in system view | quit returns to system view |
| WRED index view | Configure WRED parameters | [Quidway-wred-0] | Key in wred 0 in system view | quit returns to system view |
| RADIUS server group view | Configure RADIUS parameters | [Quidway-radius-1] | Key in radius scheme 1 in system view | quit returns to system view |
| ISP domain view | Configure ISP domain parameters | [Quidway-isp-huawei163.net] | Key in domain huawei163.net in system view | quit returns to system view |


3.3 Feature and Functions of Command Line

3.3.1 Online Help of Command Line

The command line interface provides the following online help modes.

- Full help
- Partial help

You can get the help information through these online help commands, which are described as follows.

1) Input “?” in any view to get all the commands in it and corresponding descriptions.

<Quidway> ?

User view commands:

language-mode Specify the language environment

ping Ping function

quit Exit from current command view

super Privilege specified user priority level

telnet Establish one TELNET connection

tracert Trace route function

2) Input a command with a “?” separated by a space. If this position is for keywords, all the keywords and the corresponding brief descriptions will be listed.

<Quidway> language-mode ?

chinese Chinese environment

english English environment

3) Input a command with a “?” separated by a space. If this position is for parameters, all the parameters and their brief descriptions will be listed.

[Quidway] garp timer leaveall ?

INTEGER<65-32765> Value of timer in centiseconds

(LeaveAllTime > (LeaveTime [On all ports]))

Time must be multiple of 5 centiseconds

[Quidway] garp timer leaveall 300 ?

<cr>

<cr> indicates that no parameter is needed in this position; the next command line repeats the command, and you can press <Enter> to execute it directly.

4) Input a character string with a “?”, then all the commands with this character string as their initials will be listed.

<Quidway>p?

ping


5) Input a command with a character string and “?”, then all the key words with this character string as their initials in the command will be listed.

<Quidway> display ver?

version

6) Input the first letters of a keyword of a command and press the <Tab> key. If no other keyword begins with these letters, the unique keyword will be completed automatically.

7) To switch to the Chinese display for the above information, perform the language-mode command.

3.3.2 Displaying Characteristics of Command Line

Command line interface provides the following display characteristics:

For users’ convenience, the instruction and help information can be displayed in both English and Chinese.

For the information to be displayed exceeding one screen, pausing function is provided. In this case, users can have three choices, as shown in the table below.

Table 3-2 Functions of displaying

| Key or Command | Function |
| --- | --- |
| Press <Ctrl+C> when the display pauses | Stop displaying and executing the command. |
| Enter a space when the display pauses | Continue to display the next screen of information. |
| Press <Enter> when the display pauses | Continue to display the next line of information. |

3.3.3 History Command of Command Line

The command line interface provides a function similar to DosKey. The commands entered by users are saved automatically by the command line interface and can be invoked and executed at any time later. The history command buffer defaults to 10 entries, that is, the command line interface can store 10 history commands for each user. The operations are shown in the table below.

Table 3-3 Retrieve history command

| Operation | Key | Result |
| --- | --- | --- |
| Display history command | display history-command | Display the history commands entered by the user |
| Retrieve the previous history command | Up cursor key <↑> or <Ctrl+P> | Retrieve the previous history command, if there is any. |
| Retrieve the next history command | Down cursor key <↓> or <Ctrl+N> | Retrieve the next history command, if there is any. |


Note:

Cursor keys can be used to retrieve the history commands in Windows 3.X Terminal and Telnet. However, in Windows 9X HyperTerminal, the cursor keys ↑ and ↓ do not work, because Windows 9X HyperTerminal defines the two keys differently. In this case, use the combination keys <Ctrl+P> and <Ctrl+N> instead for the same purpose.

3.3.4 Common Command Line Error Messages

All the input commands by users can be correctly executed, if they have passed the grammar check. Otherwise, error messages will be reported to users. The common error messages are listed in the following table.

Table 3-4 Common command line error messages

| Error message | Causes |
| --- | --- |
| Unrecognized command | Cannot find the command. Cannot find the keyword. Wrong parameter type. The value of the parameter exceeds the range. |
| Incomplete command | The input command is incomplete. |
| Too many parameters | Too many parameters were entered. |
| Ambiguous command | The parameters entered are not specific. |

3.3.5 Editing Characteristics of Command Line

The command line interface provides basic command editing functions and supports editing across multiple lines. A command cannot be longer than 256 characters. See the table below.

Table 3-5 Editing functions

| Key | Function |
| --- | --- |
| Common keys | Insert at the cursor position and move the cursor to the right, if the edit buffer still has free space. |
| Backspace | Delete the character preceding the cursor and move the cursor backward. |
| Leftwards cursor key <←> or <Ctrl+B> | Move the cursor one character backward. |
| Rightwards cursor key <→> or <Ctrl+F> | Move the cursor one character forward. |
| Up cursor key <↑> or <Ctrl+P>, Down cursor key <↓> or <Ctrl+N> | Retrieve the history command. |
| <Tab> | Press <Tab> after typing an incomplete keyword and the system executes partial help: if exactly one keyword matches the typed one, the system replaces the typed word with the complete keyword and displays it on a new line; if no keyword matches or the match is not unique, the system makes no modification and displays the originally typed word on a new line. |


Chapter 4 User Interface Configuration

4.1 User Interface Overview

User interface configuration is another way provided by the Ethernet switch to configure and manage the port data.

S3500 Series Ethernet Switches support the following configuration methods:

- Local configuration via the Console port
- Local and remote configuration through Telnet or SSH on an Ethernet port
- Remote configuration through dial-up with a modem via the Console port

According to the above-mentioned configuration methods, there are two types of user interfaces:

AUX user interface

AUX user interface is used to log in the Ethernet switch via the Console port. An Ethernet switch can only have one AUX user interface.

VTY user interface

VTY user interface is used to telnet to the Ethernet switch. An Ethernet switch can have up to five VTY user interfaces.

Note:

For Quidway series Ethernet Switches, AUX port and Console port are the same one. There is only the type of AUX user interface.

User interface is numbered in the following two ways: absolute number and relative number.

1) Absolute number, following the rules below:

- The AUX user interface is numbered first and is designated as user interface 0.
- VTY user interfaces are numbered after the AUX user interface. The absolute number of the first VTY is the AUX user interface number plus 1.

2) Relative number, a number assigned within each type of user interface. It follows the rules below:

- Number of AUX user interface: AUX 0.
- Number of VTY: the first VTY interface is designated as VTY 0, the second one as VTY 1, and so on.

4.2 User Interface Configuration

User interface configuration includes:

- Enter user interface view
- Configure the user interface-supported protocol
- Configure the attributes of the AUX (Console) port
- Configure the terminal attributes
- Manage users
- Configure redirection

4.2.1 Enter User Interface View

The following command is used for entering a user interface view. You can enter a single user interface view or multi user interface view to configure one or more user interfaces respectively.

Perform the following configuration in system view.

Table 4-1 Enter user interface view

| Operation | Command |
| --- | --- |
| Enter a single user interface view or multiple user interface views | user-interface [ type ] first-number [ last-number ] |

4.2.1 Configure the User Interface-supported Protocol

The following command is used for setting the supported protocol by the current user interface. You can log in switch only through the supported protocol. The configuration becomes effective when you log in again.

Perform the following configurations in user interface (VTY user interface only) view.

Table 4-2 Configure the user interface-supported protocol

| Operation | Command |
| --- | --- |
| Configure the user interface-supported protocol | protocol inbound { all | ssh | telnet } |

By default, the user interface only supports Telnet protocol.


Caution:

1) If Telnet protocol is specified, to ensure a successful login via Telnet you must configure the password, which is required by default.

2) If SSH protocol is specified, to ensure a successful login you must configure local or remote authentication of username and password using the authentication-mode scheme command. The protocol inbound ssh configuration fails if authentication-mode password or authentication-mode none is configured. Once SSH protocol is configured successfully for the user interface, authentication-mode password and authentication-mode none can no longer be configured.

4.2.2 Configure the Attributes of AUX (Console) Port

The following commands can be used for configuring the attributes of the AUX (Console) port, including speed, flow control, parity, stop bit and data bit.

Perform the following configurations in user interface (AUX user interface only) view.

I. Configure the transmission speed on AUX (Console) port

Table 4-3 Configure the transmission speed on AUX (Console) port

| Operation | Command |
| --- | --- |
| Configure the transmission speed on AUX (Console) port | speed speed-value |
| Restore the default transmission speed on AUX (Console) port | undo speed |

By default, the transmission speed on AUX (Console) port is 9600bps.

II. Configure the flow control on AUX (Console) port

Table 4-4 Configure the flow control on AUX (Console) port

| Operation | Command |
| --- | --- |
| Configure the flow control on AUX (Console) port | flow-control { hardware | none | software } |
| Restore the default flow control mode on AUX (Console) port | undo flow-control |

By default, the flow control on the AUX (Console) port is none, that is, no flow control will be performed.


III. Configure parity on the AUX (Console) port

Table 4-5 Configure parity on the AUX (Console) port

| Operation | Command |
| --- | --- |
| Configure parity mode on the AUX (Console) port | parity { even | mark | none | odd | space } |
| Restore the default parity mode | undo parity |

By default, the parity on the AUX (Console) port is none, that is, no parity bit.

IV. Configure the stop bit of AUX (Console) port

Table 4-6 Configure the stop bit of AUX (Console) port

| Operation | Command |
| --- | --- |
| Configure the stop bit of AUX (Console) port | stopbits { 1 | 1.5 | 2 } |
| Restore the default stop bit of AUX (Console) port | undo stopbits |

By default, AUX (Console) port supports 1 stop bit.

V. Configure the data bit of AUX (Console) port

Table 4-7 Configure the data bit of AUX (Console) port

| Operation | Command |
| --- | --- |
| Configure the data bit of AUX (Console) port | databits { 7 | 8 } |
| Restore the default data bit of AUX (Console) port | undo databits |

By default, AUX (Console) port supports 8 data bits.

4.2.3 Configure the Terminal Attributes

The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length and history command buffer size.

Perform the following configuration in user interface view. Perform lock command in user view.

I. Enable/Disable terminal service

After the terminal service is disabled on a user interface, you cannot log in to the Ethernet switch through that user interface. However, a user who logged in through the user interface before the terminal service was disabled can continue operating; after that user logs out, he cannot log in again. In this case, a user can log in to the switch through the user interface only when the terminal service is enabled again.

Table 4-8 Enable/disable terminal service

| Operation | Command |
| --- | --- |
| Enable terminal service | shell |
| Disable terminal service | undo shell |

By default, terminal service is enabled on all the user interfaces.

Note the following points:

For the sake of security, the undo shell command can only be used on the user interfaces other than AUX user interface.

You cannot use this command on the user interface via which you log in. You will be asked to confirm before using undo shell on any legal user interface.

II. Configure idle-timeout

Table 4-9 Configure idle-timeout

| Operation | Command |
| --- | --- |
| Configure idle-timeout | idle-timeout minutes [ seconds ] |
| Restore the default idle-timeout | undo idle-timeout |

By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. That is, the user interface will be disconnected automatically after 10 minutes without any operation.

idle-timeout 0 means disabling idle-timeout.

III. Lock user interface

This configuration is to lock the current user interface and prompt the user to enter the password. This makes it impossible for others to operate in the interface after the user leaves.

Table 4-10 Lock user interface

| Operation | Command |
| --- | --- |
| Lock user interface | lock |


IV. Set the screen length

If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently.

Table 4-11 Set the screen length

| Operation | Command |
| --- | --- |
| Set the screen length | screen-length screen-length |
| Restore the default screen length | undo screen-length |

By default, the terminal screen length is 24 lines.

screen-length 0 disables splitting the display into screens.

V. Set the history command buffer size

Table 4-12 Set the history command buffer size

Operation                                         Command
Set the history command buffer size               history-command max-size value
Restore the default history command buffer size   undo history-command max-size

By default, the size of the history command buffer is 10, that is, 10 history commands can be saved.

4.2.4 Manage Users

The management of users includes setting the user login authentication method, the command level a user can use after logging in, the command level a user can use after logging in from a specific user interface, and command levels.

I. Configure authentication method

The following command is used to configure the user login authentication method, so that unauthorized users are denied access.

Perform the following configuration in user interface view.

Table 4-13 Configure authentication method

Operation                             Command
Configure the authentication method   authentication-mode { password | scheme }
Configure no authentication           authentication-mode none


By default, terminal authentication is not required for users who log in via the Console port, whereas a password is required to authenticate Modem and Telnet users when they log in.

1) Perform local password authentication to the user interface

Using the authentication-mode password command, you can perform local password authentication. That is, you need to use the command below to configure a login password in order to log in successfully.

Perform the following configuration in user interface view.

Table 4-14 Configure the local authentication password

Operation                                     Command
Configure the local authentication password   set authentication password { cipher | simple } password
Remove the local authentication password      undo set authentication password

# Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to huawei.
[Quidway] user-interface vty 0
[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei

2) Perform local or remote authentication of username and password to the user interface

Using the authentication-mode scheme command, you can perform local or remote authentication of username and password. The type of authentication depends on your configuration. For details, see the “Security” section.

In the following example, local username and password authentication are configured.

# Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and huawei respectively.
[Quidway-ui-vty0] authentication-mode scheme
[Quidway-ui-vty0] quit
[Quidway] local-user zbr
[Quidway-luser-zbr] password simple huawei
[Quidway-luser-zbr] service-type telnet

3) No authentication

[Quidway-ui-vty0] authentication-mode none


Note:

By default, a password is required to authenticate Modem and Telnet users when they log in. If no password has been set, a user who logs in will see the prompt “password required, but none set.” If the authentication-mode none command is used, Modem and Telnet users are not required to enter a password.

II. Set command level used after a user logs in

The following command is used to set the command level used after a user logs in.

Perform the following configuration in local-user view.

Table 4-15 Set command level used after a user logs in

Operation                                                     Command
Set command level used after a user logs in                   service-type { ssh [ level level | telnet [ level level ] ] | telnet [ level level | ssh [ level level ] ] }
Restore the default command level used after a user logs in   undo service-type { ssh [ level | telnet [ level ] ] | telnet [ level | ssh [ level ] ] }

By default, the specified logon user can access the commands at Level 1.

III. Set command level used after a user logs in from a user interface

You can use the following command to set the command level after a user logs in from a specific user interface, so that a user is able to execute the commands at such command level.

Perform the following configuration in user interface view.

Table 4-16 Set command level used after a user logs in from a user interface

Operation                                                                           Command
Set command level used after a user logs in from a user interface                   user privilege level level
Restore the default command level used after a user logs in from a user interface   undo user privilege level

By default, a user can access the commands at Level 3 after logging in through the AUX user interface, and the commands at Level 0 after logging in through the VTY user interface.


Note:

When a user logs in to the switch, the command level that the user can access depends on two things: the command level the user itself can access, and the command level set for the user interface. If the two levels differ, the former is taken. For example, if the command level of the VTY 0 user interface is 1 but you have the right to access commands of level 3, you can access commands of level 3 and lower when you log in from VTY 0.

IV. Set command priority

The following command is used to set the priority of a specified command in a certain view. The command levels are visit, monitoring, configuration, and management, identified as 0 through 3 respectively. An administrator assigns authorities according to user requirements.

Perform the following configuration in system view.

Table 4-17 Set command priority

Operation                                               Command
Set the command priority in a specified view            command-privilege level level view view command
Restore the default command level in a specified view   undo command-privilege view view command

Note:

Do not change command levels arbitrarily, as this may make maintenance and operation inconvenient.

4.2.5 Configure Redirection

I. send command

The following command can be used for sending messages between user interfaces.

Perform the following configuration in user view.

Table 4-18 Configure to send messages between different user interfaces

Operation                                                      Command
Configure to send messages between different user interfaces   send { all | number | type number }


II. auto-execute command

The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be automatically executed when you log in again.

This command is usually used to run the telnet command automatically on the terminal, which connects the user to a designated device automatically.

Perform the following configuration in user interface view.

Table 4-19 Configure to automatically run the command

Operation                                        Command
Configure to automatically run the command       auto-execute command text
Configure not to automatically run the command   undo auto-execute command

Note the following points:

After executing this command, the user interface can no longer be used to carry out the routine configurations for the local system. Use this command with caution.

Before you use the auto-execute command command and save the configuration, make sure that you will be able to log in to the system in some other way and cancel the configuration.

# Telnet 10.110.100.1 automatically after the user logs in through VTY 0.
[Quidway-ui-vty0] auto-execute command telnet 10.110.100.1

When a user logs in via VTY 0, the system runs telnet 10.110.100.1 automatically.
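As an added example (not from the manual), the following Python script parses a constructed running-config fragment written in the CLI syntax of Tables 4-9, 4-13 to 4-16 and 4-19 and reports the settings a reviewer would want to look at: VTYs with no authentication, passwords stored with the simple keyword, a disabled idle timeout, elevated VTY privilege levels and auto-execute commands; it also applies the rule from the note above that the user's own command level wins over the user interface level. The sample configuration, the user name zbr and the address are constructed, and the assumption that a user level only exists for scheme-authenticated logins is the example's, not the manual's.

```python
"""Added example (not from the manual): audit S3500 user-interface settings in a running
configuration and compute the command level a login ends up with. The sample configuration
is constructed in the CLI syntax of this chapter; the user name and address are made up."""
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_UI_LEVEL = {"aux": 3, "vty": 0}   # manual: AUX logins get level 3, VTY logins level 0

SAMPLE_CONFIG = """\
local-user zbr
 password simple huawei
 service-type telnet level 3
user-interface aux 0
user-interface vty 0
 authentication-mode scheme
 idle-timeout 5 0
user-interface vty 1
 authentication-mode none
 user privilege level 3
 idle-timeout 0
user-interface vty 2
 authentication-mode password
 set authentication password simple huawei
 auto-execute command telnet 10.110.100.1
"""

@dataclass
class UserInterface:
    kind: str                              # "aux" or "vty"
    auth_mode: Optional[str] = None        # None: not configured, the manual's default applies
    has_password: bool = False             # 'set authentication password' present
    simple_password: bool = False          # password given with the 'simple' keyword
    idle_timeout: tuple = (10, 0)          # manual default: 10 minutes
    privilege_level: Optional[int] = None  # 'user privilege level', None: default for kind
    auto_execute: Optional[str] = None     # 'auto-execute command' text

@dataclass
class LocalUser:
    simple_password: bool = False
    levels: dict = field(default_factory=dict)   # service (ssh/telnet) -> command level

def parse_config(text):
    uis, users, ctx = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "user-interface" and len(t) >= 3:
            ctx = uis[f"{t[1]} {t[2]}"] = UserInterface(t[1])
        elif t[0] == "local-user" and len(t) == 2:
            ctx = users[t[1]] = LocalUser()
        elif isinstance(ctx, UserInterface):
            if t[0] == "authentication-mode":
                ctx.auth_mode = t[1]
            elif t[:3] == ["set", "authentication", "password"]:
                ctx.has_password, ctx.simple_password = True, t[3] == "simple"
            elif t[0] == "idle-timeout":
                ctx.idle_timeout = (int(t[1]), int(t[2]) if len(t) > 2 else 0)
            elif t[:3] == ["user", "privilege", "level"]:
                ctx.privilege_level = int(t[3])
            elif t[:2] == ["auto-execute", "command"]:
                ctx.auto_execute = " ".join(t[2:])
        elif isinstance(ctx, LocalUser):
            if t[0] == "password":
                ctx.simple_password = t[1] == "simple"
            elif t[0] == "service-type":   # manual: a local user gets level 1 unless set
                for svc, lvl in re.findall(r"\b(ssh|telnet)\b(?:\s+level\s+(\d+))?", raw):
                    ctx.levels[svc] = int(lvl) if lvl else 1
    return uis, users

def effective_level(ui, user=None, service="telnet"):
    """Manual note: if the user's own level and the interface level differ, the user's level
    is taken. Assumption: a user level exists only for scheme-authenticated logins."""
    if user is not None and ui.auth_mode == "scheme" and service in user.levels:
        return user.levels[service]
    return ui.privilege_level if ui.privilege_level is not None else DEFAULT_UI_LEVEL[ui.kind]

def audit(uis, users):
    findings = []   # 'name: reason' strings a reviewer should look at
    for name, ui in uis.items():
        if ui.kind == "vty":
            mode = ui.auth_mode or "password"   # manual: Telnet/Modem logins default to password
            if mode == "none":
                findings.append(f"{name}: authentication-mode none, no login check at all")
            elif mode == "password" and not ui.has_password:
                findings.append(f"{name}: password required but none set, logins will fail")
            if effective_level(ui) > DEFAULT_UI_LEVEL["vty"]:
                findings.append(f"{name}: user privilege level {effective_level(ui)} (VTY default is 0)")
        if ui.simple_password:
            findings.append(f"{name}: login password stored in plaintext ('simple')")
        if ui.idle_timeout == (0, 0):
            findings.append(f"{name}: idle-timeout 0 disables the idle disconnect")
        if ui.auto_execute:
            findings.append(f"{name}: auto-execute command '{ui.auto_execute}' blocks local configuration")
    for name, user in users.items():
        if user.simple_password:
            findings.append(f"local-user {name}: password stored in plaintext ('simple')")
    return findings
```

Run audit(*parse_config(text)) over the output of display current-configuration to get the list of findings; VTY 0 in the sample produces none, VTY 1 and VTY 2 produce one per weak setting.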

4.3 Display and Debug User Interface

After the above configuration, execute the display command in any view to display the running user interface configuration and verify the effect of the configuration.

Execute free command in user view to clear a specified user interface.

Table 4-20 Display and debug user interface

Operation                                                                       Command
Clear a specified user interface                                                free user-interface [ type ] number
Display the user application information of the user interface                 display users [ all ]
Display the physical attributes and some configurations of the user interface   display user-interface [ type number ] [ number ]


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

2. Port


Table of Contents

Chapter 1 Ethernet Port Configuration 1-1
1.1 Ethernet Port Overview 1-1
1.2 Ethernet Port Configuration 1-2
1.2.1 Enter Ethernet port view 1-2
1.2.2 Enable/Disable Ethernet Port 1-3
1.2.3 Set Description Character String for Ethernet Port 1-3
1.2.4 Set Duplex Attribute of the Ethernet Port 1-3
1.2.5 Set Speed on the Ethernet Port 1-4
1.2.6 Set Cable Type for the Ethernet Port 1-5
1.2.7 Enable/Disable Flow Control for Ethernet Port 1-5
1.2.8 Set Ethernet Port Broadcast Suppression Ratio 1-6
1.2.9 Set link type for Ethernet port 1-6
1.2.10 Add the Ethernet port to Specified VLANs 1-7
1.2.11 Set the Default VLAN ID for the Ethernet Port 1-7
1.2.12 Set the VLAN VPN Feature 1-8
1.2.13 Set loopback detection for the Ethernet port 1-9
1.2.14 Set the Time Interval of Calculating Port Statistics Information 1-10
1.3 Display and Debug Ethernet Port 1-10
1.4 Ethernet Port Configuration Example 1-11
1.5 Ethernet Port Troubleshooting 1-11
Chapter 2 Link Aggregation Configuration 2-1
2.1 Link Aggregation Overview 2-1
2.2 Link Aggregation Configuration 2-1
2.2.1 Aggregate Ethernet Ports 2-1
2.3 Display and Debug Link Aggregation 2-2
2.4 Link Aggregation Configuration Example 2-2
2.5 Ethernet Link Aggregation Troubleshooting 2-3


Chapter 1 Ethernet Port Configuration

1.1 Ethernet Port Overview

S3526 Ethernet Switch provides 24 fixed 10/100Base-T Ethernet ports and two extended module slots and supports 1000Base-SX module, 1000Base-LX module, 1000Base-T module, 1000Base-ZX module, 1000Base-LX GL module and stack module.

S3526E/S3526C Ethernet Switch provides 24 fixed 10/100Base-T Ethernet ports and two extended module slots and supports 100Base-FX multi-mode module, 100Base-FX single-mode module, 1000Base-SX module, 1000Base-LX module, 1000Base-T module, 1000Base-ZX module, 1000Base-LX GL module and stack module.

The only difference between S3526 FS and S3526 FM Ethernet Switches is the fixed optical ports with the different attributes they provide: S3526 FS Ethernet Switches provide 12 100M single-mode optical ports, while S3526 FM Ethernet Switches provide 12 100M multi-mode optical ports. Each of them also provides four extended module slots. The two extended module slots in the front panel support 6-port 10/100Base-T module, 6-port 100Base-FX single-mode module, and 6-port 100Base-FX multi-mode module. The two extended module slots in the rear panel support 1000Base-SX, 1000Base-LX, 1000Base-T, 1000Base-ZX, 1000Base-LX GL module and stack module.

S3552G Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports and four GBIC interface modules.

S3552P Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports and four SFP interface modules.

S3528G Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports and four GBIC interface modules.

S3528P Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports and four SFP interface modules.

S3552F Ethernet Switch provides 6 module slots and four GBIC interface modules. The six slots on the front panel support 8-port 100Base-FX multi-mode modules, 8-port 100Base-FX single-mode modules and 8-port 10/100Base-T modules. The four GBIC module slots can accommodate GBIC gigabit modules.

The Ethernet ports of S3500 Series Ethernet Switches have the following features:


10/100Base-TX Ethernet ports support MDI/MDI-X auto-sensing and can work in half-/full-duplex and auto-negotiation modes. They can auto-negotiate and auto-select the optimal operating mode and speed with the peers, thereby streamlining the system configuration and management.

100Base-FX single-mode/multi-mode Ethernet port operates in 100M full duplex mode. The duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 100 (100Mbps) and auto (auto-negotiation).

For a Gigabit Ethernet port, the duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 1000 (1000Mbps) or auto (auto-negotiation). For a Gigabit Ethernet port of S3552G/S3552P/S3528G/S3528P/S3552F, the duplex mode can be configured as full (full duplex), auto (auto-negotiation) or half (half duplex), and the speed can only be 1000 (1000Mbps), which does not need to be configured. 1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches can operate in 1000M full-duplex, 100M half-duplex/full-duplex, and 10M half-duplex/full-duplex modes.

The configurations of these Ethernet ports are basically the same, which will be described in the following sections.

1.2 Ethernet Port Configuration

Ethernet port configuration includes:

Enter Ethernet port view
Enable/Disable Ethernet port
Set description character string for Ethernet port
Set duplex attribute for Ethernet port
Set speed for Ethernet port
Set cable type for the Ethernet port
Enable/Disable flow control for Ethernet port
Set Ethernet port broadcast suppression ratio
Set link type for Ethernet port
Add the Ethernet port to specified VLANs
Set the default VLAN ID for the Ethernet port
Set the VLAN VPN feature (supported by S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches)
Set loopback detection for the Ethernet port (supported by S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches)
Set the time interval of calculating port statistics information

1.2.1 Enter Ethernet port view

Before configuring the Ethernet port, enter Ethernet port view first.


Perform the following configuration in system view.

Table 1-1 Enter Ethernet port view

Operation                 Command
Enter Ethernet port view  interface { interface_type interface_num | interface_name }

1.2.2 Enable/Disable Ethernet Port

The following command can be used for disabling or enabling the port. After configuring the related parameters and protocol of the port, you can use the following command to enable the port. If you do not want a port to forward data any more, use the command to disable it.

Perform the following configuration in Ethernet port view.

Table 1-2 Enable/Disable an Ethernet port

Operation                  Command
Disable an Ethernet port   shutdown
Enable an Ethernet port    undo shutdown

By default, the port is enabled.

1.2.3 Set Description Character String for Ethernet Port

To distinguish the Ethernet ports, you can use the following command to give each port a description.

Perform the following configuration in Ethernet port view.

Table 1-3 Set description character string for Ethernet port

Operation                                                 Command
Set description character string for Ethernet port        description text
Delete the description character string of Ethernet port  undo description

By default, the port description is a null character string.

1.2.4 Set Duplex Attribute of the Ethernet Port

To configure a port to send and receive data packets at the same time, set it to full-duplex. To configure a port to either send or receive data packets at a time, set it to half-duplex. If the port has been set to auto-negotiation mode, the local and peer ports will automatically negotiate the duplex mode.

Perform the following configuration in Ethernet port view.

Table 1-4 Set duplex attribute for Ethernet port

Operation                                            Command
Set duplex attribute for Ethernet port               duplex { auto | full | half }
Restore the default duplex attribute of Ethernet port   undo duplex

Note that the 100M electrical Ethernet port supports full duplex, half duplex and auto-negotiation, which can be set as required.

100M optical Ethernet port supports full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode.

Gigabit Ethernet port can be configured as full (full duplex) or auto (auto-negotiation).
(1) For Gigabit Ethernet port of S3552G/S3552P/S3528G/S3528P/S3552F, the duplex mode can also be configured as half (half duplex).
(2) 1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches can operate in full-/half-duplex or auto-negotiation mode. However, if the speed has been set to 1000Mbps, the duplex mode can only be set to full (full-duplex) or auto (auto-negotiation).

By default, the port is in auto (auto-negotiation) mode.

1.2.5 Set Speed on the Ethernet Port

You can use the following command to set the speed on the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate about the port speed.

Perform the following configuration in Ethernet port view.

Table 1-5 Set speed on Ethernet port

Operation                                    Command
Set 100M Ethernet port speed                 speed { 10 | 100 | auto }
Set Gigabit Ethernet port speed              speed { 10 | 100 | 1000 | auto }
Restore the default speed on Ethernet port   undo speed

Note that the 100M electrical Ethernet port supports 10Mbps, 100Mbps and auto-negotiation, which can be set as required.

The 100M optical Ethernet port supports 100Mbps and can be configured to operate at 100 (100Mbps) or auto (auto-negotiation).


Gigabit Ethernet port can be set to 1000 (1000Mbps) or auto (auto-negotiation).
(1) For Gigabit Ethernet port of S3552G/S3552P/S3528G/S3528P/S3552F, the speed can only be 1000 (1000Mbps), which does not need to be configured.
(2) 1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches support 10Mbps, 100Mbps, and 1000Mbps, which can be selected as required. However, if the duplex mode has been set to half-duplex, the speed cannot be set to 1000Mbps.

By default, the speed of the port is in auto mode.

1.2.6 Set Cable Type for the Ethernet Port

The Ethernet port supports the straight-through and cross-over network cables. The following command can be used for configuring the cable type.

Perform the following configuration in Ethernet port view.

Table 1-6 Set the type of the cable connected to the Ethernet port

Operation                                                                Command
Set the type of the cable connected to the Ethernet port                 mdi { across | auto | normal }
Restore the default type of the cable connected to the Ethernet port     undo mdi

Note that the settings only take effect on 10/100Base-T and 1000Base-T ports.

By default, the cable type is auto (auto-recognized). That is, the system automatically recognizes the type of cable connected to the port.

1.2.7 Enable/Disable Flow Control for Ethernet Port

After enabling flow control in both the local and the peer switch, if congestion occurs in the local switch, the switch will inform its peer to pause packet sending. Once the peer switch receives this message, it will pause packet sending, and vice versa. In this way, packet loss is reduced effectively. The flow control function of the Ethernet port can be enabled or disabled through the following command.

Perform the following configuration in Ethernet port view.

Table 1-7 Enable/Disable Flow Control for Ethernet Port

Operation                            Command
Enable Ethernet port flow control    flow-control
Disable Ethernet port flow control   undo flow-control

By default, Ethernet port flow control is disabled.


1.2.8 Set Ethernet Port Broadcast Suppression Ratio

You can use the following commands to restrict broadcast traffic. Once the broadcast traffic exceeds the value set by the user, the system maintains an appropriate broadcast packet ratio by discarding the excess traffic, so as to suppress broadcast storms, avoid congestion and ensure normal service. The parameter is the maximum ratio of wire speed that broadcast traffic is allowed to occupy on the port. The smaller the ratio, the less broadcast traffic is allowed. A ratio of 100% means that no broadcast storm suppression is performed on the port.

Perform the following configuration in Ethernet port view.

Table 1-8 Set Ethernet port broadcast suppression ratio

Operation                                                   Command
Set Ethernet port broadcast suppression ratio               broadcast-suppression pct
Restore the default Ethernet port broadcast suppression ratio   undo broadcast-suppression

By default, 100% broadcast traffic is allowed to pass through, that is, no broadcast suppression will be performed.

1.2.9 Set link type for Ethernet port

Ethernet port can operate in three different link types, access, hybrid, and trunk types. The access port carries one VLAN only, used for connecting to the user’s computer. The trunk port can belong to more than one VLAN and receive/send the packets on multiple VLANs, used for connection between the switches. The hybrid port can also carry more than one VLAN and receive/send the packets on multiple VLANs, used for connecting both the switches and user’s computers. The difference between the hybrid port and the trunk port is that the hybrid port allows the packets from multiple VLANs to be sent without tags, but the trunk port only allows the packets from the default VLAN to be sent without tags.

Perform the following configuration in Ethernet port view.

Table 1-9 Set link type for Ethernet port

Operation                                                Command
Configure the port as access port                        port link-type access
Configure the port as hybrid port                        port link-type hybrid
Configure the port as trunk port                         port link-type trunk
Restore the default link type, that is, the access port  undo port link-type

You can configure all three types of ports concurrently on the same switch, but you cannot switch a port directly between trunk and hybrid. You must first turn it into an access port and then set it to the other type. For example, you cannot configure a trunk port directly as a hybrid port; first set it as an access port and then as a hybrid port.

By default, the port is an access port.

1.2.10 Add the Ethernet port to Specified VLANs

The following commands are used for adding an Ethernet port to a specified VLAN. The access port can only be added to one VLAN, while the hybrid and trunk ports can be added to multiple VLANs.

Perform the following configuration in Ethernet port view.

Table 1-10 Add the Ethernet port to specified VLANs

Operation                                              Command
Add the current access port to a specified VLAN        port access vlan vlan_id
Add the current hybrid port to specified VLANs         port hybrid vlan vlan_id_list { tagged | untagged }
Add the current trunk port to specified VLANs          port trunk permit vlan { vlan_id_list | all }
Remove the current access port from a specified VLAN   undo port access vlan
Remove the current hybrid port from specified VLANs    undo port hybrid vlan vlan_id_list
Remove the current trunk port from specified VLANs     undo port trunk permit vlan { vlan_id_list | all }

Note that the access port shall be added to an existing VLAN other than VLAN 1. The VLAN to which a hybrid port is added must already exist. The VLAN to which a trunk port is added cannot be VLAN 1.

After adding the Ethernet port to specified VLANs, the local port can forward packets of these VLANs. The hybrid and trunk ports can be added to multiple VLANs, thereby implementing the VLAN intercommunication between peers. For the hybrid port, you can configure to tag some VLAN packets, based on which the packets can be processed differently.

1.2.11 Set the Default VLAN ID for the Ethernet Port

Since an access port can be included in only one VLAN, its default VLAN is the one to which it belongs. Because a hybrid port or a trunk port can be included in several VLANs, a default VLAN ID must be configured for it. If the default VLAN ID has been configured, packets without a VLAN Tag are forwarded to the port that belongs to the default VLAN. When sending a packet with a VLAN Tag, if the VLAN ID of the packet is identical to the default VLAN ID of the port, the system removes the VLAN Tag before sending the packet.

Perform the following configuration in Ethernet port view.


Table 1-11 Set the default VLAN ID for the Ethernet port

Operation                                                        Command
Set the default VLAN ID for the hybrid port                      port hybrid pvid vlan vlan_id
Set the default VLAN ID for the trunk port                       port trunk pvid vlan vlan_id
Restore the default VLAN ID of the hybrid port to the default value   undo port hybrid pvid
Restore the default VLAN ID of the trunk port to the default value    undo port trunk pvid

Note that:

The Trunk port and isolate-user-vlan cannot be configured simultaneously, while the hybrid port and isolate-user-vlan can be thus configured. However, if the default VLAN has been mapped in isolate-user-vlan, you cannot modify the default VLAN ID until the mapping relationship has been removed.

To guarantee the proper packet transmission, the default VLAN ID of local hybrid port or Trunk port should be identical with that of the hybrid port or Trunk port on the peer switch.

By default, the VLAN of hybrid port and trunk port is VLAN 1 and that of the access port is the VLAN to which it belongs.

1.2.12 Set the VLAN VPN Feature

A VLAN Tag consists of 12 bits (defined by IEEE 802.1Q), so Ethernet Switches can support up to 4k VLANs. In networking, especially in a MAN (Metropolitan Area Network), a large number of VLANs is required to segment users, and 4k VLANs are not enough.

The VLAN VPN feature can give a packet two VLAN Tags, i.e. mark the packet with another VLAN Tag besides the original one, and thus provide 4k x 4k VLANs to meet users' demands. At the same time, the VLAN VPN feature provides the following functions: the original VLAN Tag is used to differentiate users and services, and the new VLAN Tag is used to carry services and VPN users. Through VLAN VPN configuration, Ethernet Switches can meet the requirements of a MAN.

If VLAN VPN is enabled on a port, all the packets (no matter whether it carries a VLAN Tag or not) will be given a new Tag that specifies the default VLAN of this port. Therefore, the packets that have had a VLAN Tag get two Tags, and the packets that have not had a VLAN Tag get one.

Perform the following configuration in Ethernet port view.


Table 1-12 Set the VLAN VPN feature

Operation                       Command
Enable the VLAN VPN feature     vlan-vpn enable
Disable the VLAN VPN feature    undo vlan-vpn

By default, the port VLAN VPN is disabled.

Note that if any one of GVRP, GMRP, STP, 802.1x, NTDP and NDP has been enabled on a port, VLAN VPN cannot be enabled on it.

Among the S3500 series switches, this configuration is supported by S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches.
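As an added example (not part of the manual), the following Python model applies the tag-handling rules stated in 1.2.9 to 1.2.12: which VLANs a port of each link type carries, when a trunk or hybrid port sends a frame untagged, how an untagged frame is placed in the port's default VLAN, and how VLAN VPN pushes a second tag on ingress; it also encodes the note in 1.2.11 that the default VLAN IDs of peer trunk or hybrid ports must match. The Port class, the constructed topology (PVID 3000 at two VLAN VPN edge ports, a trunk between them) and the rule that a tagged frame in a VLAN the port does not carry is dropped are the example's assumptions, not documented switch behaviour.

```python
"""Added example (not from the manual): model how S3500 access, trunk and hybrid ports
handle 802.1Q tags, including the VLAN VPN outer tag. A frame's tags are a list of VLAN
IDs, outermost first; [] is an untagged frame. The ports below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str                              # "access", "trunk" or "hybrid"
    pvid: int = 1                               # default VLAN ID (VLAN 1 for trunk/hybrid by default)
    vlans: set = field(default_factory=set)     # VLANs the port has been added to
    untagged: set = field(default_factory=set)  # hybrid only: VLANs sent without a tag
    vlan_vpn: bool = False                      # VLAN VPN feature (vlan-vpn enable)

    def __post_init__(self):
        # an access port belongs only to its default VLAN; every port carries its PVID
        self.vlans = {self.pvid} if self.link_type == "access" else set(self.vlans) | {self.pvid}


def ingress(port, tags):
    """Tag stack a received frame carries inside the switch, or None if it is dropped."""
    if port.vlan_vpn:
        # manual: with VLAN VPN every frame, tagged or not, gets a new outer tag of the PVID
        return [port.pvid] + list(tags)
    if not tags:
        return [port.pvid]          # manual: untagged frames are forwarded in the default VLAN
    # assumption: a tagged frame in a VLAN the port does not carry is dropped
    return list(tags) if tags[0] in port.vlans else None


def egress(port, tags):
    """Tag stack as sent on the wire, or None if the port does not carry the frame's VLAN."""
    if not tags or tags[0] not in port.vlans:
        return None
    vid = tags[0]
    if port.link_type == "access":
        strip = True                                       # access: its single VLAN leaves untagged
    elif port.link_type == "trunk":
        strip = vid == port.pvid                           # trunk: only the default VLAN leaves untagged
    else:
        strip = vid == port.pvid or vid in port.untagged   # hybrid: PVID plus the untagged set
    return list(tags[1:]) if strip else list(tags)


def forward(in_port, out_port, tags):
    """Receive a frame on in_port and send it on out_port; None if dropped at either side."""
    inner = ingress(in_port, tags)
    return None if inner is None else egress(out_port, inner)


def peer_pvid_consistent(local, peer):
    """Manual note: trunk/hybrid peers must use the same default VLAN ID; otherwise a frame
    sent untagged by one side is placed in a different VLAN by the other (see forward)."""
    return local.pvid == peer.pvid


# Constructed topology: two VLAN VPN edge ports with PVID 3000 joined by a core trunk,
# so a customer frame tagged 100 crosses the core as [3000, 100] and leaves as [100].
EDGE_A = Port("access", pvid=3000, vlan_vpn=True)
EDGE_B = Port("access", pvid=3000, vlan_vpn=True)
CORE = Port("trunk", pvid=1, vlans={3000})
```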

1.2.13 Set loopback detection for the Ethernet port

The following commands are used for enabling the port loopback detection and setting detection interval for the external loopback condition of each port. If there is a loopback port found, the switch will put it under control.

Perform the following configuration in corresponding view.

Table 1-13 Set loopback detection for the Ethernet port

Operation (view)                                                                                              Command
Enable loopback detection on the port (System view/Ethernet port view)                                        loopback-detection enable
Disable loopback detection on the port (System view/Ethernet port view)                                       undo loopback-detection enable
Enable the loopback controlled function of the trunk and hybrid ports (System view/Ethernet port view)        loopback-detection control enable
Disable the loopback controlled function of the trunk and hybrid ports (System view/Ethernet port view)       undo loopback-detection control enable
Set the external loopback detection interval of the port (System view)                                        loopback-detection interval-time time
Restore the default external loopback detection interval of the port (System view)                            undo loopback-detection interval-time
Configure the system to perform loopback detection on all VLANs of Trunk and Hybrid ports (Ethernet port view)   loopback-detection per-vlan enable
Configure the system to perform loopback detection only on the default VLAN of the port (Ethernet port view)     undo loopback-detection per-vlan enable

By default, the port loopback detection is enabled and the detection interval is 30 seconds. The loopback detection controlled function on Trunk or Hybrid port is enabled. The system performs loopback detection to all VLANs on Trunk and Hybrid ports.

Note that in the S3500 series, this configuration is supported on S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches.


1.2.14 Set the Time Interval of Calculating Port Statistics Information

The following commands configure a time interval. When calculating port statistics information, the switch calculates the average port speed over this time interval.

Perform the following configuration in Ethernet port view.

Table 1-14 Set the time interval of calculating port statistics information

Set the time interval for calculating port statistics information
    flow-interval interval

Restore the default time interval for calculating port statistics information
    undo flow-interval

By default, the time interval of calculating port statistics information is 300 seconds.

1.3 Display and Debug Ethernet Port

After the above configuration, execute the display command in any view to display the running Ethernet port configuration and verify the effect of the configuration.

Execute the reset command in user view to clear the statistics information of the port.

Execute the loopback command in Ethernet port view to check whether the Ethernet port works normally. During the loopback test the port cannot forward packets. The loopback test finishes automatically after running for a while.

Table 1-15 Display and debug Ethernet port

Perform a loopback test on the Ethernet port
    loopback { external | internal }

Display all the information of the port
    display interface { interface_type | interface_type interface_num | interface_name }

Display hybrid ports or trunk ports
    display port { hybrid | trunk }

Display the state of loopback detection on the port
    display loopback-detection

Clear the statistics information of the port
    reset counters interface [ interface_type | interface_type interface_num | interface_name ]

Note that the loopback test cannot be performed on a port disabled by the shutdown command. During the loopback test, the system disables the speed, duplex, mdi and shutdown operations on the port. Some ports do not support the loopback test; if you execute this command on such a port, the system displays a prompt.

In the S3500 series, the display loopback-detection command is supported on S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches.


1.4 Ethernet Port Configuration Example

I. Networking requirements

Ethernet Switch (Switch A) is connected to the peer (Switch B) via the trunk port Ethernet0/18. The following example configures the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command. In this typical application of the port trunk pvid vlan command, the trunk port forwards untagged packets to the default VLAN.

II. Networking diagram

Figure 1-1 Configure the default VLAN for a trunk port (diagram: Switch A connected to Switch B)

III. Configuration procedure

The following configurations are used for Switch A. Configure Switch B in a similar way.

# Enter the Ethernet port view of Ethernet0/18.

[Quidway] interface ethernet0/18

# Set Ethernet0/18 as a trunk port and allow VLAN 2, VLANs 6 through 50, and VLAN 100 to pass through.

[Quidway-Ethernet0/18] port link-type trunk

[Quidway-Ethernet0/18] port trunk permit vlan 2 6 to 50 100

# Return to system view and create VLAN 100.

[Quidway-Ethernet0/18] quit

[Quidway] vlan 100

# Return to the Ethernet port view and configure the default VLAN ID of Ethernet0/18 as 100.

[Quidway-vlan100] quit

[Quidway] interface ethernet0/18

[Quidway-Ethernet0/18] port trunk pvid vlan 100
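The VLAN list syntax used above in port trunk permit vlan 2 6 to 50 100 (and, in the same form, by undo vlan and by the isolate-user-vlan secondary mapping) is compact but easy to misread when auditing which VLANs a trunk actually carries. The following Python parser is an added example, not code from this manual or from the switch software: it expands a list into the full set of VLAN IDs, rejects malformed or reversed ranges, and renders a set back into the compact CLI form. The 1..4094 bound is the IEEE 802.1Q VLAN ID range and is an assumption of this example, not a limit stated on this page.

```python
"""Parser for the VLAN list syntax of commands such as
`port trunk permit vlan 2 6 to 50 100` (added example, not manual code)."""

VLAN_MIN, VLAN_MAX = 1, 4094  # assumed IEEE 802.1Q VLAN ID range


def _vlan_id(token: str) -> int:
    """Convert one token into a VLAN ID, rejecting non-numbers and out-of-range IDs."""
    if not token.isdigit():
        raise ValueError(f"not a VLAN ID: {token!r}")
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} is outside {VLAN_MIN}..{VLAN_MAX}")
    return vid


def parse_vlan_list(text: str) -> set[int]:
    """Expand "2 6 to 50 100" into {2, 6, 7, ..., 50, 100}.

    A token is a single VLAN ID; "a to b" is the inclusive range a..b.
    Raises ValueError for a dangling "to", a reversed range, or an empty list.
    """
    tokens = text.split()
    vlans: set[int] = set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "to":
            raise ValueError("'to' must be preceded by a VLAN ID")
        lo = hi = _vlan_id(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by a VLAN ID")
            hi = _vlan_id(tokens[i + 2])
            if hi < lo:
                raise ValueError(f"reversed range {lo} to {hi}")
            i += 3
        else:
            i += 1
        vlans.update(range(lo, hi + 1))
    if not vlans:
        raise ValueError("empty VLAN list")
    return vlans


def is_valid_vlan_list(text: str) -> bool:
    """True if the list parses; convenient for a pre-commit check of a permit list."""
    try:
        parse_vlan_list(text)
    except ValueError:
        return False
    return True


def format_vlan_list(vlans) -> str:
    """Inverse of parse_vlan_list: render IDs back into the compact "a to b" form,
    merging consecutive IDs into ranges so an audit report matches the CLI syntax."""
    parts = []
    start = prev = None
    for vid in sorted(set(vlans)) + [None]:  # None is a sentinel that flushes the last run
        if start is None:
            start = prev = vid
        elif vid is not None and vid == prev + 1:
            prev = vid
        else:
            parts.append(str(start) if start == prev else f"{start} to {prev}")
            start = prev = vid
    return " ".join(parts)
```

parse_vlan_list("2 6 to 50 100") returns the 47 VLAN IDs {2, 6, ..., 50, 100}; format_vlan_list on that set gives back "2 6 to 50 100", so a permit list can be normalised before it is compared against the VLANs a segmentation design actually allows on the trunk.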

1.5 Ethernet Port Troubleshooting

Fault: Default VLAN ID configuration failed.

Troubleshooting: Take the following steps.


Execute the display interface or display port command to check if the port is a trunk port or a hybrid port. If it is neither of them, configure it as a trunk port or a hybrid port.

Then configure the default VLAN ID.


Chapter 2 Link Aggregation Configuration

2.1 Link Aggregation Overview

An S3526 Ethernet Switch supports at most four aggregated groups, with each group containing a maximum of eight fixed ports or two extended ports. The starting port of an aggregated group can only be Ethernet0/1, Ethernet0/9, Ethernet0/17 or Gigabitethernet1/1 and the port numbers in a group must be consecutive.

An S3526E/S3526C Ethernet Switch supports at most six aggregated groups, with each group containing a maximum of eight fixed ports or two extended ports. The port numbers in a group must be consecutive, but there are no special restrictions on the starting port.

An S3526 FM/S3526 FS Ethernet Switch supports at most four aggregated groups, with each group containing a maximum of eight ports. The starting port of an aggregated group can only be Ethernet0/1, Ethernet0/9, Ethernet1/5 or Gigabitethernet3/1, and the port numbers in a group on the same slot must be consecutive. If a group contains ports on two slots, the ports on each slot must be consecutive, the slot numbers must be consecutive, and on the second slot the group must start from the first port of that slot.

An S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switch supports at most six aggregated 100M-port groups or one 1000M-port group, with each group containing a maximum of eight 100M ports or four 1000M ports. The port numbers in a group must be consecutive, but there are no special restrictions on the starting port.

In a link aggregation group, the port with the smallest number serves as the master port, and the others serve as member ports. In one link aggregation group, the link type of the master port and the member ports must be identical. That is, the master port and the member ports should be in Trunk mode together, or be in Access mode together.

2.2 Link Aggregation Configuration

Link aggregation configuration includes:

Aggregate Ethernet ports

2.2.1 Aggregate Ethernet Ports

The following command can be used for aggregating Ethernet ports or removing a configured link aggregation.


Perform the following configuration in system view.

Table 2-1 Aggregating Ethernet ports

Aggregate Ethernet ports
    link-aggregation port_num1 to port_num2 { both | ingress }

Remove a configured link aggregation
    undo link-aggregation { master_port_num | all }

Note that the Ethernet ports to be aggregated cannot work in auto-negotiation mode and must all work in the same mode, which can be 10M_FULL (10 Mbps, full duplex), 100M_FULL (100 Mbps, full duplex) or 1000M_FULL (1000 Mbps, full duplex); otherwise they cannot be aggregated.

2.3 Display and Debug Link Aggregation

After the above configuration, execute the display command in any view to display the running link aggregation configuration and verify the effect of the configuration.

Table 2-2 Display the information of the link aggregation

Display the information of the link aggregation
    display link-aggregation [ master_port_num ]

2.4 Link Aggregation Configuration Example

I. Networking requirements

The following example uses the link aggregation commands to aggregate several ports and balance the outgoing/incoming load among all the member ports. Link aggregation is typically used on Trunk ports: since a Trunk port allows frames from several VLANs to pass through, its heavy traffic needs to be balanced among all the ports.

Ethernet Switch (Switch A) is connected to the Ethernet Switch (Switch B) in the upstream via the aggregation of three ports, Ethernet0/1 through Ethernet0/3.


II. Networking diagram

Figure 2-1 Configure link aggregation (diagram: Switch A, Switch B and Switch C, with the link aggregation between Switch A and Switch B)

III. Configuration procedure

The following configurations are used for Switch A; configure Switch B in a similar way to activate the aggregation.

# Aggregate Ethernet0/1 through Ethernet0/3.

[Quidway] link-aggregation ethernet0/1 to ethernet0/3 both

# Display the information of the link aggregation.

[Quidway] display link-aggregation ethernet0/1

Master port: Ethernet0/1
Other sub-ports: Ethernet0/2 Ethernet0/3
Mode: both

2.5 Ethernet Link Aggregation Troubleshooting

Fault: You might see the prompt of configuration failure when configuring link aggregation.

Troubleshooting:

I. For S3526/S3526 FM/S3526 FS Ethernet Switches, take the following steps

Check the input parameters and see whether the starting Ethernet port number is smaller than the end port number. If yes, take the next step.

Check the input parameter and see whether the first number is correct. If yes, take the next step.

Check whether the Ethernet ports that are in the configured range belong to any other existing link aggregations. If not, take the next step.


Check whether the ports to be aggregated operate in the same speed and full duplex mode. If yes, take the next step.

Check if there are no more than eight ports in one group. If correct, configure the link aggregation again.

II. For S3526E/S3526C/S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches, take the following steps

Check the input parameters and see whether the starting Ethernet port number is smaller than the end port number. If yes, take the next step.

Check whether the Ethernet ports that are in the configured range belong to any other existing link aggregations. If not, take the next step.

Check whether the ports to be aggregated operate in the same speed and full duplex mode. If yes, take the next step.

Check if there are no more than eight ports in one group. If correct, configure the link aggregation again.
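The group limits in 2.1 and the checklist in 2.5 can be applied before the link-aggregation command is typed, so that a failed command (and a port left half-configured) is avoided. The following Python checker is an added example written for this page, not code from the manual or from the switch: it encodes the S3526 and S3526E/S3526C rules (the two-slot S3526 FM/FS rule and the S3552/S3528 1000M-port groups are not modelled), treats Ethernet ports as the fixed ports and GigabitEthernet ports as the extended ports, and assumes the caller supplies port state as a plain dict, since this page does not give the display output format. The 24-port sample state is constructed for the example.

```python
"""Pre-flight check for `link-aggregation port1 to port2 { both | ingress }`
(added example; applies the rules of 2.1 and the checks of 2.5)."""
from dataclasses import dataclass
import re

PORT_RE = re.compile(r"^(ethernet|gigabitethernet)(\d+)/(\d+)$", re.IGNORECASE)

# Per-model limits from 2.1. Assumption: "fixed" ports are Ethernet ports and
# "extended" ports are GigabitEthernet ports. S3526C follows the S3526E rules.
MODEL_RULES = {
    "S3526": dict(max_groups=4, max_fixed=8, max_extended=2,
                  start_ports={"Ethernet0/1", "Ethernet0/9", "Ethernet0/17",
                               "GigabitEthernet1/1"}),
    "S3526E": dict(max_groups=6, max_fixed=8, max_extended=2, start_ports=None),
}
MODEL_RULES["S3526C"] = MODEL_RULES["S3526E"]


@dataclass(frozen=True)
class Port:
    kind: str  # "Ethernet" or "GigabitEthernet"
    slot: int
    num: int

    @property
    def name(self) -> str:
        return f"{self.kind}{self.slot}/{self.num}"


@dataclass(frozen=True)
class PortState:
    speed: int     # 10, 100 or 1000 (Mbps)
    duplex: str    # "full" or "half"
    autoneg: bool  # True while the port is in auto-negotiation mode


def parse_port(name: str) -> Port:
    """Accept the spellings the CLI uses (ethernet0/1, Ethernet0/1, Gigabitethernet1/1)."""
    m = PORT_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised port name {name!r}")
    kind = "GigabitEthernet" if m.group(1).lower().startswith("g") else "Ethernet"
    return Port(kind, int(m.group(2)), int(m.group(3)))


def validate_aggregation(model, start, end, existing_groups, port_state):
    """Return the list of reasons the command would fail; [] means it should succeed.

    existing_groups: iterable of sets of port names already aggregated.
    port_state: dict port name -> PortState (constructed by the caller).
    """
    rules = MODEL_RULES[model]
    existing_groups = [set(g) for g in existing_groups]
    first, last = parse_port(start), parse_port(end)
    if (first.kind, first.slot) != (last.kind, last.slot):
        return [f"{first.name} and {last.name} are not consecutive ports on one slot"]
    problems = []
    if first.num >= last.num:  # 2.5 step 1
        problems.append(f"start port {first.name} must be lower than end port {last.name}")
    if rules["start_ports"] is not None and first.name not in rules["start_ports"]:
        problems.append(f"{first.name} is not a permitted starting port on {model}")  # 2.5 step 2
    members = [Port(first.kind, first.slot, n) for n in range(first.num, last.num + 1)]
    taken = {p for group in existing_groups for p in group}
    for p in members:  # 2.5 step 3
        if p.name in taken:
            problems.append(f"{p.name} already belongs to another aggregation group")
    speeds = set()
    for p in members:  # 2.5 step 4 and the note under Table 2-1
        st = port_state.get(p.name)
        if st is None:
            problems.append(f"{p.name}: port state unknown")
            continue
        if st.autoneg:
            problems.append(f"{p.name}: auto-negotiation must be disabled")
        if st.duplex != "full" or st.speed not in (10, 100, 1000):
            problems.append(f"{p.name}: must run as 10M_FULL, 100M_FULL or 1000M_FULL")
        speeds.add(st.speed)
    if len(speeds) > 1:
        problems.append(f"members run at different speeds: {sorted(speeds)}")
    limit = rules["max_fixed"] if first.kind == "Ethernet" else rules["max_extended"]
    if len(members) > limit:  # 2.5 step 5
        problems.append(f"{len(members)} ports exceed the limit of {limit} {first.kind} ports")
    if len(existing_groups) >= rules["max_groups"]:
        problems.append(f"{model} already has its maximum of {rules['max_groups']} groups")
    return problems


def sample_port_state(autoneg_ports=()):
    """Constructed sample: 24 Ethernet ports at 100M full duplex, some optionally auto-negotiating."""
    return {f"Ethernet0/{n}": PortState(100, "full", f"Ethernet0/{n}" in autoneg_ports)
            for n in range(1, 25)}
```

With the sample state, validate_aggregation("S3526", "ethernet0/1", "ethernet0/3", [], sample_port_state()) returns [] (the Switch A command of 2.4), while the same range starting at Ethernet0/2 is reported as an invalid starting port on an S3526 but passes on an S3526E.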


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

3. VLAN


Table of Contents

Chapter 1 VLAN Configuration 1-1
1.1 VLAN Overview 1-1
1.2 Configure VLAN 1-1
1.2.1 Enable/Disable VLAN Feature 1-1
1.2.2 Create/Delete a VLAN 1-2
1.2.3 Add Ethernet Ports to a VLAN 1-2
1.2.4 Set/Delete VLAN or VLAN interface Description Character String 1-3
1.2.5 Specify/Remove VLAN Interface 1-3
1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface 1-3
1.2.7 Shut down/Enable VLAN Interface 1-4
1.3 Display and Debug VLAN 1-4
1.4 VLAN Configuration Example 1-4
Chapter 2 Isolate-User-Vlan Configuration 2-1
2.1 Isolate-user-vlan Overview 2-1
2.2 Configure isolate-user-vlan 2-1
2.2.1 Configure isolate-user-vlan 2-1
2.2.2 Configure Secondary VLAN 2-2
2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN 2-2
2.3 Display and Debug isolate-user-vlan 2-3
2.4 isolate-user-vlan Configuration Example 2-3
Chapter 3 GARP/GVRP Configuration 3-1
3.1 Configure GARP 3-1
3.1.1 GARP Overview 3-1
3.1.2 Set GARP Timer 3-2
3.1.3 Display and Debug GARP 3-3
3.2 Configure GVRP 3-3
3.2.1 GVRP Overview 3-3
3.2.2 Enable/Disable Global GVRP 3-4
3.2.3 Enable/Disable Port GVRP 3-4
3.2.4 Set GVRP Registration Type 3-4
3.2.5 Display and Debug GVRP 3-5
3.2.6 GVRP Configuration Example 3-5


Chapter 1 VLAN Configuration

1.1 VLAN Overview

Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not physically into segments to implement the virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions.

Through VLAN technology, network managers can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same demands. The workstations of a VLAN do not have to belong to the same physical LAN segment.

With VLAN technology, broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which helps control network traffic, save device investment, simplify network management and improve security.

1.2 Configure VLAN

To configure a VLAN, first create a VLAN according to the requirements.

Main VLAN configuration includes:

Enable/Disable VLAN feature (supported by S3526E/S3526C switches in the S3500 series)
Create/Delete a VLAN
Add Ethernet ports to a VLAN
Set/Delete VLAN or VLAN interface description character string
Specify/Remove VLAN interface
Assign/Delete IP address and mask for/of a VLAN interface
Shut down/Enable VLAN interface

1.2.1 Enable/Disable VLAN Feature

After the VLAN feature is disabled, packets are forwarded according to MAC address without adding a VLAN tag, which disables VLAN isolation. You can still configure an IP address on the default management VLAN interface 1 and thereby perform remote management such as Telnet and web management.

You can use the following command to enable or disable the VLAN feature on a device.

Perform the following configuration in system view.


Table 1-1 Enable/Disable VLAN feature

Enable/Disable the VLAN feature
    vlan { enable | disable }

By default, VLAN feature is enabled on the switch.

Note that an error prompt appears if you try to create a VLAN after the VLAN feature has been disabled.

In the S3500 series, this configuration is supported on S3526E/S3526C switches.

1.2.2 Create/Delete a VLAN

You can use the following command to create/delete a VLAN.

Perform the following configurations in system view.

Table 1-2 Create/Delete a VLAN

Create a VLAN and enter the VLAN view
    vlan vlan_id

Delete the specified VLAN
    undo vlan { vlan_id [ to vlan_id ] | all }

If the VLAN to be created exists, enter the VLAN view directly. Otherwise, create the VLAN first, and then enter the VLAN view.

vlan_id specifies the VLAN ID. Note that the default VLAN, namely VLAN 1, cannot be deleted.

1.2.3 Add Ethernet Ports to a VLAN

You can use the following command to add the Ethernet ports to a VLAN.

Perform the following configuration in VLAN view.

Table 1-3 Add Ethernet ports to a VLAN

Add Ethernet ports to a VLAN
    port interface_list

Remove Ethernet ports from a VLAN
    undo port interface_list

By default, the system adds all the ports to a default VLAN, whose ID is 1.

Note that trunk ports and hybrid ports are added to or removed from a VLAN with the port and undo port commands in Ethernet port view, not in VLAN view.


1.2.4 Set/Delete VLAN or VLAN interface Description Character String

You can use the following command to set/delete VLAN or VLAN interface description character string.

Perform the following configuration in VLAN or VLAN interface view.

Table 1-4 Set/Delete VLAN or VLAN interface description character string

Set the description character string for a VLAN or VLAN interface
    description string

Restore the default description of the current VLAN or VLAN interface
    undo description

By default, VLAN description character string is VLAN ID of the VLAN, e.g. VLAN 0001. VLAN interface description character string is the VLAN interface name, e.g. Vlan-interface1 Interface.

1.2.5 Specify/Remove VLAN Interface

You can use the following command to specify/remove the VLAN interface.

Perform the following configurations in system view.

Table 1-5 Specify/Remove VLAN interface

Create a new VLAN interface and enter VLAN interface view
    interface vlan-interface vlan_id

Remove the specified VLAN interface
    undo interface vlan-interface vlan_id

Create the VLAN before creating an interface for it.

For this configuration task, vlan_id takes the VLAN ID.

1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface

To implement network layer functions on a VLAN interface, the VLAN interface must be assigned an IP address and mask. You can use the following command to set or delete the IP address and mask of the VLAN interface.

Generally, one IP address per interface is enough. You can also configure 10 IP addresses for an interface so that it connects to several subnets. Among these IP addresses, one is the primary IP address and all the others are secondary.

Perform the following configuration in VLAN interface view.


Table 1-6 Assign/Delete IP address and mask for/of a VLAN interface

Assign the IP address and mask for a VLAN interface
    ip address ip-address net-mask [ sub ]

Delete the IP address and mask of a VLAN interface
    undo ip address [ ip-address net-mask [ sub ] ]

1.2.7 Shut down/Enable VLAN Interface

You can use the following command to shut down/enable VLAN interface.

Perform the following configuration in VLAN interface view.

Table 1-7 Shut down/Enable VLAN interface

Shut down the VLAN interface
    shutdown

Enable the VLAN interface
    undo shutdown

The operation of shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports on the local VLAN.

By default, when all the Ethernet ports belonging to a VLAN are in DOWN status, this VLAN interface is also DOWN, i.e. this VLAN interface is shut down. When there is one or more Ethernet ports in UP status, this VLAN interface is also UP, i.e. this VLAN interface is enabled.

1.3 Display and Debug VLAN

After the above configuration, execute the display command in any view to display the running VLAN configuration and verify the effect of the configuration.

Table 1-8 Display and debug VLAN

Display the related information about a VLAN interface
    display interface vlan-interface [ vlan_id ]

Display the related information about VLANs
    display vlan [ vlan_id | all | static | dynamic ]

1.4 VLAN Configuration Example

I. Networking requirements

Create VLAN2 and VLAN3. Add Ethernet port 0/1 and Ethernet port 0/2 to VLAN2 and add Ethernet 0/3 and Ethernet 0/4 to VLAN3.


II. Networking diagram

Figure 1-1 VLAN configuration example (diagram: one switch; E0/1 and E0/2 in VLAN2, E0/3 and E0/4 in VLAN3)

III. Configuration procedure

# Create VLAN 2 and enter its view.

[Quidway] vlan 2

# Add Ethernet 0/1 and Ethernet 0/2 to VLAN2.

[Quidway-vlan2] port ethernet 0/1 to ethernet 0/2

# Create VLAN 3 and enter its view.

[Quidway-vlan2] vlan 3

# Add Ethernet 0/3 and Ethernet 0/4 to VLAN3.

[Quidway-vlan3] port ethernet 0/3 to ethernet 0/4


Chapter 2 Isolate-User-Vlan Configuration

2.1 Isolate-user-vlan Overview

Isolate-user-vlan is a new feature of the Ethernet Switches launched by Huawei Technologies Co., Ltd. that saves VLAN resources. It adopts the Layer 2 VLAN architecture: on an Ethernet Switch you configure an isolate-user-vlan and several Secondary VLANs. An isolate-user-vlan corresponds to several Secondary VLANs and includes all the ports of those Secondary VLANs as well as the Uplink ports. In this way, an upstream switch only needs to recognize the isolate-user-vlan of the downstream switch and can ignore the Secondary VLANs, which streamlines the configuration and saves VLAN resources. You can use isolate-user-vlan to isolate Layer 2 packets by assigning a Secondary VLAN to each user that includes only the ports connected to that user and the Uplink ports. You can also put the ports connected to different users into one Secondary VLAN so that their Layer 2 packets can intercommunicate.

2.2 Configure isolate-user-vlan

Isolate-user-vlan configuration includes:

Configure isolate-user-vlan
Configure secondary VLAN
Configure to map isolate-user-vlan to secondary VLAN

All of these tasks are required once you enable the isolate-user-vlan.

2.2.1 Configure isolate-user-vlan

You can use the following commands to create an isolate-user-vlan for an Ethernet switch and add new ports to it.

Create a VLAN in system view, configure it as an isolate-user-vlan and add new ports to it in VLAN view.


Table 2-1 Configure isolate-user-vlan

Create a VLAN
    vlan vlan-id

Configure the VLAN as an isolate-user-vlan
    isolate-user-vlan enable

Cancel the configuration of the VLAN as an isolate-user-vlan
    undo isolate-user-vlan enable

Add new ports to the isolate-user-vlan
    port interface-list

An Ethernet switch can have several isolate-user-vlans, each of which can include more than one port. An isolate-user-vlan cannot be configured together with a Trunk port: you cannot configure a Trunk port on an Ethernet switch already configured with an isolate-user-vlan, and vice versa. In addition, the Uplink port must be added to the isolate-user-vlan.

2.2.2 Configure Secondary VLAN

You can use the following commands to create a Secondary VLAN and add new ports to it.

Create a secondary VLAN in system view and add new ports to it in VLAN view.

Table 2-2 Configure Secondary VLAN

Create a Secondary VLAN
    vlan vlan-id

Add new ports to the Secondary VLAN
    port interface-list

You can add more than one port (other than Uplink ports) to a Secondary VLAN.

2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN

You can use the following command to map an isolate-user-vlan to its Secondary VLANs.

Perform the following configurations in system view.

Table 2-3 Configure to map isolate-user-vlan to secondary VLAN

Map an isolate-user-vlan to Secondary VLANs
    isolate-user-vlan isolate-user-vlan_num secondary secondary_vlan_numlist [ to secondary_vlan_numlist ]

Cancel the mapping of an isolate-user-vlan to Secondary VLANs
    undo isolate-user-vlan isolate-user-vlan_num [ secondary secondary_vlan_numlist [ to secondary_vlan_numlist ] ]


Note that before you execute this command, the isolate-user-vlan and the Secondary VLANs must already contain ports. You can map an isolate-user-vlan to no more than 30 Secondary VLANs.

After the mapping relationship is configured, the system does not allow you to add/remove any ports to/from the isolate-user-vlan or Secondary VLAN or remove a VLAN. You can perform these operations after removing the mapping relationship.

Without the specified secondary secondary_vlan_numlist parameter, the undo isolate-user-vlan command will remove the mapping relationship between the specified isolate-user-vlan and all the Secondary VLANs. Otherwise the relationship between the specified isolate-user-vlan and the specified Secondary VLAN will be removed.

2.3 Display and Debug isolate-user-vlan

After the above configuration, execute the display command in any view to display the running isolate-user-vlan configuration and verify the effect of the configuration.

Table 2-4 Display and debug isolate-user-vlan

Display the mapping relationship between the isolate-user-vlan and Secondary VLANs
    display isolate-user-vlan [ isolate-user-vlan_num ]

2.4 isolate-user-vlan Configuration Example

I. Networking requirements

Switch A is connected to Switch B and Switch C in the downstream. The VLAN5 carried by Switch B is the isolate-user-vlan, including the Uplink Ethernet1/1 and two Secondary VLANs, VLAN2 and VLAN3. VLAN3 includes Ethernet0/1 and VLAN2 includes Ethernet0/2. The VLAN6 carried by Switch C is the isolate-user-vlan, including the Uplink Ethernet1/1 and two Secondary VLANs, VLAN3 and VLAN4. VLAN3 includes Ethernet0/3 and VLAN4 includes Ethernet0/4. Seen from Switch A, Switch B and Switch C each carry one VLAN, VLAN 5 and VLAN 6 respectively.


II. Networking diagram

Figure 2-1 isolate-user-vlan configuration example (diagram: Switch A above Switch B and Switch C; Switch B uplink E1/1 carries vlan 5 with secondary vlan 2 on E0/2 and vlan 3 on E0/1; Switch C uplink E1/1 carries vlan 6 with secondary vlan 3 on E0/3 and vlan 4 on E0/4)

III. Configuration procedure

Only the configuration procedures for Switch B and Switch C are listed here.

Configure Switch B:

# Configure isolate-user-vlan

[Quidway] vlan 5

[Quidway-vlan5] isolate-user-vlan enable

[Quidway-vlan5] port ethernet1/1

# Configure Secondary VLAN

[Quidway-vlan5] vlan 3

[Quidway-vlan3] port ethernet0/1

[Quidway-vlan3] vlan 2

[Quidway-vlan2] port ethernet0/2

# Configure the isolate-user-vlan to Map the Secondary VLAN

[Quidway-vlan2] quit

[Quidway] isolate-user-vlan 5 secondary 2 to 3

Configure Switch C:

# Configure isolate-user-vlan

[Quidway] vlan 6


[Quidway-vlan6] isolate-user-vlan enable

[Quidway-vlan6] port ethernet1/1

# Configure Secondary VLAN

[Quidway-vlan6] vlan 3

[Quidway-vlan3] port ethernet0/3

[Quidway-vlan3] vlan 4

[Quidway-vlan4] port ethernet0/4

# Configure the isolate-user-vlan to Map the Secondary VLAN

[Quidway-vlan4] quit

[Quidway] isolate-user-vlan 6 secondary 3 to 4
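The rules in 2.2.1 to 2.2.3 (no Trunk port alongside an isolate-user-vlan, both sides of a mapping must already contain ports, at most 30 Secondary VLANs per isolate-user-vlan, and no port or VLAN changes while a mapping exists) are easy to trip over when a configuration is changed later. The following Python model is an added example, not the switch software or anything from this manual: it replays the Switch B procedure above and raises ConfigError wherever the switch would reject the command. The command methods and the port names are constructed for the example; the model also applies the rule from 1.2.2 that VLAN 1 cannot be deleted.

```python
"""Model of the isolate-user-vlan rules in 2.2.1 to 2.2.3, replayed on the Switch B
configuration of 2.4 (added example; not the switch software)."""

MAX_SECONDARY_PER_ISOLATE = 30  # 2.2.3: an isolate-user-vlan maps to at most 30 Secondary VLANs


class ConfigError(Exception):
    """Raised where the switch would reject the command with an error prompt."""


class Switch:
    def __init__(self):
        self.vlans: dict[int, set[str]] = {1: set()}  # VLAN ID -> member ports; VLAN 1 always exists
        self.isolate: set[int] = set()                 # VLANs configured as isolate-user-vlan
        self.mappings: dict[int, set[int]] = {}        # isolate-user-vlan -> Secondary VLANs
        self.trunk_ports: set[str] = set()

    def _require_vlan(self, vid):
        if vid not in self.vlans:
            raise ConfigError(f"VLAN {vid} does not exist")

    def _mapped(self, vid) -> bool:  # while mapped, a VLAN's ports are frozen (2.2.3)
        return vid in self.mappings or any(vid in s for s in self.mappings.values())

    def vlan(self, vid):  # [Quidway] vlan vid
        self.vlans.setdefault(vid, set())

    def undo_vlan(self, vid):  # [Quidway] undo vlan vid
        if vid == 1:
            raise ConfigError("the default VLAN 1 cannot be deleted")  # 1.2.2
        if self._mapped(vid):
            raise ConfigError(f"VLAN {vid} is mapped; remove the mapping first")
        self.vlans.pop(vid, None)
        self.isolate.discard(vid)

    def port(self, vid, *ports):  # [Quidway-vlanN] port interface-list
        self._require_vlan(vid)
        if self._mapped(vid):
            raise ConfigError(f"ports of VLAN {vid} cannot change while it is mapped")
        self.vlans[vid].update(ports)

    def port_link_type_trunk(self, port):  # [Quidway-EthernetX] port link-type trunk
        if self.isolate:
            raise ConfigError("a Trunk port cannot coexist with an isolate-user-vlan")  # 2.2.1
        self.trunk_ports.add(port)

    def isolate_user_vlan_enable(self, vid):  # [Quidway-vlanN] isolate-user-vlan enable
        self._require_vlan(vid)
        if self.trunk_ports:
            raise ConfigError("isolate-user-vlan cannot be configured while Trunk ports exist")
        self.isolate.add(vid)

    def isolate_user_vlan(self, vid, secondaries):  # [Quidway] isolate-user-vlan vid secondary a to b
        if vid not in self.isolate:
            raise ConfigError(f"VLAN {vid} is not an isolate-user-vlan")
        secondaries = set(secondaries)
        for s in (vid, *secondaries):  # both sides must already contain ports (2.2.3)
            self._require_vlan(s)
            if not self.vlans[s]:
                raise ConfigError(f"VLAN {s} has no ports")
        merged = self.mappings.get(vid, set()) | secondaries
        if len(merged) > MAX_SECONDARY_PER_ISOLATE:
            raise ConfigError(f"more than {MAX_SECONDARY_PER_ISOLATE} Secondary VLANs")
        self.mappings[vid] = merged

    def undo_isolate_user_vlan(self, vid, secondaries=None):
        """Without `secondary ...` the whole mapping goes; with it, only the listed VLANs."""
        if secondaries is None:
            self.mappings.pop(vid, None)
            return
        remaining = self.mappings.get(vid, set()) - set(secondaries)
        if remaining:
            self.mappings[vid] = remaining
        else:
            self.mappings.pop(vid, None)

    def display_isolate_user_vlan(self, vid):  # display isolate-user-vlan vid
        return sorted(self.mappings.get(vid, ()))


def switch_b() -> Switch:
    """The Switch B procedure from 2.4, step for step."""
    sw = Switch()
    sw.vlan(5); sw.isolate_user_vlan_enable(5); sw.port(5, "Ethernet1/1")
    sw.vlan(3); sw.port(3, "Ethernet0/1")
    sw.vlan(2); sw.port(2, "Ethernet0/2")
    sw.isolate_user_vlan(5, range(2, 4))  # isolate-user-vlan 5 secondary 2 to 3
    return sw


def rejected(action) -> bool:
    """True if the model refuses the action, for use in checks and tests."""
    try:
        action()
    except ConfigError:
        return True
    return False
```

After switch_b(), display_isolate_user_vlan(5) returns [2, 3]; a later port 2 Ethernet0/5 in VLAN 2 is refused until undo isolate-user-vlan 5 secondary 2 (or the whole mapping) has been removed, which is the order of operations 2.2.3 prescribes.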


Chapter 3 GARP/GVRP Configuration

3.1 Configure GARP

3.1.1 GARP Overview

Generic Attribute Registration Protocol (GARP) offers a mechanism that is used by the members in the same switching network to distribute, propagate and register such information as VLAN and multicast addresses.

GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP and GMRP. GVRP is described in the GVRP Configuration section and GMRP in Multicast Configuration. A GARP participant resides on each port of the switch, so each port corresponds to one GARP participant.

Through GARP mechanism, the configuration information on one GARP member will be advertised rapidly in the whole switching network. GARP member can be a terminal workstation or bridge. A GARP member can notify other members to register or remove its attribute information by sending declarations or withdrawal declarations. It can also register or remove the attribute information of other GARP members according to the received declarations/withdrawal declarations.

GARP members exchange information by sending messages. There are mainly three types of GARP messages: Join, Leave and LeaveAll. When a GARP participant wants to register its attribute information on other switches, it sends a Join message. When it wants to remove some attribute values from other switches, it sends a Leave message. The LeaveAll timer is started when each GARP participant is enabled, and a LeaveAll message is sent when it times out. Join and Leave messages together ensure that attributes can be deregistered and re-registered. Through this message exchange, all the attribute information to be registered is propagated to all the switches in the same switching network.

The destination MAC addresses of the packets of the GARP participants are specific multicast MAC addresses. A GARP-supporting switch will classify the packets received from the GARP participants and process them with corresponding GARP applications (GVRP or GMRP).

GARP and GMRP are described in detail in the IEEE 802.1p standard (which has been incorporated into the IEEE 802.1D standard). Quidway Series Ethernet Switches fully support GARP in compliance with the IEEE standards.


Main GARP configuration includes:

Set GARP timer

Note:

1) The value of a GARP timer is used by all the GARP applications, including GVRP and GMRP, running in one switching network.

2) In one switching network, the GARP timers on all the switching devices should be set to the same values. Otherwise, the GARP applications cannot work normally.

3.1.2 Set GARP Timer

GARP timers include Hold timer, Join timer, Leave timer and LeaveAll timer.

The GARP participant sends a Join message each time the Join timer expires, so that other GARP participants can register its attribute values.

When the GARP participant wants to remove some attribute values, it sends a Leave message. A GARP participant receiving the Leave message starts the Leave timer. If no Join message for those attributes is received before the Leave timer expires, the GARP attribute values are removed.

The LeaveAll timer is started as soon as the GARP participant is enabled. When it expires, a LeaveAll message is sent so that other GARP participants remove all the attribute values of this participant. The LeaveAll timer is then restarted and a new cycle begins.

When the switch receives GARP registration information, it does not send a Join message immediately. Instead, it starts the Hold timer and sends the Join message when the Hold timer expires. In this way, all the VLAN registration information received within the Hold timer period is sent in one frame, which saves bandwidth.

Configure Hold timer, Join timer and Leave timer in Ethernet port view. Configure LeaveAll timer in system view.

Table 3-1 Set GARP timer

Set GARP Hold timer, Join timer and Leave timer
    garp timer { hold | join | leave } timer_value
Set GARP LeaveAll timer
    garp timer leaveall timer_value
Restore the default GARP Hold timer, Join timer and Leave timer settings
    undo garp timer { hold | join | leave }
Restore the default GARP LeaveAll timer settings
    undo garp timer leaveall


Note that the value of the Join timer must be no less than twice the Hold timer, and the value of the Leave timer must be greater than twice the Join timer and smaller than the LeaveAll timer. Otherwise, the system displays an error message and rejects the setting.

By default, Hold timer is 10 centiseconds, Join timer is 20 centiseconds, Leave timer is 60 centiseconds, and LeaveAll timer is 1000 centiseconds.
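The three constraints and the per-network consistency rule above are easy to violate when timers are tuned by hand. The following Python is an added example, not code from the manual or from the switch software: it checks a candidate timer set the way the text says the switch does, models a single timer change being accepted or rejected, and reports timers that disagree between switches. The function names and the dictionary layout are my own; values are in centiseconds, as on the page.

```python
"""Sanity checks for GARP timer values (centiseconds). Added example."""

# Factory defaults quoted in the manual, in centiseconds.
DEFAULT_TIMERS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}

TIMER_NAMES = ("hold", "join", "leave", "leaveall")


def validate_garp_timers(hold, join, leave, leaveall):
    """Return the list of violated constraints; an empty list means the set is accepted.

    The manual states that the switch rejects a timer set unless
        join  >= 2 * hold
        leave >  2 * join
        leave <  leaveall
    """
    errors = []
    for name, value in zip(TIMER_NAMES, (hold, join, leave, leaveall)):
        if value <= 0:
            errors.append(f"{name} timer must be positive, got {value}")
    if join < 2 * hold:
        errors.append(f"join ({join}) must be at least twice hold ({hold})")
    if leave <= 2 * join:
        errors.append(f"leave ({leave}) must be greater than twice join ({join})")
    if leave >= leaveall:
        errors.append(f"leave ({leave}) must be smaller than leaveall ({leaveall})")
    return errors


def apply_timer_change(current, name, value):
    """Model 'garp timer <name> <value>' and 'garp timer leaveall <value>'.

    Returns (new_timers, errors). When the candidate set violates a constraint
    the original set is returned unchanged, mirroring the switch prompting an
    error and keeping the old value.
    """
    if name not in TIMER_NAMES:
        raise ValueError(f"unknown GARP timer: {name}")
    candidate = dict(current)
    candidate[name] = value
    errors = validate_garp_timers(**candidate)
    return (current, errors) if errors else (candidate, [])


def inconsistent_timers(switch_timers):
    """Note 2 above: every switch in one network must use the same GARP timers.
    Return the names of the timers that differ between the given per-switch
    timer dictionaries (empty when the network is consistent)."""
    return [n for n in TIMER_NAMES if len({t[n] for t in switch_timers}) > 1]


if __name__ == "__main__":
    timers = dict(DEFAULT_TIMERS)
    # Lowering Leave to 40 is rejected: 40 is not greater than 2 * 20.
    timers, errors = apply_timer_change(timers, "leave", 40)
    print("leave 40:", errors or "accepted")
    # Raising Leave to 100 satisfies both bounds (100 > 40 and 100 < 1000).
    timers, errors = apply_timer_change(timers, "leave", 100)
    print("leave 100:", errors or timers)
    # Two switches whose LeaveAll timers differ will not interoperate correctly.
    other = dict(DEFAULT_TIMERS, leaveall=2000)
    print("timers differing across switches:", inconsistent_timers([timers, other]))
```

Run the module directly to see a rejected and an accepted change; `inconsistent_timers` is the check to run over the `display garp timer` output of every switch in the network before enabling GVRP.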

3.1.3 Display and Debug GARP

After the above configuration, execute the display command in any view to display the running state of GARP and verify the effect of the configuration. Execute the reset command in user view to clear GARP statistics. Execute the debugging command in user view to debug GARP.

Table 3-2 Display and debug GARP

Display GARP statistics information
    display garp statistics [ interface interface-list ]
Display GARP timer
    display garp timer [ interface interface-list ]
Clear GARP statistics information
    reset garp statistics [ interface interface-list ]
Enable GARP event debugging
    debugging garp event
Disable GARP event debugging
    undo debugging garp event

3.2 Configure GVRP

3.2.1 GVRP Overview

GARP VLAN Registration Protocol (GVRP) is a GARP application. Using the GARP operating mechanism, GVRP maintains the dynamic VLAN registration information in the switch and propagates it to other switches. Every GVRP-supporting switch can receive VLAN registration information from other switches and dynamically update its local VLAN registration information, including which VLANs have active members and through which port those members can be reached. Every GVRP-supporting switch can also propagate its local VLAN registration information to other switches, so that the VLAN information is consistent on all GVRP-supporting devices in one switching network. The VLAN registration information propagated by GVRP includes both the local static registration information configured manually and the dynamic registration information learned from other switches.

GVRP is described in detail in the IEEE 802.1Q standard. Quidway Series Ethernet Switches fully support GVRP as specified in the IEEE standards.

Main GVRP configuration includes:

Enable/Disable global GVRP

Enable/Disable port GVRP

Set GVRP registration type

In the above-mentioned configuration tasks, GVRP should be enabled globally before it is enabled on the port. Configuration of GVRP registration type can only take effect after the port GVRP is enabled. Besides, GVRP must be configured on the Trunk port.

3.2.2 Enable/Disable Global GVRP

You can use the following command to enable/disable global GVRP.

Perform the following configurations in system view.

Table 3-3 Enable/Disable global GVRP

Enable global GVRP
    gvrp
Disable global GVRP
    undo gvrp

By default, global GVRP is disabled.

3.2.3 Enable/Disable Port GVRP

You can use the following command to enable/disable the GVRP on a port.

Perform the following configurations in Ethernet port view.

Table 3-4 Enable/Disable port GVRP

Enable port GVRP
    gvrp
Disable port GVRP
    undo gvrp

GVRP must be enabled globally before it is enabled on a port, and it can only be enabled or disabled on a Trunk port.

By default, port GVRP is disabled.

3.2.4 Set GVRP Registration Type

The GVRP registration types include Normal, Fixed and Forbidden (see IEEE 802.1Q).

When an Ethernet port is set to be in Normal registration mode, the dynamic and manual creation, registration and logout of VLAN are allowed on this port.


When a Trunk port is set to Fixed registration mode, the system adds the port to a VLAN whenever a static VLAN is created on the switch and the Trunk port permits that VLAN. GVRP also adds the VLAN to the local GVRP database, the linked list that GVRP maintains. However, GVRP cannot learn dynamic VLANs through this port, and dynamic VLANs learned on other ports of the local switch are not declared to the neighbour through this port.

When an Ethernet port is set to be in Forbidden registration mode, all the VLANs except VLAN1 will be logged out and no other VLANs can be created and registered on this port.
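The practical consequence of the three modes is which VLANs a neighbour can cause the port to join, and which of the switch's VLANs leak out through it. The Python below is an added example, not code from the manual or from the switch: it models each mode exactly as the three paragraphs above describe it, then replays Switch A from the configuration example with an extra trunk facing a device the administrator does not manage. `port_state`, `scenario` and the VLAN numbers are my own constructions; treating VLAN 1 as registered but never declared is a simplification of the model.

```python
"""Model of the Normal, Fixed and Forbidden GVRP registration types. Added example."""


def port_state(mode, static_vlans, received_dynamic, other_port_dynamic):
    """Return (registered, declared) for one Trunk port.

    static_vlans        VLANs created statically on the switch that the trunk permits
    received_dynamic    VLANs learned from GVRP Join messages arriving on this port
    other_port_dynamic  dynamic VLANs the switch learned on its other ports

    'registered' is what the port ends up a member of; 'declared' is what it
    advertises to the neighbour on the far end of the link. VLAN 1 stays
    registered in every mode (the manual says Forbidden leaves only VLAN 1);
    never declaring VLAN 1 is a simplification of this model.
    """
    static_vlans = set(static_vlans)
    if mode == "normal":
        # Manual and dynamic creation, registration and logout are all allowed.
        registered = {1} | static_vlans | set(received_dynamic)
        declared = static_vlans | set(other_port_dynamic)
    elif mode == "fixed":
        # Static VLANs are added and declared; nothing dynamic is learned here,
        # and dynamic VLANs from other ports are not declared out of this port.
        registered = {1} | static_vlans
        declared = static_vlans
    elif mode == "forbidden":
        # Everything except VLAN 1 is logged out; nothing else can register.
        registered = {1}
        declared = set()
    else:
        raise ValueError(f"unknown GVRP registration type: {mode}")
    return registered, declared


def scenario(mode_on_unmanaged_port):
    """Switch A from the configuration example: Ethernet0/10 (Normal) faces
    Switch B, and a second trunk faces a device the administrator does not
    manage. VLAN numbers are constructed for the example."""
    static = {10, 20}           # created by the administrator on Switch A
    from_switch_b = {30}        # legitimate dynamic VLAN learned on Ethernet0/10
    from_unmanaged = {999}      # VLAN the unmanaged device declares towards Switch A

    registered_u, _ = port_state(mode_on_unmanaged_port, static, from_unmanaged, from_switch_b)
    learned_on_unmanaged = registered_u & from_unmanaged
    _, declared_to_b = port_state("normal", static, from_switch_b, learned_on_unmanaged)
    return {"unmanaged_port": registered_u, "declared_to_switch_b": declared_to_b}


if __name__ == "__main__":
    for mode in ("normal", "fixed", "forbidden"):
        print(mode, scenario(mode))
```

With the unmanaged trunk in Normal mode, VLAN 999 is registered on Switch A and re-declared to Switch B through Ethernet0/10; in Fixed mode the port still carries the administrator's static VLANs but learns nothing, and in Forbidden mode it carries VLAN 1 only. Fixed is therefore the registration type to set on trunks whose neighbour should not be allowed to create VLANs on the switch.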

Perform the following configurations in Ethernet port view.

Table 3-5 Set GVRP registration type

Set GVRP registration type
    gvrp registration { normal | fixed | forbidden }
Restore the default GVRP registration type
    undo gvrp registration

By default, GVRP registration type is normal.

3.2.5 Display and Debug GVRP

After the above configuration, execute the display command in any view to display the running state of GVRP and verify the effect of the configuration. Execute the debugging command in user view to debug GVRP.

Table 3-6 Display and debug GVRP

Display GVRP statistics information
    display gvrp statistics [ interface interface-list ]
Display GVRP global status information
    display gvrp status
Enable GVRP packet or event debugging
    debugging gvrp { packet | event }
Disable GVRP packet or event debugging
    undo debugging gvrp { packet | event }

3.2.6 GVRP Configuration Example

I. Networking requirements

To dynamically register and update VLAN information among switches, GVRP needs to be enabled on the switches.


II. Networking diagram

Switch A (Ethernet0/10) ---- (Ethernet0/11) Switch B

Figure 3-1 GVRP configuration example

III. Configuration procedure

Configure Switch A:

# Enable GVRP globally.

[Quidway] gvrp

# Set Ethernet0/10 as a Trunk port and allow all VLANs to pass through it.

[Quidway] interface ethernet0/10

[Quidway-Ethernet0/10] port link-type trunk

[Quidway-Ethernet0/10] port trunk permit vlan all

# Enable GVRP on the Trunk port.

[Quidway-Ethernet0/10] gvrp

Configure Switch B:

# Enable GVRP globally.

[Quidway] gvrp

# Set Ethernet0/11 as a Trunk port and allow all VLANs to pass through it.

[Quidway] interface ethernet0/11

[Quidway-Ethernet0/11] port link-type trunk

[Quidway-Ethernet0/11] port trunk permit vlan all

# Enable GVRP on the Trunk port.

[Quidway-Ethernet0/11] gvrp

4. Network Protocol

Table of Contents

Chapter 1 IP Address Configuration .... 1-1
1.1 IP Address Overview .... 1-1
1.1.1 IP Address Classification and Indications .... 1-1
1.1.2 Subnet and Mask .... 1-2
1.2 Configure IP Address .... 1-3
1.2.1 Configure Hostname and Host IP Address .... 1-3
1.2.2 Configure IP Address of the VLAN Interface .... 1-4
1.3 Display and Debug IP Address .... 1-4
1.4 IP Address Configuration Example .... 1-4
1.5 Troubleshoot IP Address Configuration .... 1-5

Chapter 2 ARP Configuration .... 2-1
2.1 Introduction to ARP .... 2-1
2.2 Configure ARP .... 2-2
2.2.1 Manually Add/Delete Static ARP Mapping Entries .... 2-2
2.2.2 Configure ARP Timed Probing Function .... 2-2
2.2.3 Configure the Dynamic ARP Aging Timer .... 2-3
2.2.4 Configure ARP Source Address Suppression .... 2-3
2.3 Display and Debug ARP .... 2-4

Chapter 3 DHCP Relay Configuration .... 3-1
3.1 Brief Introduction to DHCP Relay .... 3-1
3.2 Configure DHCP Relay .... 3-2
3.2.1 Configure IP Address of a DHCP Server .... 3-2
3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface .... 3-3
3.2.3 Configure the Address Table Entry .... 3-3
3.2.4 Enable/Disable DHCP Security Features .... 3-4
3.2.5 Enable/Disable DHCP Pseudo-server Detection .... 3-4
3.3 Display and Debug DHCP Relay .... 3-5
3.4 DHCP Relay Configuration Example .... 3-5
3.5 Troubleshoot DHCP Relay Configuration .... 3-6

Chapter 4 DHCP Configuration .... 4-1
4.1 DHCP Overview .... 4-1
4.1.1 DHCP Fundamentals .... 4-1
4.1.2 DHCP Relay .... 4-4
4.2 DHCP Public Configuration .... 4-4
4.2.1 Enable/Disable the DHCP Service .... 4-5
4.2.2 Define DHCP Message Handling Method .... 4-5
4.2.3 Enable/Disable Pseudo-DHCP Server Detection .... 4-6
4.3 DHCP Server Configuration .... 4-6
4.3.1 Create Global DHCP Address Pool .... 4-7
4.3.2 Configure Address Allocation Method for a DHCP Address Pool .... 4-8
4.3.3 Configure IP Addresses Forbidden in Automatic Allocation .... 4-9
4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool .... 4-10
4.3.5 Configure DHCP Client Domain Name .... 4-11
4.3.6 Configure DNS Server Addresses for DHCP Clients .... 4-12
4.3.7 Configure NetBIOS Server Addresses for DHCP Clients .... 4-13
4.3.8 Define NetBIOS Node Type of DHCP Clients .... 4-14
4.3.9 Configure a DHCP Option .... 4-15
4.3.10 Configure IP Addresses of Egress Gateways for DHCP Clients .... 4-16
4.3.11 Configure the Ping Mechanism on DHCP Server .... 4-17
4.4 DHCP Relay Configuration .... 4-18
4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed .... 4-18
4.4.2 Distribute Load among DHCP Servers .... 4-19
4.4.3 Release Client IP Address through DHCP Relay .... 4-19
4.4.4 Configure Address Map Entry for Security Check .... 4-19
4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface .... 4-20
4.5 Display and Debug DHCP .... 4-20
4.6 DHCP Configuration Example .... 4-21
4.6.1 DHCP Server Configuration Example .... 4-21
4.6.2 DHCP Relay Configuration Example .... 4-23
4.7 DHCP Troubleshooting .... 4-24

Chapter 5 Access Management Configuration .... 5-1
5.1 Access Management Overview .... 5-1
5.2 Configure Access Management .... 5-2
5.2.1 Enable Access Management Function .... 5-2
5.2.2 Configure the Access IP Address Pool Based on the Physical Port .... 5-3
5.2.3 Configure Layer 2 Isolation between Ports .... 5-3
5.2.4 Configure Port, IP Address and MAC Address Binding .... 5-3
5.2.5 Enable/Disable Access Management Trap .... 5-4
5.3 Display and Debug Access Management .... 5-5
5.4 Access Management Configuration Example .... 5-5

Chapter 6 IP Performance Configuration .... 6-1
6.1 IP Performance Configuration .... 6-1
6.1.1 Configure TCP Attributes .... 6-1
6.2 Display and Debug IP Performance .... 6-2
6.3 Troubleshoot IP Performance .... 6-2


Chapter 1 IP Address Configuration

1.1 IP Address Overview

1.1.1 IP Address Classification and Indications

An IP address is a 32-bit address allocated to a device that connects to the Internet. It consists of two fields: the net-id field and the host-id field. There are five classes of IP address, shown in the following figure.

Figure 1-1 Five classes of IP address (bit positions 0 to 31)

Class A: leading bit 0; net-id (7 bits); host-id (24 bits)
Class B: leading bits 10; net-id (14 bits); host-id (16 bits)
Class C: leading bits 110; net-id (21 bits); host-id (8 bits)
Class D: leading bits 1110; multicast address (28 bits)
Class E: leading bits 11110; reserved address (27 bits)

Class A, Class B and Class C addresses are unicast addresses; Class D addresses are multicast addresses, and Class E addresses are reserved for special applications in the future. The first three classes are the ones commonly used.

An IP address is written in dotted decimal format: four integers separated by dots, each integer corresponding to one byte, e.g. 10.110.50.101.

When using IP addresses, note that some of them are reserved for special uses and are seldom used. The IP addresses you can use are listed in the following table.


Table 1-1 IP address classes and ranges

Class A
    Address range: 0.0.0.0 to 127.255.255.255
    IP network range: 1.0.0.0 to 126.0.0.0
    Note: A host ID with all bits 0 is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network. The address 0.0.0.0 is used by a host that has not yet been put into use after starting up. An address with network number 0 denotes the current network, which a router can refer to without knowing its network number. Network IDs of the form 127.X.Y.Z are reserved for loopback testing; packets sent to such an address are not put on the line but are processed internally and treated as input packets.

Class B
    Address range: 128.0.0.0 to 191.255.255.255
    IP network range: 128.0.0.0 to 191.254.0.0
    Note: A host ID with all bits 0 is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network.

Class C
    Address range: 192.0.0.0 to 223.255.255.255
    IP network range: 192.0.0.0 to 223.255.254.0
    Note: A host ID with all bits 0 is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network.

Class D
    Address range: 224.0.0.0 to 239.255.255.255
    IP network range: none
    Note: Class D addresses are multicast addresses.

Class E
    Address range: 240.0.0.0 to 255.255.255.254
    IP network range: none
    Note: These addresses are reserved for future use.

Other addresses
    Address range: 255.255.255.255
    IP network range: 255.255.255.255
    Note: 255.255.255.255 is used as the LAN broadcast address.

1.1.2 Subnet and Mask

With the rapid development of the Internet, IP addresses are being exhausted very quickly, and the traditional allocation method wastes many of them. To make full use of the available IP addresses, the concepts of mask and subnet were introduced.

A mask is a 32-bit number that corresponds to an IP address. It consists of 1s and 0s. In principle the 1s and 0s could be combined arbitrarily, but in practice a mask is designed so that its leading bits are a consecutive run of 1s. The mask divides the IP address into two parts: the subnet address and the host address. The address bits that correspond to 1s in the mask form the subnet address, and the remaining bits form the host address. If there is no subnet division, the subnet mask takes its default value and the length of the run of 1s equals the net-id length. Therefore, for IP addresses of classes A, B and C, the default subnet masks are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively.

The mask can be used to divide a Class A network containing more than 16,000,000 hosts, or a Class B network containing more than 60,000 hosts, into multiple smaller networks. Each smaller network is called a subnet. For example, for the Class B network address 202.38.0.0, the mask 255.255.224.0 divides the network into 8 subnets: 202.38.0.0, 202.38.32.0, 202.38.64.0, 202.38.96.0, 202.38.128.0, 202.38.160.0, 202.38.192.0 and 202.38.224.0 (see the following figure). Each subnet can contain more than 8000 hosts.

Figure 1-2 Subnet division of IP address

                               Subnet number   Host number
Class B 202.38.0.0         11001010, 00100110, 000 00000, 00000000
Standard mask 255.255.0.0  11111111, 11111111, 000 00000, 00000000
Subnet mask 255.255.224.0  11111111, 11111111, 111 00000, 00000000

Subnet address bits 000: 202.38.0.0
Subnet address bits 001: 202.38.32.0
Subnet address bits 010: 202.38.64.0
Subnet address bits 011: 202.38.96.0
Subnet address bits 100: 202.38.128.0
Subnet address bits 101: 202.38.160.0
Subnet address bits 110: 202.38.192.0
Subnet address bits 111: 202.38.224.0
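The classification in Figure 1-1, the reserved meanings in Table 1-1 and the subnet division in Figure 1-2 are all bit operations on the same 32-bit value. The Python below is an added example (not code from the manual) that implements them with the standard `ipaddress` module: it classifies an address by its leading bits, returns the default mask, names the reserved addresses from Table 1-1, and splits a network into the subnets a longer mask produces, reproducing the eight subnets of the 202.38.0.0 example. The function names are my own; `subnets` takes the standard mask as an argument rather than deriving it from the address class, so it reproduces the figure exactly as given.

```python
"""Address class, default mask and subnet division. Added example."""
import ipaddress

# Default masks for the three unicast classes, from the text above.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(addr):
    """Classify an IPv4 address by its leading bits, as in Figure 1-1."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def default_mask(addr):
    """Default (classful) mask, or None for classes D and E, which have no host part."""
    return DEFAULT_MASKS.get(address_class(addr))


def special_address_kind(addr):
    """Name the reserved meaning listed in Table 1-1, or 'host' for an ordinary address."""
    a = ipaddress.IPv4Address(addr)
    first_octet = int(a) >> 24
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return "unconfigured host"
    if a == ipaddress.IPv4Address("255.255.255.255"):
        return "LAN broadcast"
    if first_octet == 127:
        return "loopback"
    if first_octet == 0:
        return "current network"
    cls = address_class(addr)
    if cls == "D":
        return "multicast"
    if cls == "E":
        return "reserved"
    # Classes A, B, C: compare against the classful network and broadcast addresses.
    net = ipaddress.IPv4Network(f"{addr}/{DEFAULT_MASKS[cls]}", strict=False)
    if a == net.network_address:
        return "network address"
    if a == net.broadcast_address:
        return "directed broadcast"
    return "host"


def subnets(network_addr, standard_mask, subnet_mask):
    """Split a network into the subnets a longer mask produces (Figure 1-2)."""
    base = ipaddress.IPv4Network(f"{network_addr}/{standard_mask}")
    new_prefix = ipaddress.IPv4Network(f"0.0.0.0/{subnet_mask}").prefixlen
    return [str(n) for n in base.subnets(new_prefix=new_prefix)]


def hosts_per_subnet(subnet_mask):
    """Usable host addresses under a mask (network and broadcast addresses excluded)."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{subnet_mask}").prefixlen
    return 2 ** (32 - prefix) - 2


if __name__ == "__main__":
    for addr in ("10.110.50.101", "10.0.0.0", "192.168.1.255", "127.0.0.1", "224.0.0.1"):
        print(addr, address_class(addr), default_mask(addr), special_address_kind(addr))
    for net in subnets("202.38.0.0", "255.255.0.0", "255.255.224.0"):
        print(net)
    print("hosts per subnet:", hosts_per_subnet("255.255.224.0"))
```

The `special_address_kind` checks are the ones worth running before accepting an address typed into `ip address` or `arp static`: a network or broadcast address silently configured as a host address is a common source of the "cannot ping" fault described in section 1.5.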

1.2 Configure IP Address

The IP address configuration includes:

Configure Hostname and Host IP Address

Configure IP Address of the VLAN Interface

1.2.1 Configure Hostname and Host IP Address

Perform the following configuration in System view.

Table 1-2 Configure the host name and the corresponding IP address

Configure the hostname and the corresponding IP address
    ip host hostname ip-address
Delete the hostname and the corresponding IP address
    undo ip host hostname [ ip-address ]


By default, there is no host name associated to any host IP address.

1.2.2 Configure IP Address of the VLAN Interface

You can configure an IP address for every VLAN interface of the Ethernet Switch. Generally, one IP address per interface is enough. You can configure at most 10 IP addresses on one interface so that it can connect to several subnets; one of them is the primary IP address and the others are secondary.

Perform the following configuration in VLAN interface view.

Table 1-3 Configure IP address for a VLAN interface

Configure IP address for a VLAN interface
    ip address ip-address net-mask [ sub ]
Delete the IP address of a VLAN interface
    undo ip address [ ip-address net-mask [ sub ] ]

By default, the IP address of a VLAN interface is null.

1.3 Display and debug IP Address

After the above configuration, execute display command in any view to display the IP addresses configured on interfaces of the network device, and to verify the effect of the configuration.

Table 1-4 Display and debug IP address

Display all hosts on the network and the corresponding IP addresses
    display ip host
Display the configuration of each interface
    display ip interface vlan-interface vlan-id

1.4 IP Address Configuration Example

I. Networking requirements

Configure the IP address as 129.2.2.1 and sub-net mask as 255.255.255.0 for the VLAN interface 1 of the Ethernet Switch.


II. Networking diagram

PC ---- console cable ---- Switch

Figure 1-3 IP address configuration networking

III. Configuration procedure

# Enter VLAN interface 1.

[Quidway] interface vlan 1

# Configure the IP address for VLAN interface 1.

[Quidway-vlan-interface1] ip address 129.2.2.1 255.255.255.0

1.5 Troubleshoot IP Address Configuration

Fault 1: The Ethernet Switch cannot ping a certain host in the LAN.

Troubleshooting can be performed as follows:

Check the configuration of the Ethernet Switch. Use the display arp command to view the ARP table that the Switch maintains.

First check which VLAN contains the switch port connected to the host, and whether that VLAN has a VLAN interface configured. Then check whether the IP address of the VLAN interface and the host are on the same network segment.

If the configuration is correct, enable ARP debugging on the switch and check whether the switch correctly sends and receives ARP packets. If it can send but cannot receive ARP packets, the fault is probably at the Ethernet physical layer.


Chapter 2 ARP Configuration

2.1 Introduction to ARP

I. Necessity of ARP

An IP address cannot be used directly for communication between network devices, because network devices identify each other only by MAC address. An IP address is merely the address of a host at the network layer. To deliver data packets carried by the network layer to the destination host, the physical address of that host is required, so the IP address must be resolved into a physical address.

II. ARP implementation procedure

When two hosts on an Ethernet communicate, they must know each other's MAC addresses. Every host maintains an IP-to-MAC address translation table, known as the ARP mapping table, which stores the mappings between the IP addresses and MAC addresses of the hosts it has recently communicated with. When a dynamic ARP mapping entry has not been used for a specified period, the host removes it from the table to save memory and to shorten the time needed to search the table.

Suppose two hosts, Host A and Host B, are on the same network segment, with IP addresses IP_A and IP_B, and Host A wants to send packets to Host B. Host A first checks its own ARP mapping table for an entry for IP_B. If the corresponding MAC address is found, Host A uses it to encapsulate the IP packet in a frame and sends the frame to Host B. If it is not found, Host A places the IP packet in a queue waiting for transmission and broadcasts an ARP request throughout the Ethernet. The ARP request packet contains the IP address of Host B together with the IP address and MAC address of Host A. Because the request is broadcast, every host on the segment receives it, but only the requested host (Host B) needs to process it. Host B first stores the IP address and MAC address of the sender (Host A), taken from the request, in its own ARP mapping table. Host B then generates an ARP reply packet carrying its own MAC address and sends it to Host A; the reply is sent directly to Host A rather than broadcast. On receiving the reply, Host A extracts the IP address and the corresponding MAC address of Host B, adds them to its own ARP mapping table, and then sends Host B all the packets waiting in the queue.

Normally, dynamic ARP performs this resolution from IP address to Ethernet MAC address automatically, without administrator intervention.
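The exchange above, including the queue of waiting packets and the aging of dynamic entries, is small enough to simulate end to end. The Python below is an added example, not code from the manual or from any host's network stack: three hosts share one segment, Host A resolves Host B, the bystander Host C ignores the broadcast, and a later lookup shows the entry aging out after the 20-minute default. Class names, the packet dictionaries and the constructed addresses are my own.

```python
"""Two-host ARP resolution with a dynamic mapping table and aging. Added example."""
from collections import deque

ARP_AGING_SECONDS = 20 * 60  # default lifetime of a dynamic entry quoted by the manual


class Segment:
    """One Ethernet segment: delivers ARP packets between attached hosts."""

    def __init__(self):
        self.hosts = []
        self.broadcasts = 0

    def attach(self, host):
        self.hosts.append(host)
        host.link = self

    def broadcast(self, sender, pkt, now):
        self.broadcasts += 1
        for h in self.hosts:
            if h is not sender:
                h.receive_arp(pkt, now)

    def unicast(self, dst_mac, pkt, now):
        for h in self.hosts:
            if h.mac == dst_mac:
                h.receive_arp(pkt, now)


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.link = None
        self.arp_table = {}      # ip -> (mac, time learned)
        self.pending = deque()   # IP packets waiting for a MAC address
        self.sent_frames = []    # (destination mac, payload) handed to the wire

    def lookup(self, ip, now):
        """Return the cached MAC, removing the entry first if it has aged out."""
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if now - learned >= ARP_AGING_SECONDS:
            del self.arp_table[ip]
            return None
        return mac

    def send_ip(self, dst_ip, payload, now):
        mac = self.lookup(dst_ip, now)
        if mac is not None:
            self.sent_frames.append((mac, payload))   # hit: encapsulate and send
            return
        # Miss: queue the packet and broadcast a request for dst_ip.
        self.pending.append((dst_ip, payload))
        request = {"op": "request", "sender_ip": self.ip, "sender_mac": self.mac,
                   "target_ip": dst_ip}
        self.link.broadcast(self, request, now)

    def receive_arp(self, pkt, now):
        if pkt["op"] == "request":
            if pkt["target_ip"] != self.ip:
                return        # only the requested host processes the request
            # Learn the requester, then answer it directly (unicast, not broadcast).
            self.arp_table[pkt["sender_ip"]] = (pkt["sender_mac"], now)
            reply = {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac,
                     "target_ip": pkt["sender_ip"]}
            self.link.unicast(pkt["sender_mac"], reply, now)
        else:
            # Reply: record the mapping and flush the packets queued for that IP.
            self.arp_table[pkt["sender_ip"]] = (pkt["sender_mac"], now)
            remaining = deque()
            while self.pending:
                dst_ip, payload = self.pending.popleft()
                if dst_ip == pkt["sender_ip"]:
                    self.sent_frames.append((pkt["sender_mac"], payload))
                else:
                    remaining.append((dst_ip, payload))
            self.pending = remaining


def run_example():
    """Host A sends two packets to Host B on a segment that also carries Host C.
    Addresses are constructed for the example."""
    seg = Segment()
    a = Host("10.0.0.1", "00:00:5e:00:53:0a")
    b = Host("10.0.0.2", "00:00:5e:00:53:0b")
    c = Host("10.0.0.3", "00:00:5e:00:53:0c")
    for h in (a, b, c):
        seg.attach(h)
    a.send_ip(b.ip, "first packet", now=0)     # miss: request, reply, then send
    a.send_ip(b.ip, "second packet", now=100)  # hit: served from the table
    return a, b, c, seg


if __name__ == "__main__":
    a, b, c, seg = run_example()
    print("broadcasts on the wire:", seg.broadcasts)
    print("A's table:", a.arp_table, "B's table:", b.arp_table, "C's table:", c.arp_table)
    print("A's entry for B after 20 min:", a.lookup(b.ip, now=ARP_AGING_SECONDS))
```

Only one broadcast appears on the wire for two packets, and Host C learns nothing from a request that was not addressed to it. The aging check in `lookup` is what the `arp timer aging` command in section 2.2.3 tunes on the switch.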

2.2 Configure ARP

The ARP mapping table can be maintained dynamically or manually. Usually, the manually configured mapping from the IP addresses to the MAC addresses is known as static ARP. The user can display, add or delete the entries in the ARP mapping table through relevant manual maintenance commands.

The static ARP configuration includes:

Manually add/delete static ARP mapping entries

Configure ARP timed probing function (supported on S3526/S3526 FM/S3526 FS)

Configure the dynamic ARP aging timer

Configure ARP source address suppression

2.2.1 Manually Add/Delete Static ARP Mapping Entries

Perform the following configuration in System view.

Table 2-1 Manually add/delete static ARP mapping entries

Manually add a static ARP mapping entry
    arp static ip-address mac-address [ vlan-id { interface_type interface_num | interface_name } ]
Manually delete a static ARP mapping entry
    undo arp ip-address

A static ARP mapping entry remains valid as long as the Ethernet switch works normally. However, if the VLAN to which the entry corresponds is deleted, the ARP mapping entry is deleted as well. A dynamic ARP mapping entry remains valid for only 20 minutes by default.

The parameter vlan-id must be the ID of a VLAN that has been created by the user, and the Ethernet port specified behind this parameter must belong to the VLAN.

By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.

2.2.2 Configure ARP Timed Probing Function

After an Ethernet switch is configured with the IP addresses that require ARP timed probing, it sends ARP Request packets for these IP addresses without being asked to, in order to keep the IP-to-MAC address mappings up to date. This ensures that communication between the devices continues normally.

Perform the following configuration in VLAN interface view.

Table 2-2 Configure ARP timed probing function

Configure IP addresses requiring ARP timed probing
    arp probe ip ip-address
Remove the IP addresses requiring ARP timed probing
    undo arp probe ip [ ip-address ]
Configure a probing interval
    arp timer probe time
Restore the default ARP probing interval
    undo arp timer probe

By default, no IP addresses requiring ARP timed probing, and the probing interval is set to five seconds.

In S3500 Series Ethernet Switches, only S3526/S3526 FM/S3526 FS supports this configuration.

2.2.3 Configure the Dynamic ARP Aging Timer

To allow flexible configuration, the system provides the following commands for setting the aging period of dynamic ARP entries. When the system learns a dynamic ARP entry, the entry's aging period is taken from the value configured at that time.

Perform the following configuration in system view.

Table 2-3 Configure the dynamic ARP aging timer

Configure the dynamic ARP aging timer: arp timer aging aging-time

Restore the default dynamic ARP aging time: undo arp timer aging

By default, the aging time of dynamic ARP aging timer is 20 minutes.
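The entry rules of sections 2.2.1 and 2.2.3 (static entries never age, a dynamic entry ages after the timer value in force when it was learned, deleting a VLAN deletes its entries) and the display arp selectors of section 2.3, modelled as an added Python example. This is not code from the manual or from the switch; ArpTable and its method names are assumptions, and the sample addresses are constructed. Only the 20-minute default and the rules above come from the text.

```python
# Added example, not from the manual: a model of the ARP mapping table as
# sections 2.2.1 and 2.2.3 describe it. Class and method names are
# illustrative assumptions.
from dataclasses import dataclass
from typing import Optional

DEFAULT_AGING_SECONDS = 20 * 60  # manual default: dynamic entries live 20 minutes


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan_id: int
    static: bool
    expires_at: Optional[float]  # None for static entries (they never age)


class ArpTable:
    def __init__(self, aging_seconds: int = DEFAULT_AGING_SECONDS):
        self.aging_seconds = aging_seconds
        self.vlans: set[int] = set()
        self.entries: dict[str, ArpEntry] = {}

    # --- VLAN lifecycle ---
    def create_vlan(self, vlan_id: int) -> None:
        self.vlans.add(vlan_id)

    def delete_vlan(self, vlan_id: int) -> list[str]:
        """Deleting a VLAN also deletes every ARP entry on it, static ones included."""
        self.vlans.discard(vlan_id)
        removed = [ip for ip, e in self.entries.items() if e.vlan_id == vlan_id]
        for ip in removed:
            del self.entries[ip]
        return removed

    # --- 'arp static' / 'undo arp' (system view) ---
    def arp_static(self, ip: str, mac: str, vlan_id: int) -> None:
        # The VLAN named with 'arp static' must already have been created.
        if vlan_id not in self.vlans:
            raise ValueError(f"VLAN {vlan_id} has not been created")
        self.entries[ip] = ArpEntry(ip, mac, vlan_id, static=True, expires_at=None)

    def undo_arp(self, ip: str) -> bool:
        return self.entries.pop(ip, None) is not None

    # --- dynamic learning and 'arp timer aging' ---
    def arp_timer_aging(self, minutes: int) -> None:
        self.aging_seconds = minutes * 60

    def learn(self, ip: str, mac: str, vlan_id: int, now: float) -> None:
        """Record a dynamically learned mapping. A static entry is never
        overwritten by dynamic learning (assumption for this model)."""
        current = self.entries.get(ip)
        if current is not None and current.static:
            return
        # The aging period is fixed from the timer value in force at learn time.
        self.entries[ip] = ArpEntry(ip, mac, vlan_id, static=False,
                                    expires_at=now + self.aging_seconds)

    def age_out(self, now: float) -> list[str]:
        """Remove dynamic entries whose aging period has elapsed; return their IPs."""
        expired = [ip for ip, e in self.entries.items()
                   if not e.static and e.expires_at is not None and now >= e.expires_at]
        for ip in expired:
            del self.entries[ip]
        return expired

    # --- 'display arp [ static | dynamic | ip-address ]' ---
    def display(self, selector: Optional[str] = None) -> list[ArpEntry]:
        if selector is None:
            return list(self.entries.values())
        if selector == "static":
            return [e for e in self.entries.values() if e.static]
        if selector == "dynamic":
            return [e for e in self.entries.values() if not e.static]
        return [e for e in self.entries.values() if e.ip == selector]


if __name__ == "__main__":
    t = ArpTable()
    t.create_vlan(2)
    t.arp_static("10.1.1.1", "00e0-fc00-0001", 2)      # constructed sample values
    t.learn("10.1.1.2", "00e0-fc00-0002", 2, now=0.0)
    print(t.age_out(now=1199.0), t.age_out(now=1200.0))  # [] then ['10.1.1.2']
```

The point of storing expires_at on the entry rather than comparing against the table's current timer is the sentence in 2.2.3: changing arp timer aging later only affects entries learned after the change.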

2.2.4 Configure ARP Source Address Suppression

ARP source address suppression allows the Ethernet switch to suppress malicious ARP requests from a host. If a host with a given source IP address sends a large number of different ARP requests within a 5-second interval, the system discards the ARP requests that exceed the configured limit. After the interval, the switch resumes processing ARP requests from that source IP address.

Perform the following configuration in the system view.


Table 2-4 Configure ARP Source Address Suppression

Enable ARP source address suppression: arp source-suppression enable

Disable ARP source address suppression: undo arp source-suppression enable

Configure the number of source IP addresses to be suppressed: arp source-suppression cache cache-value

Restore the number of source IP addresses to default: undo arp source-suppression cache

Configure the maximum number of ARP requests within 5-second interval: arp source-suppression limit limit-value

Restore the maximum number of ARP requests within 5 seconds to default: undo arp source-suppression limit

By default, ARP source address suppression is disabled. The default number of source IP addresses to be suppressed is 16, and the default maximum number of ARP requests within the 5-second interval is 10.

2.3 Display and debug ARP

After completing the above configuration, execute the display commands in any view to show the running ARP configuration and verify its effect. Execute the debugging commands in user view to debug ARP, and the reset command in user view to clear the ARP mapping table.

Table 2-5 Display and debug ARP

Display ARP mapping table: display arp [ static | dynamic | ip-address ]

Display the ARP timed probing information: display arp probe [ interface vlan-interface vlan-id ]

Display the current setting of the dynamic ARP map aging timer: display arp timer aging

Display ARP source suppression information: display arp source-suppression

Reset ARP mapping table: reset arp [ dynamic | static | interface { interface_type interface_num | interface_name } ]

Enable ARP information debugging: debugging arp packet

Disable ARP information debugging: undo debugging arp packet

Note that the display arp probe [ interface vlan-interface vlan-id ] command is supported by S3526/S3526 FM/S3526 FS switches.


Chapter 3 DHCP Relay Configuration

Note:

This chapter only applies to S3500 series switches except S3552G, S3552P, S3528G, S3528P and S3552F.

3.1 Brief Introduction to DHCP Relay

As networks grow and become more complex, network configuration becomes more complex too. The Dynamic Host Configuration Protocol (DHCP) was introduced to let users join and leave the network quickly and to make better use of IP addresses where computers are often moved (for example, portable computers or wireless networks) or where the number of hosts exceeds the number of IP addresses that can be allocated. DHCP works in Client/Server mode: the DHCP client dynamically requests configuration information, and the DHCP server conveniently provides that information to the client.

Originally, DHCP was only suitable when the DHCP client and DHCP server were on the same subnet and could not work across network segments. Dynamically configuring hosts with this early DHCP would have required a DHCP server on each subnet, which is obviously uneconomical. DHCP relay solves this problem. The DHCP relay acts as a relay between a DHCP client and a DHCP server located on different subnets, so that DHCP packets can be relayed across network segments to the destination DHCP server (or client). DHCP clients on different networks can therefore use the same DHCP server, which is economical and convenient for centralized management.


Figure 3-1 DHCP Relay typical application (figure: several DHCP clients on an Ethernet segment, a switch acting as DHCP Relay, and a DHCP Server reached across the Internet)

DHCP Relay works on the following principle:

During startup and DHCP initialization, the DHCP client broadcasts configuration request messages on the local network.

If there is a DHCP server on the local network, DHCP configuration can take place directly and no DHCP relay is needed.

Otherwise, when a device with DHCP relay enabled that is connected to the local network receives the messages, it performs the necessary processing and forwards them to the designated DHCP server on another network.

The DHCP server configures the client according to the information received from it and sends the result back to the DHCP client through the DHCP relay.

In practice, several rounds of interaction may be required to dynamically configure a DHCP client.

3.2 Configure DHCP Relay

DHCP relay configuration includes:

Configure IP Address of a DHCP Server

Configure Corresponding DHCP Server Group of the VLAN Interface

Configure the Address Table Entry

Enable/Disable DHCP security features

Enable/Disable DHCP pseudo-server detection

3.2.1 Configure IP Address of a DHCP Server

Perform the following configuration in System view.


Table 3-1 Configure/Delete the IP address of the DHCP Server

Configure the IP address of the DHCP Server: dhcp-server groupNo ip ipaddress1 [ ipaddress2 ]

Remove all the IP addresses of the DHCP Server (namely, set the IP addresses of the primary and secondary DHCP Servers to 0): undo dhcp-server groupNo

Note that the backup DHCP server IP address cannot be configured on its own; it must be configured together with the master DHCP server IP address.

By default, no DHCP server IP address is configured. A DHCP server address must therefore be configured before DHCP relay can be used.

3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface

Perform the following configuration in VLAN interface view.

Table 3-2 Configure/Delete the corresponding DHCP Server group of VLAN interface

Configure Corresponding DHCP Server Group of the VLAN Interface: dhcp-server groupNo

Delete the corresponding DHCP Server group of the VLAN interface: undo dhcp-server

When associating a VLAN interface with a new DHCP server group, you can configure the new association without first disassociating the interface from the previous group.

By default, no VLAN interface corresponds to any DHCP Server group.

3.2.3 Configure the Address Table Entry

For a valid user with a fixed IP address in a VLAN configured with DHCP relay to pass the address validity check of the DHCP security feature, you must add a static address entry that records the correspondence between that IP address and the user's MAC address.

If another, illegal user configures a static IP address that conflicts with the fixed IP address of a valid user, a switch with DHCP relay enabled can identify the valid user and reject the illegal user's request to bind the IP address to its MAC address.

Perform the following configuration in System view.


Table 3-3 Configure/Delete the address table entry

Add an entry to the address table: dhcp-security static ip_address mac_address

Delete an entry from the address table: undo dhcp-security ip_address

3.2.4 Enable/Disable DHCP security features

Enabling the DHCP security features starts the address check on the VLAN interface; disabling them cancels the address check.

Perform the following configuration in VLAN interface view.

Table 3-4 Enable/Disable DHCP security features on VLAN interface

Enable DHCP security features: address-check enable

Disable DHCP security features on VLAN interface: address-check disable

By default, the DHCP security features are disabled on the switch.

3.2.5 Enable/Disable DHCP pseudo-server detection

Suppose a DHCP server is placed on a network without permission. When a user requests an IP address, this server interacts with the DHCP client and leads the user to obtain a wrong IP address, so that the user cannot access the network. Such a DHCP server is called a DHCP pseudo-server.

After DHCP pseudo-server detection is enabled, the switch records information about the DHCP servers it sees, such as their IP addresses, so that the administrator can discover DHCP pseudo-servers.

Perform the following configuration in system view.

Table 3-5 Enable/Disable DHCP pseudo-server detection

Enable DHCP pseudo-server detection: dhcp-server detect

Disable DHCP pseudo-server detection: undo dhcp-server detect

By default, DHCP pseudo-server detection is disabled.


3.3 Display and debug DHCP Relay

After completing the above configuration, execute the display commands in any view to show the running DHCP relay configuration and verify its effect. Execute the debugging commands in user view to debug DHCP relay.

Table 3-6 Display and debug DHCP Relay

Display the information about the DHCP Server group: display dhcp-server groupNo

Display the information about the DHCP Server group corresponding to the VLAN interface: display dhcp-server interface vlan-interface vlan-id

Enable the DHCP relay debugging: debugging dhcp-relay

Disable the DHCP relay debugging: undo debugging dhcp-relay

Display the address information of all the legal clients of the DHCP Server group: display dhcp-security [ ip_address ]

3.4 DHCP Relay Configuration Example

I. Networking requirements

The DHCP clients are on network segment 10.110.0.0, which is connected to a port in VLAN 2 on the switch. The IP address of the DHCP server is 202.38.1.2. DHCP packets are to be forwarded through the switch with DHCP relay enabled, so that the DHCP clients can obtain IP addresses and other configuration information from the DHCP server.

II. Networking diagram

Figure 3-2 Networking diagram of configuring DHCP relay (figure: DHCP clients on Ethernet segment 10.110.0.0 attached to the switch acting as DHCP Relay, whose VLAN interface address is 10.110.1.1; across the Internet, segment 202.38.0.0 with address 202.38.1.1 and the DHCP Server 202.38.1.2)

III. Configuration procedure

# Configure the group number of DHCP Server as 1 and the IP address as 202.38.1.2.

[Quidway] dhcp-server 1 ip 202.38.1.2


# Associate the VLAN interface 2 with DHCP Server group 1.

[Quidway] interface vlan 2

[Quidway-Vlan-interface2] dhcp-server 1

# Configure the IP address of VLAN interface 2, which must be in the same segment as the DHCP clients.

[Quidway-Vlan-interface2] ip address 10.110.1.1 255.255.0.0

For IP addresses to be allocated to the DHCP clients successfully, the DHCP server itself must also be configured; that configuration varies with the type of device.
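The relay principle of section 3.1, the server groups, static address entries, address check and pseudo-server detection of sections 3.2.1 to 3.2.5, and the addresses of the configuration example above, brought together in an added Python model. This is not the switch's code or the manual's: DhcpRelay, DhcpMessage, the method names and the message fields are assumptions; setting giaddr to the relay's interface address is ordinary RFC 2131 relay-agent behaviour; the way the address check and server recording are implemented is a reading of the text, not the device's actual logic. MAC addresses are constructed.

```python
# Added example, not from the manual: a model of the DHCP relay behaviour of
# sections 3.1 to 3.4, using the configuration example's addresses
# (VLAN-interface 2 at 10.110.1.1, DHCP server group 1 = 202.38.1.2).
# Class names, method names and message fields are illustrative assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class DhcpMessage:
    kind: str                   # 'DISCOVER', 'OFFER', 'REQUEST', 'ACK', ...
    chaddr: str                 # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"     # address the server offers or assigns
    giaddr: str = "0.0.0.0"     # relay agent address; 0.0.0.0 when sent by the client
    server_ip: str = "0.0.0.0"  # address of the server that produced a reply


class DhcpRelay:
    def __init__(self):
        self.server_groups: dict[int, list[str]] = {}  # 'dhcp-server groupNo ip ...'
        self.vlan_ip: dict[int, str] = {}              # VLAN interface addresses
        self.vlan_group: dict[int, int] = {}           # 'dhcp-server groupNo' per VLAN interface
        self.address_check: set[int] = set()           # VLANs with 'address-check enable'
        self.static_ips: set[str] = set()              # IPs fixed by 'dhcp-security static'
        self.legal: dict[str, str] = {}                # ip -> mac: static entries plus relayed ACKs
        self.detect = False                            # 'dhcp-server detect'
        self.servers_seen: set[str] = set()

    # --- configuration commands of section 3.2 ---
    def dhcp_server(self, group_no: int, primary: str, secondary: Optional[str] = None) -> None:
        # The backup server can only be configured together with the primary one.
        self.server_groups[group_no] = [primary] + ([secondary] if secondary else [])

    def vlan_interface(self, vlan_id: int, ip: str, group_no: int) -> None:
        if group_no not in self.server_groups:
            raise ValueError(f"DHCP server group {group_no} is not configured")
        self.vlan_ip[vlan_id] = ip
        self.vlan_group[vlan_id] = group_no

    def dhcp_security_static(self, ip: str, mac: str) -> None:
        self.static_ips.add(ip)
        self.legal[ip] = mac

    def address_check_enable(self, vlan_id: int) -> None:
        self.address_check.add(vlan_id)

    def dhcp_server_detect(self, on: bool = True) -> None:
        self.detect = on

    # --- relaying ---
    def from_client(self, vlan_id: int, msg: DhcpMessage) -> list[tuple[str, DhcpMessage]]:
        """Forward a client broadcast to each server of the VLAN's group as
        (destination, message) pairs; empty when the VLAN has no group."""
        group = self.vlan_group.get(vlan_id)
        if group is None:
            return []
        relayed = DhcpMessage(msg.kind, msg.chaddr, msg.yiaddr, giaddr=self.vlan_ip[vlan_id])
        return [(server, relayed) for server in self.server_groups[group]]

    def from_server(self, msg: DhcpMessage) -> Optional[int]:
        """Return the VLAN a server reply is delivered to, or None if it is dropped."""
        if self.detect:
            # Recorded even for unknown servers: that is how a pseudo-server shows up.
            self.servers_seen.add(msg.server_ip)
        vlan = next((v for v, ip in self.vlan_ip.items() if ip == msg.giaddr), None)
        if vlan is None:
            return None  # giaddr is not one of our interface addresses
        if msg.kind == "ACK" and msg.yiaddr not in self.static_ips:
            self.legal[msg.yiaddr] = msg.chaddr  # the relay now knows this lease
        return vlan

    def check_client(self, vlan_id: int, ip: str, mac: str) -> bool:
        """Address validity check: with 'address-check enable' on the VLAN, an
        IP/MAC pair passes only if it matches a known legal binding."""
        if vlan_id not in self.address_check:
            return True
        return self.legal.get(ip) == mac
```

With the configuration of section 3.4 (group 1, VLAN interface 2), a client DISCOVER on VLAN 2 leaves the relay as a unicast to 202.38.1.2 with giaddr 10.110.1.1, and the server's reply is matched back to VLAN 2 by that giaddr. A static entry added with dhcp-security static is what lets a fixed-address host pass the check when address-check enable is on, and a host claiming that address with a different MAC fails it.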

3.5 Troubleshoot DHCP Relay Configuration

Fault 1: The user cannot obtain an IP address dynamically.

Troubleshooting: Perform the following procedures:

First, use the display dhcp-server groupNo command to check whether the IP address of the corresponding DHCP server has been configured.

Second, use the display vlan and display ip commands to check whether the VLAN and the corresponding interface IP address have been configured.

Then ping the configured DHCP server to make sure that the link is up.

From the DHCP server, ping the IP address of the VLAN interface of the switch to which the DHCP user is connected, to make sure that the DHCP server has a route to the user's network segment. If the ping fails, check whether the default gateway of the DHCP server has been set to the address of the VLAN interface on which the server is located.

If the last two steps show no problem, use the display dhcp-server groupNo command to see which packets have been received. If you only see Discover packets and no response packets, the DHCP server has not sent any message to the Ethernet switch; in this case, check whether the DHCP server has been configured properly. If the numbers of request and response packets are normal, enable debugging dhcp-relay in user view and then use the terminal debugging command to output the debugging information to the console. In this way you can view detailed information about all DHCP packets exchanged while the IP address is applied for, which makes it easy to locate the problem.


Chapter 4 DHCP Configuration

Note:

This chapter only applies to S3552G, S3552P, S3528G, S3528P and S3552F in S3500 series switches.

4.1 DHCP Overview

4.1.1 DHCP Fundamentals

Networks keep growing and their configurations keep getting more complex; computers (such as laptop computers and wireless devices) are often moved; and the available IP addresses are far from adequate for the ever-increasing number of computers. Against this background the dynamic host configuration protocol (DHCP) was introduced. DHCP operates in a Client/Server model: the DHCP client dynamically requests configuration information from the DHCP server, and the DHCP server returns the configuration information (an IP address, for example) according to its configured policy.

A typical DHCP application network usually comprises a DHCP server and multiple clients such as PCs and laptop computers (see the following figure):

Figure 4-1 Typical networking application of DHCP Server (figure: one DHCP Server and several DHCP Clients on the same LAN)

I. Allocating IP addresses using DHCP

1) IP address allocation policy


How long a client occupies an IP address depends on the type of client. A server tends to use a fixed IP address for a long time; some hosts may also need dynamically assigned IP addresses for a long period; and some individual users may only need a temporarily assigned IP address for a short time.

Commensurate with these demands, DHCP servers provide three types of IP address allocation policy:

Manual allocation, with which fixed IP addresses are assigned to a small amount of special hosts such as World Wide Web (WWW) servers.

Automatic allocation, with which fixed IP addresses are assigned to some hosts connected to the network for the first time and these hosts are allowed to use the addresses for a long period of time.

Dynamic allocation, with which some addresses are “leased” to clients. Upon the expiration of the leases, the clients need to request again. In fact, the addresses assigned to most clients are dynamic addresses.

2) IP address allocation order

The DHCP server selects an IP address for a client in the following order:

The IP address bound with the MAC address of the client in the address pool of the DHCP server.

The client's previous IP address, that is, the address requested in the Requested IP Addr Option carried in the DHCP_Discover message sent by the client.

A new address allocated from the DHCP server's pool of available addresses. This address is the one found first in the address pool.

If the DHCP server does not find an available address, it looks up expired leased IP addresses and then conflicting IP addresses to find a valid one to assign. If this attempt also fails, the server reports an error.

3) A DHCP server may have the following address pools:

Global address pool: it is significant within the scope of the whole switch and is created with the dhcp server ip-pool command in system view.

VLAN interface address pool: it is significant only on the VLAN interface where it is created, with the dhcp select interface command in VLAN interface view, after a valid unicast IP address has been assigned to the VLAN interface. Its address range is the network segment connected to the VLAN interface.

II. Interacting between DHCP client and server

To obtain a valid dynamic IP address, a DHCP client exchanges information with the server in several stages. The exchange differs in the following three situations:

1) The first login of DHCP client

In this case, the DHCP client undergoes four stages in order to set up a connection with a DHCP server.


Discover stage where the DHCP client looks for a DHCP server. In this stage, the client broadcasts a DHCP_Discover message on the network and only DHCP servers respond to it.

Offer stage where DHCP servers offer IP addresses. Upon the receipt of the DHCP_Discover message from the client, each DHCP server sends a DHCP_Offer message carrying an unassigned IP address selected from its IP address pool and other settings to the client.

Selecting stage, where the DHCP client picks one IP address out of all the offers. If several DHCP servers return DHCP_Offer messages, the client accepts only the first one to arrive. It then broadcasts to all DHCP servers a DHCP_Request message containing the IP address it will request from the selected DHCP server.

Acknowledgement stage where the selected DHCP server acknowledges the offered IP address. In response to the received DHCP_Request message, the DHCP server sends a DHCP_ACK message carrying the provided IP address and other settings to the client. Then the DHCP client binds its TCP/IP protocol components to its MAC address.

Except for the selected DHCP server, all other DHCP servers can allocate their offered IP addresses to other requesting clients.

2) The non-first login of DHCP client

If it is not the first time for the DHCP client to log into the network, it undergoes the following stages in order to set up a connection with a DHCP server.

When the DHCP client logs into the network again after the first successful login, it only needs to broadcast a DHCP_Request message containing the IP address assigned to it the last time instead of sending a DHCP_Discover message.

Upon the receipt of the DHCP_Request message, the DHCP server sends back a DHCP_ACK message allowing the client to use the requested address if it is still available.

If the IP address is not available because it has been assigned for example, the DHCP server returns a DHCP_NAK message. Upon the receipt of the message, the client sends a DHCP_Discover message requesting a new IP address.

3) IP address lease renewal

DHCP server takes back the dynamic IP address allocated to a DHCP client when the lease expires. If the DHCP client still wants to use this address, it must renew the IP address lease.

In practice, when half of the address lease period passes, the DHCP client by default automatically sends a DHCP_Request message to renew the lease. If the current IP address is still valid, the DHCP server sends back a DHCP_ACK message notifying the DHCP client that it has extended the IP address lease.
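The allocation order of part I and the three exchanges of part II (first login, later login, lease renewal) of section 4.1.1, carried through as an added Python model. This is not the manual's or the switch's code: DhcpServer, DhcpClient, the method names and the message kinds are assumptions, the pool addresses and MACs are constructed, and the "conflicting address" lookup the text names as a last resort is left out. The model goes slightly beyond the text in that the server's handling of a REQUEST covers both a new lease and a renewal with one rule.

```python
# Added example, not from the manual: a model of the allocation order and the
# client/server exchanges of section 4.1.1. DhcpServer, DhcpClient and the
# message kinds are illustrative assumptions; the conflicting-address lookup
# the text mentions as a last resort is left out.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lease:
    mac: str
    expires_at: float


class DhcpServer:
    def __init__(self, addresses: list[str], lease_seconds: float):
        self.free = list(addresses)           # ordered pool: the first free address wins
        self.static: dict[str, str] = {}      # mac -> ip bound in the address pool
        self.leases: dict[str, Lease] = {}    # ip -> current lease
        self.lease_seconds = lease_seconds

    def static_bind(self, ip: str, mac: str) -> None:
        self.static[mac] = ip
        if ip in self.free:
            self.free.remove(ip)

    def _usable(self, ip: str, mac: str, now: float) -> bool:
        """True if the client may take ip: bound to it, free, its own lease, or expired."""
        if self.static.get(mac) == ip or ip in self.free:
            return True
        lease = self.leases.get(ip)
        return lease is not None and (lease.mac == mac or now >= lease.expires_at)

    def select_address(self, mac: str, requested: Optional[str], now: float) -> Optional[str]:
        """Order of section 4.1.1: MAC binding, the client's previous/requested
        address, the first free pool address, then an expired lease."""
        if mac in self.static:
            return self.static[mac]
        if requested and self._usable(requested, mac, now):
            return requested
        if self.free:
            return self.free[0]
        for ip, lease in self.leases.items():
            if now >= lease.expires_at and ip not in self.static.values():
                return ip
        return None

    def handle(self, kind: str, mac: str, requested: Optional[str], now: float) -> tuple[str, Optional[str]]:
        """DISCOVER -> OFFER (or NONE); REQUEST -> ACK (new lease or renewal) or NAK."""
        if kind == "DISCOVER":
            ip = self.select_address(mac, requested, now)
            return ("OFFER", ip) if ip else ("NONE", None)
        if kind == "REQUEST" and requested and self._usable(requested, mac, now):
            if requested in self.free:
                self.free.remove(requested)
            self.leases[requested] = Lease(mac, now + self.lease_seconds)
            return ("ACK", requested)
        return ("NAK", None)


class DhcpClient:
    def __init__(self, mac: str):
        self.mac = mac
        self.ip: Optional[str] = None
        self.lease_len = 0.0
        self.lease_end = 0.0

    def _request(self, server: DhcpServer, ip: str, now: float) -> bool:
        kind, got = server.handle("REQUEST", self.mac, ip, now)
        if kind == "ACK":
            self.ip, self.lease_len = got, server.lease_seconds
            self.lease_end = now + server.lease_seconds
        return kind == "ACK"

    def login(self, server: DhcpServer, now: float) -> list[str]:
        """First login: Discover/Offer/Request/Ack. Later logins: Request for the
        previous address, falling back to Discover after a NAK. Returns the
        sequence of message kinds exchanged."""
        trace, previous = [], self.ip
        if previous is not None:
            trace.append("REQUEST")
            if self._request(server, previous, now):
                return trace + ["ACK"]
            trace.append("NAK")
            self.ip = None
        trace.append("DISCOVER")
        kind, offered = server.handle("DISCOVER", self.mac, previous, now)
        if kind != "OFFER":
            return trace + ["NONE"]
        trace += ["OFFER", "REQUEST"]
        trace.append("ACK" if self._request(server, offered, now) else "NAK")
        return trace

    def renewal_due(self, now: float) -> bool:
        """By default the client renews once half of the lease period has passed."""
        return self.ip is not None and now >= self.lease_end - self.lease_len / 2

    def renew(self, server: DhcpServer, now: float) -> bool:
        return self.ip is not None and self._request(server, self.ip, now)
```

Running the model with a two-address pool shows each rule in turn: the client with a MAC binding always gets its bound address, the second client gets the first free address, a third client gets nothing until a lease expires, and a returning client whose old address has since been taken receives a NAK and falls back to Discover.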


4.1.2 DHCP Relay

Originally, DHCP was only suitable when the DHCP client and DHCP server were on the same subnet and could not work across network segments. Dynamically configuring hosts with this early DHCP would have required a DHCP server on each subnet, which is obviously uneconomical. DHCP relay solves this problem. The DHCP relay acts as a relay between a DHCP client and a DHCP server located on different subnets, so that DHCP packets can be relayed across network segments to the destination DHCP server (or client). DHCP clients on different networks can therefore use the same DHCP server, which is economical and convenient for centralized management.

Figure 4-2 DHCP Relay typical application (figure: several DHCP clients on an Ethernet segment, a switch acting as DHCP Relay, and a DHCP Server reached across the Internet)

DHCP Relay works on the following principle:

During startup and DHCP initialization, the DHCP client broadcasts configuration request messages on the local network.

If there is a DHCP server on the local network, DHCP configuration can take place directly and no DHCP relay is needed.

Otherwise, when a device with DHCP relay enabled that is connected to the local network receives the messages, it performs the necessary processing and forwards them to the designated DHCP server on another network.

The DHCP server configures the client according to the information received from it and sends the result back to the DHCP client through the DHCP relay.

In practice, several rounds of interaction may be required to dynamically configure a DHCP client.

4.2 DHCP Public Configuration

DHCP public configurations refer to those configurations suitable for both DHCP server and DHCP Relay. The configuration includes:

Enable/Disable the DHCP service

Define DHCP message handling method

Enable/Disable Pseudo-DHCP server detection

4.2.1 Enable/Disable the DHCP Service

Before you can configure a DHCP server or DHCP relay, you must enable the DHCP service. Only after the service is enabled can other DHCP configurations take effect.

Perform the following configuration in the system view.

Table 4-1 Enable/Disable the DHCP service

Enable the DHCP service: dhcp enable

Disable the DHCP service: undo dhcp enable

By default, the DHCP service is enabled.

4.2.2 Define DHCP Message Handling Method

The switch handles the received DHCP messages destined to it based on the configured DHCP message handling method.

Perform the following configuration in VLAN interface view to define how to handle DHCP messages on the current VLAN interface.

Table 4-2 Define DHCP message handling method on the current VLAN interface

Send DHCP messages to the local DHCP server where addresses are to be allocated from a global address pool: dhcp select global

Send DHCP messages to the local DHCP server where addresses are to be allocated from the appropriate VLAN interface address pool: dhcp select interface

Relay DHCP messages to an external DHCP server for address allocation: dhcp select relay

Restore the DHCP message handling method to the default: undo dhcp select

Perform the following configuration in system view to define how to handle DHCP messages on multiple VLAN interfaces.


Table 4-3 Configure a DHCP message handling method on multiple VLAN interfaces

Send DHCP messages to the local DHCP server where addresses are to be allocated from a global address pool: dhcp select global { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Send DHCP messages to the local DHCP server where addresses are to be allocated from the appropriate VLAN interface address pool: dhcp select interface { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Relay DHCP messages to an external DHCP server for address allocation: dhcp select relay { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Restore the DHCP message handling method to the default: undo dhcp select { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

The DHCP handling method defaults to global, meaning that DHCP messages are sent to the local DHCP server and addresses are allocated from a global address pool.

4.2.3 Enable/Disable Pseudo-DHCP Server Detection

On a network, a pseudo-DHCP server is an unauthorized DHCP server. Such a server can answer a client requesting an IP address and allocate an incorrect IP address to it, thus preventing the client from accessing the network.

With pseudo-DHCP server detection enabled, the switch records DHCP server information such as IP addresses, which allows administrators to discover and deal with pseudo-DHCP servers.

Perform the following configuration in system view.

Table 4-4 Enable/Disable pseudo-DHCP server detection

Enable pseudo-DHCP server detection: dhcp server detect

Disable pseudo-DHCP server detection: undo dhcp server detect

By default, pseudo-DHCP server detection is disabled.

4.3 DHCP Server Configuration

DHCP server configuration includes:

Create DHCP global address pool

Configure address allocation method for a DHCP address pool

Configure IP addresses forbidden in automatic allocation

Configure IP address lease duration for a DHCP address pool

Configure domain name for DHCP clients

Specify DNS server addresses for DHCP clients

Specify NetBIOS server addresses for DHCP clients

Configure NetBIOS node type of DHCP clients

Configure a DHCP option

Configure IP addresses of egress gateways for DHCP clients

Configure the ping mechanism on DHCP server

Note:

For convenience, some DHCP configuration options can be configured for global DHCP address pools, for the DHCP address pool on the current VLAN interface, or for the DHCP address pools on multiple specified VLAN interfaces. These options include the IP address lease duration of a DHCP address pool, the domain name for DHCP clients, the DNS servers for DHCP clients, the NetBIOS servers for DHCP clients, the NetBIOS node type of DHCP clients, and DHCP user-defined options.

4.3.1 Create Global DHCP Address Pool

A DHCP server allocates IP addresses from its address pools. After receiving a DHCP request from a DHCP client, the DHCP server selects an appropriate address pool according to its configuration, picks out a free IP address, and sends it back along with the other related parameters (the address lease, for example). A DHCP server can have multiple address pools; at present up to 128 global address pools are supported.

Address pools on DHCP servers form a tree, with the natural segment address as root, subnet addresses as branches, and manually bound client addresses as leaf nodes. This tree structure allows configuration inheritance: subnets inherit the configuration of their natural segment, and clients inherit the configuration of their subnet. So when configuring public parameters, the domain name for example, you can configure them once on the natural segment or subnet. You can view the structure of the address pools with the display dhcp server tree command; address pools at the same level are displayed in the order in which they were configured.

When configuring a global DHCP address pool, you enter the address pool view directly if the pool already exists; if not, you must create the DHCP address pool first before you can enter the address pool view.

Perform the following configuration in system view.


Table 4-5 Create global DHCP address pool

Create a DHCP address pool and/or access the DHCP address pool view: dhcp server ip-pool pool-name

Delete a DHCP address pool: undo dhcp server ip-pool pool-name

By default, no DHCP global address pool is created.

Note that the VLAN interface address pool of a VLAN interface is created by the system after you assign a unicast address to the VLAN interface and, in VLAN interface view, specify with the dhcp select interface command that addresses are to be allocated from the VLAN interface address pool.
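The address-pool tree of section 4.3.1 (natural segment as root, subnets as branches, bound client addresses as leaves) and the configuration inheritance it allows, as an added Python model. This is not the switch's code or the manual's: PoolTree, DhcpPool, option() and tree() are assumptions, the classful rule used to find a pool's natural segment is an assumption about what "natural segment" means, and the pool names and addresses are constructed. The model generalises the text slightly by resolving a parent for any pool by longest containing prefix rather than only for the three levels the text names.

```python
# Added example, not from the manual: a model of the DHCP address-pool tree of
# section 4.3.1 and of configuration inheritance along it. The classful
# natural-segment rule and all class/method names are assumptions.
import ipaddress
from typing import Optional


class DhcpPool:
    def __init__(self, name: str):
        self.name = name
        self.net: Optional[ipaddress.IPv4Network] = None         # 'network ip mask'
        self.static_ip: Optional[ipaddress.IPv4Address] = None   # 'static-bind ip-address'
        self.options: dict[str, str] = {}                        # e.g. domain-name, dns-list

    def network(self, ip: str, mask: str) -> None:
        """'network ip-address mask': one dynamic range per pool; a new one replaces the old."""
        self.net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    def static_bind(self, ip: str) -> None:
        """'static-bind ip-address': the pool becomes a leaf for one client."""
        self.static_ip = ipaddress.ip_address(ip)


def natural_segment(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Classful network of an address (class A /8, class B /16, otherwise /24)."""
    first = int(addr) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class PoolTree:
    def __init__(self):
        self.pools: list[DhcpPool] = []   # kept in configuration order

    def ip_pool(self, name: str) -> DhcpPool:
        """'dhcp server ip-pool name': create the pool or enter an existing one."""
        for pool in self.pools:
            if pool.name == name:
                return pool
        pool = DhcpPool(name)
        self.pools.append(pool)
        return pool

    def _covers(self, pool: DhcpPool) -> Optional[ipaddress.IPv4Network]:
        if pool.net is not None:
            return pool.net
        if pool.static_ip is not None:
            return ipaddress.ip_network(f"{pool.static_ip}/32")
        return None

    def parent(self, pool: DhcpPool) -> Optional[DhcpPool]:
        """The most specific other pool whose network strictly contains this one."""
        mine = self._covers(pool)
        if mine is None:
            return None
        best = None
        for other in self.pools:
            net = other.net
            if other is pool or net is None or net == mine or not mine.subnet_of(net):
                continue
            if best is None or net.prefixlen > best.net.prefixlen:
                best = other
        return best

    def option(self, name: str, key: str) -> Optional[str]:
        """Look a parameter up on the pool, then on its ancestors (inheritance)."""
        pool: Optional[DhcpPool] = self.ip_pool(name)
        while pool is not None:
            if key in pool.options:
                return pool.options[key]
            pool = self.parent(pool)
        return None

    def tree(self) -> list[str]:
        """Rough counterpart of 'display dhcp server tree': pools indented by
        depth under their natural segment, siblings in configuration order."""
        lines: list[str] = []

        def walk(node: DhcpPool, depth: int) -> None:
            cover = self._covers(node)
            lines.append("  " * depth + f"pool {node.name}: {cover if cover is not None else '(no range)'}")
            for child in self.pools:
                if self.parent(child) is node:
                    walk(child, depth + 1)

        shown_roots = set()
        for pool in self.pools:
            if self.parent(pool) is not None:
                continue
            cover = self._covers(pool)
            if cover is None:
                walk(pool, 0)
                continue
            root = natural_segment(cover.network_address)
            if root not in shown_roots:
                shown_roots.add(root)
                lines.append(f"natural segment {root}")
            walk(pool, 1)
        return lines
```

Setting domain-name once on the class A pool and letting a /16 subnet pool and a bound-client pool below it inherit the value is exactly the "configure public parameters on the natural segment or subnet" case the section describes.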

4.3.2 Configure Address Allocation Method for a DHCP Address Pool

You can select static address binding or dynamic address allocation as needed. A global DHCP address pool can use only one of the two methods. The address pool on a VLAN interface, however, can use both, with the restriction that when dynamic allocation applies the pool's address range is the IP address segment connected to the VLAN interface.

Dynamic address allocation requires an address range to allocate from, whereas a static address binding can be regarded as a special DHCP address pool that contains only the binding.

I. Configure static address binding for a global DHCP address pool

Some DHCP clients may require fixed IP addresses, that is, IP addresses bound to their MAC addresses. When such a client requests an IP address, the DHCP server looks up the IP-MAC address bindings it maintains and allocates to the client the IP address bound to its MAC address. At present, each global DHCP address pool supports only one IP-MAC address binding.

Perform the following configuration in DHCP address pool view.

Table 4-6 Configure a static address binding for the global DHCP address pool

Specify an IP address for the static binding: static-bind ip-address ip-address [ mask netmask ]

Delete the IP address in the static binding: undo static-bind ip-address

Specify a client MAC address for the static binding: static-bind mac-address mac-address

Delete the client MAC address in the static binding: undo static-bind mac-address

By default, no static address binding is configured for any global DHCP address pool.


Note:

The static-bind ip-address command must be used along with the static-bind mac-address command. If you use the command repeatedly, the new configuration will overwrite the previous one.

II. Configure static address binding for a VLAN interface address pool

Perform the following configuration in VLAN interface view. Each VLAN interface address pool supports multiple IP-MAC address bindings.

Table 4-7 Configure static address binding for the VLAN interface address pool

Operation | Command
Configure a static address binding in the current VLAN interface address pool | dhcp server static-bind ip-address ip-address mac-address mac-address
Delete the static address binding in the current VLAN interface address pool | undo dhcp server static-bind { ip-address ip-address | mac-address mac-address }

By default, no static address binding is configured for any VLAN interface address pool.

III. Configure dynamic address allocation

To dynamically allocate addresses to clients (including permanent and temporary leases) using an address pool, you should assign an address range to the pool.

Perform the following configuration in DHCP address pool view.

Table 4-8 Configure an IP address range for dynamic allocation

Operation | Command
Configure an IP address range for dynamic allocation | network ip-address [ mask netmask ]
Delete the IP address range for dynamic allocation | undo network

By default, no IP address range is configured for dynamic allocation.

Each DHCP address pool can have only one network segment. If an address pool has already had a segment, the new one configured using the network command replaces the old one.

4.3.3 Configure IP Addresses Forbidden in Automatic Allocation

When configuring address allocation by the DHCP server, you should exclude the IP addresses already in use, such as those of the gateway and the FTP server, to avoid the address conflict that results from allocating one IP address to two hosts.


Perform the following configuration in system view.

Table 4-9 Configure IP addresses forbidden in automatic allocation

Operation | Command
Configure IP addresses forbidden in automatic allocation | dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Cancel the configuration of IP addresses forbidden in automatic allocation | undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]

By default, all addresses in a DHCP address pool participate in automatic allocation.

Using this command repeatedly, you can exclude multiple IP address ranges from automatic allocation.

4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool

A DHCP server can assign different lease duration to an address pool, but this duration applies to all the addresses in this address pool.

I. Configure lease duration for a global DHCP address pool

Perform the following configuration in DHCP address pool view.

Table 4-10 Configure IP address lease duration for the global DHCP address pool

Operation | Command
Configure IP address lease duration for the global DHCP address pool | expired { day day [ hour hour [ minute minute ] ] | unlimited }
Restore the IP address lease duration of the DHCP address pool to the default | undo expired

II. Configure lease duration for the DHCP address pool on a VLAN interface

Perform the following configuration in VLAN interface view.

Table 4-11 Configure IP address lease duration for the DHCP address pool on the current interface

Operation | Command
Configure IP address lease duration for the DHCP address pool on the current VLAN interface | dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
Restore the IP address lease duration for the DHCP address pool on the current interface to the default | undo dhcp server expired

III. Configure lease duration for multiple VLAN interface DHCP address pools

Perform the following configuration in system view.


Table 4-12 Configure IP address lease duration for multiple VLAN interface DHCP address pools

Operation | Command
Configure IP address lease duration for multiple VLAN interface DHCP address pools | dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Restore the IP address lease duration of DHCP address pools on multiple VLAN interfaces to the default | undo dhcp server expired { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, an IP address lease lasts one day, regardless of whether the address pool is global or on a VLAN interface.

4.3.5 Configure DHCP Client Domain Name

On a DHCP server, you can associate a client domain name with each address pool.

I. Configure client domain name in a global DHCP address pool

Perform the following configuration in DHCP address pool view.

Table 4-13 Configure client domain name in the global DHCP address pool

Operation | Command
Configure client domain name in the global DHCP address pool | domain-name domain-name
Delete the domain name configuration of the global DHCP address pool | undo domain-name

II. Configure client domain name in the DHCP address pool on the current VLAN interface

Perform the following configuration in VLAN interface view.

Table 4-14 Configure client domain name in the DHCP address pool on the current VLAN interface

Operation | Command
Configure domain name to be allocated to the clients using the DHCP address pool on the current VLAN interface | dhcp server domain-name domain-name
Delete the domain name configuration of the DHCP address pool on the current VLAN interface | undo dhcp server domain-name

III. Configure client domain name in multiple VLAN interface DHCP address pools

Perform the following configuration in system view.


Table 4-15 Configure client domain name in multiple VLAN interface DHCP address pools

Operation | Command
Configure domain name to be allocated to the clients using the DHCP address pools on multiple VLAN interfaces | dhcp server domain-name domain-name { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Delete the domain name configuration of the DHCP address pools on multiple VLAN interfaces | undo dhcp server domain-name domain-name { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no DHCP client domain name is configured in any global or VLAN interface address pool.

If you configure the domain name multiple times, the latest domain name replaces the previous one.

4.3.6 Configure DNS Server Addresses for DHCP Clients

A host that accesses the Internet by domain name relies on the domain name system (DNS) to resolve the domain name to an IP address. To ensure that the host can access the Internet, the DHCP server should also specify a DNS server address for the client when it allocates an IP address to it. At present, each DHCP address pool can have up to eight DNS server addresses.

I. Configure DNS server addresses in a global DHCP address pool

Perform the following configuration in DHCP address pool view.

Table 4-16 Assign DNS server addresses to the global DHCP address pool

Operation | Command
Assign DNS server addresses to the global DHCP address pool | dns-list ip-address [ ip-address ]
Remove one or all DNS server addresses from the global DHCP address pool | undo dns-list { ip-address | all }

II. Configure DNS server addresses in the DHCP address pool on the current VLAN interface

Perform the following configuration in VLAN interface view.

Table 4-17 Assign DNS server addresses to the DHCP address pool on the current VLAN interface

Operation | Command
Assign DNS server addresses to the DHCP address pool on the current VLAN interface | dhcp server dns-list ip-address [ ip-address ]
Remove one or all DNS server addresses from the DHCP address pool on the current VLAN interface | undo dhcp server dns-list { ip-address | all }


III. Configure DNS server addresses in multiple VLAN interface DHCP address pools

Perform the following configuration in system view.

Table 4-18 Configure DNS server addresses in DHCP address pools on multiple VLAN interfaces

Operation | Command
Assign DNS server addresses to DHCP address pools on multiple VLAN interfaces | dhcp server dns-list ip-address [ ip-address ] { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Remove one or all DNS server addresses from DHCP address pools on multiple VLAN interfaces | undo dhcp server dns-list { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no DNS server address is assigned to any global or VLAN interface address pool.

If you configure the DNS server list multiple times, the latest DNS server list replaces the previous one.

4.3.7 Configure NetBIOS Server Addresses for DHCP Clients

For a client running a Microsoft operating system, a Windows Internet Naming Service (WINS) server can resolve its hostname to an IP address if the client communicates through the NetBIOS protocol. Therefore, most clients installed with Windows require a WINS setting. At present, each DHCP address pool can contain up to eight NetBIOS server addresses.

I. Configure NetBIOS server addresses in a global DHCP address pool

Perform the following configuration in DHCP address pool view.

Table 4-19 Configure NetBIOS server addresses in the global DHCP address pool

Operation | Command
Configure NetBIOS server addresses in the global DHCP address pool | nbns-list ip-address [ ip-address ]
Remove one or all NetBIOS server addresses from the global DHCP address pool | undo nbns-list { ip-address | all }

II. Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface

Perform the following configuration in VLAN interface view.


Table 4-20 Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface

Operation | Command
Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface | dhcp server nbns-list ip-address [ ip-address ]
Remove one or all NetBIOS server addresses from the DHCP address pool on the current VLAN interface | undo dhcp server nbns-list { ip-address | all }

III. Configure NetBIOS server addresses in multiple VLAN interface DHCP address pools

Perform the following configuration in system view.

Table 4-21 Configure NetBIOS server addresses in multiple VLAN interface DHCP address pools

Operation | Command
Configure NetBIOS server addresses in DHCP address pools on multiple VLAN interfaces | dhcp server nbns-list ip-address [ ip-address ] { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Remove one or all NetBIOS server addresses from DHCP address pools on multiple VLAN interfaces | undo dhcp server nbns-list { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no NetBIOS server address is assigned to any global or VLAN interface address pool.

If you configure the NetBIOS server list multiple times, the latest NetBIOS server list replaces the previous one.

4.3.8 Define NetBIOS Node Type of DHCP Clients

When a DHCP client uses the NetBIOS protocol to communicate over Wide Area Network (WAN), its hostname must be mapped to an IP address. In terms of map establishment mode, NetBIOS nodes fall into the following four categories:

b-nodes, where “b” stands for broadcast. Such nodes get mapped through broadcast.

p-nodes, where “p” stands for peer-to-peer. Such nodes get mapped by communicating with the NetBIOS server.

m-nodes, where “m” stands for mixed. Such nodes are p-nodes with the broadcast feature.

h-nodes, where “h” stands for hybrid. Such nodes are b-nodes with the peer-to-peer communication mechanism.

I. Configure NetBIOS node type of clients in a global DHCP address pool

Perform the following configuration in DHCP address pool view.


Table 4-22 Configure NetBIOS node type of clients in the global DHCP address pool

Operation | Command
Configure NetBIOS node type of clients in the global DHCP address pool | netbios-type { b-node | h-node | m-node | p-node }
Delete the NetBIOS node type configuration of clients in the global DHCP address pool | undo netbios-type { b-node | h-node | m-node | p-node }

II. Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface

Perform the following configuration in VLAN interface view.

Table 4-23 Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface

Operation | Command
Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface | dhcp server netbios-type { b-node | h-node | m-node | p-node }
Delete the configuration of the NetBIOS node type of clients in the DHCP address pool on the current VLAN interface | undo dhcp server netbios-type { b-node | h-node | m-node | p-node }

III. Configure NetBIOS node type of clients in multiple VLAN interface DHCP address pools

Perform the following configuration in system view.

Table 4-24 Configure NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces

Operation | Command
Configure NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces | dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Delete the configuration of NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces | undo dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

For both global and VLAN interface address pools, NetBIOS node type of clients defaults to h-node.

4.3.9 Configure a DHCP Option

New configurable DHCP options may be defined as DHCP evolves. You can support such options by adding them manually to the attribute list maintained by the DHCP server.


I. Configure a DHCP option for a global DHCP address pool

Perform the following configuration in DHCP address pool view.

Table 4-25 Configure a DHCP option for the global DHCP address pool

Operation | Command
Configure a DHCP option for the global DHCP address pool | option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }
Delete a DHCP option of the global DHCP address pool | undo option code

II. Configure a DHCP option for the DHCP address pool on the current VLAN interface

Perform the following configuration in VLAN interface view.

Table 4-26 Configure a DHCP option for the DHCP address pool on the current VLAN interface

Operation | Command
Configure a DHCP option in the DHCP address pool on the current VLAN interface | dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }
Delete a DHCP option of the DHCP address pool on the current VLAN interface | undo dhcp server option code

III. Configure a DHCP option for DHCP address pools on multiple VLAN interfaces

Perform the following configuration in system view.

Table 4-27 Configure a DHCP option for DHCP address pools on multiple VLAN interfaces

Operation | Command
Configure a DHCP option for DHCP address pools on multiple VLAN interfaces | dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Delete a DHCP option of DHCP address pools on multiple VLAN interfaces | undo dhcp server option code { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

If you configure a DHCP option multiple times, the latest configuration replaces the previous one.

4.3.10 Configure IP Addresses of Egress Gateways for DHCP clients

When a DHCP client accesses a server or host beyond the local network segment, its data must be forwarded by its egress gateway. At present, each DHCP address pool can contain up to eight egress gateway addresses.


Perform the following configuration in DHCP address pool view.

Table 4-28 Configure a list of egress gateway addresses for DHCP clients

Operation | Command
Configure IP addresses of egress gateways for DHCP clients | gateway-list ip-address [ ip-address ]
Remove the IP address of one or all egress gateways for clients | undo gateway-list { ip-address | all }

By default, no egress gateway of DHCP clients is configured.

If the egress gateway list is configured multiple times, the latest list replaces the previous one.
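The pool attributes of 4.3.4 through 4.3.10 (lease, domain name, DNS and NetBIOS lists, node type, gateways and manually added options) reach the client as DHCP options in the server's OFFER/ACK. The following Python is an added example, not Quidway code: it encodes a pool's attributes with the RFC 2132 option codes and parses them back, enforcing the eight-address list limit and the one-byte option length; the dict keys mirror the manual's command keywords, and the sample pool is constructed from the 10.1.1.128/25 segment of the configuration example in 4.6.1.

```python
import ipaddress
import struct

# RFC 2132 option codes that the pool attributes on this page map to.
OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NBNS = 3, 6, 15, 44  # gateway-list, dns-list, domain-name, nbns-list
OPT_NB_NODE, OPT_LEASE, OPT_END = 46, 51, 255            # netbios-type, expired, end of options
NODE_TYPE = {"b-node": 1, "p-node": 2, "m-node": 4, "h-node": 8}  # option 46 values
MAX_LIST = 8           # the manual allows up to eight DNS, NetBIOS or gateway addresses per pool
INFINITE = 0xFFFFFFFF  # option 51 value for "unlimited"


def lease_seconds(day=0, hour=0, minute=0, unlimited=False):
    """expired { day day [ hour hour [ minute minute ] ] | unlimited } -> seconds for option 51."""
    if unlimited:
        return INFINITE
    return ((day * 24 + hour) * 60 + minute) * 60


def encode_option(code, value):
    """One TLV: code, length, value. The single length byte caps a value at 255 bytes."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1..254")
    if len(value) > 255:
        raise ValueError("option value exceeds 255 bytes")
    return bytes([code, len(value)]) + value


def encode_ip_list(code, addrs):
    """dns-list / nbns-list / gateway-list: one to eight IPv4 addresses, four bytes each."""
    if not 1 <= len(addrs) <= MAX_LIST:
        raise ValueError("an address list holds 1..8 addresses")
    return encode_option(code, b"".join(ipaddress.IPv4Address(a).packed for a in addrs))


def encode_custom_option(code, kind, value):
    """option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }"""
    if kind == "ascii":
        data = value.encode("ascii")
    elif kind == "hex":
        data = bytes.fromhex(value)
    elif kind == "ip-address":
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    else:
        raise ValueError("kind must be ascii, hex or ip-address")
    return encode_option(code, data)


def build_pool_options(pool):
    """Render one pool's attributes as the options field of a DHCP OFFER/ACK.

    Keys mirror the manual's keywords; absent keys take the manual's defaults
    (lease one day, netbios-type h-node, no address lists, no domain name).
    """
    lease = lease_seconds(**pool.get("expired", {"day": 1}))
    out = encode_option(OPT_LEASE, struct.pack("!I", lease))
    if "domain-name" in pool:
        out += encode_option(OPT_DOMAIN, pool["domain-name"].encode("ascii"))
    for key, code in (("gateway-list", OPT_ROUTER), ("dns-list", OPT_DNS), ("nbns-list", OPT_NBNS)):
        if pool.get(key):
            out += encode_ip_list(code, pool[key])
    out += encode_option(OPT_NB_NODE, bytes([NODE_TYPE[pool.get("netbios-type", "h-node")]]))
    for code, kind, value in pool.get("option", []):  # option code { ascii | hex | ip-address }
        out += encode_custom_option(code, kind, value)
    return out + bytes([OPT_END])


def parse_options(blob):
    """Walk the TLVs back into {code: value} as a client would; refuses truncated input."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:  # pad octet: no length byte follows
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# Constructed sample mirroring the 10.1.1.128/25 pool of the configuration example in 4.6.1.
SAMPLE_POOL = {"expired": {"day": 5}, "domain-name": "domain.com", "dns-list": ["10.1.1.2"],
               "nbns-list": ["10.1.1.4"], "gateway-list": ["10.1.1.254"]}
```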

4.3.11 Configure the Ping Mechanism on DHCP Server

To prevent IP address conflicts, the DHCP server checks whether an address is available before allocating it to a client. The server pings the address and waits for a response for the specified duration. If no response arrives before the timeout, the server pings again. If there is still no response after the allowed number of ping attempts, the server concludes that no device on the local segment is using the IP address, so the address it allocates is unique.

Perform the following configuration in system view.

Table 4-29 Configure the ping mechanism on DHCP server

Operation | Command
Configure the maximum number of ping packets that the DHCP server can send | dhcp server ping packets number
Restore the default maximum number of ping packets that the DHCP server can send | undo dhcp server ping packets
Configure the time limit for the DHCP server to receive a ping response | dhcp server ping timeout milliseconds
Restore the default time limit for the DHCP server to receive a ping response | undo dhcp server ping timeout

By default, the DHCP server can send up to two ping packets and wait 500 milliseconds for the response.

DHCP servers check for address conflicts by sending ping packets, whereas DHCP clients do so by sending ARP packets.
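The rules of 4.3.2 (one segment per pool, static bindings), 4.3.3 (excluded addresses) and the ping check of 4.3.11 combine into the server's allocation decision. The following Python models that decision as an added example, not Quidway code: the `Pool`, `allocate` and `FakeSegment` names, the pool-level forbidden list and the ping stand-in are assumptions of the example, and the sample uses the 10.1.1.0/25 segment of the configuration example in 4.6.1.

```python
import ipaddress


class Pool:
    """One DHCP address pool: a single network segment (4.3.2), static bindings,
    excluded addresses (4.3.3) and the leases handed out so far."""

    def __init__(self, network, interface_ip=None):
        self.network = ipaddress.IPv4Network(network, strict=False)  # network ip-address mask
        self.interface_ip = ipaddress.IPv4Address(interface_ip) if interface_ip else None
        self.static = {}        # mac -> ip      (static-bind)
        self.forbidden = []     # (low, high)    (dhcp server forbidden-ip low [ high ])
        self.leases = {}        # ip -> mac
        self.conflicts = set()  # addresses the ping check found in use (display dhcp server conflict)

    def static_bind(self, mac, ip):
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.network:
            raise ValueError(f"{ip} is outside pool segment {self.network}")
        self.static[mac.lower()] = ip

    def forbid(self, low, high=None):
        """Exclude one address or an inclusive range; call again for further ranges."""
        low = ipaddress.IPv4Address(low)
        high = ipaddress.IPv4Address(high) if high else low
        if high < low:
            raise ValueError("high address is below low address")
        self.forbidden.append((low, high))

    def is_forbidden(self, ip):
        ip = ipaddress.IPv4Address(ip)
        return any(low <= ip <= high for low, high in self.forbidden)

    def candidates(self):
        """Host addresses still free for dynamic allocation, in ascending order."""
        reserved = set(self.static.values()) | set(self.leases) | self.conflicts
        if self.interface_ip:
            reserved.add(self.interface_ip)
        for ip in self.network.hosts():  # excludes network and broadcast addresses
            if ip not in reserved and not self.is_forbidden(ip):
                yield ip


def probe_in_use(ip, responder, packets=2, timeout_ms=500):
    """The ping check of 4.3.11: up to `packets` probes, each waiting timeout_ms.

    `responder(ip, timeout_ms)` stands in for the ICMP echo exchange and returns
    True when a reply arrives; the defaults are the manual's (2 packets, 500 ms).
    """
    for _ in range(packets):
        if responder(ipaddress.IPv4Address(ip), timeout_ms):
            return True
    return False


def allocate(pool, mac, responder, packets=2, timeout_ms=500):
    """Pick an address for `mac`: its static binding first, else its existing lease,
    else the lowest free address nothing on the segment answers for. None when exhausted."""
    mac = mac.lower()
    if mac in pool.static:
        return pool.static[mac]
    for ip, owner in pool.leases.items():
        if owner == mac:  # a renewing client keeps its address
            return ip
    for ip in pool.candidates():
        if probe_in_use(ip, responder, packets, timeout_ms):
            pool.conflicts.add(ip)  # recorded, never handed out; cleared by reset dhcp server conflict
            continue
        pool.leases[ip] = mac
        return ip
    return None


class FakeSegment:
    """Constructed stand-in for the LAN: answers pings only for the listed live hosts."""

    def __init__(self, live_hosts):
        self.live = {ipaddress.IPv4Address(h) for h in live_hosts}
        self.probes = 0

    def __call__(self, ip, timeout_ms):
        self.probes += 1
        return ip in self.live


def build_sample_pool():
    """Constructed sample: the 10.1.1.0/25 segment of 4.6.1 with the interface address,
    the DNS server, the NetBIOS server and the egress gateway excluded, plus one static client."""
    pool = Pool("10.1.1.0/25", interface_ip="10.1.1.1")
    for addr in ("10.1.1.2", "10.1.1.4", "10.1.1.126"):
        pool.forbid(addr)
    pool.static_bind("00e0-fc01-0001", "10.1.1.100")
    return pool
```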


4.4 DHCP Relay Configuration

DHCP Relay configuration includes:

Configure the DHCP servers to which the received packets are relayed
Distribute load among DHCP servers
Release client IP addresses through DHCP Relay
Configure address map entry for security check
Enable/Disable the DHCP security feature on VLAN interface

4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed

To use the DHCP Relay function on a specified VLAN interface, you need to configure DHCP server addresses to which the DHCP packets received on the interface can be relayed. Each VLAN interface can provide the relay service for up to 20 DHCP servers.

I. Configure DHCP server address to which the current VLAN interface relays packets

Perform the following configuration in VLAN interface view.

Table 4-30 Configure DHCP server address to which the current VLAN interface relays packets

Operation | Command
Configure DHCP server address to which the current VLAN interface relays packets | ip relay address ip-address
Remove one or all the DHCP server addresses to which the current VLAN interface relays packets | undo ip relay address { ip-address | all }

II. Configure DHCP server address to which the specified multiple VLAN interfaces relay packets

Perform the following configuration in system view.

Table 4-31 Configure DHCP server address to which the specified multiple VLAN interfaces relay packets

Operation | Command
Configure DHCP server address to which the specified multiple VLAN interfaces relay packets | ip relay address ip-address { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
Remove one or all the DHCP server addresses to which the specified multiple VLAN interfaces relay packets | undo ip relay address { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }


4.4.2 Distribute Load among DHCP Servers

When multiple DHCP servers are configured for a DHCP Relay, the relay can distribute the requests from DHCP clients among them by polling, thus sharing the load.

Perform the following configuration in system view.

Table 4-32 Distribute the load among DHCP servers

Operation | Command
Distribute the load among DHCP servers | ip relay address cycle
Disable load sharing among DHCP servers | undo ip relay address cycle

By default, DHCP servers do not share the load and all the requests from DHCP clients are to be handled by the DHCP server configured first.

4.4.3 Release Client IP Address through DHCP Relay

Sometimes you may need to manually release the IP address allocated to a client through the DHCP Relay.

Perform the following configuration in VLAN interface view or system view.

Table 4-33 Release client IP address by the DHCP Relay

Operation | Command
Request the DHCP server to release a client IP address | dhcp relay release client-ip mac-address [ server-ip ]

If no DHCP server is specified, the release request is sent to all DHCP servers when the command is executed in system view, but only to the DHCP servers of the current VLAN interface when it is executed in VLAN interface view.

4.4.4 Configure Address Map Entry for Security Check

To let a valid user with a fixed IP address in a VLAN configured with DHCP Relay pass the address validity check of the DHCP security feature, you must add a static address entry that records the correspondence between an IP address and a MAC address.

If an illegal user configures a static IP address that conflicts with the fixed IP address of a valid user, the switch with the DHCP Relay function enabled can identify the valid user and reject the illegal user's request to bind the IP address to its MAC address.


Perform the following configuration in system view.

Table 4-34 Configure Address Map Entry for Security Check

Operation | Command
Add an address map entry for security check | dhcp relay security ip_address mac_address static
Delete an address map entry for security check | undo dhcp relay security ip_address

4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface

Enabling the DHCP security feature enables the address check on the VLAN interface; disabling it cancels the address check.

Perform the following configuration in VLAN interface view.

Table 4-35 Enable/Disable the DHCP security feature on the VLAN interface

Operation | Command
Enable the DHCP security feature on the VLAN interface | dhcp relay security address-check enable
Disable the DHCP security feature on the VLAN interface | dhcp relay security address-check disable

By default, the DHCP security feature is disabled on the switch.
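The address map of 4.4.4 and the per-interface check of 4.4.5 can be modelled as a small table that the relay consults for each (IP, MAC) pair it sees. The following Python is an added example, not Quidway code: the `RelayAddressMap` class and its method names are assumptions, the learning of dynamic entries from relayed DHCP acknowledgements is an assumption the manual does not spell out, and the sample addresses are constructed within the 10.110.0.0 segment of the relay example in 4.6.2.

```python
import re


def canonical_mac(mac):
    """Accept 00e0-fc01-0001 (Quidway style) or 00:e0:fc:01:00:01 and return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


class RelayAddressMap:
    """Secure address map kept by a DHCP Relay switch (4.4.4 / 4.4.5).

    Static entries come from `dhcp relay security ip mac static`. Dynamic entries
    are assumed (by this example, not stated by the manual) to be learned from the
    DHCP acknowledgements the relay forwards to its clients.
    """

    def __init__(self):
        self.entries = {}      # ip -> (mac, "static" | "dynamic")
        self.checking = set()  # VLAN interfaces with address-check enabled (none by default)

    def add_static(self, ip, mac):
        """dhcp relay security ip_address mac_address static"""
        mac = canonical_mac(mac)
        current = self.entries.get(ip)
        if current and current[1] == "static" and current[0] != mac:
            raise ValueError(f"{ip} is already statically bound to {current[0]}")
        self.entries[ip] = (mac, "static")  # a static entry takes precedence over a dynamic one

    def remove(self, ip):
        """undo dhcp relay security ip_address"""
        self.entries.pop(ip, None)

    def learn_dynamic(self, ip, mac):
        """Record an address the server just leased; never displaces a static entry."""
        mac = canonical_mac(mac)
        current = self.entries.get(ip)
        if current and current[1] == "static" and current[0] != mac:
            return False  # the illegal-user case of 4.4.4: the binding request is rejected
        self.entries[ip] = (mac, "dynamic")
        return True

    def enable(self, vlan):
        """dhcp relay security address-check enable (in the view of `vlan`)"""
        self.checking.add(vlan)

    def disable(self, vlan):
        """dhcp relay security address-check disable"""
        self.checking.discard(vlan)

    def check(self, vlan, ip, mac):
        """Verdict for a packet seen on `vlan` claiming (ip, mac): pass, reject or unchecked."""
        if vlan not in self.checking:
            return "unchecked"  # feature disabled on this interface, which is the default
        entry = self.entries.get(ip)
        if entry is None or entry[0] != canonical_mac(mac):
            return "reject"  # unknown address, or address claimed by a different MAC
        return "pass"

    def display(self, ip=None):
        """Rows of (ip, mac, type), in the spirit of display dhcprelay-security [ ip-address ]."""
        rows = [(a, m, t) for a, (m, t) in sorted(self.entries.items())]
        return [r for r in rows if ip is None or r[0] == ip]


def build_sample_map():
    """Constructed sample: VLAN interface 2 of the relay example in 4.6.2 with one fixed-address host."""
    amap = RelayAddressMap()
    amap.enable("vlan-interface2")
    amap.add_static("10.110.0.5", "00e0-fc01-0001")     # valid user with a fixed IP address
    amap.learn_dynamic("10.110.0.20", "00e0-fc02-0002")  # lease the relay saw the server grant
    return amap
```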

4.5 Display and Debug DHCP

After the above configuration, execute the display command in any view to display the running state of the DHCP configuration and verify its effect. Execute the reset command to clear DHCP-related information and the debugging command to debug DHCP.

Table 4-36 Display and debug DHCP

Operation | Command
View available addresses in DHCP address pools | display dhcp server free-ip
View information of DHCP address conflicts | display dhcp server conflict { all | ip ip-address }
View expired leases in DHCP address pools | display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }
View address bindings in DHCP address pools | display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }
View statistics about DHCP server | display dhcp server statistics
View tree structure of DHCP address pools | display dhcp server tree { pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }
View DHCP relay information | display dhcp relay statistics
View address configurations on VLAN interfaces for DHCP relay | display dhcp relay address [ interface vlan-interface vlan_id | all ]
View secure address map information in DHCP relay | display dhcprelay-security [ ip-address ]
Clear address bindings | reset dhcp server ip-in-use { all | interface [ vlan-interface vlan_id ] | ip ip-address | pool [ pool-name ] }
Clear statistics about address conflicts | reset dhcp server conflict { ip ip-address | all }
Clear statistics related to DHCP servers | reset dhcp server statistics
Clear statistics related to DHCP relay | reset dhcp relay statistics
Disable/Enable DHCP server debugging | [ undo ] debugging dhcp server { all | error | event | packet }
Disable/Enable DHCP relay debugging | [ undo ] debugging dhcp relay { error | event | packet [ client mac mac-address ] }

4.6 DHCP Configuration Example

4.6.1 DHCP Server Configuration Example

There are two types of networking for DHCP: one is that a DHCP server and its clients are on the same subnet and can directly interact; the other is that the DHCP server and its clients are on different subnets and thus must allocate/obtain IP addresses through a DHCP Relay. Despite such differences, DHCP is configured in the same way.

I. Networking requirement

DHCP Server dynamically allocates IP addresses to the DHCP clients on the same subnet. The address pool segment 10.1.1.0/24 is divided into two sub-segments: 10.1.1.0/25 and 10.1.1.128/25. The addresses of the two VLAN interfaces on DHCP Server are 10.1.1.1/25 and 10.1.1.129/25.

In the segment 10.1.1.0/25, addresses can be leased for up to 10 days and 12 hours, domain name is domain.com, DNS address is 10.1.1.2, no NetBIOS is configured, and the egress gateway address is 10.1.1.126. In the segment 10.1.1.128/25, addresses can be leased for up to 5 days, domain name is domain.com, DNS address is 10.1.1.2, NetBIOS address is 10.1.1.4, and egress gateway address is 10.1.1.254.


II. Networking diagram

(Figure: the DHCP Server connects through Switch A and Switch B to two LANs of clients; a DNS Server and a NetBIOS Server sit on the same subnet.)

Figure 4-3 DHCP Server and clients on the same subnet

III. Configuration procedure

# Enable the DHCP service.

[Quidway] dhcp enable

# Configure IP addresses forbidden in automatic address allocation (including addresses of DNS server, NetBIOS server and egress gateway)

[Quidway] dhcp server forbidden-ip 10.1.1.2

[Quidway] dhcp server forbidden-ip 10.1.1.4

[Quidway] dhcp server forbidden-ip 10.1.1.254

# Configure public attributes of DHCP address pool 0 (including address pool range, domain name, and DNS address)

[Quidway] dhcp server ip-pool 0

[Quidway-dhcp-0] network 10.1.1.0 mask 255.255.255.0

[Quidway-dhcp-0] domain-name domain.com

[Quidway-dhcp-0] dns-list 10.1.1.2

# Configure attributes for DHCP address pool 1 (address pool range, egress gateway address, and address lease)

[Quidway] dhcp server ip-pool 1

[Quidway-dhcp-1] network 10.1.1.0 mask 255.255.255.128

[Quidway-dhcp-1] gateway-list 10.1.1.126

[Quidway-dhcp-1] expired day 10 hour 12


# Configure attributes of DHCP address pool 2 (address pool range, egress gateway address, NetBIOS address, and address lease).

[Quidway] dhcp server ip-pool 2

[Quidway-dhcp-2] network 10.1.1.128 mask 255.255.255.128

[Quidway-dhcp-2] expired day 5

[Quidway-dhcp-2] nbns-list 10.1.1.4

[Quidway-dhcp-2] gateway-list 10.1.1.254

4.6.2 DHCP Relay Configuration Example

I. Networking requirement

The DHCP clients are on the network segment 10.110.0.0, which is connected to a port in VLAN 2 on the switch. The IP address of the DHCP Server is 202.38.1.2. DHCP packets are forwarded by the switch with DHCP Relay enabled, so that the DHCP clients can obtain IP addresses and other configuration information from the DHCP Server.

Configure an IP address pool on the DHCP Server and assign the network segment 10.110.0.0 to the pool for allocating IP addresses to the DHCP clients on this segment. In addition, configure a route for the DHCP Server to reach the segment 10.110.0.0.

II. Networking diagram

(Figure: DHCP clients on the Ethernet segment 10.110.0.0 connect to the Switch (DHCP Relay), whose client-side interface is 10.110.1.1; across the Internet, the DHCP Server 202.38.1.2 sits on the segment 202.38.0.0; the address 202.38.1.1 is also labelled on that segment.)

Figure 4-4 Networking application of DHCP relay

III. Configuration procedure

Configure DHCP Relay:

# Enable the DHCP service.

[Quidway] dhcp enable


# Enable DHCP Relay to relay DHCP messages to an external DHCP server for address allocation.

[Quidway] interface vlan 2

[Quidway-Vlan-interface2] dhcp select relay

# Assign to VLAN interface 2 an IP address in the same network segment where the DHCP clients reside.

[Quidway-Vlan-interface2] ip address 10.110.1.1 255.255.0.0

# Configure on VLAN interface 2 the DHCP server address to which DHCP messages are to be relayed.

[Quidway-Vlan-interface2] ip relay-address 202.38.1.2

To enable the DHCP clients to obtain IP addresses from the DHCP server, you still need to make more configurations on the DHCP server. These configurations vary by DHCP server device and are beyond the scope of this manual.

4.7 DHCP Troubleshooting

I. DHCP server

Fault: Dynamic IP address conflict presented at a client.

Troubleshooting:

Check whether a host is using the IP address by pinging the address several times at relatively long intervals;

If such a host exists, forbid the IP address in automatic allocation by using the dhcp server forbidden-ip command.

At the client, you can release the current dynamic IP address by executing the ipconfig/release_all command in DOS or [winipcfg/Release] in GUI, and then request a new one by executing the ipconfig/renew_all command or [winipcfg/Update].

II. DHCP relay

Fault: DHCP clients could not obtain configuration information.

Troubleshooting:

Check that:

An address pool with the network segment where DHCP clients reside is available on the DHCP server;

Routes are available on both the DHCP Relay-enabled network device (switch for example) and the DHCP server for them to reach each other.


The correct IP relay address is configured on the VLAN interface connected to the network segment where the DHCP clients reside, and no conflict arises from the presence of multiple IP relay addresses.


Chapter 5 Access Management Configuration

Note:

Among the S3500 series switches, the S3526, S3526 FM, S3526 FS, S3526E and S3526C support the features described in this chapter.

5.1 Access Management Overview

A typical Ethernet access networking scenario is one in which users access an external network through Ethernet switches. In this case, the external network is connected to the Ethernet switch, and the Ethernet switch connects to hubs, each of which aggregates several PCs. The following figure illustrates this networking scenario.

Figure 5-1 Typical Ethernet access networking scenario (external network; Ethernet switch with Port 1, Port 2 ... Port n; HUB_1, HUB_2 ... HUB_m; PCs PC1_1 ... PCn_x of Organization 1 ... Organization n)

When only a small number of users are connected to the switch, the ports allocated to different enterprises should belong to the same VLAN for cost reasons. At the same time, each enterprise is allocated a fixed IP address range, and only IP addresses in that range can access external networks through the port. Different enterprises should be isolated from each other for security. All these requirements can be met by the access management function of the Ethernet switch, specifically by binding a port with IP addresses and by L2 isolation between ports. See Figure 5-1 Typical Ethernet access networking scenario.

In the figure, organization 1 and organization 2 belong to the same VLAN and are connected to the external networks via an Ethernet switch. The IP addresses 202.10.20.1 ~ 202.10.20.20 are allocated to organization 1, that is, they are bound to port 1; only PCs with IP addresses in this range can be connected to external networks. The IP addresses 202.10.20.21 ~ 202.10.20.50 are allocated to organization 2, that is, bound to port 2.

An isolation measure is also required, because otherwise the PCs in the two organizations could communicate with each other. The L2 isolation function at the switch port ensures that two ports do not receive packets from each other, so that only PCs in the same organization can communicate with each other.

5.2 Configure Access Management

Access management configuration includes:

Enable access management function

Configure the access IP address pool based on the physical port

Configure Layer 2 isolation between ports

Configure port, IP address and MAC address binding (S3526E/S3526C switches support)

Enable/Disable access management trap

5.2.1 Enable Access Management Function

You can use the following command to enable access management function. Only after the access management function is enabled will the access management features (IP and port binding and Layer 2 port isolation) take effect.

Perform the following configuration in System view.

Table 5-1 Enable/Disable access management function

Operation                               Command
Enable access management function       am enable
Disable access management function      undo am enable

By default, the system disables the access management function.


5.2.2 Configure the Access IP Address Pool Based on the Physical Port

You can use the following command to set the IP address pool for access management on a port. The packet whose source IP address is in the specified pool is allowed to be forwarded on Layer 3 via the port of the switch.

Perform the following configuration in Ethernet interface view.

Table 5-2 Configure the access IP address pool based on the physical port

Operation                                                                            Command
Configure the access management IP address pool based on the physical port           am ip-pool address-list
Cancel part or all of the IP addresses in the access management IP address pool      undo am ip-pool { all | address-list }
of the port

By default, the IP address pools for access control on the port are null and all the packets are permitted through.

Note that if the IP address pool to be configured contains IP addresses that are configured in static ARP entries on other ports, the system prompts you to delete those static ARP entries so that the new binding can take effect.

5.2.3 Configure Layer 2 Isolation between Ports

You can use the following command to set Layer 2 isolation on a port so as to prevent the packets from being forwarded on Layer 2 between the specified port and some other ports (group).

Perform the following configuration in Ethernet interface view.

Table 5-3 Configure Layer 2 isolation between ports

Operation                                       Command
Configure Layer 2 isolation between ports       am isolate interface-list
Cancel Layer 2 isolation between ports          undo am isolate interface-list

By default, the isolation port pool is null and the packets are allowed to be forwarded between the specified port and all other ports on Layer 2.

5.2.4 Configure Port, IP Address and MAC Address Binding

Perform the following actions to bind the port, IP address and MAC address.

The system supports the following binding combination: Port+IP, Port+MAC, Port+IP+MAC, and IP+MAC.


Port+IP binding: binding the packet’s receiving port and its source IP address. The specified port will only allow the packet with specified IP address to pass; meanwhile the packet with specified IP address can only pass through the specified port.

Port+MAC binding: binding the packet’s receiving port and its source MAC address. The specified port will only allow the packet with specified MAC address to pass; meanwhile the packet with specified MAC address can only pass through the specified port.

Port+IP+MAC binding: binding the packet’s receiving port, source IP address and source MAC address. The specified port will only allow the packet with specified IP and MAC address to pass. The packet with specified IP address can only pass through the specified port. Likewise, the packet with specified MAC address can only pass from the specified port.

IP+MAC binding: binding the packet’s source IP address and its source MAC address. If the packet’s source IP address equals the specified IP address, the packet is relayed only when its source MAC address is the specified MAC address. Likewise, if the packet’s source MAC address equals the specified MAC address, the packet is relayed only when its source IP address is the specified IP address.

Perform the following configuration in the system view.

Table 5-4 Binding Port, IP Address and MAC Address

Operation                                                  Command
Bind port, IP address and MAC address                      am user-bind { interface { interface-name | interface-type interface-num } { mac-addr mac | ip-addr ip }* | mac-addr mac { interface { interface-name | interface-type interface-num } | ip-addr ip }* | ip-addr ip { interface { interface-name | interface-type interface-num } | mac-addr mac }* }
Remove the binding of port, IP address and MAC address     undo am user-bind { interface { interface-name | interface-type interface-num } { mac-addr mac | ip-addr ip }* | mac-addr mac { interface { interface-name | interface-type interface-num } | ip-addr ip }* | ip-addr ip { interface { interface-name | interface-type interface-num } | mac-addr mac }* }

Note that:

One MAC address or one IP address cannot be bound more than once.

The maximum binding number is 128.

Do not perform “Port+IP+MAC” and “Port+IP” binding on the same port.

Among the S3500 series switches, the S3526E/S3526C support this configuration.

5.2.5 Enable/Disable Access Management Trap

You can use the following command to enable/disable access management trap.

Perform the following configuration in System view.


Table 5-5 Enable/Disable access management trap

Operation                               Command
Enable access management trap           am trap enable
Disable access management trap          undo am trap enable

By default, the access management trap is disabled.

5.3 Display and debug Access Management

After the above configuration, execute the display command in any view to display the current access management configuration on the ports and to verify the effect of the configuration.

Table 5-6 Display current configuration of access management

Operation                                               Command
Display current configuration of access management      display am [ interface-list ]
Display port, IP address and MAC address binding        display am user-bind [ interface { interface-name | interface-type interface-num } | mac-addr mac | ip-addr ip ]

Note that, among the S3500 series switches, the S3526E/S3526C support the display am user-bind command.

5.4 Access Management Configuration Example

I. Networking requirements

Organization 1 is connected to port 1 of the switch, and organization 2 to port 2. Ports 1 and 2 belong to the same VLAN. Only the IP addresses in the range 202.10.20.1~202.10.20.20 may access external networks through port 1, and only those in the range 202.10.20.21~202.10.20.50 through port 2. Organization 1 and organization 2 cannot communicate with each other.

II. Networking diagram

See Figure 5-1.

III. Configuration procedure

# Enable access management globally.

[Quidway] am enable

# Configure the IP address pool for access management on port 1.

[Quidway-Ethernet0/1] am ip-pool 202.10.20.1 20

# Configure Layer 2 isolation between port 1 and port 2.

[Quidway-Ethernet0/1] am isolate ethernet0/2

# Configure the IP address pool for access management on port 2.

[Quidway-Ethernet0/2] am ip-pool 202.10.20.21 30
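To make the access management rules concrete, the following Python model (an added illustration, not Huawei code) reproduces the decisions described in Sections 5.2.2 to 5.2.4 and builds the configuration of this example. It assumes that an address-list is given as (start address, count) pairs, as in am ip-pool 202.10.20.1 20, that port names follow the Ethernet0/1 form used above, and it generalizes the four binding combinations as: a packet must fully match one binding for every attribute of it that some binding holds.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

MAX_BINDINGS = 128  # limit stated in Section 5.2.4


@dataclass(frozen=True)
class Packet:  # ingress port, source IP and source MAC of one received packet
    in_port: str
    src_ip: str
    src_mac: str


def _attrs(pkt: Packet) -> dict:
    # packet attributes keyed like bindings are, MAC normalised to lower case
    return {"port": pkt.in_port, "ip": pkt.src_ip, "mac": pkt.src_mac.lower()}


@dataclass(frozen=True)
class Binding:  # one 'am user-bind' entry; None means the attribute is not bound
    port: str = None
    ip: str = None
    mac: str = None

    def bound(self) -> dict:
        return {k: v for k, v in (("port", self.port), ("ip", self.ip), ("mac", self.mac)) if v}

    def fully_matches(self, pkt: Packet) -> bool:
        return all(_attrs(pkt)[k] == v for k, v in self.bound().items())


class AccessManager:
    """Models 'am enable', 'am ip-pool', 'am isolate' and 'am user-bind' (assumed port names)."""

    def __init__(self) -> None:
        self.enabled = False  # disabled by default; 'am enable' turns it on
        self.ip_pools = {}    # port -> set of IPv4Address
        self.isolated = {}    # port -> set of isolated peer ports
        self.bindings = []    # list of Binding

    def am_ip_pool(self, port: str, *address_list) -> None:
        # address-list as (start, count) pairs: ('202.10.20.1', 20) covers .1 to .20
        pool = self.ip_pools.setdefault(port, set())
        for start, count in address_list:
            pool.update(IPv4Address(start) + i for i in range(count))

    def am_isolate(self, port: str, *peers: str) -> None:
        self.isolated.setdefault(port, set()).update(peers)

    def am_user_bind(self, port=None, ip=None, mac=None) -> None:
        # enforces the notes of Section 5.2.4: each IP/MAC bound once, at most
        # 128 bindings, no Port+IP together with Port+IP+MAC on one port
        new = Binding(port, ip, mac.lower() if mac else None)
        if len(new.bound()) < 2:
            raise ValueError("a binding combines at least two of port, IP and MAC")
        if len(self.bindings) >= MAX_BINDINGS:
            raise ValueError("maximum binding number (128) reached")
        for old in self.bindings:
            if (ip and old.ip == ip) or (mac and old.mac == new.mac):
                raise ValueError("an IP or MAC address cannot be bound more than once")
            if port and old.port == port and old.ip and ip and bool(old.mac) != bool(mac):
                raise ValueError("do not mix Port+IP and Port+IP+MAC on the same port")
        self.bindings.append(new)

    def l3_permitted(self, pkt: Packet) -> bool:
        # 'am ip-pool': an empty pool permits everything, else source IP must be in it
        if not self.enabled:
            return True
        pool = self.ip_pools.get(pkt.in_port)
        return not pool or IPv4Address(pkt.src_ip) in pool

    def l2_permitted(self, pkt: Packet, out_port: str) -> bool:
        # 'am isolate': isolated ports do not receive each other's packets
        if not self.enabled:
            return True
        return (out_port not in self.isolated.get(pkt.in_port, set())
                and pkt.in_port not in self.isolated.get(out_port, set()))

    def binding_permitted(self, pkt: Packet) -> bool:
        # 'am user-bind': for each packet attribute that some binding holds, the packet
        # must fully match one such binding (a port may carry several, an IP/MAC one)
        if not self.enabled:
            return True
        for attr, value in _attrs(pkt).items():
            group = [b for b in self.bindings if b.bound().get(attr) == value]
            if group and not any(b.fully_matches(pkt) for b in group):
                return False
        return True


def configure_example() -> AccessManager:
    # the Section 5.4 procedure: am enable; pool .1-.20 on port 1; isolate port 1
    # from port 2; pool .21-.50 on port 2
    am = AccessManager()
    am.enabled = True
    am.am_ip_pool("Ethernet0/1", ("202.10.20.1", 20))
    am.am_isolate("Ethernet0/1", "Ethernet0/2")
    am.am_ip_pool("Ethernet0/2", ("202.10.20.21", 30))
    return am
```

With configure_example(), a packet from 202.10.20.25 arriving on Ethernet0/1 fails l3_permitted, and a packet from Ethernet0/1 is refused by l2_permitted towards Ethernet0/2 but not towards any third port.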


Chapter 6 IP Performance Configuration

6.1 IP Performance Configuration

IP performance configuration includes:

Configure TCP attributes

6.1.1 Configure TCP Attributes

TCP attributes that can be configured include:

synwait timer: When sending SYN packets, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is terminated. The synwait timer ranges from 2 to 600 seconds and is 75 seconds by default.

finwait timer: When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If no FIN packet is received before the finwait timer expires, the TCP connection is terminated. The finwait timer ranges from 76 to 3600 seconds and is 675 seconds by default.

The receiving/sending buffer size of a connection-oriented socket ranges from 1 to 32K bytes and is 4K bytes by default.

Perform the following configuration in System view.

Table 6-1 Configure TCP attributes

Operation                                                                        Command
Configure synwait timer time for TCP connection establishment                    tcp timer syn-timeout time-value
Restore synwait timer time for TCP connection establishment to default value     undo tcp timer syn-timeout
Configure FIN_WAIT_2 timer time of TCP                                           tcp timer fin-timeout time-value
Restore FIN_WAIT_2 timer time of TCP to default value                            undo tcp timer fin-timeout
Configure the socket receiving/sending buffer size of TCP                        tcp window window-size
Restore the socket receiving/sending buffer size of TCP to default value         undo tcp window

By default, the TCP finwait timer is 675 seconds, the synwait timer is 75 seconds, and the receiving/sending buffer size of connection-oriented Socket is 4K bytes.


6.2 Display and debug IP Performance

After the above configuration, execute the display command in any view to display the running state of the IP performance configuration and to verify the effect of the configuration. Execute the reset command in user view to clear IP and TCP statistics.

Table 6-2 Display and debug IP performance

Operation                                                   Command
Display TCP connection state                                display tcp status
Display TCP connection statistics data                      display tcp statistics
Display IP statistics information                           display ip statistics
Display ICMP statistics information                         display icmp statistics
Display socket interface information of current system      display ip socket [ socktype sock-type ] [ task-id socket-id ]
Display the summary of the Forwarding Information Base      display fib
Reset IP statistics information                             reset ip statistics
Reset TCP statistics information                            reset tcp statistics

6.3 Troubleshoot IP Performance

Fault: IP layer protocol works normally but TCP and UDP cannot work normally.

In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information.

Use the terminal debugging command to output the debugging information to the console.

Use the command debugging udp packet to enable the UDP debugging to trace the UDP packet.

The following are the UDP packet formats:

UDP output packet:

Source IP address:202.38.160.1

Source port:1024

Destination IP Address 202.38.160.1

Destination port: 4296

Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets.

Operations include:

[Quidway] terminal debugging

<Quidway> debugging tcp packet

Then the TCP packets received or sent can be checked in real time. Specific packet formats include:


TCP output packet:

Source IP address:202.38.160.1

Source port:1024

Destination IP Address 202.38.160.1

Destination port: 4296

Sequence number :4185089

Ack number: 0

Flag :SYN

Packet length :60

Data offset: 10
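As an added example that is not part of the manual, the following Python code parses packet records in the layout printed above into dictionaries and counts outgoing SYN packets per destination, which is the kind of summary useful when TCP cannot establish connections. The sample text is constructed in that layout (the missing colon after Destination IP Address is reproduced on purpose); the input direction keyword is an assumption, since only output records are shown here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout shown for 'debugging tcp packet' and
# 'debugging udp packet' output (not captured from a real switch).
SAMPLE_DEBUG = """\
TCP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
Sequence number :4185089
Ack number: 0
Flag :SYN
Packet length :60
Data offset: 10
UDP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
"""

# 'input' is an assumption: the manual shows only 'output' records but says
# received packets are traced as well.
HEADER = re.compile(r"^(TCP|UDP) (input|output) packet:$")


def _split_field(line: str) -> Tuple[str, object]:
    # 'Source port:1024' splits at the colon; 'Destination IP Address 202.38.160.1'
    # is printed without one, so it is split at the last space instead
    if ":" in line:
        name, value = line.split(":", 1)
    else:
        name, value = line.rsplit(" ", 1)
    name = name.strip().lower().replace(" ", "_")
    value = value.strip()
    return name, int(value) if value.isdigit() else value


def parse_debug(text: str) -> List[Dict[str, object]]:
    """Turns the per-packet debug blocks into a list of dicts, one per packet."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({"proto": m.group(1), "direction": m.group(2)})
        elif records:  # field lines before any header are ignored
            name, value = _split_field(line)
            records[-1][name] = value
    return records


def syn_attempts(records: List[Dict[str, object]]) -> Dict[Tuple[str, int], int]:
    """Counts outgoing TCP SYN packets per (destination IP, destination port);
    repeated SYNs to one destination with no answering traffic point at the
    fault described in this section."""
    counts: Dict[Tuple[str, int], int] = {}
    for r in records:
        if r.get("proto") == "TCP" and r.get("direction") == "output" and r.get("flag") == "SYN":
            key = (r["destination_ip_address"], r["destination_port"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```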


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

5. Routing Protocol

Table of Contents

Chapter 1 IP Routing Protocol Overview .... 1-1
1.1 Introduction to IP Route and Routing Table .... 1-1
1.1.1 IP Route and Route Segment .... 1-1
1.1.2 Route Selection through the Routing Table .... 1-2
1.2 Routing Management Policy .... 1-4
1.2.1 Routing protocols and the preferences of the corresponding routes .... 1-4
1.2.2 Support Load Sharing and Route Backup .... 1-4
1.2.3 Routes Shared between Routing Protocols .... 1-5
Chapter 2 Static Route Configuration .... 2-1
2.1 Introduction to Static Route .... 2-1
2.1.1 Attributes and Functions of Static Route .... 2-1
2.1.2 Default Route .... 2-1
2.2 Static Route Configuration .... 2-2
2.2.1 Configure a static route .... 2-2
2.2.2 Configure a default route .... 2-3
2.2.3 Configure the default preference of static routes .... 2-3
2.3 Display and Debug Static Route .... 2-3
2.4 Typical Static Route Configuration Example .... 2-4
2.5 Static Route Fault Diagnosis and Troubleshooting .... 2-5
Chapter 3 RIP Configuration .... 3-1
3.1 Brief Introduction to RIP .... 3-1
3.2 RIP Configuration .... 3-2
3.2.1 Enable RIP and Enter RIP view .... 3-3
3.2.2 Enable RIP Interface .... 3-3
3.2.3 Configure Unicast of the Message .... 3-3
3.2.4 Specify RIP Version of the Interface .... 3-4
3.2.5 Configure RIP-1 zero field check of the interface packet .... 3-4
3.2.6 Specify the operating state of the interface .... 3-5
3.2.7 Disable host route .... 3-6
3.2.8 RIP-2 Route Aggregation Function .... 3-6
3.2.9 Set RIP-2 Packet Authentication .... 3-6
3.2.10 Configure Split Horizon .... 3-7
3.2.11 Configure RIP to Import Routes of Other Protocols .... 3-7
3.2.12 Configure Default Cost for the Imported Route .... 3-8
3.2.13 Set the RIP Preference .... 3-8
3.2.14 Set Additional Routing Metric .... 3-9
3.2.15 Configure Route Filtering .... 3-9
3.3 Display and Debug RIP .... 3-10
3.4 Typical RIP Configuration Example .... 3-10
3.4.1 Networking requirements .... 3-10
3.4.2 Networking diagram .... 3-11
3.4.3 Configuration procedure .... 3-11
3.5 RIP Fault Diagnosis and Troubleshooting .... 3-12
Chapter 4 OSPF Configuration .... 4-1
4.1 OSPF Overview .... 4-1
4.1.1 Introduction to OSPF .... 4-1
4.1.2 Process of OSPF Route Calculation .... 4-1
4.1.3 OSPF Packets .... 4-2
4.1.4 Basic Concepts Related to OSPF .... 4-3
4.2 OSPF Configuration .... 4-4
4.2.1 Enable OSPF and Enter OSPF View .... 4-5
4.2.2 Enter OSPF Area view .... 4-5
4.2.3 Specify interface .... 4-6
4.2.4 Configure Router ID .... 4-6
4.2.5 Configure the Network Type on the OSPF Interface .... 4-7
4.2.6 Configure the Cost for Sending Packets on an Interface .... 4-8
4.2.7 Set the Interface Priority for DR Election .... 4-8
4.2.8 Set the Peer .... 4-9
4.2.9 Set the Interval of Hello Packet Transmission .... 4-10
4.2.10 Set a dead timer for the neighboring routers .... 4-10
4.2.11 Configure an Interval required for sending LSU packets .... 4-11
4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers .... 4-11
4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF .... 4-12
4.2.14 Configure STUB Area of OSPF .... 4-12
4.2.15 Configure NSSA of OSPF .... 4-13
4.2.16 Configure the Route Summarization of OSPF Area .... 4-14
4.2.17 Configure Summarization of Imported Routes by OSPF .... 4-15
4.2.18 Configure OSPF Virtual Link .... 4-16
4.2.19 Configure the OSPF Area to Support Packet Authentication .... 4-17
4.2.20 Configure OSPF Packet Authentication .... 4-17
4.2.21 Configure OSPF to import Routes of Other Protocols .... 4-18
4.2.22 Configure Parameters for OSPF to Import External Routes .... 4-19
4.2.23 Configure OSPF to Import the Default Route .... 4-19
4.2.24 Set OSPF Route Preference .... 4-20
4.2.25 Configure OSPF Route Filtering .... 4-20
4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets .... 4-21
4.2.27 Disable the Interface to Send OSPF Packets .... 4-21
4.2.28 Reset the OSPF Process .... 4-22
4.3 Display and Debug OSPF .... 4-22
4.4 Typical OSPF Configuration Example .... 4-23
4.4.1 Configuring DR Election Based on OSPF Priority .... 4-23
4.4.2 Configuring OSPF Virtual Link .... 4-25
4.4.3 OSPF Fault Diagnosis and Troubleshooting .... 4-27
Chapter 5 BGP Configuration .... 5-1
5.1 Brief Introduction to BGP .... 5-1
5.2 BGP Configuration .... 5-2
5.2.1 Enable BGP .... 5-3
5.2.2 Configure Networks for BGP Distribution .... 5-3
5.2.3 Configure BGP Peer (Group) .... 5-3
5.2.4 Configure BGP Timer .... 5-10
5.2.5 Configure the local preference .... 5-10
5.2.6 Configure MED for AS .... 5-11
5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs .... 5-11
5.2.8 Configure BGP Community .... 5-12
5.2.9 Configure BGP Route Summarization .... 5-12
5.2.10 Configure BGP Route Reflector .... 5-13
5.2.11 Configure BGP AS Confederation Attribute .... 5-15
5.2.12 Configure BGP route dampening .... 5-17
5.2.13 Configure the repeating time of local AS .... 5-17
5.2.14 Configure the Redistribution of BGP and IGP .... 5-18
5.2.15 Define ACL, AS Path List, and Route-policy .... 5-18
5.2.16 Configure BGP Route Filtering .... 5-19
5.2.17 Clear BGP Connection .... 5-20
5.3 Display and Debug BGP .... 5-20
5.4 Typical BGP Configuration Example .... 5-21
5.4.1 Configure BGP AS Confederation Attribute .... 5-21
5.4.2 Configure BGP Route Reflector .... 5-23
5.4.3 Configure BGP Routing .... 5-26
5.5 Fault Diagnosis and BGP Troubleshooting .... 5-29
Chapter 6 IP Routing Policy Configuration .... 6-1
6.1 Brief Introduction to IP Routing Policy .... 6-1
6.2 IP Routing Policy Configuration .... 6-3
6.2.1 Define a route-policy .... 6-3
6.2.2 Define If-match clauses for a Route-policy .... 6-4
6.2.3 Define apply clauses for a Route-policy .... 6-5
6.2.4 Importing Routing Information Discovered by Other Routing Protocols .... 6-6
6.2.5 Define ip-Prefix .... 6-6
6.2.6 Configure Route Filtering .... 6-7
6.3 Display and Debug the Routing Policy .... 6-8
6.4 Typical IP Routing Policy Configuration Example .... 6-8
6.4.1 Configure to Filter the Received Routing Information .... 6-8
6.5 Routing Policy Fault Diagnosis and Troubleshooting .... 6-10
Chapter 7 Route Capacity Configuration .... 7-1
7.1 Route Capacity Configuration Overview .... 7-1
7.1.1 Introduction .... 7-1
7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch .... 7-1
7.2 Route Capacity Configuration .... 7-2
7.2.1 Set the Lower Limit of the Ethernet switch Memory .... 7-2
7.2.2 Set the Safety Value of the Ethernet switch Memory .... 7-2
7.2.3 Set the Lower Limit and the Safety Value Simultaneously .... 7-3
7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically .... 7-4
7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically .... 7-4
7.3 Display and Debug Route Capacity .... 7-4


Chapter 1 IP Routing Protocol Overview

Note:

When an Ethernet switch runs a routing protocol, it can perform router functions. The term router used in the following text, and its icon, represent a generalized router or an Ethernet switch running routing protocols. To improve readability, this will not be repeated in the other parts of the manual.

1.1 Introduction to IP Route and Routing Table

1.1.1 IP Route and Route Segment

Routers perform route selection in the Internet. A router works in the following way: it selects an appropriate path (through a network) according to the destination address of a received packet and forwards the packet to the next router. This is repeated hop by hop, and the last router in the path is responsible for delivering the packet to the destination host, which completes the IP packet forwarding and the routing across network segments.

In a network, the router regards the path over which a packet is sent as a logical route unit, called a hop. For example, in the figure below, a packet sent from Host A to Host C must go through 2 routers, so the packet is transmitted over two hops, or route segments. Therefore, when a node is connected to another node through a network, there is one hop between these two nodes, and the two nodes are deemed adjacent in the Internet. By the same principle, adjacent routers are two routers connected to the same network. The number of route segments between a router and the hosts in the same network is counted as zero. In the following figure, the bold arrows represent the hops. A router can be connected to any physical link that constitutes a route segment for routing packets via the network.

Figure 1-1 About hop (figure not reproduced: hosts A, B and C connected through routers R, with the route segments between them marked by bold arrows)

As networks vary in size, the lengths of the segments between different pairs of routers also vary. The number of route segments multiplied by a weighting coefficient can serve as a weighted measure of the actual length of the signal transmission path.

If a router in a network is regarded as a node and a route segment in the Internet as a link, message routing in the Internet works much like message routing in a conventional network. The message routed over the shortest path (the fewest segments) is not always routed in the optimal way. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments.

1.1.2 Route Selection through the Routing Table

The key to packet forwarding by a router is its routing table. Each router keeps a routing table in memory, and each entry of this table specifies the physical port of the router through which a packet destined for a subnet or a host is sent. Through that port the packet either reaches the next router along a particular path or reaches the destination host over a directly connected network.

A routing table has the following key entries:

Destination address: identifies the destination IP address or the destination network of the IP packet; it is 32 bits long.

Network mask: made up of several consecutive "1"s; it can be expressed either in dotted decimal format or as the number of consecutive "1"s in the mask. Combined with the destination address, it identifies the network address of the destination host or router: ANDing the destination address with the network mask yields the address of the network segment where the destination host or router is located. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network where the host or router is located is 129.102.0.0.

Output interface: the interface through which the IP packet should be forwarded.

Next hop address: the address of the next router that the IP packet will pass through.

Priority (preference) of a route in the IP routing table: there may be different next hops to the same destination. These routes may be discovered by different routing protocols, or they may be static routes configured manually. The one with the highest priority (the smallest numerical value) is selected as the current optimal route.

According to the destination, routes are divided into the following types:

Subnet route: the destination is a subnet.

Host route: the destination is a host.

In addition, according to whether the network of the destination host is directly connected to the router, there are the following types of routes:

Direct route: the router is directly connected to the network where the destination is located.

Indirect route: the router is not directly connected to the network where the destination is located.

To limit the size of the routing table, a default route can be set. All packets for which no suitable entry is found are forwarded through this default route.

In the complex internet shown in the following figure, the number in each network is its network address. Router R8 is connected to three networks, so it has three IP addresses and three physical ports; its routing table is shown in the figure:

Figure 1-2 The routing table (figure not reproduced: networks 10.0.0.0 to 16.0.0.0 interconnected by routers R1 to R8)

The routing table of router R8, as shown in the figure:

Destination host location    Forwarding router passed    Port
10.0.0.0                     Directly                    2
11.0.0.0                     Directly                    1
12.0.0.0                     11.0.0.2                    1
13.0.0.0                     Directly                    3
14.0.0.0                     13.0.0.2                    3
15.0.0.0                     10.0.0.2                    2
16.0.0.0                     10.0.0.2                    2


1.2 Routing Management Policy

The Quidway S3500 Series Ethernet Switches support a series of dynamic routing protocols, such as RIP, OSPF and BGP, as well as static routes. Static routes configured by the user are managed together with the dynamic routes discovered by the routing protocols. Static routes and the routes learned or configured by different routing protocols can also be shared with each other.

1.2.1 Routing protocols and the preferences of the corresponding routes

Different routing protocols (and static configuration) may generate different routes to the same destination, but not all of these routes are optimal. In fact, at any given moment only one routing protocol can determine the current route to a specific destination. Each routing protocol (including static configuration) is therefore assigned a preference, and when there are multiple sources of routing information, the route discovered by the protocol with the highest preference becomes the current route. The routing protocols and the default preferences of the routes they learn (the smaller the value, the higher the preference) are shown in the following table.

Table 1-1 Routing protocols and the default preferences for the routes learned by them

Routing protocol or route type    Preference of the corresponding route
DIRECT                            0
OSPF                              10
STATIC                            60
RIP                               100
OSPF ASE                          150
OSPF NSSA                         150
IBGP                              256
EBGP                              256
UNKNOWN                           255

In the table, 0 indicates a direct route and 255 indicates a route from an unreliable source.

Except for direct routes and BGP (IBGP and EBGP), the preferences of the dynamic routing protocols can be configured manually to meet user requirements. In addition, the preferences of individual static routes can differ.

1.2.2 Support Load Sharing and Route Backup

Load sharing: multi-route mode is supported, permitting multiple routes to the same destination with the same preference to be configured. The same destination can then be reached via multiple different paths of equal preference. When no route of higher preference to that destination exists, IP adopts all of these routes and forwards packets to the destination over these paths, implementing load sharing.


Route backup: route backup is supported. When the main route fails, the system automatically switches to a backup route, improving network reliability.

To achieve route backup, the user can configure multiple routes to the same destination as the situation requires. The route with the highest preference is called the main route; the other routes, with descending preferences, are called backup routes. Normally the router sends data via the main route. When the line fails, the main route hides itself and the router chooses, from the remaining routes, the one with the highest preference as the backup route over which to send data; this realizes the switchover from the main route to the backup route. When the main route recovers, the router restores it and re-selects the route; as the main route has the highest preference, the router again chooses it to send data. This is the automatic switchover from the backup route back to the main route.

For the same destination, a given routing protocol may find multiple different routes. If that protocol has the highest preference among all active routing protocols, these multiple routes are all regarded as currently valid routes, so that load sharing of IP traffic is ensured at the level of the routing protocols. Among the S3500 Series Ethernet Switches, only the S3552, S3528 Series and S3552F support load sharing; each supports up to four routes for this function.
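The selection rules of 1.1.2, 1.2.1 and 1.2.2 (mask match, preference between sources, load sharing across equal-preference routes, switchover to a backup route and back) can be exercised in a small model. The Python below is an added example, not code from the manual or the switch: the addresses, port names and the Route/RoutingTable names are constructed for illustration, while the preference values are those of Table 1-1. It also applies the longest-match rule, which the manual does not spell out but which any IP forwarder applies before comparing preferences.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Default preferences from Table 1-1 (smaller value = higher preference).
DEFAULT_PREFERENCE = {
    "DIRECT": 0, "OSPF": 10, "STATIC": 60, "RIP": 100,
    "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 256, "EBGP": 256, "UNKNOWN": 255,
}


def network_of(address: str, mask: str) -> IPv4Address:
    """AND the destination address with the mask to obtain its network address."""
    return IPv4Address(int(IPv4Address(address)) & int(IPv4Address(mask)))


@dataclass
class Route:
    network: IPv4Network               # destination address + mask
    next_hop: str                      # next-hop router address, or "direct"
    interface: str                     # output interface
    protocol: str                      # source of the route (a key of DEFAULT_PREFERENCE)
    preference: Optional[int] = None   # explicit preference, else the protocol default
    active: bool = True                # False while the line behind the route is down

    def __post_init__(self):
        self.network = IPv4Network(self.network)
        if self.preference is None:
            self.preference = DEFAULT_PREFERENCE[self.protocol]


class RoutingTable:
    def __init__(self):
        self.routes: List[Route] = []

    def add(self, *routes: Route) -> None:
        self.routes.extend(routes)

    def set_active(self, network: str, next_hop: str, active: bool) -> None:
        """Simulate a line failing (active=False) or recovering (active=True)."""
        for r in self.routes:
            if r.network == IPv4Network(network) and r.next_hop == next_hop:
                r.active = active

    def lookup(self, destination: str) -> List[Route]:
        """Return the routes IP would use for this destination.

        1. mask match: destination AND mask == network address (a 0.0.0.0/0
           default route matches everything);
        2. among the matches the longest mask wins, so the default route is
           used only when nothing more specific matches;
        3. among those, the highest preference (smallest value) wins;
        4. several routes of equal preference are all returned: load sharing.
        """
        addr = IPv4Address(destination)
        matches = [r for r in self.routes if r.active and addr in r.network]
        if not matches:
            return []                   # no entry and no default route: packet dropped
        longest = max(r.network.prefixlen for r in matches)
        matches = [r for r in matches if r.network.prefixlen == longest]
        best = min(r.preference for r in matches)
        return [r for r in matches if r.preference == best]


def next_hops(table: RoutingTable, destination: str) -> List[str]:
    return sorted(r.next_hop for r in table.lookup(destination))


def build_example_table() -> RoutingTable:
    """Constructed sample table; the addresses are illustrative only."""
    rt = RoutingTable()
    rt.add(
        Route("11.0.0.0/8", "direct", "port1", "DIRECT"),
        # the same destination learned by OSPF (10) and configured statically (60)
        Route("129.102.0.0/16", "11.0.0.2", "port1", "OSPF"),
        Route("129.102.0.0/16", "11.0.0.3", "port1", "STATIC"),
        # load sharing: two static routes with the same preference
        Route("10.1.0.0/16", "11.0.0.2", "port1", "STATIC"),
        Route("10.1.0.0/16", "11.0.0.3", "port1", "STATIC"),
        # route backup: main route (60) and a backup with a lower preference (100)
        Route("192.168.5.0/24", "11.0.0.2", "port1", "STATIC"),
        Route("192.168.5.0/24", "11.0.0.3", "port1", "STATIC", preference=100),
        # default route, used only when nothing else matches
        Route("0.0.0.0/0", "11.0.0.254", "port1", "STATIC"),
    )
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dst in ("129.102.8.10", "10.1.2.3", "192.168.5.9", "8.8.8.8", "11.0.0.7"):
        print(dst, "->", next_hops(rt, dst))
    rt.set_active("192.168.5.0/24", "11.0.0.2", False)   # the main route's line fails
    print("192.168.5.9 after failure ->", next_hops(rt, "192.168.5.9"))
```

Running the block shows 129.102.8.10 going to the OSPF next hop, 10.1.2.3 being shared across both static next hops, and 192.168.5.9 moving to the backup next hop while the main route is inactive and returning to it once it is restored.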

1.2.3 Routes Shared between Routing Protocols

As the algorithms of the various routing protocols differ, different protocols may generate different routes, which raises the problem of how to resolve these differences. The Quidway S3500 Series Ethernet Switches can import the route information of another routing protocol. Each protocol has its own route redistribution mechanism; for details, refer to the description of "Importing an External Route" in the operation manual of the corresponding routing protocol.


Chapter 2 Static Route Configuration

2.1 Introduction to Static Route

2.1.1 Attributes and Functions of Static Route

A static route is a special route. You can set up an interconnected network with static route configuration alone. The drawback of such a configuration is that when a fault occurs in the network, a static route cannot change automatically to steer traffic away from the faulty node without the help of an administrator.

In a relatively simple network, you only need to configure static routes to make the router work normally. Proper configuration and use of static routes can improve network performance and guarantee the bandwidth of important applications.

All the following routes are static routes:

Reachable route: a normal route is of this type, that is, the IP packet is sent to the next hop via the route identified by its destination. It is the common type of static route.

Unreachable route: when a static route to a destination has the "reject" attribute, all IP packets to this destination are discarded, and the originating host is informed that the destination is unreachable.

Blackhole route: when a static route to a destination has the "blackhole" attribute, all IP packets to this destination are discarded, and the originating host is not informed.

The "reject" and "blackhole" attributes are usually used to control the range of destinations reachable from this router and to help troubleshoot the network.

2.1.2 Default Route

A default route is also a static route. It is used only when no suitable routing table entry is matched: when no proper route is found, the default route is used. In a routing table, the default route appears as the route to the network 0.0.0.0 (with the mask 0.0.0.0). You can see whether it has been set in the output of the display ip routing-table command. If the destination address of a packet fails to match any entry in the routing table, the router selects the default route to forward the packet. If there is no default route and the destination address of the packet matches no entry in the routing table, the packet is discarded and an Internet Control Message Protocol (ICMP) packet is sent to the originating host to inform it that the destination host or network is unreachable.

Default routes are very useful. Consider a typical network consisting of hundreds of routers. Running all kinds of dynamic routing protocols in that network without configuring a default route would consume far more bandwidth. Using a default route can provide adequate bandwidth, even if not a high bandwidth, for communications between large numbers of users.

2.2 Static Route Configuration

Static route configuration includes:

Configure a static route

Configure a default route

Configure the default preference of static routes

2.2.1 Configure a static route

Perform the following configurations in system view.

Table 2-1 Configure a static route

Operation: Command

Add a static route: ip route-static ip-address { mask | mask-length } { null null-interface-number | gateway-address } [ preference value ] [ reject | blackhole ]

Delete a static route: undo ip route-static ip-address { mask | mask-length } [ null null-interface-number | gateway-address ] [ preference value ]

The parameters are explained as follows:

IP address and mask

The IP address and mask are in dotted decimal format. As the "1"s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length (the number of consecutive "1"s in the mask).

Next hop address and NULL interface

When configuring a static route, you can specify the gateway-address as the next hop address, depending on the actual conditions.

In fact, the next hop address must be specified for every routing entry. When the IP layer transmits a packet, it first searches the routing table for a matching route according to the destination address of the packet. Only when the next hop address of the route is specified can the link layer find the corresponding link layer address and forward the packet to it.


Packets sent to the NULL interface, a kind of virtual interface, are discarded at once. This reduces the system load.

Preference

By configuring different preference values, you can apply the routing management policy flexibly.

Other parameters

The reject and blackhole attributes indicate an unreachable route and a blackhole route respectively.

2.2.2 Configure a default route

Perform the following configurations in system view.

Table 2-2 Configure a default route

Operation: Command

Configure a default route: ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { null null-interface-number | gateway-address } [ preference value ] [ reject | blackhole ]

Delete a default route: undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } [ null null-interface-number | gateway-address ] [ preference value ]

The meanings of parameters in the command are the same as those of the static route.

2.2.3 Configure the default preference of static routes

If no preference is specified when a static route is configured, the static route takes the default preference. You can change the default preference value applied to static routes configured afterwards with the following command.

Perform the following configurations in system view.

Table 2-3 Configure the default preference of static routes

Operation: Command

Configure the default preference value of static routes: ip route-static default-preference default-preference-value

By default, its value is 60.

2.3 Display and Debug Static Route

After the above configuration, execute the display command in any view to display the running state of the static route configuration and verify the effect of the configuration.


Table 2-4 Display and debug the routing table

Operation: Command

View routing table summary: display ip routing-table

View routing table details: display ip routing-table verbose

View the detailed information of a specific route: display ip routing-table ip_address [ mask ] [ longer-match ] [ verbose ]

View the route information in the specified address range: display ip routing-table ip_address1 mask1 ip_address2 mask2 [ verbose ]

View the routes filtered through a specified basic access control list (ACL): display ip routing-table acl { acl-number | acl-name } [ verbose ]

View the route information that passes a specified IP prefix list: display ip routing-table ip-prefix ip-prefix-number [ verbose ]

View the routing information found by the specified protocol: display ip routing-table protocol protocol [ inactive | verbose ]

View the tree routing table: display ip routing-table radix

View the integrated routing information: display ip routing-table statistics

2.4 Typical Static Route Configuration Example

I. Networking requirements

As shown in the figure below, the masks of all IP addresses in the figure are 255.255.255.0. It is required that all the hosts and S3500 series Ethernet Switches be interconnected in pairs by configuring static routes.

II. Networking diagram

Figure 2-1 Networking diagram of the static route configuration example (figure not reproduced; it shows Host A 1.1.1.1, Host B 1.1.5.1 and Host C 1.1.4.2 attached to Switch A, Switch B and Switch C, whose interface addresses are 1.1.1.2/24, 1.1.2.1/24, 1.1.2.2/24, 1.1.3.1/24, 1.1.3.2/24, 1.1.4.1/24 and 1.1.5.2/24)

III. Configuration procedure

# Configure the static route for Ethernet Switch A


[Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2

[Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2

[Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2

# Configure the static route for Ethernet Switch B

[Switch B] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1

[Switch B] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1

[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1

# Configure the static route for Ethernet Switch C

[Switch C] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1

[Switch C] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2

# Configure the default gateway of the Host A to be 1.1.1.2

# Configure the default gateway of the Host B to be 1.1.5.2

# Configure the default gateway of the Host C to be 1.1.4.1

Now all the hosts and Ethernet Switches in the figure can be interconnected in pairs.
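The configuration above can be checked offline before it is entered on the switches. The following Python script is an added example, not part of the manual: it parses the ip route-static commands with the syntax of Table 2-1 (dotted mask or mask length, null interface, preference, reject and blackhole), assigns the interface addresses of Figure 2-1 to the switches as implied by the routes and the host gateways, traces every host-to-host path hop by hop, and flags a static route whose gateway lies on no directly connected network, a configuration error that produces the symptom described under Fault in 2.5. The device names, the Network class and the verdict strings are assumptions of the example.

```python
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Tuple

# Transcribed from Figure 2-1 and the configuration procedure above (all masks /24).
# Which switch holds which interface address is inferred from the routes and gateways.
SWITCH_CONFIG = {
    "Switch A": (["1.1.1.2/24", "1.1.2.1/24"],
                 ["ip route-static 1.1.3.0 255.255.255.0 1.1.2.2",
                  "ip route-static 1.1.4.0 255.255.255.0 1.1.2.2",
                  "ip route-static 1.1.5.0 255.255.255.0 1.1.2.2"]),
    "Switch B": (["1.1.3.2/24", "1.1.4.1/24"],
                 ["ip route-static 1.1.2.0 255.255.255.0 1.1.3.1",
                  "ip route-static 1.1.5.0 255.255.255.0 1.1.3.1",
                  "ip route-static 1.1.1.0 255.255.255.0 1.1.3.1"]),
    "Switch C": (["1.1.2.2/24", "1.1.3.1/24", "1.1.5.2/24"],
                 ["ip route-static 1.1.1.0 255.255.255.0 1.1.2.1",
                  "ip route-static 1.1.4.0 255.255.255.0 1.1.3.2"]),
}
HOSTS = {"Host A": ("1.1.1.1/24", "1.1.1.2"),   # host address, default gateway
         "Host B": ("1.1.5.1/24", "1.1.5.2"),
         "Host C": ("1.1.4.2/24", "1.1.4.1")}

# Syntax of Table 2-1: ip-address { mask | mask-length } { null N | gateway } [ preference v ] [ reject | blackhole ]
STATIC_RE = re.compile(
    r"^ip route-static (?P<dest>\S+) (?P<mask>\S+) (?:null (?P<null>\d+)|(?P<gw>\d+\.\d+\.\d+\.\d+))"
    r"(?: preference (?P<pref>\d+))?(?: (?P<attr>reject|blackhole))?$")


class StaticRoute:
    def __init__(self, line: str):
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an ip route-static command: {line!r}")
        mask = m["mask"]   # dotted mask or mask length; both describe consecutive 1s
        length = mask if "." not in mask else IPv4Network(f"0.0.0.0/{mask}").prefixlen
        self.network = IPv4Network(f"{m['dest']}/{length}", strict=False)
        self.gateway = IPv4Address(m["gw"]) if m["gw"] else None   # None: null interface
        self.preference = int(m["pref"]) if m["pref"] else 60      # default preference
        self.attr = m["attr"]                                      # None, "reject" or "blackhole"


class Network:
    def __init__(self):
        self.ifaces: Dict[str, List[IPv4Interface]] = {}
        self.routes: Dict[str, List[StaticRoute]] = {}
        self.gateway: Dict[str, IPv4Address] = {}       # hosts only
        for name, (addrs, lines) in SWITCH_CONFIG.items():
            self.ifaces[name] = [IPv4Interface(a) for a in addrs]
            self.routes[name] = [StaticRoute(l) for l in lines]
        for name, (addr, gw) in HOSTS.items():
            self.ifaces[name], self.routes[name] = [IPv4Interface(addr)], []
            self.gateway[name] = IPv4Address(gw)
        self.owner = {i.ip: n for n, ifs in self.ifaces.items() for i in ifs}

    def connected(self, device: str, addr: IPv4Address) -> bool:
        return any(addr in i.network for i in self.ifaces[device])

    def next_hop(self, device: str, dst: IPv4Address):
        """Next-hop address, or a verdict: deliver (direct route), reject, blackhole."""
        if self.connected(device, dst):
            return "deliver"
        if device in self.gateway:
            return self.gateway[device]
        matches = [r for r in self.routes[device] if dst in r.network]
        if not matches:
            return "reject"              # no entry and no default route: ICMP unreachable
        best = min(matches, key=lambda r: (-r.network.prefixlen, r.preference))
        if best.attr:
            return best.attr
        return "blackhole" if best.gateway is None else best.gateway   # null interface drops

    def trace(self, src: str, dst_ip: str) -> List[str]:
        """Follow a packet hop by hop; the path ends with the receiving device or a verdict."""
        dst, device, path = IPv4Address(dst_ip), src, [src]
        for _ in range(16):
            hop = self.next_hop(device, dst)
            if isinstance(hop, str):
                path.append(self.owner.get(dst, str(dst)) if hop == "deliver" else hop)
                return path
            if hop not in self.owner or not self.connected(device, hop):
                path.append(f"unresolvable next hop {hop}")
                return path
            device = self.owner[hop]
            path.append(device)
        return path + ["loop"]


def unresolvable_next_hops(net: Network) -> List[str]:
    """Static routes whose gateway is on no directly connected network never become valid."""
    return [f"{dev}: {r.network} via {r.gateway}" for dev, routes in net.routes.items()
            for r in routes if r.gateway is not None and not net.connected(dev, r.gateway)]


def all_pairs(net: Network) -> Dict[Tuple[str, str], List[str]]:
    return {(s, d): net.trace(s, HOSTS[d][0].split("/")[0]) for s in HOSTS for d in HOSTS if s != d}


def all_reachable(net: Network) -> bool:
    return all(path[-1] == dst for (_, dst), path in all_pairs(net).items())


if __name__ == "__main__":
    net = Network()
    for path in all_pairs(net).values():
        print(" -> ".join(path))
    print("all pairs reachable:", all_reachable(net), "| unresolvable:", unresolvable_next_hops(net))
```

Deleting one of Switch B's routes from SWITCH_CONFIG and rerunning shows the 2.5 symptom directly: the trace from Host C stops at Switch B with the verdict reject, which is what the display ip routing-table check in 2.5 would reveal on the real switch.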

2.5 Static Route Fault Diagnosis and Troubleshooting

Fault:

The S3500 Ethernet Switch is not configured with a dynamic routing protocol, and both the physical status and the link layer protocol status of the interface are UP, but IP packets cannot be forwarded normally.

Troubleshooting:

Use the display ip routing-table protocol static command to view whether the corresponding static route is correctly configured.

Use the display ip routing-table command to view whether the corresponding route is valid.


Chapter 3 RIP Configuration

3.1 Brief Introduction to RIP

Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol, but it is widely used. RIP is a Distance-Vector (D-V) algorithm-based protocol and exchanges routing information via UDP packets. It uses the hop count to measure the distance to the destination host, which is called the routing cost. In RIP, the hop count from a router to a directly connected network is 0, the hop count to a network reachable through one other router is 1, and so on. To limit the convergence time, RIP prescribes that the cost is an integer in the range 0 to 15. A hop count of 16 or more is defined as infinite, meaning that the destination network or host is unreachable.

RIP sends a routing refresh message every 30 seconds. If no routing refresh message is received from a neighbor within 180 seconds, RIP marks all routes learned from that neighbor as unreachable. If still no routing refresh message is received from the neighbor within 300 seconds, RIP finally removes those routes from the routing table.

To improve performance and avoid routing loops, RIP supports Split Horizon and Poison Reverse, and allows importing routes discovered by other routing protocols.

Each router running RIP manages a route database, which contains routing entries to all the reachable destinations in the network. These routing entries contain the following information:

Destination address: IP address of a host or network.

Next hop address: the address of the next router that an IP packet passes through to reach the destination.

Output interface: the interface through which the IP packet should be forwarded.

Cost: the cost for the router to reach the destination, an integer in the range 0 to 16.

Timer: the duration from the last time the routing entry was modified until now. The timer is reset to 0 whenever the routing entry is modified.

Route tag: distinguishes whether the route was generated by an interior routing protocol or by an exterior routing protocol.

The whole process of RIP startup and running can be described as follows:

1) When RIP is enabled on a router for the first time, the router broadcasts or multicasts a request packet to the adjacent routers. Upon receiving the request packet, the adjacent routers (on which RIP must already be enabled) respond by returning response packets containing the information in their local routing tables.

2) After receiving the response packets, the router that sent the request modifies its own routing table.

3) At the same time, RIP broadcasts its routing table to the adjacent routers every 30 seconds. The adjacent routers maintain their own routing tables after receiving the packets, select an optimal route, and then advertise the modification to their respective adjacent networks so that the updated route becomes known globally. Furthermore, RIP uses a timeout mechanism to handle timed-out routes so as to ensure that routes are timely and valid. With these mechanisms, RIP, an interior routing protocol, enables the router to learn the routing information of the whole network.

RIP has become one of the de facto standards for transmitting router and host routes. It can be used in most campus networks and in regional networks that are simple yet extensive. For larger and more complex networks, RIP is not recommended.

3.2 RIP Configuration

In the configuration tasks, the other functional features can only be configured after RIP is enabled. The configuration of the interface-related features, however, is not restricted by whether RIP has been enabled. Note that after RIP is disabled, the interface-related features also become invalid.

The RIP configuration includes:

Enable RIP and Enter RIP view

Enable RIP Interface

Configure Unicast of the Message

Specify RIP Version of the Interface

Configure zero field check of the interface packet

Specify the operating state of the interface

Disable host route

Route Aggregation Function

Set RIP Packet Authentication

Configure Split Horizon

Configure RIP to Import Routes of Other Protocols

Configure Default Cost for the Imported Route

Set the RIP Preference

Set Additional Routing Cost

Configure Route Filtering


3.2.1 Enable RIP and Enter RIP view

Perform the following configurations in system view.

Table 3-1 Enable RIP and Enter RIP View

Operation: Command

Enable RIP and enter the RIP view: rip

Disable RIP: undo rip

By default, RIP is not enabled.

3.2.2 Enable RIP Interface

To control RIP operation flexibly, you can specify the interface and configure the network where it is located as a RIP network, so that these interfaces can send and receive RIP packets.

Perform the following configurations in RIP view.

Table 3-2 Enable RIP Interface

Operation: Command

Enable RIP on the specified network interface: network network-address

Disable RIP on the specified network interface: undo network network-address

Note that after the RIP task is enabled, you must also specify the network segment it operates on, because RIP only operates on interfaces on the specified networks. On an interface that is not on a specified network, RIP neither receives nor sends routes, nor does it advertise the interface's own route, as if the interface did not exist at all. network-address is the address of the network to be enabled or disabled; it can also be given as the IP network address of the respective interfaces.

When the network command is used with an address, the effect is to enable the interface on the network with that address. For example, for network 129.102.1.1, you will see network 129.102.0.0 in the output of either display current-configuration or display rip.

By default, RIP is disabled on all the interfaces after it is started up.

3.2.3 Configure Unicast of the Message

RIP is a broadcast protocol. To exchange routing information with non-broadcast networks, it uses unicast mode.


Please perform the following configuration in the RIP view.

Table 3-3 Configure unicast of the message

Operation: Command

Configure unicast of the message: peer ip-address

Cancel unicast of the message: undo peer ip-address

By default, RIP does not send any message to any unicast address.

Usually, this command is not recommended, because the peer does not need to receive the same message twice. Note that peer is also restricted by rip work, rip output, rip input and network.

3.2.4 Specify RIP Version of the Interface

RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packet processed by the interface.

RIP-1 broadcasts its packets. RIP-2 can transmit packets by either broadcast or multicast; by default, multicast is used. In RIP-2, the multicast address is 224.0.0.9. The advantage of transmitting packets in multicast mode is that hosts on the same network that are not running RIP do not receive RIP broadcast packets. In addition, this mode prevents hosts running RIP-1 from incorrectly receiving and processing the RIP-2 routes that carry subnet masks. When an interface runs RIP-2 in broadcast mode, RIP-1 packets can also be received.

Perform the following configuration in VLAN interface view:

Table 3-4 Specify RIP Version of the Interface

Operation: Command

Specify the interface version as RIP-1: rip version 1

Specify the interface version as RIP-2: rip version 2 [ broadcast | multicast ]

Restore the default RIP version running on the interface: undo rip version

By default, the interface receives and sends the RIP-1 packets. It will transmit packets in multicast mode by default when the interface RIP version is set to RIP-2.

3.2.5 Configure RIP-1 zero field check of the interface packet

According to RFC 1058, some fields in a RIP-1 packet must be 0; they are called zero fields. Therefore, when the interface version is set to RIP-1, the zero field check should be performed on the packet: if the value in a zero field is not zero, the packet is refused. As there are no zero fields in RIP-2 packets, this configuration has no effect on RIP-2.

Perform the following configurations in RIP view.

Table 3-5 Configure zero field check of the interface packet

Operation: Command

Configure zero field check on RIP-1 packets: checkzero

Disable zero field check on RIP-1 packets: undo checkzero

By default, RIP-1 performs zero field check on the packet.
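What the zero field check refuses can be seen by parsing a RIP-1 packet as laid out in RFC 1058: a 4-byte header (command, version, 2-byte zero field) followed by 20-byte entries, each carrying the address family, a 2-byte zero field, the IP address, two 4-byte zero fields and the metric. The Python parser below is an added example and not the switch's implementation; the sample packet is constructed inline, and the checkzero parameter mirrors the checkzero / undo checkzero commands of Table 3-5.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_INET = 2
INFINITY = 16
HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
ENTRY = struct.Struct("!HH4sIII")    # AFI, must-be-zero, IP address, zero, zero, metric


class RipFormatError(ValueError):
    """Raised when the packet is refused."""


def build_rip1_response(routes: List[Tuple[str, int]]) -> bytes:
    """Constructed RIP-1 response for the example; every must-be-zero field is 0."""
    body = b"".join(ENTRY.pack(AF_INET, 0, IPv4Address(a).packed, 0, 0, m) for a, m in routes)
    return HEADER.pack(RIP_RESPONSE, 1, 0) + body


def parse_rip1(packet: bytes, checkzero: bool = True) -> Tuple[int, List[Tuple[IPv4Address, int]]]:
    """Parse a RIP-1 packet into (command, [(network, metric), ...]).

    With checkzero on (the switch default) a non-zero value in any must-be-zero
    field refuses the whole packet rather than being silently ignored; with it
    off, the fields are skipped as RIP-2 would (they hold route tag, mask, next hop).
    """
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise RipFormatError(f"bad length {len(packet)}")
    command, version, zero = HEADER.unpack_from(packet)
    if version != 1:
        raise RipFormatError(f"version {version} is not RIP-1")
    if command not in (RIP_REQUEST, RIP_RESPONSE):
        raise RipFormatError(f"unknown command {command}")
    if checkzero and zero:
        raise RipFormatError("non-zero value in the header zero field")
    routes = []
    for off in range(HEADER.size, len(packet), ENTRY.size):
        afi, z1, addr, z2, z3, metric = ENTRY.unpack_from(packet, off)
        if checkzero and (z1 or z2 or z3):
            raise RipFormatError(f"non-zero value in a zero field of the entry at offset {off}")
        if afi != AF_INET:
            continue                      # RFC 1058: entries of an unknown family are ignored
        if not 1 <= metric <= INFINITY:
            raise RipFormatError(f"metric {metric} outside 1..16")
        routes.append((IPv4Address(addr), metric))
    return command, routes


if __name__ == "__main__":
    pkt = build_rip1_response([("10.0.0.0", 1), ("13.0.0.0", 2)])
    print(parse_rip1(pkt))
    damaged = bytearray(pkt)
    damaged[7] = 1                        # set the first entry's 2-byte zero field
    try:
        parse_rip1(bytes(damaged))
    except RipFormatError as e:
        print("refused:", e)
    print("without checkzero:", parse_rip1(bytes(damaged), checkzero=False))
```

The same byte that the check refuses is accepted when checkzero is off, which is exactly the behaviour difference between the two commands in Table 3-5.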

3.2.6 Specify the operating state of the interface

In VLAN interface view, you can specify the operating state of RIP on the interface: whether RIP operates on the interface at all, that is, whether RIP update packets are sent and received on it. In addition, whether an interface sends or receives RIP update packets can be specified separately.

Perform the following configuration in VLAN interface view:

Table 3-6 Specify the operating state of the interface

Operation: Command

Enable the interface to run RIP: rip work

Disable the interface from running RIP: undo rip work

Enable the interface to receive RIP update packets: rip input

Disable the interface from receiving RIP update packets: undo rip input

Enable the interface to send RIP update packets: rip output

Disable the interface from sending RIP update packets: undo rip output

The undo rip work and undo network commands have similar but not identical functions. Neither configures the interface to receive or send RIP routes. But in the undo rip work state, other interfaces still advertise the route of the interface on which the command was applied, whereas in the undo network state, other interfaces no longer advertise the route of that interface, as if the interface had been removed.

In addition, rip work is functionally equivalent to both rip input and rip output commands.

By default, all interfaces except loopback interfaces both receive and transmit RIP update packets.


3.2.7 Disable host route

In some special cases, a router may receive a lot of host routes from the same segment. These routes are of little help in route addressing but consume a lot of network resources. The router can be configured to reject host routes with the undo host-route command.

Perform the following configurations in RIP view.

Table 3-7 Disable host route

Operation: Command

Enable receiving host routes: host-route

Disable receiving host routes: undo host-route

By default, the router receives the host route.

3.2.8 RIP-2 Route Aggregation Function

Route aggregation means that different subnet routes in the same natural (classful) network are aggregated into one route with the natural mask when they are sent to the outside (i.e. to other networks). Route aggregation reduces the routing traffic on the network as well as the size of the routing table.

RIP-1 only sends routes with the natural mask, that is, it always sends routes in aggregated form. RIP-2 supports subnet masks and classless interdomain routing. To advertise all the subnet routes, the route aggregation function of RIP-2 can be disabled.

Perform the following configurations in RIP view.

Table 3-8 Route Aggregation Function

Operation: Command

Activate the automatic aggregation function of RIP-2: summary

Disable the automatic aggregation function of RIP-2: undo summary

By default, RIP-2 automatic route summarization is enabled.

3.2.9 Set RIP-2 Packet Authentication

RIP-1 does not support packet authentication. But when the interface operates RIP-2, the packet authentication can be configured.

RIP-2 supports two authentication modes: simple authentication and MD5 authentication. MD5 authentication uses two packet formats: one follows RFC1723 (RIP Version 2 Carrying Additional Information) and the other follows RFC2082 (RIP-2 MD5 Authentication).

Simple authentication does not ensure security. The authentication key is sent unencrypted together with the packet, so simple authentication cannot be applied to cases with high security requirements.

Perform the following configuration in VLAN interface view:

Table 3-9 Set RIP-2 Packet Authentication

Operation                                                 Command
Configure RIP-2 simple authentication key                 rip authentication-mode simple password-string
Configure RIP-2 MD5 authentication key                    rip authentication-mode md5 key-string password-string
Configure RIP-2 MD5 authentication identifier             rip authentication-mode md5 key-id key-id
Set the packet format type of RIP-2 MD5 authentication    rip authentication-mode md5 type { nonstandard | usual }
Cancel authentication of RIP-2 packet                     undo rip authentication-mode

MD5 authentication is used by default. If the MD5 authentication packet format type is not set, the nonstandard packet format type following RFC2082 is used.
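To make the difference between the two modes concrete, here is an added example (not part of the manual and not the switch's own code) that builds RIP-2 packets carrying a simple-authentication entry and an RFC 2082 keyed-MD5 entry plus trailer, and verifies the MD5 form. Packet layouts follow RFC 2453 and RFC 2082; the routes, keys and sequence numbers are constructed sample values.

```python
"""RIP-2 authentication entries (manual section 3.2.9): simple vs RFC 2082 keyed MD5.

Constructed example: packet layouts follow RFC 2453 (RIP-2) and RFC 2082; the
route data, keys and sequence numbers are made-up sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_HDR = struct.Struct("!BBH")          # command, version, must-be-zero
RTE = struct.Struct("!HH4s4s4sI")        # AFI, route tag, address, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HHHBBI8s")  # 0xFFFF, type 3, packet length, key id, auth len, seq, pad
TRAILER_HDR = struct.Struct("!HH")       # 0xFFFF, type 1, followed by the 16-byte digest
AUTH_AFI, AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 0xFFFF, 2, 3, 1
RESPONSE = 2


def _rtes(routes):
    """Encode (prefix, metric) pairs as RIP-2 route entries."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += RTE.pack(2, 0, net.network_address.packed, net.netmask.packed, b"\0" * 4, metric)
    return out


def _key16(key):
    return key.encode()[:16].ljust(16, b"\0")   # keys are padded/truncated to 16 bytes


def build_simple(routes, password):
    """RIP-2 response with simple authentication: the password is sent as-is."""
    entry = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, _key16(password))
    return RIP_HDR.pack(RESPONSE, 2, 0) + entry + _rtes(routes)


def simple_password(pkt):
    """Read the cleartext password back out of a simple-auth packet. This is why the
    manual says the mode does not ensure security: anyone seeing the packet can do this."""
    afi, atype, pw = struct.unpack_from("!HH16s", pkt, RIP_HDR.size)
    if afi != AUTH_AFI or atype != AUTH_SIMPLE:
        return None
    return pw.rstrip(b"\0").decode()


def build_md5(routes, key, key_id, seq):
    """RIP-2 response with RFC 2082 keyed-MD5 authentication."""
    rtes = _rtes(routes)
    pkt_len = RIP_HDR.size + AUTH_ENTRY.size + len(rtes)   # everything before the trailer
    entry = AUTH_ENTRY.pack(AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    body = RIP_HDR.pack(RESPONSE, 2, 0) + entry + rtes + TRAILER_HDR.pack(AUTH_AFI, AUTH_TRAILER)
    # The digest covers the packet with the padded key standing in for the auth data.
    return body + hashlib.md5(body + _key16(key)).digest()


def verify_md5(pkt, keys, last_seq=None):
    """Validate an MD5-authenticated packet. keys maps key id -> key string.
    Returns (accepted, reason, seq); last_seq is the receiver's replay state."""
    if len(pkt) < RIP_HDR.size + AUTH_ENTRY.size + TRAILER_HDR.size + 16:
        return False, "truncated", None
    _cmd, version, _ = RIP_HDR.unpack_from(pkt)
    if version != 2:
        return False, "not RIP-2", None
    afi, atype, pkt_len, key_id, auth_len, seq, _pad = AUTH_ENTRY.unpack_from(pkt, RIP_HDR.size)
    if afi != AUTH_AFI or atype != AUTH_MD5:
        return False, "no md5 auth entry", None
    if auth_len != 16 or pkt_len + TRAILER_HDR.size + 16 != len(pkt):
        return False, "bad length", seq
    if TRAILER_HDR.unpack_from(pkt, pkt_len) != (AUTH_AFI, AUTH_TRAILER):
        return False, "bad trailer", seq
    if key_id not in keys:
        return False, "unknown key id", seq
    expected = hashlib.md5(pkt[:pkt_len + TRAILER_HDR.size] + _key16(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + TRAILER_HDR.size:]):
        return False, "digest mismatch", seq
    if last_seq is not None and seq <= last_seq:
        return False, "replayed or stale sequence number", seq   # simple replay check
    return True, "ok", seq


if __name__ == "__main__":
    routes = [("155.10.1.0/24", 1), ("196.38.165.0/24", 2)]   # networks from section 3.4
    print("simple auth exposes:", simple_password(build_simple(routes, "s3cret")))
    pkt = build_md5(routes, "k3y-for-vlan1", key_id=1, seq=41)
    print(verify_md5(pkt, {1: "k3y-for-vlan1"}))
```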

3.2.10 Configure Split Horizon

Split horizon means that a route received via an interface will not be sent out via this interface again. Split horizon is necessary for reducing routing loops. But in some special cases, split horizon must be disabled so as to get correct advertising at the cost of efficiency. Disabling split horizon has no effect on p2p connected links but is applicable on Ethernet.

Perform the following configuration in VLAN interface view:

Table 3-10 Configure Split Horizon

Operation               Command
Enable split horizon    rip split-horizon
Disable split horizon   undo rip split-horizon

By default, split horizon of the interface is enabled.

3.2.11 Configure RIP to Import Routes of Other Protocols

RIP allows users to import the route information of other protocols into the routing table.

RIP can import the routes of Direct, Static, OSPF and BGP, etc.

Perform the following configurations in RIP view.


Table 3-11 Configure RIP to import Routes of Other Protocols

Operation                                                   Command
Configure RIP to import routes of other protocols           import-route protocol [ cost value | route-policy route-policy-name ]*
Cancel the imported routing information of other protocols  undo import-route protocol

By default, RIP does not import the route information of other protocols.

3.2.12 Configure Default Cost for the Imported Route

When using the import-route command to import the routes of other protocols, you can specify the cost of them. If you do not specify the cost of the imported route, RIP will set it to the default cost, specified by the default cost parameter.

Perform the following configurations in RIP view.

Table 3-12 Configure default cost for the imported route

Operation                                        Command
Configure default cost for the imported route    default cost value
Restore the default cost of the imported route   undo default cost

By default, the cost value for the RIP imported route is 1.

3.2.13 Set the RIP Preference

Each kind of routing protocol has its own preference, by which the routing policy will select the optimal one from the routes of different protocols. The greater the preference value is, the lower the preference becomes. The preference of RIP can be set manually.

Perform the following configurations in RIP view.

Table 3-13 Set the RIP Preference

Operation                                      Command
Set the RIP preference                         preference value
Restore the default value of RIP preference    undo preference

By default, the preference of RIP is 100.


3.2.14 Set Additional Routing Metric

Additional routing metric is the input or output routing metric added to an RIP route. It does not change the metric value of the route in the routing table, but adds a specified metric value when the interface receives or sends a route.

Perform the following configuration in VLAN interface view:

Table 3-14 Set additional routing metric

Operation                                                                                     Command
Set the additional routing metric of the route when the interface receives an RIP packet      rip metricin value
Disable the additional routing metric of the route when the interface receives an RIP packet  undo rip metricin
Set the additional routing metric of the route when the interface sends an RIP packet         rip metricout value
Disable the additional routing metric of the route when the interface sends an RIP packet     undo rip metricout

By default, the additional routing metric added to the route when RIP sends the packet is 1. The additional routing metric when RIP receives the packet is 0 by default.
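The sections above (3.2.7 host routes, 3.2.8 RIP-2 aggregation, 3.2.10 split horizon and 3.2.14 additional metrics) describe what happens to each route on its way out of, and into, an interface. The added example below (not the manual's own code and not the switch's implementation) models those steps together: routes, interface names and addresses are constructed sample values, and the aggregation rule assumed is the classful one the text describes, collapsing subnets only when they leave their natural network.

```python
"""Sender- and receiver-side RIP update handling as the manual describes it in
sections 3.2.7 (host routes), 3.2.8 (RIP-2 route aggregation), 3.2.10 (split
horizon) and 3.2.14 (additional metrics). Constructed example; the routes,
interface names and addresses are made up."""
import ipaddress
from dataclasses import dataclass

INFINITY = 16   # RIP metric meaning "unreachable"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    metric: int
    learned_from: str   # interface the route was received on, or "" for connected/static


def natural_network(addr):
    """Classful network containing addr: /8 (class A), /16 (class B), /24 (class C)."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def build_update(routes, out_if, out_if_addr, *, summary=True, split_horizon=True, metricout=1):
    """Entries sent out of interface out_if, as [(network, metric)], after applying
    split horizon ("rip split-horizon"), automatic summarization ("summary") and
    the outgoing additional metric ("rip metricout")."""
    out_natural = natural_network(ipaddress.ip_address(out_if_addr))
    advertised = {}
    for r in routes:
        if split_horizon and r.learned_from == out_if:
            continue                          # do not send a route back where it came from
        net = r.network
        natural = natural_network(net.network_address)
        # Subnets collapse to the natural mask only when leaving their natural network.
        if summary and net.prefixlen > natural.prefixlen and natural != out_natural:
            net = natural
        metric = min(r.metric + metricout, INFINITY)
        if net not in advertised or metric < advertised[net]:
            advertised[net] = metric          # keep the best metric among aggregated subnets
    return sorted(advertised.items(), key=lambda kv: (int(kv[0].network_address), kv[0].prefixlen))


def accept_update(entries, in_if, *, host_route=True, metricin=0):
    """Receiver side: apply "rip metricin" and the "host-route" setting to entries
    [(network, metric)] received on in_if, returning the Route objects to install."""
    accepted = []
    for net, metric in entries:
        if not host_route and net.prefixlen == 32:
            continue                          # "undo host-route": reject /32 routes
        metric = min(metric + metricin, INFINITY)
        if metric >= INFINITY:
            continue                          # unreachable, nothing to install
        accepted.append(Route(net, metric, in_if))
    return accepted


def parse_entries(pairs):
    """Turn ("prefix/len", metric) pairs into (IPv4Network, metric) entries."""
    return [(ipaddress.ip_network(p), m) for p, m in pairs]


def as_strings(entries):
    return [(str(net), metric) for net, metric in entries]


SAMPLE_ROUTES = [   # constructed routing table of a switch with three VLAN interfaces
    Route(ipaddress.ip_network("10.1.0.0/16"), 1, "Vlan-interface10"),
    Route(ipaddress.ip_network("10.2.0.0/16"), 3, "Vlan-interface10"),
    Route(ipaddress.ip_network("172.16.9.0/24"), 1, "Vlan-interface30"),
    Route(ipaddress.ip_network("192.168.5.0/24"), 2, "Vlan-interface20"),
]

if __name__ == "__main__":
    # Sending into 172.16.0.0/16: the 10.x subnets summarize, 172.16.9.0/24 does not.
    print(as_strings(build_update(SAMPLE_ROUTES, "Vlan-interface20", "172.16.1.1")))
```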

3.2.15 Configure Route Filtering

The router provides a route filtering function. You can configure the filter policy rules by specifying an ACL and an ip-prefix list for route redistribution and distribution. Besides, to import routes, the RIP packets of a specific router can also be accepted by designating it as a neighbor router.

Perform the following configurations in RIP view.

I. Configure filtering the route received by RIP

Table 3-15 Configure RIP to filter the received routes

Operation                                                                                   Command
Configure filtering the received routing information distributed by the specified address   filter-policy gateway ip-prefix-name import
Cancel filtering the received routing information distributed by the specified address      undo filter-policy gateway ip-prefix-name import
Configure filtering the received global routing information                                 filter-policy { acl-number | ip-prefix ip-prefix-name } import
Cancel filtering the received global routing information                                    undo filter-policy { acl-number | ip-prefix ip-prefix-name } import


II. Configure filtering the route distributed by RIP

Table 3-16 Configure RIP to filter the distributed routes

Operation                                                  Command
Configure RIP to filter the distributed routing information   filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
Cancel the RIP filtering of the routing information           undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

By default, RIP will not filter the received and distributed routing information.

3.3 Display and Debug RIP

After the above configuration, execute the display command in any view to display the running status of the RIP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug the RIP module. Execute the reset command in RIP view to reset the system configuration parameters of RIP.

Table 3-17 Display and debug RIP

Operation                                                            Command
Display the current RIP running state and configuration information  display rip
Enable the RIP debugging information                                 debugging rip packet
Disable the RIP debugging information                                undo debugging rip packet
Enable the debugging of RIP receiving packets                        debugging rip receive
Disable the debugging of RIP receiving packets                       undo debugging rip receive
Enable the debugging of RIP sending packets                          debugging rip send
Disable the debugging of RIP sending packets                         undo debugging rip send
Restore the default setting of RIP                                   reset

3.4 Typical RIP Configuration Example

3.4.1 Networking requirements

As shown in the following figure, the S3500 Ethernet Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ethernet ports of S3500 Ethernet Switch A and Switch B are respectively connected to the network 155.10.1.0 and 196.38.165.0. Switch C, Switch A and Switch B are connected via Ethernet 110.11.2.0. Correctly configure RIP to ensure that Switch C, Switch A and Switch B can interconnect.


3.4.2 Networking diagram

[Figure 3-1 RIP configuration networking: Switch A, Switch B and Switch C are connected by Ethernet 110.11.2.0/24 (labels in the figure: interface address 110.11.2.1/24, network address 110.11.2.2/24). Switch A: interface address 155.10.1.1/24 on network 155.10.1.0/24. Switch B: interface address 196.38.165.1/24 on network 196.38.165.0/24. Switch C: interface address 117.102.0.1/16 on network 117.102.0.0/16.]

Figure 3-1 RIP configuration networking

3.4.3 Configuration procedure

Note:

The following configuration only shows the operations related to RIP. Before performing the following configuration, please make sure the Ethernet link layer can work normally.

1) Configure Switch A:

# Configure RIP
[Switch A] rip
[Switch A-rip] network 110.11.2.0
[Switch A-rip] network 155.10.1.0

2) Configure Switch B:

# Configure RIP
[Switch B] rip
[Switch B-rip] network 196.38.165.0
[Switch B-rip] network 110.11.2.0

3) Configure Switch C:

# Configure RIP
[Switch C] rip
[Switch C-rip] network 117.102.0.0
[Switch C-rip] network 110.11.2.0

3.5 RIP Fault Diagnosis and Troubleshooting

Fault: The S3500 Ethernet Switch cannot receive the update packets when the physical connection to the peer routing device is normal.

Troubleshooting: RIP does not operate on the corresponding interface (for example, the undo rip work command is executed) or this interface is not enabled through the network command. The peer routing device is configured to be in the multicast mode (for example, the rip version 2 multicast command is executed) but the multicast mode has not been configured on the corresponding interface of the local Ethernet Switch.


Chapter 4 OSPF Configuration

4.1 OSPF Overview

4.1.1 Introduction to OSPF

Open Shortest Path First (OSPF) is an Interior Gateway Protocol based on link state, developed by the IETF. At present, OSPF version 2 (RFC2328) is used, which has the following features:

Applicable scope: It supports networks of various sizes, up to several hundred routers.

Fast convergence: It transmits update packets instantly after the network topology changes so that the change is synchronized in the AS.

Loop-free: Since OSPF calculates routes with the shortest path tree algorithm according to the collected link states, the algorithm itself guarantees that no routing loops are generated.

Area partition: It allows the network of an AS to be divided into different areas for convenience of management; the routing information transmitted between areas is abstracted further, which reduces network bandwidth consumption.

Equal-cost multi-route: It supports multiple equal-cost routes to a destination.

Routing hierarchy: OSPF has a four-level routing hierarchy. It prioritizes routes as intra-area, inter-area, external type-1 and external type-2 routes.

Authentication: It supports interface-based packet authentication so as to guarantee the security of route calculation.

Multicast transmission: It uses multicast addresses to receive and send packets.

4.1.2 Process of OSPF Route Calculation

The routing calculation process of the OSPF protocol is as follows:

Each OSPF-capable router maintains a Link State Database (LSDB), which describes the topology of the whole AS. According to the network topology around itself, each router generates a Link State Advertisement (LSA). The routers on the network distribute the LSAs among themselves by sending protocol packets to each other. Thus, each router receives the LSAs of the other routers, and all these LSAs compose its LSDB.

An LSA describes the network topology around a router, so the LSDB describes the network topology of the whole network. Routers can easily transform the LSDB into a weighted directed graph, which actually reflects the topology of the whole network. Obviously, all the routers get exactly the same graph.

A router uses the SPF algorithm to calculate the shortest path tree with itself as the root, which gives the routes to the nodes in the autonomous system. External routing information appears as leaf nodes. A router that advertises such routes also tags them and records additional information about the autonomous system. Obviously, the routing tables obtained by different routers are different.

Furthermore, suppose that the routers are directly connected in a broadcast network without other routing devices between them. To enable the individual routers to broadcast their local status information to the whole AS, any two routers in the environment would have to establish an adjacency. In this case, however, any change on any router results in multiple transmissions, which are not only unnecessary but also waste precious bandwidth. To solve this problem, the "Designated Router" (DR) is defined in OSPF: all the routers only send information to the DR, which broadcasts the network link states in the network. Thereby, the number of router adjacencies on a multi-access network is reduced.

OSPF supports interface-based packet authentication to guarantee the security of route calculation. Also, it transmits and receives packets by IP multicast.

4.1.3 OSPF Packets

OSPF uses five types of packets:

Hello Packet:

It is the commonest packet, which is periodically sent by a router to its neighbor. It contains the values of some timers, DR, BDR and the known neighbor.

Database Description (DD) Packet:

When two routers synchronize their databases, they use DD packets to describe their own LSDBs, including the digest of each LSA. The digest is the header of an LSA, which uniquely identifies the LSA. This reduces the traffic transmitted between the routers, since the header of an LSA occupies only a small portion of the overall LSA. With the header, the peer router can judge whether it already has the LSA.

Link State Request (LSR) Packet:

After exchanging DD packets, the two routers know which of the peer's LSAs are missing from the local LSDB. In this case, they send LSR packets requesting the needed LSAs from the peer. The packets contain the digests of the needed LSAs.

Link State Update (LSU) Packet:

The packet is used to transmit the needed LSAs to the peer router. It contains a collection of multiple LSAs (complete contents).


Link State Acknowledgment (LSAck) Packet

The packet is used for acknowledging received LSU packets. It contains the header(s) of the LSA(s) being acknowledged.

4.1.4 Basic Concepts Related to OSPF

I. Router ID

To run OSPF, a router must have a router ID. If no ID is configured, the system will automatically select an IP address from the IP addresses of the current interface as the Router ID.

II. DR and BDR

Designated Router (DR)

Suppose there is a broadcast network environment in which the routers are directly connected without other routing devices between them. To enable the individual routers to broadcast their local status information to the whole AS, all routers in the environment would have to establish adjacencies. In this case, however, any change on any router results in multiple transmissions, which are not only unnecessary but also waste precious bandwidth. In order to solve the problem, OSPF defines the "Designated Router" (DR). All the routers only need to transmit information to the DR, which broadcasts the network link states.

Which router can be the DR in its segment is not manually specified. Instead, DR is elected by all the routers in the segment.

Backup Designated Router (BDR)

If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process takes a relatively long time, during which the route calculation is incorrect. To shorten the process, the BDR is introduced in OSPF. In fact, the BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is also exchanged between them. After the existing DR fails, the BDR becomes the DR immediately.

III. Area

Networks grow ever larger. If all the routers on a huge network run OSPF, the large number of routers results in an enormous LSDB, which consumes a great deal of storage space, complicates the SPF algorithm and adds CPU load. Furthermore, as a network grows larger, the topology becomes more likely to change. Hence, the network will always be in "turbulence", and a great many OSPF packets will be generated and transmitted in the network. This lowers the network bandwidth utilization. In addition, each change causes all the routers on the network to recompute their routes.

OSPF solves the above problem by partitioning an AS into different areas. Areas logically group the routers. The borders of areas are formed by routers, so some routers may belong to different areas. A router that connects the backbone area and a non-backbone area is called an Area Border Router (ABR). An ABR can connect to the backbone area physically or logically.

IV. Backbone area and virtual link

Backbone Area

After the area division of OSPF, not all the areas are equal. One area is different from all the others: its area-id is 0 and it is usually called the backbone area.

Virtual link

Since all the areas should be connected logically, virtual link is adopted so that the physically separated areas can still maintain the logic connectivity.

V. Route summary

AS is divided into different areas that are interconnected via OSPF ABRs. The routing information between areas can be reduced through route summary. Thus, the size of routing table can be reduced and the calculation speed of the router can be improved. After finding an intra-area route of an area, the ABR will look up the routing table and encapsulate each OSPF route into an LSA and send it outside the area.

4.2 OSPF Configuration

In various configurations, you must first enable OSPF, specify the interface and area ID before configuring other functions. But the configuration of the functions related to the interface is not restricted by whether the OSPF is enabled or not. It should be noted that after OSPF is disabled, the OSPF-related interface parameters also become invalid.

OSPF configuration includes:

Enable OSPF and Enter the OSPF View
Enter OSPF Area View
Specify Interface
Configure Router ID
Configure the Network Type on an OSPF Interface
Configure the Cost for Sending Packets on an Interface
Set the Interface Priority for DR Election
Set the peer
Set the Interval of Hello Packet Transmission
Set a dead timer for the neighboring routers
Configure an Interval required for sending LSU packets
Set an Interval for LSA Retransmission between Neighboring Routers
Set a Shortest Path First (SPF) Calculation Interval for OSPF
Configure STUB Area of OSPF
Configure NSSA of OSPF
Configure the Route Summarization of OSPF Area
Configure OSPF Area Route Summary
Configure OSPF Virtual Link
Configure Summarization of Imported Routes by OSPF
Configure the OSPF Area to Support Packet Authentication
Configure OSPF Packet Authentication
Configure OSPF to import Routes of Other Protocols
Configure Parameters for OSPF to Import External Routes
Configure OSPF to Import the Default Route
Set OSPF Route Preference
Configure OSPF Route Filtering
Configure to Fill the MTU Field When an Interface Transmits DD Packets
Disable the Interface to Send OSPF Packets
Reset the OSPF Process

4.2.1 Enable OSPF and Enter OSPF View

Perform the following configurations in system view.

Table 4-1 Enable OSPF process

Operation                  Command
Enable OSPF process        ospf
Disable the OSPF process   undo ospf

By default, OSPF is not enabled.

4.2.2 Enter OSPF Area view

Perform the following configurations in OSPF view.

Table 4-2 Enter OSPF Area view

Operation                        Command
Enter OSPF Area view             area area-id
Delete a designated OSPF area    undo area area-id

area-id: ID of the OSPF area, which can be a decimal integer or in IP address format.


4.2.3 Specify interface

OSPF further divides the AS into different areas. An area logically groups the routers. Some routers belong to different areas (such routers are called ABRs), but one segment can only belong to an area. In other words, you must specify each OSPF interface to belong to a particular area identified by area ID. The areas transfer routing information between them via the ABRs.

In addition, the parameters of all the routers in the same area should be identical. Therefore, when configuring the routers in the same area, note that most configurations should be based upon the area. Wrong configuration may prevent neighboring routers from exchanging information, and can even lead to congestion or self-loops of the routing information.

Perform the following configuration in OSPF Area view.

Table 4-3 Specify interface

Operation                         Command
Specify interface to run OSPF     network ip-address ip-mask
Disable OSPF on the interface     undo network ip-address ip-mask

You must specify the segment to which the OSPF will be applied after enabling the OSPF tasks.

4.2.4 Configure Router ID

Router ID is a 32-bit unsigned integer that uniquely identifies a router within an AS. Router ID can be configured manually. If Router ID is not configured, the system will select the IP address of an interface automatically. When you do that manually, you must guarantee that the IDs of any two routers in the AS are unique. A common undertaking is to set the router ID to be the IP address of an interface on the router.

Perform the following configurations in system view.

Table 4-4 Configure router ID

Operation              Command
Configure Router ID    router id router-id
Remove the router ID   undo router id

To ensure stability of OSPF, the user should determine the division of router IDs and manually configure them when implementing network planning.


4.2.5 Configure the Network Type on the OSPF Interface

The route calculation of OSPF is based upon the topology of the adjacent network of the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers.

OSPF divides networks into four types by link layer protocol:

Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast.

Non-Broadcast Multi-access (nbma): If Frame Relay, ATM, HDLC or X.25 is adopted, OSPF defaults the network type to NBMA.

Point-to-Multipoint (p2mp): OSPF will not default the network type of any link layer protocol to p2mp. The general undertaking is to change a partially connected NBMA network to p2mp network if the NBMA network is not fully connected.

Point-to-point (p2p): If PPP, LAPB or POS is adopted, OSPF defaults the network type to p2p.

NBMA means that a network is non-broadcast and multi-accessible. ATM is a typical example for it. The user can configure the polling interval to specify the interval of sending polling hello packets before the adjacency of the neighboring routers is formed.

Configure the interface type to nonbroadcast on a broadcast network without multi-access capability.

Configure the interface type to p2mp if not all the routers are directly accessible on an NBMA network.

Change the interface type to p2p if the router has only one peer on the NBMA network.

The differences between NBMA and p2mp are listed below:

In OSPF, NBMA refers to networks that are fully connected, non-broadcast and multi-accessible. A p2mp network is not required to be fully connected.

DR and BDR are required on an NBMA network but not on a p2mp network.

NBMA is the default network type. For example, if ATM is adopted as the link layer protocol, OSPF defaults the network type on the interface to NBMA, regardless of whether the network is fully connected. P2mp is not the default network type. No link layer protocol is regarded as p2mp. You must change the network type to p2mp explicitly. The commonest undertaking is to change a partially connected NBMA network to a p2mp network.

NBMA forwards packets by unicast and requires neighbors to be configured manually. P2mp forwards packets by multicast.

Perform the following configuration in VLAN interface view:


Table 4-5 Configure a Network Type on the Interface That Starts OSPF Protocol

Operation                                  Command
Configure network type on the interface    ospf network-type { broadcast | nbma | p2mp | p2p }

After the interface has been configured with a new network type, the original network type of the interface is removed automatically.

4.2.6 Configure the Cost for Sending Packets on an Interface

The user can control the network traffic by configuring different message sending costs for different interfaces. Otherwise, OSPF will automatically calculate the cost according to the baud rate on the current interface.

Perform the following configuration in VLAN interface view:

Table 4-6 Configure the cost for sending packets on Interface

Operation                                                          Command
Configure the cost for sending packets on the interface            ospf cost value
Restore the default cost for packet transmission on the interface  undo ospf cost

4.2.7 Set the Interface Priority for DR Election

The priority of the router interface determines the qualification of the interface in DR election, and the router of higher priority will be considered first if there is a collision in the election.

DR is not designated manually; instead, it is elected by all the routers on the segment. Routers with the priorities > 0 in the network are eligible “candidates”. Among all the routers self-declared to be the DR, the one with the highest priority will be elected. If two routers have the same priority, the one with the highest router ID will be elected as the DR. Votes are the hello packets. Each router writes the expected DR in the packet and sends it to all the other routers on the segment. If two routers attached to the same segment concurrently declare themselves to be the DR, choose the one with higher priority. If the priorities are the same, choose the one with greater router ID. If the priority of a router is 0, it will not be elected as DR or BDR.

If the DR fails, the routers on the network must elect a new DR and synchronize with it. The process takes a relatively long time, during which the route calculation is incorrect. In order to speed up this process, OSPF puts forward the concept of the BDR. In fact, the BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is also exchanged between them. When the DR fails, the BDR becomes the DR instantly. Since no re-election is needed and the adjacencies have already been established, the process is very short. But in this case, a new BDR must be elected. Although this also takes quite a long time, it does not exert any influence upon the route calculation.

But please note:

The DR on the network is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second highest priority. If a new router is added after DR and BDR election, it is impossible for the router to become the DR even if it has the highest priority.

DR is based on the router interface in a certain segment. Maybe a router is a DR on one interface, but can be a BDR or DROther on the other interface.

DR election is only required for the broadcast or NBMA interfaces. For the p2p or p2mp interfaces, DR election is not required.

Perform the following configuration in VLAN interface view:

Table 4-7 Set the Interface Priority for DR Election

Operation                                                   Command
Configure the interface with a priority for DR election     ospf dr-priority priority_num
Restore the default interface priority                      undo ospf dr-priority

By default, the priority of the Interface is 1 in the DR election. The value can be taken from 0 to 255.
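The election rules stated in this section (priority 0 is ineligible, highest priority wins, ties go to the greater router ID, an elected DR/BDR is not displaced by a newcomer, and the BDR takes over when the DR fails) are easy to misjudge when planning priorities. The following added example (not from the manual and not the switch's implementation) is a simplified model of those rules over several rounds of Hello exchange; the router IDs and priorities are constructed values.

```python
"""DR/BDR election on one segment, following the rules in section 4.2.7:
priority 0 is ineligible, highest priority wins, ties go to the greater Router ID,
and an already elected DR/BDR is not displaced by a newcomer. Constructed
example; router IDs and priorities are made-up values, and this is a simplified
model of the election, not the switch's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str   # dotted-quad Router ID
    priority: int    # "ospf dr-priority", 0..255


def _rank(r):
    """Higher priority first; on a tie the numerically greater Router ID wins."""
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr_id, bdr_id) for the routers currently sending Hellos on the segment.
    current_dr/current_bdr are the IDs declared in the previous round (None on a cold start)."""
    for r in routers:
        if not 0 <= r.priority <= 255:
            raise ValueError(f"priority out of range for {r.router_id}")
    eligible = {r.router_id: r for r in routers if r.priority > 0}
    if not eligible:
        return None, None
    if current_dr in eligible:
        dr = eligible[current_dr]              # no preemption: the DR keeps its role
    elif current_bdr in eligible:
        dr = eligible[current_bdr]             # DR lost: the BDR takes over immediately
    else:
        dr = max(eligible.values(), key=_rank)
    if current_bdr in eligible and current_bdr != dr.router_id:
        bdr = eligible[current_bdr]            # the BDR also keeps its role
    else:
        others = [r for r in eligible.values() if r.router_id != dr.router_id]
        bdr = max(others, key=_rank) if others else None
    return dr.router_id, (bdr.router_id if bdr else None)


def simulate(rounds):
    """Replay a list of segment memberships round by round, carrying DR/BDR state."""
    dr = bdr = None
    history = []
    for members in rounds:
        dr, bdr = elect(members, dr, bdr)
        history.append((dr, bdr))
    return history


A = Router("1.1.1.1", 1)
B = Router("2.2.2.2", 1)
C = Router("3.3.3.3", 0)      # priority 0: never DR or BDR
D = Router("4.4.4.4", 200)    # joins later with the highest priority

if __name__ == "__main__":
    # Round 1: A and B tie on priority, B wins on Router ID. Round 2: D joins but does
    # not preempt. Round 3: B fails, A (the BDR) becomes DR and D becomes BDR.
    for number, state in enumerate(simulate([[A, B, C], [A, B, C, D], [A, C, D]]), 1):
        print(number, state)
```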

4.2.8 Set the Peer

For a NBMA network, some special configurations are required. Since an NBMA interface on the network cannot discover the adjacent router through broadcasting the Hello packets, you must manually specify an IP address for the adjacent router for the interface, and whether the adjacent router is eligible for election. This can be done by configuring the peer ip-address command. If dr-priority-number is not specified, the adjacent router will be regarded as ineligible.

Perform the following configuration in OSPF view.

Table 4-8 Configure the peer

Operation                                          Command
Configure a peer for the NBMA interface            peer ip-address [ dr-priority dr-priority-number ]
Remove the configured peer for the NBMA interface  undo peer ip-address

By default, the preference for the neighbor of NBMA interface is 1.


4.2.9 Set the Interval of Hello Packet Transmission

Hello packets are the most frequently sent packets; they are periodically sent to the adjacent router for discovering and maintaining the adjacency, and for electing the DR and BDR. The user can set the hello timer.

According to RFC2328, the consistency of hello intervals between network neighbors should be kept. The hello interval value is in inverse proportion to the route convergence rate and network load.

Perform the following configuration in VLAN interface view:

Table 4-9 Set the Interval of Hello Packet Transmission

Operation                                      Command
Set the hello interval of the interface        ospf timer hello seconds
Restore the default hello of the interface     undo ospf timer hello
Set the poll interval on the NBMA interface    ospf timer poll seconds
Restore the default poll interval              undo ospf timer poll

By default, p2p and broadcast interfaces send Hello packets every 10 seconds, and p2mp and nbma interfaces send the packets every 30 seconds.

4.2.10 Set a dead timer for the neighboring routers

The dead timer is the interval after which a router declares a neighbor down if no Hello packet has been received from it. The user can set a dead timer for the neighboring routers.

Perform the following configuration in VLAN interface view:

Table 4-10 Set a dead timer for the neighboring routers

Configure a dead timer for the neighboring routers: ospf timer dead seconds
Restore the default dead interval of the neighboring routers: undo ospf timer dead

By default, the dead interval for neighbors on p2p or broadcast interfaces is 40 seconds, and on p2mp or NBMA interfaces 120 seconds. Like the hello interval, the dead interval must match on both sides of a neighbor relationship.

Note that both the hello and the dead timer are restored to their default values when the user modifies the network type of the interface.
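To see how these timers interact with the other checks a router applies to a received Hello, the following Python model (added here as an example; it is not code from the manual or from the switch software) encodes the receive checks of RFC 2328 section 10.5 together with the per-network-type defaults and the network-type reset described above, and reports every reason a neighbor would never get past the Hello stage. The OspfInterface class, its fields and the auth tuple layout are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Default hello/dead intervals per network type, as given in the manual
# (hello 10 s / dead 40 s for p2p and broadcast, 30 s / 120 s for p2mp and nbma).
DEFAULT_TIMERS = {
    "broadcast": (10, 40),
    "p2p": (10, 40),
    "nbma": (30, 120),
    "p2mp": (30, 120),
}


@dataclass
class OspfInterface:
    """Constructed model of one OSPF interface (assumption, not the switch's structure)."""
    router_id: str
    area_id: str
    network: str                 # interface address and prefix, e.g. "196.1.1.1/24"
    network_type: str = "broadcast"
    hello: Optional[int] = None  # None = use the default for the network type
    dead: Optional[int] = None
    auth: Tuple = ("none",)      # ("none",), ("simple", pw) or ("md5", key_id, key)
    stub_area: bool = False      # mirrors the E-bit in the Hello options field

    def set_network_type(self, network_type: str) -> None:
        # The manual states that changing the network type restores the
        # hello and dead timers to their defaults; model that explicitly.
        self.network_type = network_type
        self.hello = None
        self.dead = None

    def timers(self) -> Tuple[int, int]:
        default_hello, default_dead = DEFAULT_TIMERS[self.network_type]
        return (self.hello or default_hello, self.dead or default_dead)


def hello_mismatches(local: OspfInterface, remote: OspfInterface) -> List[str]:
    """Return the reasons a Hello from `remote` would be dropped by `local`.

    Follows the receive checks of RFC 2328 section 10.5 plus the rule in the
    manual that authentication mode and key must match on a segment. An empty
    list means the Hello is accepted and the neighbor can progress towards FULL.
    """
    reasons = []
    if local.area_id != remote.area_id:
        reasons.append("area ID %s != %s" % (local.area_id, remote.area_id))
    if local.network_type in ("broadcast", "nbma"):
        # On multi-access segments the network mask carried in the Hello must match.
        if ip_network(local.network, strict=False) != ip_network(remote.network, strict=False):
            reasons.append("network mask mismatch on multi-access segment")
    l_hello, l_dead = local.timers()
    r_hello, r_dead = remote.timers()
    if l_hello != r_hello:
        reasons.append("hello interval %d != %d" % (l_hello, r_hello))
    if l_dead != r_dead:
        reasons.append("dead interval %d != %d" % (l_dead, r_dead))
    if local.stub_area != remote.stub_area:
        reasons.append("E-bit (stub area flag) mismatch")
    if local.auth != remote.auth:
        # Same mode and same key on the segment, otherwise packets are discarded.
        reasons.append("authentication mode or key mismatch")
    return reasons
```

Running hello_mismatches against the two ends of a neighbor relationship that is stuck before FULL (see the display ospf peer output) gives the list of parameters to correct; changing the network type on one side only shows up as a hello and dead mismatch, which is why the reset note above matters.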


4.2.11 Configure an Interval required for sending LSU packets

The trans-delay value is added to the age of each LSA in an LSU packet before the packet is sent, to account for the time the interface needs to transmit the packet.

The user can configure this transmission delay. It deserves more attention on low-speed links.

Perform the following configuration in VLAN interface view:

Table 4-11 Configure an Interval required for sending LSU packets

Configure the transmission delay for LSU packets: ospf trans-delay seconds
Restore the default transmission delay for LSU packets: undo ospf trans-delay

By default, the transmission delay is 1 second.

4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers

When a router transmits an LSA (link state advertisement) to a neighbor, it expects an acknowledgement from that neighbor. If no acknowledgement is received within the retransmit interval, the router retransmits the LSA. The retransmit interval is user-configurable.

Perform the following configuration in VLAN interface view:

Table 4-12 Set an Interval for LSA Retransmission between Neighboring Routers

Configure the LSA retransmission interval for the neighboring routers: ospf timer retransmit interval
Restore the default LSA retransmission interval for the neighboring routers: undo ospf timer retransmit

By default, the interval at which neighboring routers retransmit LSAs is 5 seconds.

The interval should be longer than the round-trip time of a packet between the two routers. Do not set the LSA retransmission interval too small; otherwise unnecessary retransmissions will occur.


4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF

Whenever the OSPF LSDB changes, the shortest path must be recalculated. Recalculating on every change consumes considerable resources and reduces the efficiency of the router. Adjusting the SPF calculation interval limits the resource consumption caused by frequent network changes.

Perform the following configuration in OSPF view.

Table 4-13 Set the SPF calculation interval

Set the SPF calculation interval: spf-schedule-interval seconds
Restore the default SPF calculation interval: undo spf-schedule-interval seconds

By default, the SPF recalculation interval is 5 seconds.

4.2.14 Configure STUB Area of OSPF

STUB areas are areas into which the ABRs do not propagate the AS-external routes they have learned. In these areas, the routing table sizes of the routers and the routing traffic are significantly reduced.

The STUB area is an optional configuration attribute, but not every area meets the conditions for it. Generally, STUB areas are non-backbone areas located at the boundary of the AS with only one ABR. Even if such an area has multiple ABRs, no virtual link may be established between them.

To ensure that destinations outside the AS remain reachable, the ABR of the area generates a default route (0.0.0.0) and advertises it to the non-ABR routers in the area.

Pay attention to the following when configuring a STUB area:

The backbone area cannot be configured as a STUB area, and a virtual link cannot pass through a STUB area.

If you want to configure an area as a STUB area, all routers in the area must be configured with this attribute.

No ASBR can exist in a STUB area; in other words, AS-external routes cannot be propagated in a STUB area.

Perform the following configuration in OSPF Area view.


Table 4-14 Configure STUB area of OSPF

Configure an area as a STUB area: stub [ no-summary ]
Remove the configured STUB area: undo stub
Configure the cost of the default route advertised by OSPF into the STUB area: default-cost value
Restore the default cost of the default route advertised into the STUB area: undo default-cost

By default, no STUB area is configured, and the cost of the default route advertised into a STUB area is 1.

4.2.15 Configure NSSA of OSPF

An NSSA (not-so-stubby area) can import external routes itself and advertise them into the autonomous system, but does not accept external routes generated in other areas of the AS. An NSSA is a variant of the STUB area that can conditionally import AS-external routes. RFC 1587 (the OSPF NSSA option) introduces the NSSA area type and a new LSA type, the NSSA LSA (Type-7 LSA).

NSSAs and STUB areas are similar in many ways. Neither generates or imports AS-external LSAs (Type-5 LSAs); unlike a STUB area, however, an NSSA can generate and import Type-7 LSAs. Type-7 LSAs are generated by the ASBR of the NSSA and are flooded only within the NSSA. When a Type-7 LSA reaches the ABR of the NSSA, the ABR decides whether to translate it into an AS-external LSA (Type-5) for advertisement into other areas.

For example, in the networking below, the AS running OSPF comprises three areas: Area 1, Area 2 and Area 0, of which Area 0 is the backbone area. There are also two other ASs, each running RIP. Area 1 is defined as an NSSA. After the RIP routes of Area 1 are propagated to the NSSA ASBR, the NSSA ASBR generates Type-7 LSAs, which are propagated within Area 1. When the Type-7 LSAs reach the NSSA ABR, the NSSA ABR translates them into Type-5 LSAs, which are propagated to Area 0 and Area 2. On the other hand, the RIP routes of the other RIP AS are translated into Type-5 LSAs that are propagated throughout the OSPF AS, except that they do not reach Area 1 because Area 1 is an NSSA. In this respect NSSAs and STUB areas behave the same.

Similar to a STUB area, an NSSA cannot be configured with virtual links.


Figure 4-1 NSSA area (labels in the figure: area 0, area 1 NSSA, area 2, two RIP domains, NSSA ASBR, NSSA ABR)

Perform the following configuration in OSPF Area view.

Table 4-15 Configure NSSA of OSPF

Configure an area as an NSSA: nssa [ default-route-advertise ] [ no-import-route ] [ no-summary ]
Cancel the configured NSSA: undo nssa
Configure the cost of the default route advertised into the NSSA: default-cost cost
Restore the default cost of the default route advertised into the NSSA: undo default-cost

All routers connected to the NSSA must use the nssa command to configure the area with the NSSA attribute.

The keyword default-route-advertise is used to generate a default Type-7 LSA. On an ABR, the default Type-7 LSA is generated even if there is no default route 0.0.0.0 in the routing table. On an ASBR, it is generated only if the routing table contains the default route 0.0.0.0.

The keyword no-import-route, used on the ASBR, prevents the external routes that OSPF imported with the import-route command from being advertised into the NSSA. Generally, this keyword is used when an NSSA router is both ASBR and ABR.

The default-cost command is used on the ABR attached to the NSSA to configure the cost of the default route the ABR advertises into the NSSA.

By default, no NSSA is configured, and the cost of the default route advertised into the NSSA is 1.

4.2.16 Configure the Route Summarization of OSPF Area

Route summarization means that an ABR can aggregate routes with the same prefix and advertise only one route to other areas. An area can be configured with multiple aggregate segments, and OSPF summarizes each of them. When the ABR transmits routing information to other areas, it generates one Sum_net_Lsa (Type-3 LSA) per network. If contiguous networks exist in the area, you can use the abr-summary command to summarize these segments into one segment. The ABR then sends a single aggregate LSA, and the LSAs within the range of the aggregate segment specified by the command are no longer transmitted separately.

Once an aggregate segment is added to the area, the internal routes whose addresses fall within the range are no longer advertised separately to other areas; only the summary route for the whole aggregate network is advertised. If the range is configured with the keyword not-advertise, the summary route for the segment is not advertised either, so the whole range is hidden from other areas. The segment is represented by an IP address and a mask.

Route summarization can take effect only when it is configured on ABRs.

Perform the following configuration in OSPF Area view.

Table 4-16 Configure the route summarization of OSPF area

Configure route summarization for the OSPF area: abr-summary ip-address mask [ advertise | not-advertise ]
Cancel route summarization for the OSPF area: undo abr-summary ip-address mask

By default, the inter-area routes will not be summarized.
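The following Python function, added here as an example (it is not code from the manual or from the switch software), shows what an ABR does with its intra-area routes once abr-summary ranges are configured: component routes inside a range are suppressed, an advertise range produces one summary, and a not-advertise range hides the whole block from other areas. The route table and the ranges are constructed sample data; the rule that the summary carries the largest cost among its components is taken from RFC 2328 section 12.4.3, not from the manual.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple


def abr_summarize(intra_routes: Dict[str, int],
                  ranges: List[Tuple[str, bool]]) -> Tuple[Dict[str, int], List[str]]:
    """Apply abr-summary ranges to the intra-area routes an ABR would announce.

    intra_routes: prefix -> cost, as in the area's routing table (constructed).
    ranges: (prefix, advertise) pairs; advertise=False models `not-advertise`.
    Returns (Type-3 routes actually advertised, component prefixes suppressed).
    """
    advertised: Dict[str, int] = {}
    suppressed: List[str] = []
    for rng, advertise in ranges:
        net = ip_network(rng)
        components = {p: c for p, c in intra_routes.items()
                      if ip_network(p).subnet_of(net)}
        if not components:
            continue                      # no active component: nothing to summarize
        suppressed.extend(components)
        if advertise:
            # RFC 2328 section 12.4.3: the summary takes the largest component cost.
            advertised[str(net)] = max(components.values())
    for prefix, cost in intra_routes.items():
        if prefix not in suppressed:
            advertised[prefix] = cost     # outside every range: advertised as before
    return advertised, sorted(suppressed)
```

A range that matches no active intra-area route produces no summary at all, so a summary that disappears from display ospf lsdb is a sign that every component route has gone down, not a configuration loss.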

4.2.17 Configure Summarization of Imported Routes by OSPF

OSPF on Quidway S3500 Series Ethernet Switches supports summarization of imported routes.

Perform the following configuration in OSPF view.

Table 4-17 Configure summarization of imported routes by OSPF

Configure summarization of imported routes: asbr-summary ip-address mask [ not-advertise | tag value ]
Remove summarization of routes imported into OSPF: undo asbr-summary ip-address mask

By default, summarization of imported routes is disabled.

After summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. If an NSSA is configured, the command also summarizes the imported Type-7 LSAs in the summary address range.


If the local router is an area border router (ABR) in an NSSA, this command summarizes the Type-5 LSAs translated from Type-7 LSAs. If the router is not in an NSSA, the summarization does not apply.

4.2.18 Configure OSPF Virtual Link

According to RFC 2328, once OSPF is divided into areas, not all areas are equal. One area differs from all the others: its area ID is 0.0.0.0 and it is called the backbone area. OSPF routes between non-backbone areas are exchanged through the backbone area. OSPF requires that every non-backbone area maintain connectivity with the backbone, that is, at least one interface of an ABR must belong to area 0.0.0.0. If an area has no direct physical link to the backbone area 0.0.0.0, a virtual link must be created.

Where physical connectivity cannot be ensured because of topology restrictions, a virtual link satisfies this requirement. A virtual link is a logical channel between two ABRs that passes through a non-backbone area. Both ends of the channel must be ABRs, and the link takes effect only when both ends are configured. The virtual link is identified by the router ID of the remote end. The area that provides the internal route between the two ends is called the transit area; its area ID must be specified when configuring the link.

The virtual link is activated after the route through the transit area has been calculated, and is equivalent to a p2p connection between the two ends. Therefore, as on physical interfaces, you can configure interface parameters on this link, such as the hello timer.

The "logical channel" means that the routers running OSPF between the two ABRs only forward packets (the protocol packets are not addressed to them, so the packets are transparent to them and are forwarded as ordinary IP packets). Routing information is exchanged directly between the two ABRs. The routing information here refers to the Type-3 LSAs generated by the ABRs; the synchronization of the routers within the area is not affected.

Perform the following configuration in OSPF Area view.

Table 4-18 Configure OSPF Virtual Link

Create and configure a virtual link: vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ]*
Remove the created virtual link: undo vlink-peer router-id


area-id and router-id have no default value. By default, the hello timer of a virtual link is 10 seconds, the retransmit timer 5 seconds, trans-delay 1 second, and the dead timer 40 seconds.

4.2.19 Configure the OSPF Area to Support Packet Authentication

All routers in an area must use the same authentication mode (no authentication, simple text authentication, or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key. To configure a simple text authentication key, use the ospf authentication-mode simple command; to configure the MD5 key when the area is configured for MD5 cipher text authentication, use the ospf authentication-mode md5 command.

Note that simple text authentication carries the password in the clear in every OSPF packet, so anyone who can capture traffic on the segment can read it and inject packets of their own; use it only where the segment itself is trusted. MD5 authentication appends a keyed digest to each packet, so a receiver can verify the packet's origin and integrity and, through the cryptographic sequence number, reject replayed packets; the packet contents themselves are still sent unencrypted.

Perform the following configuration in OSPF Area view.

Table 4-19 Configure the OSPF Area to Support Packet Authentication

Configure the area to support an authentication type: authentication-mode [ simple | md5 ]
Cancel the configured authentication type: undo authentication-mode

By default, the area does not support packet authentication.

4.2.20 Configure OSPF Packet Authentication

OSPF supports simple authentication or MD5 authentication between neighboring routers.

Perform the following configuration in VLAN interface view:

Table 4-20 Configure OSPF Packet Authentication

Specify a password for OSPF simple text authentication: ospf authentication-mode simple password
Cancel simple authentication on the interface: undo ospf authentication-mode simple
Specify the key ID and key for OSPF MD5 authentication: ospf authentication-mode md5 key_id key
Disable MD5 authentication on the interface: undo ospf authentication-mode md5

By default, the interface is configured with neither simple authentication nor MD5 authentication.
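The difference between the two modes is easiest to see on the wire. The Python below is an added example (not code from the manual or the switch software) that builds the 24-byte OSPF header of RFC 2328 appendix A.3.1 around a constructed Hello body and applies both authentication types: simple password authentication places the password itself in the 64-bit authentication field, while cryptographic authentication (appendix D.4.3) fills that field with key ID, digest length and sequence number, appends an MD5 digest over the packet plus the key, and lets the receiver reject tampered and replayed packets. The helper names, the zero padding of keys shorter than 16 bytes and the per-neighbor sequence bookkeeping are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

OSPF_VERSION = 2
HELLO = 1
AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2
HEADER_LEN = 24     # OSPF packet header, RFC 2328 A.3.1
DIGEST_LEN = 16     # MD5 digest appended after the packet, RFC 2328 D.4.3


def _checksum(data: bytes) -> int:
    """Standard IP one's-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _header(pkt_type: int, router_id: str, area_id: str, body_len: int,
            au_type: int, auth_field: bytes, checksum: int = 0) -> bytes:
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, HEADER_LEN + body_len,
                       IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                       checksum, au_type, auth_field)


def hello_body(mask: str, hello: int = 10, dead: int = 40, priority: int = 1) -> bytes:
    """Minimal Hello body with no neighbors listed (constructed sample data)."""
    return struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02,
                       priority, dead, b"\x00" * 4, b"\x00" * 4)


def sign_simple(pkt_type: int, router_id: str, area_id: str, body: bytes, password: bytes) -> bytes:
    """Simple password authentication: the password travels in clear text."""
    auth = password[:8].ljust(8, b"\x00")          # 64-bit authentication field
    pkt = _header(pkt_type, router_id, area_id, len(body), AU_SIMPLE, auth) + body
    csum = _checksum(pkt[:16] + pkt[24:])          # checksum excludes the auth field
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def verify_simple(pkt: bytes, password: bytes) -> bool:
    if struct.unpack("!H", pkt[14:16])[0] != AU_SIMPLE:
        return False
    if not hmac.compare_digest(pkt[16:24], password[:8].ljust(8, b"\x00")):
        return False
    return _checksum(pkt[:16] + pkt[24:]) == 0     # stored checksum included: sums to 0


def sign_md5(pkt_type: int, router_id: str, area_id: str, body: bytes,
             key_id: int, key: bytes, seq: int) -> bytes:
    """Cryptographic authentication, RFC 2328 appendix D.4.3.

    The auth field carries key ID, digest length and a sequence number; the
    digest is MD5 over the packet followed by the 16-byte key (shorter keys are
    zero padded here, an assumption) and is appended after the packet without
    being counted in the header length field. The checksum field stays 0.
    """
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = _header(pkt_type, router_id, area_id, len(body), AU_MD5, auth) + body
    digest = hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()
    return pkt + digest


def verify_md5(pkt: bytes, keys: Dict[int, bytes],
               last_seq: Dict[Tuple[bytes, int], int]) -> bool:
    """Receiver side: key lookup, replay check, constant-time digest comparison."""
    if len(pkt) < HEADER_LEN + DIGEST_LEN:
        return False
    version, _ptype, length = struct.unpack("!BBH", pkt[:4])
    au_type = struct.unpack("!H", pkt[14:16])[0]
    if version != OSPF_VERSION or au_type != AU_MD5 or length + DIGEST_LEN != len(pkt):
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False
    neighbor = (pkt[4:8], key_id)                    # keyed by source router ID
    if seq < last_seq.get(neighbor, 0):              # D.4.3: sequence must not decrease
        return False
    expected = hashlib.md5(pkt[:length] + keys[key_id][:16].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return False
    last_seq[neighbor] = seq
    return True
```

With simple authentication the password is a substring of every packet on the segment; with MD5 the key never appears on the wire, any change to the packet invalidates the digest, and a captured packet replayed with an older sequence number is dropped. Because the same key must be shared by every router on the segment, a key recovered from one device still lets an attacker forge packets from any router ID, so treat it as a shared secret and rotate it by installing a new key ID before removing the old one.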


4.2.21 Configure OSPF to import Routes of Other Protocols

The dynamic routing protocols on a router can share routing information. As far as OSPF is concerned, routes discovered by other routing protocols are always treated as AS-external routes. In the import-route command, you can specify the route cost type, cost value and tag, overriding the default parameters for imported routes (refer to "Configure Parameters for OSPF to Import External Routes").

OSPF uses the following four types of routes, in descending order of preference:

Intra-area route
Inter-area route
External route type 1
External route type 2

Intra-area and inter-area routes describe the topology inside the AS, whereas external routes describe how to reach destinations beyond the AS.

Type-1 external routes are imported IGP routes (such as static and RIP routes). Because these routes are more reliable, their cost is treated as comparable to the cost of routes within the AS: the cost of a type-1 external route = the cost from the local router to the corresponding ASBR + the cost from the ASBR to the destination of the route.

Type-2 external routes are imported EGP routes. Because these routes are less credible, OSPF assumes that the cost from the ASBR to the destination outside the AS is far higher than the cost from inside the AS to the ASBR, so only the former is considered: the cost of a type-2 external route = the cost from the ASBR to the destination of the route. If two type-2 routes have equal cost, the cost from the local router to the corresponding ASBR is used to break the tie.

Perform the following configuration in OSPF view.

Table 4-21 Configure OSPF to Import Routes of Other Protocols

Configure OSPF to import routes of other protocols: import-route protocol [ cost value | type value | tag value | route-policy route-policy-name ]*
Cancel importing routing information of other protocols: undo import-route protocol

By default, OSPF does not import the routing information of other protocols.

protocol specifies the source routing protocol to be imported. At present, it can be Direct, Static, RIP, or BGP.
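The path selection rules above (route type first, then the type-specific cost, then the ASBR cost as tie-breaker for type-2 routes) are the reason a type-1 external route with a high cost can still win over a cheap type-2 route. The Python below, added here as an example (not code from the manual or from the switch software), encodes those rules from RFC 2328 section 16.4 over constructed candidate paths. The Route class and its field names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Route types in descending order of preference (RFC 2328 section 16.4 and
# the four-entry list in the text): lower value wins outright.
INTRA, INTER, EXT1, EXT2 = 0, 1, 2, 3


@dataclass
class Route:
    """Constructed candidate path to one destination, as seen by the local router."""
    dest: str
    rtype: int
    cost: int = 0            # intra/inter: full OSPF path cost
    asbr_cost: int = 0       # external: cost from the local router to the ASBR
    ext_cost: int = 0        # external: cost advertised by the ASBR (import-route cost)
    via: str = ""            # ASBR router ID, for display only


def path_cost(route: Route) -> int:
    """Cost the local router sees for this path, per the formulas in the text."""
    if route.rtype in (INTRA, INTER):
        return route.cost
    if route.rtype == EXT1:
        # Type 1: internal cost to the ASBR plus the ASBR's external cost.
        return route.asbr_cost + route.ext_cost
    # Type 2: only the external cost counts; the internal cost is a tie-breaker.
    return route.ext_cost


def _sort_key(route: Route):
    secondary = route.asbr_cost if route.rtype == EXT2 else 0
    return (route.rtype, path_cost(route), secondary)


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Pick the path OSPF installs: type, then cost, then (type 2 only) ASBR cost."""
    if not candidates:
        return None
    return min(candidates, key=_sort_key)


def best_paths(candidates: List[Route]) -> List[Route]:
    """Same, but keep every winner that ties on all three keys (equal-cost paths)."""
    if not candidates:
        return []
    winner = _sort_key(best_path(candidates))
    return [r for r in candidates if _sort_key(r) == winner]
```

The practical consequence for import-route is that the type keyword decides whether the internal distance to the ASBR is part of the comparison at all: two ASBRs importing the same prefix as type 2 with equal cost are chosen by proximity, while as type 1 the nearer ASBR only wins if its total is lower.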


4.2.22 Configure Parameters for OSPF to Import External Routes

When OSPF imports routing information discovered by other routing protocols in the autonomous system, some additional parameters must be configured, such as the default route cost and the default tag of the imported routes. The route tag can carry protocol-related information; for example, OSPF can use it to carry the AS number when importing BGP routes.

Perform the following configuration in OSPF view.

Table 4-22 Configure Parameters for OSPF to Import External Routes

Configure the minimum interval for OSPF to import external routes: default interval seconds
Restore the default minimum interval for OSPF to import external routes: undo default interval
Configure the upper limit of routes that OSPF imports each time: default limit routes
Restore the default upper limit of external routes imported at a time: undo default limit
Configure the default cost of external routes imported by OSPF: default cost value
Restore the default cost of external routes imported by OSPF: undo default cost
Configure the default tag of external routes imported by OSPF: default tag tag
Restore the default tag of external routes imported by OSPF: undo default tag
Configure the default type of external routes imported by OSPF: default type { 1 | 2 }
Restore the default type of external routes imported by OSPF: undo default type

By default, no default cost or tag is applied when importing external routes, and the imported routes are type 2. The interval for importing external routes is 1 second, and the upper limit is 1000 external routes per second.

4.2.23 Configure OSPF to Import the Default Route

The import-route command cannot be used to import the default route. Use the following command to advertise a default route into OSPF.

Perform the following configuration in OSPF view.

Table 4-23 Configure OSPF to Import the Default Route

Import the default route into OSPF: default-route-advertise [ always | cost value | type type-value | route-policy route-policy-name ]*
Remove the imported default route: undo default-route-advertise [ always | cost | type | route-policy ]*

By default, OSPF does not import the default route.


4.2.24 Set OSPF Route Preference

Because several dynamic routing protocols may run on one router at the same time, the question of route sharing and selection between them arises. The system assigns a preference to each routing protocol, which is used to break the tie when different protocols discover the same route.

Perform the following configuration in OSPF view.

Table 4-24 Set OSPF Route Preference

Configure the preference of OSPF relative to the other routing protocols: preference [ ase ] preference
Restore the default protocol preference: undo preference [ ase ]

By default, the preference of OSPF routes is 10, and that of external routes imported into OSPF (ase) is 150.

4.2.25 Configure OSPF Route Filtering

Perform the following configuration in OSPF view.

I. Configure OSPF to filter the imported external routes

Table 4-25 Enable OSPF to filter the imported routes

Enable filtering of the imported global routing information: filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import
Cancel filtering of the imported global routing information: undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import

II. Configure filtering of the routes distributed by OSPF

Table 4-26 Enable OSPF to filter the distributed routes

Enable OSPF to filter the distributed routes: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]
Disable OSPF filtering of the distributed routes: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

By default, OSPF filters neither the imported nor the distributed routing information.

For detailed description, please refer to the "Configure Route Filtering" part in " IP Routing Policy Configuration ".


4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets

OSPF routers use DD (Database Description) packets to describe their LSDBs when synchronizing databases.

You can specify that an interface fills in the MTU field of the DD packets it transmits. The MTU should be set to the real MTU of the interface. Per RFC 2328 section 10.6, a router rejects a DD packet whose interface MTU field is larger than what its receiving interface can accept without fragmentation, so mismatched MTUs keep the adjacency from leaving the ExStart state; with the field left at 0 this check is not performed.

Perform the following configuration in VLAN interface view:

Table 4-27 Configure Whether the MTU Field will be Filled in when an Interface Transmits DD Packets

Enable an interface to fill in the MTU field when transmitting DD packets: ospf mtu-enable
Disable the interface from filling in the MTU field when transmitting DD packets: undo ospf mtu-enable

By default, the interface does not fill in the MTU field when transmitting DD packets; in other words, the MTU in the DD packets is 0.

4.2.27 Disable the Interface to Send OSPF Packets

To prevent OSPF routing information from being obtained by routers on a certain network, use the silent-interface command to stop the interface from transmitting OSPF packets.

Perform the following configuration in OSPF view.

Table 4-28 Disable the interface to send OSPF packets

Disable the interface from sending OSPF packets: silent-interface silent-interface-type silent-interface-number
Enable the interface to send OSPF packets: undo silent-interface silent-interface-type silent-interface-number

By default, all interfaces are allowed to transmit and receive OSPF packets.

After an OSPF interface is set to silent, its direct route is still advertised, but its OSPF Hello packets are blocked, so no neighbor relationship can be established on it. This lets OSPF advertise a segment (for example one with end hosts only) without exposing the protocol on it, and reduces the consumption of system resources.


4.2.28 Reset the OSPF Process

If the undo ospf command is executed on a router and the ospf command is then used to restart the OSPF process, the previous OSPF configuration is lost. With the reset ospf all command, you can restart the OSPF process without losing the configuration.

Perform the following configuration in user view.

Table 4-29 Reset the OSPF process

Reset the OSPF process: reset ospf all

Resetting the OSPF process immediately clears invalid LSAs, makes a modified Router ID take effect, and triggers re-election of the DR and BDR. Note that all adjacencies are torn down and rebuilt, so traffic through the router is disrupted until its neighbors return to the FULL state.

4.3 Display and Debug OSPF

After the above configuration, execute the display commands in any view to show the running state of OSPF and verify the effect of the configuration. Execute the debugging commands in user view to debug the OSPF module.

Table 4-30 Display and debug OSPF

Display brief information about the OSPF routing process: display ospf brief
Display OSPF statistics: display ospf cumulative
Display OSPF LSDB information: display ospf [ area-id ] lsdb [ brief | [ asbr | ase | network | nssa | router | summary ] [ ip-address ] [ originate-router ip-address | self-originate ] ]
Display OSPF peer information: display ospf peer [ brief ]
Display OSPF next hop information: display ospf nexthop
Display the OSPF routing table: display ospf routing
Display OSPF virtual links: display ospf vlink
Display the OSPF request list: display ospf request-queue
Display the OSPF retransmission list: display ospf retrans-queue
Display OSPF ABR and ASBR information: display ospf abr-asbr
Display summary information about routes imported into OSPF: display ospf asbr-summary [ ip-address mask ]
Display OSPF interface information: display ospf interface
Display OSPF errors: display ospf error


4.4 Typical OSPF Configuration Example

4.4.1 Configuring DR Election Based on OSPF Priority

I. Networking requirements

Four S3500 series Ethernet Switches, Switch A, Switch B, Switch C and Switch D, which support routing and run OSPF, are located on the same segment, as shown in the following figure. Configure them so that Switch A and Switch C become the DR and BDR respectively. The priority of Switch A is 100, the highest on the network, so it is elected as the DR. Switch C has the second highest priority, so it is elected as the BDR. The priority of Switch B is 0, which means it cannot be elected as the DR. Switch D has no priority configured and takes the default of 1.

II. Networking diagram

Figure 4-2 Networking for configuring DR election based on OSPF priority (all four switches on the 196.1.1.0/24 segment: Switch A 196.1.1.1/24, router ID 1.1.1.1, DR; Switch B 196.1.1.2/24, router ID 2.2.2.2; Switch C 196.1.1.3/24, router ID 3.3.3.3, BDR; Switch D 196.1.1.4/24, router ID 4.4.4.4)

III. Configuration procedure

# Configure Switch A:

[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A-Vlan-interface1] ospf dr-priority 100
[Switch A-Vlan-interface1] quit
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch B:

[Switch B] interface Vlan-interface 1
[Switch B-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[Switch B-Vlan-interface1] ospf dr-priority 0
[Switch B-Vlan-interface1] quit
[Switch B] router id 2.2.2.2
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch C:

[Switch C] interface Vlan-interface 1
[Switch C-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
[Switch C-Vlan-interface1] ospf dr-priority 2
[Switch C-Vlan-interface1] quit
[Switch C] router id 3.3.3.3
[Switch C] ospf
[Switch C-ospf] area 0
[Switch C-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch D:

[Switch D] interface Vlan-interface 1
[Switch D-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[Switch D-Vlan-interface1] quit
[Switch D] router id 4.4.4.4
[Switch D] ospf
[Switch D-ospf] area 0
[Switch D-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

On Switch A, run display ospf peer to display its OSPF peers. Note that Switch A has three peers and that the state of each peer is Full, which means an adjacency has been set up between Switch A and each peer. As the DR and BDR, Switch A and Switch C must set up adjacencies with all routers on the network. Switch A is the DR and Switch C the BDR; all other neighbors are DR Others (neither DR nor BDR).


# Modify the priority of Switch B to 200:

[Switch B-Vlan-interface1] ospf dr-priority 200

On Switch A, execute display ospf peer to show its OSPF neighbors. Note that although the priority of Switch B has been changed to 200, it is still not the DR: a router with a higher priority does not preempt an existing DR.

The DR changes only when the current DR goes offline. Shut down Switch A, and run display ospf peer on Switch D to display its neighbors. Note that the original BDR (Switch C) has become the DR, and Switch B is now the BDR.

If all Ethernet switches on the network are restarted at the same time, a new round of DR/BDR election takes place: Switch B is elected as the DR (priority 200) and Switch A becomes the BDR (priority 100).
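The three outcomes above (no preemption when Switch B's priority rises, BDR promotion when the DR disappears, and a fresh election when everything restarts) all fall out of the election procedure in RFC 2328 section 9.4, which works from what each router currently declares in its own Hello packets rather than from priorities alone. The Python below is an added example (not code from the manual or from the switch software) that simulates that procedure for the segment in this section; the Router class, the converge loop and the scenario values are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

NO_ROUTER = "0.0.0.0"


@dataclass
class Router:
    """One router's view as carried in its own Hello packets (constructed model)."""
    name: str
    router_id: str
    priority: int = 1            # ospf dr-priority; 0 = ineligible
    dr: str = NO_ROUTER          # DR this router currently declares
    bdr: str = NO_ROUTER         # BDR this router currently declares


def _rank(r: Router):
    # Highest priority wins; ties go to the highest Router ID.
    return (r.priority, int(IPv4Address(r.router_id)))


def elect(routers: List[Router]) -> Tuple[str, str]:
    """One pass of the RFC 2328 section 9.4 election over the current Hellos."""
    eligible = [r for r in routers if r.priority > 0]

    def elect_bdr(exclude: Optional[str]) -> str:
        # Routers that declare themselves DR are not BDR candidates; if any
        # candidate declares itself BDR, only those are considered.
        cands = [r for r in eligible if r.dr != r.router_id and r.router_id != exclude]
        declared = [r for r in cands if r.bdr == r.router_id]
        pool = declared or cands
        return max(pool, key=_rank).router_id if pool else NO_ROUTER

    bdr = elect_bdr(None)
    declared_dr = [r for r in eligible if r.dr == r.router_id]
    if declared_dr:
        dr = max(declared_dr, key=_rank).router_id     # an existing DR is kept
    else:
        dr = bdr                                       # the BDR is promoted ...
        bdr = elect_bdr(dr)                            # ... and a new BDR chosen
    return dr, bdr


def converge(routers: List[Router], rounds: int = 8) -> Tuple[str, str]:
    """Rerun the election, updating every router's Hello, until all agree."""
    dr, bdr = elect(routers)
    for _ in range(rounds):
        if all(r.dr == dr and r.bdr == bdr for r in routers):
            break
        for r in routers:
            r.dr, r.bdr = dr, bdr
        dr, bdr = elect(routers)
    return dr, bdr
```

Because the DR is only replaced when no router still declares itself DR, a device that joins a segment with a high priority cannot take over the DR role by itself; it would first have to make the existing DR disappear, which is why the DR and BDR roles should be planned and why DR priority changes alone do not move the role in a running network.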

4.4.2 Configuring OSPF Virtual Link

I. Networking requirements

In the following figure, Area 2 and Area 0 are not directly connected. Area 1 is required to be taken as transit area for connecting Area 2 and Area 0. Correctly configure a virtual link between Switch B and Switch C in Area 1.

II. Networking diagram

Figure 4-3 OSPF virtual link configuration networking (Switch A, router ID 1.1.1.1, 196.1.1.1/24 in Area 0; Switch B, router ID 2.2.2.2, 196.1.1.2/24 in Area 0 and 197.1.1.2/24 in Area 1; Switch C, router ID 3.3.3.3, 197.1.1.1/24 in Area 1 and 152.1.1.1/24 in Area 2; virtual link between Switch B and Switch C across Area 1)

III. Configuration procedure

# Configure Switch A:

[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A-Vlan-interface1] quit
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch B:

[Switch B] interface Vlan-interface 7
[Switch B-Vlan-interface7] ip address 196.1.1.2 255.255.255.0
[Switch B-Vlan-interface7] quit
[Switch B] interface Vlan-interface 8
[Switch B-Vlan-interface8] ip address 197.1.1.2 255.255.255.0
[Switch B-Vlan-interface8] quit
[Switch B] router id 2.2.2.2
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[Switch B-ospf-area-0.0.0.0] quit
[Switch B-ospf] area 1
[Switch B-ospf-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[Switch B-ospf-area-0.0.0.1] vlink-peer 3.3.3.3

# Configure Switch C:

[Switch C] interface Vlan-interface 1

[Switch C-Vlan-interface1] ip address 152.1.1.1 255.255.255.0

[Switch C] interface Vlan-interface 2

[Switch C-Vlan-interface2] ip address 197.1.1.1 255.255.255.0

[Switch C] router id 3.3.3.3

[Switch C] ospf

[Switch C-ospf] area 1

[Switch C-ospf-area-0.0.0.1] network 197.1.1.0 0.0.0.255


[Switch C-ospf-area-0.0.0.1] vlink-peer 2.2.2.2

[Switch C-ospf-area-0.0.0.1] quit

[Switch C-ospf] area 2

[Switch C-ospf-area-0.0.0.2] network 152.1.1.0 0.0.0.255

4.4.3 OSPF Fault Diagnosis and Troubleshooting

Fault 1: OSPF has been configured in accordance with the above-mentioned steps, but OSPF on the router cannot run normally.

Troubleshooting: Please check according to the following procedure.

Troubleshooting locally: Check whether the protocol between two directly connected routers is operating normally. The normal sign is that the peer state machine between the two routers reaches the FULL state. (Note: On a broadcast or NBMA network, if the interfaces of two routers are both in the DROther state, the peer state machine between them stays in the 2-Way state instead of the FULL state. The peer state machine between the DR/BDR and all the other routers is in the FULL state.)

Execute the display ospf peer command to view peers. Execute the display ospf interface command to view OSPF information on the interface. Check whether the physical connections and the lower-layer protocol operate normally; you can use the ping command to test. If the local router cannot ping the peer router, a fault exists in the physical link or the lower-layer protocol.

If the physical link and the lower-layer protocol are normal, check the OSPF parameters configured on the interface. They must match the parameters configured on the adjacent router's interface: the same area ID must be used, and the network addresses and masks must be consistent. (Point-to-point and virtual-link segments may have different network addresses and masks.)

Ensure that the dead timer on the same interface is at least four times the value of the hello timer.

If the network type is NBMA, the peer must be specified manually with the peer ip-address command.

If the network type is broadcast or NBMA, at least one interface must have a priority greater than zero.

If an area is configured as a stub area, it must be configured as a stub area on every router connected to it.

The same interface type must be used on neighboring routers. If more than two areas are configured, at least one of them must be configured as the backbone area (that is, the area with ID 0). Ensure that the backbone area connects to all the other areas.


The virtual links cannot pass through the STUB area.
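The local checks above, turned into a configuration audit as an added example that is not the switch's code: each rule becomes a test over two constructed interface records, and the DROther note becomes expected_peer_state. The field names and the net_type values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class OspfIface:
    """One interface's OSPF settings (constructed record; field names are assumptions)."""
    router: str
    area: str                         # area ID in dotted form, e.g. "0.0.0.1"
    address: str                      # interface address with mask, e.g. "197.1.1.2/24"
    net_type: str                     # "broadcast", "nbma", "p2p" or "virtual"
    hello: int = 10                   # hello timer, seconds
    dead: int = 40                    # dead timer, seconds
    priority: int = 1                 # DR priority
    stub: bool = False                # area configured as a stub area on this router
    nbma_peers: Tuple[str, ...] = ()  # peers configured with `peer ip-address` (NBMA only)


def check_adjacency(a: OspfIface, b: OspfIface) -> List[str]:
    """Return the reasons two directly connected interfaces cannot reach FULL (empty = OK)."""
    problems: List[str] = []
    if a.area != b.area:
        problems.append(f"area mismatch: {a.router}={a.area} {b.router}={b.area}")
    if a.net_type != b.net_type:
        problems.append(f"interface type mismatch: {a.net_type} vs {b.net_type}")
    # Network address and mask must agree, except on p2p and virtual-link segments.
    if a.net_type not in ("p2p", "virtual"):
        net_a = ipaddress.ip_interface(a.address).network
        net_b = ipaddress.ip_interface(b.address).network
        if net_a != net_b:
            problems.append(f"network/mask mismatch: {net_a} vs {net_b}")
    # Hello and dead timers must match, and dead must be at least four times hello.
    for side in (a, b):
        if side.dead < 4 * side.hello:
            problems.append(f"{side.router}: dead {side.dead} < 4*hello {side.hello}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append("hello/dead timer mismatch")
    # A stub area must be configured as stub on every router connected to it.
    if a.stub != b.stub:
        problems.append("stub area flag mismatch")
    if a.net_type in ("broadcast", "nbma") and a.priority == 0 and b.priority == 0:
        problems.append("no interface with priority > 0, so no DR can be elected")
    if a.net_type == "nbma":
        # On NBMA each side must list the other with `peer ip-address`.
        for side, other in ((a, b), (b, a)):
            other_ip = str(ipaddress.ip_interface(other.address).ip)
            if other_ip not in side.nbma_peers:
                problems.append(f"{side.router}: NBMA peer {other_ip} not configured")
    return problems


def expected_peer_state(role_a: str, role_b: str) -> str:
    """Peer state to expect on a broadcast or NBMA segment: two DROthers stop at 2-Way,
    any pair that includes the DR or BDR should reach FULL."""
    if role_a == "DROther" and role_b == "DROther":
        return "2-Way"
    return "FULL"
```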

Troubleshooting globally: If OSPF cannot discover the remote routes even though the above steps have been performed correctly, check the following configurations.

If more than two areas are configured on a router, at least one area should be configured as the backbone area.

As shown in the following figure, RTA and RTD each belong to only one area, whereas RTB (area 0 and area 1) and RTC (area 1 and area 2) each belong to two areas. RTB also belongs to area 0, which meets the requirement. However, none of the areas to which RTC belongs is area 0. Therefore, a virtual link must be set up between RTC and RTB to ensure that area 2 is connected to area 0 (the backbone area).

Figure 4-4 OSPF areas (RTA, RTB, RTC and RTD across area 0, area 1 and area 2)

The backbone area (area 0) cannot be configured as a stub area, and a virtual link cannot pass through a stub area. That is, if a virtual link has been set up between RTB and RTC, neither area 1 nor area 0 can be configured as a stub area. In the above figure, only area 2 can be configured as a stub area.

Routers in a stub area cannot redistribute external routes. The backbone area must guarantee connectivity among all nodes.


Chapter 5 BGP Configuration

5.1 Brief Introduction to BGP

Border Gateway Protocol (BGP) is an inter-autonomous system (AS) dynamic route discovery protocol.

Three early versions of BGP are RFC1105 (BGP-1), RFC1163 (BGP-2) and RFC1267 (BGP-3). The version used at present is RFC1771 (BGP-4), which is applied to distributed structures and supports Classless Inter-Domain Routing (CIDR). It is also used to implement policies configured by users. BGP-4 is becoming the de facto external routing protocol standard of the Internet and is frequently used between ISPs.

The characteristics of BGP are as follows:

- BGP is an external routing protocol. Unlike interior routing protocols such as OSPF and RIP, it focuses on controlling route propagation and selecting the best routes rather than on discovering and calculating routes.
- BGP eliminates route loops completely by carrying AS path information in BGP routes.
- BGP uses TCP as its transport layer protocol, which enhances the reliability of the protocol.
- BGP-4 supports CIDR, an important improvement over BGP-3. CIDR addresses IP addresses in an entirely new way: it does not divide networks into Class A, Class B and Class C. For example, the invalid Class C network address 192.213.0.0 (255.255.0.0) can be expressed in CIDR notation as 192.213.0.0/16, which is a valid supernet; here /16 means that the subnet mask consists of the first 16 bits from the left. The introduction of CIDR simplifies route aggregation. Route aggregation is the process of combining several different routes so that the advertisement of several routes becomes the advertisement of a single route, which simplifies the routing table.
- When routes are updated, BGP transmits only incremental routes, which greatly reduces the bandwidth consumed by route propagation and suits the propagation of large amounts of routing information on the Internet.
- For management and security reasons, users want to control the routing information entering and leaving each AS. BGP-4 provides abundant route policies for flexible filtering and selection of routes, and can be extended easily to support new developments in the network.

BGP, as an upper-layer protocol, runs on a special router. On the first startup of the BGP system, the BGP router exchanges routing information with its peers by transmitting the complete BGP routing table; after that, only update messages are exchanged. While the system runs, keep-alive messages are received and transmitted to check the correctness of the connections between neighbors.

The router that transmits BGP messages is called a BGP speaker; it continuously receives and generates new routing information and advertises it to the other BGP speakers. When a BGP speaker receives a new route advertisement from another AS, it advertises the route to all the other BGP speakers in its AS if the route is better than the route currently learned or is a new route. A BGP speaker calls the other BGP speakers that exchange information with it peers, and multiple related peers compose a peer group.

BGP runs on a router in any of the following modes:

- IBGP (Internal BGP)
- EBGP (External BGP)

The BGP is called IBGP when it runs in an AS and is called EBGP when it runs among different ASs.

Running of BGP is driven by messages of the following four types:

- open message
- update message
- notification message
- keep-alive message

The open message is the first message sent after a connection is created; it establishes the peer relationship between BGP peers. The notification message reports errors. The keep-alive message checks the validity of a connection. The update message is the most important message in the BGP system; it exchanges routing information between peers and consists of up to three parts: unreachable routes, path attributes and network layer reachability information (NLRI).

5.2 BGP Configuration

The BGP configuration includes:

- Enable BGP
- Configure Networks for BGP Distribution
- Configure BGP Peer (Group)
- Configure BGP Timer
- Configure the local preference
- Configure MED for AS
- Compare MED values from different AS neighbors
- Configure BGP Community
- Configure the BGP Route Aggregation
- Configure BGP Route Reflector
- Configure AS confederation attributes
- Configure BGP route dampening
- Configure the Redistribution of BGP and IGP
- Configure BGP Route Filtering
- Define ACL, AS path list and route map
- Clear BGP Connection

5.2.1 Enable BGP

To enable BGP, the local AS number must be specified. Once BGP is enabled, the local router listens for BGP connection requests from adjacent routers. To make the local router send BGP connection requests to adjacent routers, see the configuration of the peer command. When BGP is disabled, all established BGP connections are torn down.

Perform the following configurations in system view.

Table 5-1 Enable/Disable BGP

Enable BGP and enter the BGP view: bgp as-number
Disable BGP: undo bgp [ as-number ]

By default, BGP is not enabled.

5.2.2 Configure Networks for BGP Distribution

Perform the following configurations in BGP view.

Table 5-2 Configure Networks for BGP Distribution

Configure the local network route: network ip-address address-mask [ route-policy route-policy-name ]
Remove the local network route: undo network ip-address address-mask [ route-policy route-policy-name ]

By default, no network is configured for BGP distribution.

5.2.3 Configure BGP Peer (Group)

BGP speakers that exchange BGP packets with each other are BGP peers. To make multiple peers use the same route update policy, users can place them in a BGP peer group to simplify configuration.


When the configuration of the group changes, the configuration of each group member changes accordingly. However, users may configure certain attributes for a particular member by specifying its IP address, so that the member is not affected by the group's configuration for those attributes.

Perform the following configurations in BGP view.

I. Configure AS number

To configure a BGP peer (group) as a neighbor of the local router, the AS to which the peer (group) belongs must be specified first. Routing information is not exchanged between the two ends until the peer and the AS to which the peer belongs have been specified.

Table 5-3 Configure AS number

Configure the AS number of the peer (group): peer { peer-address | group-name } as-number as-number
Delete the AS number of the peer (group): undo peer { peer-address | group-name } as-number as-number

If the AS numbers specified by the as-number and bgp commands are the same, the configured neighbor is an internal neighbor, otherwise it is an external neighbor.

If this command is not used to configure the AS number for a peer group, each peer to be added to the peer group must have its AS number configured in advance. If the AS number is configured for a peer group, every peer added to the group must have the same AS number as the peer group (if an AS number is configured for the peer).

II. Create a peer group and add a member

By default, IBGP peers are placed in an invisible default peer group. The route update policy configured for each IBGP peer is effective only for the other IBGP peers in the same group. If the router is not a route reflector, all IBGP peers are grouped into the same group; otherwise all route reflector clients are grouped into one group and all non-clients into another.

Members of an EBGP peer group must be located on the same network segment; otherwise some EBGP peers may discard the route update messages sent by the local router.

IBGP peers and EBGP peers cannot be added to the same group.


Table 5-4 Create a peer group and add a member

Create a peer group: group group-name
Delete a specified peer group: undo group group-name
Create a peer in the peer group: peer peer-address group group-name
Delete a peer from the peer group: undo peer peer-address group group-name
Reset connections of all members in the peer group (in user view): reset bgp group group-name

III. Configure description of a peer (group)

Description of a peer (group) can be configured to facilitate learning the characteristics of the peer.

Table 5-5 Configure description of a peer (group)

Configure description of a peer (group): peer { peer-address | group-name } description description-line
Delete description of a peer (group): undo peer { peer-address | group-name } description

By default, no BGP peer (group) description is set.

IV. Configure to Permit Connections with EBGP Peers (groups) on Indirectly Connected Networks

Generally, EBGP peers must be directly connected. If they are not, the command below can be used to make them communicate with each other normally.

Table 5-6 Configure to permit connections with EBGP peers (groups) on indirectly connected networks

Configure to permit connections with EBGP peers (groups) on indirectly connected networks: peer { peer-address | group-name } ebgp-max-hop [ ttl ]
Configure to permit connections with EBGP peers (groups) on directly connected networks only: undo peer { peer-address | group-name } ebgp-max-hop [ ttl ]

By default, only connections with EBGP peers (groups) on directly connected networks are permitted. ttl is the time-to-live, in the range 1 to 255, with a default value of 64.


V. Configure timer of peer (group)

The peer timer command configures the timers of a BGP peer (group), including the keep-alive message interval and the hold timer. This command takes precedence over the timer command, which configures timers for all BGP peers.

Table 5-7 Configure timer of peer (group)

Configure keep-alive message interval and hold timer of a peer (group): peer { group-name | peer-address } timer keep-alive keepalive-interval hold holdtime-interval
Restore the default keep-alive message interval and hold timer of a peer (group): undo peer { group-name | peer-address } timer

By default, the keep-alive message is sent every 60 seconds and the value of the hold timer is 180 seconds.

VI. Configure the interval at which route update messages are sent by a peer (group)

Table 5-8 Configure the interval at which route update messages are sent by a peer (group)

Configure the route update message interval of a peer (group): peer { peer-address | group-name } route-update-interval seconds
Restore the default route update message interval of a peer (group): undo peer { peer-address | group-name } route-update-interval

By default, the intervals at which route update messages are sent by an IBGP and EBGP peer (group) are 5 seconds and 30 seconds respectively.

VII. Configure to send the community attributes to a peer (group)

Table 5-9 Configure to send the community attributes to a peer (group)

Configure to send the community attributes to a peer (group): peer { peer-address | group-name } advertise-community
Configure not to send the community attributes to a peer (group): undo peer { peer-address | group-name } advertise-community


VIII. Configure a peer (group) to be a client of a route reflector

Generally, this command is not configured for peer groups, because IBGP neighbors are in the default group. Instead, the peer peer-address reflect-client command, which specifies a peer by its address, is used to configure peers as clients of a route reflector.

Table 5-10 Configure a peer (group) to be a client of a route reflector

Configure a peer (group) to be a client of a route reflector: peer { peer-address | group-name } reflect-client
Cancel the configuration of the peer (group) as a client of the BGP route reflector: undo peer { peer-address | group-name } reflect-client

For detailed information on route reflector, refer to “Configure Route Reflector” section of this manual.

IX. Configure to send default route to a peer (group)

Table 5-11 Configure to send default route to a peer (group)

Configure to send default route to a peer (group): peer { peer-address | group-name } default-route-advertise
Configure not to send default route to a peer (group): undo peer { peer-address | group-name } default-route-advertise

By default, the local router does not send a default route to any peer (group). Once configured, the local router sends a default route with itself as the next hop to the peer unconditionally, even if there is no default route in the BGP routing table.

X. Configure itself as the next hop in advertising route

A BGP router can specify itself as the next hop while advertising route to a peer (group).

Table 5-12 Configure itself as the next hop in advertising route

Configure itself as the next hop in advertising route: peer { peer-address | group-name } next-hop-local
Disable the specification of itself as the next hop in advertising route: undo peer { peer-address | group-name } next-hop-local

By default, local router does not specify itself as the next hop while advertising route to a peer (group).


XI. Configure route map for a peer (group)

By configuring a route map for a peer (group), the routes received from the peer (group) or advertised to the peer (group) can be controlled. The route map for advertised routes configured on each member of a peer group must be the same as that of the peer group, but the route maps for received routes may differ.

Table 5-13 Configure route map for a peer (group)

Configure route map for a peer (group): peer { peer-address | group-name } route-policy route-policy-name { import | export }
Remove the route map policy of a peer (group): undo peer { peer-address | group-name } route-policy policy-name { import | export }

By default, no route map is applied on peer (group).

XII. Configure route filtering policy based on IP ACL for a peer (group)

Table 5-14 Configure route filtering policy based on IP ACL for a peer (group)

Configure route filtering policy based on IP ACL for a peer (group): peer { peer-address | group-name } filter-policy acl-number { import | export }
Remove the route filtering policy based on IP ACL of a peer (group): undo peer { peer-address | group-name } filter-policy acl-number { import | export }

By default, route filtering based on IP ACL for a peer (group) is disabled.

XIII. Configure route filtering policy based on AS path list for a peer (group)

Table 5-15 Configure route filtering policy based on AS path list for a peer (group)

Configure route filtering policy based on AS path list for a peer (group): peer { peer-address | group-name } as-path-acl acl-number { import | export }
Remove the route filtering policy based on AS path list of a peer (group): undo peer { peer-address | group-name } as-path-acl acl-number { import | export }

By default, route filtering based on AS path list for a peer (group) is disabled.


XIV. Configure route filtering policy based on address prefix list for a peer (group)

Table 5-16 Configure route filtering policy based on address prefix list for a peer (group)

Configure route filtering policy based on address prefix list for a peer (group): peer { peer-address | group-name } ip-prefix prefixname { import | export }
Remove the route filtering policy based on address prefix list of a peer (group): undo peer { peer-address | group-name } ip-prefix prefixname { import | export }

By default, route filtering based on address prefix list for a peer (group) is disabled.

XV. Remove private AS numbers while transmitting BGP update messages

Generally, AS numbers (public or private) are carried in the AS path when BGP update messages are transmitted. This command configures the router to leave private AS numbers out of the AS path when transmitting update messages to the specified peer (group).

Table 5-17 Remove private AS numbers while transmitting BGP update messages

Remove private AS numbers while transmitting BGP update messages: peer { peer-address | group-name } public-as-only
Include private AS numbers while transmitting BGP update messages: undo peer { peer-address | group-name } public-as-only

By default, the private AS numbers are included while transmitting BGP update messages.

XVI. Specify the source interface of a route update packet

Generally, the system itself selects the source interface of route update packets. To keep the TCP connection valid when that interface fails, an interior BGP session can be configured to use a specified source interface; this command is usually used with a Loopback interface.

Table 5-18 Specify the source interface of a route update packet

Specify the source interface of a route update packet: peer { peer-address | group-name } connect-interface interface-type interface-name
Use the best source interface: undo peer { peer-address | group-name } connect-interface interface-type interface-name

By default, BGP carries out TCP connection with the optimal source interface.


XVII. Enable/disable a peer/peer group

BGP speakers do not exchange routing information with a disabled peer or peer group.

Perform the following configurations in BGP view.

Table 5-19 Enable/disable a peer/peer group

Enable a peer/peer group: peer { group-name | peer-address } enable
Disable a peer/peer group: undo peer { group-name | peer-address } enable

By default, a peer or peer group is enabled.

5.2.4 Configure BGP Timer

When receiving an OPEN message to set up a BGP connection, a BGP speaker needs to calculate the hold timer: the smaller of its own hold time and the one received in the message is selected as the negotiated hold timer. BGP then sends a KeepAlive message and sets the KeepAlive timer. If the negotiated value is 0, no KeepAlive messages are transmitted and expiry of the hold time is not checked.

Perform the following configurations in BGP view.

Table 5-20 Configure BGP Timer

Configure BGP Timer: peer { group-name | peer-address } timer keep-alive keepalive-interval hold holdtime-interval
Restore the default value of the timer: undo peer { group-name | peer-address } timer

By default, the interval for sending keepalive packets is 60 seconds and the hold time is 180 seconds.

5.2.5 Configure the local preference

Different local preferences can be configured to affect the BGP routing. When a router running BGP gets routes with the same destination address but different next hops through different internal peers, it will select the route of the highest local preference.

Perform the following configurations in BGP view.


Table 5-21 Configure the local preference

Configure the local preference: default local-preference value
Restore the default local preference: undo default local-preference

The local preference is transmitted only when the IBGP peers exchange the update packets and it will not be transmitted beyond the local AS.

By default, the local preference is 100.

5.2.6 Configure MED for AS

The Multi-Exit Discriminator (MED) attribute is the external metric of a route. It is exchanged between ASs, but once imported into an AS it is not transmitted beyond that AS.

AS uses the local preference to select the route to the outside and MED to determine the optimum route for entering the AS. When a router running BGP gets routes with the same destination address but different next hops through different external peers, it will select the route of the smallest MED as the optimum route, provided that all the other conditions are the same.

Perform the following configurations in BGP view.

Table 5-22 Configure an MED metric for the system

Configure an MED metric for the system: default med med-value
Restore the default MED metric of the system: undo default med

The router configured above only compares the route MED metrics of different EBGP peers in the same AS. Using the compare-different-as-med command, you can compare the route MED metrics of the peers in different ASs.

By default, MED metric is 0.

5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs

This configuration is used in best route selection: the route with the smaller MED value is selected.

Perform the following configurations in BGP view.


Table 5-23 Comparing the MED Routing Metrics from the Peers in Different ASs

Compare the MED routing metrics from the peers in different ASs: compare-different-as-med
Configure not to compare the MED routing metrics from the peers in different ASs: undo compare-different-as-med

By default, MED comparison is not allowed among the routes from the neighbors in different ASs.

It is not recommended to use this configuration unless you can make sure that the ASs adopt the same IGP and routing method.
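How local preference, MED and compare-different-as-med interact in route selection, as an added example rather than the switch's implementation: a simplified decision process over constructed paths. The BgpPath fields, the neighbor-AS rule and the final next-hop tie-break are assumptions; the defaults 100 and 0 are the manual's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BgpPath:
    """One candidate path to a prefix (constructed record; field names are assumptions)."""
    next_hop: str
    as_path: Tuple[int, ...]     # AS_PATH; as_path[0] is the neighbor AS the path came from
    local_pref: int = 100        # manual default for `default local-preference`
    med: int = 0                 # manual default for `default med`
    from_ibgp: bool = False


def neighbor_as(path: BgpPath, local_as: int) -> int:
    """AS the path was learned from: the first AS in AS_PATH, or the local AS for a local path."""
    return path.as_path[0] if path.as_path else local_as


def better(a: BgpPath, b: BgpPath, local_as: int, compare_different_as_med: bool) -> BgpPath:
    """Return the preferred of two paths to the same prefix (simplified decision process)."""
    # 1. Higher local preference wins; the attribute only circulates inside the AS.
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    # 2. Shorter AS_PATH wins.
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    # 3. Lower MED wins, but by default only between paths from the same neighbor AS;
    #    `compare-different-as-med` extends the comparison to paths from different ASs.
    same_as = neighbor_as(a, local_as) == neighbor_as(b, local_as)
    if (same_as or compare_different_as_med) and a.med != b.med:
        return a if a.med < b.med else b
    # 4. Prefer EBGP-learned over IBGP-learned paths.
    if a.from_ibgp != b.from_ibgp:
        return b if a.from_ibgp else a
    # 5. Deterministic tie-break on the lowest next-hop address (assumption; stands in
    #    for the remaining steps of the real decision process).
    return a if ipaddress.ip_address(a.next_hop) <= ipaddress.ip_address(b.next_hop) else b


def best_path(paths: List[BgpPath], local_as: int,
              compare_different_as_med: bool = False) -> Optional[BgpPath]:
    """Pick the best of all candidate paths to one prefix."""
    best: Optional[BgpPath] = None
    for p in paths:
        best = p if best is None else better(best, p, local_as, compare_different_as_med)
    return best
```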

5.2.8 Configure BGP Community

Community attributes are optional and transitive. Some community attributes are globally recognized, which are called standard community attributes, whereas some are for special purposes which are called extended community attributes. You may define not only the standard community but also the extended community attributes.

A community list is used to identify a community; community lists fall into standard community lists and extended community lists.

In addition, a route can carry more than one community attribute. A BGP speaker processing a route with multiple community attributes can act according to one, several or all of them. A router can choose to change the community attributes or leave them unchanged before transmitting the route to its peers.

Perform the following configurations in system view.

Table 5-24 Configure community

Configure a standard community list: ip community-list standard-community-list-number { permit | deny } { aa:nn | internet | no-export-subconfed | no-advertise | no-export }
Configure an extended community list: ip community-list extended-community-list-number { permit | deny } as-regular-expression
Remove the configured community list: undo ip community-list { standard-community-list-number | extended-community-list-number }

By default, no BGP community is configured.

5.2.9 Configure BGP Route Summarization

CIDR supports route summarization. There are two modes of BGP route summarization: summary automatic and aggregate. Summary automatic summarizes BGP subnet routes; after summary automatic is configured, BGP can no longer receive subnets imported by the IGP. Aggregate aggregates BGP local routes, and a series of parameters can be configured for it. In general, the aggregate takes precedence over the automatic summary.

Please perform the following configuration in the BGP view:

Table 5-25 Configure BGP route summarization

Configure the summary automatic function of the subnet routes: summary automatic
Cancel the summary automatic function of the subnet routes: undo summary automatic
Configure local route aggregation function: aggregate address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*
Cancel local route aggregation function: undo aggregate address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*

By default, the BGP will not perform local route aggregation.

5.2.10 Configure BGP Route Reflector

To ensure interconnection between IBGP peers, a fully meshed network must be established. In some networks there are large numbers of IBGP peers, the internal BGP network becomes very large, and the cost of establishing a full mesh is very high. A new peering technique is therefore needed. The basic idea of the route reflector is to designate a centralized router as the focus of the internal sessions: multiple BGP routers peer with one central point, and multiple route reflectors then peer with each other.

The route reflector is the centralized point for the other routers, which are called clients. A client is a peer of the route reflector and exchanges routing information with it. The route reflector reflects the information among the clients in turn.

In the following figure, Router A receives an update packet from an external peer and transmits it to Router C. Router C is a route reflector with two client peers: Router A and Router B.

Router C reflects the update packet from client Router A to client Router B. With this configuration, the peer session between Router A and Router B is eliminated, because the route reflector forwards the BGP information to Router B.


Figure 5-1 The route reflector diagram (Router A and Router B are clients of route reflector Router C; Router A learns the route over EBGP, the route update reaches Router C, and Router C reflects it to Router B)

A route reflector is a router that performs the route reflection function. It divides its IBGP peers into clients and non-clients; all peers in the autonomous system that do not belong to its cluster are non-clients. Designating the route reflector and adding client peers are both done with the command peer reflect-client.

A client peer need not establish peering relationships with IBGP peers outside its cluster. Non-client peers and the route reflector, and the non-client peers among themselves, still form a full mesh, because they follow the basic IBGP full-mesh principle. The reflection function is performed only on the route reflector; client peers and non-client peers are ordinary BGP peers, and a peer is a client only because the route reflector lists it as one.

I. Configure the route reflection between clients

Perform the following configurations in BGP view.

Table 5-26 Configure the route reflection between clients

Operation: Enable route reflection between clients
Command: reflect between-clients

Operation: Disable route reflection between clients
Command: undo reflect between-clients

By default, the reflection between clients is disabled.

II. Configure the cluster ID

Generally, there is only one route reflector in a cluster.

Perform the following configurations in BGP view.


Table 5-27 Configure the Cluster_ID of the route reflector

Operation: Configure the Cluster_ID of the route reflector
Command: reflector cluster-id { cluster-id | address }

Operation: Cancel the Cluster_ID of the route reflector
Command: undo reflector cluster-id

By default, the router ID of the route reflector is used as the cluster ID.

III. Two measures to avoid loops inside the AS

Once a route reflector is introduced, a path loop can arise inside the AS: an update that has already left the cluster may try to return to it. The conventional AS-path check cannot detect such a loop, because the update has not left the AS. When a route reflector is configured, BGP therefore provides the following measures against loops inside the AS:

1) Configure the Originator_ID of the route reflector

The Originator_ID is set by the route reflector. If, because of a misconfiguration, an update returns to the router that originated it, the originator recognises its own Originator_ID and drops the update.

This parameter need not be configured; it takes effect automatically once BGP is enabled.

2) Configure the Cluster_ID of the route reflector
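The following Python model is an added illustration of the reflection rules and of the two loop-avoidance measures above; it is example code written for this page, not the switch's implementation. It reflects updates between clients and non-clients, stamps Originator_ID and Cluster_ID, and drops updates that return to their cluster or to their originator. The class names, the reflect_between_clients option and the router IDs are constructed for the example.

```python
"""Model of IBGP route reflection with Originator_ID and Cluster_ID loop checks.

Added example for this page; not the switch's implementation. Router IDs
and cluster IDs used in figure_5_1_scenario() are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: str | None = None      # router that originated the route in the AS
    cluster_list: tuple[str, ...] = ()    # Cluster_IDs the update has passed through


class Reflector:
    """One route reflector with its client and non-client IBGP peers."""

    def __init__(self, router_id: str, cluster_id: str | None = None,
                 reflect_between_clients: bool = False) -> None:
        self.router_id = router_id
        # By default the router ID of the reflector is used as the cluster ID.
        self.cluster_id = cluster_id or router_id
        # Corresponds to 'reflect between-clients' (disabled by default per Table 5-26).
        self.between_clients = reflect_between_clients
        self.clients: set[str] = set()
        self.non_clients: set[str] = set()

    def peer(self, router_id: str, reflect_client: bool = False) -> None:
        """'peer X as-number N' plus, for a client, 'peer X reflect-client'."""
        (self.clients if reflect_client else self.non_clients).add(router_id)

    def accept(self, update: Update) -> bool:
        """Loop checks applied before an IBGP update is used or reflected."""
        # Measure 2 (Cluster_ID): the update has already passed through this cluster.
        if self.cluster_id in update.cluster_list:
            return False
        # Measure 1 (Originator_ID): the update has come back to its originator.
        if update.originator_id == self.router_id:
            return False
        return True

    def reflect(self, update: Update, sender: str) -> dict[str, Update]:
        """Return {peer_router_id: update} for every peer the update is reflected to."""
        if not self.accept(update):
            return {}
        if sender in self.clients:
            # From a client: to all non-clients, and to the other clients only
            # when reflection between clients is enabled.
            targets = set(self.non_clients)
            if self.between_clients:
                targets |= self.clients - {sender}
        elif sender in self.non_clients:
            # From a non-client: to clients only (non-clients are fully meshed).
            targets = set(self.clients)
        else:
            return {}   # not a configured IBGP peer
        stamped = replace(
            update,
            originator_id=update.originator_id or sender,            # set only once
            cluster_list=(self.cluster_id,) + update.cluster_list,   # prepend own ID
        )
        return {peer: stamped for peer in targets}


def figure_5_1_scenario() -> dict[str, Update]:
    """Router C reflects an update from client Router A to client Router B."""
    router_c = Reflector("3.3.3.3", reflect_between_clients=True)
    router_c.peer("1.1.1.1", reflect_client=True)   # Router A
    router_c.peer("2.2.2.2", reflect_client=True)   # Router B
    return router_c.reflect(Update("10.0.0.0/8"), sender="1.1.1.1")


if __name__ == "__main__":
    print(figure_5_1_scenario())
```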

5.2.11 Configure BGP AS Confederation Attribute

Confederation is a method of handling the rapidly growing number of IBGP connections inside an AS. It divides the AS into multiple sub-ASs; within each sub-AS all IBGP peers are fully meshed, and each sub-AS is connected to the other sub-ASs of the confederation.

Confederation has its drawbacks: switching from a non-confederation to a confederation design requires the routers to be reconfigured and the logical topology to be changed substantially. Furthermore, without a manually set BGP policy, the path selected through the confederation may not be the best path.

I. Configure confederation_ID

To BGP speakers outside the confederation, the sub-ASs belonging to one confederation appear as a single AS. The external network does not need to know about the internal sub-ASs; the confederation ID is the AS number that identifies the confederation as a whole.

Perform the following configurations in BGP view.


Table 5-28 Configure confederation_ID

Operation: Configure confederation_ID
Command: confederation id as-number

Operation: Cancel confederation_ID
Command: undo confederation id

By default, the confederation_ID is not configured.

II. Configure sub-AS belonging to the confederation

Configure the confederation_ID first, and then the sub-ASs belonging to the confederation. One confederation can include up to 32 sub-ASs. The as-number used when configuring a sub-AS of the confederation is valid only within the confederation.

Perform the following configurations in BGP view.

Table 5-29 Configure sub-AS belonging to the confederation

Operation: Configure the sub-ASs that make up the confederation
Command: confederation peer-as as-number-1 [ ... as-number-n ]

Operation: Remove the specified sub-ASs from the confederation
Command: undo confederation peer-as [ as-number-1 ] [ ... as-number-n ]

By default, no autonomous system is configured as a member of the confederation.

III. Configure the nonstandard autonomous system confederation

To interoperate with devices whose confederation implementation differs from RFC1965, you must configure this attribute on all routers in the confederation.

Perform the following configurations in BGP view.

Table 5-30 Configure AS confederation attribute compatible with nonstandard

Operation: Configure the AS confederation attribute to be compatible with nonstandard routers
Command: confederation nonstandard

Operation: Cancel the AS confederation attribute compatible with nonstandard routers
Command: undo confederation nonstandard

By default, the configured confederation is consistent with RFC1965.


5.2.12 Configure BGP route dampening

The main cause of unstable routes is a route that repeatedly disappears from and reappears in the routing table; this is called route flapping. When a route flaps, update packets are propagated across the network again and again, consuming a great deal of bandwidth and router processing time, so measures are needed to contain it. The technique that controls unstable routes is called route dampening.

Dampening divides routes into stable and unstable ones and suppresses the unstable ones (they are not advertised). The past behaviour of a route is the basis for judging its future stability. Each time a route flaps it is given a penalty; when the penalty reaches a threshold, the route is suppressed. As time passes the penalty decays according to a power function, and when it falls below a second threshold the suppression is lifted and the route is re-advertised.

Perform the following configurations in BGP view.

Table 5-31 Configure BGP route dampening

Operation: Configure BGP route dampening
Command: dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ]

Operation: Clear route dampening information and lift the suppression of the route
Command: reset dampening [ network-address [ mask ] ]

Operation: Cancel BGP route dampening
Command: undo dampening

By default, route dampening is disabled.

Note that the parameters of the command depend on one another: if one parameter is configured, all the others must be specified as well.
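The following Python model is an added example for this page, not the switch's implementation: it carries the dampening mechanism described above (penalty per flap, suppress and reuse thresholds, half-life decay, ceiling) through a few flaps so the suppression and reuse times can be checked. The penalty added per flap (1000) and the use of minutes as the time unit are assumptions borrowed from common BGP implementations, since the manual does not state them; prefixes and parameter values are constructed samples.

```python
"""Model of BGP route flap dampening: penalty, suppress/reuse thresholds,
half-life decay and ceiling, as described in this section.

Added example for this page; not the switch's implementation. The penalty
added per flap (1000) and minutes as the time unit are assumptions borrowed
from common BGP implementations; the manual does not state them.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0   # assumed penalty added per flap (not given by the manual)


@dataclass
class DampeningParams:
    """Mirrors 'dampening half-life-reachable half-life-unreachable reuse suppress ceiling'."""
    half_life_reachable: float = 15.0     # minutes for the penalty to halve while reachable
    half_life_unreachable: float = 15.0   # minutes for the penalty to halve while withdrawn
    reuse: float = 750.0                  # below this value the suppression is lifted
    suppress: float = 2000.0              # at or above this value the route is suppressed
    ceiling: float = 16000.0              # the penalty never grows beyond this value

    def validate(self) -> None:
        # The parameters depend on one another: an inconsistent set is rejected.
        if not (0 < self.reuse < self.suppress <= self.ceiling):
            raise ValueError("require 0 < reuse < suppress <= ceiling")
        if min(self.half_life_reachable, self.half_life_unreachable) <= 0:
            raise ValueError("half-lives must be positive")


@dataclass
class RouteState:
    penalty: float = 0.0
    stamped_at: float = 0.0     # time (minutes) at which `penalty` was recorded
    reachable: bool = True
    suppressed: bool = False


class Dampener:
    def __init__(self, params: DampeningParams | None = None) -> None:
        self.params = params or DampeningParams()
        self.params.validate()
        self.routes: dict[str, RouteState] = {}

    def _half_life(self, state: RouteState) -> float:
        p = self.params
        return p.half_life_reachable if state.reachable else p.half_life_unreachable

    def penalty(self, prefix: str, now: float) -> float:
        """Penalty decayed exponentially (halved every half-life) since last recorded."""
        state = self.routes.get(prefix)
        if state is None:
            return 0.0
        elapsed = now - state.stamped_at
        return state.penalty * 2.0 ** (-elapsed / self._half_life(state))

    def _record(self, prefix: str, now: float, reachable: bool, add: float) -> RouteState:
        state = self.routes.setdefault(prefix, RouteState())
        state.penalty = min(self.penalty(prefix, now) + add, self.params.ceiling)
        state.stamped_at = now
        state.reachable = reachable
        return state

    def withdraw(self, prefix: str, now: float) -> bool:
        """The route disappeared: one flap, penalty added. Returns the suppressed flag."""
        state = self._record(prefix, now, reachable=False, add=FLAP_PENALTY)
        if state.penalty >= self.params.suppress:
            state.suppressed = True
        return state.suppressed

    def announce(self, prefix: str, now: float) -> bool:
        """The route reappeared: no penalty, only a decay checkpoint."""
        self._record(prefix, now, reachable=True, add=0.0)
        return self.is_suppressed(prefix, now)

    def is_suppressed(self, prefix: str, now: float) -> bool:
        state = self.routes.get(prefix)
        if state is None or not state.suppressed:
            return False
        if self.penalty(prefix, now) < self.params.reuse:
            state.suppressed = False      # suppression lifted, route re-advertised
        return state.suppressed

    def minutes_until_reuse(self, prefix: str, now: float) -> float:
        """Time until the decayed penalty drops below the reuse threshold."""
        state = self.routes.get(prefix)
        current = self.penalty(prefix, now)
        if state is None or current <= self.params.reuse:
            return 0.0
        return self._half_life(state) * math.log2(current / self.params.reuse)
```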

5.2.13 Configure the Number of Times the Local AS May Repeat

Using the peer allow-as-loop command, you can configure how many times the local AS number may repeat.

Perform the following configurations in BGP view.

Table 5-32 Configure the number of times the local AS may repeat in the AS path

Operation: Configure the number of times the local AS may repeat
Command: peer { group-name | peer-address } allow-as-loop [ number ]

Operation: Remove the configured repeat count of the local AS
Command: undo peer { group-name | peer-address } allow-as-loop


5.2.14 Configure the Redistribution of BGP and IGP

BGP can advertise the internal network information of the local AS to other ASs. To do so, the routes to the internal networks that the local router has learned through an IGP routing protocol can be imported into BGP.

Perform the following configurations in BGP view.

Table 5-33 Importing IGP routing information

Operation: Configure BGP to import routes of an IGP protocol
Command: import-route protocol [ process-id ] [ med med ] [ route-policy route-policy-name ]

Operation: Configure BGP not to import routes of an IGP protocol
Command: undo import-route protocol

By default, BGP does not import the route information of other protocol.

The source routing protocols that can be specified and imported are direct, static, rip, ospf, ospf-ase, and ospf-nssa.

For detailed description of routing information, refer to “Importing other Protocol Route” in “Configure Route Policy”.

5.2.15 Define ACL, AS Path List, and Route-policy

This section describes the configuration of ACL, AS path list, and Route-policy.

I. Define the ACL

Refer to “Define ACL” in QoS/ACL Operation Manual and Command Manual.

II. Define the AS path list

BGP routing information packets include an autonomous system path field. An AS path list can be matched against this field to filter out routing information that does not meet the requirements. Under one list number the user can define multiple AS path list entries, so a list number stands for a group of AS path ACLs. Each AS path list is identified by a number.

Please perform the following configurations in the system view:


Table 5-34 Define the AS path list

Operation: Define the AS path list
Command: ip as-path-acl acl-number { permit | deny } as-regular-expression

Operation: Delete the specified AS path list
Command: undo ip as-path-acl acl-number

By default, no AS path list is defined.

During matching, the entries defined under the same acl-number are combined with an "OR" relationship: once the routing information matches one entry of the group, it is considered to have passed the AS path list identified by that list number.
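The following Python model is an added example for this page, not the switch's implementation; it shows how one list number groups several permit and deny entries and how the OR relationship between them plays out on sample AS paths. It assumes the usual AS-path regular-expression dialect in which "_" matches an AS boundary and "^" and "$" anchor the whole path; the list numbers and paths are constructed samples.

```python
"""Model of 'ip as-path-acl' matching for BGP route filtering.

Added example for this page; not the switch's implementation. It assumes
the AS-path regular-expression dialect used by most BGP implementations,
in which '_' matches an AS boundary (start, end, or the space between two
AS numbers) and '^' / '$' anchor the whole path.
"""
from __future__ import annotations

import re


def as_regex(expr: str) -> re.Pattern[str]:
    """Translate an as-regular-expression into a Python regex."""
    return re.compile(expr.replace("_", r"(?:^|\s|$)"))


class AsPathAcl:
    """All entries defined under one acl-number (Table 5-34)."""

    def __init__(self, acl_number: int) -> None:
        self.acl_number = acl_number
        self.entries: list[tuple[bool, re.Pattern[str]]] = []

    def add(self, action: str, expr: str) -> None:
        """'ip as-path-acl <acl-number> { permit | deny } <as-regular-expression>'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.entries.append((action == "permit", as_regex(expr)))

    def passes(self, as_path: list[int]) -> bool:
        """Match the AS_PATH against the entries in definition order.

        The first entry whose expression matches decides; with permit-only
        entries this is the OR relationship described in the text. A path
        matching no entry does not pass the list.
        """
        text = " ".join(str(asn) for asn in as_path)
        for permit, pattern in self.entries:
            if pattern.search(text):
                return permit
        return False
```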

III. Define route-policy

Refer to the “Define a route-policy” part of the “IP Routing Policy Configuration”.

IV. Define match principle

Refer to the “Define if-match clauses for a Route-policy” part in the “IP Routing Policy Configuration”.

V. Define evaluation rules

Refer to the “Define apply clauses for a Route-policy” part in the “IP Routing Policy Configuration”.

5.2.16 Configure BGP Route Filtering

I. Configure BGP to filter the received route information

The routes received by BGP can be filtered so that only routes meeting the specified conditions are accepted.

Perform the following configurations in BGP view.

Table 5-35 Configure imported route filtering

Operation: Configure received route filtering
Command: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import

Operation: Cancel received route filtering
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import

For details, please refer to the “Configure Route Filtering” part in the “Routing Policy”.


II. Configure filtering of the routes distributed by the BGP

The routes distributed by BGP can be filtered so that only routes meeting the specified conditions are distributed.

Please perform the following configuration in the BGP view:

Table 5-36 Configure to filter the routes distributed by the BGP

Operation: Configure filtering of the routes distributed by the BGP
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

Operation: Cancel filtering of the routes distributed by the BGP
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

By default, the BGP will not filter the received and distributed routes.

For details, please refer to the “Configure Route Filtering” part in the “Routing Policy”.

5.2.17 Clear BGP Connection

After changing the BGP policy or protocol configuration, the user must tear down the current connections so that the new configuration takes effect.

Perform the following configuration in user view.

Table 5-37 Clear BGP connection

Operation: Clear the connection between BGP and the specified peer
Command: reset bgp peer-address [ flap-info ]

Operation: Clear all BGP connections
Command: reset bgp all

Operation: Clear the connections between BGP and all members of a group
Command: reset bgp group group-name

5.3 Display and Debug BGP

After the above configuration, execute the display command in any view to display the running state of the BGP configuration and verify its effect. Execute the reset command in user view to clear the BGP statistics, and the debugging command in user view to debug the configuration.


Table 5-38 Display and debug BGP

Operation: Display the routing information of the BGP
Command: display bgp routing-table [ ip-address ]

Operation: Display filtered AS path information in the BGP
Command: display ip as-path-acl acl-number

Operation: Display CIDR routes
Command: display bgp routing-table cidr

Operation: Display the routing information of the specified BGP community
Command: display bgp routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ] [ whole-match ]

Operation: Display the routing information allowed by the specified BGP community list
Command: display bgp routing-table community-list community-list-number [ whole-match ]

Operation: Display BGP dampened paths
Command: display bgp routing-table dampening

Operation: Display the routing information the specified BGP peer advertised or received
Command: display bgp routing-table peer peer-address { advertised | received } [ network-address [ mask ] | statistic ]

Operation: Display the routes matching the specified AS path list
Command: display bgp routing-table as-path-acl acl-number

Operation: Display route flapping statistics
Command: display bgp routing-table flap-info [ { regular-expression as-regular-expression } | { as-path-acl acl-number } | { network-address [ mask [ longer-match ] ] } ]

Operation: View routes with different source ASs
Command: display bgp routing-table different-origin-as

Operation: Display neighbor information
Command: display bgp peer peer-address verbose
Command: display bgp peer [ verbose ]

Operation: Display the routing information that has been configured
Command: display bgp network

Operation: Display AS path information
Command: display bgp paths as-regular-expression

Operation: Display peer group information
Command: display bgp group [ group-name ]

Operation: Display the BGP routes matching a certain regular expression
Command: display bgp routing-table regular-expression as-regular-expression

Operation: Display configured route-policy information
Command: display route-policy [ policy-name ]

Operation: Enable debugging of all BGP packets
Command: debugging bgp all

Operation: Enable BGP event debugging
Command: debugging bgp event

Operation: Enable BGP Keepalive debugging
Command: debugging bgp keepalive [ receive | send ] [ verbose ]

Operation: Enable BGP Open debugging
Command: debugging bgp open [ receive | send ] [ verbose ]

Operation: Enable BGP packet debugging
Command: debugging bgp packet [ receive | send ] [ verbose ]

Operation: Enable BGP Route-refresh packet debugging
Command: debugging bgp route-refresh [ receive | send ] [ verbose ]

Operation: Enable BGP Update packet debugging
Command: debugging bgp update [ receive | send ] [ verbose ]

Operation: Reset BGP flap information
Command: reset bgp flap-info [ regular-expression as-regular-expression | as-path-acl acl-number | network-address [ mask ] ]

5.4 Typical BGP Configuration Example

5.4.1 Configure BGP AS Confederation Attribute

I. Networking requirements

Divide the following AS 100 into three sub-AS: 1001, 1002, and 1003, and configure EBGP, confederation EBGP, and IBGP.


II. Networking diagram

Figure 5-2 Networking diagram of configuring AS confederation (AS 100 divided into sub-ASs 1001, 1002 and 1003, with AS 200 outside; Switch A, Switch B, Switch C, Switch D and Switch E; addresses 172.68.10.1, 172.68.10.2 and 172.68.10.3 on the shared Ethernet, 172.68.1.1 and 172.68.1.2, 156.10.1.1 and 156.10.1.2)

III. Configuration procedure

# Configure Switch A:

[Switch A] bgp 1001

[Switch A-bgp] confederation id 100

[Switch A-bgp] confederation peer-as 1002 1003

[Switch A-bgp] peer 172.68.10.2 as-number 1002

[Switch A-bgp] peer 172.68.10.3 as-number 1003

# Configure Switch B:

[Switch B] bgp 1002

[Switch B-bgp] confederation id 100

[Switch B-bgp] confederation peer-as 1001 1003

[Switch B-bgp] peer 172.68.10.1 as-number 1001

[Switch B-bgp] peer 172.68.10.3 as-number 1003

# Configure Switch C:


[Switch C] bgp 1003

[Switch C-bgp] confederation id 100

[Switch C-bgp] confederation peer-as 1001 1002

[Switch C-bgp] peer 172.68.10.1 as-number 1001

[Switch C-bgp] peer 172.68.10.2 as-number 1002

[Switch C-bgp] peer 156.10.1.2 as-number 200

[Switch C-bgp] peer 172.68.1.2 as-number 1003

5.4.2 Configure BGP Route Reflector

I. Networking requirements

Switch B receives an update packet over EBGP and sends it to Switch C. Switch C is a route reflector with two clients, Switch B and Switch D. When Switch C receives a route update from Switch B, it reflects it to Switch D. There is no need to establish an IBGP connection between Switch B and Switch D, because Switch C reflects the information to Switch D.

II. Networking diagram

Figure 5-3 Networking diagram of configuring BGP route reflector (Switch A in AS 100 with network 1.0.0.0 behind it; Switch B, Switch C and Switch D in AS 200; EBGP between Switch A, VLAN 2 192.1.1.1/24, and Switch B, VLAN 2 192.1.1.2/24; IBGP between Switch B, VLAN 3 193.1.1.2/24, and route reflector Switch C, VLAN 3 193.1.1.1/24; IBGP between Switch C, VLAN 4 194.1.1.1/24, and Switch D, VLAN 4 194.1.1.2/24; Switch B and Switch D are the clients)

III. Configuration procedure

1) Configure Switch A:

[Switch A] interface vlan-interface 2

[Switch A-Vlan-interface2] ip address 192.1.1.1 255.255.255.0

[Switch A] bgp 100


[Switch A-bgp] network 1.0.0.0 255.0.0.0

[Switch A-bgp] peer 192.1.1.2 as-number 200

2) Configure Switch B:

# Configure VLAN 2:

[Switch B] interface Vlan-interface 2

[Switch B-Vlan-interface2] ip address 192.1.1.2 255.255.255.0

# Configure VLAN 3:

[Switch B] interface Vlan-interface 3

[Switch B-Vlan-interface3] ip address 193.1.1.2 255.255.255.0

[Switch B] ospf

[Switch B-ospf] area 0

[Switch B-ospf-area-0.0.0.0] network 193.1.1.0 0.0.0.255

# Configure peers.

[Switch B] bgp 200

[Switch B-bgp] peer 192.1.1.1 as-number 100

[Switch B-bgp] peer 193.1.1.1 as-number 200

3) Configure Switch C:

# Configure VLAN 3:

[Switch C] interface Vlan-interface 3

[Switch C-Vlan-interface3] ip address 193.1.1.1 255.255.255.0

# Configure VLAN 4:

[Switch C] interface vlan-Interface 4

[Switch C-Vlan-interface4] ip address 194.1.1.1 255.255.255.0

[Switch C] ospf

[Switch C-ospf] area 0

[Switch C-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255

# Configure BGP peers and route reflector.

[Switch C] bgp 200

[Switch C-bgp] peer 193.1.1.2 as-number 200


[Switch C-bgp] peer 193.1.1.2 reflect-client

[Switch C-bgp] peer 194.1.1.2 as-number 200

[Switch C-bgp] peer 194.1.1.2 reflect-client

4) Configure Switch D:

# Configure VLAN 4:

[Switch D] interface vlan-interface 4

[Switch D-Vlan-interface4] ip address 194.1.1.2 255.255.255.0

[Switch D] ospf

[Switch D-ospf] area 0

[Switch D-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255

# Configure BGP peers

[Switch D] bgp 200

[Switch D-bgp] peer 194.1.1.1 as-number 200

Using the display bgp routing-table command, you can view the BGP routing table on Switch B. Note that Switch B has learned of network 1.0.0.0.

<Switch B> display bgp routing-table
Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
Dest/Mask      Pref  Next-Hop    Med  Local-Pref  Origin  As-Path
*> 1.0.0.0/8         192.1.1.1   0                IGP     100

Using the display bgp routing-table command, you can view the BGP routing table on Switch D. Note that Switch D also knows of network 1.0.0.0.

<Switch D> display bgp routing-table
Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
Dest/Mask      Pref  Next-Hop    Med  Local-Pref  Origin  As-Path
*> 1.0.0.0/8         192.1.1.1   0                IGP     100


5.4.3 Configure BGP Routing

I. Networking requirements

This example illustrates how administrators manage routing via BGP attributes. All Ethernet switches run BGP, and the IGP in AS 200 is OSPF. Switch A is in AS 100 and is a BGP neighbor of Switch B and Switch C, which are in AS 200. Both Switch B and Switch C run IBGP to Switch D, which is also in AS 200.

II. Networking diagram

Figure 5-4 Networking diagram of configuring BGP routing (Switch A in AS 100; Switch B, Switch C and Switch D in AS 200; router IDs 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4; EBGP links VLAN 2 192.1.1.1/24 to 192.1.1.2/24 and VLAN 3 193.1.1.1/24 to 193.1.1.2/24; IBGP links VLAN 4 194.1.1.1/24 to 194.1.1.2/24 and VLAN 5 195.1.1.1/24 to 195.1.1.2/24; networks 1.0.0.0, 2.0.0.0, 3.0.0.0 and 4.0.0.0)

III. Configuration procedure

1) Configure Switch A:

[Switch A] interface Vlan-interface 2

[Switch A-Vlan-interface2] ip address 192.1.1.1 255.255.255.0

[Switch A] interface Vlan-interface 3

[Switch A-Vlan-interface3] ip address 193.1.1.1 255.255.255.0

# Enable BGP.

[Switch A] bgp 100

# Specify the network that BGP advertises.

[Switch A-bgp] network 1.0.0.0

# Configure the peers.

[Switch A-bgp] peer 192.1.1.2 as-number 200


[Switch A-bgp] peer 193.1.1.2 as-number 200

# Configure the MED attribute of Switch A.

Add an ACL on Switch A that permits network 1.0.0.0.

[Switch A] acl number 2000

[Switch A-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255

Define two route policies, apply_med_50 and apply_med_100. The first sets the MED attribute of the route to network 1.0.0.0 to 50, and the second sets it to 100.

[Switch A] route-policy apply_med_50 permit node 10

[Switch A-route-policy] if-match acl 2000

[Switch A-route-policy] apply cost 50

[Switch A-route-policy] quit

[Switch A] route-policy apply_med_100 permit node 10

[Switch A-route-policy] if-match acl 2000

[Switch A-route-policy] apply cost 100

[Switch A-route-policy] quit

Apply route policy apply_med_50 to the route updates sent to Switch C (193.1.1.2), and route policy apply_med_100 to the route updates sent to Switch B (192.1.1.2).

[Switch A] bgp 100

[Switch A-bgp] peer 193.1.1.2 route-policy apply_med_50 export

[Switch A-bgp] peer 192.1.1.2 route-policy apply_med_100 export

2) Configure Switch B:

[Switch B] interface vlan-interface 2

[Switch B-Vlan-interface2] ip address 192.1.1.2 255.255.255.0

[Switch B] interface vlan-interface 4

[Switch B-Vlan-interface4] ip address 194.1.1.2 255.255.255.0

[Switch B] ospf

[Switch B-ospf] area 0

[Switch B-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255

[Switch B-ospf-area-0.0.0.0] network 192.1.1.0 0.0.0.255

[Switch B] bgp 200


[Switch B-bgp] undo synchronization

[Switch B-bgp] peer 192.1.1.1 as-number 100

[Switch B-bgp] peer 194.1.1.1 as-number 200

3) Configure Switch C:

[Switch C] interface Vlan-interface 3

[Switch C-Vlan-interface3] ip address 193.1.1.2 255.255.255.0

[Switch C] interface vlan-interface 5

[Switch C-Vlan-interface5] ip address 195.1.1.2 255.255.255.0

[Switch C] ospf

[Switch C-ospf] area 0

[Switch C-ospf-area-0.0.0.0] network 193.1.1.0 0.0.0.255

[Switch C-ospf-area-0.0.0.0] network 195.1.1.0 0.0.0.255

[Switch C] bgp 200

[Switch C-bgp] peer 193.1.1.1 as-number 100

[Switch C-bgp] peer 195.1.1.1 as-number 200

4) Configure Switch D:

[Switch D] interface vlan-interface 4

[Switch D-Vlan-interface4] ip address 194.1.1.1 255.255.255.0

[Switch D] interface vlan-interface 5

[Switch D-Vlan-interface5] ip address 195.1.1.1 255.255.255.0

[Switch D] ospf

[Switch D-ospf] area 0

[Switch D-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255

[Switch D-ospf-area-0.0.0.0] network 195.1.1.0 0.0.0.255

[Switch D-ospf-area-0.0.0.0] network 4.0.0.0 0.255.255.255

[Switch D] bgp 200

[Switch D-bgp] peer 195.1.1.2 as-number 200

[Switch D-bgp] peer 194.1.1.2 as-number 200


To make the configuration take effect, reset all BGP neighbors with the reset bgp all command.

After the above configuration, Switch D will prefer the route to 1.0.0.0 learned from Switch C, because the MED attribute of route 1.0.0.0 as learned by Switch C is smaller than that learned by Switch B.

If the MED attribute on Switch A is not configured, the local preference can be configured on Switch C instead, as follows:

# Configure the local preference attribute of Switch C

Add ACL 2000 on Switch C, permitting network 1.0.0.0.

[Switch C] acl number 2000

[Switch C-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255

Define a route policy named localpref: routes matching ACL 2000 get a local preference of 200, and all other routes get 100.

[Switch C] route-policy localpref permit node 10

[Switch C-route-policy] if-match acl 2000

[Switch C-route-policy] apply local-preference 200

[Switch C-route-policy] quit

[Switch C] route-policy localpref permit node 20

[Switch C-route-policy] apply local-preference 100

[Switch C-route-policy] quit

Apply this route policy to the routes received from BGP neighbor 193.1.1.1 (Switch A).

[Switch C] bgp 200

[Switch C-bgp] peer 193.1.1.1 route-policy localpref import

Now, because the local preference (200) of route 1.0.0.0 learned by Switch C is higher than that of Switch B (Switch B has no local preference configured, so the default of 100 applies), Switch D will again prefer the route to 1.0.0.0 from Switch C.

5.5 Fault Diagnosis and BGP Troubleshooting

Fault 1: The neighbor relationship cannot be established (the Established state is never reached).

Troubleshooting: To establish a BGP neighbor relationship, the routers must be able to set up a TCP connection on port 179 and exchange Open packets correctly. Check the following:


1) Check whether the neighbor's AS number is configured correctly.

2) Check whether the neighbor's IP address is correct. If a Loopback interface is used, check whether connect-source loopback has been configured. By default, the router uses the best local interface, not the loopback interface, to establish the TCP connection.

3) If the EBGP neighbor is not directly connected, check whether peer ebgp-max-hop has been configured.

4) Use the ping command to check whether the TCP connection can be established. Since a router may have several interfaces able to reach the peer, use the extended ping -a ip-address command to specify the source IP address of the ping packets.

5) If the ping fails, use the display ip routing-table command to check whether the routing table contains a route to the neighbor.

6) If the ping succeeds, check whether an ACL denies TCP port 179. If such an ACL is configured, remove the rule denying port 179.

Fault 2: After an IGP route is imported with the network command, the BGP route is not advertised correctly.

Troubleshooting: A route imported with the network command must exactly match a route in the current routing table, including both the destination network segment and the mask. A route covering a larger network segment cannot be imported. For example, route 10.1.1.0/24 can be imported, whereas 10.0.0.0/8 may cause an error.


Chapter 6 IP Routing Policy Configuration

6.1 Brief Introduction to IP Routing Policy

When a router distributes or receives routing information, it may need to apply policies that filter the information, so that only routing information meeting specified conditions is received or distributed. A routing protocol such as RIP may also need to import routing information discovered by other protocols to enrich its routing knowledge; while importing, it may accept only the information that meets certain conditions and set special attributes on it to suit its requirements.

To implement a routing policy, you define a set of matching rules that specify the characteristics of the routing information to be filtered. The rules can be based on attributes such as the destination address and the source address of the information. The matching rules are defined in advance and then used in the routing policy that advertises, receives and imports routing information.

In Quidway S3500 Series Ethernet Switches, five kinds of filters, Route-policy, acl, as-path, community-list, and ip-prefix, are provided for the routing protocols to call. The following sections introduce each of these filters.

I. Route-policy

A route-policy is used to match some attributes of given routing information and, if the conditions are satisfied, to set attributes of that information.

A route-policy can comprise multiple nodes. Each node is a unit for match testing, and the nodes are tested in the order of their sequence numbers. Each node comprises a set of if-match and apply clauses. The if-match clauses define the matching rules, and the objects they match are attributes of the routing information. The relationship between the if-match clauses of a node is "AND": a node matches only when all the conditions specified by its if-match clauses are satisfied. The apply clauses specify the actions performed after the node's match test succeeds, namely setting attributes of the routing information.

The relationship between the different nodes of a route-policy is "OR": the system examines the nodes of the route-policy in sequence, and once a route is permitted by one node it passes the matching test of the route-policy without being tested against the next node.
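The following Python model is an added example for this page, not the switch's implementation; it carries the node semantics just described (nodes tested in sequence order, AND within a node, OR between nodes, first permitting node ends the test) and rebuilds the localpref policy of the configuration example in 5.4.3 so that the local preference each route ends up with can be checked. It assumes, as common implementations do, that a route matching no node is denied and that a basic ACL matches with a wildcard mask; the Route, Node and RoutePolicy names are constructed for the example.

```python
"""Model of route-policy evaluation: nodes are tested in sequence-number
order (OR between nodes), all if-match clauses of a node must hold (AND
within a node), and the first node that permits a route applies its
clauses and ends the test.

Added example for this page; not the switch's implementation. Assumptions:
a route matching no node is denied, and a basic ACL matches with a
wildcard mask. localpref_policy() follows the 5.4.3 configuration example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field, replace
from typing import Callable


@dataclass
class Route:
    prefix: str            # destination, e.g. "1.0.0.0/8"
    med: int = 0           # MED attribute; 'apply cost' sets it
    local_pref: int = 100  # local preference; 100 when none is configured


class BasicAcl:
    """'acl number <n>' with 'rule { permit | deny } source <address> <wildcard>'."""
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: list[tuple[bool, int, int]] = []

    def rule(self, action: str, source: str, wildcard: str) -> None:
        self.rules.append((action == "permit",
                           int(ipaddress.IPv4Address(source)),
                           int(ipaddress.IPv4Address(wildcard))))

    def permits(self, address: str) -> bool:
        """Wildcard bits set to 1 are ignored; the first matching rule decides."""
        addr = int(ipaddress.IPv4Address(address))
        for permit, src, wildcard in self.rules:
            care = ~wildcard & 0xFFFFFFFF
            if addr & care == src & care:
                return permit
        return False   # no rule matched: the if-match clause is not satisfied


Clause = Callable[[Route], bool]
Action = Callable[[Route], None]


@dataclass
class Node:
    seq: int
    permit: bool = True
    if_match: list[Clause] = field(default_factory=list)
    apply: list[Action] = field(default_factory=list)


class RoutePolicy:
    """'route-policy <name> { permit | deny } node <seq>' and its clauses."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.nodes: dict[int, Node] = {}

    def node(self, seq: int, permit: bool = True) -> Node:
        return self.nodes.setdefault(seq, Node(seq, permit))

    def evaluate(self, route: Route) -> Route | None:
        """Return the (possibly modified) route if it passes, None if filtered."""
        candidate = replace(route)            # leave the caller's route untouched
        for seq in sorted(self.nodes):
            node = self.nodes[seq]
            if not all(clause(candidate) for clause in node.if_match):
                continue                      # AND not satisfied: try the next node
            if not node.permit:
                return None                   # matched a deny node
            for action in node.apply:
                action(candidate)
            return candidate                  # permitted: later nodes are skipped
        return None                           # matched no node


def if_match_acl(acl: BasicAcl) -> Clause:
    """'if-match acl <n>': match the destination address against a basic ACL."""
    return lambda r: acl.permits(r.prefix.split("/")[0])


def apply_attr(attr: str, value: int) -> Action:
    """'apply cost N' sets 'med'; 'apply local-preference N' sets 'local_pref'."""
    def action(r: Route) -> None:
        setattr(r, attr, value)
    return action


def localpref_policy() -> RoutePolicy:
    """Switch C's 'localpref' policy of 5.4.3: 200 for network 1.0.0.0, else 100."""
    acl = BasicAcl(2000)
    acl.rule("permit", "1.0.0.0", "0.255.255.255")
    policy = RoutePolicy("localpref")
    node10 = policy.node(10)
    node10.if_match.append(if_match_acl(acl))
    node10.apply.append(apply_attr("local_pref", 200))
    policy.node(20).apply.append(apply_attr("local_pref", 100))  # no if-match: matches all
    return policy
```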


II. acl

The access control lists (ACLs) used by the routing policy are of three types: advanced ACL, basic ACL, and interface ACL.

For routing information filtering, the basic ACL is generally used. When defining the ACL, the user specifies a range of IP addresses or a subnet, which is matched against the destination network segment address or the next-hop address of the routing information. If an advanced ACL is used, matching is performed on the specified source address range.

For the configuration related to acl, refer to the QoS/ACL Operation Manual and Command Manual contained in the security section of this manual.

III. ip-prefix

The function of the ip-prefix is similar to that of the acl, but it is more flexible and easier for users to understand. When the ip-prefix is applied to routing information filtering, its matching object is the destination address field of the routing information. Furthermore, in the ip-prefix the user can specify the gateway option so that only the routing information distributed by certain routers is received.

An ip-prefix is identified by its ip-prefix name. Each ip-prefix can include multiple list items, and each list item can independently specify a match range of network prefixes and is identified by an index-number. The index-number designates the matching check sequence within the ip-prefix.

During matching, the router checks the list items in ascending order of index-number. As soon as a single list item matches, the route has passed the ip-prefix filtering and the next list items are not tested.

IV. as-path list

The as-path list is only used in BGP. A BGP routing information packet includes an autonomous system path field (during BGP routing information exchange, the autonomous systems that the routing information has passed through are recorded in this field). The as-path specifies the match condition against this AS path field.

The definition of the as-path has already been implemented in the BGP configuration. For the related configurations, please refer to the ip as-path-acl command in the BGP Configuration.


V. Community-list

The community-list is only used in the BGP. The routing information packet of the BGP includes a community attribute domain to identify a community. Targeting at the community attribute, the community-list specifies the match condition.

The definition of the community-list has already been implemented in the BGP configuration. For the relevant configurations, please refer to the ip community-list command in the BGP Configuration.

6.2 IP Routing Policy Configuration

The routing policy configuration includes:

Define a route-policy
Define if-match clauses for a Route-policy
Define apply clauses for a Route-policy
Import the routes of other protocols
Define ip-prefix
Configure Route Filtering

6.2.1 Define a route-policy

A route-policy can comprise multiple nodes. Each node is a unit for the matching operation. The nodes are tested in order of node-number.

Perform the following configurations in system view.

Table 6-1 Define a route-policy

Operation: Enter Route policy view
Command: route-policy route-policy-name { permit | deny } node { node-number }

Operation: Remove the specified route-policy
Command: undo route-policy route-policy-name [ permit | deny | node node-number ]

The argument permit specifies the matching mode for a defined node in the route-policy to be in permit mode. If a route satisfies all the if-match clauses of the node, it will pass the filtering of the node, and the apply clauses for the node will be executed without taking the test of the next node. If not, however, the route should take the test of the next node.

The deny argument specifies the matching mode for a defined node in the route-policy to be in deny mode. In this mode, the apply clauses will not be executed. If a route satisfies all the if-match clauses of the node, it will be denied by the node and will not take the test of the next node. If not, however, the route will take the test of the next node.

The nodes have the "OR" relationship. In other words, the router tests the route against the nodes of the route-policy in sequence; once a node is matched, the route-policy filtering is passed.

By default, the Route-policy is not defined.

Note: if multiple nodes are defined in a route-policy, at least one of them should be in permit mode. When the route-policy is applied to filter routing information, routing information that matches no node is denied by the route-policy. If all the nodes in the route-policy are in deny mode, all routing information will be denied by the route-policy.

6.2.2 Define If-match clauses for a Route-policy

The if-match clauses define the matching rules. That is, the filtering conditions that the routing information should satisfy for passing the route-policy. The matching objects are some attributes of routing information.

Perform the following configurations in Route policy view.

Table 6-2 Define if-match conditions

Operation: Match the AS path domain of the BGP routing information
Command: if-match as-path acl-number

Operation: Cancel the matched AS path domain of the BGP routing information
Command: undo if-match as-path

Operation: Match the community attribute of the BGP routing information
Command: if-match community { standard-community-number [ exact-match ] | extended-community-number }

Operation: Cancel the matched community attribute of the BGP routing information
Command: undo if-match community

Operation: Match the destination address of the routing information
Command: if-match { acl acl-number | ip-prefix ip-prefix-name }

Operation: Cancel the matched destination address of the routing information
Command: undo if-match [ acl acl-number | ip-prefix ip-prefix-name ]

Operation: Match the next-hop interface of the routing information
Command: if-match interface [ interface-type interface-number ]

Operation: Cancel the matched next-hop interface of the routing information
Command: undo if-match interface

Operation: Match the next-hop of the routing information
Command: if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }

Operation: Cancel the matched next-hop of the routing information
Command: undo if-match ip next-hop [ ip-prefix ip-prefix-name ]

Operation: Match the routing cost of the routing information
Command: if-match cost cost

Operation: Cancel the matched routing cost of the routing information
Command: undo if-match cost

Operation: Match the tag domain of the OSPF routing information
Command: if-match tag value

Operation: Cancel the matched tag domain of the OSPF routing information
Command: undo if-match tag

By default, no matching will be performed.


But please note:

The if-match clauses for a node in the route-policy have the relationship of “AND” for matching. That is, the route must satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed.

If no if-match clauses are specified, all the routes will pass the filtering on the node.

6.2.3 Define apply clauses for a Route-policy

The apply clauses specify actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clauses. Thereby, some attributes of the route can be modified.

Perform the following configurations in Route policy view.

Table 6-3 Define apply clauses

Operation: Add the specified AS number before the as-path series of the BGP routing information
Command: apply as-path as-number-1 [ as-number-2 [ as-number-3 ... ] ]

Operation: Cancel the specified AS number added before the as-path series of the BGP routing information
Command: undo apply as-path

Operation: Set the community attribute in the BGP routing information
Command: apply community { [ aa:nn | no-export-subconfed | no-advertise | no-export ]... | [ additive | none ] }

Operation: Cancel the set community attribute in the BGP routing information
Command: undo apply community

Operation: Set the next-hop address of the routing information
Command: apply ip next-hop { ip-address [ ip-address ] | acl acl-number }

Operation: Cancel the next-hop address of the routing information
Command: undo apply ip next-hop [ ip-address [ ip-address ] | acl acl-number ]

Operation: Set the local preference of the BGP routing information
Command: apply local-preference localpref

Operation: Cancel the local preference of the BGP routing information
Command: undo apply local-preference

Operation: Set the routing cost of the routing information
Command: apply cost value

Operation: Cancel the routing cost of the routing information
Command: undo apply cost

Operation: Set the cost type of the routing information
Command: apply cost-type [ internal | external ]

Operation: Remove the setting of the cost type
Command: undo apply cost-type

Operation: Set the route origin of the BGP routing information
Command: apply origin { igp | egp as-number | incomplete }

Operation: Cancel the route origin of the BGP routing information
Command: undo apply origin

Operation: Set the tag domain of the OSPF routing information
Command: apply tag value

Operation: Cancel the tag domain of the OSPF routing information
Command: undo apply tag

By default, perform no settings.

Please note that if the routing information matches the conditions of the route-policy and apply cost-type internal is configured, then when the IGP route is advertised to EBGP peers the value produced by apply cost-type internal is used as the MED value of the IGP route. The precedence of apply cost-type internal is lower than that of the apply cost command but higher than that of the default med command.
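The node semantics of 6.2.1 to 6.2.3 (nodes tested in node-number order, if-match clauses combined with AND, permit versus deny mode, implicit deny when no node matches) simulated in Python as an added example; this is not code from the manual or from the switch software. The basic ACL mirrors ACL 2000 of the configuration example in 6.4; the Route and Node structures, and the assumption that a destination matching no ACL rule counts as denied, are this example's own.

```python
"""Added example: simulate route-policy evaluation (6.2.1 to 6.2.3)."""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address


def _ip(address: str) -> int:
    return int(IPv4Address(address))


@dataclass(frozen=True)
class Route:
    network: str       # destination network address of the route
    prefix_len: int
    next_hop: str
    cost: int
    tag: int = 0


@dataclass(frozen=True)
class AclRule:
    action: str                  # "permit" or "deny"
    source: str                  # address, or "any"
    wildcard: str = "0.0.0.0"    # wildcard mask: 1 bits are "don't care"

    def matches(self, address: str) -> bool:
        if self.source == "any":
            return True
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        return (_ip(address) & care) == (_ip(self.source) & care)


def acl_permits(rules: list[AclRule], address: str) -> bool:
    """First matching rule decides. Assumption: no matching rule means deny."""
    for rule in rules:
        if rule.matches(address):
            return rule.action == "permit"
    return False


@dataclass
class Node:
    number: int
    mode: str                                      # "permit" or "deny"
    if_match: dict = field(default_factory=dict)   # e.g. {"acl": 2000, "cost": 10, "tag": 5}
    apply: dict = field(default_factory=dict)      # e.g. {"cost": 50, "tag": 7, "next_hop": "..."}


def node_matches(node: Node, route: Route, acls: dict[int, list[AclRule]]) -> bool:
    """All if-match clauses must hold (AND). A node without clauses matches every route."""
    for key, value in node.if_match.items():
        if key == "acl":        # if-match acl: the ACL is applied to the destination address
            ok = acl_permits(acls[value], route.network)
        elif key == "cost":
            ok = route.cost == value
        elif key == "tag":
            ok = route.tag == value
        else:
            raise ValueError(f"unsupported if-match clause: {key}")
        if not ok:
            return False
    return True


def evaluate_route_policy(nodes: list[Node], route: Route,
                          acls: dict[int, list[AclRule]]) -> tuple[bool, Route]:
    """Nodes are tested in node-number order (OR); the first node the route matches decides.
    permit node: run the apply clauses, the route passes, later nodes are skipped.
    deny node:   the route is refused, apply clauses are ignored.
    A route that matches no node is denied by the route-policy."""
    for node in sorted(nodes, key=lambda n: n.number):
        if not node_matches(node, route, acls):
            continue
        if node.mode == "permit":
            return True, replace(route, **node.apply)
        return False, route
    return False, route


# Constructed sample data. ACL 2000 is the one from the configuration example in 6.4.
ACLS = {2000: [AclRule("deny", "30.0.0.0", "0.255.255.255"), AclRule("permit", "any")]}

# Node 10 refuses routes tagged 999; node 20 passes whatever ACL 2000 permits and re-costs it.
POLICY = [
    Node(20, "permit", if_match={"acl": 2000}, apply={"cost": 50, "tag": 7}),
    Node(10, "deny", if_match={"tag": 999}),
]

ROUTES = [
    Route("20.0.0.1", 32, "12.0.0.1", cost=1),
    Route("30.0.0.1", 32, "12.0.0.1", cost=1),
    Route("40.0.0.1", 32, "12.0.0.1", cost=1, tag=999),
]


def filter_routes(policy: list[Node], routes: list[Route],
                  acls: dict[int, list[AclRule]]) -> dict[str, tuple[bool, Route]]:
    """Evaluate every route and key the result (passed, resulting route) by network address."""
    return {r.network: evaluate_route_policy(policy, r, acls) for r in routes}
```

With the sample data, 20.0.0.1 passes with cost 50 and tag 7, 30.0.0.1 is dropped because it matches no node, and 40.0.0.1 is refused by the deny node before node 20 is reached.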


6.2.4 Importing Routing Information Discovered by Other Routing Protocols

A routing protocol can import the routes discovered by other routing protocols to enrich its route information. And the Route-policy can be used for route information filtering to implement the purposeful redistribution. If the destination routing protocol importing the routes cannot directly reference the route costs of the source routing protocol, you should satisfy the requirement of the protocol by specifying a route cost for the imported route.

Perform the following configuration in routing protocol view.

Table 6-4 Configure to import the routes of other protocols

Operation: Set to import routes of other protocols
Command: import-route protocol [ med med | cost cost ] [ tag value ] [ type 1 | 2 ] [ route-policy route-policy-name ]

Operation: Cancel the setting for importing routes of other protocols
Command: undo import-route protocol

By default, the routes discovered by other protocols will not be distributed.

Note:

The parameter options differ between routing protocol views. For details, refer to the import-route command of each protocol.

6.2.5 Define ip-Prefix

A prefix-list is identified by the ip-prefix name. Each ip-prefix can include multiple items, and each item can independently specify the matching range of the network prefix forms. The index-number specifies the matching sequence in the prefix-list.

Perform the following configurations in system view.

Table 6-5 Define Prefix-list

Operation: Define Prefix-list
Command: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal ] [ less-equal less-equal ]

Operation: Remove Prefix-list
Command: undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]


During matching, the router checks the list items in ascending order of index-number. As soon as one list item matches, the route has passed the ip-prefix filtering and the next list items are not tested.

Please note that if more than one ip-prefix item is defined, at least one list item should be in permit mode. List items in deny mode can be defined first to rapidly filter out the routing information that does not satisfy the requirement, but if all the items are in deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0/0 greater-equal 0 less-equal 32 after the deny-mode list items so as to let all the other routes pass.
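An added Python simulation, not taken from the manual, of the ip-prefix matching described here and in the troubleshooting note of 6.5: items are tested in index order, the first match decides, and a permit 0.0.0.0/0 item only lets every route through when less-equal 32 is given. The interpretation of greater-equal and less-equal as a mask-length range, and the sample items, are this example's own assumptions.

```python
"""Added example: simulate ip-prefix list matching (6.2.5) and the catch-all item of 6.5."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def _ip(address: str) -> int:
    return int(IPv4Address(address))


@dataclass(frozen=True)
class PrefixItem:
    index: int
    mode: str                            # "permit" or "deny"
    network: str
    length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def length_range(self) -> tuple[int, int]:
        """Assumed range semantics: no option -> mask length must equal `length` exactly;
        greater-equal alone -> [ge, 32]; less-equal alone -> [length, le]; both -> [ge, le]."""
        lo = self.length if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        else:
            hi = 32 if self.greater_equal is not None else self.length
        return lo, hi

    def matches(self, network: str, mask_len: int) -> bool:
        lo, hi = self.length_range()
        if not lo <= mask_len <= hi:
            return False
        keep = (0xFFFFFFFF << (32 - self.length)) & 0xFFFFFFFF   # compare the first `length` bits
        return (_ip(network) & keep) == (_ip(self.network) & keep)


def ip_prefix_permits(items: list[PrefixItem], network: str, mask_len: int) -> bool:
    """Items are tested in ascending index order; the first match decides and later
    items are not examined. A route that matches no item is denied."""
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(network, mask_len):
            return item.mode == "permit"
    return False


# Constructed samples. Deny items first, then the catch-all recommended in 6.2.5 and 6.5.
WITH_CATCH_ALL = [
    PrefixItem(10, "deny", "30.0.0.0", 8, less_equal=32),    # every prefix inside 30.0.0.0/8
    PrefixItem(20, "deny", "10.0.0.0", 8),                   # exactly 10.0.0.0/8, nothing longer
    PrefixItem(30, "permit", "0.0.0.0", 0, greater_equal=0, less_equal=32),
]
# Same deny items, but the catch-all lacks less-equal: it then matches only 0.0.0.0/0 itself.
WITHOUT_LESS_EQUAL = WITH_CATCH_ALL[:2] + [PrefixItem(30, "permit", "0.0.0.0", 0)]
# Deny items only: no route can pass (the fault described in 6.5).
ALL_DENY = WITH_CATCH_ALL[:2]

SAMPLE_ROUTES = [("20.0.0.1", 32), ("30.1.2.0", 24), ("10.0.0.0", 8),
                 ("10.1.0.0", 16), ("0.0.0.0", 0)]


def run(items: list[PrefixItem]) -> dict[str, bool]:
    """Return {"network/len": permitted} for every sample route."""
    return {f"{net}/{ln}": ip_prefix_permits(items, net, ln) for net, ln in SAMPLE_ROUTES}
```

Note that item 20 denies only 10.0.0.0/8 itself, so 10.1.0.0/16 still reaches the catch-all and passes; a deny item needs less-equal 32 to cover the longer prefixes inside its range.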

6.2.6 Configure Route Filtering

I. Configure to filter the received routes

Perform the following configuration in routing protocol view.

Define a policy that, with the help of an ACL or address prefix-list, filters out the routing information not satisfying the conditions while routes are received. The gateway keyword specifies that only the update packets from a particular neighboring router will be received.

Table 6-6 Configure to filter the received route

Operation: Configure to filter the received routing information distributed by the specified address
Command: filter-policy gateway ip-prefix-name import

Operation: Cancel the filtering of the received routing information distributed by the specified address
Command: undo filter-policy gateway ip-prefix-name import

Operation: Configure to filter the received global routing information
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ] import

Operation: Cancel the filtering of the received global routing information
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ] import

II. Configure to filter the distributed routes

Define a policy concerning route distribution to filter the routing information not satisfying the conditions while distributing routes with the help of an ACL or address ip-prefix.

Perform the following configuration in routing protocol view.

Table 6-7 Configure to filter the distributed routes

Operation: Configure to filter the routes distributed by the protocol
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

Operation: Cancel the filtering of the routes distributed by the protocol
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]


At present, the route policy supports importing the routes discovered by the following protocols into the routing table:

direct: The hop (or host) to which the local interface is directly connected.

static: Static Route Configuration

rip: Route discovered by RIP

ospf: Route discovered by OSPF

ospf-ase: External route discovered by OSPF

ospf-nssa: NSSA route discovered by OSPF

bgp: Route acquired by BGP

If routing-process is BGP, you should also specify the process number or AS number accordingly.

By default, the filtering of the received and distributed routes will not be performed.

6.3 Display and Debug the Routing Policy

After the above configuration, execute the display commands in any view to show the running routing policy configuration and verify the effect of the configuration.

Table 6-8 Display and debug the route policy

Operation: Display the routing policy
Command: display route-policy [ route-policy-name ]

Operation: Display the path information of the AS filter in BGP
Command: display ip as-path-acl [ acl-number ]

Operation: Display the address prefix list information
Command: display ip ip-prefix [ ip-prefix-name ]

6.4 Typical IP Routing Policy Configuration Example

6.4.1 Configure to Filter the Received Routing Information

I. Networking requirements

Switch A and Switch B communicate with each other, both running OSPF. Three static routes are imported into OSPF on Switch A. Route filtering rules can be configured on Switch B so that, of the three received static routes, some are visible and some are shielded: the routes in the network segments 20.0.0.0 and 40.0.0.0 are visible while the route in the network segment 30.0.0.0 is shielded.


II. Networking diagram

(Figure: Switch A 1.1.1.1 and Switch B 2.2.2.2 in OSPF area 0; Switch A holds the static routes 20.0.0.1/8, 30.0.0.1/8 and 40.0.0.1/8.)

Figure 6-1 Filtering the received routing information

III. Configuration procedure

Configure Switch A:

# Configure the IP address of VLAN interface.

[Switch A] interface vlan-interface 100

[Switch A-Vlan-interface100] ip address 10.0.0.1 255.0.0.0

[Switch A] interface vlan-interface 200

[Switch A-Vlan-interface200] ip address 12.0.0.1 255.0.0.0

# Configure three static routes.

[Switch A] ip route-static 20.0.0.1 255.255.255.255 12.0.0.1

[Switch A] ip route-static 30.0.0.1 255.255.255.255 12.0.0.1

[Switch A] ip route-static 40.0.0.1 255.255.255.255 12.0.0.1

# Enable the OSPF protocol and specify the number of the area to which the interface belongs.

[Switch A] router id 1.1.1.1

[Switch A] ospf

[Switch A-ospf] area 0

[Switch A-ospf-area-0.0.0.0] network 10.0.0.0 0.0.0.255

# Import the static routes

[Switch A-ospf] import-route static

Configure Switch B:

# Configure the IP address of VLAN interface.

[Switch B] interface vlan-interface 100


[Switch B-Vlan-interface100] ip address 10.0.0.2 255.0.0.0

# Configure the access control list.

[Switch B] acl number 2000

[Switch B-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255

[Switch B-acl-basic-2000] rule permit source any

# Enable the OSPF protocol and specify the number of the area to which the interface belongs.

[Switch B] router id 2.2.2.2

[Switch B] ospf

[Switch B-ospf] area 0

[Switch B-ospf-area-0.0.0.0] network 10.0.0.0 0.0.0.255

# Configure OSPF to filter the external routes received.

[Switch B-ospf] filter-policy 2000 import

6.5 Routing Policy Fault Diagnosis and Troubleshooting

Fault 1: Routing information filtering cannot be implemented in normal operation of the routing protocol

Please check for the following faults:

The if-match mode of at least one node of the Route-policy should be the permit mode. When a Route-policy is used for the routing information filtering, if a piece of routing information does not pass the filtering of any node, then it means that the route information does not pass the filtering of the Route-policy. When all the nodes of the Route-policy are in the deny mode, then all the routing information cannot pass the filtering of the Route-policy.

The match mode of at least one list item of the ip-prefix should be the permit mode. List items in deny mode can be defined first to rapidly filter out the routing information not satisfying the requirement, but if all the items are in deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0/0 less-equal 32 after the deny-mode list items so as to let all the other routes pass the filtering (if less-equal 32 is not specified, only the default route will be matched).

Page 243: S3500 Series Operation Manual

Operation Manual - Routing Protocol Quidway S3500 Series Ethernet Switches Chapter 7 Route Capacity Configuration

7-1

Chapter 7 Route Capacity Configuration

7.1 Route Capacity Configuration Overview

7.1.1 Introduction

In practical networking applications, there is always a large number of routes in the routing table especially OSPF routes and BGP routes. The routing information is usually stored in the memory of the Ethernet switch. When the size of the routing table increases, the total memory of the Ethernet switch will not change (unless the hardware is upgraded but upgrading cannot be guaranteed to solve all problems).

In order to solve such problem, Quidway S3500 Series Ethernet Switches provide a mechanism to control the size of the routing table: Monitor the free memory in the system to determine whether to add new routes to the routing table and whether to keep connection with a routing protocol.

Note:

It should be noted that the default values normally meet the requirements. Users are advised not to modify the configuration, since an improper configuration can reduce the stability and availability of the system.

7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch

Usually, the huge size of the routing table is caused by BGP routes and OSPF routes. Therefore, the route capacity limitation of S3500 Series Ethernet Switches is only effective to these two types of routes and has no impact on static routes and other dynamic routing protocols.

When the free memory of an Ethernet switch drops to the lower limit value, the system disconnects BGP and OSPF and removes the corresponding routes from the routing table so that the memory they occupied is released. The system checks the free memory periodically. When the free memory is detected to have recovered to the safety value, the BGP and OSPF connections are restored.


7.2 Route Capacity Configuration

Route capacity configuration includes:

Set the lower limit of the Ethernet switch memory
Set the safety value of the Ethernet switch memory
Set the lower limit and the safety value of the Ethernet switch memory simultaneously
Restore the lower limit and the safety value of the Ethernet switch memory to the default value
Disable the Ethernet switch to recover the disconnected routing protocol automatically
Enable the Ethernet switch to recover the disconnected routing protocol automatically

7.2.1 Set the Lower Limit of the Ethernet switch Memory

When the free memory of the Ethernet switch is equal to or lower than the lower limit, BGP and OSPF will be disconnected.

Perform the following configurations in system view.

Table 7-1 Set the lower limit of the Ethernet switch memory

Operation: Set the lower limit of the Ethernet switch memory
Command: memory limit value

By default, the lower limit of the Ethernet switch memory is 2Mbytes, that is, when the available memory is less than 2Mbytes, BGP and OSPF will be disconnected and BGP routes and OSPF routes will be removed from the routing table.

The lower limit value set for the memory must be smaller than the safety value.

7.2.2 Set the Safety Value of the Ethernet switch Memory

When the free memory value reduces to the safety value but does not reach the lower limit value yet, the display memory limit command can be used to see that the Ethernet switch is in an exigent state.

If memory automatic restoration is enabled, when the free memory of the Ethernet switch exceeds the safety value, the disconnected BGP and OSPF will be restored.

Perform the following configurations in system view.


Table 7-2 Set the safety value of the Ethernet switch memory

Operation: Set the safety value of the Ethernet switch memory
Command: memory safety value

By default, the safety value of the Ethernet switch memory is 4Mbytes.

The safety value of the Ethernet switch memory must be larger than the lower limit value.

7.2.3 Set the Lower Limit and the Safety Value Simultaneously

When you need to modify both the lower limit and the safety value of the Ethernet switch memory, you can (and are recommended to) simultaneously modify the two configurations.

You can also restore the lower limit and the safety value of the Ethernet switch memory to the default value at the same time if it is necessary.

Perform the following configuration in the system view.

Table 7-3 Set the lower limit and the safety value of the Ethernet switch memory simultaneously

Operation: Set the lower limit and the safety value of the Ethernet switch memory simultaneously
Command: memory { safety safety-value | limit limit-value }*

Operation: Restore the lower limit and the safety value of the Ethernet switch memory to the default value
Command: undo memory [ safety | limit ]

The default values of the lower limit and the safety value of the Ethernet switch memory are 2Mbytes and 4Mbytes respectively.

Note:

It should be noted that the safety-value must be larger than the limit-value during the configuration.


7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically

If the memory automatic restoration function of an Ethernet switch is disabled, the connections of the routing protocols will not be restored even if the free memory recovers to the safety value. Therefore, this configuration should be performed cautiously.

Perform the following configurations in system view.

Table 7-4 Disable the Ethernet switch to recover the disconnected routing protocol automatically

Operation: Disable the memory automatic restoration function of an Ethernet switch
Command: memory auto-establish disable

By default, the memory automatic restoration function of an Ethernet switch is enabled.

7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically

Perform the following configurations in system view.

Table 7-5 Enable the Ethernet switch to recover the disconnected routing protocol automatically

Operation: Enable the memory automatic restoration function
Command: memory auto-establish enable

By default, memory automatic restoration function is enabled.
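The memory thresholds of Chapter 7 modelled as a small state machine, added here as an illustration and not taken from the switch software: the gap between the lower limit and the safety value gives hysteresis, and memory auto-establish decides whether the disconnected protocols come back. The state names and the check() routine are this example's own.

```python
"""Added example: the route capacity mechanism of Chapter 7 as a state machine."""
from dataclasses import dataclass
from typing import List, Optional

MB = 1024 * 1024


@dataclass
class RouteCapacity:
    limit: int = 2 * MB           # default lower limit (7.2.1)
    safety: int = 4 * MB          # default safety value (7.2.2)
    auto_establish: bool = True   # memory auto-establish enable/disable (7.2.4, 7.2.5)
    state: str = "normal"         # "normal", "exigent" or "disconnected" (names assumed)

    def configure(self, limit: Optional[int] = None, safety: Optional[int] = None) -> None:
        """Equivalent of `memory { safety safety-value | limit limit-value }*`:
        the safety value must be larger than the lower limit (7.2.3)."""
        new_limit = self.limit if limit is None else limit
        new_safety = self.safety if safety is None else safety
        if new_limit >= new_safety:
            raise ValueError("safety value must be larger than the lower limit")
        self.limit, self.safety = new_limit, new_safety

    def check(self, free_memory: int) -> str:
        """One periodic free-memory check; returns the resulting state.
        free <= limit:          BGP and OSPF are disconnected and their routes removed
        limit < free <= safety: exigent; an already disconnected switch stays disconnected
        free > safety:          reconnect, but only if auto-establish is enabled"""
        if free_memory <= self.limit:
            self.state = "disconnected"
        elif free_memory <= self.safety:
            if self.state != "disconnected":
                self.state = "exigent"
        elif self.state != "disconnected" or self.auto_establish:
            self.state = "normal"
        return self.state


def simulate(readings: List[int], auto_establish: bool = True) -> List[str]:
    """Feed a sequence of free-memory readings (bytes) and return the state after each."""
    switch = RouteCapacity(auto_establish=auto_establish)
    return [switch.check(r) for r in readings]


def configure_rejected(limit: int, safety: int) -> bool:
    """True when the switch would refuse the pair because limit >= safety."""
    try:
        RouteCapacity().configure(limit=limit, safety=safety)
    except ValueError:
        return True
    return False
```

Feeding the readings 5, 3, 1, 3 and 5 Mbytes shows the switch passing through exigent to disconnected, staying disconnected at 3 Mbytes, and recovering only once free memory exceeds the safety value (and only when auto-establish is enabled).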

7.3 Display and Debug Route Capacity

After the above configuration, execute the display command in any view to show the running route capacity configuration.

Table 7-6 Display and debug route capacity

Operation: Display the route capacity related memory setting and state information
Command: display memory limit


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

6. Multicast

Page 248: S3500 Series Operation Manual

Operation Manual - Multicast Quidway S3500 Series Ethernet Switches Table of Contents

i

Table of Contents

Chapter 1 IP Multicast Overview 1-1
1.1 IP Multicast Overview 1-1
1.2 Multicast Addresses 1-2
1.2.1 IP Multicast Addresses 1-2
1.2.2 Ethernet Multicast MAC Addresses 1-4
1.3 IP Multicast Protocols 1-4
1.3.1 Internet Group Management Protocol 1-4
1.3.2 Multicast Routing Protocol 1-5
1.4 IP Multicast Packet Forwarding 1-6
1.5 Application of Multicast 1-6

Chapter 2 GMRP Configuration 2-1
2.1 GMRP Overview 2-1
2.2 Configure GMRP 2-1
2.2.1 Enable/Disable GMRP Globally 2-1
2.2.2 Enable/Disable GMRP on the Port 2-2
2.3 Display and debug GMRP 2-2
2.4 GMRP Configuration Example 2-2

Chapter 3 IGMP Snooping Configuration 3-1
3.1 IGMP Snooping Overview 3-1
3.1.1 IGMP Snooping Principle 3-1
3.1.2 Implement IGMP Snooping 3-3
3.2 Configure IGMP Snooping 3-5
3.2.1 Enable/Disable IGMP Snooping 3-5
3.2.2 Configure Router Port Aging Time 3-6
3.2.3 Configure Maximum Response Time 3-6
3.2.4 Configure Aging Time of Multicast Group Member 3-6
3.3 Display and debug IGMP Snooping 3-7
3.4 IGMP Snooping Configuration Example 3-7
3.4.1 Enable IGMP Snooping 3-7
3.5 Troubleshoot IGMP Snooping 3-8

Chapter 4 Common Multicast Configuration 4-1
4.1 Introduction to Common Multicast Configuration 4-1
4.2 Common Multicast Configuration 4-1
4.2.1 Enable Multicast 4-1
4.3 Display and Debug Common Multicast Configuration 4-1

Chapter 5 IGMP Configuration 5-1
5.1 IGMP Overview 5-1
5.2 IGMP Configuration 5-2
5.2.1 Enable Multicast 5-2
5.2.2 Configure the IGMP Version 5-3
5.2.3 Configure a Router to Join Specified Multicast Group 5-3
5.2.4 Limit Multicast Groups An Interface Can Access 5-4
5.2.5 Configure the Interval to Send IGMP Query Message 5-4
5.2.6 Configure the Present Time of IGMP Querier 5-4
5.2.7 Configure Maximum Response Time for IGMP Query Message 5-5
5.3 Display and Debug IGMP 5-5

Chapter 6 PIM-DM Configuration 6-1
6.1 PIM-DM Configuration 6-2
6.1.1 Enable Multicast 6-3
6.1.2 Enable PIM-DM 6-3
6.1.3 Configure the Interface Hello Message Interval 6-3
6.2 Display and Debug PIM-DM 6-4
6.3 PIM-DM Configuration Example 6-4

Chapter 7 PIM-SM Configuration 7-1
7.1 PIM-SM Overview 7-1
7.1.1 Introduction to PIM-SM 7-1
7.1.2 PIM-SM Operating Principle 7-1
7.1.3 Preparations before Configuring PIM-SM 7-2
7.2 PIM-SM Configuration 7-3
7.2.1 Enable Multicast 7-4
7.2.2 Enable PIM-SM 7-4
7.2.3 Configure the Interface Hello Message Interval 7-4
7.2.4 Configure the PIM-SM Domain Border 7-5
7.2.5 Enter PIM View 7-5
7.2.6 Configure Candidate-BSRs 7-5
7.2.7 Configure Candidate-RPs 7-6
7.2.8 Configure Static RP 7-7
7.2.9 Configure RP to Filter the Register Messages Sent by DR 7-7
7.2.10 Set the Threshold of Switchover from the RPT to the SPT 7-8
7.2 PIM-SM Configuration ....................................................................................................... 7-3 7.2.1 Enable Multicast ...................................................................................................... 7-4 7.2.2 Enable PIM-SM ....................................................................................................... 7-4 7.2.3 Configure the Interface Hello Message Interval...................................................... 7-4 7.2.4 Configure the PIM-SM Domain Border ................................................................... 7-5 7.2.5 Enter PIM View........................................................................................................ 7-5 7.2.6 Configure Candidate-BSRs..................................................................................... 7-5 7.2.7 Configure Candidate-RPs ....................................................................................... 7-6 7.2.8 Configure Static RP................................................................................................. 7-7 7.2.9 Configure RP to Filter the Register Messages Sent by DR .................................... 7-7 7.2.10 Set the Threshold of Switchover from the RPT to the SPT .................................. 7-8

7.3 Display and Debug PIM-SM .............................................................................................. 7-8 7.4 PIM-SM Configuration Example ........................................................................................ 7-9


Chapter 1 IP Multicast Overview

Note:

When an Ethernet switch runs a multicast protocol, it can perform router functions. "Router" in the following text therefore refers either to a router in the usual sense or to an Ethernet switch running multicast protocols. To improve readability, this is not repeated in the other parts of the manual.

1.1 IP Multicast Overview

Various transmission methods can be used when the destination of the information (data, voice or video) is only a small part of the users on the network. The unicast mode can be used, i.e., an independent data transmission path is established for each user. Or the broadcast mode can be used, i.e., the information is sent to all users on the network, who receive it whether they need it or not. For example, if the same information is required by 200 users on the network, the traditional solution is to send the information 200 times in unicast mode so that each of these users receives the data they need. In the broadcast mode, the data is broadcast over the entire network and users who need it pick it up directly from the network. Both methods greatly waste precious bandwidth. In addition, the broadcast mode cannot ensure the security and secrecy of the information.

The emergence of IP multicast technology solves this problem. The multicast source sends the information only once. Multicast routing protocols establish a tree-shaped route for multicast packets, and the information is replicated and distributed at the branch points of the tree, as far downstream as possible (see Figure 1-1). The information is therefore delivered correctly and efficiently to every user who needs it.


[Figure 1-1 (diagram): a Server sending to six Receivers, once by Unicast (one copy per receiver) and once by Multicast (one copy, replicated in the network)]

Figure 1-1 Comparison between the unicast and multicast transmission

It should be noted that a multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and it is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously.

A router that does not support multicast may exist on the network. In that case a multicast router can encapsulate the multicast packets in unicast IP packets (tunneling) and send them to the neighboring multicast router, which removes the unicast IP header and continues the multicast transmission. This avoids major changes to the network architecture.

Multicast advantages:

- Enhanced efficiency: reduces network traffic and relieves server and CPU loads.
- Optimized performance: decreases traffic redundancy.
- Distributed applications: makes multipoint applications possible.

1.2 Multicast Addresses

1.2.1 IP Multicast Addresses

The destination addresses of multicast packets use Class D IP addresses ranging from 224.0.0.0 to 239.255.255.255. Class D addresses cannot appear in the source IP address fields of IP packets.

During unicast data transmission, a packet is transmitted along a path from the source address to the destination address following the "hop-by-hop" principle of the IP network. In IP multicast, however, a packet has more than one destination address, i.e., a group of addresses. All the receivers of the information join a group. Once a receiver joins the group, data flowing to the group is sent to the receiver immediately, and all members of the group receive the packets. Membership of a multicast group is dynamic, that is, hosts can join and leave groups at any time.

A multicast group can be either permanent or temporary. Part of the multicast address space is officially assigned to permanent multicast groups. The IP address of a permanent group stays unchanged, but the members of the group can change; the number of members in a permanent multicast group is arbitrary and can even be 0. The IP multicast addresses that are not reserved for permanent multicast groups can be used by temporary groups.

Ranges and meanings of Class D addresses are shown in Table 1-1.

Table 1-1 Ranges and meanings of Class D addresses

Class D address range          Meaning
224.0.0.0 to 224.0.0.255       Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved; the other addresses can be used by routing protocols.
224.0.1.0 to 238.255.255.255   Multicast addresses available for users (addresses of temporary groups). They are valid in the entire network.
239.0.0.0 to 239.255.255.255   Multicast addresses for local management. They are valid only in the specified local range.

Reserved multicast addresses that are commonly used are shown in the following table:

Table 1-2 Reserved multicast address list

Class D address   Meaning
224.0.0.0         Base address (reserved)
224.0.0.1         Addresses of all hosts
224.0.0.2         Addresses of all multicast routers
224.0.0.3         Unassigned
224.0.0.4         DVMRP routers
224.0.0.5         OSPF routers
224.0.0.6         OSPF DR (designated router)
224.0.0.7         ST routers
224.0.0.8         ST hosts
224.0.0.9         RIP-2 routers
224.0.0.10        IGRP routers
224.0.0.11        Mobile agents
224.0.0.12        DHCP server/Relay agent
224.0.0.13        All PIM routers
224.0.0.14        RSVP encapsulation
224.0.0.15        All CBT routers
224.0.0.16        Designated SBM
224.0.0.17        All SBMS
224.0.0.18        VRRP
...               ...


1.2.2 Ethernet Multicast MAC Addresses

When unicast IP packets are transmitted on the Ethernet, the destination MAC address is the MAC address of the receiver. When multicast packets are transmitted, however, the destination is no longer a specific receiver but a group whose members are not known in advance, so a multicast MAC address must be used. Multicast MAC addresses correspond to multicast IP addresses. IANA (Internet Assigned Numbers Authority) stipulates that the high-order 24 bits of a multicast MAC address are 0x01005e and the low-order 23 bits of the MAC address are the low-order 23 bits of the multicast IP address.

[Figure 1-2 (diagram): the 32-bit IP address, which starts with the fixed bits 1110, is mapped into the 48-bit MAC address 01-00-5e-xx-xx-xx; the 5 bits after the 1110 prefix are not mapped, and the lower 23 bits are directly mapped into the low-order 23 bits of the MAC address]

Figure 1-2 Mapping between the multicast IP address and the Ethernet MAC address

Because only 23 of the low-order 28 bits of an IP multicast address are mapped into the MAC address, 32 different IP multicast addresses map to the same MAC address.
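The mapping above, worked through in Python as an added example that is not part of the manual: it computes the MAC address for a Class D address and lists the 32 IP multicast addresses that share it, which a Layer 2 device forwarding on MAC multicast addresses cannot tell apart. The addresses used are constructed for illustration.

```python
import ipaddress
from typing import List

# IANA-stipulated high-order 24 bits of every Ethernet multicast MAC address.
MAC_PREFIX = 0x01005E


def multicast_ip_to_mac(ip: str) -> str:
    """Map a Class D IPv4 address to its Ethernet multicast MAC address.

    Only the low-order 23 bits of the IP address are copied into the MAC;
    the 5 bits above them (bits 23..27, just below the fixed 1110 prefix)
    are discarded, which is why 32 groups collide on one MAC address.
    """
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a Class D (224.0.0.0/4) address")
    low23 = int(addr) & 0x7FFFFF
    mac = (MAC_PREFIX << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ips_sharing_mac(ip: str) -> List[str]:
    """All 32 Class D addresses that map to the same MAC as `ip` (including `ip`)."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    class_d_base = 0xE0000000  # 224.0.0.0: the fixed 1110 prefix of Class D
    # Enumerate the 5 unmapped bits (bits 23..27) with the mapped 23 bits held fixed.
    return [
        str(ipaddress.IPv4Address(class_d_base | (unmapped << 23) | low23))
        for unmapped in range(32)
    ]


if __name__ == "__main__":
    # 224.0.0.5 (OSPF routers) shares its MAC with 31 user groups, e.g. 225.0.0.5.
    print(multicast_ip_to_mac("224.0.0.5"))
    print(ips_sharing_mac("224.0.0.5")[:3])
```

A consequence worth checking on a switch that builds a MAC multicast table (Chapter 3): a member of 225.0.0.5 is, at Layer 2, also a receiver of OSPF's 224.0.0.5 traffic.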

1.3 IP Multicast Protocols

Multicast involves a multicast group management protocol and a multicast routing protocol. At present, the multicast group management protocol is IGMP, which serves as the basic signaling protocol of IP multicast. It runs between hosts and routers and lets routers learn whether there are members of a multicast group on the network segment. The multicast routing protocol runs between multicast routers; it creates and maintains multicast routes and implements correct, efficient forwarding of multicast packets. At present, multicast routing protocols mainly include PIM-SM, PIM-DM and MSDP. The unicast routing protocol BGP can also be extended to carry multicast routing information between domains.

1.3.1 Internet Group Management Protocol

Internet Group Management Protocol is the only one of these protocols that hosts use. It defines the mechanism by which membership is established and maintained between hosts and routers and is the basis of all IP multicast. Hosts report their group membership to the router through IGMP, and the router thereby learns which groups have members on its directly connected network segments. If a user on the network joins a multicast group through an IGMP declaration, the multicast router on that network obtains the information sent to the multicast group through the multicast routing protocol, and the network is finally added to the multicast tree as a branch. Once the host, as a member of the multicast group, begins receiving the information, the router queries the group periodically to check whether it still has members. As long as at least one host remains a member, the router continues to receive the data. When all users on the network quit the multicast group, the related branches are removed from the multicast tree.

1.3.2 Multicast Routing Protocol

A multicast group address is a virtual address. Unicast routes packets from the data source to one specified destination address; this is impossible for multicast, where the application sends packets to a group of receivers (identified by a multicast address) rather than to a single receiver (identified by a unicast address).

The multicast routing creates a loop-free data transmission path from one data source to multiple receivers. The task of the multicast routing protocol is to build up the distribution tree architecture. A multicast router can use multiple methods to build up a path for data transmission, i.e., the distribution tree.

PIM-DM (Protocol Independent Multicast Dense Mode)

PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source, so multicast packets are flooded to all points of the network, consuming the related resources (such as bandwidth and router CPU). To reduce the consumption of these precious network resources, branches that have no members send Prune messages toward the source to prune off the unwanted traffic. So that receivers in pruned branches that later need the multicast data can still receive it, pruned branches are periodically restored to the forwarding state. To reduce the time a pruned branch waits to be restored, PIM dense mode uses the prune mechanism to actively restore the forwarding of multicast packets. Periodic flooding and pruning are the characteristics of PIM dense mode. Generally, the forwarding path in dense mode is a "source tree" rooted at the source with the multicast members as its branches. Since the source tree uses the shortest path between the multicast source and the receivers, it is also called the shortest path tree (SPT).

PIM-SM (Protocol Independent Multicast Sparse Mode)

Dense mode uses the flood-and-prune technique, which is not suitable for a WAN. In a WAN, multicast receivers are sparse, so sparse mode is mostly used. In sparse mode, by default no host receives multicast packets unless it explicitly requests them. To receive the multicast traffic of a specified group, a multicast router must send a join message to the RP (Rendezvous Point) corresponding to the group; the RP has to be set up in the network and is the virtual place where data is exchanged. The join message passes through routers and finally reaches the root, i.e., the RP. The path the join message traveled becomes a branch of the shared tree. In PIM sparse mode, multicast packets are sent to the RP first and then forwarded along the shared tree, which is rooted at the RP and has the members as its branches. To prevent branches of the shared tree from being deleted because they are not refreshed, PIM sparse mode sends join messages along the branches periodically to maintain the multicast distribution tree.

To send data to the specified group address, a sender must first register with the RP before forwarding data to it. When the data reaches the RP, the multicast packets are replicated and sent to the receivers along the paths of the distribution tree. Replication happens only at the branch points of the distribution tree. This process repeats automatically until the packets reach their destinations.

1.4 IP Multicast Packet Forwarding

In the multicast model, the source host sends information to the host group represented by the multicast group address within the destination address fields of the IP packets. Different from the unicast model, the multicast model must forward the multicast packets to multiple external interfaces so that the packets can be sent to all receivers. Therefore, the multicast forwarding process is much more complex than the unicast forwarding process.

RPF (Reverse Path Forwarding)

To ensure that a multicast packet reaches the router along the shortest path, multicast must rely on the unicast routing table, or on a unicast routing table provided independently for multicast (such as the MBGP multicast routing table), to check the interface on which multicast packets are received. This check, known as the RPF (Reverse Path Forwarding) check, is the basis on which most multicast routing protocols perform multicast forwarding. A multicast router uses the source address of the arriving multicast packet to query the unicast routing table or the independent multicast routing table, and so determines whether the interface on which the packet arrived is on the shortest path from the receiver back to that source address. If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source address is the address of the root of the shared tree (the RP). When a multicast packet arrives at the router and the RPF check succeeds, the packet is forwarded according to the multicast forwarding entry; otherwise the packet is dropped.
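An added illustration of the RPF check described above, not taken from the manual: a Python model with a constructed unicast routing table and a constructed (S, G) outgoing interface list, covering both the source-tree case (check against the source host) and the shared-tree case (check against the RP). Interface names, prefixes and the RP address are assumed values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed unicast routing table: (prefix, interface this router uses to reach it).
UNICAST_ROUTES: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "Vlan-interface10"),
    ("10.1.5.0/24", "Vlan-interface20"),   # more specific than 10.1.0.0/16
    ("192.0.2.0/24", "Vlan-interface30"),  # the RP (192.0.2.1) lives behind this one
]


def lookup_unicast(table: List[Tuple[str, str]], address: str) -> Optional[str]:
    """Longest-prefix match: the interface this router would send unicast to `address` on."""
    dst = ipaddress.IPv4Address(address)
    best_iface, best_len = None, -1
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def rpf_address(source: str, rp: Optional[str], tree: str) -> str:
    """Source tree: check against the sending host; shared tree: against the RP (the root)."""
    if tree == "shared":
        if rp is None:
            raise ValueError("a shared tree needs an RP address")
        return rp
    return source


def rpf_check(table, source: str, incoming_iface: str, tree: str = "source",
              rp: Optional[str] = None) -> bool:
    """Pass only if the packet arrived on the interface that leads back to the RPF address."""
    return lookup_unicast(table, rpf_address(source, rp, tree)) == incoming_iface


def forward(table, oil: Dict[Tuple[str, str], List[str]], source: str, group: str,
            incoming_iface: str, tree: str = "source", rp: Optional[str] = None) -> List[str]:
    """Outgoing interfaces for a multicast packet, or [] when it must be dropped."""
    if not ipaddress.IPv4Address(group).is_multicast:
        return []
    if not rpf_check(table, source, incoming_iface, tree, rp):
        # Wrong incoming interface: a looped copy or a packet injected off-path. Drop it
        # rather than replicate it; this is the protection the RPF check provides.
        return []
    # Multicast forwarding entry: every outgoing interface except the one it came in on.
    return [i for i in oil.get((source, group), []) if i != incoming_iface]


if __name__ == "__main__":
    oil = {("10.1.5.7", "224.1.1.1"): ["Vlan-interface10", "Vlan-interface20", "Vlan-interface40"]}
    print(forward(UNICAST_ROUTES, oil, "10.1.5.7", "224.1.1.1", "Vlan-interface20"))  # replicated
    print(forward(UNICAST_ROUTES, oil, "10.1.5.7", "224.1.1.1", "Vlan-interface10"))  # dropped
```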

1.5 Application of Multicast

IP multicast technology effectively solves the problem of forwarding packets from a single point to multiple points. It implements efficient single-point to multi-point data transmission in IP networks, saving a large amount of network bandwidth and reducing network load. New value-added services that take advantage of multicast can be delivered in the Internet information service area, including direct broadcasting, Web TV, distance learning, distance medicine, net broadcasting stations and real-time audio/video conferencing.

- Multimedia and streaming media applications
- Communications of training and corporate sites
- Data repository and finance (stock) applications
- Any "point-to-multipoint" data distribution

With the increase of multimedia services on IP networks, multicast has huge market potential and multicast services will become popular gradually.


Chapter 2 GMRP Configuration

2.1 GMRP Overview

GMRP (GARP Multicast Registration Protocol), based on GARP, is used for maintaining the dynamic multicast registration information of the switch. All switches that support GMRP can receive multicast registration information from other switches and dynamically update their local multicast registration information; likewise, local multicast registration information can be transmitted to other switches. This information exchange mechanism keeps the multicast information maintained by every GMRP-supporting device in the same switching network consistent.

A host transmits a GMRP Join message if it wants to join a multicast group. After receiving the message, the switch adds the port to the multicast group and broadcasts the message throughout the VLAN, so that the multicast source in the VLAN learns of the new member. When the multicast source sends packets to its group, the switch forwards the packets only to the ports connected to members, thereby implementing Layer 2 multicast within the VLAN.

The multicast information transmitted by GMRP includes local static multicast registration information configured manually and the multicast registration information dynamically registered by other switches.

2.2 Configure GMRP

The main tasks in GMRP configuration include:

- Enable/Disable GMRP globally
- Enable/Disable GMRP on the port

In the configuration process, GMRP must be enabled globally before it is enabled on the port.

2.2.1 Enable/Disable GMRP Globally

Perform the following configuration in system view.

Table 2-1 Enable/Disable GMRP globally

Operation               Command
Enable GMRP globally    gmrp
Disable GMRP globally   undo gmrp


By default, GMRP is disabled.

2.2.2 Enable/Disable GMRP on the Port

Perform the following configuration in Ethernet port view.

Table 2-2 Enable/Disable GMRP on the port

Operation                  Command
Enable GMRP on the port    gmrp
Disable GMRP on the port   undo gmrp

GMRP must be enabled globally before it is enabled on a port.

By default, GMRP is disabled on the port.

2.3 Display and debug GMRP

After the above configuration, execute the display command in any view to display the running status of the GMRP configuration and verify its effect.

Execute the debugging command in user view to debug GMRP.

Table 2-3 Display and debug GMRP

Operation                    Command
Display GMRP statistics      display gmrp statistics [ interface interface_list ]
Display GMRP global status   display gmrp status
Enable GMRP debugging        debugging gmrp event
Disable GMRP debugging       undo debugging gmrp event

2.4 GMRP Configuration Example

I. Networking requirements

Implement dynamic registration and update of multicast information between switches.


II. Networking diagram

[Figure 2-1 (diagram): Switch_A connected to Switch_B]

Figure 2-1 GMRP networking

III. Configuration procedure

Configure LS_A:

# Enable GMRP globally.

[Quidway] gmrp

# Enable GMRP on the port.

[Quidway] interface Ethernet 0/1

[Quidway-Ethernet0/1] gmrp

Configure LS_B:

# Enable GMRP globally.

[Quidway] gmrp

# Enable GMRP on the port.

[Quidway] interface Ethernet 0/1

[Quidway-Ethernet0/1] gmrp


Chapter 3 IGMP Snooping Configuration

Note:

Among S3500 Series Ethernet Switches, S3552 Series, S3528 Series and S3552F support IGMP Snooping.

3.1 IGMP Snooping Overview

3.1.1 IGMP Snooping Principle

IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on the Layer 2 Ethernet switch and it is used for multicast group management and control.

IGMP Snooping runs at the link layer. When the Layer 2 Ethernet switch receives the IGMP messages exchanged between hosts and the router, it uses IGMP Snooping to analyze the information they carry. If the switch hears an IGMP host report message from an IGMP host, it adds the host to the corresponding multicast table. If the switch hears an IGMP leave message from an IGMP host, it removes the host from the corresponding multicast table. By continuously listening to IGMP messages, the switch creates and maintains a MAC multicast address table on Layer 2, and can then forward the multicast packets received from the upstream router according to that table.

When IGMP Snooping is disabled, the packets are multicast on Layer 2. See the following figure:


[Figure 3-1 (diagram): a VOD Server on the Internet/Intranet sends a video stream through a multicast router to a Layer 2 Ethernet switch; without IGMP Snooping the switch delivers the video stream to the multicast group member and to the non-multicast group members alike]

Figure 3-1 Multicast packet transmission without IGMP Snooping

When IGMP Snooping runs, the packets are not broadcast on Layer 2. See the following figure:

[Figure 3-2 (diagram): the same VOD Server, multicast router and Layer 2 Ethernet switch; with IGMP Snooping running the switch delivers the video stream only to the multicast group member, not to the non-multicast group members]

Figure 3-2 Multicast packet transmission when IGMP Snooping runs


3.1.2 Implement IGMP Snooping

I. Related concepts of IGMP Snooping

To facilitate the description, this section first introduces some switch-related concepts of IGMP Snooping:

- Router port: the port of the switch that is directly connected to the multicast router.
- Multicast member port: the port connected to a multicast member, i.e. a host that has joined a multicast group.
- MAC multicast group: a multicast group identified by a MAC multicast address and maintained by the Ethernet switch.
- Router port aging time: the time set on the router port aging timer. If the switch receives no IGMP general query message before the timer expires, it no longer considers the port a router port.
- Multicast group member port aging time: when a port joins an IP multicast group, the aging timer of the port starts. The multicast group member port aging time is the time set on this timer. If the switch receives no IGMP report message before the timer expires, it transmits an IGMP specific query message to the port.
- Maximum response time: when the switch transmits an IGMP specific query message to a multicast member port, it starts a response timer that limits how long the port has to respond to the query. If the switch receives no IGMP report message before the timer expires, it removes the port from the multicast member ports.

II. Implement Layer 2 multicast with IGMP Snooping

The Ethernet switch runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address. To implement IGMP Snooping, the Layer 2 Ethernet switch processes different IGMP messages in the way illustrated in the figure below:


[Figure 3-3 (diagram): IGMP packets exchanged between an Ethernet switch running IGMP Snooping and a router running IGMP that is connected to the Internet]

Figure 3-3 Implement IGMP Snooping

1) IGMP general query message: transmitted by the multicast router to the multicast group members to find out which groups have members. When an IGMP general query message arrives at a router port, the Ethernet switch resets the aging timer of that port. When a port other than a router port receives the IGMP general query message, the Ethernet switch notifies the multicast router that a port is ready to join a multicast group and starts the aging timer for the port.

2) IGMP specific query message: transmitted by the multicast router to the multicast members to query whether a specific group still contains any member. When the switch receives an IGMP specific query message, it transmits the message only to the ports of the IP multicast group being queried.

3) IGMP report message: transmitted by a host to the multicast router, either to join a multicast group or to respond to an IGMP query message. When the switch receives an IGMP report message, it checks whether the MAC multicast group corresponding to the IP multicast group the host wants to join already exists. If the MAC multicast group does not exist, the switch notifies the router that a member is ready to join the group, creates a new MAC multicast group, adds the port on which the message was received to it, starts the aging timer of that port, adds all the router ports in the native VLAN of the port to the MAC multicast forwarding table, and at the same time creates an IP multicast group and adds the receiving port to it. If the MAC multicast group exists but does not contain the receiving port, the switch adds the port to the group and starts the port aging timer; it then checks whether the corresponding IP multicast group exists, creates it and adds the port to it if not, and otherwise adds the port to the existing IP multicast group. If the MAC multicast group exists and already contains the receiving port, the switch only resets the aging timer of the port.

4) IGMP leave message: transmitted by a multicast group member to the multicast router to announce that the host has left the multicast group. When the switch receives a leave message for an IP multicast group, it transmits a specific query for that group to the port on which the leave message was received, to check whether any other member of the group is still attached to that port, and at the same time starts a maximum response timer. If the switch receives no report message for the group before the timer expires, it removes the port from the corresponding MAC multicast group. If the MAC multicast group then has no member left, the switch notifies the multicast router to remove it from the multicast tree.
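The message handling in items 1) to 4), modelled in Python as an added example that is not part of the manual: a snooping table with router ports, member ports and the three timers. The timer defaults (260 s router port aging, 260 s member port aging, 10 s maximum response) are the ones stated in this chapter; the port names and group addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Defaults of igmp-snooping router-aging-time, host-aging-time and
# max-response-time, in seconds.
ROUTER_AGING = 260
HOST_AGING = 260
MAX_RESPONSE = 10


@dataclass
class SnoopingTable:
    """IGMP Snooping state of one VLAN on a Layer 2 switch (constructed model)."""
    router_ports: Dict[str, float] = field(default_factory=dict)         # port -> expiry
    members: Dict[str, Dict[str, float]] = field(default_factory=dict)   # group -> {port: expiry}
    pending: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (group, port) -> deadline
    upstream: List[Tuple[str, str]] = field(default_factory=list)        # ("join"/"leave", group)

    def general_query(self, port: str, now: float) -> None:
        """General query seen on a port: it is a router port; (re)start its aging timer."""
        self.router_ports[port] = now + ROUTER_AGING

    def report(self, port: str, group: str, now: float) -> None:
        """Host report: create the group if needed (and tell the router), add the port,
        start or reset its aging timer. A report also answers a pending specific query."""
        ports = self.members.setdefault(group, {})
        if not ports:
            self.upstream.append(("join", group))
        ports[port] = now + HOST_AGING
        self.pending.pop((group, port), None)

    def leave(self, port: str, group: str, now: float) -> None:
        """Leave: send a group-specific query to that port, start the max response timer."""
        if port in self.members.get(group, {}):
            self.pending[(group, port)] = now + MAX_RESPONSE

    def tick(self, now: float) -> None:
        """Advance time: expire router ports, unanswered specific queries, member ports."""
        for port, expiry in list(self.router_ports.items()):
            if now >= expiry:
                del self.router_ports[port]
        for (group, port), deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[(group, port)]
                self._remove_member(group, port)
        for group, ports in list(self.members.items()):
            for port, expiry in list(ports.items()):
                if now >= expiry and (group, port) not in self.pending:
                    # Member port aged out: send a specific query, start the response timer.
                    self.pending[(group, port)] = now + MAX_RESPONSE

    def _remove_member(self, group: str, port: str) -> None:
        self.members.get(group, {}).pop(port, None)
        if group in self.members and not self.members[group]:
            del self.members[group]
            self.upstream.append(("leave", group))  # ask the router to prune the branch

    def egress_ports(self, group: str) -> Set[str]:
        """Ports a frame for `group` is forwarded to: member ports plus router ports."""
        return set(self.members.get(group, {})) | set(self.router_ports)


def demo() -> Tuple[Set[str], Set[str], bool]:
    """Walk through join, constrained forwarding and leave with constructed ports."""
    t = SnoopingTable()
    t.general_query("Ethernet0/1", now=0)          # router port learned
    t.report("Ethernet0/5", "224.1.1.1", now=1)    # host on 0/5 joins
    members_egress = t.egress_ports("224.1.1.1")   # {0/1, 0/5}
    other_egress = t.egress_ports("224.2.2.2")     # {0/1}: no flooding to 0/5
    t.leave("Ethernet0/5", "224.1.1.1", now=2)
    t.tick(now=2 + MAX_RESPONSE)                   # no report came back: 0/5 removed
    return members_egress, other_egress, "224.1.1.1" in t.members
```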

3.2 Configure IGMP Snooping

The main IGMP Snooping configuration tasks include:

- Enable/disable IGMP Snooping
- Configure the aging time of the router port
- Configure the maximum response time
- Configure the aging time of the multicast group member port

Among these tasks, enabling IGMP Snooping is required, while the others are optional, depending on your requirements.

3.2.1 Enable/Disable IGMP Snooping

You can use the following commands to enable/disable IGMP Snooping to control whether MAC multicast forwarding table is created and maintained on Layer 2.

Perform the following configuration in system view.

Table 3-1 Enable/Disable IGMP Snooping

Operation                      Command
Enable/disable IGMP Snooping   igmp-snooping { enable | disable }
Restore the default setting    undo igmp-snooping

IGMP Snooping and GMRP cannot run at the same time. Before enabling IGMP Snooping, you can check whether GMRP is running with the display gmrp status command, in any view.

By default, IGMP Snooping is disabled.


3.2.2 Configure Router Port Aging Time

This task is to manually configure the router port aging time. If the switch receives no general query message from the router before the router port ages out, it removes the port from all MAC multicast groups.

Perform the following configuration in system view.

Table 3-2 Configure router port aging time

Operation                          Command
Configure router port aging time   igmp-snooping router-aging-time seconds
Restore the default aging time     undo igmp-snooping router-aging-time

By default, the router port aging time is 260 seconds.

3.2.3 Configure Maximum Response Time

This task is to manually configure the maximum response time. If the Ethernet switch receives no report message from a port in the maximum response time, it will remove the port from the multicast group.

Perform the following configuration in system view.

Table 3-3 Configure the maximum response time

Operation                             Command
Configure the maximum response time   igmp-snooping max-response-time seconds
Restore the default setting           undo igmp-snooping max-response-time

By default, the maximum response time is 10 seconds.

3.2.4 Configure Aging Time of Multicast Group Member

This task is to manually set the aging time of the multicast group member port. If the switch receives no report message for the multicast group during the member port aging time, it transmits a specific query message to that port and starts a maximum response timer.

Perform the following configuration in system view.

Table 3-4 Configure aging time of the multicast member

Operation                                       Command
Configure aging time of the multicast member    igmp-snooping host-aging-time seconds
Restore the default setting                     undo igmp-snooping host-aging-time

By default, the aging time of the multicast member is 260 seconds.
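The three timers in sections 3.2.2 to 3.2.4 interact, and the following Python model, added here and not part of the Quidway manual or switch software, replays them on a constructed timeline: router port aging removes the port from every group, member port aging first triggers a group-specific query, and the member port is dropped only if no report arrives within the maximum response time. The port names, event functions and timeline are assumptions of this example; the default values are the manual's.

```python
"""Model of the IGMP Snooping aging timers described in section 3.2.
Added example, not Quidway code; port names and events are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ROUTER_AGING_TIME = 260   # igmp-snooping router-aging-time, default 260 s
HOST_AGING_TIME = 260     # igmp-snooping host-aging-time, default 260 s
MAX_RESPONSE_TIME = 10    # igmp-snooping max-response-time, default 10 s


@dataclass
class MemberPort:
    last_report: int                     # time of the last report seen on this port
    query_sent_at: Optional[int] = None  # set while a group-specific query is outstanding


@dataclass
class SnoopingVlan:
    """One VLAN's snooping state: router ports keyed by the time of their last
    general query, and groups keyed by address with their member ports."""
    router_aging: int = ROUTER_AGING_TIME
    host_aging: int = HOST_AGING_TIME
    max_response: int = MAX_RESPONSE_TIME
    router_ports: dict[str, int] = field(default_factory=dict)
    groups: dict[str, dict[str, MemberPort]] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def general_query(self, port: str, now: int) -> None:
        """A general query from the router marks its ingress port as a router port."""
        self.router_ports[port] = now

    def report(self, group: str, port: str, now: int) -> None:
        """A membership report adds or refreshes the port; the fresh entry also
        cancels any outstanding group-specific query for that port."""
        self.groups.setdefault(group, {})[port] = MemberPort(last_report=now)

    def forwarding_ports(self, group: str) -> set[str]:
        """Ports that receive traffic for the group: its members plus every router port."""
        if group not in self.groups:
            return set()
        return set(self.groups[group]) | set(self.router_ports)

    def tick(self, now: int) -> None:
        """Run the timers up to time `now`."""
        # Router port aging: no general query within router_aging seconds
        # removes the port from every multicast group.
        for port, last in list(self.router_ports.items()):
            if now - last > self.router_aging:
                del self.router_ports[port]
                for members in self.groups.values():
                    members.pop(port, None)
                self.log.append(f"{now}: router port {port} aged out of every group")
        # Member port aging: first a group-specific query on that port, then
        # removal if no report arrives within max_response seconds.
        for group, members in list(self.groups.items()):
            for port, state in list(members.items()):
                if state.query_sent_at is None:
                    if now - state.last_report > self.host_aging:
                        state.query_sent_at = now
                        self.log.append(f"{now}: group-specific query for {group} sent to {port}")
                elif now - state.query_sent_at > self.max_response:
                    del members[port]
                    self.log.append(f"{now}: {port} removed from {group} "
                                    f"(no report within {self.max_response} s)")
            if not members:
                del self.groups[group]


def scenario() -> tuple[list[str], set[str]]:
    """Constructed timeline: the router on Ethernet0/1 queries every 60 s and
    fails after t=240; a host on Ethernet0/5 joins 224.1.1.1 and answers the
    first group-specific query but not the second."""
    vlan = SnoopingVlan()
    for t in range(0, 300, 60):                  # general queries at 0, 60, 120, 180, 240
        vlan.general_query("Ethernet0/1", now=t)
    vlan.report("224.1.1.1", "Ethernet0/5", now=1)
    vlan.tick(now=200)      # nothing has expired yet
    vlan.tick(now=262)      # 1 + 260 < 262: member timer expired, specific query sent
    vlan.report("224.1.1.1", "Ethernet0/5", now=265)   # host answers the query
    vlan.tick(now=276)      # answered in time, so the port stays
    vlan.tick(now=501)      # 240 + 260 < 501: router port aged out
    vlan.tick(now=526)      # 265 + 260 < 526: specific query sent again
    vlan.tick(now=537)      # 526 + 10 < 537: no answer, port removed, group gone
    return vlan.log, vlan.forwarding_ports("224.1.1.1")
```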

3.3 Display and Debug IGMP Snooping

After the above configuration, execute the display commands in any view to display the running state of the IGMP Snooping configuration and verify the effect of the configuration. Execute the debugging commands in user view to debug IGMP Snooping.

Table 3-5 Display and debug IGMP Snooping

Operation                                                                Command
Display the information about current IGMP Snooping configuration        display igmp-snooping configuration
Display IGMP Snooping statistics of received and sent messages           display igmp-snooping statistics
Display IP/MAC multicast group information in the VLAN                   display igmp-snooping group [ vlan vlanid ]
Enable/disable IGMP Snooping debugging (abnormal, group, packet, timer)  debugging igmp-snooping { all | abnormal | group | packet | timers }
Disable IGMP Snooping debugging (abnormal, group, packet, timer)         undo debugging igmp-snooping { all | abnormal | group | packet | timers }

3.4 IGMP Snooping Configuration Example

3.4.1 Enable IGMP Snooping

I. Networking requirements

To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router through the router port and to the user PCs through the non-router ports.

II. Networking diagram

Figure 3-4 IGMP Snooping configuration networking (diagram not reproduced: the switch sits between the multicast router, which connects to the Internet, and the user PCs)

III. Configuration procedure

# Display the status of GMRP.

<Quidway> display gmrp status

# Display the current status of IGMP Snooping when GMRP is disabled.

<Quidway> display igmp-snooping configuration

# Enable IGMP Snooping if it is disabled.

[Quidway] igmp-snooping enable

3.5 Troubleshoot IGMP Snooping

Fault: Multicast function cannot be implemented on the switch.

Troubleshooting:

1) IGMP Snooping is disabled. Input the display current-configuration command to display the status of IGMP Snooping. If IGMP Snooping is disabled on the switch, input igmp-snooping enable in system view to enable it.

2) The multicast forwarding table set up by IGMP Snooping is wrong. Input the display igmp-snooping group command to check whether the multicast group is the expected one.

If the multicast group created by IGMP Snooping is not correct, turn to professional maintenance personnel for help. Continue with step 3 if step 2 is completed.

3) The multicast forwarding table set up on the bottom layer is wrong. Enable IGMP Snooping group debugging in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer is consistent with the one created by IGMP Snooping. You may also input the display mac vlan command in any view to check whether the MAC multicast forwarding table under vlanid in the bottom layer is consistent with the one created by IGMP Snooping.

If they are not consistent, please contact the maintenance personnel for help.

Chapter 4 Common Multicast Configuration

4.1 Introduction to Common Multicast Configuration

The common multicast configuration applies to both the multicast group management protocol and the multicast routing protocol. It includes enabling multicast and displaying the multicast routing table and multicast forwarding table.

4.2 Common Multicast Configuration

Common multicast configuration includes:

- Enable multicast

4.2.1 Enable Multicast

Enable multicast first before enabling the multicast routing protocol. Enabling multicast will automatically enable IGMP V2 on all interfaces.

Perform the following configuration in system view.

Table 4-1 Enable multicast

Operation           Command
Enable multicast    multicast routing-enable
Disable multicast   undo multicast routing-enable

By default, multicast is disabled.

4.3 Display and Debug Common Multicast Configuration

After the above configuration, execute the display commands in any view to display the running state of the multicast configuration and verify the effect of the configuration.

Execute the debugging commands in user view to debug multicast.

Table 4-2 Display and Debug Common Multicast Configuration

Operation                                             Command
Display the multicast routing table                   display multicast routing-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*
Display the multicast forwarding table                display multicast forwarding-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*
Display the multicast virtual interface information   display multicast vif
Enable multicast packet forwarding debugging          debugging multicast forwarding
Disable multicast packet forwarding debugging         undo debugging multicast forwarding
Enable multicast forwarding status debugging          debugging multicast status-forwarding
Disable multicast forwarding status debugging         undo debugging multicast status-forwarding
Enable multicast kernel routing debugging             debugging multicast kernel-routing
Disable multicast kernel routing debugging            undo debugging multicast kernel-routing

Chapter 5 IGMP Configuration

5.1 IGMP Overview

IGMP (Internet Group Management Protocol) is a protocol in the TCP/IP suite responsible for management of IP multicast members. It is used to establish and maintain multicast membership among IP hosts and their directly connected neighboring routers. IGMP excludes transmitting and maintenance of membership information among multicast routers, which are completed by multicast routing protocols. All hosts participating in multicast must implement IGMP.

Hosts participating in IP multicast can join and leave a multicast group at any time. The number of members of a multicast group can be any integer and the location of them can be anywhere. A multicast router does not need and cannot keep the membership of all hosts. It only uses IGMP to learn whether receivers (i.e., group members) of a multicast group are present on the subnet connected to each interface. A host only needs to keep which multicast groups it has joined.

IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, i.e., report the group membership to the router. The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages. When the router receives the report that hosts leave the group, the router will send a group-specific query (IGMP Version 2) to discover whether no member exists in the group.

Up to now, IGMP has three versions, namely, IGMP Version 1 (defined by RFC1112), IGMP Version 2 (defined by RFC2236) and IGMP Version 3. At present, IGMP Version 2 is the most widely used version.

IGMP Version 2 boasts the following improvements over IGMP Version 1:

I. Election mechanism of multicast routers on the shared network segment

A shared network segment means that there are multiple multicast routers on a network segment. In this case, all routers running IGMP on the network segment can receive the membership report from hosts. Therefore, only one router is necessary to send membership query messages. In this case, the router election mechanism is required to specify a router as the querier.

In IGMP Version 1, selection of the querier is determined by the multicast routing protocol. IGMP Version 2 instead specifies that, when there are multiple multicast routers on the same network segment, the multicast router with the lowest IP address is elected as the querier.

II. Leaving group mechanism

In IGMP Version 1, hosts leave the multicast group quietly without informing the multicast router. In this case, the multicast router can only depend on the timeout of the response time of the multicast group to confirm that hosts leave the group. In Version 2, when a host is intended to leave, it will send a leave group message if it is the host who responds to the latest membership query message.

III. Specific group query

In IGMP Version 1, a query of a multicast router is targeted at all the multicast groups on the network segment, which is known as General Query.

In IGMP Version 2, Group-Specific Query is added besides general query. The destination IP address of the query packet is the IP address of the multicast group. The group address domain in the packet is also the IP address of the multicast group. This prevents the hosts of members of other multicast groups from sending response messages.

IV. Max response time

The Max Response Time is added in IGMP Version 2. It is used to dynamically adjust the maximum time allowed for a host to respond to a membership query message.

5.2 IGMP Configuration

IGMP configuration includes:

- Enable multicast
- Configure the IGMP version
- Configure a router to join specified multicast group
- Control the access to IP multicast groups
- Configure the IGMP query message interval
- Configure the IGMP querier present timer
- Configure the maximum query response time

Enabling multicast is mandatory for IGMP configuration; the other items are optional.

5.2.1 Enable Multicast

After multicast is enabled, IGMP will automatically run on all interfaces.

For details, refer to “Common Multicast Configuration”.

5.2.2 Configure the IGMP Version

Perform the following configuration in interface view.

Table 5-1 Select the IGMP version

Operation                                       Command
Select the IGMP version that the router uses    igmp version { 2 | 1 }
Restore the default setting                     undo igmp version

By default, IGMP Version 2 is used.

Caution:

All routers on a subnet must support the same version of IGMP.

5.2.3 Configure a Router to Join Specified Multicast Group

Usually, a host running IGMP responds to the IGMP query packets of the multicast router. If no response arrives, the multicast router considers that there is no multicast member on this network segment and removes the corresponding path. Configuring one interface of the router as a multicast member avoids this problem: when the interface receives an IGMP query packet, the router responds, which ensures that the network segment the interface is connected to keeps receiving multicast packets normally.

For an Ethernet switch, you can configure a port in a VLAN interface to join a multicast group.

Perform the following configuration in VLAN interface view.

Table 5-2 Configure a router to join specified multicast group

Operation                                              Command
Configure a router to join specified multicast group   igmp host-join group-address port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ]
Quit from specified multicast group                    undo igmp host-join group-address port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ]

By default, a router joins no multicast group.

5.2.4 Limit Multicast Groups An Interface Can Access

A multicast router learns whether there are members of a multicast group on the network via the received IGMP membership message. A filter can be set on an interface so as to limit the range of allowed multicast groups.

Perform the following configuration in interface view.

Table 5-3 Limit multicast groups an interface can access

Operation                                                      Command
Limit the range of allowed multicast groups on current interface   igmp group-policy acl-number [ 1 | 2 | port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ] ]
Remove the filter set on the interface                         undo igmp group-policy [ port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ] ]

By default, no filter is configured, that is, all multicast groups are allowed on the interface.

5.2.5 Configure the Interval to Send IGMP Query Message

Multicast routers send IGMP query messages to discover which multicast groups are present on attached networks. Multicast routers send query messages periodically to refresh their knowledge of members present on their networks.

Perform the following configuration in interface view.

Table 5-4 Configure the interval to send IGMP query message

Operation                                           Command
Configure the interval to send IGMP query message   igmp timer query seconds
Restore the default value                           undo igmp timer query

When there are multiple multicast routers on a network segment, the querier is responsible for sending IGMP query messages to all hosts on the LAN.

By default, the interval is 60 seconds.

5.2.6 Configure the Present Time of IGMP Querier

The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so.

Perform the following configuration in interface view.

Table 5-5 Configure the present time of IGMP querier

Operation                                   Command
Change the present time of IGMP querier     igmp timer other-querier-present seconds
Restore the default value                   undo igmp timer other-querier-present

By default, the value is 120 seconds. If the router has received no query message within twice the interval specified by the igmp timer query command, it will regard the previous querier invalid.
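An added Python simulation (not Quidway code) of the querier election from section 5.1 together with the two timers above: the lowest-address router queries every igmp timer query seconds, and a router that hears no query from a lower address for the other-querier-present time regards the previous querier as invalid and takes over. The startup rule (each router queries once when it starts and defers as soon as it hears a lower address), the router addresses and the failure time are assumptions of this example.

```python
"""IGMP Version 2 querier election and querier present timer on a shared segment.
Added example, not Quidway code; addresses, startup rule and event loop are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

QUERY_INTERVAL = 60            # igmp timer query, default 60 s
OTHER_QUERIER_PRESENT = 120    # igmp timer other-querier-present, default 120 s


@dataclass
class IgmpRouter:
    ip: IPv4Address
    alive: bool = True
    querier: bool = True                     # assumption: a router starts as querier
    last_query_sent: int = -QUERY_INTERVAL   # so the first step sends at once
    last_lower_query_heard: Optional[int] = None

    def hear_query(self, src: IPv4Address, now: int) -> None:
        """A query from a lower address wins: stop querying and arm the present timer."""
        if src < self.ip:
            self.querier = False
            self.last_lower_query_heard = now

    def step(self, now: int) -> Optional[IPv4Address]:
        """Advance to `now`; return this router's address if it sends a general query."""
        if not self.alive:
            return None
        if (not self.querier and self.last_lower_query_heard is not None
                and now - self.last_lower_query_heard >= OTHER_QUERIER_PRESENT):
            self.querier = True      # no query for twice the query interval: previous querier invalid
        if self.querier and now - self.last_query_sent >= QUERY_INTERVAL:
            self.last_query_sent = now
            return self.ip
        return None


class Segment:
    """Routers sharing one network segment; every query is heard by all the others."""

    def __init__(self, addresses: list[str]) -> None:
        self.routers = [IgmpRouter(IPv4Address(a)) for a in addresses]
        self.history: list[tuple[int, str]] = []   # (time, sender) for every query sent

    def run(self, until: int, fail_at: Optional[dict[str, int]] = None) -> None:
        failures = {IPv4Address(a): t for a, t in (fail_at or {}).items()}
        for now in range(until + 1):
            for r in self.routers:
                if failures.get(r.ip) == now:
                    r.alive = False
            sent = [r.step(now) for r in self.routers]   # everyone decides before hearing
            for src in sent:
                if src is None:
                    continue
                self.history.append((now, str(src)))
                for r in self.routers:
                    if r.alive and r.ip != src:
                        r.hear_query(src, now)

    def querier(self) -> Optional[str]:
        live = [str(r.ip) for r in self.routers if r.alive and r.querier]
        return min(live, key=IPv4Address) if live else None


def failover_example() -> tuple[Optional[str], list[tuple[int, str]]]:
    """Constructed scenario: three routers; the elected querier 10.0.0.1 fails at t=200.
    Both survivors' present timers expire at t=300, so both query once; the lower
    address (10.0.0.2) keeps the role as soon as its query is heard."""
    seg = Segment(["10.0.0.3", "10.0.0.1", "10.0.0.2"])
    seg.run(until=400, fail_at={"10.0.0.1": 200})
    return seg.querier(), seg.history
```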

5.2.7 Configure Maximum Response Time for IGMP Query Message

When a host receives a query message, it sets a timer for each multicast group it belongs to. The value of the timer is randomly selected between 0 and the maximum response time. When any timer reaches 0, the host sends the membership report message of that multicast group.

Setting the maximum response time reasonably enables hosts to respond to query messages quickly, so the router can quickly learn the current membership status of the multicast group.

Perform the following configuration in interface view.

Table 5-6 Configure the maximum response time for IGMP query message

Operation                                                       Command
Configure the maximum response time for IGMP query message      igmp max-response-time seconds
Restore the maximum query response time to the default value    undo igmp max-response-time

The smaller the maximum query response time value, the faster the router prunes groups. The actual response time is a random value in the range from 1 to 25 seconds. By default, the maximum query response time is 10 seconds.

5.3 Display and Debug IGMP

After the above configuration, execute the display commands in any view to display the running state of the IGMP configuration and verify the effect of the configuration.

Execute the debugging commands in user view to debug IGMP.

Table 5-7 Display and debug IGMP

Operation                                                                  Command
Display the information about members of IGMP multicast groups             display igmp group [ group-address | interface interface-type interface-number ]
Display the IGMP configuration and running information about the interface display igmp interface [ interface-type interface-number ]
Enable the IGMP information debugging                                      debugging igmp { all | event | host | packet | mpm | timer }
Disable the IGMP information debugging                                     undo debugging igmp { all | event | host | packet | mpm | timer }

Chapter 6 PIM-DM Configuration

PIM-DM (Protocol Independent Multicast-Dense Mode) belongs to dense mode multicast routing protocols. PIM-DM is suitable for small networks. Members of multicast groups are relatively dense in such network environments.

The working procedures of PIM-DM include neighbor discovery, flood & prune and graft.

I. Neighbor discovery

The PIM-DM router needs to use Hello messages to perform neighbor discovery when it is started. All network nodes running PIM-DM keep in touch with one another with Hello messages, which are sent periodically.

II. Flood & Prune

PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source S begins to send data to a multicast group G, a router that receives the multicast packets first performs an RPF check against the unicast routing table. If the RPF check passes, the router creates an (S, G) entry and floods the data to all downstream PIM-DM nodes. If the RPF check fails, that is, the multicast packets arrived on the wrong interface, the packets are discarded. After this process, an (S, G) entry exists throughout the PIM-DM multicast domain.

If the downstream node has no multicast group members, it will send a Prune message to the upstream nodes to inform the upstream node not to forward data to the downstream node. Receiving the prune message, the upstream node will remove the corresponding interface from the outgoing interface list corresponding to the multicast forwarding entry (S, G). In this way, a SPT (Shortest Path Tree) rooted at Source S is built. The pruning process is initiated by leaf routers first.

This process is called the "flood & prune" process. In addition, pruned nodes have a timeout mechanism: each router restarts the "flood & prune" process when the prune times out, so the "flood & prune" process of PIM-DM repeats periodically.

During this process, PIM-DM uses the RPF check and the existing unicast routing table to build a multicast forwarding tree rooted at the data source. When a packet arrives, the router first judges the correctness of the path. If the interface on which the packet arrived is the one the unicast routing table uses toward the multicast source, the packet is regarded as coming from the correct path. Otherwise, the packet is discarded as a redundant packet and is not forwarded. The unicast routing information used for this path judgment can come from any unicast routing protocol, for example routes learned by RIP or OSPF; PIM-DM does not depend on any specific unicast routing protocol.

III. Assert mechanism

As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S. In this case, when they receive a multicast packet sent from multicast source S, they will both forward the packet to the LAN. Multicast Router C at the downstream node will receive two copies of the same multicast packet.

Figure 6-1 Assert mechanism diagram (not reproduced: Router A and Router B both receive the multicast packets forwarded by the upstream node and both forward them onto the LAN, where Router C and the receiver sit downstream)

When they detect such a case, routers need to select a unique sender by using the assert mechanism. Routers will send Assert packets to select the best path. If two or more than two paths have the same priority and metric, the path with a higher IP address will be the upstream neighbor of the (S, G) entry, which is responsible for forwarding the (S, G) multicast packet.

IV. Graft

When the pruned downstream node needs to be restored to the forwarding state, the node will send a graft packet to inform the upstream node.
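The following Python model is an added example, not Quidway code: it applies the RPF rule from the "Flood & Prune" text to a constructed unicast routing table, builds and prunes the (S, G) outgoing interface list, restores an interface on Graft, and picks the Assert winner by priority, then metric, then higher IP address as described above. The route preference field (standing in for the text's "priority"), the interface names and all addresses are assumptions of this example.

```python
"""PIM-DM RPF check, (S, G) flood/prune/graft bookkeeping and Assert winner selection.
Added example, not Quidway code; routing table, interface names and addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class UnicastRoute:
    prefix: IPv4Network
    interface: str      # interface the unicast routing table uses toward the prefix
    preference: int     # protocol preference (the text's "priority"); lower is better
    metric: int         # protocol metric; lower is better


def rpf_route(table: list[UnicastRoute], source: str) -> Optional[UnicastRoute]:
    """Longest-prefix match toward the multicast source; its interface is the RPF interface."""
    src = IPv4Address(source)
    matches = [r for r in table if src in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def rpf_check(table: list[UnicastRoute], source: str, group: str,
              in_interface: str, pim_interfaces: list[str]) -> Optional[dict]:
    """Accept the packet only if it arrived on the RPF interface. On success return
    the new (S, G) entry whose outgoing list floods to every other PIM-DM interface;
    on failure return None, i.e. the packet is discarded as redundant."""
    route = rpf_route(table, source)
    if route is None or route.interface != in_interface:
        return None
    return {"source": source, "group": group, "rpf_interface": in_interface,
            "outgoing": sorted(i for i in pim_interfaces if i != in_interface)}


def prune(entry: dict, downstream_interface: str) -> dict:
    """A Prune from a downstream node removes that interface from the outgoing list."""
    entry["outgoing"] = [i for i in entry["outgoing"] if i != downstream_interface]
    return entry


def graft(entry: dict, downstream_interface: str) -> dict:
    """A Graft from a pruned downstream node restores the interface to forwarding."""
    if downstream_interface not in entry["outgoing"]:
        entry["outgoing"] = sorted(entry["outgoing"] + [downstream_interface])
    return entry


@dataclass(frozen=True)
class AssertCandidate:
    router_ip: str
    preference: int
    metric: int


def assert_winner(candidates: list[AssertCandidate]) -> str:
    """Best preference, then best metric; on a full tie the higher IP address wins."""
    best = min(candidates,
               key=lambda c: (c.preference, c.metric, -int(IPv4Address(c.router_ip))))
    return best.router_ip


def sample_table() -> list[UnicastRoute]:
    """Constructed unicast routing table for the example; all values are made up."""
    return [
        UnicastRoute(IPv4Network("0.0.0.0/0"), "Vlan-interface12", 60, 0),
        UnicastRoute(IPv4Network("10.1.0.0/16"), "Vlan-interface10", 10, 2),
        UnicastRoute(IPv4Network("10.1.5.0/24"), "Vlan-interface11", 10, 1),
    ]
```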

6.1 PIM-DM Configuration

PIM-DM configuration includes:

- Enable PIM-DM
- Configure the interface hello message interval

When the router runs in a PIM-DM domain, it is recommended to enable PIM-DM on all interfaces of a non-border router.

6.1.1 Enable Multicast

Refer to “Common Multicast Configuration” of Chapter 2.

6.1.2 Enable PIM-DM

PIM-DM needs to be enabled on all interfaces.

After PIM-DM is enabled on an interface, it will send PIM Hello messages periodically and process protocol packets sent by PIM neighbors.

Perform the following configuration in interface view.

Table 6-1 Enable PIM-DM

Operation                          Command
Enable PIM-DM on an interface      pim dm
Disable PIM-DM on an interface     undo pim dm

It is recommended to configure PIM-DM on all interfaces except in special cases. This configuration takes effect only after multicast routing is enabled in system view.

Once PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the same interface, and vice versa.

6.1.3 Configure the Interface Hello Message Interval

After PIM is enabled on an interface, it will send Hello messages periodically on the interface. The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to the interface.

Perform the following configuration in interface view.

Table 6-2 Configure hello message interval on an interface

Operation                                          Command
Configure the hello message interval on an interface   pim timer hello seconds
Restore the interval to the default value          undo pim timer hello

The default interval is 30 seconds. You can configure the value according to different network environments. Generally, this parameter does not need to be modified.

This configuration can be performed only after PIM (PIM-DM or PIM-SM) is enabled in interface view.

6.2 Display and Debug PIM-DM

After the above configuration, execute the display commands in any view to display the running state of the PIM-DM configuration and verify the effect of the configuration.

Execute the debugging commands in user view to debug PIM-DM.

Table 6-3 Display and debug PIM-DM

Operation                                               Command
Display the PIM multicast routing table                 display pim routing-table [ { { *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | source-address [ mask { mask-length | mask } ] } * } | incoming-interface { interface interface-type interface-number | null } | { dense-mode | sparse-mode } ] *
Display the PIM interface information                   display pim interface [ interface interface-type interface-number ]
Display the information about PIM neighboring routers   display pim neighbor [ interface interface-type interface-number ]
Enable the PIM debugging                                debugging pim common { all | event | packet | timer }
Disable the PIM debugging                               undo debugging pim common { all | event | packet | timer }
Enable the PIM-DM debugging                             debugging pim dm { all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }
Disable the PIM-DM debugging                            undo debugging pim dm { all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }

6.3 PIM-DM Configuration Example

I. Networking requirements

LS_A has a port carrying VLAN 10 that connects to Multicast Source, a port carrying VLAN 11 that connects to LS_B, and a port carrying VLAN 12 that connects to LS_C. Configure the switches so that multicast traffic flows from Multicast Source to Receiver 1 and Receiver 2.

II. Networking diagram

Figure 6-2 PIM-DM configuration networking (diagram not reproduced: LS_A connects Multicast Source over VLAN 10, LS_B over VLAN 11 and LS_C over VLAN 12; Receiver 1 sits behind LS_B and Receiver 2 behind LS_C)

III. Configuration procedure

This section only introduces LS_A configuration procedure, while LS_B and LS_C configuration procedures are similar.

# Enable the multicast routing protocol.

[Quidway] multicast routing-enable

# Enable PIM-DM.

[Quidway] vlan 10

[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3

[Quidway-vlan10] quit

[Quidway] vlan 11

[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5

[Quidway-vlan11] quit

[Quidway] vlan 12

[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7

[Quidway-vlan12] quit

[Quidway] interface vlan-interface 10

[Quidway-vlan-interface10] ip address 1.1.1.1 255.255.0.0

[Quidway-vlan-interface10] pim dm

[Quidway-vlan-interface10] quit

[Quidway] interface vlan-interface 11

[Quidway-vlan-interface11] ip address 2.2.2.2 255.255.0.0

[Quidway-vlan-interface11] pim dm

[Quidway-vlan-interface11] quit

[Quidway] interface vlan-interface 12

[Quidway-vlan-interface12] ip address 3.3.3.3 255.255.0.0

[Quidway-vlan-interface12] pim dm

Chapter 7 PIM-SM Configuration

7.1 PIM-SM Overview

7.1.1 Introduction to PIM-SM

PIM-SM (Protocol Independent Multicast-Sparse Mode) belongs to sparse mode multicast routing protocols. PIM-SM is mainly applicable to large-scale networks with broad scope in which group members are relatively sparse.

Different from the flood & prune principle of the dense mode, PIM-SM assumes that no host needs to receive multicast packets unless it explicitly requests them.

PIM-SM uses the RP (Rendezvous Point) and the BSR (Bootstrap Router) to advertise multicast information to all PIM-SM routers and uses the join/prune information of the router to build the RP-rooted shared tree (RPT), thereby reducing the bandwidth occupied by data packets and control packets and reducing the process overhead of the router. Multicast data flows along the shared tree to the network segments the multicast group members are on. When the data traffic is sufficient, the multicast data flow can switch over to the SPT (Shortest Path Tree) rooted on the source to reduce network delay. PIM-SM does not depend on the specified unicast routing protocol but uses the present unicast routing table to perform the RPF check.

Running PIM-SM requires configuring candidate RPs and BSRs. The BSR is responsible for collecting the information from the candidate RPs and advertising it.

7.1.2 PIM-SM Operating Principle

The PIM-SM working process consists of neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and SPT switchover. The neighbor discovery mechanism is the same as that of PIM-DM and is not repeated here.

I. Build the RP shared tree (RPT)

When hosts join a multicast group G, the leaf routers that directly connect with the hosts send IGMP messages to learn the receivers of multicast group G. In this way, the leaf routers calculate the corresponding rendezvous point (RP) for multicast group G and then send join messages to the node of a higher level toward the rendezvous point (RP). Each router along the path between the leaf routers and the RP will generate (*, G) entries in the forwarding table, indicating that all packets sent to multicast group G are applicable to the entries no matter from which source they are sent. When the RP receives the packets sent to multicast group G, the packets will be sent to leaf routers along the path built and then reach the hosts. In this way, an RP-rooted tree (RPT) is built as shown in the following figure.

Figure 7-1 RPT schematic diagram (not reproduced: join messages from the receiver side build the RPT toward the RP, and multicast source S registers with the RP)

II. Multicast source registration

When multicast source S sends a multicast packet to the multicast group G, the PIM-SM multicast router directly connected to S will encapsulate the received packet into a registration packet and send it to the corresponding RP in unicast form. If there are multiple PIM-SM multicast routers on a network segment, the Designated Router (DR) will be responsible for sending the multicast packet.

III. SPT switchover

When a multicast router detects that the multicast packet with the destination address of G from the RP is sent at a rate greater than the threshold, the multicast router will send a join message to the node of a higher level toward the source S, which results in switchover from the RPT to the SPT.

7.1.3 Preparations before Configuring PIM-SM

I. Configure candidate RPs

In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with the destination addresses in a certain range. Configuring multiple C-RPs is to implement load balancing of the RP. These C-RPs are equal. All multicast routers calculate the RPs corresponding to multicast groups according to the same algorithm after receiving the C-RP messages that the BSR advertises.

It should be noted that one RP can serve multiple multicast groups or all multicast groups. Each multicast group corresponds to exactly one RP at a time, never to multiple RPs.

II. Configure BSRs

The BSR is the management core in a PIM-SM network. Candidate-RPs send announcement to the BSR, which is responsible for collecting and advertising the information about all candidate-RPs.

It should be noted that there can be only one BSR in a network but you can configure multiple candidate-BSRs. In this case, once a BSR fails, you can switch over to another BSR. A BSR is elected among the C-BSRs automatically. The C-BSR with the highest priority is elected as the BSR. If the priority is the same, the C-BSR with the largest IP address is elected as the BSR.

III. Configure static RP

The RP is the core router for multicast routing. If the dynamic RP elected by the BSR mechanism fails, a static RP can be configured. As the backup of the dynamic RP, a static RP improves the robustness and operability of the multicast network.
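An added Python example (not Quidway code) of the two selections described in this section: C-BSR election by highest priority, then largest IP address, and the per-group RP choice with a static RP as fallback when no C-RP covers the group. The manual does not state the group-to-RP algorithm, so the rule used here (most specific group range, then largest C-RP address) and all addresses are assumptions of this example.

```python
"""PIM-SM candidate-BSR election and group-to-RP selection with a static RP backup.
Added example, not Quidway code; the RP selection rule and all addresses are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class CandidateBsr:
    ip: str
    priority: int
    alive: bool = True


@dataclass(frozen=True)
class CandidateRp:
    ip: str
    group_range: str     # the range of groups this C-RP announces to the BSR


def elect_bsr(candidates: list[CandidateBsr]) -> Optional[str]:
    """Highest priority wins; on a tie the largest IP address wins. A failed
    C-BSR drops out of the election, so another C-BSR takes over."""
    live = [c for c in candidates if c.alive]
    if not live:
        return None
    return max(live, key=lambda c: (c.priority, int(IPv4Address(c.ip)))).ip


def select_rp(group: str, crps: list[CandidateRp],
              static_rp: Optional[str] = None) -> Optional[str]:
    """Map one group to exactly one RP. Every router applies this same rule to
    the C-RP set advertised by the BSR, so all routers agree. The rule itself
    (most specific covering group range, then largest C-RP address) is an
    assumption of this example; when no C-RP covers the group, the static RP
    configured as backup is used."""
    g = IPv4Address(group)
    covering = [(IPv4Network(c.group_range), c) for c in crps
                if g in IPv4Network(c.group_range)]
    if covering:
        _, chosen = max(covering,
                        key=lambda pair: (pair[0].prefixlen, int(IPv4Address(pair[1].ip))))
        return chosen.ip
    return static_rp


def rp_map(groups: list[str], crps: list[CandidateRp],
           static_rp: Optional[str] = None) -> dict[str, Optional[str]]:
    """Group-to-RP table as every router in the domain would compute it."""
    return {g: select_rp(g, crps, static_rp) for g in groups}


def sample_domain() -> tuple[Optional[str], Optional[str], dict[str, Optional[str]]]:
    """Constructed domain: three C-BSRs (one of which later fails) and three C-RPs,
    two of them announcing the same 239.0.0.0/8 range."""
    cbsrs = [CandidateBsr("10.1.1.1", 1), CandidateBsr("10.1.1.9", 5), CandidateBsr("10.1.1.3", 5)]
    bsr = elect_bsr(cbsrs)
    after_failure = elect_bsr([CandidateBsr("10.1.1.9", 5, alive=False)] + cbsrs[::2])
    crps = [CandidateRp("10.2.0.1", "224.0.0.0/4"),
            CandidateRp("10.2.0.2", "239.0.0.0/8"),
            CandidateRp("10.2.0.9", "239.0.0.0/8")]
    table = rp_map(["239.1.1.1", "225.1.1.1"], crps, static_rp="10.9.9.9")
    return bsr, after_failure, table
```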

7.2 PIM-SM Configuration

PIM-SM configuration includes:

- Enable Multicast
- Enable PIM-SM
- Configure the interface hello message interval
- Configure the PIM-SM domain border
- Enter PIM view
- Configure candidate-BSRs
- Configure candidate-RPs
- Configure static RP
- Configure RP to filter the register messages sent by DR
- Set the threshold of switchover from the RPT to the SPT

The first four configuration items are mandatory. The remaining items can use the default configuration. It should be noted that at least one router in the PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs.


7.2.1 Enable Multicast

Refer to “Common Multicast Configuration” of Chapter 2.

7.2.2 Enable PIM-SM

This configuration can be effective only after multicast is enabled.

Perform the following configuration in VLAN interface view.

Table 7-1 Enable PIM-SM

Enable PIM-SM on an interface: pim sm
Disable PIM-SM on an interface: undo pim sm

Repeat this configuration to enable PIM-SM on other interfaces. Only one multicast routing protocol can be enabled on an interface at a time.

Once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface, and vice versa.

7.2.3 Configure the Interface Hello Message Interval

Generally, PIM-SM periodically advertises Hello messages on each interface on which it is enabled, to detect PIM neighbors and discover which router is the Designated Router (DR).

Perform the following configuration in VLAN interface view.

Table 7-2 Configure the interface hello message interval

Configure the interface hello message interval: pim timer hello seconds
Restore the interval to the default value: undo pim timer hello

By default, the hello message interval is 30 seconds. Users can configure the value according to different network environments.

This configuration can be performed only after the PIM (PIM-DM or PIM-SM) is enabled in VLAN interface view.


7.2.4 Configure the PIM-SM Domain Border

After the PIM-SM domain border is configured, bootstrap messages cannot cross the border in any direction. In this way, the PIM-SM domain can be split.

Perform the following configuration in VLAN interface view.

Table 7-3 Configure the PIM-SM domain border

Set the PIM-SM domain border: pim bsr-boundary
Remove the configured PIM-SM domain border: undo pim bsr-boundary

By default, no domain border is set. After this configuration is performed, a bootstrap message cannot cross the border but other PIM packets can. This configuration can effectively divide a network into domains using different BSRs.

7.2.5 Enter PIM View

Global parameters of PIM should be configured in PIM view.

Perform the following configuration in system view.

Table 7-4 Enter PIM view

Enter PIM view: pim
Back to system view: undo pim

Using the undo pim command, you can clear the configuration in PIM view and return to system view.

7.2.6 Configure Candidate-BSRs

In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among candidate BSRs. The BSR takes charge of collecting and advertising RP information.

The automatic election among candidate BSRs is described as follows:

An interface on which PIM-SM is enabled must be specified when configuring the router as a candidate BSR.

At first, each candidate BSR considers itself the BSR of the PIM-SM domain and sends Bootstrap messages using the IP address of that interface as the BSR address.


When receiving Bootstrap messages from other routers, the candidate BSR compares the BSR address in the newly received Bootstrap message with its own. The comparison criteria are priority and IP address: when the priorities are the same, the larger IP address is considered better. If the new BSR address is better, the candidate BSR replaces its BSR address with it and stops regarding itself as the BSR. Otherwise, the candidate BSR keeps its BSR address and continues to regard itself as the BSR.

Perform the following configuration in PIM view.

Table 7-5 Configure candidate-BSRs

Configure a candidate-BSR: c-bsr interface interface-type interface-number hash-mask-len [ priority ]
Remove the configured candidate-BSR: undo c-bsr

Candidate-BSRs should be configured on the routers in the network backbone. By default, no BSR is set. The default priority is 0.

Caution:

One router can only be configured with one candidate-BSR. When a candidate-BSR is configured on another interface, it will replace the previous configuration.

7.2.7 Configure Candidate-RPs

In PIM-SM, the shared tree built from the multicast routing data is rooted at the RP. There is a mapping from each multicast group to an RP: a multicast group maps to one RP, and different groups can map to the same RP.

Perform the following configuration in PIM view.

Table 7-6 Configure candidate-RPs

Configure a candidate-RP: c-rp interface-type interface-number [ group-policy acl-number ]
Remove the configured candidate-RP: undo c-rp interface-type interface-number

When configuring an RP, if the range of served multicast groups is not specified, the RP serves all multicast groups; otherwise, it serves only the multicast groups in the specified range. It is suggested to configure candidate RPs on the backbone routers.
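The two calculations described above, BSR election among C-BSRs (priority first, then the larger IP address) and the mapping of a multicast group to one of the C-RPs that serve it, are shown below as an added Python example; it is not code from the manual or from the switch. The manual only says that all routers use "the same algorithm" to map groups to RPs, so the standard PIM-SM hash from RFC 4601 is assumed here, with the hash-mask-len value of the c-bsr command deciding which groups share an RP. The C-RP list and group addresses are constructed for the example.

```python
"""Added example, not from the manual: the two calculations every PIM-SM
router repeats from advertised candidate information, BSR election among
C-BSRs and the group-to-RP mapping among C-RPs."""
import ipaddress
from typing import Iterable, Optional, Sequence


def elect_bsr(candidates: Iterable[tuple[str, int]]) -> Optional[str]:
    """Elect the BSR from (address, priority) C-BSR pairs.

    Highest priority wins; on a tie the numerically largest IP address
    wins, which is the comparison the manual describes for Bootstrap
    messages. Returns None when there are no candidates.
    """
    best_key, best_addr = None, None
    for addr, priority in candidates:
        key = (priority, int(ipaddress.IPv4Address(addr)))
        if best_key is None or key > best_key:
            best_key, best_addr = key, addr
    return best_addr


def rp_hash(group: str, hash_mask_len: int, rp: str) -> int:
    """Hash value of a C-RP for a group (RFC 4601, section 4.7.2).

    Assumption: the manual only says all routers use "the same algorithm";
    the standard PIM-SM hash is used here. hash_mask_len is the value
    given in the c-bsr command: groups sharing the same top hash_mask_len
    bits hash identically and therefore land on the same RP.
    """
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    g = int(ipaddress.IPv4Address(group)) & mask
    c = int(ipaddress.IPv4Address(rp))
    return (1103515245 * ((1103515245 * g + 12345) ^ c) + 12345) % (1 << 31)


def select_rp(group: str, c_rps: Sequence[tuple[str, Optional[str]]],
              hash_mask_len: int) -> Optional[str]:
    """Map a group to one RP.

    c_rps holds (rp_address, served_range) pairs; served_range is written
    in the "address wildcard" form of the c-rp group-policy ACL, or None
    for an RP that serves all groups. Only C-RPs whose range covers the
    group are eligible; the highest hash value wins and ties go to the
    larger RP address, so every router picks the same RP.
    """
    g = ipaddress.IPv4Address(group)
    eligible = []
    for rp, served in c_rps:
        if served is None:
            eligible.append(rp)
            continue
        addr, wildcard = served.split()
        # ipaddress accepts a host mask (the ACL wildcard) after the slash.
        if g in ipaddress.IPv4Network(f"{addr}/{wildcard}"):
            eligible.append(rp)
    if not eligible:
        return None
    return max(eligible,
               key=lambda rp: (rp_hash(group, hash_mask_len, rp),
                               int(ipaddress.IPv4Address(rp))))


# Constructed sample: two C-RPs for 225/8 (the range of ACL 2000 in the
# configuration example) and one for 239/8, with hash-mask-len 30.
SAMPLE_C_RPS = [("10.1.1.1", "225.0.0.0 0.255.255.255"),
                ("10.2.2.2", "225.0.0.0 0.255.255.255"),
                ("10.3.3.3", "239.0.0.0 0.255.255.255")]

if __name__ == "__main__":
    print("BSR:", elect_bsr([("10.1.1.1", 0), ("10.2.2.2", 0), ("10.3.3.3", 2)]))
    for grp in ("225.0.0.1", "225.0.0.2", "239.1.1.1", "230.0.0.1"):
        print(grp, "->", select_rp(grp, SAMPLE_C_RPS, 30))
```

With hash-mask-len 30, 225.0.0.1 and 225.0.0.2 share their top 30 bits and so are served by the same RP, while 239.1.1.1 can only go to the C-RP whose group-policy covers it, and a group no C-RP serves gets no RP at all.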

7.2.8 Configure Static RP

A static RP can serve as the backup of a dynamic RP, to improve network robustness.

Perform the following configuration in PIM view.

Table 7-7 Configure static RP

Configure static RP: static-rp rp-address [ acl-number ]
Remove the configured static RP: undo static-rp

A basic ACL can be used to control the range of multicast groups served by a static RP.

If a static RP is in use, all routers in the PIM domain must adopt the same configuration. If the configured static RP address is the address of a local interface in UP state, the router itself functions as the static RP. It is unnecessary to enable PIM on the interface that functions as the static RP.

When the RP elected by the BSR mechanism is valid, the static RP does not take effect.

7.2.9 Configure RP to Filter the Register Messages Sent by DR

In a PIM-SM network, the register message filtering mechanism controls, on the RP, which sources may send messages to which groups; that is, the RP can filter the register messages sent by the DR and accept only the specified ones.

Perform the following configuration in PIM view.

Table 7-8 Configure RP to filter the register messages sent by DR

Configure RP to filter the register messages sent by DR: register-policy acl-number
Cancel the configured filter of messages: undo register-policy

If a source-group entry is denied by the ACL, the ACL defines no action for it, or no ACL is defined, the RP sends RegisterStop messages to the DR to stop the register process for that multicast data stream.


Caution:

Only register messages matching a permit clause of the ACL are accepted by the RP. Specifying an undefined ACL makes the RP deny all register messages.

7.2.10 Set the Threshold of Switchover from the RPT to the SPT

A PIM-SM router initially uses the shared tree to forward multicast data packets. If the rate of the multicast data exceeds the threshold, the last-hop router on the packet's path initiates a switch from the shared tree to the shortest path tree.

Perform the following configuration in PIM view.

Table 7-9 Set the threshold of switchover from the RPT to the SPT

Set the threshold of switchover from the RPT to the SPT: spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]
Restore the default setting: undo spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]

By default, the threshold is 0. That is, the last hop router initiates the switch to the shortest path tree upon the arrival of the first multicast data packet.

7.3 Display and Debug PIM-SM

After the above configuration, execute the display command in any view to display the running state of the PIM-SM configuration and verify the effect of the configuration.

Execute the debugging command in user view to debug PIM-SM.

Table 7-10 Display and debug PIM-SM

Display the BSR information: display pim bsr-info
Display the RP information: display pim rp-info [ group-address ]
Enable the PIM-SM debugging: debugging pim sm { all | mbr | verbose | mrt | timer | warning | { recv | send } { assert | graft | graft-ack | join | prune } }
Disable the PIM-SM debugging: undo debugging pim sm { all | mbr | verbose | mrt | timer | warning | { recv | send } { assert | graft | graft-ack | join | prune } }


7.4 PIM-SM Configuration Example

I. Networking requirements

In the actual network, we assume that the switches can communicate with each other.

Suppose that Host A is the receiver of the multicast group at 225.0.0.1. Host B begins transmitting data destined to 225.0.0.1. LS_A receives the multicast data from Host B via LS_B.

II. Networking diagram

Figure 7-2 PIM-SM configuration networking (the diagram is not reproduced in this text; it shows the switches LS_A, LS_B, LS_C and LS_D and the hosts Host A and Host B connected over VLAN10, VLAN11 and VLAN12)

III. Configuration procedure

1) Configure LS_A

# Enable PIM-SM.

[Quidway] multicast routing-enable

[Quidway] vlan 10

[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3

[Quidway-vlan10] quit

[Quidway] interface vlan-interface 10

[Quidway-vlan-interface10] pim sm

[Quidway-vlan-interface10] quit


[Quidway] vlan 11

[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5

[Quidway-vlan11] quit

[Quidway] interface vlan-interface 11

[Quidway-vlan-interface11] pim sm

[Quidway-vlan-interface11] quit

[Quidway] vlan 12

[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7

[Quidway-vlan12] quit

[Quidway] interface vlan-interface 12

[Quidway-vlan-interface12] pim sm

[Quidway-vlan-interface12] quit

2) Configure LS_B

# Enable PIM-SM.

[Quidway] multicast routing-enable

[Quidway] vlan 10

[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3

[Quidway-vlan10] quit

[Quidway] interface vlan-interface 10

[Quidway-vlan-interface10] pim sm

[Quidway-vlan-interface10] quit

[Quidway] vlan 11

[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5

[Quidway-vlan11] quit

[Quidway] interface vlan-interface 11

[Quidway-vlan-interface11] pim sm

[Quidway-vlan-interface11] quit

[Quidway] vlan 12

[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7


[Quidway-vlan12] quit

[Quidway] interface vlan-interface 12

[Quidway-vlan-interface12] pim sm

[Quidway-vlan-interface12] quit

# Configure the C-BSR.

[Quidway] pim

[Quidway-pim] c-bsr vlan-interface 10 30 2

# Configure the C-RP.

[Quidway] acl number 2000

[Quidway-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.255

[Quidway] pim

[Quidway-pim] c-rp vlan-interface 10 group-policy 2000

# Configure PIM domain boundary.

[Quidway] interface vlan-interface 12

[Quidway-vlan-interface12] pim bsr-boundary

After VLAN-interface 12 is configured as the PIM domain boundary, LS_D is excluded from the local PIM domain and no longer receives the BSR information sent by LS_B.

3) Configure LS_C.

# Enable PIM-SM.

[Quidway] multicast routing-enable

[Quidway] vlan 10

[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3

[Quidway-vlan10] quit

[Quidway] interface vlan-interface 10

[Quidway-vlan-interface10] pim sm

[Quidway-vlan-interface10] quit

[Quidway] vlan 11

[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5


[Quidway-vlan11] quit

[Quidway] interface vlan-interface 11

[Quidway-vlan-interface11] pim sm

[Quidway-vlan-interface11] quit

[Quidway] vlan 12

[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7

[Quidway-vlan12] quit

[Quidway] interface vlan-interface 12

[Quidway-vlan-interface12] pim sm

[Quidway-vlan-interface12] quit

Quidway S3500 Series Ethernet Switches Operation Manual

7. QoS/ACL

Operation Manual - QoS/ACL Quidway S3500 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 ACL Configuration 1-1
1.1 Brief Introduction to ACL 1-1
1.1.1 ACL Overview 1-1
1.1.2 ACL Supported by Ethernet Switch 1-3
1.2 Configure ACL of S3526 Series Ethernet Switches 1-4
1.2.1 Configure Time-Range 1-4
1.2.2 Define ACL 1-5
1.2.3 Activate ACL 1-7
1.2.4 Display and Debug ACL 1-9
1.3 Configure ACL of S3526E and S3526C 1-9
1.3.1 Configure Time-Range 1-10
1.3.2 Define ACL 1-10
1.3.3 Activate ACL 1-14
1.3.4 Display and Debug ACL 1-14
1.4 Configure ACL of S3552 Series Ethernet Switches 1-15
1.4.1 Configure Time-Range 1-15
1.4.2 Define ACL 1-16
1.4.3 Activate ACL 1-18
1.4.4 Display and Debug ACL 1-18
1.5 ACL Configuration Example of S3526 Series Switches 1-19
1.5.1 Advanced ACL Configuration Example 1-19
1.5.2 Basic ACL Configuration Example 1-20
1.5.3 Link ACL Configuration Example 1-21
1.6 ACL Configuration Example of S3526E and S3526C 1-22
1.6.1 Advanced ACL Configuration Example 1-22
1.6.2 Basic ACL Configuration Example 1-24
1.6.3 Link ACL Configuration Example 1-25
1.6.4 User-defined ACL Configuration Example 1-26
Chapter 2 QoS Configuration 2-1
2.1 QoS Overview 2-1
2.1.1 Traffic 2-1
2.1.2 Traffic Classification 2-1
2.1.3 Packet Filter 2-2
2.1.4 Traffic Policing 2-2
2.1.5 Port Traffic Limit 2-2
2.1.6 Redirection 2-2
2.1.7 Traffic Priority 2-2
2.1.8 Queue Scheduling 2-2
2.1.9 Traffic Mirroring 2-4
2.1.10 Traffic Counting 2-4
2.2 Configure QoS of S3526 Series Switches 2-4
2.2.1 Set the Port Priority 2-7
2.2.2 Configure Trust Packet Priority 2-7
2.2.3 Configure Priority Marking 2-8
2.2.4 Configure Queue Scheduling 2-8
2.2.5 Configure Traffic Mirroring 2-10
2.2.6 Configure Traffic Statistics 2-10
2.2.7 Display and Debug QoS 2-11
2.3 Configure QoS of S3526E and S3526C 2-11
2.3.1 Set the Port Priority 2-12
2.3.2 Configure Trust Packet Priority 2-12
2.3.3 Traffic Policing 2-12
2.3.4 Port Traffic Limit 2-13
2.3.5 Configure Packet Redirection 2-13
2.3.6 Configure Priority Marking 2-14
2.3.7 Configure Queue Scheduling 2-15
2.3.8 Configure Traffic Mirroring 2-17
2.3.9 Configure Traffic Statistics 2-17
2.3.10 Display and Debug QoS 2-18
2.4 QoS Configuration for S3552 Series Ethernet Switches 2-18
2.4.2 Configure Service Group Allocation Rule 2-19
2.4.3 Configure Traffic Policing 2-20
2.4.4 Configure Traffic Shaping 2-22
2.4.5 Configure Priority Remark 2-23
2.4.6 Configure Traffic Redirection 2-24
2.4.7 Configure Queue Scheduling 2-25
2.4.8 Configure Congestion Avoidance 2-26
2.4.9 Configure Traffic Mirroring 2-27
2.4.10 Configure Port Mirroring 2-28
2.4.11 Configure Traffic Statistic 2-29
2.4.12 Display and Debug QoS 2-30
2.5 QoS Configuration Example of S3526 Series Switches 2-31
2.5.1 Traffic Mirroring Configuration Example 2-31
2.6 QoS Configuration Example of S3526E and S3526C 2-32
2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example 2-32
2.6.2 Traffic Mirroring Configuration Example 2-34
2.7 QoS Configuration Example of S3552 Series Switches 2-35
2.7.1 Traffic Policing Configuration Example 2-35
2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example 2-36
2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example 2-38
2.7.4 Priority Marking Configuration Example 2-39
Chapter 3 Logon User ACL Control Configuration 3-1
3.1 Overview 3-1
3.2 Configure ACL Control over the TELNET User 3-1
3.2.1 Define ACL 3-1
3.2.2 Call ACL to Control TELNET User 3-2
3.2.3 Configuration Example 3-2
3.3 Configure ACL Control over the SNMP Users 3-3
3.3.1 Define an ACL 3-4
3.3.2 Call ACL to Control SNMP User 3-4
3.3.3 Configuration Example 3-5
3.4 Configure ACL Control over the HTTP Users 3-6
3.4.1 Define an ACL 3-6
3.4.2 Call ACL to Control HTTP User 3-6
3.4.3 Configuration Example 3-7

Operation Manual - QoS/ACL Quidway S3500 Series Ethernet Switches Chapter 1 ACL Configuration

Chapter 1 ACL Configuration

1.1 Brief Introduction to ACL

1.1.1 ACL Overview

A series of matching rules are required for the network devices to identify the packets to be filtered. After identifying the packets, the switch can permit or deny them to pass through according to the defined policy. Access Control List (ACL) is used to implement such functions.

ACL classifies the data packets with a series of matching rules, including source address, destination address and port number, etc. The switch verifies the data packets with the rules in ACL and determines to forward or discard them.

The data packet matching rules defined by ACL can also be called in some other cases requiring traffic classification, such as defining traffic classification for QoS.

An access control rule includes several statements. Different statements specify different ranges of packets. When matching a data packet with the access control rule, the issue of match-order arises.

I. Filtering or classifying data forwarded by the hardware

An ACL can be used to filter or classify the data forwarded by the switch hardware. In this case, the match order of the ACL's sub-rules is determined by the switch hardware, and a user-defined match order does not take effect.

Because of the chips installed, the hardware match order of ACL sub-rules differs between switch models. The details are listed in the following table.

Table 1-1 Hardware match order of ACL sub-rules

S3526 Series: An ACL is configured with multiple sub-rules. The deny sub-rules are matched first, then the permit sub-rules. Exact match mode is used for the permit sub-rules: the sub-rule with the more accurate range is matched first. For example, ACL 3000 has rule 0 and rule 1; rule 0 is defined as “rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255” and rule 1 as “rule 1 permit ip source 1.1.1.1 0.0.0.255 destination 2.2.2.2 0.0.0.255”. Rule 1 is more accurate, so it is matched first.

S3526E and S3526C: An ACL is configured with multiple sub-rules. The latest sub-rule is matched first.

S3552 Series: An ACL is configured with multiple sub-rules. The first sub-rule is matched first.


Note:

For S3526 series switches, the packet-filter function supports only rules whose action is deny, while the other QoS functions, such as priority marking, traffic mirroring and traffic statistics, support rules whose action is permit. In some cases a permit ACL and a deny ACL can be matched at the same time. For example, ACL 3000 has rule 0, a deny rule, and rule 1, a permit rule. If the packet-filter function references rule 0 and the traffic statistics function references rule 1, the deny rule is matched first and then the permit rule.

Such cases include: ACLs referenced by QoS functions, ACLs used to filter packets forwarded by the hardware, etc.

II. Filtering or classifying data processed by the software

An ACL can be used to filter or classify the data processed by the switch software. In this case, the match order of the ACL's sub-rules can be determined by the user. There are two match orders: config (the rules are matched in the user-defined configuration order) and auto (the rules are matched in the order the system sorts them automatically, i.e. in depth-first order). Once the user specifies the match order of an access control rule, it cannot be modified later unless all of the rule's content is deleted and the match order is specified again.

Such cases include: ACLs referenced by the route policy function, ACLs used to control logon users, etc.

Note:

The depth-first principle places the statement specifying the smallest range of packets at the top of the list. This is implemented by comparing the wildcards of the addresses: the smaller the wildcard, the fewer hosts it specifies. For example, 129.102.1.1 0.0.0.0 specifies a single host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255. The former is therefore listed ahead in the access control list. The specific standard is as follows:

For basic access control list statements, the source address wildcards are compared directly. If the wildcards are the same, the configuration sequence is followed.

For the access control list based on the interface filter, the rule configured with any is listed last, while the others follow the configuration sequence.

For the advanced access control list, the source address wildcards are compared first. If they are the same, the destination address wildcards are compared. For the same destination address wildcards, the port number ranges are compared, and the one with the smaller range is listed ahead. If the port number ranges are the same, the configuration sequence is followed.
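Because the match order decides which sub-rule wins for a packet that several sub-rules cover, the same ACL can permit a packet under one order and deny it under another. The following Python example, added here and not taken from the manual or the switch software, implements the orders from Table 1-1 (S3526 deny-first with most-specific permits, S3526E/S3526C latest-first, S3552 first-first) together with the config and auto (depth-first) software orders described in this note, and evaluates a packet against constructed rules under each of them. "Smaller wildcard" is taken here as the numerically smaller wildcard value, which is an assumption about how the comparison is carried out; the rule set, addresses and mode names are constructed for the example.

```python
"""Added example, not from the manual: the ACL sub-rule match orders from
Table 1-1 and the depth-first note, run over a few constructed rules to
show that the same packet can be permitted under one order and denied
under another."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    seq: int                      # rule number, i.e. configuration order
    action: str                   # "permit" or "deny"
    src: str                      # source address
    src_wc: str                   # source wildcard: 0 bits must match
    dst: str = "0.0.0.0"          # destination (any, for a basic ACL)
    dst_wc: str = "255.255.255.255"
    port_lo: int = 0              # destination port range (advanced ACL)
    port_hi: int = 65535


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(ip: str, rule_ip: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(rule_ip) & care)


def rule_matches(r: Rule, src_ip: str, dst_ip: str = "0.0.0.0", dport: int = 0) -> bool:
    return (wildcard_match(src_ip, r.src, r.src_wc)
            and wildcard_match(dst_ip, r.dst, r.dst_wc)
            and r.port_lo <= dport <= r.port_hi)


def _depth_first_key(r: Rule):
    # Source wildcard, then destination wildcard, then port-range width,
    # then configuration order. Assumption: "smaller wildcard" is read as
    # the numerically smaller wildcard value.
    return (_ip(r.src_wc), _ip(r.dst_wc), r.port_hi - r.port_lo, r.seq)


def order_rules(rules: List[Rule], mode: str) -> List[Rule]:
    """Return the rules in the order they are consulted under 'mode'."""
    by_config = sorted(rules, key=lambda r: r.seq)
    if mode in ("config", "s3552"):     # user order; S3552: first sub-rule first
        return by_config
    if mode == "s3526e":                # S3526E/S3526C: latest sub-rule first
        return by_config[::-1]
    if mode == "auto":                  # software depth-first order
        return sorted(rules, key=_depth_first_key)
    if mode == "s3526":                 # deny first, then permit, most specific first
        denies = [r for r in by_config if r.action == "deny"]
        permits = sorted((r for r in rules if r.action == "permit"), key=_depth_first_key)
        return denies + permits
    raise ValueError(f"unknown match order {mode!r}")


def first_match(rules: List[Rule], mode: str, src_ip: str,
                dst_ip: str = "0.0.0.0", dport: int = 0) -> Optional[str]:
    """Action of the first matching sub-rule, or None when none matches
    (a consumer such as register-policy treats None as deny)."""
    for r in order_rules(rules, mode):
        if rule_matches(r, src_ip, dst_ip, dport):
            return r.action
    return None


# Constructed rules using the note's addresses: a broad permit for the
# segment and a narrower deny for one host, in that configuration order.
SEGMENT_RULES = [Rule(0, "permit", "129.102.0.0", "0.0.255.255"),
                 Rule(1, "deny", "129.102.1.1", "0.0.0.0")]

# The Table 1-1 example: rule 1 has the more accurate range.
TABLE_1_1_RULES = [Rule(0, "permit", "1.1.1.1", "0.0.255.255", "2.2.2.2", "0.0.255.255"),
                   Rule(1, "permit", "1.1.1.1", "0.0.0.255", "2.2.2.2", "0.0.0.255")]

if __name__ == "__main__":
    for mode in ("config", "auto", "s3526", "s3526e", "s3552"):
        print(f"{mode:7s} 129.102.1.1 ->", first_match(SEGMENT_RULES, mode, "129.102.1.1"))
    print("s3526 order:", [r.seq for r in order_rules(TABLE_1_1_RULES, "s3526")])
```

For the host 129.102.1.1 the config and S3552 orders consult the broad permit first and let the packet through, while auto, S3526 and S3526E/S3526C all reach the host-specific deny first. This is why a rule set that filters correctly in one place (software, route policy) must be re-checked when it is referenced by a hardware QoS function on a different model.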


1.1.2 ACL Supported by Ethernet Switch

For Ethernet Switch, ACLs are divided into the following categories:

Numbered basic ACL
Named basic ACL
Numbered advanced ACL
Named advanced ACL
Numbered Layer-2 ACL
Named Layer-2 ACL
Numbered user-defined ACL
Named user-defined ACL

The table below lists the limits to the numbers of different ACL on a switch.

Table 1-2 Quantitative limitation to the ACL of S3526 series, S3526E and S3526C

Item: Value range
Numbered basic ACL: 2000 to 2999
Numbered advanced ACL: 3000 to 3999
Numbered Layer-2 ACL: 4000 to 4999
Numbered user-defined ACL: 5000 to 5999
Named basic ACL: -
Named advanced ACL: -
Named Layer-2 ACL: -
Named user-defined ACL: -
The sub items of an ACL: 0 to 127

Note:

S3526 Series and S3552 Series Ethernet Switches do not support user-defined ACLs. S3526E and S3526C Ethernet Switches support all kinds of ACL.

Table 1-3 Quantitative limitation to the ACL of S3552

Item: Value range / Maximum number of ACLs activated
Numbered basic ACL: 2000 to 2999 / 64 per 100M port, 512 per 1000M port
Numbered advanced ACL: 3000 to 3999 / 64 per 100M port, 512 per 1000M port
Numbered Layer-2 ACL: 4000 to 4999 / 64 per 100M port, 512 per 1000M port
Named basic ACL: - / 64 per 100M port, 512 per 1000M port
Named advanced ACL: - / 64 per 100M port, 512 per 1000M port
Named Layer-2 ACL: - / 64 per 100M port, 512 per 1000M port
The sub items of an ACL: 0 to 127 / -
Maximum sub items for all ACLs (sum of all ACLs' sub items): - / 1024


One rule can be delivered to the hardware by multiple QoS functions, which means the switch can perform several actions on a given data stream. No matter how many QoS functions use the rule, the switch counts it as only one rule delivered to the hardware. For example, up to 64 rules can be delivered at the 100Base-T port Ethernet0/1; if rule 0 of ACL 1 is delivered to this port by the traffic policing and priority tag functions separately, the switch counts only one delivered rule, and 63 other rules can still be delivered at this port.

1.2 Configure ACL of S3526 Series Ethernet Switches

S3526 Series Ethernet Switches include S3526, S3526 FM, and S3526 FS switches.

ACL configuration includes:

1) Configure time range
2) Define ACL
3) Activate ACL

The three steps should be performed in this order: configure the time range first, then define the ACL (referencing the time range in its rules), and finally activate the ACL so that it takes effect.

1.2.1 Configure Time-Range

A time range consists of an hour-minute range, a date range and a periodic range. The hour-minute range is expressed in hours and minutes. The date range is expressed in minutes, hours, day, month and year. The periodic range is expressed in days of the week.

Use the following commands in system view to set the time range.

Table 1-4 Set the absolute time range

Operation: Set the absolute time range
Command:   time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }

Operation: Delete the absolute time range
Command:   undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]

If start-time and end-time are omitted, the range covers the whole day. The end time must be later than the start time.

If end-time end-date is omitted, the range extends from the start date to the latest date the system can represent. The end time must be later than the start time.
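The two sentences above are easy to misread when a rule has both a periodic part and an absolute part. The following Python model, added here as an illustration and not code from the manual or the switch software, encodes the semantics the text states: a periodic part (days of the week, optionally bounded by start-time and end-time, whole day when those are omitted), an absolute part (open-ended when end-time end-date is omitted), the requirement that the end time be later than the start time, and the fact that a rule without a time range is always in effect. The decision that a range with both parts is active only while both hold is this example's assumption; the day keywords, sample ranges and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple

# Day-of-week encoding used here (Monday = 0, matching datetime.weekday()).
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)
WORKDAYS = frozenset({MON, TUE, WED, THU, FRI})
WEEKEND = frozenset({SAT, SUN})


@dataclass(frozen=True)
class TimeRange:
    """One time-range as the command syntax expresses it.

    Periodic part: start-time to end-time days-of-the-week (empty days = no periodic
    part; start/end None = the whole day, as the text above states).
    Absolute part: from start-time start-date [ to end-time end-date ]
    (abs_to None = open-ended, "the latest date the system can represent").
    When both parts are given the range is active only while both hold; that
    combination rule is this example's assumption, not something the manual states.
    """
    name: str
    days: FrozenSet[int] = frozenset()
    start: Optional[time] = None
    end: Optional[time] = None
    abs_from: Optional[datetime] = None
    abs_to: Optional[datetime] = None

    def __post_init__(self) -> None:
        if not self.days and self.abs_from is None:
            raise ValueError(f"{self.name}: a time-range needs a periodic or an absolute part")
        if (self.start is None) != (self.end is None):
            raise ValueError(f"{self.name}: start-time and end-time must be given together")
        if self.start is not None and not self.days:
            raise ValueError(f"{self.name}: start-time/end-time need days-of-the-week")
        # "The end time shall be later than the start time" applies to both forms.
        if self.start is not None and self.end <= self.start:
            raise ValueError(f"{self.name}: end-time must be later than start-time")
        if self.abs_to is not None and (self.abs_from is None or self.abs_to <= self.abs_from):
            raise ValueError(f"{self.name}: end-time end-date must be later than start-time start-date")

    def active(self, now: datetime) -> bool:
        """True if `now` falls inside the range."""
        if self.abs_from is not None and now < self.abs_from:
            return False
        if self.abs_to is not None and now > self.abs_to:
            return False
        if self.days:
            if now.weekday() not in self.days:
                return False
            if self.start is not None and not (self.start <= now.time() <= self.end):
                return False
        return True


def make_range(name: str, days: FrozenSet[int] = frozenset(),
               times: Optional[Tuple[str, str]] = None,
               abs_from: Optional[str] = None, abs_to: Optional[str] = None) -> TimeRange:
    """Build a TimeRange from "HH:MM" and ISO "YYYY-MM-DDTHH:MM" strings."""
    def parse_dt(s: Optional[str]) -> Optional[datetime]:
        return datetime.fromisoformat(s) if s else None
    start, end = (time.fromisoformat(times[0]), time.fromisoformat(times[1])) if times else (None, None)
    return TimeRange(name, days, start, end, parse_dt(abs_from), parse_dt(abs_to))


def rule_active(time_range: Optional[TimeRange], when: str) -> bool:
    """A rule that references no time-range is always in effect once the ACL is activated."""
    return time_range is None or time_range.active(datetime.fromisoformat(when))


# Constructed sample ranges (not from the manual):
# 08:00 to 18:00 on working days, bounded to the year 2003
OFFICE = make_range("office", WORKDAYS, ("08:00", "18:00"), "2003-01-01T08:00", "2003-12-31T18:00")
# whole day on Saturday and Sunday, no absolute bound
WEEKEND_ALL_DAY = make_range("weekend", WEEKEND)
# absolute part only, no end-date, so open-ended
SINCE_2003 = make_range("since2003", abs_from="2003-01-01T00:00")
```

A Monday in 2004 is outside OFFICE even though it is a working day inside the hour range, because the absolute end-date has passed; that is the case to test before relying on a time-bound deny rule.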


1.2.2 Define ACL

Huawei switches support several kinds of ACLs. This section describes how to define them.

Define an ACL by following the steps below:

1) Enter the corresponding ACL view.
2) Add a rule to the ACL.

You can add multiple rules to one ACL.

Note:

1) If no time range is specified, the ACL is always in effect once activated.
2) While defining an ACL, you can use the rule command repeatedly to define multiple rules for it.
3) If the ACL is used to filter or classify traffic forwarded by the switch hardware, the match order set with the acl command has no effect. If the ACL is used to filter or classify traffic processed by the switch software, the match order of the ACL's rules is honoured. Once the match order of an ACL has been specified, it cannot be modified later.
4) The default match order is config, that is, the order in which the user configured the rules.

I. Define basic ACL

Basic ACL rules classify packets by Layer-3 source IP address only.

You can use the following commands to define a basic ACL.

Perform the following configuration in the corresponding view.

Table 1-5 Define basic ACL

Operation: Enter basic ACL view (from system view)
Command:   acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from basic ACL view)
Command:   rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from basic ACL view)
Command:   undo rule rule-id [ source ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }


II. Define advanced ACL

Advanced ACL rules classify packets by attributes such as source and destination IP address, the TCP or UDP port numbers in use and packet priority. An advanced ACL can examine three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP.

Note:

The S3526 series and S3026 F switches have the following limits:

1) The protocol type (the protocol parameter of the rule command) cannot be configured in IP-any, any-IP, NET-any and any-NET rules (rules whose source is a host IP address or a network segment address and whose destination is any, or whose source is any and whose destination is a host IP address or a network segment address). Otherwise the system reports that the configuration is not available.
2) The ToS, IP precedence and DSCP priority parameters are not supported when defining an advanced ACL.
3) The icmp-type parameter is supported only when defining an advanced ACL, and the ICMP packet type and code (the type code parameters of the rule command) cannot be configured. Otherwise the system reports that the configuration is not available.

You can use the following command to define advanced ACL.

Perform the following configuration in corresponding view.

Table 1-6 Define advanced ACL

Operation: Enter advanced ACL view (from system view)
Command:   acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from advanced ACL view)
Command:   rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from advanced ACL view)
Command:   undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

The advanced ACL is identified with the numbers ranging from 3000 to 3999.

Note that port1 and port2 in the above command are the TCP or UDP ports used by upper-layer applications. For some well-known ports you can use a mnemonic as a shortcut; for example, bgp stands for TCP port 179 used by BGP.

III. Define Layer-2 ACL

Layer-2 ACL rules classify packets by Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, the Layer-2 ports that receive and forward the packet, and destination MAC address.

You can use the following commands to define a Layer-2 ACL.

Perform the following configuration in the corresponding view.

Table 1-7 Define Layer-2 ACL

Operation: Enter Layer-2 ACL view (from system view)
Command:   acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from Layer-2 ACL view)
Command:   rule [ rule-id ] { permit | deny } [ ingress { { source-vlan-id | source-mac-addr | interface { interface-name | interface-type interface-num } }* | any } ] [ egress { { destination-vlan-id | dest-mac-addr | interface { interface-name | interface-type interface-num } }* | any } ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from Layer-2 ACL view)
Command:   undo rule rule-id

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

Layer-2 ACLs are identified by numbers ranging from 4000 to 4999.

The interface in the above command is a Layer-2 interface, such as an Ethernet port of the switch.

1.2.3 Activate ACL

A defined ACL takes effect only after it has been activated globally on the switch. Activation applies the ACL to filter or classify the traffic forwarded by the switch hardware.

You can use the following command to activate the defined ACL.

Perform the following configuration in system view.

Table 1-8 Activate ACL

Operation: Activate an ACL
Command:   packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Operation: Deactivate an ACL
Command:   undo packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }


When traffic classification is used to implement QoS functions, the S3526 places some restrictions on ACL configuration. They are listed in the following table.

Table 1-9 ACL configuration restriction for QoS function in S3526

QoS function: Packet filter
Implementation: packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Restrictions on ACL configuration: Packet filter supports only ACL rules with the deny action. Layer-2 ACLs may use the rule shapes MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. Layer-3 ACLs may use the rule shapes IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.

Note:

1) Layer-3 ACL here includes the advanced ACL.
2) In the rule shapes above, MAC is a MAC address, PORT a switch port, IP a host IP address, NET a network segment address, and ANY any MAC address (Layer-2 ACL) or any IP address (Layer-3 ACL). The element before the "-" is the source address or receiving port; the element after it is the destination address or transmitting port. Examples:
   MAC-MAC is a Layer-2 ACL rule from a source MAC address to a destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress 00e0-fc01-0102 1 time-range huawei".
   PORT-PORT is a Layer-2 ACL rule from a receiving Ethernet port to a transmitting Ethernet port, such as "rule 0 permit ingress interface ethernet0/1 egress interface ethernet 0/2 time-range huawei".
   MAC-PORT is a Layer-2 ACL rule from a source MAC address to a transmitting Ethernet port, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress interface ethernet 0/1 time-range huawei".
   IP-IP is a Layer-3 ACL rule from a source host IP address to a destination host IP address (the wildcard must be 0), such as "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 time-range huawei".
   NET-NET is a Layer-3 ACL rule from a source network segment to a destination network segment (the wildcard must not be 0), such as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei".
   MAC-ANY is a Layer-2 ACL rule from a source MAC address to any destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress any time-range huawei"; ANY-MAC, IP-ANY, ANY-IP, NET-ANY and ANY-NET rules are formed in the same way.
3) For a MAC-MAC rule, the source and destination MAC addresses must be configured in the same VLAN, that is, specify the same VLAN ID for both addresses when defining the ACL.
4) For IP-ANY, ANY-IP, NET-ANY and ANY-NET rules, the S3526 does not filter on a specific protocol: the protocol parameter of the rule command can only be ip when defining these rules. Otherwise an error is returned when the rule is committed.
5) IP-IP, MAC-MAC, MAC-PORT, PORT-PORT, PORT-MAC, IP-NET and NET-NET rules work in both directions: a rule defined to filter packets from the source address to the destination address also filters packets from the destination address back to the source address. IP-ANY, ANY-IP, NET-ANY, ANY-NET, MAC-ANY and ANY-MAC rules work only in the direction the user defined.
6) On S3526, S3526 FM and S3526 FS switches, the icmp-type parameter is supported only when defining an advanced ACL; the ICMP packet type and code (the type code parameters of the rule command) cannot be configured. Otherwise the system reports that the configuration is not available.
7) The restrictions listed for each QoS function describe the ACL rules that can be used when configuring that function. Other ACL rules cannot be used for that function on the S3526, and the system returns an error if they are.
8) Define the ACL rules a QoS function will use before configuring that function.
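Note 5 is the caveat that bites in practice: a deny rule that names both endpoints also drops the reverse direction, so a rule meant to stop one segment reaching a server also stops the server's replies to anything else in that segment. The following Python, added here as an illustration and not code from the manual or the switch, models the wildcard-mask comparison of advanced ACL rules, classifies a rule into the Layer-3 shapes of Table 1-9, applies the packet-filter restrictions of the table and of notes 4 and 5, and reports which packets a rule would drop on the S3526. The rule shapes, the deny-only and protocol-ip-only restrictions and the one-direction versus two-direction behaviour follow the notes above; the function names, the sample rules and the sample addresses are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# (address, wildcard) as written in the rule command, or None for "any".
Endpoint = Optional[Tuple[str, str]]


def _ip(addr: str) -> int:
    # The CLI accepts a bare 0 as the wildcard of a single host; normalise it.
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard comparison: a 1 bit in the wildcard is a don't-care bit."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_addr) & care)


def endpoint_kind(ep: Endpoint) -> str:
    """ANY, IP (wildcard 0, a single host) or NET (non-zero wildcard, a segment)."""
    if ep is None:
        return "ANY"
    return "IP" if _ip(ep[1]) == 0 else "NET"


# Layer-3 rule shapes packet-filter accepts on the S3526 (Table 1-9).
S3526_L3_SHAPES = {"IP-IP", "IP-NET", "NET-NET", "IP-ANY", "ANY-IP", "NET-ANY", "ANY-NET"}


@dataclass(frozen=True)
class AdvancedRule:
    action: str        # permit | deny
    protocol: str      # ip | tcp | udp | ...
    source: Endpoint
    destination: Endpoint

    def shape(self) -> str:
        return f"{endpoint_kind(self.source)}-{endpoint_kind(self.destination)}"

    def bidirectional_on_s3526(self) -> bool:
        # Note 5: a rule naming both endpoints also filters the reverse direction;
        # a rule with "any" on one side works in the defined direction only.
        return "ANY" not in self.shape()


def s3526_packet_filter_problems(rule: AdvancedRule) -> List[str]:
    """Reasons the S3526 would refuse this rule for packet-filter (Table 1-9, note 4)."""
    problems = []
    if rule.action != "deny":
        problems.append("packet-filter accepts deny rules only")
    shape = rule.shape()
    if shape not in S3526_L3_SHAPES:
        problems.append(f"rule shape {shape} is not in Table 1-9")
    if "ANY" in shape and rule.protocol != "ip":
        problems.append("IP-ANY/ANY-IP/NET-ANY/ANY-NET rules take protocol ip only")
    return problems


def _matches_one_way(rule: AdvancedRule, src: str, dst: str, proto: str) -> bool:
    if rule.protocol != "ip" and rule.protocol != proto:
        return False
    for ep, addr in ((rule.source, src), (rule.destination, dst)):
        if ep is not None and not wildcard_match(addr, ep[0], ep[1]):
            return False
    return True


def dropped_on_s3526(rule: AdvancedRule, src: str, dst: str, proto: str = "ip") -> bool:
    """Would packet-filter with this rule drop a packet src -> dst on the S3526?"""
    problems = s3526_packet_filter_problems(rule)
    if problems:
        raise ValueError("; ".join(problems))
    if _matches_one_way(rule, src, dst, proto):
        return True
    # The reverse direction is checked only for the two-endpoint shapes of note 5.
    return rule.bidirectional_on_s3526() and _matches_one_way(rule, dst, src, proto)


# Constructed sample rules (not from the manual):
# rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255   -> NET-NET
BLOCK_SEGMENTS = AdvancedRule("deny", "ip", ("10.1.1.0", "0.0.0.255"), ("10.2.2.0", "0.0.0.255"))
# rule 1 deny ip source 10.1.1.0 0.0.0.255 destination any                   -> NET-ANY
BLOCK_SEGMENT_OUT = AdvancedRule("deny", "ip", ("10.1.1.0", "0.0.0.255"), None)
```

Run the check before activating a rule: BLOCK_SEGMENTS drops 10.2.2.0/24 to 10.1.1.0/24 as well as the direction it was written for, while BLOCK_SEGMENT_OUT drops only traffic leaving 10.1.1.0/24 and would be refused outright if its protocol were tcp instead of ip.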

1.2.4 Display and Debug ACL

After the above configuration, execute the display commands in any view to show the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.

Table 1-10 Display and Debug ACL

Operation: Display the status of the time range
Command:   display time-range { all | name }

Operation: Display detailed information about the ACL
Command:   display acl config { all | acl-number | acl-name }

Operation: Display the ACL running state
Command:   display acl running-packet-filter all

Operation: Clear ACL counters
Command:   reset acl counter { all | acl-number | acl-name }

The match counts shown by the display acl config command cover only rules applied by the switch CPU. Match counts for traffic forwarded by the switch hardware are shown by the display qos-global traffic-statistic command.

For syntax description, refer to the Command Manual.

1.3 Configure ACL of S3526E and S3526C

ACL configuration includes:

1) Configure time range
2) Define ACL
3) Activate ACL

The three steps should be performed in this order: configure the time range first, then define the ACL (referencing the time range in its rules), and finally activate the ACL so that it takes effect.


1.3.1 Configure Time-Range

A time range consists of an hour-minute range, a date range and a periodic range. The hour-minute range is expressed in hours and minutes. The date range is expressed in minutes, hours, day, month and year. The periodic range is expressed in days of the week.

Use the following commands in system view to set the time range.

Table 1-11 Set the absolute time range

Operation: Set the absolute time range
Command:   time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }

Operation: Delete the absolute time range
Command:   undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]

If start-time and end-time are omitted, the range covers the whole day. The end time must be later than the start time.

If end-time end-date is omitted, the range extends from the start date to the latest date the system can represent. The end time must be later than the start time.

1.3.2 Define ACL

Huawei switches support several kinds of ACLs. This section describes how to define them.

Define an ACL by following the steps below:

1) Enter the corresponding ACL view.
2) Add a rule to the ACL.

You can add multiple rules to one ACL.

Note:

1) If no time range is specified, the ACL is always in effect once activated.
2) While defining an ACL, you can use the rule command repeatedly to define multiple rules for it.
3) If the ACL is used to filter or classify traffic forwarded by the switch hardware, the match order set with the acl command has no effect. If the ACL is used to filter or classify traffic processed by the switch software, the match order of the ACL's rules is honoured. Once the match order of an ACL has been specified, it cannot be modified later.
4) The default match order is config, that is, the order in which the user configured the rules.

I. Define basic ACL

Basic ACL rules classify packets by Layer-3 source IP address only.

You can use the following commands to define a basic ACL.

Perform the following configuration in the corresponding view.

Table 1-12 Define basic ACL

Operation: Enter basic ACL view (from system view)
Command:   acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from basic ACL view)
Command:   rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from basic ACL view)
Command:   undo rule rule-id [ source ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

II. Define advanced ACL

Advanced ACL rules classify packets by attributes such as source and destination IP address, the TCP or UDP port numbers in use and packet priority. An advanced ACL can examine three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP.

You can use the following command to define advanced ACL.

Perform the following configuration in corresponding view.

Table 1-13 Define advanced ACL

Operation: Enter advanced ACL view (from system view)
Command:   acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from advanced ACL view)
Command:   rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from advanced ACL view)
Command:   undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }


The advanced ACL is identified with the numbers ranging from 3000 to 3999.

Note that port1 and port2 in the above command are the TCP or UDP ports used by upper-layer applications. For some well-known ports you can use a mnemonic as a shortcut; for example, bgp stands for TCP port 179 used by BGP.

III. Define Layer-2 ACL

Layer-2 ACL rules classify packets by Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, the Layer-2 ports that receive and forward the packet, and destination MAC address.

You can use the following commands to define a Layer-2 ACL.

Perform the following configuration in the corresponding view.

Table 1-14 Define Layer-2 ACL

Operation: Enter Layer-2 ACL view (from system view)
Command:   acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from Layer-2 ACL view)
Command:   rule [ rule-id ] { permit | deny } [ protocol ] [ cos vlan-pri ] [ ingress { { source-vlan-id | source-mac-addr source-mac-wildcard | interface { interface-name | interface-type interface-num } }* | any } ] [ egress { { dest-mac-addr dest-mac-wildcard | interface { interface-name | interface-type interface-num } }* | any } ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from Layer-2 ACL view)
Command:   undo rule rule-id

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

Layer-2 ACLs are identified by numbers ranging from 4000 to 4999.

The interface in the above command is a Layer-2 interface, such as an Ethernet port of the switch.

IV. Define user-defined ACL

A user-defined ACL compares bytes within the first 80 bytes of the Layer-2 frame with a string defined by the user and processes the frame according to the result. To use user-defined ACLs correctly you need to understand the Layer-2 frame structure. The figure below shows the first 64 bytes of the Layer-2 frame. (Every letter represents a hexadecimal digit, so every two letters are one byte.)


Figure 1-1 The first 64 bytes of data frame

The table below lists the meaning and offset of each letter.

Table 1-15 Letters and their meanings

Letter   Meaning                                              Offset
A        Destination MAC address                              0
B        Source MAC address                                   6
C        Data frame length field                              12
D        VLAN tag field                                       14
E        DSAP (Destination Service Access Point) field        18
F        SSAP (Source Service Access Point) field             19
G        Ctrl field                                           20
H        Org code field                                       21
I        Encapsulated data type                               24
J        IP version                                           26
K        TOS field                                            27
L        IP packet length                                     28
M        ID number                                            30
N        Flags field                                          32
O        TTL field                                            34
P        Protocol number (6 is TCP and 17 is UDP)             35
Q        IP checksum                                          36
R        Source IP address                                    38
S        Destination IP address                               42
T        TCP source port                                      46
U        TCP destination port                                 48
V        Sequence number                                      50
W        Acknowledgement field                                54
XY       TCP header length and currently unused bits          58
Z        Currently unused bits and flag bits                  59
a        Window size field                                    60
b        Others                                               62

The offsets listed in the table are the field offsets within an 802.3 frame with SNAP encapsulation and a VLAN tag (SNAP+tag). In a user-defined ACL, the rule mask and offset parameters select bytes anywhere within the first 64 bytes of the frame and compare them with the user-defined rule string; frames that match are then processed according to the rule. A rule normally targets a fixed field of the frame. For example, to match all TCP packets, define the rule string as 06, the rule mask as FF and the offset as 35: the mask and offset pick the protocol number byte out of the frame, and comparing it with the rule string selects exactly the TCP packets.

Note:

When defining a user-defined ACL, calculate and set the offsets according to the SNAP+tag 802.3 frame format described above; an offset computed against another frame format selects the wrong bytes.


You can use the following commands to define a user-defined ACL.

Perform the following configuration in the corresponding view.

Table 1-16 Define user-defined ACL

Operation: Enter user-defined ACL view (from system view)
Command:   acl { number acl-number | name acl-name user } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from user-defined ACL view)
Command:   rule [ rule-id ] { permit | deny } { rule-string rule-mask offset }&<1-8> [ time-range name ]

Operation: Delete a sub-item from the ACL (from user-defined ACL view)
Command:   undo rule rule-id

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

User-defined ACLs are identified by numbers ranging from 5000 to 5999.
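To show how the rule-string, rule-mask and offset parameters combine, here is a Python model added to this section; it is not code from the manual or the switch software. It builds a constructed 64-byte frame laid out exactly as Table 1-15 describes, implements the mask-and-compare of one rule-string rule-mask offset group, evaluates a rule of up to eight groups and walks an ACL in configured order. The field names, the sample ACL and the sample addresses are this example's own; first-match-wins in configuration order is an assumption based on the default match-order config, and the result when no rule matches is left as None because the page does not state a default action for user-defined ACLs.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Sequence, Tuple

# Byte offsets of the fields in Table 1-15 (SNAP+tag 802.3 frame, the layout the
# switch assumes when it applies a user-defined ACL offset).
OFFSET = {
    "dst_mac": 0, "src_mac": 6, "length": 12, "vlan_tag": 14,
    "dsap": 18, "ssap": 19, "ctrl": 20, "org_code": 21, "enc_type": 24,
    "ip_version": 26, "tos": 27, "ip_len": 28, "ip_id": 30, "ip_flags": 32,
    "ttl": 34, "protocol": 35, "ip_cksum": 36, "src_ip": 38, "dst_ip": 42,
    "l4_sport": 46, "l4_dport": 48, "tcp_seq": 50, "tcp_ack": 54,
    "tcp_hdrlen": 58, "tcp_flags": 59, "tcp_window": 60,
}
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10

# One "rule-string rule-mask offset" group of the rule command: hex, hex, decimal.
Group = Tuple[str, str, int]


def build_frame(src_ip: str, dst_ip: str, protocol: int, sport: int, dport: int,
                tcp_flags: int = TCP_SYN) -> bytes:
    """Constructed 64-byte sample frame laid out as in Table 1-15 (not a capture)."""
    f = bytearray(64)
    f[0:6] = bytes.fromhex("00e0fc010102")                        # A destination MAC
    f[6:12] = bytes.fromhex("00e0fc010101")                       # B source MAC
    struct.pack_into("!H", f, OFFSET["length"], 50)               # C 802.3 length
    struct.pack_into("!HH", f, OFFSET["vlan_tag"], 0x8100, 1)     # D VLAN tag, VLAN 1
    f[18:21] = b"\xaa\xaa\x03"                                    # E/F/G SNAP DSAP, SSAP, Ctrl
    struct.pack_into("!H", f, OFFSET["enc_type"], 0x0800)         # I encapsulated type IPv4 (H org code left 0)
    f[OFFSET["ip_version"]] = 0x45                                # J version 4, IHL 5
    struct.pack_into("!HHH", f, OFFSET["ip_len"], 40, 0x1234, 0x4000)   # L, M, N
    f[OFFSET["ttl"]] = 64                                         # O
    f[OFFSET["protocol"]] = protocol                              # P
    f[38:42] = IPv4Address(src_ip).packed                         # R
    f[42:46] = IPv4Address(dst_ip).packed                         # S
    struct.pack_into("!HHII", f, OFFSET["l4_sport"], sport, dport, 1, 0)   # T, U, V, W
    f[OFFSET["tcp_hdrlen"]] = 0x50                                # XY data offset 5 words
    f[OFFSET["tcp_flags"]] = tcp_flags                            # Z
    struct.pack_into("!H", f, OFFSET["tcp_window"], 8192)         # a
    return bytes(f)


def group_matches(frame: bytes, rule_string: str, rule_mask: str, offset: int) -> bool:
    """(frame bytes at offset AND rule-mask) == (rule-string AND rule-mask)."""
    rule, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(rule) != len(mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    window = frame[offset:offset + len(rule)]
    if len(window) < len(rule):
        return False                     # the field lies beyond the end of this frame
    return all((b & m) == (r & m) for b, r, m in zip(window, rule, mask))


def rule_matches(frame: bytes, groups: Sequence[Group]) -> bool:
    """A rule carries 1 to 8 groups (&<1-8>); all of them must match."""
    if not 1 <= len(groups) <= 8:
        raise ValueError("a rule takes between 1 and 8 rule-string rule-mask offset groups")
    return all(group_matches(frame, *g) for g in groups)


def evaluate(frame: bytes, rules: Sequence[Tuple[str, Sequence[Group]]]) -> Optional[str]:
    """Walk the rules in configured order (match-order config) and return the
    action of the first rule that matches, or None when none does."""
    for action, groups in rules:
        if rule_matches(frame, groups):
            return action
    return None


# Constructed user-defined ACL (not from the manual), as the CLI would express it:
#   rule 0 deny   06 FF 35 0017 FFFF 48   -> TCP with destination port 23 (telnet)
#   rule 1 permit 06 FF 35                -> any other TCP
ACL_5000 = [
    ("deny",   [("06", "FF", OFFSET["protocol"]), ("0017", "FFFF", OFFSET["l4_dport"])]),
    ("permit", [("06", "FF", OFFSET["protocol"])]),
]
```

The mask is what makes single-bit fields filterable: a group of 02 02 59 matches frames with the TCP SYN bit set regardless of the other flag bits, which is the kind of rule the switch can hold in hardware where a plain byte compare could not express it.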

1.3.3 Activate ACL

A defined ACL takes effect only after it has been activated globally on the switch. Activation applies the ACL to filter or classify the traffic forwarded by the switch hardware.

You can use the following command to activate the defined ACL.

Perform the following configuration in system view.

Table 1-17 Activate ACL

Operation: Activate an ACL
Command:   packet-filter { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Operation: Deactivate an ACL
Command:   undo packet-filter { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Note:

This command can activate a Layer-2 ACL and an IP ACL (basic or advanced) together in one command, but the actions of the combined rules must be consistent. If the actions conflict (one is permit and the other is deny), the combination cannot be activated.

1.3.4 Display and Debug ACL

After the above configuration, execute the display commands in any view to show the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.


Table 1-18 Display and Debug ACL

Operation: Display the status of the time range
Command:   display time-range { all | name }

Operation: Display detailed information about the ACL
Command:   display acl config { all | acl-number | acl-name }

Operation: Display the ACL running state
Command:   display acl running-packet-filter all

Operation: Clear ACL counters
Command:   reset acl counter { all | acl-number | acl-name }

The match counts shown by the display acl config command cover only rules applied by the switch CPU. Match counts for traffic forwarded by the switch hardware are shown by the display qos-global traffic-statistic command.

For syntax description, refer to the Command Manual.

1.4 Configure ACL of S3552 Series Ethernet Switches

S3552 Series Ethernet Switches include S3552G, S3552P, S3528G, and S3528P Ethernet Switches.

ACL configuration includes:

1) Configure time range
2) Define ACL
3) Activate ACL

The three steps should be performed in this order: configure the time range first, then define the ACL (referencing the time range in its rules), and finally activate the ACL so that it takes effect.

1.4.1 Configure Time-Range

A time range consists of an hour-minute range, a date range and a periodic range. The hour-minute range is expressed in hours and minutes. The date range is expressed in minutes, hours, day, month and year. The periodic range is expressed in days of the week.

Use the following commands in system view to set the time range.

Table 1-19 Set the absolute time range

Operation: Set the absolute time range
Command:   time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }

Operation: Delete the absolute time range
Command:   undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]

If start-time and end-time are omitted, the range covers the whole day. The end time must be later than the start time.

If end-time end-date is omitted, the range extends from the start date to the latest date the system can represent. The end time must be later than the start time.

1.4.2 Define ACL

Huawei switches support several kinds of ACLs. This section describes how to define them.

Define an ACL by following the steps below:

1) Enter the corresponding ACL view.
2) Add a rule to the ACL.

You can add multiple rules to one ACL.

Note:

1) If no time range is specified, the ACL is always in effect once activated.
2) While defining an ACL, you can use the rule command repeatedly to define multiple rules for it.
3) If the ACL is used to filter or classify traffic forwarded by the switch hardware, the match order set with the acl command has no effect. If the ACL is used to filter or classify traffic processed by the switch software, the match order of the ACL's rules is honoured. Once the match order of an ACL has been specified, it cannot be modified later.
4) The default match order is config, that is, the order in which the user configured the rules.

I. Define basic ACL

Basic ACL rules classify packets by Layer-3 source IP address only.

You can use the following commands to define a basic ACL.

Perform the following configuration in the corresponding view.

Table 1-20 Define basic ACL

Operation: Enter basic ACL view (from system view)
Command:   acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from basic ACL view)
Command:   rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from basic ACL view)
Command:   undo rule rule-id [ source ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

II. Define advanced ACL

Advanced ACL rules classify packets by attributes such as source and destination IP address, the TCP or UDP port numbers in use and packet priority. An advanced ACL can examine three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP.

You can use the following command to define advanced ACL.

Perform the following configuration in corresponding view.

Table 1-21 Define advanced ACL

Operation: Enter advanced ACL view (from system view)
Command:   acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from advanced ACL view)
Command:   rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr dest-mask | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from advanced ACL view)
Command:   undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

The advanced ACL is identified with the numbers ranging from 3000 to 3999.

Note that port1 and port2 in the above command are the TCP or UDP ports used by upper-layer applications. For some well-known ports you can use a mnemonic as a shortcut; for example, bgp stands for TCP port 179 used by BGP.

III. Define Layer-2 ACL

Layer-2 ACL rules classify packets by Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, Layer-2 packet format and destination MAC address.

You can use the following commands to define a Layer-2 ACL.

Perform the following configuration in the corresponding view.

Table 1-22 Define Layer-2 ACL

Operation: Enter Layer-2 ACL view (from system view)
Command:   acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from Layer-2 ACL view)
Command:   rule [ rule-id ] { permit | deny } [ cos vlan-pri ] [ ingress { { source-vlan-id | source-mac-addr source-mac-wildcard }* | any } ] [ egress { { dest-vlan-id | dest-mac-addr dest-mac-wildcard }* | any } ] [ tagged | untagged ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from Layer-2 ACL view)
Command:   undo rule rule-id

Operation: Delete one ACL or all ACLs (from system view)
Command:   undo acl { number acl-number | name acl-name | all }

Layer-2 ACL can be identified with numbers ranging from 4000 to 4999.

1.4.3 Activate ACL

A defined ACL takes effect only after it has been activated on the switch. Activating an ACL makes the switch hardware filter, or classify, the data it forwards according to that ACL.

You can use the following commands to activate a defined ACL.

Perform the following configuration in Ethernet port view.

Table 1-23 Activate ACL

Operation Command

Activate an ACL

packet-filter inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Deactivate an ACL

undo packet-filter inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

1.4.4 Display and Debug ACL

After the above configuration, execute the display command in any view to display the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.

Table 1-24 Display and Debug ACL

Operation Command

Display the status of the time range

display time-range { all | name }

Display the detailed information about the ACL

display acl config { all | acl-number | acl-name }

Display the information about the ACL running state

display acl running-packet-filter all

Clear ACL counters

reset acl counter { all | acl-number | acl-name }


The match counters shown by the display acl config command cover only the rules processed by the switch CPU. Matches against traffic forwarded by the switch can be displayed with the display qos-interface traffic-statistic command.

For syntax description, refer to the Command Manual.

1.5 ACL Configuration Example of S3526 Series Switches

1.5.1 Advanced ACL Configuration Example

I. Networking requirements

The departments of a company network are interconnected through the 100M ports of the Ethernet Switch. The payment query server of the Financial Dept. (129.110.1.2) is accessed via Ethernet1/1. The ACL must be configured so that the departments are restricted from accessing the payment query server between 8:00 and 18:00.

II. Networking diagram

Figure 1-2 Access control configuration example: Switch#1 connects the Administration Department (subnet address 10.120.0.0), the Financial Department (subnet address 10.110.0.0), the Office of President (129.111.1.2) and the pay query server (129.110.1.2); one switch port is connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.


1) Define the work time range

# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 working-day

2) Define the ACL to access the payment server.

# Enter the view of the named advanced ACL traffic-of-payserver.

[Quidway] acl name traffic-of-payserver advanced match-order config

# Define the rule for the other departments' access to the payment server.

[Quidway-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-payserver.

[Quidway] packet-filter ip-group traffic-of-payserver

1.5.2 Basic ACL Configuration Example

I. Networking requirements

Using a basic ACL, filter the packets whose source IP address is 10.1.1.1 during the time range 8:00 to 18:00 every day.

II. Networking diagram

Figure 1-3 Access control configuration example: Switch#1, connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range


# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define the ACL for packets whose source IP address is 10.1.1.1.

# Enter the view of the named basic ACL traffic-of-host.

[Quidway] acl name traffic-of-host basic

# Define the rule for packets whose source IP address is 10.1.1.1.

[Quidway-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-host.

[Quidway] packet-filter ip-group traffic-of-host

1.5.3 Link ACL Configuration Example

I. Networking requirements

Using a Link ACL, filter the packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303 during the time range 8:00 to 18:00 every day.

II. Networking diagram

Figure 1-4 Access control configuration example: Switch#1, connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range

# Define time range from 8:00 to 18:00.


[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.

# Enter the view of the named link ACL traffic-of-link.

[Quidway] acl name traffic-of-link link

# Define the rule for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.

[Quidway-acl-link-traffic-of-link] rule 1 deny ip ingress 00e0-fc01-0101 egress 00e0-fc01-0303 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-link.

[Quidway] packet-filter link-group traffic-of-link

1.6 ACL Configuration Example of S3526E and S3526C

1.6.1 Advanced ACL Configuration Example

I. Networking requirements

The departments of a company network are interconnected through the 100M ports of the Ethernet Switch. The payment query server of the Financial Dept. (129.110.1.2) is accessed via Ethernet1/1. The ACL must be configured so that all departments other than the Office of President are restricted from accessing the payment query server between 8:00 and 18:00, while the Office of President (129.111.1.2) can access the server without limitation.


II. Networking diagram

Figure 1-5 Access control configuration example: Switch#1 connects the Administration Department (subnet address 10.120.0.0), the Financial Department (subnet address 10.110.0.0), the Office of President (129.111.1.2) and the pay query server (129.110.1.2); one switch port is connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the work time range

# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 working-day

2) Define the ACL to access the payment server.

# Enter the view of the named advanced ACL traffic-of-payserver.

[Quidway] acl name traffic-of-payserver advanced match-order config

# Define the rule for the other departments' access to the payment server.

[Quidway-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei

# Define the rule for the Office of President's access to the payment server.

[Quidway-acl-adv-traffic-of-payserver] rule 2 permit ip source 129.111.1.2 0.0.0.0 destination 129.110.1.2 0.0.0.0

3) Activate ACL.

# Activate the ACL traffic-of-payserver.


[Quidway] packet-filter ip-group traffic-of-payserver

1.6.2 Basic ACL Configuration Example

I. Networking requirements

Using a basic ACL, filter the packets whose source IP address is 10.1.1.1 during the time range 8:00 to 18:00 every day.

II. Networking diagram

Figure 1-6 Access control configuration example: Switch#1, connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range

# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define the ACL for packets whose source IP address is 10.1.1.1.

# Enter the view of the named basic ACL traffic-of-host.

[Quidway] acl name traffic-of-host basic

# Define the rule for packets whose source IP address is 10.1.1.1.

[Quidway-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-host.

[Quidway] packet-filter ip-group traffic-of-host


1.6.3 Link ACL Configuration Example

I. Networking requirements

Using a Link ACL, filter the packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303 during the time range 8:00 to 18:00 every day.

II. Networking diagram

Figure 1-7 Access control configuration example: Switch#1, connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range

# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.

# Enter the view of the named link ACL traffic-of-link.

[Quidway] acl name traffic-of-link link

# Define the rule for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.

[Quidway-acl-link-traffic-of-link] rule 1 deny ip ingress 00e0-fc01-0101 0-0-0 egress 00e0-fc01-0303 0-0-0 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-link.

[Quidway] packet-filter link-group traffic-of-link
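The examples in 1.6.1 and 1.6.3 rely on three matching mechanics that the command tables only name: the wildcard mask (a 0 bit must match and a 1 bit is ignored, so 0.0.0.0 or 0-0-0 pins an exact host while 0.0.255.255 covers a segment), the time-range (working-day versus daily), and the order in which the rules of an ACL are consulted. The following Python model is added here as an illustration; it is not code from the manual or from the switch. It walks a packet through the two ACLs configured above and reports the first rule that matches. Its ordering semantics (match-order config tries rules as numbered, auto tries the most specific rule first), its treatment of traffic matching no rule (forwarded), the exclusive end time of a time range and the Monday-to-Friday meaning of working-day are assumptions of the model, not behaviour documented on this page. The hosts and timestamps in the docstrings are constructed.

```python
"""ACL matching model for the examples above: wildcard masks, time ranges, match order.
Constructed illustration, not code from the manual or the switch."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

def parse_addr(text: str) -> int:
    """Dotted IPv4 (129.110.1.2) or Quidway-style MAC (00e0-fc01-0101) to an int;
    the manual's bare "0" wildcard shorthand also parses to 0."""
    if "." in text:
        octets = [int(p) for p in text.split(".")]
        assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), text
        return int.from_bytes(bytes(octets), "big")
    return int(text.replace("-", ""), 16)

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~parse_addr(wildcard)
    return (parse_addr(addr) & care) == (parse_addr(pattern) & care)

def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

@dataclass
class TimeRange:
    name: str
    start: str            # e.g. "8:00"
    end: str              # e.g. "18:00" (exclusive in this model)
    days: str = "daily"   # "daily" or "working-day" (Mon-Fri, model assumption)

    def active(self, when: datetime) -> bool:
        if self.days == "working-day" and when.weekday() >= 5:
            return False
        return _minutes(self.start) <= when.hour * 60 + when.minute < _minutes(self.end)

@dataclass
class Rule:
    rule_id: int
    action: str               # "permit" or "deny"
    source: str = "any"       # address or "any"
    source_wc: str = "0"
    dest: str = "any"
    dest_wc: str = "0"
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False
        if self.source != "any" and not wildcard_match(pkt["src"], self.source, self.source_wc):
            return False
        return self.dest == "any" or wildcard_match(pkt["dst"], self.dest, self.dest_wc)

    def specificity(self) -> int:
        """Address bits pinned down by both fields ("any" pins none); drives auto order."""
        total = 0
        for pattern, wc in ((self.source, self.source_wc), (self.dest, self.dest_wc)):
            if pattern != "any":
                total += (32 if "." in pattern else 48) - bin(parse_addr(wc)).count("1")
        return total

@dataclass
class Acl:
    name: str
    match_order: str = "config"   # "config": as numbered; "auto": most specific first
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: dict, when: datetime):
        """(action, rule_id) of the first matching rule, else ("permit", None):
        the model assumes traffic matching no rule is forwarded."""
        ordered = self.rules
        if self.match_order == "auto":
            ordered = sorted(self.rules, key=Rule.specificity, reverse=True)
        for rule in ordered:
            if rule.matches(pkt, when):
                return rule.action, rule.rule_id
        return "permit", None

def decide(acl: Acl, src: str, dst: str, when_iso: str):
    """Evaluate one src -> dst packet at an ISO-8601 timestamp, e.g. 2024-01-08T10:00:00
    (a constructed Monday)."""
    return acl.evaluate({"src": src, "dst": dst}, datetime.fromisoformat(when_iso))

def payserver_acl(match_order: str = "config") -> Acl:
    """The advanced ACL of 1.6.1: rule 1 denies everyone in the working-day window,
    rule 2 permits the Office of President host."""
    huawei = TimeRange("huawei", "8:00", "18:00", "working-day")
    return Acl("traffic-of-payserver", match_order, [
        Rule(1, "deny", "any", "0", "129.110.1.2", "0.0.0.0", huawei),
        Rule(2, "permit", "129.111.1.2", "0.0.0.0", "129.110.1.2", "0.0.0.0"),
    ])

def link_acl() -> Acl:
    """The link ACL of 1.6.3: the MAC fields go through the same wildcard matcher."""
    huawei = TimeRange("huawei", "8:00", "18:00", "daily")
    return Acl("traffic-of-link", "config", [
        Rule(1, "deny", "00e0-fc01-0101", "0-0-0", "00e0-fc01-0303", "0-0-0", huawei),
    ])
```

For a constructed Financial Department host 10.110.1.5 reaching 129.110.1.2 at 10:00 on a Monday, decide(payserver_acl(), ...) returns ("deny", 1); at 20:00, or on a Saturday, no rule matches and the model forwards. Running the Office of President host 129.111.1.2 through the same ACL shows why match order matters: under config order the broad deny rule 1 is consulted before the specific permit rule 2, whereas under auto order the more specific permit is tried first. An exception that must win therefore has to be numbered ahead of the broader deny, or the ACL created with match-order auto.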


1.6.4 User-defined ACL Configuration Example

I. Networking requirements

Using a user-defined ACL, filter TCP packets during the time range 8:00 to 18:00 every day.

II. Networking diagram

Figure 1-8 Access control configuration example: Switch#1, connected to a router.

III. Configuration procedure

Note:

In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range

# Define time range from 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define the ACL for TCP packets.

# Enter the view of the named user-defined ACL traffic-of-tcp.

[Quidway] acl name traffic-of-tcp user

# Define the rule for TCP packets.

[Quidway-acl-user-traffic-of-tcp] rule 1 deny 06 ff 35 time-range huawei

3) Activate ACL.

# Activate the ACL traffic-of-tcp.

[Quidway] packet-filter user-group traffic-of-tcp


Chapter 2 QoS configuration

2.1 QoS Overview

In a traditional IP network, all packets are treated equally, with no distinction of priority. Every switch or router handles packets on a First In First Out (FIFO) basis: it makes its best effort to deliver packets to the destination, but makes no commitment or guarantee about transmission reliability, delay or any other performance requirement.

With the rapid development of computer networks, more and more voice, video and important data are transferred in real time, and such traffic is sensitive to bandwidth, delay and jitter. This enriches what the network carries, but network congestion also occurs more frequently, so users require a higher Quality of Service (QoS) for transmission over the network.

Ethernet is the most widely used network technology today. It has become the dominant technology for independent Local Area Networks (LANs), and many Ethernet LANs are now part of the Internet. As Ethernet technology continues to develop, it will also become one of the main ways ordinary users access the Internet. An end-to-end QoS solution for the whole network therefore has to address how Ethernet QoS is guaranteed. Ethernet switching devices must apply Ethernet QoS technology and deliver QoS guarantees at different levels to different types of traffic, especially traffic that requires short delay and low jitter.

2.1.1 Traffic

Traffic refers to all packets passing through a switch.

2.1.2 Traffic Classification

Traffic classification means identifying packets with certain characteristics using a matching rule, called a classification rule, that the administrator sets according to actual requirements. The rule can be very simple: for example, traffic of different priorities can be identified by the ToS field in the IP packet header. Rules can also be complex: for example, information spanning the link layer (Layer 2), network layer (Layer 3) and transport layer (Layer 4), such as MAC address, IP protocol, source IP address, destination IP address and application port number, can be used for traffic classification. Generally the classification criteria are carried in the packet headers; the packet payload is seldom used as a classification criterion.

2.1.3 Packet Filter

Packet filtering filters traffic. For example, the deny operation discards the traffic that matches a traffic classification rule while allowing other traffic to pass. With complex traffic classification rules, Ethernet Switches can filter on the various fields carried in Layer 2 traffic to discard useless, unreliable or suspicious traffic, thereby enhancing network security.

Frame filtering consists of two key steps.

Step 1: Classify the ingress traffic according to the classification rule.

Step 2: Filter the classified traffic, that is, apply the deny operation, which is the default ACL operation.

2.1.4 Traffic Policing

To deliver better service with limited network resources, QoS polices the traffic of a specific user at the ingress so that the assigned resources are used more effectively.

2.1.5 Port traffic limit

The port traffic limit is a port-based limit on the overall rate of packet output on the port.

2.1.6 Redirection

You can specify a new port to forward the packets according to your requirements on the QoS policy.

2.1.7 Traffic Priority

The Ethernet Switch can deliver priority tag service for some special packets. The tags include TOS, DSCP and 802.1p, etc., which can be used and defined in different QoS modules.

2.1.8 Queue Scheduling

When congestion occurs, several packets compete for resources. Three queue scheduling algorithms are used to resolve the contention: Strict-Priority Queue (SP), Weighted Round Robin (WRR) and Delay bounded WRR.

1) SP

Figure 2-1 SP: packets sent via this interface are classified into the high, middle, normal and bottom queues, from which the sending queue dequeues them.

SP is designed for key service applications. A key feature of such services is that they need priority treatment to reduce response delay when congestion occurs. Taking 4 egress queues per port as an example, SP divides the port's queues into up to 4 kinds: high-priority, medium-priority, normal-priority and low-priority queues (Queue 3, 2, 1 and 0 respectively), in order of decreasing priority.

During queue scheduling, SP strictly follows the priority order from high to low: it sends the packets in the higher-priority queue first, and only when that queue is empty does it send the packets in the lower-priority queue. By placing the packets of key services in the higher-priority queue and the packets of lower-priority services, such as e-mail, in the lower-priority queue, the key service packets are guaranteed to be transmitted first, while lower-priority packets are transmitted in the idle gaps between higher-priority packets.

SP has a drawback: when congestion occurs and many packets are waiting in the higher-priority queue, transmitting them takes a long time, and the packets in the lower-priority queue are continually set aside without service.

2) WRR

Round-robin scheduling ensures that every queue gets some service time on the switch port. Taking 4 egress queues per port as an example, WRR gives every queue a weight (w3, w2, w1 and w0 respectively) that determines its share of the resource. For example, you can configure the WRR weights of a 100M port as 50, 30, 10, 10 (corresponding to w3, w2, w1 and w0). The low-priority queue is then guaranteed a minimum bandwidth of 10Mbps, avoiding the SP case in which the packets in the lower-priority queues may get no service for a long time. Another advantage of WRR is that, although it cycles through the queues, service time is assigned to each queue flexibly: when a queue is empty, scheduling moves on to the next queue immediately, making good use of the bandwidth.

3) Delay bounded WRR

Compared with common WRR, Delay bounded WRR additionally guarantees that the packets in the highest-priority queue leave the queue within the configured delay.

2.1.9 Traffic Mirroring

The traffic mirroring function is carried out by copying the specified data packets to the monitoring port for network diagnosis and troubleshooting.

2.1.10 Traffic Counting

With the flow-based traffic counting, you can request a traffic count to count and analyze the packets.

2.2 Configure QoS of S3526 Series Switches

QoS configuration includes:

- Set the Port Priority
- Configure Trust Packet Priority
- Packet filter
- Priority tag
- Queue scheduling
- Traffic mirroring
- Traffic statistics

The S3526 has some restrictions on ACL configuration when implementing QoS functions with traffic classification. The restrictions are listed in the following table.

Table 2-1 ACL configuration restriction for QoS function in S3526

QoS function Implementation Restrictions on ACL configuration

Packet filter

packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Packet filter only supports using the ACL of deny operation. The Layer-2 ACL supports using the rules of MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports using the rules of IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.


Traffic mirroring

mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } interface { interface-name | interface-type interface-num }

Traffic mirroring only supports using the ACL of permit operation. The Layer-2 ACL supports using the rules of MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports using the rules of IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.

Traffic statistic

traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Traffic statistics only supports using the ACL of permit operation. The Layer-2 ACL supports using the rules of MAC-MAC. The Layer-3 ACL supports using the rules of IP-IP, but not traffic statistics of special protocols.

Priority tag

traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } local-precedence pre-value

Priority tag function only supports using the ACL of permit operation. The Layer-2 ACL supports using the rules of MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports using the rules of IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET. For the ACL used in priority tag, if the destination IP addresses or destination MAC addresses for two rules are the same, the new rule will overwrite the previous one.


Note:

1) The Layer-3 ACL includes the advanced ACL.

2) In the description of the rules, MAC stands for a MAC address, PORT for a switch port, IP for a host IP address, ANY for any MAC address in a Layer-2 ACL and any IP address in a Layer-3 ACL, and NET for a segment IP address. The MAC, IP, ANY, NET or PORT before the "-" is the source address or receiving port; the one after it is the destination address or transmitting port. MAC-MAC stands for a Layer-2 ACL rule from source MAC address to destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress 00e0-fc01-0102 1 time-range huawei". PORT-PORT stands for a Layer-2 ACL rule from receiving Ethernet port to transmitting Ethernet port, such as "rule 0 permit ingress interface ethernet0/1 egress interface ethernet 0/2 time-range huawei". MAC-PORT stands for a Layer-2 ACL rule from source MAC address to transmitting Ethernet port, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress interface ethernet 0/1 time-range huawei". IP-IP stands for a Layer-3 ACL rule from source host IP address to destination host IP address (the wildcard parameter can only be 0), such as "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 time-range huawei". NET-NET stands for a Layer-3 ACL rule from source segment IP address to destination segment IP address (the wildcard parameter cannot be 0), such as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei". MAC-ANY stands for a Layer-2 ACL rule from source MAC address to any destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress any time-range huawei"; ANY-MAC, IP-ANY, ANY-IP, NET-ANY and ANY-NET rules are defined likewise.

3) For the MAC-MAC rule, the source and destination MAC addresses must be configured in the same VLAN; that is, specify the same VLAN ID for the source and destination MAC addresses when defining the ACL.

4) For IP-ANY, ANY-IP, NET-ANY and ANY-NET rules, the S3526 does not support packet filtering of specific protocols. When defining these rule types on the S3526 you can only configure the protocol type as IP (the protocol parameter of the rule command can only be ip); otherwise an error is returned when the rule is committed.

5) IP-IP and MAC-MAC rules function in both directions: a rule defined to filter packets from the source address to the destination address also filters packets from the destination address to the source address. IP-ANY, ANY-IP, NET-ANY, ANY-NET, MAC-ANY and ANY-MAC rules function only in the direction the user defined.

6) For the S3526, S3526 FM and S3526 FS switches, the icmp-type parameter is supported only when an advanced ACL is defined, and the ICMP packet type and code (the type and code parameters of the rule command) cannot be configured; otherwise the system prompts that the configuration is not available.

7) The restrictions listed for each QoS function describe the ACL rules available when configuring that function. Other ACL rules cannot be used to implement the function on the S3526; the system returns an error if they are.

8) Define the ACL rules to be used before implementing a QoS function.


Before configuring the QoS tasks, you have to define the corresponding ACL. The packet filter function is realized by activating the ACL.

2.2.1 Set the Port Priority

You can use the following command to set the port priority. The switch will replace the 802.1p priority carried by a packet with the port priority by default.

Perform the following configuration in Ethernet port view.

Table 2-2 Set the port priority

Operation Command

Set the port priority

priority priority-level

Restore the default port priority

undo priority

The Ethernet Switch port supports 8 priority levels. You can configure the port priority as required.

priority-level ranges from 0 to 7.

By default, the port priority is 0 and switch replaces the priority carried by a packet with the port priority.

2.2.2 Configure Trust Packet Priority

By default the system replaces the 802.1p priority carried by a packet with the port priority. You can configure the system to trust the packet's 802.1p priority instead, so that the 802.1p priorities carried by packets are not replaced with the port priority.

Perform the following configuration in Ethernet port view.

Table 2-3 Configure Port Priority Replacement

Operation Command

Configure trust packet 802.1p priority

priority trust

Configure not trust packet 802.1p priority

undo priority

Before trust of the packet 802.1p priority is configured, the switch puts packets into queues according to the priority of the receiving port. After it is configured, the switch trusts the packet's 802.1p priority and puts the packet into the corresponding queue when forwarding it.

By default, the system replaces the 802.1p priority carried by a packet with the port priority.


2.2.3 Configure Priority Marking

The priority marking configuration is a policy to tag the priority for the packets matching the ACL. The new priority can be filled in the priority field of the packet header.

You can use the following command to configure the priority marking.

Perform the following configuration in system view.

Table 2-4 Tag packet priority

Operation Command

Mark the packet priority

traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } local-precedence pre-value

Cancel the packet priority marking

undo traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For details about the command, refer to the Command Manual.

2.2.4 Configure Queue Scheduling

Queue scheduling is commonly used to resolve the contention of multiple messages for resources when network congestion happens. The queue scheduling function puts a packet into an output queue of the port according to the packet's 802.1p priority. The relationship between priorities and queues is as follows.

Table 2-5 The default “COS ->Local-precedence” map

COS value -> Local precedence
0 -> 2
1 -> 0
2 -> 1
3 -> 3
4 -> 4
5 -> 5
6 -> 6
7 -> 7

Table 2-6 Relationship between 802.1p priority and output queue

802.1p priority -> Queue ID
1, 2 -> 0
0, 3 -> 1
4, 5 -> 2
6, 7 -> 3


Table 2-7 Relationship between Local-precedence and output queue

Local-precedence -> Queue ID
0, 1 -> 0
2, 3 -> 1
4, 5 -> 2
6, 7 -> 3

I. Configure the Mapping Relationship between COS and Local Precedence

By default, the system provides the default “COS ->Local-precedence” mapping relationship.

Table 2-8 The default “COS ->Local-precedence” map

COS value -> Local precedence
0 -> 2
1 -> 0
2 -> 1
3 -> 3
4 -> 4
5 -> 5
6 -> 6
7 -> 7

Using the following commands, you can configure the maps.

Perform the following configuration in system view.

Table 2-9 Map configuration

Operation Command

Configure “COS ->Local-precedence” map

qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec

Restore its default value

undo qos cos-local-precedence-map

By default, the switch uses the default mapping relationship.

II. Configure the Queue Scheduler

You can use the following command to configure the queue scheduler.

Perform the following configuration in Ethernet port view.


Table 2-10 Configure the queue scheduling algorithm

Operation Command

Configure the queue scheduling algorithm

queue-scheduler { strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight }

Restore the default queue scheduling algorithm

undo queue-scheduler

Ethernet Switch supports strict-priority and WRR queue schedulers.

By default, the switch uses the strict-priority algorithm.

For details about the command, refer to the Command Manual.
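To make the pipeline of 2.2.1, 2.2.2 and 2.2.4 concrete, the following Python model carries a packet's 802.1p value through the port-priority/trust decision, the default COS -> Local-precedence map of Table 2-8 and the Local-precedence -> queue map of Table 2-7, then drains the four egress queues of a port with the SP and WRR schedulers described in 2.1.8, using the 50/30/10/10 weights from that section. It is an added illustration, not code from the manual or the switch. The map values and the default of not trusting the packet priority are taken from the page; treating each transmission slot as one equal-size packet, and modelling WRR as a per-round credit of weight packets per queue, are assumptions of the model. The packet names and the backlog are constructed.

```python
"""QoS model for the sections above: port priority and trust, the COS -> local precedence
-> queue maps, and the SP and WRR egress schedulers. Constructed example, not switch code."""
from collections import deque

# Table 2-5 / Table 2-8: default "COS -> Local-precedence" map
COS_TO_LOCAL_PREC = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# 2.1.8: WRR weights of the 100M-port example, keyed by queue id (w3, w2, w1, w0)
WRR_WEIGHTS = {3: 50, 2: 30, 1: 10, 0: 10}


def local_prec_to_queue(local_prec: int) -> int:
    """Table 2-7: local precedence 0,1 -> queue 0; 2,3 -> 1; 4,5 -> 2; 6,7 -> 3."""
    return local_prec // 2


def effective_cos(packet_cos: int, port_priority: int = 0, trust: bool = False) -> int:
    """2.2.1 / 2.2.2: unless the port trusts the packet's 802.1p value, the port
    priority (default 0) replaces it before any mapping happens."""
    return packet_cos if trust else port_priority


def queue_for_cos(cos: int) -> int:
    """Compose the two maps; the result is Table 2-6 (1,2 -> 0; 0,3 -> 1; 4,5 -> 2; 6,7 -> 3)."""
    return local_prec_to_queue(COS_TO_LOCAL_PREC[cos])


def enqueue(packets, port_priority: int = 0, trust: bool = False) -> dict:
    """Place (name, cos) packets into the four egress queues of one port."""
    queues = {q: deque() for q in range(4)}
    for name, cos in packets:
        queues[queue_for_cos(effective_cos(cos, port_priority, trust))].append(name)
    return queues


def schedule(queues: dict, mode: str, weights: dict = None, slots: int = 100) -> dict:
    """Dequeue up to `slots` packets (one equal-size packet per slot, a modelling
    assumption) and return how many each queue sent.
    "strict-priority": always serve the highest-numbered non-empty queue (2.1.8 SP).
    "wrr": per round, queue q may send up to weights[q] packets; an empty queue is
    skipped immediately so its share is reused by the others (2.1.8 WRR)."""
    sent = {q: 0 for q in queues}
    order = sorted(queues, reverse=True)          # queue 3 is served first
    remaining = slots
    if mode == "strict-priority":
        while remaining and any(queues.values()):
            q = next(q for q in order if queues[q])
            queues[q].popleft()
            sent[q] += 1
            remaining -= 1
        return sent
    if mode != "wrr" or weights is None:
        raise ValueError("mode must be 'strict-priority' or 'wrr' with weights")
    while remaining and any(queues.values()):
        for q in order:
            credit = weights[q]
            while credit and remaining and queues[q]:
                queues[q].popleft()
                sent[q] += 1
                credit -= 1
                remaining -= 1
    return sent


def saturated(per_queue: int = 200, empty=()) -> dict:
    """Constructed congestion backlog: `per_queue` packets in every queue not listed in `empty`."""
    return {q: deque() if q in empty else deque(f"q{q}-{i}" for i in range(per_queue))
            for q in range(4)}


def compare(slots: int = 100):
    """Drain the same congested backlog with both schedulers; returns (sp_counts, wrr_counts)."""
    sp = schedule(saturated(), "strict-priority", slots=slots)
    wrr = schedule(saturated(), "wrr", WRR_WEIGHTS, slots)
    return sp, wrr


if __name__ == "__main__":
    print(enqueue([("voip", 6), ("mail", 1)], trust=True))
    print(compare())
```

The composed maps reproduce Table 2-6. With the default port priority 0 and trust disabled, every packet lands in queue 1 regardless of its tag, so priority trust (or an explicit priority marking) has to be configured before queue scheduling can separate traffic classes at all. Over a congested backlog, strict-priority gives all 100 slots to queue 3 and starves the rest, while WRR with weights 50/30/10/10 gives the low queue its 10 slots; when queue 2 is empty its 30 slots go to the next round instead of being wasted.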

2.2.5 Configure Traffic Mirroring

Traffic mirroring copies the traffic matching an ACL rule to the designated observing port so that the packets can be analyzed and monitored.

You can use the following command to configure the traffic mirroring.

Perform the following configuration in system view.

Table 2-11 Configure traffic mirroring

Operation Command

Configure traffic mirroring

mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } interface { interface-name | interface-type interface-num }

Cancel the configuration of traffic mirroring

undo mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For details about the command, refer to the Command Manual.

2.2.6 Configure Traffic Statistics

The traffic statistics function is used for counting the data packets of the specified traffic, that is, this function counts the transmitted data which matches the ACL rules. After the traffic statistics function is configured, the user can use display qos-global traffic-statistic command to display the statistics information.

You can use the following command to configure traffic statistics.

Perform the following configuration in system view.

Table 2-12 Configure traffic statistics

Operation Command

Configure traffic statistics

traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Cancel the configuration of traffic statistics

undo traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Display the statistics information

display qos-global traffic-statistic

For details about the command, refer to the Command Manual.

2.2.7 Display and Debug QoS

After the above configuration, execute the display command in any view to display the running state of the QoS configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the QoS module.

Table 2-13 Display and Debug QoS

Operation Command

Display the parameter settings of all the QoS actions

display qos-global all

Display the mapping relationship between CoS and local precedence

display qos cos-local-precedence-map

Display the parameter settings of traffic mirroring

display qos-global mirrored-to

Display the queue scheduling mode and parameters

display qos-interface [ interface-name | interface-type interface-num ] queue-scheduler

Display the settings of priority tag

display qos-global traffic-priority

Display the information about the traffic

display qos-global traffic-statistic

Clear the statistics information

reset traffic-statistic { all | ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For output and description of the related commands, refer to the Command Manual.

2.3 Configure QoS of S3526E and S3526C

QoS configuration includes:

Set the port priority
Configure trust packet priority
Packet filter
Traffic policing
Redirection configuration
Priority tag
Queue scheduling
Traffic mirroring
Traffic statistics

Before configuring the above QoS tasks, you have to define the corresponding ACL. The packet filter function can be realized by activating the ACL.


2.3.1 Set the Port Priority

You can use the following command to set the port priority. If a received packet has no VLAN tag, the switch tags it with the VLAN that the receiving port belongs to and uses the port priority as the 802.1p priority of the packet when tagging it. If the packet already has a VLAN tag, the switch does not re-tag it.

Perform the following configuration in Ethernet port view.

Table 2-14 Set the port priority

Operation Command

Set the port priority

priority priority-level

Restore the default port priority

undo priority

The port of Ethernet Switch supports 8 priority levels. You can configure the port priority according to your requirements.

priority-level ranges from 0 to 7.

By default, the port priority is 0 and the switch replaces the priority carried by a packet with the port priority.

2.3.2 Configure Trust Packet Priority

If a received packet has no VLAN tag, the switch tags it with the VLAN that the receiving port belongs to and uses the port priority as the 802.1p priority when tagging it. If the packet already has a VLAN tag, the switch does not re-tag it. You can configure the system to trust the 802.1p priority carried by the packet, so that it is not replaced with the port priority.

Perform the following configuration in Ethernet port view.

Table 2-15 Configure Port Priority Replacement

Operation Command

Configure trust packet 802.1p priority

priority trust

Configure not to trust the packet 802.1p priority

undo priority

2.3.3 Traffic Policing

Traffic policing is a flow-based traffic limit. It takes corresponding actions on flows that exceed the specified rate, such as discarding the packets or lowering their priority.

You can use the following command to configure the traffic policing.


Perform the following configuration in Ethernet port view.

Table 2-16 Configure traffic limit

Operation Command

Configure the flow-based traffic limit

traffic-limit inbound { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } target-rate [ exceed action ]

Cancel the configuration of the flow-based traffic limit

undo traffic-limit inbound { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

You have to define the corresponding ACL before performing this configuration task.

The purpose of this configuration task is to implement the traffic policing over the data flow matching the ACL. The traffic beyond the limit will be dealt with in some other way, such as discarding.

For details about the command, refer to the Command Manual.

2.3.4 Port Traffic limit

The port traffic limit is the port-based line rate used for limiting the general speed of packet output on the port.

You can use the following command to configure port traffic limit.

Perform the following configuration in Ethernet port view.

Table 2-17 Configure port traffic limit

Operation Command

Configure the port traffic limit

line-rate target-rate

Cancel the port traffic limit configuration

undo line-rate

Ethernet Switch supports configuring a traffic limit for a single port.

For details about the command, refer to the Command Manual.

2.3.5 Configure Packet Redirection

Packet redirection redirects the packets to be forwarded to the CPU or to another output port.

You can use the following command to configure the packet redirection.

Perform the following configuration in system view.


Table 2-18 Configure redirection

Operation Command

Configure redirection traffic-redirect { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } { cpu | { interface interface-name | interface-type interface-num } }

Cancel the redirection configuration

undo traffic-redirect { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Note that the packets redirected to the CPU will not be forwarded further.

Note:

The redirection configuration only takes effect on rules whose action is permit.

For details about the command, refer to the Command Manual.

2.3.6 Configure Priority Marking

The priority marking configuration is a policy to tag the priority for the packets matching the ACL. The new priority can be filled in the priority field of the packet header.

You can use the following command to configure the priority marking.

Perform the following configuration in system view.

Table 2-19 Tag packet priority

Operation Command

Mark the packet priority traffic-priority { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }*

Cancel the packet priority marking

undo traffic-priority { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Ethernet Switch supports tagging the packets with IP precedence (specified by ip-precedence in the traffic-priority command), DSCP (specified by dscp in the traffic-priority command) or 802.1p preference (specified by cos in the traffic-priority command). You can tag the packets with different priorities according to your QoS policy. The switch puts the packets into the corresponding egress queues according to the 802.1p preference or the local preference (specified by local-precedence in the traffic-priority command). If both the 802.1p preference and the local preference have been specified in the traffic-priority command, the switch puts the packets into the corresponding queues according to the 802.1p preference first.

For details about the command, refer to the Command Manual.

2.3.7 Configure Queue Scheduling

Queue scheduling is commonly used to resolve the problem of multiple packets competing for resources when network congestion occurs. The queue scheduling function puts a packet into an output queue of the port according to the 802.1p priority of the packet. The mapping relationship between 802.1p priority and output queue of the port is shown in the following tables.

Table 2-20 Default “CoS → Local-precedence” mapping table

CoS Value    Local Precedence
0            2
1            0
2            1
3            3
4            4
5            5
6            6
7            7

Table 2-21 Relationship between 802.1p priority and output queue

802.1p priority    Queue ID
1, 2               0
0, 3               1
4, 5               2
6, 7               3

Table 2-22 Relationship between Local-precedence and output queue

Local-precedence    Queue ID
0, 1                0
2, 3                1
4, 5                2
6, 7                3

I. Configure the Mapping Relationship between COS and Local Precedence

By default, the system provides the default “COS ->Local-precedence” mapping relationship.


Table 2-23 Default “CoS → Local-precedence” mapping table

CoS Value    Local Precedence
0            2
1            0
2            1
3            3
4            4
5            5
6            6
7            7

Using the following commands, you can configure the maps.

Perform the following configuration in system view.

Table 2-24 Map configuration

Operation Command

Configure “COS ->Local-precedence” map

qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec

Restore its default value

undo qos cos-local-precedence-map

By default, the switch uses the default mapping relationship.

II. Configure the Queue Scheduler

You can use the following command to configure the queue scheduler.

Perform the following configuration in system view.

Table 2-25 Configure the queue scheduling algorithm

Operation Command

Configure the queue scheduling algorithm

queue-scheduler { strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight | wrr-max-delay queue1-weight queue2-weight queue3-weight queue4-weight maxdelay }

Restore the default queue scheduling algorithm

undo queue-scheduler

Ethernet Switch supports three kinds of queue schedulers: strict-priority, WRR, and delay-bounded WRR.

By default, the switch uses the strict-priority algorithm.

For details about the command, refer to the Command Manual.
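The ingress priority path of 2.3.1 and 2.3.2 and the strict-priority and WRR schedulers of 2.3.7 can be modelled to see their operational effect. The following Python is an added example, not code from the manual: the CoS-to-local-precedence and local-precedence-to-queue values are the manual's defaults (Tables 2-20 to 2-22), while the per-round meaning of the WRR weights, the four-queue model, the transmit budget and the sample frames are assumptions. It shows why enabling priority trust together with strict-priority scheduling lets a host that tags its own frames CoS 7 starve the lower queues, while WRR keeps every queue moving.

```python
"""Model of the S3526E/S3526C ingress priority path (2.3.1, 2.3.2) and the
strict-priority / WRR queue schedulers (2.3.7).  Added example, not code from
the manual.  Default maps are from Tables 2-20 to 2-22; the WRR round
semantics and the sample frames are assumptions."""
from collections import deque
from typing import Deque, List, Optional, Sequence

# Table 2-20 / 2-23: default CoS -> local-precedence map.
DEFAULT_COS_TO_LOCAL_PREC = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def local_prec_to_queue(local_prec: int) -> int:
    """Table 2-22: local-precedence 0,1 -> queue 0; 2,3 -> 1; 4,5 -> 2; 6,7 -> 3."""
    if not 0 <= local_prec <= 7:
        raise ValueError("local-precedence must be 0..7")
    return local_prec // 2


def cos_to_queue(cos: int, cos_map=DEFAULT_COS_TO_LOCAL_PREC) -> int:
    """802.1p priority -> output queue through the CoS map; reproduces Table 2-21."""
    return local_prec_to_queue(cos_map[cos])


class Frame:
    """A received Ethernet frame; vlan_tag_cos is None for an untagged frame."""

    def __init__(self, payload: str, vlan_tag_cos: Optional[int] = None):
        self.payload = payload
        self.vlan_tag_cos = vlan_tag_cos


def ingress_cos(frame: Frame, port_priority: int, trust: bool) -> int:
    """802.1p value the switch works with after ingress (2.3.1 / 2.3.2).

    An untagged frame is tagged with the port priority.  A tagged frame keeps
    its own priority only when 'priority trust' is configured; by default the
    carried priority is replaced by the port priority."""
    if frame.vlan_tag_cos is None or not trust:
        return port_priority
    return frame.vlan_tag_cos


def enqueue(frames: Sequence[Frame], port_priority: int, trust: bool) -> List[Deque[str]]:
    """Place frames into the four output queues of one port."""
    queues: List[Deque[str]] = [deque() for _ in range(4)]
    for f in frames:
        queues[cos_to_queue(ingress_cos(f, port_priority, trust))].append(f.payload)
    return queues


def strict_priority_schedule(queues: List[Deque[str]], budget: int) -> List[str]:
    """Strict priority: each slot serves the highest-numbered non-empty queue."""
    sent: List[str] = []
    while len(sent) < budget:
        for q in reversed(queues):
            if q:
                sent.append(q.popleft())
                break
        else:
            break  # every queue is empty
    return sent


def wrr_schedule(queues: List[Deque[str]], weights: Sequence[int], budget: int) -> List[str]:
    """Weighted round robin: in each round queue i may send up to weights[i]
    frames (this per-round reading of the weights is an assumption)."""
    sent: List[str] = []
    while len(sent) < budget and any(queues):
        for q, w in zip(queues, weights):
            for _ in range(w):
                if not q or len(sent) >= budget:
                    break
                sent.append(q.popleft())
    return sent


# Constructed sample traffic: an ordinary host sends frames tagged CoS 1, then
# another host floods frames that it has tagged CoS 7 itself.
NORMAL = [Frame("app-%d" % i, vlan_tag_cos=1) for i in range(3)]
FLOOD = [Frame("flood-%d" % i, vlan_tag_cos=7) for i in range(5)]


def run(trust: bool, scheduler: str, budget: int = 6) -> List[str]:
    """Transmit order of the first `budget` frames for one port configuration."""
    queues = enqueue(NORMAL + FLOOD, port_priority=0, trust=trust)
    if scheduler == "strict-priority":
        return strict_priority_schedule(queues, budget)
    if scheduler == "wrr":
        return wrr_schedule(queues, (1, 2, 3, 4), budget)
    raise ValueError("unknown scheduler: %s" % scheduler)


if __name__ == "__main__":
    for trust in (True, False):
        for sched in ("strict-priority", "wrr"):
            print("trust=%-5s %-15s %s" % (trust, sched, run(trust, sched)))
```

With trust disabled (the default) every frame is requeued with the port priority and the flood no longer jumps ahead of the application traffic.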


2.3.8 Configure Traffic Mirroring

The function of Traffic mirroring is to copy the traffic matching ACL rule to the designated observing port to analyze and monitor the packets.

You can use the following command to configure the traffic mirroring.

Perform the following configuration in system view.

Table 2-26 Configure traffic mirroring

Operation Command

Configure traffic mirroring

mirrored-to { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } interface { interface-name | interface-type interface-num }

Cancel the configuration of traffic mirroring

undo mirrored-to { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

For details about the command, refer to the Command Manual.

2.3.9 Configure Traffic Statistics

The traffic statistics function counts the data packets of the specified traffic, that is, the transmitted data that matches the ACL rules. After the traffic statistics function is configured, the user can use the display qos-global traffic-statistic command to display the statistics.

You can use the following command to configure traffic statistics.

Perform the following configuration in system view.

Table 2-27 Configure traffic statistics

Operation Command

Configure traffic statistics

traffic-statistic { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Cancel the configuration of traffic statistics

undo traffic-statistic { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Display the statistics information

display qos-global traffic-statistic

For details about the command, refer to the Command Manual.


2.3.10 Display and Debug QoS

After the above configuration, execute the display command in any view to display the running state of the QoS configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the QoS module.

Table 2-28 Display and Debug QoS

Operation Command

Display the parameter settings of all the QoS actions

display qos-global all

Display the mapping relationship between CoS and local precedence

display qos cos-local-precedence-map

Display the parameter settings of traffic mirroring

display qos-global mirrored-to

Display the parameter settings of port mirroring

display mirror

Display the queue scheduling mode and parameters

display queue-scheduler

Display the settings of QoS

display qos-interface [ interface-name | interface-type interface-num ] all

Display the parameter settings of traffic limit

display qos-interface [ interface-name | interface-type interface-num ] traffic-limit

Display the port traffic limit

display qos-interface [ interface-name | interface-type interface-num ] line-rate

Display the settings of priority tag

display qos-global traffic-priority

Display the settings of redirection

display qos-global traffic-redirect

Display the information about the traffic

display qos-global traffic-statistic

Clear the statistics information

reset traffic-statistic { all | user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

For output and description of the related commands, refer to the Command Manual.

2.4 QoS Configuration for S3552 Series Ethernet Switches

QoS configuration tasks include:

Configure packet filter
Configure service group allocation rule
Configure priority remark
Configure traffic policing
Configure traffic shaping
Configure redirection
Configure queue scheduling
Configure traffic mirror
Configure port mirror
Configure traffic statistic

Before you perform the QoS configuration tasks listed above, you should define ACLs. You can use packet filter simply by activating the ACL for it, which is beyond the scope of this chapter.


Table 2-29 Nouns of S3552 series QoS

Noun Description

CoS

CoS and 802.1p priority have the same meaning, that is, the priority in the header of an Ethernet packet. Its value ranges from 0 to 7.

Service Group

A group of parameters allocated to a packet when it is received by the switch. These parameters are used when the switch implements QoS functions. They include 802.1p priority, DSCP priority, local priority, and drop-precedence.

Drop-precedence

Drop level, also known as drop-precedence, is one parameter of the service group. Its value can be 0, 1, or 2. The switch allocates a drop level to a packet when receiving it, and can change the level while processing the packet. Allocating a drop level to a packet is also called coloring the packet: a packet with drop level 2 is red, with drop level 1 is yellow, and with drop level 0 is green. This parameter is mainly used when congestion is present and the switch has to drop packets.

Conform-Level

Conform-level is the result of combining the following user configurations when the switch performs traffic control: committed average rate, committed burst size, maximum burst size, peak rate, and the actual traffic at the port. This parameter is only valid when you police the traffic using the traffic-limit command; its value is then 0, 1, or 2, obtained by calculation. When you use the traffic-priority command to mark the priority, this parameter is also used in the “DSCP + Conform-Level -> Service Group” table to reallocate service parameters for the packets; in that table the value of Conform-Level is 0.

2.4.2 Configure Service Group Allocation Rule

QoS that applies on the switches is set up on the basis of service group. Each service group includes a set of QoS related parameters including 802.1p precedence (CoS precedence), DSCP precedence, local precedence (which is assigned to packets and has local significance), and drop precedence.

Upon the receipt of a packet, the switch automatically allocates a set of service groups to the packet based on a particular rule. First, the switch looks up the CoS to drop-precedence and CoS to local-precedence maps for drop-precedence and local-precedence of the packet based on its 802.1p precedence. Default settings of these maps are available for you, yet you are allowed to configure them as needed. If no local-precedence is available for the packet, the switch takes the default local-precedence assigned to the packet receiving port as the local-precedence of the packet.

I. Configure maps

You may configure maps by using the commands listed in the following table.

Perform the following configuration in system view.


Table 2-30 Configure maps

Operation Command

Configure CoS to drop-precedence map.

qos cos-drop-precedence-map CoS0-map-drop-prec CoS1-map-drop-prec CoS2-map-drop-prec CoS3-map-drop-prec CoS4-map-drop-prec CoS5-map-drop-prec CoS6-map-drop-prec CoS7-map-drop-prec

Restore the default CoS to drop-precedence map setting.

undo qos cos-drop-precedence-map

Configure CoS to local-precedence map.

qos cos-local-precedence-map CoS0-map-local-prec CoS1-map-local-prec CoS2-map-local-prec CoS3-map-local-prec CoS4-map-local-prec CoS5-map-local-prec CoS6-map-local-prec CoS7-map-local-prec

Restore the default CoS to local-precedence map setting.

undo qos cos-local-precedence-map

By default, the switches assign drop-precedence and local-precedence to received packets using the default map settings of the system.

II. Assign a default local-precedence value to a port

Perform the following configuration in Ethernet interface view.

Table 2-31 Assign a default local-precedence value to the port

Operation Command

Assign a default local-precedence value to the port.

priority priority-level

Restore the local-precedence value of the port to its default setting.

undo priority

2.4.3 Configure Traffic Policing

Traffic policing implements the traffic-based rate restraint. It monitors the rate of a type of traffic and takes the action appropriate to it if the traffic size exceeds the specified limitation, for example, dropping the packets beyond the specified limitation or assigning new precedence values to them.

Traffic policing actions include re-assigning the service group based on the DSCP + conform-level to service map and re-assigning the traffic's 802.1p precedence based on the local-precedence + conform-level to CoS map. You may configure these two maps as needed.

I. Configure maps

You may configure DSCP + conform-level to service and local-precedence + conform-level to CoS maps using commands listed in the following table.

Perform the following configuration in system view.

Table 2-32 Configure maps

Operation Command

Access conform-level view from system view.

qos conform-level conform-level-value

Configure DSCP + conform-level to service map in conform-level view.

dscp dscp-list : dscp-value CoS-value local-precedence-value drop-precedence

Restore the default DSCP + conform-level to service map setting in conform-level view.

undo dscp [ dscp-list ]

Configure TC + conform-level to CoS map in conform-level view.

local-precedence CoS-value0 CoS-value1 CoS-value2 CoS-value3 CoS-value4 CoS-value5 CoS-value6 CoS-value7

Restore the default TC + conform-level to CoS map setting in conform-level view.

undo local-precedence

By default, the system provides default map settings.

II. Configure traffic policing

You may configure traffic policing using the command described in the following table.

Perform the following configuration in Ethernet interface view.

Table 2-33 Configure traffic policing

Operation Command

Configure traffic-based traffic policing.

traffic-limit inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

Disable traffic-based traffic policing.

undo traffic-limit inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

Before you can configure traffic-based traffic policing, you should configure the ACLs for this purpose in addition to the DSCP + conform-level to service and local-precedence + conform-level to CoS maps.

When setting the parameters of traffic policing, the following rule is recommended: cir < pir, cbs = ebs = (cir/8) * (1~1.5). For example, if cir is set to 1000 Kbps, cbs = ebs = (1000/8) * (1~1.5) = (125~180) Kbytes = (125000~180000) bytes. Note that the unit of the cbs and ebs parameters is byte.

This configuration task is intended for policing the traffic filtered in by the adopted ACL, i.e., taking actions appropriate to the traffic within and beyond the specified limitation, dropping packets for example.


Note:

If you choose untrusted mode for a specific traffic in traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. If you choose traffic-limit and traffic-statistic, however, then the untrusted mode is invalid.

For more information about these commands, see Command Manual.
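A worked model of the traffic-limit parameters of this section: cir, cbs, ebs, the optional pir, the resulting conform-level (0 green, 1 yellow, 2 red) and the exceed action, together with the burst-size rule of thumb quoted above. This Python is an added example, not code from the manual: the manual does not state the marker algorithm, so the two-bucket (committed/excess) token-bucket marker, the refill rule for the excess bucket and the sample packet trace are assumptions.

```python
"""Token-bucket model of the S3552 traffic-limit parameters (2.4.3): cir, cbs,
ebs, optional pir, conform-level (0 green, 1 yellow, 2 red) and the exceed
action.  Added example, not code from the manual; the two-bucket marker and
its refill rule are assumptions, since the manual does not give the algorithm."""
from typing import Dict, List, Optional, Tuple

GREEN, YELLOW, RED = 0, 1, 2  # conform-level / drop-precedence colours (Table 2-29)


def recommended_burst(cir_kbps: float, factor: float = 1.0) -> int:
    """Manual's rule of thumb cbs = ebs = (cir/8) * (1~1.5), with cir in kbit/s
    and the result in bytes (1000 kbps -> 125000 bytes at factor 1.0)."""
    if not 1.0 <= factor <= 1.5:
        raise ValueError("factor must lie between 1 and 1.5")
    return int(cir_kbps * 1000 / 8 * factor)


class Policer:
    """Per-ACL policer: a committed bucket (cir, cbs) and an excess bucket
    (pir or cir, ebs).  Packets that fit the committed bucket are green,
    those that only fit the excess bucket are yellow, the rest are red."""

    def __init__(self, cir_kbps: float, cbs: int, ebs: int,
                 pir_kbps: Optional[float] = None, exceed: str = "drop"):
        if pir_kbps is not None and not cir_kbps < pir_kbps:
            raise ValueError("manual recommends cir < pir")
        if exceed not in ("forward", "drop"):
            raise ValueError("exceed must be 'forward' or 'drop'")
        self.cir_bps = cir_kbps * 1000 / 8  # bytes per second
        self.pir_bps = (pir_kbps if pir_kbps is not None else cir_kbps) * 1000 / 8
        self.cbs, self.ebs, self.exceed = cbs, ebs, exceed
        self.c_tokens, self.e_tokens = float(cbs), float(ebs)  # buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = now
        self.c_tokens = min(self.cbs, self.c_tokens + self.cir_bps * dt)
        self.e_tokens = min(self.ebs, self.e_tokens + self.pir_bps * dt)

    def mark(self, now: float, size: int) -> int:
        """Return the conform-level of one packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if size <= self.c_tokens:
            self.c_tokens -= size
            return GREEN
        if size <= self.e_tokens:
            self.e_tokens -= size
            return YELLOW
        return RED

    def action(self, level: int) -> str:
        """Green and yellow traffic is forwarded (possibly remarked); red traffic
        gets the configured exceed action."""
        return "forward" if level != RED else self.exceed


def police(policer: Policer, trace: List[Tuple[float, int]]) -> List[Tuple[int, str]]:
    """Run a (timestamp_seconds, size_bytes) trace through the policer."""
    out = []
    for now, size in trace:
        level = policer.mark(now, size)
        out.append((level, policer.action(level)))
    return out


def summarize(results: List[Tuple[int, str]]) -> Dict:
    counts: Dict = {GREEN: 0, YELLOW: 0, RED: 0, "dropped": 0}
    for level, act in results:
        counts[level] += 1
        if act == "drop":
            counts["dropped"] += 1
    return counts


# Constructed trace: 20 packets of 1000 bytes arrive as one burst at t=0,
# then one more packet a second later, after the committed bucket has refilled.
BURST_TRACE = [(0.0, 1000)] * 20 + [(1.0, 1000)]


def demo() -> Dict:
    """cir 64 kbps -> 8000 bytes/s; cbs = ebs = 8000 bytes by the rule of thumb."""
    cbs = recommended_burst(64)
    p = Policer(cir_kbps=64, cbs=cbs, ebs=cbs, pir_kbps=128, exceed="drop")
    return summarize(police(p, BURST_TRACE))


if __name__ == "__main__":
    print(demo())
```

The burst fills the committed bucket with 8 green packets and the excess bucket with 8 yellow ones; the remaining 4 are red and hit the exceed action, and the packet one second later is green again because the committed bucket has refilled.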

2.4.4 Configure Traffic Shaping

Traffic shaping controls the packet output rate so that packets are sent at an even average rate. Normally, it is used to adapt to the packet receiving rate of downstream devices and avoid unnecessary packet drops and congestion. Traffic shaping differs from traffic policing in that the former allows packet transmission at an average rate by buffering the packets beyond the specified rate limit, whereas the latter limits the traffic by dropping them. Because of the different approaches, traffic shaping may cause extra latency while traffic policing does not.

You may configure traffic shaping using the command in the following table.

Perform the following configuration in Ethernet interface view.

Table 2-34 Configure traffic shaping

Operation Command

Configure traffic shaping.

traffic-shape [ queue queue-id ] max-rate burst-size [ queue-depth ]

Disable traffic shaping.

undo traffic-shape [ queue queue-id ]

The switch supports traffic shaping not only on all the traffic but also on the specified output queues at the port. You can implement those two kinds of traffic shaping by selecting different parameters. If queue queue-id in the traffic-shape command is not specified, you can perform traffic shaping on all the traffic at the port. Otherwise, you can perform traffic shaping on the specified output queue.

It is recommended to configure traffic shaping on all the traffic at the port.


Note:

Comply with the following rule when you perform traffic shaping on a queue: the depth of a single queue must be smaller than that of the port. By default, the queue depth of a port is 256, and the depth of a single queue should be smaller than 128. The default value is recommended.

For more information about the traffic-shape command, see Command Manual.

2.4.5 Configure Priority Remark

Priority remark is configured on a switch for the purpose of assigning a set of new service group for the packets filtered in by the adopted ACL. There are four modes of priority remark.

You may set a priority remark to:

1) allow the system to automatically allocate a service group to the received packets;

2) look up the maps based on the DSCP value carried by these packets to allocate a new service group for them;

3) look up the maps based on the DSCP value assigned by you to allocate a new service group for the packets;

4) manually assign a new service group for these packets.

You may use the command in the following table to configure priority remark.

Perform the following configuration in Ethernet interface view.

Table 2-35 Remark packet priority

Operation Command

Remark packet priority.

traffic-priority inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

Disable packet priority remarking.

undo traffic-priority inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

Before you can configure packet priority remark, you should define ACLs for this purpose and a DSCP + conform-level to service map. In the DSCP + conform-level to service map used by the packet priority remark function, the conform-level equals 0.


Note:

If you choose untrusted mode for a specific traffic in traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. If you choose traffic-limit and traffic-statistic, however, then the untrusted mode is invalid.

For more information about the command and its negative form described in this section, refer to Command Manual.

2.4.6 Configure Traffic Redirection

Traffic redirection is configured to forward a received packet to CPU, some other port, IP address, or network segment other than the one to which the packet is originally to be forwarded.

You may use the traffic-redirect command described in the following table to configure traffic redirection.

Perform the following configuration in Ethernet interface view.

Table 2-36 Configure traffic redirection

Operation Command

Configure traffic redirection.

traffic-redirect inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } { cpu | interface { interface-name | interface-type interface-num } | next-hop ip-addr1 ip-addr2 }

Disable traffic redirection.

undo traffic-redirect { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

You should note that the packets redirected to CPU cannot be forwarded any longer.

Note:

The redirection configuration is valid only when the action taken by the ACL is permit. You can use the next-hop ip-addr1 ip-addr2 parameter to realize the policy routing function.

For more information about the traffic-redirect command, see Command Manual.


2.4.7 Configure Queue Scheduling

Each port on the switch supports eight output queues. The system puts packets into the output queues of a port based on the local-precedence of the packets. To prevent resource contention between packets at the time of network congestion, a queue scheduling mechanism is adopted. So far, the Strict Priority (SP) and Weighted Round Robin (WRR) scheduling algorithms are supported.

Different queue scheduling algorithms may apply on different queues at each port. Three queue scheduling approaches are supported:

1) Apply SP scheduling on all the queues.

2) Apply WRR scheduling on all the queues. In this approach, output queues are assigned into WRR group 1 and WRR group 2. When scheduling queues, the system first polls the queues in WRR group 1 and then the queues in group 2 if there is no packet waiting for transmission in the queues in group 1. In the WRR scheduling approach, all the queues are assigned into WRR group 1 by default.

3) Combine SP and WRR by applying them on different queues at the same time. At the time of queue scheduling, strict scheduling is applied on the queues inside the SP scheduling group while polling is applied inside the WRR scheduling group. Thus, the system picks out queues respectively from the SP scheduling group, WRR group 1, and WRR group 2 and then schedules them using the SP approach.

You may configure queue scheduling using the queue-scheduler command and its negative form described in the following table.

Perform the following configuration in Ethernet interface view.

Table 2-37 Configure queue scheduling algorithm

Operation Command

Configure queue scheduling algorithm.

queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> }*

Restore the default queue scheduling algorithm setting.

undo queue-scheduler [ queue-id ] &<1-8>

By default, SP scheduling applies. As for the queues on which WRR scheduling does not apply, SP scheduling applies.

For more information about the queue-scheduler command and its negative form, refer to Command Manual.


2.4.8 Configure Congestion Avoidance

When congestion occurs on a switch, the switch will try to alleviate it by releasing queue resources as soon as possible and putting packets into the queues other than those suffering high latency.

Upon the receipt of a packet, the switch assigns a drop-precedence value to it. This is also known as coloring packets. Drop-precedence can be set to 0, 1, or 2, meaning green, yellow, or red. When congestion occurs, red packets are the first ones being dropped and green packets are the last ones.

You may configure congestion avoidance parameters and drop thresholds for each queue and conform-level.

Two drop algorithms are supported:

1) Tail drop: sets different drop thresholds for different queues. Thus, after the number of red (yellow or green) packets exceeds the specified upper threshold, the arriving red (yellow or green) packets will be dropped.

2) WRED drop: takes the drop-precedence of the packets in each queue into consideration when dropping them. Before the number of (red, yellow, or green) packets in a queue exceeds the specified upper threshold, the system starts dropping packets once the number of packets in the queue exceeds the lower threshold. The number of packets dropped at a given moment is decided dynamically, taking into account the specified maximum drop probability and the number of packets waiting for transmission in the queue. If the number of packets exceeds the upper threshold, however, the system drops all the arriving packets.

Before configuring the drop algorithm, you need to configure the WRED parameters of the output queues.
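As an added illustration (not code from the manual), the following Python model contrasts the two drop decisions described above for one output queue: tail drop compares the current queue depth against the upper threshold, while WRED compares a moving average of the depth against the lower and upper thresholds and ramps the drop probability up to the configured maximum. The threshold values, the use of total queue depth instead of per-colour counts, and the reading of exponent as the weight 2^-n of the moving average are assumptions made for this example, not values or semantics taken from the switch.

```python
import random
from dataclasses import dataclass

GREEN, YELLOW, RED = 0, 1, 2  # drop-precedence (colour) values, as in the manual


@dataclass(frozen=True)
class ColourThresholds:
    min_threshold: int   # WRED starts dropping once the average depth exceeds this
    max_threshold: int   # every arriving packet is dropped at or above this
    max_prob: float      # drop probability reached at max_threshold, 0.0..1.0


# Constructed parameter set for one output queue. It has the shape of the
# manual's queue command (three min/max/max-prob triples plus an exponent),
# but the numbers are illustrative, not the switch's default WRED sets.
QUEUE_PARAMS = {
    GREEN:  ColourThresholds(min_threshold=80, max_threshold=120, max_prob=0.10),
    YELLOW: ColourThresholds(min_threshold=50, max_threshold=100, max_prob=0.50),
    RED:    ColourThresholds(min_threshold=20, max_threshold=60,  max_prob=1.00),
}
EXPONENT = 3  # assumption: the moving average of queue depth uses weight 2**-EXPONENT


def tail_drop_decision(colour, queue_depth, params=QUEUE_PARAMS):
    """Tail drop: the arriving packet is dropped only once the queue already
    holds max_threshold packets for that colour. There is no early dropping."""
    return queue_depth >= params[colour].max_threshold


def wred_drop_probability(colour, avg_depth, params=QUEUE_PARAMS):
    """WRED: 0 below the lower threshold, a linear ramp up to max_prob at the
    upper threshold, and 1.0 (drop everything) at or above the upper threshold."""
    t = params[colour]
    if avg_depth < t.min_threshold:
        return 0.0
    if avg_depth >= t.max_threshold:
        return 1.0
    span = t.max_threshold - t.min_threshold
    return t.max_prob * (avg_depth - t.min_threshold) / span


def update_average(avg_depth, current_depth, exponent=EXPONENT):
    """Exponentially weighted moving average of the queue depth (the classic
    RED formulation, assumed here to be what the 'exponent' parameter selects)."""
    weight = 2.0 ** -exponent
    return avg_depth + weight * (current_depth - avg_depth)


def simulate(arrivals, algorithm, uniform=None, service_every=2, params=QUEUE_PARAMS):
    """Push a constructed arrival sequence (list of colours) through one queue
    and count drops per colour. One packet leaves the queue every
    `service_every` arrivals, so a steady stream builds a backlog. `uniform`
    is the random source for WRED (returns floats in [0, 1)); pass a constant
    to make a run deterministic."""
    draw = uniform or random.Random(1).random
    depth, avg = 0, 0.0
    dropped = {GREEN: 0, YELLOW: 0, RED: 0}
    for i, colour in enumerate(arrivals, start=1):
        if algorithm == "tail-drop":
            drop = tail_drop_decision(colour, depth, params)
        elif algorithm == "wred":
            avg = update_average(avg, depth)   # average of the depth seen so far
            drop = draw() < wred_drop_probability(colour, avg, params)
        else:
            raise ValueError(f"unknown drop-mode {algorithm!r}")
        if drop:
            dropped[colour] += 1
        else:
            depth += 1
        if i % service_every == 0 and depth > 0:
            depth -= 1                          # one packet transmitted
    return dropped


if __name__ == "__main__":
    burst = [RED, YELLOW, GREEN] * 100          # constructed mixed-colour burst
    for mode in ("tail-drop", "wred"):
        print(mode, simulate(burst, mode))
```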

I. Configure WRED

The system provides four default sets of WRED parameters identified by the index number 0, 1, 2, and 3. Each WRED parameter set specifies 80 parameter values, ten for each output queue on a port. You may change the WRED parameters represented by the current WRED index using the queue command described in the following table.

You may use the commands in the following table to configure WRED parameters.

Perform the following configurations beginning with accessing system view.

Table 2-38 Configure WRED parameters

Operation Command

Access WRED index view from system view. wred wred-index

Restore the default WRED setting in system view. undo wred wred-index


Set WRED parameter values in WRED index view. queue queue-id green-min-threshold green-max-threshold green-max-prob yellow-min-threshold yellow-max-threshold yellow-max-prob red-min-threshold red-max-threshold red-max-prob exponent

Restore the default WRED setting in WRED index view. undo queue queue-id

Exit from WRED index view. quit

Using the undo wred command, you can restore the default WRED parameter settings of all the queues in the corresponding conform-level. Using the undo queue command, you can restore the default WRED parameter settings relevant to a queue.

By default, the system provides four default sets of WRED parameters.

For more information about the commands described in this section, refer to Command Manual.

II. Configure drop algorithm

You may configure drop algorithm using the drop-mode command described in the following table.

Perform the following configuration in Ethernet interface view.

Table 2-39 Configure drop algorithm

Operation Command

Set drop algorithm. drop-mode { tail-drop | wred } [ wred-index ]

Restore the default drop algorithm. undo drop-mode

By default, tail-drop is adopted.

For more information about the command, refer to Command Manual.

2.4.9 Configure Traffic Mirroring

Traffic mirroring duplicates the traffic matched by the specified ACL to the CPU or to a monitor port for the purpose of traffic analysis and monitoring.

You may configure traffic mirroring using the commands described in the following table.

Perform the following configuration in Ethernet interface view.


Table 2-40 Configure traffic mirroring

Operation Command

Configure traffic mirroring. mirrored-to inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } { cpu | monitor-interface }

Disable traffic mirroring. undo mirrored-to inbound { ip-group acl-number | acl-name [ rule rule ] | link-group acl-number | acl-name [ rule rule ] }

Note:

You must use the monitor-port command to configure the monitoring port before you mirror a data stream to a specified port. The switch mirrors only the packets received on the port (inbound traffic), so when you use the monitor-port command to configure the monitoring port you must set the direction of the monitored packets to inbound or both.

For more information about the mirrored-to command and its negative form, refer to Command Manual.

2.4.10 Configure Port Mirroring

Port mirroring is to duplicate the data on a mirroring port to a specified monitor port for the purpose of analysis and monitoring.

Ethernet switches support many-to-one mirroring, allowing duplication of packets from multiple mirroring ports to one monitor port.

You may specify a mirroring port to accept the monitoring of:

Inbound packets

Outbound packets

Both inbound and outbound packets

You may also specify a monitor port to monitor:

Only the inbound packets on the specified mirroring ports

Only the outbound packets on the specified mirroring ports

You may configure port mirroring using the commands described in the following table.

Perform the following configuration in system view.

Table 2-41 Configure port mirroring

Operation Command

Configure a monitor port. monitor-port { interface_name | interface_type interface_num } { inbound | outbound | both }

Configure one or more mirroring ports. mirroring-port port-list { inbound | outbound | both }

Disable the configuration of mirroring port or ports. undo mirroring-port port-list { inbound | outbound | both }



Disable the configuration of the monitor port. undo monitor-port { interface_name | interface_type interface_num } { inbound | outbound | both }

When configuring port mirroring, you must configure a monitor port prior to mirroring port (or ports). When disabling port mirroring, you can disable the monitor port only after disabling all the mirroring ports.

Each switch supports at most two monitor ports (also known as mirroring destination ports). These two ports can respectively observe the inbound packets and the outbound packets on one or more specified ports. A monitor port can observe any number of mirroring ports when it monitors inbound packets, but only up to eight mirroring ports when it monitors outbound packets.

Inbound packets containing errors (CRC or fragment error for example) are beyond the scope of monitoring. Outbound packets being monitored will be duplicated to the appropriate monitor port even if they are forwarded to CPU en route.

Note:

When disabling the configuration of a mirroring port, you are allowed to disable the monitoring on inbound packets, outbound packets, or both. When disabling the configuration of a monitor port observing both inbound and outbound packets, you are also allowed to disable the monitoring on only inbound or outbound packets. If a mirroring port accepts the monitoring on both inbound and outbound packets, disabling only the inbound or outbound packet monitoring on it means that the system is still required to monitor the packets in the opposite direction. In this case, you cannot remove the monitor port.

For more information about the commands described in this section, refer to Command Manual.
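The ordering and capacity rules stated above can be checked before a change is pushed to a switch. The following Python validator is an added example, not code from the manual; the port names and command sequence are constructed, and it models the two-monitor-port limit as one monitor port per direction.

```python
from dataclasses import dataclass, field

DIRECTIONS = ("inbound", "outbound")
MAX_OUTBOUND_MIRRORING_PORTS = 8   # limit stated for a monitor port observing outbound traffic


class MirrorConfigError(ValueError):
    """A command that the ordering or capacity rules would reject."""


@dataclass
class PortMirroring:
    monitor: dict = field(default_factory=dict)   # direction -> monitor port name
    mirroring: dict = field(default_factory=lambda: {d: set() for d in DIRECTIONS})

    @staticmethod
    def _dirs(direction):
        if direction == "both":
            return DIRECTIONS
        if direction not in DIRECTIONS:
            raise MirrorConfigError(f"unknown direction {direction!r}")
        return (direction,)

    def monitor_port(self, port, direction):
        """monitor-port <port> { inbound | outbound | both }: one monitor port per direction."""
        dirs = self._dirs(direction)
        for d in dirs:
            if d in self.monitor and self.monitor[d] != port:
                raise MirrorConfigError(f"{d} monitor port is already {self.monitor[d]}")
        for d in dirs:
            self.monitor[d] = port

    def mirroring_port(self, ports, direction):
        """mirroring-port <port-list> { ... }: the monitor port for each direction must
        already exist, and an outbound monitor port observes at most eight ports."""
        dirs = self._dirs(direction)
        for d in dirs:
            if d not in self.monitor:
                raise MirrorConfigError(f"configure the {d} monitor port before mirroring ports")
            if d == "outbound" and len(self.mirroring[d] | set(ports)) > MAX_OUTBOUND_MIRRORING_PORTS:
                raise MirrorConfigError("outbound monitor port can observe at most 8 mirroring ports")
        for d in dirs:                       # apply only after every check passed
            self.mirroring[d].update(ports)

    def undo_mirroring_port(self, ports, direction):
        """undo mirroring-port: disabling one direction leaves the other direction monitored."""
        for d in self._dirs(direction):
            self.mirroring[d].difference_update(ports)

    def undo_monitor_port(self, port, direction):
        """undo monitor-port: allowed only once no mirroring port remains in that direction."""
        dirs = self._dirs(direction)
        for d in dirs:
            if self.monitor.get(d) != port:
                raise MirrorConfigError(f"{port} is not the {d} monitor port")
            if self.mirroring[d]:
                raise MirrorConfigError(f"remove the {d} mirroring ports {sorted(self.mirroring[d])} first")
        for d in dirs:
            del self.monitor[d]


def run_script(commands, config=None):
    """Apply (command, port-or-ports, direction) tuples in order and return 'ok' or
    'error: <reason>' per command, so a whole script can be checked without raising."""
    if config is None:
        config = PortMirroring()
    handlers = {
        "monitor-port": config.monitor_port,
        "mirroring-port": config.mirroring_port,
        "undo mirroring-port": config.undo_mirroring_port,
        "undo monitor-port": config.undo_monitor_port,
    }
    results = []
    for cmd, target, direction in commands:
        try:
            handlers[cmd](target, direction)
            results.append("ok")
        except MirrorConfigError as err:
            results.append(f"error: {err}")
    return results


# Constructed command sequence exercising each rule from the text.
SAMPLE_COMMANDS = [
    ("mirroring-port", ["Ethernet0/1"], "inbound"),                          # error: no monitor port yet
    ("monitor-port", "Ethernet0/8", "both"),                                 # ok
    ("mirroring-port", ["Ethernet0/1", "Ethernet0/2"], "inbound"),           # ok
    ("mirroring-port", [f"Ethernet0/{n}" for n in range(1, 10)], "outbound"),  # error: 9 > 8
    ("mirroring-port", ["Ethernet0/1"], "outbound"),                         # ok
    ("undo monitor-port", "Ethernet0/8", "both"),                            # error: mirroring ports remain
    ("undo mirroring-port", ["Ethernet0/1", "Ethernet0/2"], "inbound"),      # ok
    ("undo monitor-port", "Ethernet0/8", "inbound"),                         # ok: inbound side is now empty
    ("undo monitor-port", "Ethernet0/8", "outbound"),                        # error: Ethernet0/1 still outbound
]

if __name__ == "__main__":
    for command, result in zip(SAMPLE_COMMANDS, run_script(SAMPLE_COMMANDS)):
        print(command[0], command[2], "->", result)
```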

2.4.11 Configure Traffic Statistic

Traffic statistics count the forwarded packets of a specified service that match the specified ACLs. After completing the traffic statistic configuration, you may execute the display qos-interface traffic-statistic command to display the statistic information.

You may configure traffic statistic using the commands described in the following table.

Perform the following configuration in Ethernet interface view.


Table 2-42 Configure traffic statistic

Operation Command

Configure traffic statistic. traffic-statistic inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Disable traffic statistic. undo traffic-statistic inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Display traffic statistic information. display qos-interface [ interface-name | interface-type interface-num ] traffic-statistic

Note:

If you choose untrusted mode for a specific traffic in traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. If you choose traffic-limit and traffic-statistic, however, then the untrusted mode is invalid.

For more information about the commands of traffic statistics, refer to Command Manual.

2.4.12 Display and Debug QoS

Upon the completion of the configuration tasks described above, you may execute the display commands in any view to see the operating information of QoS configurations, thus verifying the configuration effect. You may execute the reset command to reset QoS statistic information in Ethernet interface view.

Table 2-43 Display and debugging QoS

Operation Command

Display information of all QoS actions. display qos-global all

Display traffic mirroring information. display qos-interface [ interface-name | interface-type interface-num ] mirrored-to

Display priority remark information. display qos-interface [ interface-name | interface-type interface-num ] traffic-priority

Display redirection information. display qos-interface [ interface-name | interface-type interface-num ] traffic-redirect

Display traffic statistics. display qos-interface [ interface-name | interface-type interface-num ] traffic-statistic

Display port mirroring information. display mirror

Display QoS settings on all the ports. display qos-interface [ interface-name | interface-type interface-num ] all

Display traffic restraint settings. display qos-interface [ interface-name | interface-type interface-num ] traffic-limit

Display information of queue scheduling mode and related parameters. display qos-interface [ interface-name | interface-type interface-num ] queue-scheduler

Display traffic shaping information on a port. display qos-interface [ interface-name | interface-type interface-num ] traffic-shape


Display the DSCP + Conform-level to service and local-precedence + Conform-level to CoS maps. display qos conform-level [ conform-level-value ] { dscp-policed-service-map [ dscp-list ] | local-precedence-CoS-map }

Display the CoS to drop-precedence map. display qos CoS-drop-precedence-map

Display the CoS to Local-precedence map. display qos CoS-local-precedence-map

Reset all the statistic information. reset traffic-statistic inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

For more information about the commands described in this table, refer to Command Manual.

2.5 QoS Configuration Example of S3526 Series Switches

2.5.1 Traffic Mirroring Configuration Example

I. Networking requirement

Use a server to monitor the traffic exchanged between two PCs in the time range 8:00 to 18:00. Suppose the IP addresses of the two PCs are 1.1.1.1 and 2.2.2.2 respectively and the server is attached to the Ethernet0/8 port on the switch, as shown in the following networking diagram.

II. Networking diagram

[Diagram: the Server is attached to switch port E0/8]

Figure 2-2 Typical access control configuration example

III. Configuration procedure

1) Define a time range.

# Set time range to the range 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define a rule to be applied on the traffic between two PCs.

# Access the view of the number-based advanced ACL 3000.


[Quidway] acl number 3000

# Define traffic classification rule to be applied on the traffic from PC1 to PC2.

[Quidway-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0.0.0.0 destination 2.2.2.2 0 time-range huawei

# Define a rule to filter in the traffic from PC2 to PC1.

[Quidway-acl-adv-3000] rule 0 permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0 time-range huawei

3) Monitor the communication traffic between PCs, using Ethernet0/8 as the monitor port.

[Quidway] mirrored-to ip-group 3000 interface ethernet0/8

2.6 QoS Configuration Example of S3526E and S3526C

2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example

I. Networking requirement

On a company’s intranet illustrated in the following figure, the departments are connected to each other via 100 megabit ports provided by an Ethernet switch. The pay server of the financial department accesses the intranet from the Ethernet 0/1 port, using the subnet address 129.110.1.2. In this scenario, the traffic generated by each department for accessing the pay server cannot exceed 20 Mbps, and the server cannot send out packets at an average rate greater than 20 Mbps. The priority of packets beyond the limit is set to 4.


II. Networking diagram

[Diagram: Pay server 129.110.1.2 attached to switch port E0/1; the switch uplinks to a router]

Figure 2-3 QoS configuration example

III. Configuration procedure

Note:

The following configuration procedures only give the commands related to QoS and ACL.

1) Restrict the traffic size that the pay server is allowed to send.

# Access the view of the name-based ACL traffic-of-payserver.

[Quidway] acl name traffic-of-payserver advanced

# Define a rule in the traffic-of-payserver ACL.

[Quidway-acl-adv-traffic-of-payserver] rule 1 permit ip source 129.110.1.2 0.0.0.0 destination any

2) Restrict the traffic allowed to access the pay server.

# Restrict the pay server from sending out packets at an average rate greater than 20 Mbps and set priority of the packets beyond the limitation to 4.

[Quidway-Ethernet0/1] traffic-limit inbound ip-group traffic-of-payserver 20 exceed remark-dscp 4

# Restrict the Ethernet 0/1 port from sending packets to the pay server at a rate greater than 20 Mbps.

[Quidway-Ethernet0/1] line-rate 20


2.6.2 Traffic Mirroring Configuration Example

I. Networking requirement

Use a server to monitor the traffic exchanged between two PCs in the time range 8:00 to 18:00. Suppose the IP addresses of the two PCs are 1.1.1.1 and 2.2.2.2 respectively and the server is attached to the Ethernet0/8 port on the switch, as shown in the following networking diagram.

II. Networking diagram

[Diagram: the Server is attached to switch port E0/8]

Figure 2-4 QoS configuration example

III. Configuration procedure

1) Define a time range.

# Set time range to the range 8:00 to 18:00.

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define a rule to be applied on the traffic between two PCs.

# Access the view of the number-based advanced ACL 3000.

[Quidway] acl number 3000

# Define a rule to filter in the traffic from PC1 to PC2.

[Quidway-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0.0.0.0 destination 2.2.2.2 0 time-range huawei

# Define a rule to filter in the traffic from PC2 to PC1.

[Quidway-acl-adv-3000] rule 0 permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0 time-range huawei

3) Monitor the communication traffic between PCs, using Ethernet0/8 as the monitor port.

[Quidway] mirrored-to ip-group 3000 interface ethernet0/8


2.7 QoS Configuration Example of S3552 Series Switches

2.7.1 Traffic Policing Configuration Example

I. Networking requirement

On a company’s intranet illustrated in the following figure, the departments are connected to each other via 100 megabit ports provided by an Ethernet switch. The pay server of the financial department accesses the intranet from the Ethernet 0/2 port, using the IP address 129.110.1.2. The research and development department connects to the switch through the Ethernet0/1 port. In this scenario, personnel of the research and development department are not allowed to access the pay server during working time (from 8:30 to 18:00), while no limitation applies to personnel of other departments; the pay server sends out packets at a committed information rate of 200 kbps, a committed burst size of 25000 bytes, and an excess burst size of 25000 bytes.

II. Networking diagram

[Diagram: Pay server 129.110.1.2 on switch Port 2, Research and development Department on Port 1, Financial Department and Majordomo (VLAN3) also attached; the switch connects to a router]

Figure 2-5 QoS configuration example

III. Configuration procedure

Note:

The following configuration procedures only give the commands related to QoS and ACL.

1) Define working time range


# Set this time range in system view

[Quidway] time-range worktime 08:30 to 18:00 working-day

2) Restrict the traffic size sent to the pay server

# Access the view of the name-based ACL traffic-to-payserver

[Quidway] acl name traffic-to-payserver advanced

# Define a rule in the traffic-to-payserver ACL

[Quidway-acl-adv-traffic-to-payserver] rule 1 deny ip destination 129.110.1.2 0 time-range worktime

3) Restrict the traffic size that the pay server is allowed to send

# Access the view of the name-based ACL traffic-from-payserver

[Quidway] acl name traffic-from-payserver advanced

# Define a rule in the traffic-from-payserver ACL

[Quidway-acl-adv-traffic-from-payserver] rule 1 permit ip source 129.110.1.2 0

4) Restrict access to the pay server by common personnel

# Personnel of the research and development department are not allowed to access the pay server during working time; no limitation applies at other times.

[Quidway-Ethernet0/1] packet-filter inbound ip-group traffic-to-payserver rule 1

5) Restrict the traffic sent out by the pay server

# Restrict the traffic sent out by the pay server:

Committed information rate: 200 kbps

Committed burst size: 25000 bytes

Excess burst size: 25000 bytes

[Quidway-Ethernet0/2] traffic-limit inbound ip-group traffic-from-payserver rule 1 200 25000 25000

2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example

I. Networking requirement

Switch port Ethernet0/1 connects to VLAN 10; the upstream port GigabitEthernet1/1 is a trunk port that allows VLAN 10 packets to pass. The goal is to implement bi-directional traffic limiting for VLAN 10 by configuring port traffic policing, that is, to limit the rate of packets both sent from and sent to VLAN 10 to 200 kbps.


II. Networking diagram

[Diagram: VLAN 10 attached to switch port E0/1; trunk port GE1/1 connects the switch to the network]

Figure 2-6 QoS configuration example

III. Configuration procedure

Note:

The following configuration procedures only give the commands related to QoS and ACL.

1) Define the traffic of VLAN 10

# Create Layer 2 ACL 4000

[Quidway] acl number 4000

# Define a rule for packets sent from VLAN 10

[Quidway-acl-link-4000] rule 1 permit ingress vlan 10

# Define a rule for packets sent to VLAN 10

[Quidway-acl-link-4000] rule 2 permit egress vlan 10

2) Restrict the rate of traffic sent from VLAN 10

# At the Ethernet0/1 port, restrict the rate of traffic sent from VLAN 10 to 200 kbps, and set the committed burst size and excess burst size to 25000 bytes.

[Quidway-Ethernet0/1] traffic-limit inbound link-group 4000 rule 1 200 25000 25000

3) Restrict the speed of traffic sent to VLAN 10

# At GigabitEthernet1/1 port, restrict the speed of traffic sent to VLAN 10 to 200 kbps.

[Quidway-GigabitEthernet1/1] traffic-limit inbound link-group 4000 rule 2 200 25000 25000


2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example

I. Networking requirement

Restrict the rate of packets received by the Ethernet0/1 port to 200 kbps and the rate of packets sent by the port to 1300 kbps. The burst size is set to 4 kbytes.

II. Networking diagram

[Diagram: switch with ports E0/1 and GE1/1, each connected to a network]

Figure 2-7 QoS configuration example

III. Configuration procedure

1) Restrict the traffic at Ethernet0/1

# Create Layer 2 ACL 4000

[Quidway] acl number 4000

# Define a rule for packets received by Ethernet0/1

[Quidway-acl-link-4000] rule 1 permit ingress any egress any

2) Restrict the speed of traffic received by Ethernet0/1

# Restrict the speed of traffic received by Ethernet0/1 to 200 kbps

[Quidway-Ethernet0/1] traffic-limit inbound link-group 4000 rule 1 200 25000 25000

3) Restrict the speed of traffic sent by Ethernet0/1

# Restrict the speed of traffic sent by Ethernet0/1 to 1300 kbps, and set the burst size to 4k bytes.

[Quidway-Ethernet0/1] traffic-shape 1300 4


2.7.4 Priority Marking Configuration Example

I. Networking requirement

Assign the following set of service group values to packets sent by PC1 (IP address 1.0.0.2) from 08:00 to 18:00 every day:

DSCP: ef

CoS priority: 0

local precedence: 0

drop precedence: 0

II. Networking diagram

[Diagram: PC1 on port E0/1 (VLAN2, 1.0.0.1/8), PC2 on port E0/2 (VLAN3, 2.0.0.1/8), uplink GE1/1]

Figure 2-8 QoS configuration example

III. Configuration procedure

1) Define the time range 8:00 to 18:00

# Define time range

[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define a rule for PC packets

# Access the view of the number-based ACL 2000

[Quidway] acl number 2000

# Define a rule for classifying PC1 packets

[Quidway-acl-basic-2000] rule 0 permit ip source 1.0.0.2 0 time-range huawei

3) Retag packets sent by PC1 with ef priority


[Quidway-Ethernet0/1] traffic-priority inbound untrusted dscp ef cos 0 local-preference 0 drop-priority 0

Note:

If you choose the untrusted operation for packets sent by PC1 in traffic-priority, which means you manually designate a service group for packets sent by PC1, then the switch does not allow you to configure a traffic-limit or traffic-statistic action for packets sent by PC1.


Operation Manual - QoS/ACL Quidway S3500 Series Ethernet Switches Chapter 3 Logon User ACL Control Configuration


Chapter 3 Logon User ACL Control Configuration

3.1 Overview

As the Ethernet switches launched by Huawei Technologies are used more and more widely over the networks, the security issue becomes even more important. The switches provide several logon and device accessing measures, mainly including TELNET access, SNMP access, and HTTP access. The security control over the access measures is provided with the switches to prevent illegal users from logging on to and accessing the devices. There are two levels of security controls. At the first level, the user connection is controlled with ACL filter and only the legal users can be connected to the switch. At the second level, a connected user can log on to the device only if he can pass the password authentication.

This chapter mainly introduces how to configure the first level security control over these access measures, that is, how to configure to filter the logon users with ACL. For detailed description about how to configure the first level security, refer to “getting started” module of Operation Manual.

3.2 Configure ACL Control over the TELNET User

Configuring ACL control over the TELNET users can help filter the malicious and illegal connection requests before the password authentication and ensure the device security.

Take the following steps to configure the ACL control over the TELNET users:

1) Define ACLs

2) Call ACLs to control the TELNET user

The following section introduces the configuration procedures.

3.2.1 Define ACL

Only a numbered basic ACL, in the range 2000 to 2999, can be called to implement the ACL control function.

You can use the following command to configure the basic ACL.

Perform the following configuration in system view.


Table 3-1 Define basic ACL

Operation Command

Enter basic ACL view (from system view). acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Add a sub-item to the ACL (from basic ACL view). rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]

Delete a sub-item from the ACL (from basic ACL view). undo rule rule-id [ source ] [ fragment ] [ time-range ]

Delete one ACL or all the ACLs (from system view). undo acl { number acl-number | name acl-name | all }

In the defining process, you can configure several rules for an ACL, using the rule command repeatedly.

3.2.2 Call ACL to Control TELNET User

To control TELNET users with ACL, you can call the defined ACL in user-interface view.

You can use the following command to call an ACL.

Perform the following configuration in corresponding view.

Table 3-2 Call ACL to Control TELNET User

Operation Command

Enter user-interface view (from system view). user-interface [ type ] first-number [ last-number ]

Call an ACL (from user-interface view). acl acl-number { inbound | outbound }

For detailed description of the command, refer to the Command Manual.

Note:

Only the numbered basic ACL can be called for TELNET user control.

3.2.3 Configuration Example

I. Networking requirements

Permit only TELNET users from 10.110.100.52 and 10.110.100.46 to access the switch.


II. Networking diagram

[Diagram: the Switch is reached from the Internet]

Figure 3-1 Control TELNET user with ACL

III. Configuration procedure

# Define the basic ACLs.

[Quidway] acl number 2020 match-order config

[Quidway-acl-basic-2020] rule 1 permit source 10.110.100.52 0

[Quidway-acl-basic-2020] rule 2 permit source 10.110.100.46 0

[Quidway-acl-basic-2020] quit

# Call an ACL.

[Quidway] user-interface vty 0 4

[Quidway-user-interface-vty0-4] acl 2020 inbound
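The following Python evaluator is an added example (not from the manual) that reproduces the matching semantics used by this chapter's logon-control ACL and by the chapter 2 time-range ACLs: wildcard masks, first-match rule order (match-order config), and daily or working-day time ranges. The rule ids, the implicit deny for unmatched logon users and the implicit permit for unmatched packet-filter traffic are assumptions drawn from the wording of the examples, not from the Command Manual.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def _wildcard(text):
    """The manual writes an all-zero wildcard as a bare '0'; expand that shorthand."""
    return "0.0.0.0" if text == "0" else text


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard-mask semantics: bits that are 0 in the wildcard must equal the rule
    address, bits that are 1 are ignored. '0.0.0.0' therefore matches one host."""
    a = int(IPv4Address(addr))
    r = int(IPv4Address(rule_addr))
    care = ~int(IPv4Address(_wildcard(wildcard))) & 0xFFFFFFFF
    return (a ^ r) & care == 0


@dataclass(frozen=True)
class TimeRange:
    """time-range <name> <start> to <end> { daily | working-day }."""
    start: tuple            # (hour, minute)
    end: tuple
    days: str               # "daily" or "working-day"

    def active(self, when: datetime) -> bool:
        if self.days == "working-day" and when.weekday() >= 5:   # Saturday/Sunday
            return False
        return self.start <= (when.hour, when.minute) <= self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    source: Optional[tuple] = None         # (address, wildcard); None means 'any'
    destination: Optional[tuple] = None    # advanced ACLs only
    time_range: Optional[str] = None       # name of a TimeRange, or None


@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)   # configured order (match-order config)

    def evaluate(self, src, dst, when, time_ranges, default="deny"):
        """Return the action of the first matching rule, or `default` when none
        matches. Assumption: logon control denies unmatched users ('only permit
        ...'), while packet-filter passes unmatched traffic ('no limitation other
        time'), so callers pass default='permit' for the latter."""
        for rule in self.rules:
            if rule.time_range and not time_ranges[rule.time_range].active(when):
                continue
            if rule.source and not wildcard_match(src, *rule.source):
                continue
            if rule.destination and not wildcard_match(dst, *rule.destination):
                continue
            return rule.action
        return default


def at(iso):
    """Parse a constructed timestamp such as '2024-01-01T09:00'."""
    return datetime.fromisoformat(iso)


# Constructed configuration mirroring the page's examples (rule ids are ours).
TIME_RANGES = {
    "huawei": TimeRange((8, 0), (18, 0), "daily"),
    "worktime": TimeRange((8, 30), (18, 0), "working-day"),
}
# acl number 3000: traffic between PC1 and PC2 during 'huawei' (traffic mirroring example)
ACL_3000 = Acl("3000", [
    Rule(0, "permit", ("1.1.1.1", "0.0.0.0"), ("2.2.2.2", "0"), "huawei"),
    Rule(1, "permit", ("2.2.2.2", "0.0.0.0"), ("1.1.1.1", "0"), "huawei"),
])
# acl name traffic-to-payserver: R&D may not reach the pay server during worktime
ACL_TO_PAYSERVER = Acl("traffic-to-payserver", [
    Rule(1, "deny", None, ("129.110.1.2", "0"), "worktime"),
])
# acl number 2020: the two management hosts allowed to TELNET to the switch
ACL_2020 = Acl("2020", [
    Rule(1, "permit", ("10.110.100.52", "0")),
    Rule(2, "permit", ("10.110.100.46", "0")),
])


def telnet_allowed(src, when=None):
    """Outcome of 'acl 2020 inbound' on the VTY lines for a connecting host."""
    return ACL_2020.evaluate(src, None, when or datetime.now(), TIME_RANGES) == "permit"


if __name__ == "__main__":
    for host in ("10.110.100.52", "10.110.100.46", "10.110.100.53"):
        print(host, "telnet allowed:", telnet_allowed(host))
```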

3.3 Configure ACL Control over the SNMP Users

Huawei Quidway Ethernet switches support remote management by network management software. Network management users can access the switch with SNMP. Controlling such users with ACL helps filter out illegal NM users and prevents them from accessing the local switch.

Take the following steps to control the SNMP users with ACL.

1) Define an ACL

2) Call ACLs to control the SNMP user

The following section introduces the configuration procedures.


3.3.1 Define an ACL

Only a numbered basic ACL, in the range 2000 to 2999, can be called to implement the ACL control function. Use the same configuration commands introduced in the last section.

3.3.2 Call ACL to Control SNMP User

To control the NM users with ACL, call the defined ACL when configuring SNMP community name, username, and group name.

You can use the following commands to call an ACL.

Perform the following configuration in system view.

Table 3-3 Define a numbered basic ACL

Operation Command

Call an ACL when configuring SNMP community name. snmp-agent community { read | write } community-name [ [ mib-view view-name ] | [ acl acl-number ] ]*

Call an ACL when configuring SNMP group name. snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]

Call an ACL when configuring SNMP username. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-list ]

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-list ]

The SNMP community name attribute is a feature of SNMP V1. Therefore, calling an ACL in the SNMP community name configuration filters access by SNMP V1 network management systems.

The SNMP group name and username attributes are features of SNMP V2C and above. Therefore, calling an ACL in the SNMP group name and username configuration filters access by network management systems of SNMP V2C or higher. If you configure ACL control in both kinds of command, the switch filters the NM users on both attributes.

Note:

You can call different ACLs for the above mentioned commands.

For more about the commands, refer to the Command Manual.


Note:

Only the numbered basic ACL can be called for network management user control.

3.3.3 Configuration Example

I. Networking requirements

Permit only SNMP users from 10.110.100.52 and 10.110.100.46 to access the switch.

II. Networking diagram

[Diagram: the Switch is reached from the Internet]

Figure 3-2 Control SNMP user with ACL

III. Configuration procedure

# Define the basic ACLs.

[Quidway] acl number 2020 match-order config

[Quidway-acl-basic-2020] rule 1 permit source 10.110.100.52 0

[Quidway-acl-basic-2020] rule 2 permit source 10.110.100.46 0

[Quidway-acl-basic-2020] quit

# Call the basic ACLs.

[Quidway] snmp-agent community read huawei acl 2020

[Quidway] snmp-agent group v2c huaweigroup acl 2020

[Quidway] snmp-agent usm-user v2c huaweiuser huaweigroup acl 2020


3.4 Configure ACL Control over the HTTP Users

Quidway Ethernet switches support remote management through the Web; users can access the switch through HTTP. Controlling such users with ACL helps filter out illegal users and prevents them from accessing the local switch. After ACL control over these users is configured, the switch allows only one Web user to access the Ethernet switch at a time.

Take the following steps to control the HTTP users with ACL.

1) Define an ACL

2) Call ACLs to control the HTTP user

The following section introduces the configuration procedures.

3.4.1 Define an ACL

So far, only a numbered basic ACL, in the range 2000 to 2999, can be called to implement the ACL control function. Use the same configuration commands introduced in the last section.

3.4.2 Call ACL to Control HTTP User

To control the WEB network management users with ACL, call the defined ACL.

You can use the following commands to call an ACL.

Perform the following configuration in system view.

Table 3-4 Call ACL to Control HTTP User

Operation Command

Call an ACL to control the WEB NM users. ip http acl acl-number

Cancel the ACL control function. undo ip http acl

For more about the commands, refer to the Command Manual.

Note:

Only the numbered basic ACL can be called for WEB NM user control.


3.4.3 Configuration Example

I. Networking requirements

Permit only the WEB NM user from 10.110.100.46 to access the switch.

II. Networking diagram

[Diagram: the Switch is reached from the Internet]

Figure 3-3 Control WEB NM user with ACL

III. Configuration procedure

# Define the basic ACL.

[Quidway] acl number 2030 match-order config

[Quidway-acl-basic-2030] rule 1 permit source 10.110.100.46 0

[Quidway-acl-basic-2030] quit

# Call the basic ACL.

[Quidway] ip http acl 2030
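The following Python model, added here as an editor's example and not code from the manual or from Huawei, evaluates a basic ACL the way sections 3.4.1 to 3.4.3 describe it being used: it parses the acl number / rule lines, applies wildcard-mask matching in either match order, and reports whether ip http acl would admit a WEB NM user from a given source address. The match-order auto ordering (most specific wildcard first), the config default when no match-order is given, the reading of a bare 0 as wildcard 0.0.0.0, and the assumption that a source matching no rule is denied are the editor's assumptions to be checked against the Command Manual; the second ACL is constructed to show why match order matters.

```python
"""Model of a Quidway basic ACL (2000-2999) as used by `ip http acl`.

Editor's added example; not code from the S3500 manual or from Huawei.
Assumptions (verify against the Command Manual for your release):
  * a wildcard bit of 1 means "don't care"; the manual's bare "0" is 0.0.0.0
  * `match-order config` = first matching rule in configured order
  * `match-order auto` = most specific wildcard first, ties broken by rule id
  * a header without match-order defaults to config
  * a source that matches no rule is DENIED (conservative reading)
"""
import ipaddress
import re
from dataclasses import dataclass, field

ACL_HEADER_RE = re.compile(
    r"^\s*acl\s+number\s+(?P<num>\d+)(?:\s+match-order\s+(?P<order>config|auto))?\s*$"
)
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?:any|(?P<ip>[\d.]+)\s+(?P<wc>[\d.]+)))?\s*$"
)


def _wildcard_to_int(text: str) -> int:
    """Wildcard as a 32-bit int; a dotless value such as "0" is read as an integer."""
    return int(text) if "." not in text else int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: int      # 32-bit source address (0 for "any")
    wildcard: int    # 32-bit wildcard; 1 bits are ignored when matching

    def matches(self, addr: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (addr & care) == (self.source & care)

    @property
    def specificity(self) -> int:
        return 32 - bin(self.wildcard).count("1")   # address bits actually compared


@dataclass
class BasicAcl:
    number: int
    match_order: str
    rules: list = field(default_factory=list)

    def ordered_rules(self) -> list:
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.specificity, r.rule_id))
        return list(self.rules)

    def evaluate(self, source_ip: str):
        """Return (action, rule_id); rule_id is None when no rule matched."""
        addr = int(ipaddress.IPv4Address(source_ip))
        for rule in self.ordered_rules():
            if rule.matches(addr):
                return rule.action, rule.rule_id
        return "deny", None


def parse_basic_acl(text: str) -> BasicAcl:
    """Parse an `acl number ...` header followed by its `rule` lines."""
    acl = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = ACL_HEADER_RE.match(line)
        if header:
            number = int(header.group("num"))
            if not 2000 <= number <= 2999:
                raise ValueError(f"ACL {number} is not a basic ACL (2000-2999)")
            acl = BasicAcl(number, header.group("order") or "config")
            continue
        rule = RULE_RE.match(line)
        if rule and acl is not None:
            if rule.group("ip"):
                source = int(ipaddress.IPv4Address(rule.group("ip")))
                wildcard = _wildcard_to_int(rule.group("wc"))
            else:                      # "source any" or no source clause at all
                source, wildcard = 0, 0xFFFFFFFF
            acl.rules.append(Rule(int(rule.group("id")), rule.group("action"), source, wildcard))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    if acl is None:
        raise ValueError("no 'acl number' header found")
    return acl


def http_user_allowed(acl_text: str, source_ip: str) -> bool:
    """Would `ip http acl <n>` with this ACL admit a WEB NM user from source_ip?"""
    action, _ = parse_basic_acl(acl_text).evaluate(source_ip)
    return action == "permit"


# The ACL from the configuration example above, as typed in system view.
ACL_2030 = """\
acl number 2030 match-order config
 rule 1 permit source 10.110.100.46 0
"""

# Constructed ACL: a subnet permit plus a host deny, to show why match order matters.
ACL_SUBNET = """\
acl number 2031 match-order {order}
 rule 1 permit source 10.110.100.0 0.0.0.255
 rule 2 deny source 10.110.100.99 0
"""

if __name__ == "__main__":
    print(http_user_allowed(ACL_2030, "10.110.100.46"))   # True
    print(http_user_allowed(ACL_2030, "10.110.100.47"))   # False: no rule matched
    for order in ("config", "auto"):
        acl = parse_basic_acl(ACL_SUBNET.format(order=order))
        print(order, acl.evaluate("10.110.100.99"))        # config -> rule 1, auto -> rule 2
```

The second ACL makes the practical point: with match-order config the host deny in rule 2 is shadowed by the subnet permit in rule 1, so an address you meant to block is admitted; with auto the more specific rule wins. Confirm the effective rule order on the device before relying on an ACL that mixes permits and denies.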

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

8. Integrated management

Table of Contents

Chapter 1 Stack Function Configuration 1-1
  1.1 Stack Function Overview 1-1
  1.2 Configure Stack Function 1-1
    1.2.1 Configure IP Address Pool for the Stack 1-1
    1.2.2 Enable/Disable a Stack 1-2
    1.2.3 Switch to a Slave Switch View to Perform the Configuration 1-2
  1.3 Display and Debug Stack Function 1-3
  1.4 Stack Function Configuration Example 1-3

Chapter 2 HGMP V2 Configuration 2-1
  2.1 HGMP V2 Overview 2-1
    2.1.1 Overview 2-1
    2.1.2 Role of Switch 2-1
    2.1.3 Functions 2-3
  2.2 Configure NDP 2-4
    2.2.1 NDP Overview 2-4
    2.2.2 Enable/Disable System NDP 2-5
    2.2.3 Enable/Disable Port NDP 2-5
    2.2.4 Set NDP Holdtime 2-6
    2.2.5 Set NDP Timer 2-6
    2.2.6 Display and Debug NDP 2-6
  2.3 Configure NTDP 2-7
    2.3.1 NTDP Overview 2-7
    2.3.2 Enable/Disable System NTDP 2-8
    2.3.3 Enable/Disable Port NTDP 2-8
    2.3.4 Set Hop Number for Topology Collection 2-9
    2.3.5 Set Hop-delay and Port-delay for Collected Device to Forward Topology Collection Request 2-9
    2.3.6 Set Topology Collection Interval 2-10
    2.3.7 Start manually Topology Information Collection 2-10
    2.3.8 Display and Debug NTDP 2-11
  2.4 Configure Cluster 2-11
    2.4.1 Cluster Overview 2-11
    2.4.2 Enable/Disable Cluster Function 2-12
    2.4.3 Enter Cluster View 2-12
    2.4.4 Configure Cluster IP Address Pool 2-13
    2.4.5 Name Administrator Device and Cluster 2-13
    2.4.6 Add/Delete a Cluster Member Device 2-14
    2.4.7 Set up a Cluster Automatically 2-14
    2.4.8 Set Cluster Holdtime 2-15
    2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval 2-15
    2.4.10 Configure Remote Control over the Member Device 2-16
    2.4.11 Configure the Cluster Server and Network Management and Log Hosts 2-17
    2.4.12 Member Accessing 2-17
    2.4.13 Display and Debug Cluster 2-18
  2.5 HGMP V2 Configuration Example 2-18

Chapter 1 Stack Function Configuration

1.1 Stack Function Overview

A stack is a management domain made up of several Ethernet switches (one main switch and some slave switches) connected through stack ports. The stacked switches act as one piece of equipment, and the user manages them through the main switch.

When several Ethernet switches are connected through stack ports, the user performs the configuration on one of them and sets that switch as the main switch of the stack.

A stack is created as follows. First, the user sets the IP address pool for the stack and enables the stack function. The system then automatically adds the switches connected to the stack ports of the main switch to the stack, and the main switch assigns each slave switch an unused IP address from the pool as it joins. If a new switch is later connected to the main switch via a stack port, the system adds it to the stack automatically.

Connecting a stack port establishes the stack relationship automatically, and disconnecting a slave switch's stack port makes that slave switch exit the stack automatically. Because membership follows the physical connection, stack ports should be treated as management ports and not exposed to equipment you do not control.

1.2 Configure Stack Function

The stack function configuration includes:

  Configure IP address pool for the stack
  Enable/Disable a stack
  Switch to a slave switch view to perform the configuration

1.2.1 Configure IP Address Pool for the Stack

Before enabling a stack, the user must set the IP address range for the stack. The main switch then automatically assigns each slave switch an IP address from this range when the slave switch is added to the stack.

Perform the following configuration in system view.

Table 1-1 Configure IP address pool for the stack

  Operation                                 Command
  Configure IP address range for a stack    stacking ip-pool from-ip-address ip-address-number [ ip-mask ]
  Restore the default IP address range      undo stacking ip-pool

Before setting up a stack, configure a public IP address pool for the slave switches of the stack.

Note that this configuration can only be performed on a switch that is not yet part of a stack. After a stack is enabled, the IP address pool can no longer be modified.

1.2.2 Enable/Disable a Stack

When the user enables a stack with the following command, the system automatically adds the switches connected to the main switch via stack ports to the stack. After a stack has been enabled, a slave switch whose stack port is disconnected exits the stack automatically.

Perform the following configuration in system view.

Table 1-2 Enable/Disable a stack

  Operation          Command
  Enable a stack     stacking enable
  Disable a stack    undo stacking enable

Note that a stack can only be disabled on the main switch.

1.2.3 Switch to a Slave Switch view to Perform the Configuration

Use the following command to switch from the main switch view to a slave switch view and change the slave switch's configuration.

Perform the following configuration in user view.

Table 1-3 Switch to a slave switch view to perform the configuration

  Operation                                                     Command
  Switch to a slave switch view to perform the configuration    stacking num

Note that this command only switches from the main switch view to a slave switch view, and the user level remains the same after switching. To return from a slave switch view to the main switch view, enter quit.

1.3 Display and Debug Stack Function

After the above configuration, execute the display command in any view to show the running stack configuration and verify the effect of the configuration.

Table 1-4 Display and Debug Stack Function

  Operation                                                  Command
  Display the stack state information on the main switch     display stacking [ members ]
  Display the stack state information on a slave switch      display stacking

On the main switch, if the parameter members is omitted, the output shows that the local switch is the main switch and gives the number of switches in the stack. With members, the output lists each member of the stack: the stack number of the main/slave switch, stack name, device name, MAC address and status.

On a slave switch, the output shows that the switch is a slave in the stack, its stack number, and the MAC address of the main switch.

1.4 Stack Function Configuration Example

I. Networking requirements

Switch A, Switch B, and Switch C are stacked together through the stack ports. Switch A is the main switch. Switch B and Switch C are slave switches. The network administrator manages Switch B and Switch C through Switch A.

II. Networking diagram

Figure 1-1 Stack configuration example (diagram not reproduced: Switch A connects to the Internet, with Switch B and Switch C stacked below Switch A)

III. Configuration procedure

# Configure IP address pool for the stack on Switch A.

[Quidway] stacking ip-pool 129.10.1.1 5

# Enable a stack on Switch A.

[Quidway] stacking enable

# Display stack information on the main switch, Switch A.

<stack_0.Quidway> display stacking

Main device for stack.

Total members:3

# Display stack member information on the main switch, Switch A.

<stack_0.Quidway> display stacking members

Member number: 0

Name:stack_0.Quidway

Device: Switch A

MAC Address:00e0-fc07-0bc0

Member status:Cmdr

Member number: 1

Name:stack_1.Quidway

Device: Switch B

MAC Address:00e0-fc07-58a0

Member status:Up

Member number: 2

Name:stack_2.Quidway

Device: Switch C

MAC Address:00e0-fc07-58a1

Member status:Up

# Switch to the slave switch, Switch B, to perform the configuration.

<stack_0.Quidway> stacking 1

<stack_1.Quidway>

# Display stack information on the slave switch, Switch B.

<stack_1.Quidway> display stacking

Slave device for stack.

Member number: 1

Main switch mac address:00e0-fc07-0bc0

# Switch back to the main switch, Switch A to perform the configuration.

<stack_1.Quidway> quit

<stack_0.Quidway>

# Switch to the slave switch, Switch C, to perform the configuration.

<stack_0.Quidway> stacking 2

<stack_2.Quidway>

# Switch back to the main switch, Switch A to perform the configuration.

<stack_2.Quidway> quit

<stack_0.Quidway>

Chapter 2 HGMP V2 Configuration

2.1 HGMP V2 Overview

2.1.1 Overview

With the HGMP V2 function, the network administrator manages multiple switches through one managing switch that has a public IP address. The managing switch is called the administrator device and the managed switches are called member devices. Generally, member devices are not assigned public IP addresses; they are managed and maintained through command redirection by the administrator device. An administrator device and several member devices make up a cluster. The figure below illustrates a typical cluster.

Figure 2-1 A cluster (diagram not reproduced; its labels are: administrator device, three member devices, a candidate device, a network management device, the cluster, the network, and the addresses 69.110.1.1 and 69.110.1.100)

2.1.2 Role of Switch

The switches in a cluster have different status and functions, and so play different roles. You can configure the role of a specified switch, and switches can also change roles according to defined rules.

The roles in a cluster are administrator device, member device and candidate device.

Administrator device: configured with a public network IP address and providing the management interface for all switches in the cluster. It manages the member devices through command redirection: it receives and processes management commands from the network and, if a command is destined for a member device, forwards it to that member. The administrator device also discovers adjacency information, collects the topology of the whole network, manages the cluster, maintains the cluster status and supports different agents.

Member device: a member of a cluster that has no public IP address assigned and is managed through the administrator device's command redirection. A member device discovers adjacency information, is managed by the administrator device, executes the commands delivered by the proxy, and reports failures and logs.

Candidate device: not yet a member of any cluster, but member-capable, that is, able to become a member device of a cluster.

The following figure illustrates the rules of role switchover.

Figure 2-2 Rules of changing roles (diagram not reproduced). Its labelled transitions are: a candidate device added to a cluster becomes a member device; a candidate device designated as administrator device becomes the administrator device; an administrator device or a member device removed from its cluster becomes a candidate device again. The source diagram also labels the administrator device as the "command switch" or "command device".

Every cluster must have exactly one administrator device. The designated administrator device identifies and discovers candidate devices by collecting NDP/NTDP information. You can then configure a candidate device as a member device of the cluster.

Once added to a cluster, a candidate device becomes a member device. If a member device is deleted from the cluster, it becomes a candidate device again.

Note:

To configure the cluster function, perform the following operations on the administrator device:
1) Enable system NDP and port NDP
2) Configure the NDP parameters
3) Enable system NTDP and port NTDP
4) Configure the NTDP parameters
5) Enable the cluster function
6) Configure the cluster parameters

And perform the following operations on the member devices and candidate devices:
1) Enable system NDP and port NDP
2) Enable system NTDP and port NTDP
3) Enable the cluster function

2.1.3 Functions

The advantages of HGMP V2 are as follows:

  Streamlining configuration management: you configure a public network IP address for the administrator device only and manage multiple switches through it. There is no need to log in to each member device and configure it through its Console port.
  Providing topology discovery and display, which is useful for viewing and debugging the network.
  Saving IP addresses.
  Performing software upgrades and parameter configuration on multiple switches simultaneously.
  Independence of network topology and distance.

HGMP V2 management provides the following functions:

  Network topology discovery
  Network topology collection
  Member identification
  Membership management

These functions are described in detail as follows:

Network topology discovery is implemented by NDP (Neighbor Discovery Protocol). NDP discovers the directly connected neighbors and learns their device type, software/hardware version and connecting port, and it provides information such as device ID, port address, device capability and hardware platform.

Network topology collection is implemented by NTDP. It collects information about device connections and about candidate devices, and it allows the number of hops for topology discovery to be set.

Member identification locates every member device in the cluster, so that the administrator device can identify each one and deliver configuration and management commands to it.

Membership management covers adding or removing a member, the member device's authentication of the administrator device, the handshaking interval, and so on.

The following sections describe the detailed configuration of cluster management functions.

2.2 Configure NDP

2.2.1 NDP Overview

NDP is the protocol for discovering information about adjacent nodes. NDP runs at the data link layer, so it works with different network layer protocols.

NDP discovers the directly connected neighbors and learns their device type, software/hardware version and connecting port. It also provides information such as device ID, port address, device capability and hardware platform.

All devices supporting NDP maintain an NDP information table. NDP removes a table entry automatically when its aging timer expires. You can also clear the current NDP information to collect fresh neighbor information.

A device running NDP periodically sends NDP packets out of every active port, so any device attached to an active port, managed or not, receives the information listed above. Each packet carries a holdtime that tells the receiving device how long to keep the data. The receiver keeps the information in the NDP packet but does not forward it, and updates the corresponding entry in its NDP table; if the new information is identical to the old, only the holdtime is refreshed.

NDP configuration includes:

  Enable/Disable system NDP
  Enable/Disable port NDP
  Set NDP holdtime
  Set NDP timer

Note:

On an administrator device, you need to enable system NDP and port NDP and also configure the NDP parameters. On a member device, you only have to enable system NDP and port NDP on the relevant ports; as the protocol runs, the member device adopts the parameters of the administrator device.

2.2.2 Enable/Disable System NDP

To collect NDP information about adjacent devices on any port, NDP must be enabled globally. With system NDP enabled, NDP information is collected periodically and can be queried by the user. After system NDP is disabled, all NDP information on the switch is cleared and the switch no longer processes NDP packets.

Perform the following configuration in system view.

Table 2-1 Enable/Disable system NDP

  Operation             Command
  Enable system NDP     ndp enable [ interface port-list ]
  Disable system NDP    undo ndp enable [ interface port-list ]

By default, System NDP is enabled.

2.2.3 Enable/Disable Port NDP

You can enable or disable port NDP to decide on which ports adjacent node information is collected. After both system NDP and port NDP have been enabled, the NDP information of adjacent nodes is collected on the port regularly. If port NDP is disabled, NDP information is neither collected nor transmitted on that port.

Perform the following configuration in Ethernet port view.

Table 2-2 Enable/Disable NDP on a Port

  Operation           Command
  Enable port NDP     ndp enable
  Disable port NDP    undo ndp enable

By default, port NDP is enabled.

2.2.4 Set NDP Holdtime

The NDP holdtime specifies how long the adjacent node can keep the local node information. The adjacent device knows the holdtime from the received NDP packet and will discard the packet when it expires.

Perform the following configuration in System view.

Table 2-3 Set NDP Holdtime

  Operation                          Command
  Set NDP holdtime                   ndp timer aging aging-in-secs
  Restore the default NDP holdtime   undo ndp timer aging

Note that NDP holdtime is supposed to be longer than the NDP timer (described in the following section). Otherwise, NDP information table will be unstable.

By default, the NDP holdtime is 180 seconds.

2.2.5 Set NDP Timer

The NDP information of adjacent nodes must be refreshed frequently so that the local information stays up to date. Use the following command to set how often NDP packets are sent.

Perform the following configuration in System view.

Table 2-4 Set NDP timer

  Operation                       Command
  Set NDP timer                   ndp timer hello seconds
  Restore the default NDP timer   undo ndp timer hello

Note that NDP timer is supposed to be shorter than the NDP holdtime (described in the previous section). Otherwise, NDP information table will be unstable.

By default, NDP packets are sent every 60 seconds.

2.2.6 Display and Debug NDP

After the above configuration, execute display command in any view to display the running of the NDP configuration, and to verify the effect of the configuration. Execute reset command in user view to clear the statistics of NDP module. Execute debugging command in user view to debug the NDP module.

Table 2-5 Display and Debug NDP

  Operation                                                                        Command
  Display global NDP configuration information (including NDP timer and holdtime)  display ndp
  Display the information about the ports enabled with NDP                         display ndp interface port-list
  Clear NDP counters                                                               reset ndp statistics
  Enable/Disable NDP debugging                                                     [ undo ] debugging ndp packet [ interface port-list ]

2.3 Configure NTDP

2.3.1 NTDP Overview

Neighbor Topology Discovery Protocol (NTDP) collects network topology information. It provides information about the devices available to join the cluster and collects information about the switches within a specified number of hops for cluster management.

Using the neighbor table provided by NDP, NTDP transmits and forwards NTDP topology collection requests to gather the NDP information and neighbor connection information of every device in the target network. Once the information is collected, the administrator device or the network administrator can act on it.

When NDP on a member device detects a neighbor change, it advertises the change to the administrator device in a handshake message. The administrator device can then run NTDP to collect the affected part of the topology and show the network topology change in time.

NTDP configuration includes:

  Enable/Disable global NTDP
  Enable/Disable NTDP on a port
  Set hop number for topology collection
  Set delay for collected device to forward topology collection request
  Set delay for collected port to forward topology collection request
  Set topology collection interval
  Start topology information collection

Note:

On an administrator device, you need to enable system NTDP and port NTDP and also configure the NTDP parameters. On a member device, you only have to enable system NTDP and port NTDP on the relevant ports; as the protocol runs, the member device adopts the parameters of the administrator device.

2.3.2 Enable/Disable System NTDP

Before a device can process NTDP packets, system NTDP must be enabled. After system NTDP is disabled, all NTDP information on the switch is cleared, the switch discards all NTDP packets and stops transmitting NTDP requests.

Perform the following configuration in system view.

Table 2-6 Enable/Disable System NTDP

  Operation              Command
  Enable system NTDP     ntdp enable
  Disable system NTDP    undo ntdp enable

By default, the System NTDP is enabled.

2.3.3 Enable/Disable Port NTDP

Use the following commands to enable or disable port NTDP and so decide on which ports NTDP packets are transmitted, received and forwarded. After both system NTDP and port NTDP have been enabled, NTDP packets can be transmitted, received and forwarded via the port. After NTDP is disabled on a port, the port no longer processes NTDP packets.

Perform the following configuration in Ethernet port view.

Table 2-7 Enable/Disable port NTDP

  Operation            Command
  Enable port NTDP     ntdp enable
  Disable port NTDP    undo ntdp enable

Note that in some cases only the topology connected to the downlink ports is of interest, not the topology behind the uplink. In that case NTDP should be disabled on the uplink ports.

By default, port NTDP is enabled on the ports that support NDP. Enabling NTDP on a port that does not support NDP has no effect, since NTDP cannot run there.
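As an added example (the editor's, not the manual's or Huawei's), the following Python script audits the NDP/NTDP portion of a configuration against two points made in sections 2.2.4, 2.2.5 and 2.3.3: the NDP holdtime must exceed the NDP hello timer, and NDP and NTDP should be disabled on ports that face equipment you do not manage, since NDP advertises device type and software version out of every active port and NTDP forwards topology collection requests. The configuration text, port names and list of untrusted ports are constructed for the example; the defaults (everything enabled unless an undo ... enable line appears, hello 60 s, holdtime 180 s) are the ones the manual states, and only the interface-view form of the undo commands is parsed.

```python
"""Audit of the NDP/NTDP part of a Quidway-style running configuration.

Editor's added example; not code from the S3500 manual or from Huawei.
Checks: `ndp timer aging` must exceed `ndp timer hello` (sections 2.2.4/2.2.5),
and NDP/NTDP should be off on ports facing equipment you do not manage, because
NDP advertises device type and software version out of every active port and
NTDP forwards topology requests (sections 2.2.1, 2.3.3).
Assumptions: system and port NDP/NTDP are enabled unless an `undo ... enable`
line appears (the manual's defaults); per-port state is read only from
`interface` blocks, not from the `undo ndp enable interface <list>` form; the
configuration text and port names below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

DEFAULT_NDP_HELLO = 60    # seconds (section 2.2.5)
DEFAULT_NDP_AGING = 180   # seconds (section 2.2.4)

INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")
NDP_TIMER_RE = re.compile(r"^ndp timer (hello|aging) (\d+)$")


@dataclass
class HgmpConfig:
    ndp_hello: int = DEFAULT_NDP_HELLO
    ndp_aging: int = DEFAULT_NDP_AGING
    system_ndp: bool = True
    system_ntdp: bool = True
    ndp_off_ports: set = field(default_factory=set)
    ntdp_off_ports: set = field(default_factory=set)


def parse_config(text: str) -> HgmpConfig:
    """Walk the configuration; a `#` line separates blocks, as in the switch's own output."""
    cfg = HgmpConfig()
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            port = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            port = m.group(1)
            continue
        if port is not None:                    # inside an Ethernet port view
            if line == "undo ndp enable":
                cfg.ndp_off_ports.add(port)
            elif line == "undo ntdp enable":
                cfg.ntdp_off_ports.add(port)
            continue
        m = NDP_TIMER_RE.match(line)            # system view
        if m:
            setattr(cfg, f"ndp_{m.group(1)}", int(m.group(2)))
        elif line == "undo ndp enable":
            cfg.system_ndp = False
        elif line == "undo ntdp enable":
            cfg.system_ntdp = False
    return cfg


def audit(cfg: HgmpConfig, untrusted_ports) -> list:
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    if cfg.ndp_aging <= cfg.ndp_hello:
        findings.append(
            f"ndp timer aging ({cfg.ndp_aging}s) must exceed ndp timer hello "
            f"({cfg.ndp_hello}s), otherwise the NDP table is unstable"
        )
    for p in sorted(untrusted_ports):
        if cfg.system_ndp and p not in cfg.ndp_off_ports:
            findings.append(f"{p}: NDP enabled on untrusted port; add 'undo ndp enable'")
        if cfg.system_ntdp and p not in cfg.ntdp_off_ports:
            findings.append(f"{p}: NTDP enabled on untrusted port; add 'undo ntdp enable'")
    return findings


# Constructed configuration: hello/aging inverted, and the ISP-facing uplink
# still running NDP. Port names are illustrative only.
WEAK_CONFIG = """\
#
 ndp timer hello 60
 ndp timer aging 30
#
interface Ethernet0/1
 description uplink-to-ISP
 undo ntdp enable
#
interface Ethernet0/2
 undo ndp enable
 undo ntdp enable
#
interface Ethernet0/3
#
"""

# The same configuration with both problems corrected.
FIXED_CONFIG = WEAK_CONFIG.replace("ndp timer aging 30", "ndp timer aging 180").replace(
    " description uplink-to-ISP\n", " description uplink-to-ISP\n undo ndp enable\n"
)

UNTRUSTED = {"Ethernet0/1", "Ethernet0/2"}   # operator's input; the switch does not know this

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(parse_config(text), UNTRUSTED) or ["ok"])
```

The weak configuration produces two findings (the inverted timers and NDP still running on Ethernet0/1); the corrected one produces none. The untrusted-port list has to come from the operator, because nothing in NDP or NTDP distinguishes a port that faces your own switches from one that faces somebody else's.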

2.3.4 Set Hop Number for Topology Collection

You can limit the number of hops for topology collection so that only the topology information of devices within the specified hop count is collected and unbounded collection is avoided. The hop limit is counted from the switch that originates the collection. For example, with a hop limit of 2, only switches within 2 hops of the switch that first transmitted the topology collection request are collected.

Perform the following configuration in system view.

Table 2-8 Set hop number for topology collection.

  Operation                                                 Command
  Set hop number for topology collection                    ntdp hop hop-value
  Restore the default hop number for topology collection    undo ntdp hop

Note that this setting takes effect only on the switch that first transmits the topology collection request. A broader collection scope requires more memory on the collecting device. In the cluster function, collection is normally launched by the administrator device.

By default, the topology information of the switches 3 hops away from the collecting switch is collected.

2.3.5 Set hop-delay and port-delay for Collected Device to Forward Topology Collection Request.

When topology collection requests are disseminated over the network, many devices may receive them at the same time and respond at once, which can congest the network and overload the topology collector. To avoid this, each device waits for a hop delay after receiving a topology request before forwarding it out of its first port, then waits for a port delay before forwarding it out of the next port, and so on.

You can use the following commands to configure the hop delay and port delay to forward topology collection request on the current device.

Perform the following configuration in system view.

Table 2-9 Set delay for collected device to forward topology collection request

  Operation                                                                       Command
  Set delay for collected device to forward topology collection request           ntdp timer hop-delay time
  Restore the default delay for collected device to forward topology collection request   undo ntdp timer hop-delay
  Set delay for collected port to forward topology collection request             ntdp timer port-delay time
  Restore the default delay for collected port to forward topology collection request     undo ntdp timer port-delay

By default, a collected device forwards the topology collection request after a delay of 200 ms, and a collected port forwards it after a delay of 20 ms.

2.3.6 Set Topology Collection Interval

In order to learn the global topology changes in time, it is necessary to periodically collect the topology information throughout the whole scope specified.

Perform the following configuration in system view.

Table 2-10 Set topology collection interval

  Operation                                          Command
  Set topology collection interval                   ntdp timer interval-in-mins
  Restore the default topology collection interval   undo ntdp timer

By default, the value of topology collection is 0, that is, the regular topology collection will not be performed.

2.3.7 Start Topology Information Collection Manually

After the topology collection interval is specified, NTDP collects topology information throughout the network automatically and periodically. NTDP also provides a command for collecting the network topology manually.

Whenever you want to manually collect the network topology information for the purpose of device management and monitoring, simply use the following command to start the process.

Perform the following configuration in user view.

Table 2-11 Start topology information collection

Operation | Command
Start topology information collection | ntdp explore


2.3.8 Display and Debug NTDP

After the above configuration, execute the display command in any view to display the running NTDP configuration and verify the effect of the configuration.

Table 2-12 Display and Debug NTDP

Operation | Command
Display global NTDP information | display ntdp
Display the device information collected by NTDP | display ntdp device-list [ verbose ]

When display ntdp device-list is executed without the verbose parameter, it lists the devices collected by NTDP; with verbose, it displays detailed information about those devices.

2.4 Configure Cluster

2.4.1 Cluster Overview

This section describes the configuration of cluster management, including how to enable and set up a cluster, how to configure a public network IP address for the administrator device, how to add and delete cluster members, and how to configure the handshaking interval.

Every cluster must have exactly one administrator device, and you designate it first when creating a cluster. The administrator device is the entrance to and exit from the cluster: a user on the external network accesses, configures, manages and monitors the cluster members through it. The administrator device recognizes and controls all the local members, no matter where they are located on the network or how they are connected. It also collects topology information about all members and candidates, which helps the user when building the cluster, and it learns the network topology through NDP/NTDP information collection in order to manage and monitor the devices.

Before performing other configuration tasks, the cluster function is supposed to be enabled first.

Cluster configuration includes:

Enable/disable the cluster function
Enter cluster view
Configure the cluster IP address pool
Name the administrator device and the cluster
Add/delete a cluster member device
Set up a cluster automatically
Member accessing
Set the cluster holdtime
Set the cluster timer to specify the handshaking message interval
Configure FTP/TFTP servers and logging/SNMP hosts for the cluster

Note:

You need to enable the cluster function and configure the cluster parameters on the administrator device. On member devices and candidate devices, you only have to enable the cluster function.

2.4.2 Enable/Disable Cluster Function

Enable the cluster function before using it.

Perform the following configuration in system view.

Table 2-13 Enable/Disable cluster function

Operation | Command
Enable the cluster function | cluster enable
Disable the cluster function | undo cluster enable

The above commands can be used on any device that supports the cluster function. When you use undo cluster enable on an administrator device, the system deletes the cluster and disables the cluster function on it. When you use it on a member device, the system removes the device from the cluster and disables the cluster function on it.

By default, the cluster function is enabled. Because it is enabled by default, a switch that is not meant to be managed as a cluster member remains a candidate that an administrator device can add; disable the function with undo cluster enable on such switches.

2.4.3 Enter cluster view

You must enter cluster view before configuring the cluster function.

Perform the following configuration in system view.

Table 2-14 Enter cluster view

Operation | Command
Enter cluster view | cluster


2.4.4 Configure Cluster IP Address Pool

Before setting up a cluster, you are supposed to configure a private IP address pool. When a candidate device is added, the administrator device dynamically assigns it a private IP address from the pool, which is used for communication inside the cluster. In this way, you can use the administrator device to manage and maintain the member devices.

Perform the following configuration in cluster view.

Table 2-15 Configure cluster IP address pool

Operation | Command
Configure the cluster IP address pool | ip-pool administrator-ip-address { ip-mask | ip-mask-length }
Restore the default IP address pool of the cluster | undo ip-pool

Before setting up a cluster, configure a private IP address pool for the member devices of the cluster.

Note that the above configuration can only be performed on the administrator device and must be done before the cluster is built. The IP address pool of an existing cluster cannot be modified.

2.4.5 Name Administrator device and Cluster

Every cluster has a name.

Perform the following configuration in cluster view.

Table 2-16 Name the administrator device and cluster.

Operation | Command
Name the administrator device and the cluster | build name
Remove all member devices from the cluster and turn the administrator device back into a candidate device | undo build

This command can only be used on an administrator device. Executing it again on the administrator device with a different cluster name renames the cluster.

By default, the switch is not an administrator device and no cluster name has been specified.


2.4.6 Add/Delete a Cluster Member device

You can use the following command to add a member device or delete a member device.

Perform the following configuration in cluster view.

Table 2-17 Add/Delete a cluster member device

Operation | Command
Add a cluster member device | add-member [ member-num ] mac-address H-H-H [ password password ]
Delete a cluster member device | delete-member member-num

Note that adding or deleting a member device must be performed on the administrator device; otherwise an error prompt is given.

You do not need to assign a number to a newly added member device: the administrator device assigns an available number automatically.

When a switch is added to the cluster, the administrator device automatically sets its own password as the switch's password. Every member therefore shares the administrator's password, and it is this password that member accessing (section 2.4.12) checks, so choose and protect it accordingly.

2.4.7 Set up a Cluster Automatically.

The system provides a cluster auto-setup function. On an administrator-capable device, you can follow the prompts of the following command to set up a cluster step by step.

After auto-build is executed, the system asks you to enter a cluster name and then lists the candidate devices discovered within the specified number of hops. You can confirm the operation and add all the listed candidates to the new cluster.

During automatic setup, you can press <CTRL + C> to cancel the operation. The system then stops adding switches to the cluster and exits the automatic setup process; the switches already added to the cluster are not removed.

Perform the following configuration in cluster view.

Table 2-18 Automatic cluster setup

Operation | Command
Set up a cluster automatically | auto-build [ recover ]

Note that you can only execute the above command on an administrator-capable device.


2.4.8 Set Cluster Holdtime

After a cluster is set up, a communication fault may occur because of a network problem or a switch reset. If the fault is not cleared before the holdtime configured on the switch expires, the member state goes down; when communication is restored, the member has to join the cluster again (this is done automatically). If the fault is cleared before the holdtime expires, the member stays in the normal state and does not need to rejoin.

Perform the following configuration in cluster view.

Table 2-19 Set cluster holdtime

Operation | Command
Set the cluster holdtime | holdtime seconds
Restore the default cluster holdtime | undo holdtime

Note that the above command can only be executed on the administrator device, which advertises the holdtime value to the member devices.

By default, the cluster holdtime is 60 seconds.

2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval

The member devices and the administrator device exchange handshake messages to communicate with each other in real time. The administrator device monitors the member states and the link states inside the cluster by handshaking with the members periodically.

After joining the cluster, a member device starts handshaking with the administrator device regularly. An administrator device and a member device consider their communication normal as long as they keep receiving handshake messages from each other.

A member or administrator device considers the communication with the other side failed if it has not received handshake messages for three consecutive intervals.

In addition, the member devices send handshake messages to report the topology changes to the administrator device for processing.

You can use the following command to set the handshake message interval on an administrator device.

Perform the following configuration in cluster view.


Table 2-20 Set cluster timer to specify the handshaking message interval

Operation | Command
Set the cluster timer to specify the handshaking message interval | timer interval
Restore the default handshaking message interval | undo timer

Note that the above command can only be executed on the administrator device, which will advertise the cluster timer value to the member devices.

By default, handshaking message is transmitted every 10 seconds.

2.4.10 Configure Remote Control over the Member device

Communication between the administrator device and a member device may be interrupted by a configuration error. If the member device can no longer be controlled in the regular way, you can use the remote control function of the administrator device to control it remotely, for example to delete its booting configuration file and reset it.

Normally, cluster packets can only be forwarded in VLAN 1. If, for example, the member port connected to the administrator device has been configured into VLAN 2 by mistake, the member device and the administrator device cannot communicate. You can configure VLAN check on the administrator device to solve this problem: once it is configured, the cluster packets carry the configuration information, and a member device automatically adds the port on which it receives such packets to VLAN 1 if the port does not already belong to it. Normal communication between the administrator device and the member device is thus restored.

You can use the following command to perform the configuration.

Perform the following configuration in cluster view.

Table 2-21 Configure remote control over the member device

Operation | Command
Reset a member device | reboot member { member-num | mac-address H-H-H } [ eraseflash ]
Perform VLAN check for communication inside the cluster | port-tagged vlan vlanid
Do not perform VLAN check for communication inside the cluster | undo port-tagged

Note that the above command can only be executed on the administrator device.


When using the reboot member command, the eraseflash parameter decides whether the member's configuration file is deleted. Because this wipes a member's saved configuration from the administrator device, access to the administrator device should be limited to the people who administer the cluster.

2.4.11 Configure the Cluster Server and Network Management and Log Hosts

After a cluster is set up, you can configure the servers and the network management and log hosts for the entire cluster on the administrator device.

A member device accesses the configured servers through the administrator device.

All log information from the cluster members ends up at the configured log host: a member sends its log information to the administrator device, which translates the addresses and forwards the log packets to the cluster log host. Similarly, all trap packets are output to the cluster NM host.

You can use the following commands to configure the cluster server and network management and log hosts.

Perform the following configuration in cluster view.

Table 2-22 Configure FTP/TFTP servers and logging/SNMP hosts for a cluster

Operation | Command
Configure the FTP server for the whole cluster | ftp-server ip-address
Remove the FTP server from the cluster | undo ftp-server
Configure the TFTP server for the whole cluster | tftp-server ip-address
Remove the TFTP server from the cluster | undo tftp-server
Configure the logging host for the whole cluster | logging-host ip-address
Remove the logging host from the cluster | undo logging-host
Configure the SNMP host for the whole cluster | snmp-host ip-address
Remove the SNMP host from the cluster | undo snmp-host

Note that the above command can only be executed on the administrator device.

2.4.12 Member Accessing

A member device in a cluster can be managed through the administrator device: to configure a specified member device, enter the view of that member device on the administrator device and exit the view when the configuration is done.

Authorization is required to configure a member switch from the administrator device; the configuration is allowed only after the member device authorization passes. If the user password of the member device differs from that of the administrator device, you cannot configure the member device. The user level is inherited from the administrator device when you configure a member device from it; for example, the system stays in user view on the member device when you switch over from user view on the administrator device.

Authorization is also required when you exit the member device view on the administrator device. After passing the authorization, the system enters user view automatically.

Perform the following configuration in user view.

Table 2-23 Member accessing

Operation | Command
Member accessing | cluster switch-to { member-num | mac-address H-H-H | administrator }

Note that when the command is executed on the administrator device without the member-num parameter specifying the member number, an error message is displayed. Enter quit to end the switchover.

2.4.13 Display and Debug Cluster

After the above configuration, execute the display command in any view to display the running cluster configuration and verify the effect of the configuration.

Table 2-24 Display and Debug Cluster

Operation | Command
Display cluster state and statistics | display cluster
Display information about candidate devices | display cluster candidates [ mac-address H-H-H | verbose ]
Display information about member devices | display cluster members [ member-num | verbose ]

2.5 HGMP V2 Configuration Example

I. Network requirements

Set up a cluster of three switches and configure one administrator device to manage the other two members. The administrator device is connected to the members through Ethernet0/1 and Ethernet0/2 respectively, and to the external network through Ethernet1/1, which carries VLAN 2 with IP address 163.172.55.1. The entire cluster uses the same FTP server and TFTP server at 63.172.55.1 and the same NM station and log host at 69.172.55.4.


II. Networking diagram

Figure 2-3 HGMP networking: the administrator device connects through Ethernet0/1 and Ethernet0/2 to the two member devices (MAC addresses 00e0.fc01.0011 and 00e0.fc01.0012), each of which connects through its own Ethernet1/1. The administrator device's Ethernet1/1 (VLAN interface 2, IP address 163.172.55.1) leads to the network holding the FTP/TFTP server (63.172.55.1) and the SNMP/logging host (69.172.55.4).

III. Configuration procedure

1) Configure the administrator device

# Enable NDP globally and on ports Ethernet0/1 and Ethernet0/2.

[Quidway] ndp enable

[Quidway] interface ethernet 0/1

[Quidway-Ethernet0/1] ndp enable

[Quidway-Ethernet0/1] interface ethernet 0/2

[Quidway-Ethernet0/2] ndp enable

# Set to hold NDP information for 200 seconds.

[Quidway] ndp timer aging 200

# Send NDP packets every 70 seconds.

[Quidway] ndp timer hello 70

# Enable NTDP on the device and the port Ethernet0/1 and Ethernet0/2.

[Quidway] ntdp enable

[Quidway] interface ethernet 0/1

[Quidway-Ethernet0/1] ntdp enable

[Quidway-Ethernet0/1] interface ethernet 0/2


[Quidway-Ethernet0/2] ntdp enable

# Configure to collect topology information within 2 hops.

[Quidway] ntdp hop 2

# Configure that the collected device delays for 150 milliseconds before forwarding a topology collection request.

[Quidway] ntdp timer hop-delay 150

# Configure that the port on the collected device delays for 15 milliseconds before forwarding a topology collection request.

[Quidway] ntdp timer port-delay 15

# Configure to collect topology information every 3 minutes.

[Quidway] ntdp timer 3

# Run cluster function.

[Quidway] cluster enable

# Configure the internal IP address pool for the cluster, containing 8 addresses starting from 172.16.0.1.

[Quidway] cluster

[Quidway-cluster] ip-pool 172.16.0.1 255.255.255.248

# Set up a cluster and give name to it.

[Quidway-cluster] build huawei

[huawei_0.Quidway-cluster]

# Add the two connected switches into the cluster.

[huawei_0.Quidway-cluster] add-member 1 mac-address 00e0-fc01-0011

[huawei_0.Quidway-cluster] add-member 17 mac-address 00e0-fc01-0012

# Set the cluster holdtime to 100 seconds.

[huawei_0.Quidway-cluster] holdtime 100

# Send handshake messages every 10 seconds.

[huawei_0.Quidway-cluster] timer 10

# Configure the FTP server, TFTP server, logging host, and SNMP host for the cluster.

[huawei_0.Quidway-cluster] ftp-server 63.172.55.1

[huawei_0.Quidway-cluster] tftp-server 63.172.55.1


[huawei_0.Quidway-cluster] logging-host 69.172.55.4

[huawei_0.Quidway-cluster] snmp-host 69.172.55.4

2) Configure a member device (taking one of the members as an example).

# Enable NDP on the device and the port Ethernet1/1.

[Quidway] ndp enable

[Quidway] interface ethernet 1/1

[Quidway-Ethernet1/1] ndp enable

# Enable NTDP on the device and the port Ethernet1/1.

[Quidway] ntdp enable

[Quidway] interface ethernet 1/1

[Quidway-Ethernet1/1] ntdp enable

# Run the cluster function.

[Quidway] cluster enable

Note:

After the above configuration is complete, you can use the cluster switch-to { member-num | mac-address H-H-H } command to switch to the view of a member device in order to maintain and manage it, and the cluster switch-to administrator command to return to the administrator device view. To reset a member device from the administrator device, use the reboot member { member-num | mac-address H-H-H } [ eraseflash ] command. For details about these configurations, refer to the preceding sections of this chapter.
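The following script is an added example for this configuration walkthrough; it is not part of the manual and not Huawei tooling. It reads a transcript in the prompt style used above, uses the prompt to tell system view, interface view and cluster view apart, and reports where NDP, NTDP and the cluster function are enabled, whether a cluster was built locally, and whether the ip-pool can hold the administrator plus the members. The transcripts inside it are constructed from the commands of this section (the administrator device, a variant that also enables discovery on Ethernet1/1, and the member device); treating Ethernet1/1 as the external-facing port follows the network requirements above and is the caller's assumption.

```python
"""Audit of an HGMP V2 configuration transcript (added example, not Huawei code).

Reads CLI lines in the prompt style of section 2.5, uses the prompt to tell
system view, interface view and cluster view apart, and reports where NDP,
NTDP and the cluster function are enabled.  The transcripts below are
constructed from this section; which ports count as external is the
caller's assumption (Ethernet1/1 per the network requirements).
"""
import ipaddress
import re

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*)$")

ADMIN_CONFIG = """\
[Quidway] ndp enable
[Quidway-Ethernet0/1] ndp enable
[Quidway-Ethernet0/2] ndp enable
[Quidway] ntdp enable
[Quidway-Ethernet0/1] ntdp enable
[Quidway-Ethernet0/2] ntdp enable
[Quidway] ntdp hop 2
[Quidway] cluster enable
[Quidway-cluster] ip-pool 172.16.0.1 255.255.255.248
[Quidway-cluster] build huawei
[huawei_0.Quidway-cluster] add-member 1 mac-address 00e0-fc01-0011
[huawei_0.Quidway-cluster] add-member 17 mac-address 00e0-fc01-0012
"""
# Constructed variant: discovery also enabled on the external-facing port.
EXPOSED_CONFIG = ADMIN_CONFIG + "[Quidway-Ethernet1/1] ndp enable\n[Quidway-Ethernet1/1] ntdp enable\n"
# Member device of section 2.5: cluster enabled, no cluster built locally.
MEMBER_CONFIG = """\
[Quidway] ndp enable
[Quidway-Ethernet1/1] ndp enable
[Quidway] ntdp enable
[Quidway-Ethernet1/1] ntdp enable
[Quidway] cluster enable
"""


def parse_transcript(text):
    """Collect global, per-port and cluster-view state from prompt-style lines."""
    st = {"ndp": False, "ntdp": False, "cluster": False, "cluster_name": None,
          "ntdp_hop": None, "ip_pool": None, "members": [], "ports": {}}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(2).split():
            continue
        prompt, words = m.group(1), m.group(2).split()
        undo = words[0] == "undo"
        if undo:
            words = words[1:]
        if not words:
            continue
        iface = re.search(r"-Ethernet(\S+)$", prompt)
        if iface:                                           # interface view
            port = st["ports"].setdefault(iface.group(1), {"ndp": False, "ntdp": False})
            if words[:2] in (["ndp", "enable"], ["ntdp", "enable"]):
                port[words[0]] = not undo
        elif prompt.endswith("-cluster"):                   # cluster view
            if words[0] == "ip-pool":   # ip-pool administrator-ip { mask | length }
                st["ip_pool"] = None if undo else ipaddress.ip_network(
                    f"{words[1]}/{words[2]}", strict=False)
            elif words[0] == "build":
                st["cluster_name"] = None if undo else words[1]
            elif words[0] == "add-member" and "mac-address" in words:
                st["members"].append(words[words.index("mac-address") + 1])
        elif words[:2] in (["ndp", "enable"], ["ntdp", "enable"], ["cluster", "enable"]):
            st[words[0]] = not undo                         # system view
        elif words[:2] == ["ntdp", "hop"]:
            st["ntdp_hop"] = int(words[2])
    return st


def audit(st, external_ports):
    """Return findings a reviewer would raise; an empty list means none."""
    out = []
    for p in sorted(external_ports):
        for proto in ("ndp", "ntdp"):
            if st[proto] and st["ports"].get(p, {}).get(proto):
                out.append(f"{proto.upper()} enabled on external port Ethernet{p}")
    if st["cluster"] and st["cluster_name"] is None:
        out.append("cluster enabled with no cluster built here: unless this switch "
                   "is an intended member, an administrator device can add it")
    if st["ip_pool"] is not None and len(st["members"]) + 1 > st["ip_pool"].num_addresses:
        out.append(f"ip-pool {st['ip_pool']} cannot hold the administrator "
                   f"and {len(st['members'])} members")
    return out


if __name__ == "__main__":
    for name, cfg, ext in (("administrator", ADMIN_CONFIG, {"1/1"}),
                           ("exposed", EXPOSED_CONFIG, {"1/1"}),
                           ("member", MEMBER_CONFIG, set())):
        print(name, audit(parse_transcript(cfg), ext) or ["no findings"])
```

Running it prints no findings for the administrator transcript, two for the exposed variant (NDP and NTDP on Ethernet1/1) and one for the member transcript. The tool only knows what the transcript shows, so a member that its administrator has already added is still reported as a candidate; the check exists because the cluster function is on by default and discovery on an external-facing port advertises the switch to whatever is on that segment.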


9. STP

Operation Manual - STP Quidway S3500 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 RSTP Configuration 1-1
1.1 STP Overview 1-1
1.1.1 Function of STP 1-1
1.1.2 Implement STP 1-1
1.1.3 Implement RSTP on Ethernet Switch 1-7
1.2 Configure RSTP 1-7
1.2.1 Enable/Disable RSTP on a Switch 1-8
1.2.2 Enable/Disable RSTP on a Port 1-8
1.2.3 Configure RSTP Operating Mode 1-9
1.2.4 Set Priority of a Specified Bridge 1-9
1.2.5 Specify the Switch as Primary or Secondary Root Switch 1-10
1.2.6 Set Forward Delay of a Specified Bridge 1-11
1.2.7 Set Hello Time of the Specified Bridge 1-12
1.2.8 Set Max Age of the Specified Bridge 1-12
1.2.9 Set Timeout Factor of the Bridge 1-13
1.2.10 Set the Maximum Transmission Speed of the Specified Port 1-13
1.2.11 Set Specified Port to be an EdgePort 1-14
1.2.12 Set Path Cost of the Specified Port 1-14
1.2.13 Set the Priority of a Specified Port 1-15
1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link 1-15
1.2.15 Set mCheck of the Specified Port 1-16
1.2.16 Configure the Switch Security Function 1-17
1.3 Display and Debug RSTP 1-18
1.4 RSTP Configuration Example 1-18
Chapter 2 MSTP Region-configuration 2-1
2.1 MSTP Overview 2-1
2.1.1 MSTP Concepts 2-1
2.1.2 MSTP Principles 2-4
2.2 Configure MSTP 2-10
2.2.1 Configure the MST Region for a Switch 2-11
2.2.2 Specify the Switch as Primary or Secondary Root Switch 2-12
2.2.3 Configure the MSTP Running Mode 2-14
2.2.4 Configure the Bridge Priority for a Switch 2-14
2.2.5 Configure the Max Hops in an MST Region 2-15
2.2.6 Configure the Switching Network Diameter 2-16
2.2.7 Configure the Time Parameters of a Switch 2-16
2.2.8 Configure the Max Transmission Speed on a Port 2-18


2.2.9 Configure a Port as an Edge Port 2-19
2.2.10 Configure the Path Cost of a Port 2-20
2.2.11 Configure the Priority of a Port 2-21
2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link 2-22
2.2.13 Configure the mCheck Variable of a Port 2-23
2.2.14 Configure the Switch Security Function 2-24
2.2.15 Enable MSTP on the Device 2-25
2.2.16 Enable/Disable MSTP on a Port 2-26
2.3 Display and Debug MSTP 2-26

Operation Manual - STP Quidway S3500 Series Ethernet Switches Chapter 1 RSTP Configuration

Chapter 1 RSTP Configuration

1.1 STP Overview

1.1.1 Function of STP

Spanning Tree Protocol (STP) is applied in a network with loops to block some redundant paths according to a defined algorithm and prune the network into a loop-free tree, thereby preventing packets from proliferating and circulating endlessly in the loops.

1.1.2 Implement STP

The fundamental mechanism of STP is that the switches exchange a special kind of protocol packet (called a configuration Bridge Protocol Data Unit, or BPDU, in IEEE 802.1D) to decide the topology of the network. The configuration BPDU contains enough information for the switches to compute the spanning tree.

The configuration BPDU mainly contains the following information:

1) The root ID, consisting of the root priority and MAC address
2) The cost of the shortest path to the root
3) The designated switch ID, consisting of the designated switch priority and MAC address
4) The designated port ID, consisting of the port priority and port number
5) The age of the configuration BPDU: MessageAge
6) The maximum age of the configuration BPDU: MaxAge
7) The configuration BPDU interval: HelloTime
8) The forward delay of the port: ForwardDelay

What are the designated switch and designated port?


Figure 1-1 Designated switch and designated port (Switch A with ports AP1 and AP2, Switch B with BP1 and BP2, Switch C with CP1 and CP2; BP2 and CP2 attach to the LAN)

For a switch, the designated switch is the switch in charge of forwarding packets to it, and the port through which it does so is the designated port. For a LAN, the designated switch is the switch in charge of forwarding packets to that network segment, again through its designated port. As illustrated in Figure 1-1, Switch A forwards data to Switch B via the port AP1, so for Switch B the designated switch is Switch A and the designated port is AP1. Switch B and Switch C are both connected to the LAN, and Switch B forwards packets to the LAN, so the designated switch of the LAN is Switch B and the designated port is BP2.

Note:

AP1, AP2, BP1, BP2, CP1 and CP2 denote the ports of Switch A, Switch B and Switch C respectively.

The specific calculation process of STP algorithm.

The following example illustrates the calculation process of STP.

The figure1-2 below illustrates the network.


Figure 1-2 Ethernet switch networking (Switch A with priority 0, Switch B with priority 1 and Switch C with priority 2, connected through ports AP1, AP2, BP1, BP2, CP1 and CP2; the link path costs are 5, 10 and 4)

To simplify the description, only the first four fields of the configuration BPDU are used in the example: the root ID (expressed as the switch priority), the path cost to the root, the designated switch ID (expressed as the switch priority) and the designated port ID (expressed as the port name). As illustrated in the figure above, the priorities of Switches A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively.

1) Initial state

When initialized, each port of every switch generates a configuration BPDU that takes its own switch as the root with a root path cost of 0, its own switch ID as the designated switch ID and the port itself as the designated port.

Switch A:

Configuration BPDU of AP1: {0, 0, 0, AP1}

Configuration BPDU of AP2: {0, 0, 0, AP2}

Switch B:

Configuration BPDU of BP1: {1, 0, 1, BP1}

Configuration BPDU of BP2: {1, 0, 1, BP2}

Switch C:

Configuration BPDU of CP2: {2, 0, 2, CP2}

Configuration BPDU of CP1: {2, 0, 2, CP1}

2) Select the optimum configuration BPDU

Every switch transmits its configuration BPDUs to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated. The optimum configuration BPDU is then elected by comparing the configuration BPDUs of all the ports.

The comparison rules are:

The configuration BPDU with the smaller root ID has the higher priority.

If the root IDs are the same, compare the root path costs: the path cost to the root recorded in the configuration BPDU plus the path cost of the local port is taken as S, and the configuration BPDU with the smaller S has the higher priority.

If the root path costs are also the same, compare in sequence the designated switch ID, the designated port ID and the ID of the port on which the configuration BPDU was received.

In this example, we assume that the optimum BPDU can be selected by root ID comparison alone.

3) Specify the root port, block the redundant links and update the configuration BPDU of the designated ports

The port that received the optimum configuration BPDU becomes the root port, and its configuration BPDU remains unchanged. Any other port whose configuration BPDU was updated in the step Select the optimum configuration BPDU is blocked: it forwards no data, only receives but does not transmit BPDUs, and its BPDU remains unchanged. A port whose BPDU was not updated in that step becomes a designated port, and its configuration BPDU is modified as follows: the root ID is replaced with the root ID in the configuration BPDU of the root port; the path cost to the root is replaced with the root path cost from that BPDU plus the path cost of the root port; the designated switch ID is replaced with the local switch ID; and the designated port ID is replaced with the local port ID.
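As an added example (not code from the manual), the comparison rules and the three steps above can be run over the topology of Figure 1-2. The script models a configuration BPDU as the tuple (root ID, root path cost, designated switch ID, designated port ID), so Python's tuple ordering implements "smaller wins", and repeats the receive/elect cycle until no port changes its BPDU or role. It assumes the link costs are A-B = 5, A-C = 10 and B-C = 4, since the text lists the costs only as 5, 10 and 4; the per-switch walkthrough that follows performs the same comparison by hand.

```python
"""Root election of the STP example above, run as code (added example).

A configuration BPDU is the 4-tuple (root ID, root path cost, designated
switch ID, designated port ID); Python compares tuples field by field, which
is exactly the "smaller wins" rule of the text.  Assumed link costs:
A-B = 5, A-C = 10, B-C = 4 (the text lists them only as "5, 10 and 4").
"""

BRIDGES = {"A": 0, "B": 1, "C": 2}                 # switch ID = priority
PORTS = {"AP1": "A", "AP2": "A", "BP1": "B", "BP2": "B", "CP1": "C", "CP2": "C"}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def run_stp(bridges, ports, links, max_rounds=20):
    """Return {port: (role, bpdu)} once no port changes its BPDU or role."""
    cost, peer = {}, {}
    for a, b, c in links:
        cost[a] = cost[b] = c
        peer[a], peer[b] = b, a
    # Initial state: every port advertises its own switch as root at cost 0.
    stored = {p: (bridges[br], 0, bridges[br], p) for p, br in ports.items()}
    role = {p: "designated" for p in ports}

    for _ in range(max_rounds):
        before = (dict(stored), dict(role))
        # Step 2 of the text: only designated ports transmit; a port keeps the
        # better (smaller) of its stored BPDU and the one its peer sends.
        tx = {p: stored[p] for p in ports if role[p] == "designated"}
        for p in ports:
            q = peer[p]
            if q in tx and tx[q] < stored[p]:
                stored[p] = tx[q]
        # Step 3: per switch, elect the root port, then designated/blocked.
        for br, bid in bridges.items():
            mine = [p for p, b in ports.items() if b == br]
            # Candidates are received BPDUs; the local port's link cost is
            # added to the advertised root path cost before comparing (the S
            # of the comparison rules); the receiving port breaks final ties.
            cands = [((r, c + cost[p], d, dp, p), p)
                     for p in mine for (r, c, d, dp) in [stored[p]]
                     if (d, dp) != (bid, p)]
            if cands and min(cands)[0][0] < bid:
                (root, rpc, *_), root_port = min(cands)
            else:
                root, rpc, root_port = bid, 0, None   # this switch is the root
            for p in mine:
                if p == root_port:
                    role[p] = "root"                  # keeps the received BPDU
                    continue
                desig = (root, rpc, bid, p)
                own = (stored[p][2], stored[p][3]) == (bid, p)
                if own or desig < stored[p]:
                    role[p], stored[p] = "designated", desig
                else:
                    role[p] = "blocked"               # segment has a better BPDU
        if (stored, role) == before:
            break
    return {p: (role[p], stored[p]) for p in ports}


def blocked_ports(result):
    """Ports pruned from the tree, i.e. the redundant links STP removes."""
    return sorted(p for p, (r, _) in result.items() if r == "blocked")


if __name__ == "__main__":
    for p, (r, b) in sorted(run_stp(BRIDGES, PORTS, LINKS).items()):
        print(f"{p}: {r:10s} {b}")
```

With these costs Switch A is the root with both ports designated, BP1 and CP2 become root ports, BP2 is the designated port of the B-C link with BPDU {0, 5, 1, BP2}, and CP1 is blocked because the BPDU it hears from AP2 beats the {0, 9, 2, CP1} Switch C could offer; that blocked port is the loop the tree removes.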

The comparison process of each switch is as follows.

Switch A:

AP1 receives the configuration BPDU from Switch B and finds that the priority of the local configuration BPDU is higher than that of the received one, so it discards the received configuration BPDU. The configuration BPDU received on AP2 is processed in the same way. Switch A therefore finds itself to be the root and the designated switch in the configuration BPDU of every port; it regards itself as the root, retains the configuration BPDU of each port and transmits configuration BPDUs to the others regularly thereafter. By now, the configuration BPDUs of the two ports are as follows:

Configuration BPDU of AP1: {0, 0, 0, AP1}.

Configuration BPDU of AP2: {0, 0, 0, AP2}.

Switch B:

BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU.

BP2 receives the configuration BPDU from Switch C and finds that the local BPDU priority is higher than that of the received one, so it discards the received BPDU.

By now the configuration BPDUs of the ports are as follows:

Configuration BPDU of BP1: {0, 0, 0, AP1}.

Configuration BPDU of BP2: {1, 0, 1, BP2}.

Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows.

The configuration BPDU of the root port BP1 remains {0, 0, 0, AP1}. BP2 replaces the root ID with that in the optimum configuration BPDU, sets the path cost to the root to 5, the designated switch ID to the local switch ID and the designated port ID to the local port ID. Thus its configuration BPDU becomes {0, 5, 1, BP2}.

Then all the designated ports of Switch B transmit the configuration BPDUs regularly.

Switch C:

CP2 receives from BP2 of Switch B the configuration BPDU {1, 0, 1, BP2}, which Switch B has not yet updated. It has a higher priority than the local BPDU, so the BPDU of CP2 is updated to {1, 0, 1, BP2}.

CP1 receives the configuration BPDU {0, 0, 0, AP2} from Switch A, and Switch C updates it. The configuration BPDU of CP1 becomes {0, 0, 0, AP2}.

By comparison, the CP1 configuration BPDU is elected as the optimum one. CP1 is thus specified as the root port with no modification made to its configuration BPDU. CP2 is blocked and its BPDU also remains the same, and it will not receive the data (excluding STP packets) forwarded from Switch B until spanning tree calculation is triggered again by some new event, for example the link from Switch B to Switch C going down or the port receiving a better configuration BPDU.

CP2 then receives the updated configuration BPDU {0, 5, 1, BP2} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}.

Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU is not updated and remains {0, 0, 0, AP2}.

By comparison, the configuration BPDU of CP2 is elected as the optimum one and CP2 becomes the root port, whose BPDU does not change, while CP1 is blocked and retains its BPDU; it will not receive the data forwarded from Switch A until spanning tree calculation is triggered again by some change, for example the link from Switch B to Switch C going down.

Thus the spanning tree is stabilized. The tree with Switch A as the root is illustrated in Figure 1-3 below.

[Figure 1-3 (diagram not reproduced): Switch A with priority 0, Switch B with priority 1, Switch C with priority 2; ports AP1, BP1, BP2 and CP2; link costs 4 and 5]

Figure 1-3 The final stabilized spanning tree
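The election walked through above, as an added worked model (not the manual's own code and not the switch's implementation). A configuration BPDU is the 4-tuple the text uses, and the comparison applies the rules given for Switch A, B and C; link costs A-B = 5 and B-C = 4 come from the text, while the A-C link cost is not legible on the page and is assumed to be 10, which reproduces the outcome the text describes. The "updated / not updated" test is generalised slightly: a non-root port is designated when the BPDU the switch would send on it beats the best BPDU received on it, and blocked otherwise.

```python
"""Model of configuration BPDU comparison and root-port election as the
manual describes it. Added example; BPDU ageing (Max Age) is not modelled,
only the initial election."""

# Constructed topology. Switch IDs are reduced to the priority, as in the
# text; real IDs are priority plus MAC address.
SWITCH_ID = {"A": 0, "B": 1, "C": 2}
# port -> (owning switch, path cost of the attached link)
PORTS = {
    "AP1": ("A", 5),  "BP1": ("B", 5),   # A-B link, cost 5 (from the text)
    "BP2": ("B", 4),  "CP2": ("C", 4),   # B-C link, cost 4 (from the text)
    "AP2": ("A", 10), "CP1": ("C", 10),  # A-C link, cost 10 (ASSUMED)
}
PEER = {"AP1": "BP1", "BP1": "AP1", "BP2": "CP2", "CP2": "BP2",
        "AP2": "CP1", "CP1": "AP2"}


def own_bpdu(port, root=None, cost=0):
    """BPDU a switch originates on a designated port. With no root given the
    switch regards itself as the root: {own ID, 0, own ID, port}."""
    sw = SWITCH_ID[PORTS[port][0]]
    return (sw if root is None else root, cost, sw, port)


def better(a, b):
    """True if BPDU a has higher priority than BPDU b: root ID, root path
    cost, designated switch ID and designated port ID are compared in turn
    and the smaller value wins at the first difference."""
    return a < b


def port_key(bpdu, rx_port):
    """Ranking used to pick the optimum BPDU among one switch's ports: root
    ID, then S = root path cost carried in the BPDU + cost of the receiving
    port, then designated switch ID, designated port ID, receiving port ID."""
    root, cost, dsw, dport = bpdu
    return (root, cost + PORTS[rx_port][1], dsw, dport, rx_port)


def run_election(max_rounds=20):
    """Exchange BPDUs round by round until nothing changes.
    Returns {port: (role, held BPDU)}, role in {"root", "designated", "blocked"}."""
    held = {p: own_bpdu(p) for p in PORTS}   # BPDU each port currently holds
    received = {p: None for p in PORTS}      # best BPDU heard from the peer
    role = {p: "designated" for p in PORTS}  # every switch starts as root

    for _ in range(max_rounds):
        # Designated ports transmit; the receiver keeps a BPDU only if it
        # beats what it holds, otherwise the received BPDU is discarded.
        for tx, rx in PEER.items():
            if role[tx] == "designated" and better(held[tx], held[rx]):
                held[rx] = received[rx] = held[tx]

        changed = False
        for sw, sw_id in SWITCH_ID.items():
            ports = [p for p, (owner, _) in PORTS.items() if owner == sw]
            # Select the optimum configuration BPDU across the switch's ports.
            best = min(ports, key=lambda p: port_key(held[p], p))
            root_id, cost_in_bpdu, _, _ = held[best]
            if root_id == sw_id:
                root_port, rpc = None, 0             # this switch is the root
            else:
                root_port = best                     # port holding the optimum BPDU
                rpc = cost_in_bpdu + PORTS[best][1]  # root path cost via it
            for p in ports:
                if p == root_port:
                    new = ("root", held[p])          # root port keeps its BPDU
                else:
                    # Designated port: root ID, path cost, designated switch
                    # and designated port are rewritten with local values.
                    mine = own_bpdu(p, root_id, rpc)
                    if received[p] is None or better(mine, received[p]):
                        new = ("designated", mine)
                    else:
                        # The peer's BPDU beats ours: the port is blocked,
                        # only listens, and keeps the BPDU it received.
                        new = ("blocked", received[p])
                if new != (role[p], held[p]):
                    changed = True
                role[p], held[p] = new
        if not changed:
            break
    return {p: (role[p], held[p]) for p in PORTS}


if __name__ == "__main__":
    for port, (r, bpdu) in run_election().items():
        print(f"{port}: {r:10s} {{{', '.join(map(str, bpdu))}}}")
```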

To simplify the description, the example has been reduced. For example, in actual calculation the root ID and the designated switch ID comprise both the switch priority and the switch MAC address, and the designated port ID comprises the port priority and the port MAC address. When a configuration BPDU is updated, fields other than the first four items are also modified according to certain rules. The basic calculation process is described below:

Configuration BPDU forwarding mechanism in STP:

When the network is initialized, all the switches regard themselves as roots. The designated ports send the configuration BPDUs of their local ports at a regular interval of HelloTime. If a root port receives the configuration BPDU, the switch starts a timer for that configuration BPDU and increases the MessageAge carried in it by certain rules. If a path fails, the root port on this path no longer receives configuration BPDUs and the old configuration BPDUs are discarded when they time out. Recalculation of the spanning tree is then initiated to generate a new path replacing the failed one and restore network connectivity.

However, the new configuration BPDU as now recalculated will not be propagated throughout the network right away, so the old root ports and designated ports that have not detected the topology change will still forward the data through the old path. If the new root port and designated port begin to forward data immediately after they are elected, an occasional loop may still occur. In RSTP, a transitional state mechanism is thus adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state.

1.1.3 Implement RSTP on Ethernet Switch

The Ethernet Switch implements the Rapid Spanning Tree Protocol (RSTP), i.e., the enhancement of STP. The Forward Delay for the root ports and designated ports to enter forwarding state is greatly reduced in certain conditions, thereby shortening the time period for stabilizing the network topology.

To achieve the rapid transition of the root port state, the following requirement should be met: The old root port on this switch has stopped data forwarding and the designated port in the upstream has begun forwarding data.

The conditions for rapid state transition of the designated port are:

The port is an Edge port, that is, it does not connect to any switch directly or indirectly. If the designated port is an edge port, it can enter the forwarding state directly.

The port is connected to a point-to-point link, that is, it is the master port of an aggregation group or a full-duplex port. A point-to-point connection can also be configured manually; however, errors may occur, so this is not recommended. If the designated port is connected to a point-to-point link, it can enter the forwarding state right after handshaking with the downstream switch and receiving the response.

The switch that uses RSTP is compatible with the one using STP. Both protocol packets can be identified by the switch running RSTP and used in spanning tree calculation.

Note:

RSTP is a single spanning tree protocol: a switching network has only one spanning tree. To guarantee normal communication inside a VLAN, the devices of a VLAN must have paths to one another on the spanning tree; otherwise communication inside the VLAN is affected when some links inside the VLAN are blocked. For a VLAN that cannot be arranged along the spanning tree paths because of special requirements, you have to disable RSTP on the switch ports corresponding to the VLAN.

1.2 Configure RSTP

RSTP configuration includes:

- Enable/Disable RSTP on the switch
- Enable/Disable RSTP on the port
- Configure RSTP operating mode
- Set priority of a specified bridge
- Set Forward Delay of a specified bridge
- Set Hello Time of the specified bridge
- Set Max Age of the specified bridge
- Set the maximum transmission speed of the specified port
- Set specified port as the EdgePort
- Set path cost of the specified port
- Set the priority of a specified port
- Configure a specified port to be connected to a point-to-point link
- Set mCheck of the specified port

Among the above-mentioned tasks, only enabling RSTP on the switch and enabling RSTP on the port are required. For the other tasks, if you do not configure them, the system uses the default settings.

Before enabling the spanning tree, the relevant parameters of the Ethernet ports or the device can be configured. After the spanning tree is disabled, these configuration parameters are retained and take effect again when the spanning tree is enabled again.

1.2.1 Enable/Disable RSTP on a Switch

You can use the following command to enable RSTP on the switch.

Perform the following configurations in system view.

Table 1-1 Enable/Disable RSTP on a device

Operation                          Command
Enable/Disable RSTP on a device    stp { enable | disable }
Restore RSTP to the default value  undo stp

Only after the RSTP is enabled on the switch can other configurations take effect.

Note that some network resource will be occupied after RSTP is enabled.

By default, RSTP is disabled.

1.2.2 Enable/Disable RSTP on a Port

You can use the following commands to enable/disable RSTP on a specified port. For flexible control of RSTP operation, after RSTP is enabled on the Ethernet ports of the switch it can be disabled again on individual ports so that they do not participate in the spanning tree calculation.

Perform the following configurations in Ethernet port view.

Table 1-2 Enable/Disable RSTP on a port

Operation                         Command
Enable RSTP on a specified port   stp enable
Disable RSTP on a specified port  stp disable

Note that a redundant route may be created after RSTP is disabled on an Ethernet port.

By default, RSTP on all the ports will be enabled after it is enabled on the switch.

1.2.3 Configure RSTP Operating Mode

RSTP can run in RSTP mode or in STP-compatible mode. RSTP mode is used when all the network devices run RSTP, while STP-compatible mode is used when both STP and RSTP devices are present on the network.

You can use the following command to set the RSTP operating mode.

Perform the following configurations in system view.

Table 1-3 Set RSTP operating mode

Operation                                          Command
Configure to run RSTP in STP-compatible/RSTP mode  stp mode { stp | rstp }
Restore the default RSTP mode                      undo stp mode

Normally, if a bridge running STP is present in the switching network, a port on a switch running RSTP that connects to a port on the switch running STP automatically switches from RSTP mode to STP-compatible mode.

By default, RSTP runs in RSTP mode.

1.2.4 Set Priority of a Specified Bridge

Whether a bridge can be selected as the “root” of the spanning tree depends on its priority. By assigning a lower priority, a bridge can be artificially specified as the root of the spanning tree.

You can use the following command to configure the priority of a specified bridge.

Perform the following configurations in system view.

Table 1-4 Set priority of a specified bridge

Operation                                         Command
Set priority of a specified bridge                stp priority bridge-priority
Restore the default priority of specified bridge  undo stp priority

Note that if the priorities of all the bridges in the switching network are the same, the bridge with the smallest MAC address will be selected as the “root”. When RSTP is enabled, an assignment of a priority to the bridge will lead to recalculation of the spanning tree.

By default, the priority of the bridge is 32768.

1.2.5 Specify the Switch as Primary or Secondary Root Switch

RSTP can determine the spanning tree root through calculation. You can also specify the current switch as the root with the commands below.

You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree.

Perform the following configuration in system view.

Table 1-5 Specify the switch as primary or secondary root switch

Operation                                                                     Command
Specify the current switch as the primary root switch of the spanning tree    stp root primary
Specify the current switch as the secondary root switch of the spanning tree  stp root secondary
Disqualify the current switch as the primary or secondary root                undo stp root

After a switch is configured as the primary or secondary root switch, you cannot modify the bridge priority of the switch.

A switch can either be a primary or secondary root bridge, but not both of them.

If the primary root of a spanning tree instance is down or powered off, the secondary root will take its place, unless you configure a new primary root. Of two or more configured secondary root switches, RSTP selects the one with the smallest MAC address to take the place of the failed primary root.

Note:

To configure a switch as the root of the spanning tree instance, you can either set its priority to 0 or simply specify it as the root with the command above. It is not necessary to specify two or more primary roots for an STI; in other words, do not specify the primary root for an STI on two or more switches. You can configure more than one secondary root for a spanning tree by specifying the secondary STI root on two or more switches. Generally, it is recommended to designate one primary root and one or more secondary roots for a spanning tree.

By default, a switch is neither the primary root nor the secondary root of the spanning tree.

1.2.6 Set Forward Delay of a Specified Bridge

Link failure will cause recalculation of the spanning tree and change its structure. However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately. If the newly selected root port and designated port begin to forward data frame right away, occasional loop can be caused. Accordingly, the protocol adopts a state transition mechanism, that is, the root port and the designated port must undergo a transition state for a period of Forward Delay before they transition to the forwarding state and resume data frame forwarding. This delay ensures that the new configuration BPDU has been propagated throughout the network before the data frame forwarding is resumed.

You can use the following command to set the Forward Delay for a specified bridge.

Perform the following configurations in system view.

Table 1-6 Set forward delay of a specified bridge

Operation                                              Command
Set Forward Delay of a specified bridge                stp timer forward-delay centiseconds
Restore the default Forward Delay of specified bridge  undo stp timer forward-delay

The Forward Delay of the bridge is related to the diameter of the switching network. As a rule, the larger the network diameter, the longer the Forward Delay. Note that if the Forward Delay is configured too short, occasional path redundancy (a transient loop) may occur. If the Forward Delay is configured too long, restoring network connectivity may take a long time. It is recommended to use the default setting.

By default, the bridge Forward Delay is 15 seconds.

1.2.7 Set Hello Time of the Specified Bridge

A bridge transmits hello packets regularly to the adjacent bridges to check for link failure.

You can use the following command to set the Hello Time of a specified bridge.

Perform the following configurations in system view.

Table 1-7 Set Hello Time of the specified bridge

Operation                                           Command
Set Hello Time of the specified bridge              stp timer hello centiseconds
Restore the default Hello Time of the specified bridge  undo stp timer hello

An appropriate Hello Time ensures that the bridge can detect link failures in the network in time without occupying too many network resources. If the Hello Time is too long, the bridge may mistake frame loss on the link for a link failure and trigger a spanning tree recalculation. If the Hello Time is too short, the bridge sends configuration BPDUs too frequently, which unduly increases the switch load and wastes network resources.

By default, the Hello Time of the bridge is 2 seconds.

1.2.8 Set Max Age of the Specified Bridge

Max Age is the parameter used to judge whether a configuration BPDU has timed out. You can configure it according to the actual network situation.

You can use the following command to set Max Age of a specified bridge.

Perform the following configurations in system view.

Table 1-8 Set Max Age of the specified bridge

Operation                                          Command
Set Max Age of the specified bridge                stp timer max-age centiseconds
Restore the default Max Age of the specified bridge  undo stp timer max-age

If the Max Age is too short, the spanning tree is recalculated frequently and network congestion may be misjudged as a link fault. On the other hand, too long a Max Age may leave the bridge unable to detect link failures in time and weaken the network's ability to adapt automatically. It is recommended to use the default setting.

By default, the bridge Max Age is 20 seconds.

1.2.9 Set Timeout Factor of the Bridge

A bridge transmits hello packets regularly to the adjacent bridges to check for link failure. Generally, if the switch does not receive RSTP packets from the upstream switch for 3 times the Hello Time, it decides that the upstream switch is down and recalculates the network topology. In a steady network, such a recalculation may be triggered merely because the upstream switch is busy. In this case you can lengthen the timeout interval by redefining the multiple of the Hello Time.

You can use the following command to set the multiple value of hello time of a specified bridge.

Perform the following configurations in system view.

Table 1-9 Set Timeout Factor of the Bridge

Operation                                                 Command
Set the multiple value of hello time of a specified bridge  stp timeout-factor number
Restore the default multiple value of hello time          undo stp timeout-factor

It is recommended to set the multiple to 5, 6 or 7 in a steady network.

By default, the multiple value of hello time of the bridge is 3.

1.2.10 Set the Maximum Transmission Speed of the Specified Port

The maximum transmission speed of an Ethernet port is related to its physical state and the network structure. You can configure it according to the actual network situation.

You can use the following command to set the maximum transmission speed of the specified port.

Perform the following configurations in Ethernet port view.

Table 1-10 Set the maximum transmission speed of the specified port

Operation                                                          Command
Set the maximum transmission speed of the specified port           stp transit-limit packetnum
Restore the default maximum transmission speed of the specified port  undo stp transit-limit

If the max transmission speed on a port is too high, there will be too many packets being transmitted per unit time, which occupies excessive network resources. It is recommended to use the default setting.

By default, the maximum transmission speed is 3 (a counter value without unit) on all the Ethernet ports of the bridge.

1.2.11 Set Specified Port to be an EdgePort

An EdgePort is a port that is not connected to any switch, directly or indirectly, through the attached network.

You can use the following command to set a specified port as an EdgePort.

Perform the following configurations in Ethernet port view.

Table 1-11 Set specified port as the EdgePort

Operation                                               Command
Set a specified port as an EdgePort or a non-EdgePort   stp edged-port { enable | disable }
Set the specified port as the non-EdgePort, as defaulted  undo stp edged-port

In the process of recalculating the spanning tree, the EdgePort can transfer to the forwarding state directly and reduce unnecessary transition time. If the current Ethernet port is not connected with any Ethernet port of other bridges, this port should be set as an EdgePort. If a specified port connected to a port of any other bridge is configured as an edge port, RSTP will automatically detect and reconfigure it as a non-EdgePort.

After the network topology changes, if a configured non-EdgePort becomes an edge port (it is no longer connected to any other port), configure it as an EdgePort manually, because RSTP cannot change a non-EdgePort into an EdgePort automatically.

Configure the port directly connected to the terminal as an EdgePort, so that the port can transfer immediately to the forwarding state.

By default, all the Ethernet ports are configured as non-EdgePort.

1.2.12 Set Path Cost of the Specified Port

The path cost of Ethernet port is related to the speed of a link connected to the port.

You can use the following command to set the Path Cost of a specified port.

Perform the following configurations in Ethernet port view.

Table 1-12 Set path cost of the specified port

Operation                                           Command
Set path cost of the specified port                 stp cost cost
Restore the default path cost of the specified port  undo stp cost

The path cost of Ethernet port is related to its link speed. The higher the link speed is, the lower the path cost should be configured. RSTP can automatically detect the link speed on the current Ethernet port and convert it to the corresponding path cost. Note that configuring path cost of an Ethernet port will cause the recalculation of the spanning tree. It is recommended to use the default value and let RSTP calculate the path cost on the current Ethernet port.

By default, the bridge gets the path cost of a port according to the link speed directly.

1.2.13 Set the Priority of a Specified Port

The port priority is an important basis for deciding whether a port can become the root port. In the spanning tree calculation, the port with the highest priority is selected as the root port, all other conditions being the same.

You can use the following command to set the priority of a specified port.

Perform the following configurations in Ethernet port view.

Table 1-13 Set the priority of a specified port

Operation                                           Command
Set the priority of a specified port                stp port priority port-priority
Restore the default priority of the specified port  undo stp port priority

By setting the priority of an Ethernet port, you can put a specified Ethernet port into the final spanning tree. Generally, the lower the value is set, the higher priority the port has and the more likely it is for this Ethernet port to be included in the spanning tree. If all the Ethernet ports of the bridge adopt the same priority parameter value, then the priority of these ports depends on the Ethernet port index number. Note that changing the priority of Ethernet port will cause recalculation of the spanning tree. You can set the port priority at the time when setting up the networking requirements.

By default, priorities of all the Ethernet ports are 128.

1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link

Generally, a point-to-point link connects the switches.

You can use the following command to configure a specified port to be connected to a point-to-point link.

Perform the following configurations in Ethernet port view.

Table 1-14 Configure a specified port to be connected to a point-to-point link

Operation                                                                              Command
Configure a specified port to be connected to a point-to-point link                    stp point-to-point force-true
Configure a specified port not to be connected to a point-to-point link                stp point-to-point force-false
Configure RSTP to automatically detect if the port is connected to a point-to-point link  stp point-to-point auto
Configure the port to be automatically detected if it is connected to a point-to-point link, as defaulted  undo stp point-to-point

The two ports connected via the Point-to-Point link can enter the forwarding state rapidly by transmitting synchronous packets, so that the unnecessary forwarding delay can be reduced. If this parameter is configured to be auto mode, RSTP can automatically detect if the current Ethernet port is connected to a Point-to-Point link. Note that, for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, the port working in full duplex can also be configured to connect with such link.

You can manually configure the active Ethernet port to connect with the Point-to-Point link. However, if the link is not a point-to-point link, the command may cause a system problem, and therefore it is recommended to set it as auto mode.

By default, this parameter is configured to auto, namely in auto mode.

1.2.15 Set mCheck of the Specified Port

Suppose some switches on a switching network run STP and others run RSTP. RSTP is STP-compatible. In a relatively stable network, even after the bridge running STP has been removed, the port of the switch running RSTP keeps working in STP-compatible mode. You can use the following command to manually force the port back to RSTP mode. This command only takes effect if the bridge runs RSTP in RSTP mode; it has no effect in STP-compatible mode.

You can use the following command to configure mCheck of a specified port.

Perform the following configurations in Ethernet port view.

Table 1-15 Set mCheck of the specified port

Operation                          Command
Set mCheck of the specified port   stp mcheck

This command can be used when the bridge runs RSTP in RSTP mode, but it cannot be used when the bridge runs RSTP in STP-compatible mode.

1.2.16 Configure the Switch Security Function

An RSTP switch provides BPDU protection and Root protection functions.

On an access device, the access port is generally connected directly to a user terminal (e.g., a PC) or a file server, and it is set as an edge port to obtain fast transition. When such a port receives a BPDU packet, the system automatically sets it as a non-edge port and recalculates the spanning tree, which causes the network topology to flap. Normally these ports never receive STP BPDUs. If someone forges BPDUs to attack the switch, the network flaps. The BPDU protection function is used against such attacks.

In case of a configuration error or a malicious attack, the primary root may receive a BPDU with a higher priority and lose its place, causing an erroneous topology change. Because of the erroneous change, traffic that should travel over a high-speed link may be pulled onto a low-speed link and congestion occurs on the network. The Root protection function is used against this problem.

The root port and the other blocked ports maintain their state according to the BPDUs sent by the uplink switch. Once the link is blocked or becomes faulty, the ports no longer receive BPDUs and the switch selects the root port again. The former root port then becomes a designated port and the former blocked ports enter the forwarding state, so a loop is generated.

The loop protection function guards against such loops. After it is enabled, the root port cannot be changed and a blocked port stays in the "Discarding" state and does not forward packets, which avoids the loop.

You can use the following command to configure the security functions of the switch.

Perform the following configuration in corresponding views.

Table 1-16 Configure the switch security function

Operation                                                                         Command
Configure switch BPDU protection (from system view)                               stp bpdu-protection
Restore the disabled BPDU protection state, as defaulted (from system view)       undo stp bpdu-protection
Configure switch Root protection (from Ethernet port view)                        stp root-protection
Restore the disabled Root protection state, as defaulted (from Ethernet port view)  undo stp root-protection
Configure switch loop protection function (from Ethernet port view)               stp loop-protection
Restore the disabled loop protection state, as defaulted (from Ethernet port view)  undo stp loop-protection

After BPDU protection is configured, the switch disables (through RSTP) any edge port that receives a BPDU and notifies the network manager at the same time. Only the network manager can bring these ports back into service.

A port configured with Root protection only ever plays the role of a designated port. Whenever such a port receives a higher-priority BPDU that would turn it into a non-designated port, it is set to the listening state instead and stops forwarding packets (as if the link to the port were disconnected). If the port receives no further higher-priority BPDU for a certain period, it returns to the normal state.

On a given port, only one of loop protection, Root protection and EdgePort configuration can be in effect at any one time.

By default, the switch does not enable loop protection, BPDU protection or Root protection.

For detailed information about the configuration commands, refer to the Command Manual.

1.3 Display and Debug RSTP

After the above configuration, execute display command in any view to display the running of the RSTP configuration, and to verify the effect of the configuration. Execute reset command in user view to clear the statistics of RSTP module. Execute debugging command in user view to debug the RSTP module.

Table 1-17 Display and Debug RSTP

Operation                                                                          Command
Display RSTP configuration information about the local switch and the specified ports  display stp [ interface interface-list ]
Clear RSTP statistics information                                                  reset stp [ interface interface-list ]
Enable RSTP (error/event/packet) debugging                                         debugging stp { error | event | packet }
Disable RSTP debugging                                                             undo debugging stp { error | event | packet }

1.4 RSTP Configuration Example

I. Networking requirements

In the following scenario, Switch C serves as a standby of Switch B and forwards data when fault occurs on Switch B. They are connected to each other with two links, so that, in case one of the links fails, the other one can still work normally. Switch D through Switch F are directly connected with the downstream user computers and they are connected to Switch C and Switch B with uplink ports.

You can configure RSTP on the Switch B through Switch F to meet these requirements.

Only the configurations related to RSTP are listed in the following procedure. Switch A is not involved in the spanning tree calculation, so it is not necessary to configure RSTP on Switch A and its configuration is not covered hereafter. Switch D through Switch F are configured in basically the same way, so only the RSTP configuration on Switch D is introduced.

Note:

Switch A can be a mid-range Huawei switch, such as an S5516 or S6500 Series switch. Switch B and Switch C can be low-end Huawei switches, such as S3500 Series switches. Switch D through Switch F can be low-end Huawei switches, such as S3000 Series or S2000 Series switches.

II. Networking diagram

Figure 1-4 RSTP configuration example (port labels shown in the figure: Switch A GE1/1; Switch B and Switch C E0/1, E0/2, E0/3, E0/23, E0/24; Switch D, Switch E and Switch F E1/1, E2/1)

III. Configuration procedure

1) Configure Switch B

# Enable RSTP globally.

[Quidway] stp enable

# Port RSTP is enabled by default once RSTP is enabled globally. You can disable RSTP on the ports that are not involved in RSTP calculation, but be careful not to disable it on the ports that are. (The following configuration takes Ethernet 0/4 as an example.)

[Quidway] interface ethernet 0/4

[Quidway-Ethernet0/4] stp disable


# To configure Switch B as the root, either set its Bridge priority to 0 or use the command that specifies it as the root directly. Use only one of the following two steps.

2) Set the Bridge priority of Switch B to 0

[Quidway] stp priority 0

3) Designate Switch B as the root, using the following command.

[Quidway] stp root primary

# Enable the Root protection function on every designated port (Ethernet 0/1 through Ethernet 0/3 in Figure 1-4).

[Quidway] interface ethernet 0/1

[Quidway-Ethernet0/1] stp root-protection

[Quidway-Ethernet0/1] quit

[Quidway] interface ethernet 0/2

[Quidway-Ethernet0/2] stp root-protection

[Quidway-Ethernet0/2] quit

[Quidway] interface ethernet 0/3

[Quidway-Ethernet0/3] stp root-protection

# RSTP operating mode, time parameters, and port parameters take default values.

4) Configure Switch C

# Enable RSTP globally.

[Quidway] stp enable

# Port RSTP is enabled by default once RSTP is enabled globally. You can disable RSTP on the ports that are not involved in RSTP calculation, but be careful not to disable it on the ports that are. (The following configuration takes Ethernet 0/4 as an example.)

[Quidway] interface ethernet 0/4

[Quidway-Ethernet0/4] stp disable

# To configure Switch C as the secondary root, either set its Bridge priority to 4096 or use the command that specifies it as the secondary root directly. Use only one of the following two steps.

5) Set the Bridge priority of Switch C to 4096

[Quidway] stp priority 4096

6) Designate Switch C as the secondary root, using the following command.

[Quidway] stp root secondary

# Enable the Root protection function on every designated port (Ethernet 0/1 through Ethernet 0/3 in Figure 1-4).

[Quidway] interface ethernet 0/1

[Quidway-Ethernet0/1] stp root-protection

[Quidway-Ethernet0/1] quit

[Quidway] interface ethernet 0/2

[Quidway-Ethernet0/2] stp root-protection

[Quidway-Ethernet0/2] quit

[Quidway] interface ethernet 0/3

[Quidway-Ethernet0/3] stp root-protection

# RSTP operating mode, time parameters, and port parameters take default values.

7) Configure Switch D

# Enable RSTP globally.

[Quidway] stp enable

# Port RSTP is enabled by default once RSTP is enabled globally. You can disable RSTP on the ports that are not involved in RSTP calculation, but be careful not to disable it on the ports that are. (The following configuration takes Ethernet 0/4 as an example.)

[Quidway] interface ethernet 0/4

[Quidway-Ethernet0/4] stp disable

# Configure the ports directly connected to users (Ethernet 0/1 through Ethernet 0/24) as edge ports and enable the BPDU protection function. (Take Ethernet 0/1 as an example.)

[Quidway] interface ethernet 0/1

[Quidway-Ethernet0/1] stp edged-port enable

[Quidway-Ethernet0/1] quit

[Quidway] stp bpdu-protection

# RSTP operating mode, time parameters, and port parameters take default values.
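As an added example (not code from the manual), the following Python script replays a Quidway CLI transcript like the ones above and checks it against the rules this chapter states: port RSTP takes effect only once RSTP is enabled globally, loop protection, Root protection and edge port are mutually exclusive on a port, and edge ports should be covered by global BPDU protection. The `stp loop-protection` command form and both transcripts are assumptions constructed for the example.

```python
"""Audit of a constructed Quidway RSTP configuration transcript (added example)."""
import re
from dataclasses import dataclass, field

# Prompt forms used in the procedure: "[Quidway] ..." (system view) and
# "[Quidway-Ethernet0/1] ..." (Ethernet port view).
PROMPT_RE = re.compile(
    r"^\[Quidway(?:-(?P<iface>Ethernet\d+/\d+))?\]\s*(?P<cmd>.+?)\s*$")


@dataclass
class PortCfg:
    stp_enabled: bool = True        # port RSTP is on by default once global RSTP is enabled
    root_protection: bool = False
    loop_protection: bool = False   # 'stp loop-protection' is an assumed command form
    edged_port: bool = False


@dataclass
class SwitchCfg:
    stp_enabled: bool = False       # RSTP is disabled by default
    bpdu_protection: bool = False
    ports: dict = field(default_factory=dict)


def parse_transcript(text: str) -> SwitchCfg:
    """Replay the CLI lines and record the resulting RSTP state."""
    cfg = SwitchCfg()
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # blank lines and '#' comments carry no configuration
        iface, cmd = m.group("iface"), m.group("cmd")
        if iface is None:                       # system view
            if cmd == "stp enable":
                cfg.stp_enabled = True
            elif cmd == "stp bpdu-protection":
                cfg.bpdu_protection = True
            continue
        port = cfg.ports.setdefault(iface, PortCfg())   # port view
        if cmd == "stp disable":
            port.stp_enabled = False
        elif cmd == "stp enable":
            port.stp_enabled = True
        elif cmd == "stp root-protection":
            port.root_protection = True
        elif cmd == "stp loop-protection":
            port.loop_protection = True
        elif cmd == "stp edged-port enable":
            port.edged_port = True
        elif cmd == "stp edged-port disable":
            port.edged_port = False
    return cfg


def audit(cfg: SwitchCfg) -> list:
    """Return findings; an empty list means the transcript satisfies the rules."""
    findings = []
    if not cfg.stp_enabled:
        findings.append("global: 'stp enable' missing, port settings have no effect")
    for name, p in sorted(cfg.ports.items()):
        protections = [p.loop_protection, p.root_protection, p.edged_port]
        if sum(protections) > 1:
            findings.append(f"{name}: loop protection, Root protection and edge port "
                            "are mutually exclusive")
        if p.edged_port and not cfg.bpdu_protection:
            findings.append(f"{name}: edge port configured but global "
                            "'stp bpdu-protection' is off")
        if not p.stp_enabled and any(protections):
            findings.append(f"{name}: RSTP is disabled on a port that carries "
                            "protection settings")
    return findings


# Constructed transcript following the Switch D procedure above.
SWITCH_D = """\
[Quidway] stp enable
[Quidway] interface ethernet 0/4
[Quidway-Ethernet0/4] stp disable
[Quidway-Ethernet0/4] quit
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] stp edged-port enable
[Quidway-Ethernet0/1] quit
[Quidway] stp bpdu-protection
"""

# Constructed transcript with two mistakes: Root protection on an edge port,
# and edge ports left without BPDU protection.
SWITCH_BAD = """\
[Quidway] stp enable
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] stp edged-port enable
[Quidway-Ethernet0/1] stp root-protection
[Quidway-Ethernet0/1] quit
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] stp edged-port enable
"""

if __name__ == "__main__":
    for label, text in (("Switch D", SWITCH_D), ("bad switch", SWITCH_BAD)):
        print(label, audit(parse_transcript(text)) or ["no findings"])
```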


Chapter 2 MSTP Region-configuration

2.1 MSTP Overview

Note:

For Quidway series switches, the MSTP feature is compatible with STP and RSTP, but a switch that supports RSTP does not support MSTP. S3552 Series Switches support the MSTP feature.

MSTP stands for Multiple Spanning Tree Protocol, which is compatible with STP and RSTP.

STP cannot transit fast. Even on a point-to-point link or an edge port, it has to wait an interval as long as twice the forward delay before the network converges.

RSTP converges fast but still has a drawback: all the network bridges in a VLAN share one spanning tree, so redundant links cannot be blocked per VLAN.

MSTP makes up for the drawbacks of STP and RSTP. It makes the network converge fast and distributes the traffic of different VLANs along their respective paths, which provides a better load-balancing mechanism for the redundant links.

MSTP associates VLANs with spanning trees and divides a switching network into several regions, each of which has spanning trees independent of one another. MSTP prunes the network into a loop-free tree to avoid proliferation, and it also provides multiple redundant paths for data forwarding to implement load balancing of VLAN data forwarding.

2.1.1 MSTP Concepts

There are four MST regions in Figure 2-1. The MSTP concepts are introduced with this figure in the following text.


Figure 2-1 Basic MSTP concepts (labels recovered from the figure)

Region A0: VLAN 1 mapped to Instance 1, VLAN 2 mapped to Instance 2, other VLANs mapped to CIST

Region (labelled A0 in the extracted figure): VLAN 1 mapped to Instance 1 with region root B, VLAN 3 mapped to Instance 2 with region root C, other VLANs mapped to CIST

Region B0: VLAN 1 mapped to Instance 1, VLAN 2 mapped to Instance 2, other VLANs mapped to CIST

Region C0: VLAN 1 mapped to Instance 1, VLAN 2 and VLAN 3 mapped to Instance 2, other VLANs mapped to CIST

Switches A, B, C and D exchange BPDUs between the regions.

Legend: CST: Common Spanning Tree; CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance

I. MST region

Multiple Spanning Tree Region: a multiple spanning tree region consists of several physically and directly connected MSTP switches that share the same region name, the same VLAN-to-spanning-tree mapping configuration and the same MSTP revision level, together with the network segments between them. There can be several MST regions in a switching network. You can group several switches into an MST region using the MSTP configuration commands; for details, refer to the configuration sections of this chapter. For example, the four switches in MST region A0 in Figure 2-1 are configured with the same region name, the same VLAN mapping table (VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to instance 0) and the same revision level (not indicated in Figure 2-1).

II. VLAN mapping table

An attribute of an MST region that describes the mapping between VLANs and spanning tree instances (STIs). For example, the VLAN mapping table of MST region A0 in Figure 2-1 maps VLAN 1 to instance 1, VLAN 2 to instance 2 and all other VLANs to instance 0.

III. IST

Internal Spanning Tree (IST): the entire switching network has one Common and Internal Spanning Tree (CIST). An MST region has an Internal Spanning Tree (IST), which is a fragment of the CIST. For example, every MST region in Figure 2-1 has an IST.


IV. CST

Common Spanning Tree (CST): connects the spanning trees of all the MST regions. Taking every MST region as a single "switch", the CST can be regarded as the spanning tree generated among them with STP/RSTP. For example, the red line in Figure 2-1 indicates the CST.

V. CIST

CIST (Common and Internal Spanning Tree): a single spanning tree made up of the ISTs and the CST. The CIST in Figure 2-1 is composed of the IST of every MST region and the CST.

VI. MSTI

Multiple Spanning Tree Instance (MSTI): MSTP can generate multiple spanning trees in an MST region that are independent of one another. Each such spanning tree is called an MSTI. Every MST region can have many spanning tree instances (STIs), which are called MSTIs, and each STI is associated with its corresponding VLANs.

VII. Region root

The region root refers to the root of the IST or of an MSTI in the MST region. The spanning trees in an MST region have different topologies, so their region roots may also differ. In each MST region in Figure 2-1, every STI has its own region root.

VIII. Common Root Bridge

The Common Root Bridge is the root bridge of the CIST. There is only one common root bridge in a given network.

IX. Edge port

The edge port refers to a port located at the edge of an MST region, connecting different MST regions, or an MST region and an STP region, or an MST region and an RSTP region. In MSTP calculation, an edge port takes the same role in every MSTI as in the CIST instance. For example, an edge port that is the master port in the CIST instance serves as the master port in every MSTI of the region.

X. Port role

In the process of MSTP calculation, a port can serve as a designated port, root port, master port, alternate port or backup port.

The root port is the port through which data are forwarded to the root. The designated port is the port through which data are forwarded to the downstream network segment or switch.


Master port is the port connecting the entire region to the Common Root Bridge and located on the shortest path between them.

Alternate port is the backup of the master port. When the master port is blocked, the alternate port will take its place.

If two ports of a switch are connected to each other, there must be a loop. In this case, the switch blocks one of them; the blocked one is called the backup port.

A port can play different roles in different spanning tree instances.

The following figure illustrates the above-mentioned concepts.

Figure 2-2 Port roles (the figure shows an MST region containing switches A, B, C and D with ports Port 1 through Port 6; the roles labelled are master port and alternate port on the edge ports connected to the common root, designated port and backup port)

2.1.2 MSTP Principles

MSTP divides the entire Layer 2 network into several MST regions and calculates and generates a CST for them. Multiple spanning trees are generated in a region, and each of them is called an MSTI. Instance 0 is called the IST, and the others are called MSTIs.

I. CIST calculation

The CIST root is the highest-priority switch elected from all the switches in the network by comparing their configuration BPDUs. MSTP calculates and generates the IST in each MST region and also the CST connecting the regions. The CIST is the unique single spanning tree of the entire switching network.


II. MSTI calculation

Inside an MST region, MSTP generates different MSTIs for different VLANs according to the association between VLANs and spanning trees. The calculation process of an MSTI is the same as that of RSTP.

In this way, the packets of a VLAN travel along the corresponding MSTI inside the MST region and along the CST between different regions.

The following introduces the calculation process of one MSTI.

The fundamental principle of STP is that the switches exchange a special kind of protocol packet (called a configuration Bridge Protocol Data Unit, or BPDU, in IEEE 802.1D) to decide the topology of the network. The configuration BPDU contains enough information for the switches to compute the spanning tree.

The configuration BPDU mainly contains the following information:

1) The root ID, consisting of the root priority and MAC address

2) The cost of the shortest path to the root

3) The designated switch ID, consisting of the designated switch priority and MAC address

4) The designated port ID, consisting of the port priority and port number

5) The age of the configuration BPDU: MessageAge

6) The maximum age of the configuration BPDU: MaxAge

7) The configuration BPDU interval: HelloTime

8) The forward delay of the port: ForwardDelay

What are the designated switch and designated port?

Figure 2-3 Designated switch and designated port (Switch A with ports AP1 and AP2, Switch B with ports BP1 and BP2, Switch C with ports CP1 and CP2; Switch B and Switch C connect to a LAN)

For a switch, the designated switch is the switch in charge of forwarding packets to the local switch, via a port called the designated port. For a LAN, the designated switch is the switch in charge of forwarding packets to the network segment, via a port called the designated port. As illustrated in Figure 2-3, Switch A forwards data to Switch B via the port AP1, so to Switch B the designated switch is Switch A and the designated port is AP1. Also in the figure, Switch B and Switch C are connected to the LAN and Switch B forwards packets to the LAN, so the designated switch of the LAN is Switch B and the designated port is BP2.

Note:

AP1, AP2, BP1, BP2, CP1 and CP2 respectively denote the ports of Switch A, Switch B and Switch C.

The specific calculation process of the STP algorithm

The following example illustrates the calculation process of STP. Figure 2-4 below illustrates the network.

Figure 2-4 Ethernet switch networking (Switch A with priority 0 and ports AP1, AP2; Switch B with priority 1 and ports BP1, BP2; Switch C with priority 2 and ports CP1, CP2; link path costs 5, 10 and 4)

To simplify the description, only the first four fields of the configuration BPDU are considered in the example: the root ID (expressed as the Ethernet switch priority), the path cost to the root, the designated switch ID (expressed as the Ethernet switch priority) and the designated port ID (expressed as the port name). As illustrated in the figure above, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively.

9) Initial state

When initialized, each port of each switch generates a configuration BPDU that takes the switch itself as the root, with a root path cost of 0, the designated switch ID set to its own switch ID and the designated port set to the port itself.

Switch A:

Configuration BPDU of AP1: {0, 0, 0, AP1}

Configuration BPDU of AP2: {0, 0, 0, AP2}


Switch B:

Configuration BPDU of BP1: {1, 0, 1, BP1}

Configuration BPDU of BP2: {1, 0, 1, BP2}

Switch C:

Configuration BPDU of CP2: {2, 0, 2, CP2}

Configuration BPDU of CP1: {2, 0, 2, CP1}

10) Select the optimum configuration BPDU

Every switch transmits its configuration BPDUs to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated. The optimum configuration BPDU is then elected by comparing the configuration BPDUs of all the ports.

The comparison rules are:

The configuration BPDU with the smaller root ID has the higher priority.

If the root IDs are the same, compare the root path costs as follows: the path cost to the root recorded in the configuration BPDU plus the path cost of the local port is set as S; the configuration BPDU with the smaller S has the higher priority.

If the path costs to the root are also the same, compare in sequence the designated switch ID, the designated port ID and the ID of the port via which the configuration BPDU was received.

For simplicity, we assume that the optimum BPDU can be selected through root ID comparison alone in this example.

11) Specify the root port, block the redundancy link and update the configuration BPDU of the designated port.

The port that received the optimum configuration BPDU is designated the root port, and its configuration BPDU remains unchanged. Any other port whose configuration BPDU was updated in the step "Select the optimum configuration BPDU" is blocked: it does not forward data, and it only receives but does not transmit BPDUs, so its BPDU remains unchanged. A port whose BPDU was not updated in that step becomes a designated port. Its configuration BPDU is modified as follows: the root ID is replaced with the root ID in the configuration BPDU of the root port, the path cost to the root with the root path cost plus the path cost corresponding to the root port, the designated switch ID with the local switch ID and the designated port ID with the local port ID.

The comparison process of each switch is as follows.

Switch A:


AP1 receives the configuration BPDU from Switch B and finds that the priority of its local configuration BPDU is higher than that of the received one, so it discards the received configuration BPDU. The configuration BPDU received on AP2 is processed in the same way. Switch A thus finds itself the root and the designated switch in the configuration BPDU of every port; it regards itself as the root, retains the configuration BPDU of each port and transmits configuration BPDUs to the others regularly thereafter. The configuration BPDUs of the two ports are now as follows:

Configuration BPDU of AP1: {0, 0, 0, AP1}.

Configuration BPDU of AP2: {0, 0, 0, AP2}.

Switch B:

BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU.

BP2 receives the configuration BPDU from Switch C and finds that the local BPDU priority is higher than that of the received one, so it discards the received BPDU.

The configuration BPDUs of the ports are now as follows: configuration BPDU of BP1: {0, 0, 0, AP1}; configuration BPDU of BP2: {1, 0, 1, BP2}.

Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows.

The configuration BPDU of the root port BP1 remains {0, 0, 0, BP1}. BP2 updates its root ID with that in the optimum configuration BPDU, sets the path cost to the root to 5, the designated switch ID to the local switch ID and the designated port ID to the local port ID. Thus its configuration BPDU becomes {0, 5, 1, BP2}.

Then all the designated ports of Switch B transmit the configuration BPDUs regularly.

Switch C:

CP2 receives the configuration BPDU {1, 0, 1, BP2} from BP2 of Switch B (which has not yet been updated), and Switch C launches the updating process. The configuration BPDU of CP2 is updated to {1, 0, 1, BP2}.

CP1 receives the configuration BPDU {0, 0, 0, AP2} from Switch A, and Switch C launches the updating. The configuration BPDU of CP1 is updated to {0, 0, 0, AP2}.

By comparison, the configuration BPDU of CP1 is elected as the optimum one. CP1 is thus specified as the root port, with no modification to its configuration BPDU. CP2, however, is blocked and its BPDU also remains the same, but it no longer receives the data (other than STP packets) forwarded from Switch B until the spanning tree calculation is triggered again by some new event, for example the link from Switch B to Switch C going down or the port receiving a better configuration BPDU.


CP2 then receives the updated configuration BPDU {0, 5, 1, BP2} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}.

Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU is not updated and remains {0, 0, 0, AP2}.

By comparison, the configuration BPDU of CP2 is elected as the optimum one, so CP2 is elected as the root port and its BPDU does not change, while CP1 is blocked and retains its BPDU but no longer receives the data forwarded from Switch A until the spanning tree calculation is triggered again by some change, for example the link from Switch B to Switch C going down.

Thus the spanning tree is stabilized. The tree with the root Switch A is illustrated in Figure 2-5 below.

Figure 2-5 The final stabilized spanning tree (root Switch A; the links AP1 to BP1 with cost 5 and BP2 to CP2 with cost 4 remain in the tree, with BP1 and CP2 as root ports)
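The three-step calculation above, replayed as an added example (not the manual's own code) in Python on the topology of Figure 2-4 (priorities 0, 1, 2; link costs 5, 10, 4). Tuple ordering stands in for the comparison rules, and timers, MessageAge and the transitional states are left out as they are in the text; the synchronous round model is an assumption of the example.

```python
"""Simulation of the STP calculation of Figure 2-4 (added example)."""
from typing import Dict, Optional, Tuple

# A configuration BPDU reduced to the four fields used in the example:
# (root ID, root path cost, designated switch ID, designated port ID).
# Python tuple ordering reproduces the comparison rules of the text:
# a smaller value in an earlier field wins.
BPDU = Tuple[int, int, int, str]

# Topology of Figure 2-4 (values from the page): switch priorities and link costs.
PRIORITY = {"A": 0, "B": 1, "C": 2}
OWNER = {"AP1": "A", "AP2": "A", "BP1": "B", "BP2": "B", "CP1": "C", "CP2": "C"}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]
PEER: Dict[str, Tuple[str, int]] = {}
for _a, _b, _cost in LINKS:
    PEER[_a] = (_b, _cost)
    PEER[_b] = (_a, _cost)


def run_stp(rounds: int = 5) -> Dict[str, Tuple[str, BPDU]]:
    """Replay synchronous rounds of BPDU exchange; return (role, BPDU) per port."""
    # Initial state: every port is designated and advertises its own switch as root.
    received: Dict[str, Optional[BPDU]] = {p: None for p in OWNER}
    roles: Dict[str, str] = {p: "designated" for p in OWNER}
    bpdus: Dict[str, BPDU] = {p: (PRIORITY[s], 0, PRIORITY[s], p) for p, s in OWNER.items()}
    for _ in range(rounds):
        # Every designated port transmits its configuration BPDU to its peer port;
        # root and blocked ports only receive.
        for p, (peer, _c) in PEER.items():
            if roles[p] == "designated":
                received[peer] = bpdus[p]
        for sw, prio in PRIORITY.items():
            ports = [p for p, s in OWNER.items() if s == sw]
            # Select the optimum BPDU: received root path cost plus the local link cost (S).
            cands = [(received[p][0], received[p][1] + PEER[p][1],
                      received[p][2], received[p][3], p)
                     for p in ports if received[p] is not None]
            best = min(cands) if cands else None
            if best is None or best[0] >= prio:
                root_id, root_cost, root_port = prio, 0, None   # this switch is the root
            else:
                root_id, root_cost, root_port = best[0], best[1], best[4]
            for p in ports:
                own: BPDU = (root_id, root_cost, prio, p)
                if p == root_port:
                    roles[p], bpdus[p] = "root", received[p]        # keeps the received BPDU
                elif received[p] is None or own < received[p]:
                    roles[p], bpdus[p] = "designated", own          # rewrites with local IDs
                else:
                    roles[p], bpdus[p] = "blocked", received[p]     # receives, never transmits
    return {p: (roles[p], bpdus[p]) for p in OWNER}


if __name__ == "__main__":
    for port, (role, bpdu) in run_stp().items():
        print(f"{port}: {role:10s} {bpdu}")
```

The result reproduces the stabilized tree of Figure 2-5: BP1 and CP2 become root ports with BPDUs {0, 0, 0, AP1} and {0, 5, 1, BP2}, CP1 is blocked, and the remaining ports are designated.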

To simplify the description, the example has been simplified. For example, in the actual calculation the root ID and the designated switch ID comprise both the switch priority and the switch MAC address, and the designated port ID comprises the port priority and the port MAC address. In the updating process of a configuration BPDU, the fields other than the first four are also modified according to certain rules. The basic calculation process is described below:

Configuration BPDU forwarding mechanism in STP:

Upon initialization of the network, all the switches regard themselves as the root. The designated ports send the configuration BPDUs of their local ports at a regular interval of HelloTime. If it is the root port that receives the configuration BPDU, the switch starts a timer for the configuration BPDU and increases the MessageAge carried in it by certain rules. If a path fails, the root port on this path no longer receives configuration BPDUs, and the old configuration BPDUs are discarded due to timeout. Recalculation of the spanning tree is then initiated to generate a new path to replace the failed one and thus restore network connectivity.

However, the newly recalculated configuration BPDU is not propagated throughout the network right away, so the old root ports and designated ports that have not yet detected the topology change still forward data along the old path. If the new root port and designated port began to forward data immediately after being elected, a transient loop could occur. In RSTP, a transitional state mechanism is therefore adopted to ensure that the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again. That is, the root port and designated port undergo a transitional state for a period of Forward Delay before they enter the forwarding state.

MSTP is compatible with STP and RSTP. An MSTP switch can recognize both STP and RSTP packets and calculate the spanning tree with them. Besides the basic MSTP functions, the Quidway Ethernet Switch Series also provides features that make management easier for users, including root bridge hold, secondary root bridge, Root protection, BPDU protection, protocol hot swapping, master/slave switchover and so on.

2.2 Configure MSTP

MSTP configuration includes:

Configure the MST region for a switch

Specify the switch as primary or secondary root switch

Configure the MSTP running mode

Configure the Bridge priority for a switch

Configure the max hops in an MST region

Configure the switching network diameter

Configure the time parameters of a switch

Configure the max transmission speed on a port

Configure a port as an edge port

Configure the Path Cost of a port

Configure the priority of a port

Configure the port (not) to connect with the point-to-point link

Configure the mCheck variable of a port

Configure the switch security function

Enable MSTP on the device

Enable MSTP on a port

Only after MSTP is enabled on the device do the other configurations take effect. Before enabling MSTP, you can configure the related parameters of the device and its Ethernet ports; they take effect once MSTP is enabled and remain effective even after MSTP is reset. The check command shows the region parameters yet to take effect, and the display active-region-configuration command shows the parameters configured before MSTP was enabled. Parameters configured after MSTP is enabled can be shown with the related display commands. For detailed information, refer to the "Display and Debug MSTP" section.

You do not have to perform all the tasks mentioned to configure MSTP. Many of them adjust MSTP parameters that have default values; you can configure these parameters according to the actual conditions or simply take the defaults. For details, refer to the task description or the Command Manual.

Note:

When GVRP and MSTP are started on the switch simultaneously, GVRP packets propagate along the CIST, which is a spanning tree instance. In this case, if you want to advertise a certain VLAN through GVRP on the network, make sure that the VLAN is mapped to the CIST when configuring the VLAN mapping table of MSTP. The CIST is spanning tree instance 0.

2.2.1 Configure the MST Region for a Switch

Which MST region a switch belongs to is determined by the configuration of the region name, the VLAN mapping table and the MSTP revision level. You can perform the following configurations to put a switch into an MST region.

Follow the procedure listed in the table below and perform these configurations from system view.

I. Enter MST region view

Perform the following configuration in system view.

Table 2-1 Enter MST region view

Operation: Enter MST region view (from system view)
Command: stp region-configuration

Operation: Restore the default settings of the MST region
Command: undo stp region-configuration

II. Configure the MST Region

Perform the following configuration in MST region view.


Table 2-2 Configure the MST region for a switch

Operation: Configure the MST region name
Command: region-name name

Operation: Restore the default MST region name
Command: undo region-name

Operation: Configure the VLAN mapping table
Command: instance instance-id vlan vlan-list

Operation: Restore the default VLAN mapping table
Command: undo instance

Operation: Configure the MSTP revision level of the MST region
Command: revision-level level

Operation: Restore the MSTP revision level of the MST region
Command: undo revision-level

An MST region can contain up to 17 spanning tree instances, of which Instance 0 is the IST and Instances 1 through 16 are MSTIs. Upon completion of the above configurations, the current switch is put into the specified MST region. Note that two switches belong to the same MST region only if they have been configured with the same MST region name, the same STI-VLAN mapping table and the same MST region revision level.

Configuring the related parameters of the MST region, especially the VLAN mapping table, leads to recalculation of the spanning tree and flapping of the network topology. To reduce such flapping, MSTP recalculates the spanning tree according to the new configuration only if one of the following conditions is met:

The user manually activates the configured MST region parameters, using the active region-configuration command.

The user enables MSTP, using the stp enable command.

By default, the MST region name is the first switch MAC address, all the VLANs in the MST region are mapped to the STI 0, and the MSTP region revision level is 0. You can restore the default settings of MST region, using the undo stp region-configuration command in system view.

III. Activate the MST Region Configuration and Exit the MST Region View

Perform the following configuration in MST region view.

Table 2-3 Activate the MST Region Configuration and exit the MST Region View

Operation: Show the configuration information of the MST region under revision (from MST region view)
Command: check region-configuration

Operation: Manually activate the MST region configuration (from MST region view)
Command: active region-configuration

Operation: Exit MST region view (from MST region view)
Command: quit

2.2.2 Specify the Switch as Primary or Secondary Root Switch

MSTP can determine the spanning tree root through calculation. You can also specify the current switch as the root, using the command provided by the switch.


You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree.

Perform the following configuration in system view.

Table 2-4 Specify the switch as primary or secondary root switch

Operation: Specify the current switch as the primary root switch of the specified spanning tree
Command: stp [ instance instance-id ] root primary [ bridge-diameter bridgenum ] [ hello-time centi-seconds ]

Operation: Specify the current switch as the secondary root switch of the specified spanning tree
Command: stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum ] [ hello-time centi-seconds ]

Operation: Specify the current switch not to be the primary or secondary root
Command: undo stp [ instance instance-id ] root

After a switch is configured as the primary or secondary root switch, you cannot modify the Bridge priority of the switch.

You can configure the current switch as the primary or secondary root switch of the STI (specified by the instance instance-id parameter). If the instance-id takes 0, the current switch is specified as the primary or secondary root switch of the CIST.

The root types of a switch in different STIs are independent of one another. A switch can be the primary or secondary root of any STI, but it cannot be both the primary and the secondary root of the same STI.

If the primary root is down or powered off, the secondary root will take its place, unless you configure a new primary root. Of two or more configured secondary root switches, MSTP selects the one with the smallest MAC address to take the place of the failed primary root.

When configuring the primary and secondary switches, you can also configure the network diameter and hello time of the specified switching network. For detailed information, refer to the configuration tasks “Configure switching network diameter” and “Configure the Hello Time of the switch”.

Note:

You can configure the current switch as the root of several STIs; however, do not specify two or more primary roots for one STI, in other words, do not specify the primary root of an STI on two or more switches. You can configure more than one secondary root for a spanning tree by specifying the secondary root of the STI on two or more switches. Generally, you are recommended to designate one primary root and several secondary roots for a spanning tree.


By default, a switch is neither the primary root nor the secondary root of the spanning tree.

2.2.3 Configure the MSTP Running Mode

MSTP and RSTP are compatible and can recognize each other's packets. However, STP cannot recognize MSTP packets. To implement compatibility, MSTP provides two operation modes: STP-compatible mode and MSTP mode. In STP-compatible mode, the switch sends STP packets via every port and serves as a region by itself. In MSTP mode, the switch ports send MSTP packets, or STP packets when connected to an STP switch, and the switch provides the multiple spanning tree function.

You can use the following command to configure the MSTP running mode. MSTP can interoperate with STP: if there is an STP switch in the switching network, use the command to configure the current MSTP switch to run in STP-compatible mode; otherwise, configure it to run in MSTP mode.

Perform the following configuration in system view.

Table 2-5 Configure the MSTP running mode

Operation                                      Command
Configure MSTP to run in STP-compatible mode   stp mode stp
Configure MSTP to run in MSTP mode             stp mode mstp
Restore the default MSTP running mode          undo stp mode

Generally, if there is an STP switch in the switching network, the port connected to it automatically transits from MSTP mode to STP-compatible mode. The port cannot automatically transit back to MSTP mode after the STP switch is removed; see the mCheck operation in 2.2.13.

By default, MSTP runs in MSTP mode.

2.2.4 Configure the Bridge Priority for a Switch

Whether a switch can be elected as the spanning tree root depends on its Bridge priority. The switch configured with a smaller Bridge priority is more likely to become the root. An MSTP switch may have different priorities in different STIs.

You can use the following command to configure the Bridge priorities of the designated switch in different STIs.

Perform the following configuration in system view.


Table 2-6 Configure the Bridge priority for a switch

Operation                                                      Command
Configure the Bridge priority of the designated switch         stp [ instance instance-id ] bridge-priority priority
Restore the default Bridge priority of the designated switch   undo stp [ instance instance-id ] bridge-priority

When configuring the switch priority with the instance instance-id parameter as 0, you are configuring the CIST priority of the switch.

Caution:

In the process of spanning tree root election, if two or more switches share the lowest Bridge priority, the one with the smaller MAC address is elected as the root.

By default, the switch Bridge priority is 32768.

2.2.5 Configure the Max Hops in an MST Region

The scale of an MST region is limited by the max hops configured on the region root. As a configuration BPDU travels from the spanning tree root, each switch that forwards it decrements the remaining hop count by 1, and a switch discards a configuration BPDU whose hop count has reached 0. Switches beyond the max hops therefore cannot take part in the spanning tree calculation, which limits the scale of the MST region.

You can use the following command to configure the max hops in an MST region.

Perform the following configuration in system view.

Table 2-7 Configure the max hops in an MST region

Operation                                        Command
Configure the max hops in an MST region          stp max-hops hop
Restore the default max hops in an MST region    undo stp max-hops

The more the hops in an MST region, the larger the scale of the region. Only the max hops configured on the region root can limit the scale of MST region. Other switches in the MST region also apply the configurations on the region root, even if they have been configured with max hops.

By default, the max hops of an MST region is 20.


2.2.6 Configure the Switching Network Diameter

Any two hosts on the switching network are connected by a path that passes through a series of switches. Among all such paths, the one passing through the most switches defines the network diameter, expressed as the number of switches passed.

You can use the following command to configure the diameter of the switching network.

Perform the following configuration in system view.

Table 2-8 Configure the switching network diameter

Operation                                         Command
Configure the switching network diameter          stp bridge-diameter bridgenum
Restore the default switching network diameter    undo stp bridge-diameter

The network diameter is the parameter that specifies the network scale. The larger the diameter, the larger the scale.

When a user configures the network diameter on a switch, MSTP automatically calculates and sets the hello time, forward-delay time and maximum-age time of the switch to the desirable values.

Setting the network diameter takes effect on CIST only, but has no effect on MSTI.

By default, the network diameter is 7 and the three corresponding timers take the default values.

2.2.7 Configure the Time Parameters of a Switch

The switch has three time parameters, Forward Delay, Hello Time, and Max Age.

Forward Delay governs the state transition of the switch. The spanning tree is recalculated upon a link fault and its structure changes accordingly, but the recalculated configuration BPDUs cannot be propagated throughout the network immediately. Temporary loops may occur if the new root port and designated ports forward data right after being elected, so the protocol adopts a state transition mechanism: a newly elected root port or designated port takes a Forward Delay interval to transit from the learning state to the forwarding state. The Forward Delay guarantees a period of time during which the new configuration BPDUs can be propagated throughout the network.

The switch sends Hello packets periodically at the interval specified by Hello Time to check whether there is any link fault.

Max Age specifies when a configuration BPDU expires. The switch discards expired configuration BPDUs.


You can use the following command to configure the time parameters for the switch.

Perform the following configuration in system view.

Table 2-9 Configure the time parameters of a switch

Operation                                   Command
Configure Forward Delay on the switch       stp timer forward-delay centiseconds
Restore the default Forward Delay           undo stp timer forward-delay
Configure Hello Time on the switch          stp timer hello centiseconds
Restore the default Hello Time              undo stp timer hello
Configure Max Age on the switch             stp timer max-age centiseconds
Restore the default Max Age                 undo stp timer max-age

Every switch on the switching network adopts the values of the time parameters configured on the root switch of the CIST.

Caution:

The Forward Delay configured on a switch depends on the switching network diameter. Generally, the larger the network diameter, the longer the Forward Delay should be. Too short a Forward Delay may temporarily create loops along redundant paths, while too long a Forward Delay prolongs the time the network needs to resume connectivity. The default value is recommended.

A suitable Hello Time lets the switch detect link faults on the network while occupying a moderate amount of network resources. The default value is recommended. If the Hello Time is too long, a packet dropped over a link may be mistaken for a link fault and the network devices will recalculate the spanning tree; if it is too short, the switch sends configuration BPDUs frequently, which adds to its load and wastes network resources.

Too short a Max Age may cause the network devices to recalculate the spanning tree frequently and to mistake congestion for a link fault. Too long a Max Age may prevent the network devices from discovering a link fault and recalculating the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.

To avoid frequent network flapping, the values of Hello Time, Forward Delay and Max Age should satisfy the following inequalities:

2 * (Forward Delay - 1 second) >= Max Age

Max Age >= 2 * (Hello Time + 1 second)

You are recommended to use the stp root primary command to specify the network diameter and Hello Time of the switching network, thus MSTP will automatically calculate and give the rather desirable values.


By default, Forward Delay is 15 seconds, Hello Time is 2 seconds, and Max Age is 20 seconds.
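The two inequalities above can be checked mechanically before the timers are typed in. The following is an added example written for this edition, not code from the manual or from Huawei: it validates a Hello Time, Forward Delay and Max Age (in seconds) against the two constraints, reports the Max Age range that would satisfy both, and renders the Table 2-9 commands in the centiseconds the CLI expects. The function names are the example's own, and the value ranges the CLI itself accepts are not checked here.

```python
"""Consistency check for the MSTP timers in section 2.2.7.

Added example, not part of the manual: the constraints are the two
inequalities the manual gives; the function names are this example's own.
"""

# Factory defaults stated in the manual, in seconds.
DEFAULT_HELLO = 2.0
DEFAULT_FORWARD_DELAY = 15.0
DEFAULT_MAX_AGE = 20.0


def max_age_bounds(hello, forward_delay):
    """Return (low, high): the Max Age values (seconds) that satisfy
    max_age >= 2 * (hello + 1) and 2 * (forward_delay - 1) >= max_age.
    If low > high, no Max Age works and Hello Time or Forward Delay
    must be changed first."""
    return 2 * (hello + 1), 2 * (forward_delay - 1)


def timer_violations(hello, forward_delay, max_age):
    """Return a list of human-readable violations; an empty list means the
    three timers are consistent and should not cause flapping."""
    low, high = max_age_bounds(hello, forward_delay)
    problems = []
    if max_age > high:
        problems.append(
            f"2*(forward-delay - 1) = {high:g}s is below max-age {max_age:g}s; "
            f"raise forward-delay to at least {max_age / 2 + 1:g}s")
    if max_age < low:
        problems.append(
            f"max-age {max_age:g}s is below 2*(hello + 1) = {low:g}s; "
            f"raise max-age or lower hello")
    return problems


def timer_commands(hello, forward_delay, max_age):
    """Render the system-view commands from Table 2-9. The CLI takes
    centiseconds; the permitted value ranges are not checked here
    (see the Command Manual). Raises ValueError on inconsistent timers."""
    problems = timer_violations(hello, forward_delay, max_age)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"stp timer hello {round(hello * 100)}",
        f"stp timer forward-delay {round(forward_delay * 100)}",
        f"stp timer max-age {round(max_age * 100)}",
    ]


if __name__ == "__main__":
    print("\n".join(timer_commands(DEFAULT_HELLO, DEFAULT_FORWARD_DELAY,
                                   DEFAULT_MAX_AGE)))
    # A Forward Delay of 4 s cannot support the default Max Age of 20 s.
    for problem in timer_violations(2, 4, 20):
        print("violation:", problem)
```

Run it as a script to see the default commands followed by the violation reported for a 4-second Forward Delay; with the defaults the check passes, since 2 * (15 - 1) = 28 >= 20 and 20 >= 2 * (2 + 1) = 6.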

2.2.8 Configure the Max Transmission Speed on a Port

The max transmission speed of a port specifies how many MSTP packets the port may transmit in each Hello Time.

The max transmission speed of a port is limited by the physical state of the port and the network structure. You can configure it according to the network conditions.

You can configure the max transmission speed on a port in the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-10 Configure the max transmission speed on a port

Operation                                        Command
Configure the max transmission speed on a port   stp interface interface-list transit-limit packetnum
Restore the max transmission speed on a port     undo stp interface interface-list transit-limit

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-11 Configure the max transmission speed on a port

Operation                                        Command
Configure the max transmission speed on a port   stp transit-limit packetnum
Restore the max transmission speed on a port     undo stp transit-limit

You can configure the max transmission speed on a port with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

This parameter is a relative value without units. If it is set too large, too many packets are transmitted in every Hello Time and too many network resources are occupied. The default value is recommended.

By default, the max transmission speed on every Ethernet port of the switch is 3.


2.2.9 Configure a Port as an Edge Port

An edge port is a port that is not connected to any switch, either directly or indirectly through the network attached to it.

You can configure a port as an edge port or non-edge port in the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-12 Configure a port as an edge port or a non-edge port

Operation                                                  Command
Configure a port as an edge port                           stp interface interface-list edged-port enable
Configure a port as a non-edge port                        stp interface interface-list edged-port disable
Restore the default setting (non-edge port) of the port    undo stp interface interface-list edged-port

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-13 Configure a port as an edge port or a non-edge port

Operation                                                  Command
Configure a port as an edge port                           stp edged-port enable
Configure a port as a non-edge port                        stp edged-port disable
Restore the default setting (non-edge port) of the port    undo stp edged-port

You can configure a port as an edge port or a non-edge port with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

After being configured as an edge port, the port can transit from the blocking state to the forwarding state without delay. If BPDU protection is not enabled on the switch, the configured edge port turns into a non-edge port again when it receives a BPDU. If BPDU protection is enabled, the port is disabled instead. This parameter takes effect on all the STIs: if a port is configured as an edge port or a non-edge port, it is configured the same on all the STIs.

It is better to configure BPDU protection on the edge ports, so as to prevent the switch from being attacked with forged BPDUs.

When BPDU protection is not enabled on the switch, a port runs as a non-edge port once it receives a BPDU, even if the user has set it as an edge port.


By default, all the Ethernet ports of the switch have been configured as non-edge ports.

Note:

It is better to configure the ports directly connected to terminals as edge ports and to enable BPDU protection on the switch. This achieves fast state transition and prevents the switch from being attacked.

2.2.10 Configure the Path Cost of a Port

Path Cost is related to the speed of the link connected to the port. On the MSTP switch, a port can be configured with different path costs for different STIs. Thus the traffic from different VLANs can run over different physical links, thereby implementing the VLAN-based load-balancing.

You can configure the path cost of a port in the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-14 Configure the Path Cost of a port

Operation                               Command
Configure the Path Cost of a port       stp interface interface-list [ instance instance-id ] cost cost
Restore the default path cost of a port undo stp interface interface-list [ instance instance-id ] cost

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-15 Configure the Path Cost of a port

Operation                               Command
Configure the Path Cost of a port       stp [ instance instance-id ] cost cost
Restore the default path cost of a port undo stp [ instance instance-id ] cost

You can configure the path cost of a port with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

When the path cost of a port changes, MSTP recalculates the port role and changes the port state accordingly. When instance-id is 0, the path cost is set on the CIST.

By default, MSTP is responsible for calculating the port path cost.


2.2.11 Configure the Priority of a Port

In spanning tree calculation, the port priority is an important factor in determining whether a port is elected as the root port. With other things being equal, the port with the highest priority is elected as the root port. On an MSTP switch, a port can have different priorities in different STIs and therefore play different roles in them. Thus the traffic from different VLANs can run over different physical links, implementing VLAN-based load balancing.

You can configure the port priority in the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-16 Configure the port priority

Operation                          Command
Configure the port priority        stp interface interface-list [ instance instance-id ] port priority priority
Restore the default port priority  undo stp interface interface-list [ instance instance-id ] port priority

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-17 Configure the port priority

Operation                          Command
Configure the port priority        stp [ instance instance-id ] port priority priority
Restore the default port priority  undo stp [ instance instance-id ] port priority

You can configure the port priority with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

When the port priority changes, MSTP recalculates the port role and changes the port state accordingly, so any change of Ethernet port priority leads to spanning tree recalculation. A smaller value represents a higher priority. If all the Ethernet ports of a switch are configured with the same priority value, the ports are differentiated by their index numbers. You can configure the port priority per actual networking requirements.

By default, the priority of all the Ethernet ports is 128.


2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link

The point-to-point link directly connects two switches.

You can configure the port (not) to connect with the point-to-point link in the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-18 Configure the port (not) to connect with the point-to-point link

Operation                                                                          Command
Configure the port to connect with the point-to-point link                         stp interface interface-list point-to-point force-true
Configure the port not to connect with the point-to-point link                     stp interface interface-list point-to-point force-false
Configure MSTP to automatically detect whether the port is connected with a point-to-point link   stp interface interface-list point-to-point auto
Restore the default (automatic detection)                                          undo stp interface interface-list point-to-point

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-19 Configure the port (not) to connect with the point-to-point link

Operation                                                                          Command
Configure the port to connect with the point-to-point link                         stp point-to-point force-true
Configure the port not to connect with the point-to-point link                     stp point-to-point force-false
Configure MSTP to automatically detect whether the port is connected with a point-to-point link   stp point-to-point auto
Restore the default (automatic detection)                                          undo stp point-to-point

You can configure the port (not) to connect with the point-to-point link with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

Ports connected to a point-to-point link can, once certain port role conditions are met, transit to the forwarding state quickly by exchanging synchronization packets, thereby avoiding unnecessary forwarding delay. If the parameter is configured as auto, MSTP automatically detects whether the current Ethernet port is connected to a point-to-point link.


Note:

For a link aggregation, only the master port can be configured to connect with a point-to-point link. A port in auto-negotiation mode can be configured to connect with a point-to-point link if it operates in full-duplex mode after negotiation.

This configuration takes effect on the CIST and all the MSTIs: the point-to-point setting of a port applies to all the STIs to which the port belongs. Note that a temporary loop may occur if you force a port that is not physically connected to a point-to-point link to be treated as connected to one.

By default, the parameter is configured as auto.

2.2.13 Configure the mCheck Variable of a Port

The port of an MSTP switch operates in either STP-compatible or MSTP mode.

Suppose a port of an MSTP switch on a switching network is connected to an STP switch, the port will automatically transit to operate in STP-compatible mode. However, the port stays in STP-compatible mode and cannot automatically transit back to MSTP mode when the STP switch is removed. In this case, you can perform mCheck operation to transit the port to MSTP mode by force.

You can use the following measure to perform mCheck operation on a port.

I. Configure in system view

Perform the following configuration in system view.

Table 2-20 Configure the mCheck variable of a port

Operation                           Command
Perform mCheck operation on a port  stp interface interface-list mcheck

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-21 Configure the mCheck variable of a port

Operation                           Command
Perform mCheck operation on a port  stp mcheck


You can configure mCheck variable on a port with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

Note that the command can be used only if the switch runs MSTP. The command does not make any sense when the switch runs in STP-compatible mode.

2.2.14 Configure the Switch Security Function

An MSTP switch provides BPDU protection and Root protection functions.

For an access device, an access port is generally connected directly to a user terminal (for example, a PC) or a file server, and is set as an edge port to implement fast transition. When such a port receives a BPDU, the system automatically sets it as a non-edge port and recalculates the spanning tree, which causes the network topology to flap. Normally these ports never receive STP BPDUs, so if someone forges BPDUs to attack the switch, the network flaps. BPDU protection is used against this kind of attack.

The primary and secondary root switches of a spanning tree, especially those of the CIST, should be located in the same region, because in network design the primary and secondary roots of the CIST are generally placed in the high-bandwidth core region. In case of a configuration error or a malicious attack, the legal primary root may receive a BPDU with a higher priority and lose its place, causing an erroneous topology change. Because of this illegal change, traffic that should travel over the high-speed links may be pulled onto low-speed links and congest the network. Root protection is used against this problem.

The root port and the other blocked ports maintain their state according to the BPDUs sent by the upstream switch. If the link is congested or faulty, these ports stop receiving BPDUs and the switch selects a root port again: the former root port becomes a designated port and the formerly blocked ports enter the forwarding state, so a loop is generated.

Loop protection controls the generation of such loops. After it is enabled, the root port does not change, and blocked ports stay in the Discarding state and do not forward packets, which avoids the loop.

You can use the following command to configure the security functions of the switch.

Perform the following configuration in corresponding configuration modes.


Table 2-22 Configure the switch security function

Operation                                                            Command
Enable BPDU protection (system view)                                 stp bpdu-protection
Restore the default, BPDU protection disabled (system view)          undo stp bpdu-protection
Enable Root protection (system view)                                 stp interface interface-list root-protection
Restore the default, Root protection disabled (system view)          undo stp interface interface-list root-protection
Enable Root protection (Ethernet port view)                          stp root-protection
Restore the default, Root protection disabled (Ethernet port view)   undo stp root-protection
Enable loop protection (Ethernet port view)                          stp loop-protection
Restore the default, loop protection disabled (Ethernet port view)   undo stp loop-protection

When BPDU protection is enabled, MSTP disables any edge port that receives a BPDU and notifies the network administrator at the same time. Such ports can be brought back up by the network administrator only.

A port configured with Root protection can only play the role of designated port in every instance. Whenever such a port receives a higher-priority BPDU, that is, whenever it is about to become a non-designated port, it is set to the listening state and stops forwarding packets, as if the link on the port were disconnected. If the port receives no higher-priority BPDU for a certain period of time thereafter, it resumes the normal state.

Only one of loop protection, Root protection and the edge port configuration can be in effect on a port at any given time.

By default, the switch does not enable BPDU protection or Root protection.

For more about the configuration commands, refer to the Command Manual.
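The tie-break in the caution of 2.2.4 and the two guards described in this section both reduce to comparing the bridge IDs carried in BPDUs. The following added example, written for this edition and not taken from the manual or from any Huawei software, builds and parses 802.1D Configuration BPDUs (the 35-byte layout that RST BPDUs also begin with), encodes a bridge ID so that a plain integer comparison reproduces the root election (lowest priority, then lowest MAC), and models what an edge port with BPDU protection, an unprotected edge port and a root-protected port do when a BPDU arrives. The sample frames are constructed, not captured; the decision function follows the manual's description and, as a simplification, compares only the advertised root ID rather than the full priority vector (root path cost, sender bridge ID, port ID) that a real implementation also evaluates.

```python
"""Parse Configuration BPDUs and model BPDU protection and Root protection.

Added example, not the switch's own code. The frames below are constructed.
"""
import struct
from dataclasses import dataclass

# LLC header of a spanning tree frame: DSAP 0x42, SSAP 0x42, control 0x03.
LLC_STP = bytes([0x42, 0x42, 0x03])
BPDU_TYPE_TCN = 0x80


def bridge_id(priority: int, mac: str) -> int:
    """Encode a bridge ID as the election compares it: 16-bit priority in
    the high bits, 48-bit MAC below. A numerically lower ID wins, which is
    exactly 'lowest priority, then lowest MAC' from the caution in 2.2.4."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def elect_root(candidates) -> int:
    """Return the winning bridge ID among (priority, mac) pairs."""
    return min(bridge_id(p, m) for p, m in candidates)


@dataclass(frozen=True)
class Bpdu:
    version: int
    bpdu_type: int
    root_id: int          # Root Identifier field
    root_path_cost: int
    sender_id: int        # Bridge Identifier field of the sending switch
    port_id: int
    max_age: float        # seconds
    hello: float
    forward_delay: float


def build_config_bpdu(root_prio, root_mac, cost, bridge_prio, bridge_mac,
                      port_id=0x8001, max_age=20, hello=2, fwd=15) -> bytes:
    """Build a version-0 Configuration BPDU (35 bytes) with message age 0.
    Timers are given in whole seconds and encoded in the wire unit of 1/256 s."""
    root = struct.pack("!Q", bridge_id(root_prio, root_mac))
    sender = struct.pack("!Q", bridge_id(bridge_prio, bridge_mac))
    return (struct.pack("!HBBB", 0, 0, 0, 0)   # protocol id, version, type, flags
            + root + struct.pack("!I", cost) + sender
            + struct.pack("!HHHHH", port_id, 0,
                          max_age * 256, hello * 256, fwd * 256))


def parse_bpdu(frame: bytes) -> Bpdu:
    """Decode the BPDU that follows the LLC header. TCN BPDUs carry no
    priority vector and are rejected, as are truncated frames."""
    if frame[:3] != LLC_STP:
        raise ValueError("not a spanning tree LLC frame")
    body = frame[3:]
    if len(body) < 4:
        raise ValueError("BPDU truncated")
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError(f"unknown protocol identifier {proto}")
    if btype == BPDU_TYPE_TCN:
        raise ValueError("TCN BPDU carries no bridge IDs")
    if len(body) < 35:
        raise ValueError("BPDU truncated")
    # body[4] is the flags byte; the priority vector and timers follow it.
    root, cost, sender, port, _msg_age, max_age, hello, fwd = struct.unpack(
        "!QIQHHHHH", body[5:35])
    return Bpdu(version, btype, root, cost, sender, port,
                max_age / 256, hello / 256, fwd / 256)


def port_action(frame: bytes, *, edge_port: bool, bpdu_protection: bool,
                root_protection: bool, current_root_id: int) -> str:
    """What happens when a BPDU arrives, following the description in 2.2.14.
    Returns 'shutdown', 'demote-to-non-edge', 'discarding' or 'process'.
    Assumption of this example: root protection is triggered by a better
    advertised root ID only, not by the full priority vector."""
    bpdu = parse_bpdu(frame)
    if edge_port:
        # With BPDU protection the port is disabled and the operator must
        # re-enable it; without it the port silently becomes a non-edge port
        # and the spanning tree is recalculated (topology flap).
        return "shutdown" if bpdu_protection else "demote-to-non-edge"
    if root_protection and bpdu.root_id < current_root_id:
        # A superior root claim on a root-protected designated port: hold
        # the port out of forwarding rather than accept the new root.
        return "discarding"
    return "process"


# Constructed sample frames: the legitimate CIST root in the core, and a
# rogue BPDU claiming priority 0, as a tool on a user-facing port might send.
CORE_ROOT_ID = bridge_id(4096, "00:e0:fc:ff:ff:ff")
CORE_FRAME = LLC_STP + build_config_bpdu(4096, "00:e0:fc:ff:ff:ff", 20,
                                          4096, "00:e0:fc:ff:ff:ff")
ROGUE_FRAME = LLC_STP + build_config_bpdu(0, "00:00:00:00:00:01", 0,
                                           0, "00:00:00:00:00:01")

if __name__ == "__main__":
    print(parse_bpdu(ROGUE_FRAME))
    print(port_action(ROGUE_FRAME, edge_port=True, bpdu_protection=True,
                      root_protection=False, current_root_id=CORE_ROOT_ID))
```

The rogue frame wins any election because its bridge ID is numerically the smallest possible, which is precisely why an access port must either be an edge port with BPDU protection (the port is shut down) or, on an uplink, carry root protection (the port goes to discarding instead of re-rooting the network).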

2.2.15 Enable MSTP on the Device

You can use the following command to enable MSTP on the device.

Perform the following configuration in system view.

Table 2-23 Enable/Disable MSTP on a device

Operation                                      Command
Enable MSTP on a device                        stp enable
Disable MSTP on a device                       stp disable
Restore the default (MSTP disabled)            undo stp

Only if MSTP has been enabled on the device will other MSTP configurations take effect.


By default, MSTP is disabled.

2.2.16 Enable/Disable MSTP on a Port

You can use the following command to enable/disable MSTP on a port. You may disable MSTP on some Ethernet ports of a switch to spare them from spanning tree calculation. This is a measure to flexibly control MSTP operation and save the CPU resources of the switch.

MSTP can be enabled/disabled on a port through the following ways.

I. Configure in system view

Perform the following configuration in system view.

Table 2-24 Enable/Disable MSTP on a port

Operation                                  Command
Enable MSTP on a port                      stp interface interface-list enable
Disable MSTP on a port                     stp interface interface-list disable
Restore the default MSTP state on the port undo stp interface interface-list

II. Configure in Ethernet port view

Perform the following configuration in Ethernet port view.

Table 2-25 Enable/Disable MSTP on a port

Operation                                  Command
Enable MSTP on a port                      stp enable
Disable MSTP on a port                     stp disable
Restore the default MSTP state on the port undo stp

You can enable/disable MSTP on a port with either of the above-mentioned measures. For more about the commands, refer to the Command Manual.

Note that disabling MSTP on a port leaves any redundant path through that port unblocked, so a loop may be generated.

By default, MSTP is enabled on all the ports after it is enabled on the device.

2.3 Display and Debug MSTP

After the above configuration, execute the display command in any view to display the running MSTP configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the MSTP module. Execute the debugging command in user view to debug the MSTP module.


Table 2-26 Display and Debug MSTP

Operation                                                          Command
Show the configuration of the current port and the switch          display stp [ instance instance-id ] [ interface interface-list | slot slot-num ] [ brief ]
Show the configuration of the region                               display stp region-configuration
Clear the MSTP statistics                                          reset stp [ interface interface-list ]
Enable/disable MSTP debugging (packet receiving/transmitting, event, error) on a port   [ undo ] debugging stp [ interface interface-list ] { packet | event }
Enable/disable global MSTP debugging                               [ undo ] debugging stp { global-event | global-error | all }
Enable/disable debugging of a specified STI                        [ undo ] debugging stp instance instance-id

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

10. Security


Table of Contents

Chapter 1 802.1x Configuration  1-1
1.1 802.1x Overview  1-1
1.1.1 802.1x Standard Overview  1-1
1.1.2 802.1x System Architecture  1-1
1.1.3 802.1x Authentication Process  1-2
1.1.4 Implement 802.1x on Ethernet Switch  1-3
1.2 Configure 802.1x  1-3
1.2.1 Enable/Disable 802.1x  1-4
1.2.2 Set the Port Access Control Mode  1-4
1.2.3 Set Port Access Control Method  1-5
1.2.4 Check the Users that Log on the Switch via Proxy  1-5
1.2.5 Set Supplicant Number on a Port  1-6
1.2.6 Set to Enable DHCP to Launch Authentication  1-6
1.2.7 Configure Authentication Method for 802.1x User  1-6
1.2.8 Set the Maximum Times of Authentication Request Message Retransmission  1-7
1.2.9 Set the Handshake Period of 802.1x  1-7
1.2.10 Configure Timers  1-8
1.2.11 Enable/Disable quiet-period Timer  1-9
1.3 Display and Debug 802.1x  1-9
1.4 802.1x Configuration Example  1-9

Chapter 2 AAA and RADIUS Protocol Configuration  2-1
2.1 AAA and RADIUS Protocol Overview  2-1
2.1.1 AAA Overview  2-1
2.1.2 RADIUS Protocol Overview  2-1
2.1.3 Implement AAA/RADIUS on Ethernet Switch  2-2
2.2 Configure AAA  2-3
2.2.1 Create/Delete ISP Domain  2-3
2.2.2 Configure Relevant Attributes of ISP Domain  2-4
2.2.3 Create a Local User  2-5
2.2.4 Set Attributes of Local User  2-5
2.2.5 Disconnect a User by Force  2-6
2.3 Configure RADIUS Protocol  2-7
2.3.1 Create/Delete a RADIUS Server Group  2-7
2.3.2 Set IP Address and Port Number of RADIUS Server  2-8
2.3.3 Set RADIUS Packet Encryption Key  2-9
2.3.4 Set Response Timeout Timer of RADIUS Server  2-10
2.3.5 Set Retransmission Times of RADIUS Request Packet  2-10

Page 454: S3500 Series Operation Manual

Operation Manual - Security Quidway S3500 Series Ethernet Switches Table of Contents

ii

2.3.6 Set a Real-time Accounting Interval 2-10
2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded 2-11
2.3.8 Enable/Disable Stopping Accounting Request Buffer 2-12
2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request 2-12
2.3.10 Set the Supported Type of RADIUS Server 2-13
2.3.11 Set RADIUS Server State 2-13
2.3.12 Set Username Format Transmitted to RADIUS Server 2-14
2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2-14
2.3.14 Configure Local RADIUS Server Group 2-15
2.4 Display and Debug AAA and RADIUS Protocol 2-15
2.5 AAA and RADIUS Protocol Configuration Examples 2-16
2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server 2-16
2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server 2-18
2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting 2-18
Chapter 3 HABP Configuration 3-1
3.1 HABP Overview 3-1
3.2 HABP Configuration 3-1
3.2.1 Configuring HABP Server 3-1
3.2.2 Configuring HABP Client 3-2
3.3 Displaying and Debugging HABP Attribute 3-2
Chapter 4 System-guard Configuration 4-1
4.1 System-guard Overview 4-1
4.2 System-guard Configuration 4-1
4.2.1 Enable System-guard Function 4-1
4.2.2 Set the Max Detection Count of the Affected Hosts 4-2
4.2.3 Set Parameters of Address Learning 4-2
4.3 Display and Debug System-guard 4-3


Chapter 1 802.1x Configuration

1.1 802.1x Overview

1.1.1 802.1x Standard Overview

IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control protocol. IEEE issued it in 2001 and suggested the related manufacturers should use the protocol as the standard protocol for LAN user access authentication. The 802.1x originated from the IEEE 802.11 standard, which is the standard for wireless LAN user access. The initial purpose of 802.1x was to implement the wireless LAN user access authentication. Since its principle is commonly applicable to all the LANs complying with the IEEE 802 standards, the protocol finds wide application in wired LANs.

In the LANs complying with the IEEE 802 standards, the user can access the devices and share the resources in the LAN through connecting the LAN access control device like the LAN Switch. However, in telecom access, commercial LAN (a typical example is the LAN in the office building) and mobile office etc., the LAN providers generally hope to control the user’s access. In these cases, the requirement on the above-mentioned “Port Based Network Access Control” originates.

As the name implies, “Port Based Network Access Control” means to authenticate and control all the accessed devices on the port of LAN access control device. If the user’s device connected to the port can pass the authentication, the user can access the resources in the LAN. Otherwise, the user cannot access the resources in the LAN. It equals that the user is physically disconnected.

802.1x defines port based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. The typical application environment is as follows: Each physical port of the LAN Switch only connects to one user workstation (based on the physical port) and the wireless LAN access environment defined by the IEEE 802.11 standard (based on the logical port), etc.

1.1.2 802.1x System Architecture

A system using 802.1x has the typical C/S (Client/Server) architecture. It contains three entities, illustrated in the following figure: the Supplicant System, the Authenticator System and the Authentication Server System.


The LAN access control device needs to provide the Authenticator System of 802.1x. The devices at the user side, such as computers, need to have 802.1x client (Supplicant) software installed, for example the 802.1x client provided by Huawei Technologies Co., Ltd. (or by Microsoft Windows XP). The 802.1x Authentication Server system normally resides in the carrier’s AAA center.

The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in EAP frames, which are in turn encapsulated in the packets of an upper-layer AAA protocol (e.g. RADIUS) so that they can traverse the intervening network to reach the Authentication Server. This procedure is called EAP Relay.

There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection state. The user can access and share the network resources any time through the ports. The Controlled Port will be in connecting state only after the user passes the authentication. Then the user is allowed to access the network resources.

[Figure 1-1: the Supplicant System (Supplicant PAE) exchanges EAPoL with the Authenticator System (Authenticator PAE with a Controlled Port, shown unauthorized, and an Uncontrolled Port) over the LAN; the Authenticator relays the EAP protocol exchanges, carried in a higher layer protocol, to the Authentication Server System; services offered by the Authenticator's system are reachable through the ports.]

Figure 1-1 802.1x system architecture

1.1.3 802.1x Authentication Process

802.1x uses EAP frames to carry the authentication information. The standard defines the following types of EAPoL frames:

EAP-Packet: Authentication information frame, used to carry the authentication information.


EAPoL-Start: Authentication originating frame, actively originated by the Supplicant.

EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.

EAPoL-Key: Key information frame, supporting encryption of the EAP packets.

EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of the Alert Standard Forum (ASF).

The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and then transmitted to the Authentication Server System. The EAPoL-Encapsulated-ASF-Alert is related to the network management information and terminated by the Authenticator.
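As an added illustration that is not part of the manual, the Python below decodes EAPoL frames into the five packet types listed above, extracts the EAP code, identifier and Identity from EAP-Packet frames (the only type the Authenticator relays to the server), and counts frames per source MAC, which is a useful first pass over captured PAE traffic on a port. The sample frames and the supplicant MAC are constructed; the type codes are the values IEEE 802.1X assigns.

```python
"""Decode and classify IEEE 802.1x EAPoL frames (added example, not manual code)."""
import struct
from typing import Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E                            # PAE EtherType
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1x multicast destination

# EAPoL packet type field (IEEE 802.1X-2001) for the five frame types in the text
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPoL-Start",
    2: "EAPoL-Logoff",
    3: "EAPoL-Key",
    4: "EAPoL-Encapsulated-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def build_eapol(src_mac: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Assemble an Ethernet frame carrying one EAPoL packet (used for the samples)."""
    eth = PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, ptype, len(body)) + body


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build the EAP packet carried inside an EAP-Packet frame."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes) -> dict:
    """Decode one frame; raise ValueError rather than guess on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL (EtherType 0x{ethertype:04x})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds frame")
    name = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    info = {
        "src": frame[6:12].hex(":"),
        "version": version,
        "type": name,
        # Only EAP-Packet frames are re-encapsulated (EAP Relay) towards the
        # Authentication Server; the other types are terminated by the Authenticator.
        "relayed_to_server": name == "EAP-Packet",
    }
    if name == "EAP-Packet":
        if length < 4:
            raise ValueError("EAP-Packet body shorter than the EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length field exceeds EAPoL body")
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:             # Request/Response carry a Type
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            if body[4] == 1:                             # Identity: user name in the data
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def count_by_type(frames: List[bytes]) -> Dict[str, Dict[str, int]]:
    """Per source MAC, how many frames of each EAPoL type were seen. Feeding
    captured PAE traffic through this shows, for example, a port whose
    EAPoL-Logoff count is out of proportion to its users' real logoffs."""
    counts: Dict[str, Dict[str, int]] = {}
    for frame in frames:
        info = parse_eapol(frame)
        per_src = counts.setdefault(info["src"], {})
        per_src[info["type"]] = per_src.get(info["type"], 0) + 1
    return counts


# Constructed sample frames (not captured traffic): the supplicant MAC is made
# up; the user name matches the manual's configuration example.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = {
    "start": build_eapol(SUPPLICANT_MAC, 1),
    "identity": build_eapol(SUPPLICANT_MAC, 0, eap_packet(2, 1, 1, b"localuser")),
    "logoff": build_eapol(SUPPLICANT_MAC, 2),
}

if __name__ == "__main__":
    for label, sample in SAMPLE_FRAMES.items():
        print(label, parse_eapol(sample))
    print(count_by_type(list(SAMPLE_FRAMES.values())))
```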

From the above fundamentals we can see that 802.1x provides an implementation solution of user ID authentication. However, 802.1x itself is not enough to implement the scheme. The administrator of the access device should configure the AAA scheme by selecting RADIUS or local authentication so as to assist 802.1x to implement the user ID authentication. For detailed description of AAA, refer to the corresponding AAA configuration.

1.1.4 Implement 802.1x on Ethernet Switch

Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802.1x, but also extend and optimize it in the following way:

Several End Stations can be connected downstream via one physical port. The access control (or user authentication) method can be based on port or on MAC address.

In this way, the system becomes more secure and easier to manage.

1.2 Configure 802.1x

The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet switch. When the global 802.1x is not enabled, the user can configure the 802.1x state of the port. The configured items will take effect after the global 802.1x is enabled.

Note:

1) Do not enable 802.1x and RSTP (or MSTP) simultaneously, otherwise the switch may not work normally.

2) When 802.1x is enabled on a port, the maximum number of MAC addresses learned, which is configured by the command mac-address max-mac-count, cannot be configured on the port, and vice versa.


The Main 802.1x configuration includes:

Enable/Disable 802.1x
Set the port access control mode
Set port access control method
Check the users that log on the switch via proxy
Set maximum number of users via each port
Set to enable DHCP to launch authentication
Configure authentication method for 802.1x user
Set the maximum times of authentication request message retransmission
Set the handshake period of 802.1x
Configure timers
Enable/Disable quiet-period timer

Among the above tasks, the first one is compulsory, otherwise 802.1x will not take any effect. The other tasks are optional and can be configured as required.

1.2.1 Enable/Disable 802.1x

The following commands can be used to enable/disable the 802.1x on the specified port. When no port is specified in system view, the 802.1x is enabled/disabled globally.

Perform the following configurations in system view or Ethernet port view.

Table 1-1 Enable/Disable 802.1x

Operation: Enable the 802.1x
Command: dot1x [ interface interface-list ]

Operation: Disable the 802.1x
Command: undo dot1x [ interface interface-list ]

User can configure 802.1x on individual port, but it is not enabled yet. The configuration will take effect right after 802.1x is enabled globally.

By default, 802.1x authentication has not been enabled globally and on any port.

1.2.2 Set the Port Access Control Mode

The following commands can be used for setting 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured.

Perform the following configurations in system view or Ethernet port view.


Table 1-2 Set the port access control mode

Operation: Set the port access control mode
Command: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]

Operation: Restore the default access control mode of the port
Command: undo dot1x port-control [ interface interface-list ]

By default, the mode of 802.1x performing access control on the port is auto (automatic identification mode, which is also called protocol control mode). That is, the initial state of the port is unauthorized. It only permits EAPoL packets receiving/transmitting and does not permit the user to access the network resources. If the authentication flow is passed, the port will be switched to the authorized state and permit the user to access the network resources. This is the most common case.

1.2.3 Set Port Access Control Method

The following commands are used for setting 802.1x access control method on the specified port. When no port is specified in system view, the access control method of port is configured globally.

Perform the following configurations in system view or Ethernet port view.

Table 1-3 Set port access control method

Operation: Set port access control method
Command: dot1x port-method { macbased | portbased } [ interface interface-list ]

Operation: Restore the default port access control method
Command: undo dot1x port-method [ interface interface-list ]

By default, 802.1x authentication method on the port is macbased. That is, authentication is performed based on MAC addresses.

1.2.4 Check the Users that Log on the Switch via Proxy

The following commands are used for checking the users that log on the switch via proxy.

Perform the following configurations in system view or Ethernet port view.

Table 1-4 Check the users that log on the switch via proxy

Operation: Enable the check for access users via proxy
Command: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

Operation: Cancel the check for access users via proxy
Command: undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]


By default, the check for 802.1x users accessing via proxy is not enabled.

1.2.5 Set Supplicant Number on a Port

The following commands are used for setting number of users allowed by 802.1x on specified port. When no port is specified, all the ports accept the same number of supplicants.

Perform the following configurations in system view or Ethernet port view.

Table 1-5 Set maximum number of users via specified port

Operation: Set maximum number of users via specified port
Command: dot1x max-user user-number [ interface interface-list ]

Operation: Restore the maximum number of users on the port to the default value
Command: undo dot1x max-user [ interface interface-list ]

By default, 802.1x allows up to 256 supplicants on each port for S3500 Series Ethernet switches.

1.2.6 Set to Enable DHCP to Launch Authentication

The following commands are used for setting whether 802.1x enables the Ethernet switch to launch the user ID authentication when the user runs DHCP and applies for dynamic IP addresses.

Perform the following configurations in system view.

Table 1-6 Set to enable DHCP to launch authentication

Operation: Enable DHCP to launch authentication
Command: dot1x dhcp-launch

Operation: Disable DHCP to launch authentication
Command: undo dot1x dhcp-launch

By default, authentication will not be launched when the user runs DHCP and applies for dynamic IP addresses.

1.2.7 Configure Authentication Method for 802.1x User

The following commands can be used to configure the authentication method for 802.1x users. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentication (the RADIUS server must support CHAP authentication), and EAP relay authentication (the switch sends the authentication information to the RADIUS server directly in the form of EAP packets, and the RADIUS server must support EAP authentication).

Perform the following configurations in system view.

Table 1-7 Configure authentication method for 802.1x user

Operation: Configure authentication method for 802.1x user
Command: dot1x authentication-method { chap | pap | eap md5-challenge }

Operation: Restore the default authentication method for 802.1x user
Command: undo dot1x authentication-method

By default, CHAP authentication is used for 802.1x user authentication.

1.2.8 Set the Maximum Times of Authentication Request Message Retransmission

The following commands are used for setting the maximum retransmission times of the authentication request message that the switch sends to the supplicant.

Perform the following configurations in system view.

Table 1-8 Set the maximum times of the authentication request message retransmission

Operation: Set the maximum times of the authentication request message retransmission
Command: dot1x retry max-retry-value

Operation: Restore the default maximum retransmission times
Command: undo dot1x retry

By default, the max-retry-value is 3. That is, the switch can retransmit the authentication request message to a supplicant for 3 times at most.

1.2.9 Set the handshake period of 802.1x

The following commands are used to set the handshake period of 802.1x. After the handshake period is set, the system sends a handshake packet to each online user once per period. If the dot1x retry count is configured as N and the system receives no response from a user for N consecutive handshake packets, it considers the user to have logged off and sets the user to logoff state.

Perform the following configurations in system view.


Table 1-9 Set the handshake period of 802.1x

Operation: Set the handshake period of 802.1x
Command: dot1x timer handshake-period interval

Operation: Restore the handshake period to default value
Command: undo dot1x timer handshake-period

By default, handshake period is 15s.

1.2.10 Configure Timers

The following commands are used for configuring the 802.1x timers.

Perform the following configurations in system view.

Table 1-10 Configure timers

Operation: Configure timers
Command: dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }

Operation: Restore default settings of the timers
Command: undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }

quiet-period: Specify the quiet timer. If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by quiet-period timer) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.

quiet-period-value: Specify how long the quiet period is. The value ranges from 10 to 120 in units of second.

server-timeout: Specify the timeout timer of an Authentication Server. If an Authentication Server has not responded before the specified period expires, the Authenticator will resend the authentication request.

server-timeout-value: Specify how long the duration of a timeout timer of an Authentication Server is. The value ranges from 100 to 300 in units of second.

supp-timeout: Specify the authentication timeout timer of a Supplicant. If a Supplicant has not responded before the specified period expires, Authenticator will resend the authentication request.

supp-timeout-value: Specify how long the duration of an authentication timeout timer of a Supplicant is. The value ranges from 10 to 120 in units of second.

tx-period: Specify the transmission timeout timer. If a Supplicant has not responded before the specified period expires, Authenticator will resend the authentication request.


tx-period-value: Specify how long the duration of the transmission timeout timer is. The value ranges from 10 to 120 in units of second.

By default, the quiet-period-value is 60s, the tx-period-value is 30s, the supp-timeout-value is 30s, and the server-timeout-value is 100s.

1.2.11 Enable/Disable quiet-period Timer

You can use the following commands to enable/disable a quiet-period timer of an Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by dot1x timer quiet-period command) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.

Perform the following configuration in system view.

Table 1-11 Enable/Disable a quiet-period timer

Operation: Enable a quiet-period timer
Command: dot1x quiet-period

Operation: Disable a quiet-period timer
Command: undo dot1x quiet-period
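The following added Python model is not from the manual and is a simplified reading of the descriptions in 1.2.8 to 1.2.11 rather than the switch's real state machine. It shows how tx-period, dot1x retry, the quiet-period timer and handshake-period combine into the time a port spends on a supplicant that never answers, and rejects timer values outside the ranges given for Table 1-10, which is the calculation to do before shortening quiet-period on a port exposed to many failed attempts.

```python
"""Timeline model of the 802.1x authenticator timers (added example, simplified)."""
from dataclasses import dataclass
from typing import List, Tuple

# Permitted ranges in seconds, taken from the parameter descriptions of Table 1-10
RANGES = {
    "quiet_period": (10, 120),
    "tx_period": (10, 120),
    "supp_timeout": (10, 120),
    "server_timeout": (100, 300),
}


@dataclass
class Dot1xTimers:
    """Defaults are the manual's: quiet-period 60s, tx-period 30s, supp-timeout 30s,
    server-timeout 100s, handshake-period 15s, dot1x retry 3, quiet-period timer on."""
    quiet_period: int = 60
    tx_period: int = 30
    supp_timeout: int = 30
    server_timeout: int = 100
    handshake_period: int = 15
    max_retry: int = 3
    quiet_period_enabled: bool = True

    def validate(self) -> None:
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value}s is outside the permitted {lo}..{hi}s")
        if self.max_retry < 1 or self.handshake_period < 1:
            raise ValueError("dot1x retry and handshake-period must be positive")


def is_valid(t: Dot1xTimers) -> bool:
    """True when every timer is inside its permitted range."""
    try:
        t.validate()
        return True
    except ValueError:
        return False


def silent_supplicant_timeline(t: Dot1xTimers) -> List[Tuple[int, str]]:
    """Events (seconds, description) for a port whose supplicant never answers the
    authentication request: one retransmission per expired tx-period up to
    'dot1x retry', then failure, then the quiet period if the timer is enabled."""
    t.validate()
    now = 0
    events = [(now, "send authentication request to supplicant")]
    for attempt in range(1, t.max_retry + 1):
        now += t.tx_period
        events.append((now, f"tx-period expired, retransmission {attempt} of {t.max_retry}"))
    now += t.tx_period
    events.append((now, "no response after maximum retransmissions, authentication fails"))
    if t.quiet_period_enabled:
        events.append((now + t.quiet_period, "quiet-period over, authentication may be launched again"))
    else:
        events.append((now, "quiet-period timer disabled, authentication may be launched again at once"))
    return events


def time_to_next_attempt(t: Dot1xTimers) -> int:
    """Seconds the port spends on one silent supplicant before it will process a
    new authentication; the figure to weigh when tuning quiet-period."""
    return silent_supplicant_timeline(t)[-1][0]


def handshake_logoff_delay(t: Dot1xTimers) -> int:
    """Seconds until an authenticated user that stops answering handshake packets
    is set to logoff state: N = dot1x retry consecutive unanswered handshakes."""
    t.validate()
    return t.handshake_period * t.max_retry


if __name__ == "__main__":
    defaults = Dot1xTimers()
    for when, what in silent_supplicant_timeline(defaults):
        print(f"t={when:4d}s  {what}")
    print("handshake logoff after", handshake_logoff_delay(defaults), "s")
```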

1.3 Display and Debug 802.1x

After the above configuration, execute the display command in any view to display the running state of the 802.1x configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the 802.1x statistics. Execute the debugging command in user view to debug the 802.1x module.

Table 1-12 Display and debug 802.1x

Operation: Display the configuration, running and statistics information of 802.1x
Command: display dot1x [ sessions | statistics ] [ interface interface-list ]

Operation: Reset the 802.1x statistics information
Command: reset dot1x statistics [ interface interface-list ]

Operation: Enable the error/event/packet/all debugging of 802.1x
Command: debugging dot1x { error | event | packet | all }

Operation: Disable the error/event/packet/all debugging of 802.1x
Command: undo debugging dot1x { error | event | packet | all }

1.4 802.1x Configuration Example

I. Networking requirements


As shown in the following figure, the workstation of a user is connected to the port Ethernet 0/1 of the Switch.

The switch administrator will enable 802.1x on all the ports to authenticate the supplicants and so control their access to the Internet. The access control method is configured as MAC-address based.

All the supplicants belong to the default domain huawei163.net, which can contain up to 30 users. RADIUS authentication is performed first. If there is no response from the RADIUS server, local authentication is performed. For accounting, if the RADIUS server fails to account, the user is disconnected. In addition, the user name sent for an accessing user does not carry the domain name. Normally, if the user’s traffic stays below 2 kbps consistently over 20 minutes, the user is disconnected.

A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former acts as the primary authentication/secondary accounting server. The latter acts as the secondary authentication/primary accounting server. Set the encryption key to “name” when the system exchanges packets with the authentication RADIUS server and to “money” when the system exchanges packets with the accounting RADIUS server. Configure the system to retransmit packets to the RADIUS server if no response is received within 5 seconds, and to retransmit a packet no more than 5 times in all. Configure the system to transmit a real-time accounting packet to the RADIUS server every 15 minutes. The system is instructed to transmit the user name to the RADIUS server after removing the user domain name.

The user name of the local 802.1x access user is localuser and the password is localpass (input in plain text). The idle cut function is enabled.

II. Networking diagram

[Figure 1-2: the Supplicant is connected to port E0/1 of the Switch (Authenticator); the Switch reaches the Authentication Servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2) and the Internet.]

Figure 1-2 Enabling 802.1x and RADIUS to perform AAA on the supplicant


III. Configuration procedure

Note:

The following examples concern most of the AAA/RADIUS configuration commands. For details, refer to the chapter AAA and RADIUS Protocol Configuration. The configurations of accessing user workstation and the RADIUS server are omitted.

# Enable the 802.1x performance on the specified port Ethernet 0/1.

[Quidway] dot1x interface ethernet 0/1

# Set the access control method. (This command can be omitted, because the method is MAC-based by default.)

[Quidway] dot1x port-method macbased interface ethernet 0/1

# Create the RADIUS group radius1 and enter its configuration mode.

[Quidway] radius scheme radius1

# Set the IP addresses of the primary authentication/accounting RADIUS servers.

[Quidway-radius-radius1] primary authentication 10.11.1.1

[Quidway-radius-radius1] primary accounting 10.11.1.2

# Set the IP addresses of the secondary authentication/accounting RADIUS servers.

[Quidway-radius-radius1] secondary authentication 10.11.1.2

[Quidway-radius-radius1] secondary accounting 10.11.1.1

# Set the encryption key when the system exchanges packets with the authentication RADIUS server.

[Quidway-radius-radius1] key authentication name

# Set the encryption key when the system exchanges packets with the accounting RADIUS server.

[Quidway-radius-radius1] key accounting money

# Set the timeouts and times for the system to retransmit packets to the RADIUS server.

[Quidway-radius-radius1] timer 5

[Quidway-radius-radius1] retry 5


# Set the interval for the system to transmit real-time accounting packets to the RADIUS server.

[Quidway-radius-radius1] timer realtime-accounting 15

# Configure the system to transmit the user name to the RADIUS server after removing the domain name.

[Quidway-radius-radius1] user-name-format without-domain

[Quidway-radius-radius1] quit

# Create the user domain huawei163.net and enter ISP configuration mode.

[Quidway] domain huawei163.net

# Specify radius1 as the RADIUS server group for the users in the domain huawei163.net.

[Quidway-isp-huawei163.net] radius-scheme radius1

# Set a limit of 30 users to the domain huawei163.net.

[Quidway-isp-huawei163.net] access-limit enable 30

# Enable idle cut function for the user and set the idle cut parameter in the domain huawei163.net.

[Quidway-isp-huawei163.net] idle-cut enable 20 2000

# Add a local supplicant and set its parameters.

[Quidway] local-user localuser

[Quidway-luser-localuser] service-type lan-access

[Quidway-luser-localuser] password simple localpass

# Enable the 802.1x globally.

[Quidway] dot1x


Chapter 2 AAA and RADIUS Protocol Configuration

2.1 AAA and RADIUS Protocol Overview

2.1.1 AAA Overview

Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management.

The network security mentioned here refers to access control and it includes:

Which user can access the network server?
Which service can the authorized user enjoy?
How to keep accounts for the user who is using network resources?

Accordingly, AAA shall provide the following services:

Authentication: verifies whether the user can access the network server.
Authorization: authorizes the user to use specified services.
Accounting: traces the network resources consumed by the user.

AAA generally applies a Client/Server architecture, in which the clients run as managed resources and the servers centralize and store user information. The AAA framework therefore scales well and makes centralized control and management of user information easy.

2.1.2 RADIUS Protocol Overview

As mentioned above, AAA is a management framework, so it can be implemented by some protocols. RADIUS is such a protocol frequently used.

I. What is RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol in Client/Server architecture. RADIUS protects the network from the disruption caused by unauthorized access and is often used in network environments requiring both high security and remote user access, for example to manage a large number of scattered dial-in users who use serial ports and modems. A RADIUS system is an important auxiliary part of a Network Access Server (NAS).

After RADIUS system is started, if the user wants to have right to access other network or consume some network resources through connection to NAS (dial-in access server in PSTN environment or Ethernet switch with access function in Ethernet environment), NAS, namely RADIUS client end, will transmit user AAA request to the RADIUS server. RADIUS server has a user database recording all the information of user authentication and network service access. When receiving user’s request from NAS, RADIUS server performs AAA through user database query and update and returns the configuration information and accounting data to NAS. Here, NAS controls supplicant and corresponding connections, while RADIUS protocol regulates how to transmit configuration and accounting information between NAS and RADIUS.

NAS and RADIUS exchange the information with UDP packets. During the interaction, both sides encrypt the packets with keys before uploading user configuration information (like password etc.) to avoid being intercepted or stolen.

II. RADIUS operation

A RADIUS server generally uses the proxy function of devices such as an access server to perform user authentication. The operation process is as follows: First, the user sends a request message (containing the client user name and the encrypted password) to the RADIUS server. Second, the user receives from the RADIUS server one of several kinds of response message: the ACCEPT message indicates that the user has passed the authentication, and the REJECT message indicates that the user has not passed the authentication and needs to input the user name and password again; otherwise access is refused.
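To make the key exchange described above concrete, here is an added Python example (not from the manual or the switch software) of the client and server sides of an Access-Request as RFC 2865 specifies them: the User-Password attribute is hidden with the shared key and a Request Authenticator, and the reply's Response Authenticator is checked before the ACCEPT or REJECT is trusted. The key "name" and the user localuser/localpass are the values from the 802.1x configuration example in chapter 1; the NAS address 10.11.1.100, the packet identifier and the user database are constructed.

```python
"""RADIUS Access-Request/Accept exchange with User-Password hiding (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def format_user_name(userid: str, isp_domain: str, with_domain: bool) -> str:
    """Mirror the switch's 'user-name-format { with-domain | without-domain }'."""
    return f"{userid}@{isp_domain}" if with_domain else userid


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This is what 'encrypt with the key' amounts to: only this attribute is hidden."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side inverse of hide_password; the zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value list; refuse lengths that run off the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident: int, user_name: str, password: bytes, secret: bytes,
                         nas_ip: str, request_authenticator: Optional[bytes] = None) -> bytes:
    """NAS (switch) side: Access-Request with a fresh random Request Authenticator."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user_name.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: trust an ACCEPT/REJECT only if its authenticator proves the sender
    knows the shared key and is answering this particular request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(user_name: str, password: bytes, secret: bytes, user_db: Dict[str, bytes]) -> str:
    """Both sides in one process: NAS sends, server checks its user database and
    answers, NAS verifies the answer. Returns ACCEPT, REJECT or DISCARD."""
    ident = 7                                            # constructed identifier
    request = build_access_request(ident, user_name, password, secret, "10.11.1.100")
    req_auth = request[4:20]
    # server side
    attrs = dict(parse_attributes(request[20:]))
    offered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(offered, user_db.get(attrs[ATTR_USER_NAME].decode(), b""))
    reply = build_response(CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, req_auth, secret)
    # NAS side
    if reply[1] != ident or not verify_response(reply, req_auth, secret):
        return "DISCARD"
    return "ACCEPT" if reply[0] == CODE_ACCESS_ACCEPT else "REJECT"
```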

2.1.3 Implement AAA/RADIUS on Ethernet Switch

By now we understand that in the AAA/RADIUS framework described above, Quidway Series Ethernet Switches, serving as the user access device or NAS, are the RADIUS client. In other words, the client end of AAA/RADIUS is implemented on Quidway Series Ethernet Switches. The figure below illustrates a RADIUS authentication network including Quidway Series Ethernet Switches.


[Figure 2-1: PC user1 to PC user4 connect through S3500, S3000 and S2000 series switches to ISP1 and ISP2 and on to the Internet; an Authentication Server and Accounting Server 1 sit on the ISP side.]

Figure 2-1 Networking when S3500 Series Ethernet switches apply RADIUS authentication

2.2 Configure AAA

AAA configuration includes:

Create/Delete ISP domain
Configure relevant attributes of ISP domain
Create a local user
Set attributes of local user
Disconnect a user by force

Among the above configuration tasks, creating the ISP domain is compulsory; otherwise the supplicant attributes cannot be distinguished. The other tasks are optional, and you can configure them as required.

2.2.1 Create/Delete ISP Domain

What is an Internet Service Provider (ISP) domain? To put it simply, an ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, taking userid@huawei163.net as an example, the isp-name (i.e. huawei163.net) following the @ is the ISP domain name. When Quidway Series Ethernet Switches control user access, for an ISP user whose username is in userid@isp-name format, the system takes the userid part as the username for identification and the isp-name part as the domain name.

The purpose of introducing ISP domain settings is to support a multi-ISP application environment. In such an environment, one access device might serve users of different ISPs. Because the attributes of ISP users, such as username and password formats, may differ, it is necessary to differentiate them by setting ISP domains. In ISP domain view of Quidway Series Ethernet Switches, you can configure a complete set of exclusive ISP domain attributes on a per-ISP-domain basis, including the AAA policy (the RADIUS server group applied, etc.).

For Quidway Series Ethernet Switches, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.

Perform the following configurations in system view.

Table 2-1 Create/Delete ISP domain

Operation: Create ISP domain or enter the view of a specified domain.
Command: domain [ isp-name | default { disable | enable isp-name } ]

Operation: Remove a specified ISP domain
Command: undo domain isp-name

By default, a domain named “system” has been created in the system, and the attributes of “system” are all default values. Apart from it, there is no other ISP domain in the system.

2.2.2 Configure Relevant Attributes of ISP Domain

The relevant attributes of an ISP domain include the adopted RADIUS server group, the state, and the maximum number of supplicants, where:

The adopted RADIUS server group is the one used by all the users in the ISP domain. The RADIUS server group can be used for RADIUS authentication or accounting. By default, the default RADIUS server group is used. The command shall be used together with the commands for setting the RADIUS server and server cluster. For details, refer to the Configuring RADIUS section of this chapter.

Every ISP domain has an active or block state. If an ISP domain is in the active state, the users in it can request network service; in the block state, its users cannot request any network service, although users already online are not affected. An ISP domain is in the block state when it is created, and no user in the domain is allowed to request network service.

The maximum number of supplicants specifies how many supplicants the ISP domain can contain. For any ISP domain, there is no limit to the number of supplicants by default.

The idle cut function means: if the traffic of a connection is lower than the defined traffic, the connection is cut off.

Perform the following configurations in ISP domain view.


Table 2-2 Configure relevant attributes of ISP domain

Operation: Specify the adopted RADIUS server group
Command: radius-scheme radius-scheme-name

Operation: Restore the adopted RADIUS server group to the default RADIUS server group
Command: undo radius-scheme

Operation: Specify the ISP domain state to be used
Command: state { active | block }

Operation: Set a limit to the number of supplicants
Command: access-limit { disable | enable max-user-number }

Operation: Restore the limit to the default setting
Command: undo access-limit

Operation: Set the idle-cut function
Command: idle-cut { disable | enable minute flow }

By default, after an ISP domain is created, the RADIUS server group used is the default one named “default” (for the relevant parameter configuration, refer to the Configuring RADIUS section of this chapter), the state of the domain is active, there is no limit to the number of supplicants, and the idle-cut function is disabled.

2.2.3 Create a Local User

A local user is a group of users set on the NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local user has been added on the NAS.

Perform the following configurations in system view.

Table 2-3 Create/Delete a local user and relevant properties

Operation: Add local users
Command: local-user user-name

Operation: Delete all the local users
Command: undo local-user all

Operation: Delete a local user by specifying its type
Command: undo local-user { user-name | all [ service-type { lan-access | ftp | telnet | ssh } ] }

By default, there is no local user in the system.

2.2.4 Set Attributes of Local User

The attributes of a local user include its password, state, service type and some other settings.

Perform the following configurations in system view.


Table 2-4 Set the method that a local user uses to set password

Operation: Set the method that a local user uses to set password
Command: local-user password-display-mode { cipher-force | auto }

Operation: Cancel the method that the local user uses to set password
Command: undo local-user password-display-mode

Here, auto means that the password display mode is the one specified by the user at the time of configuring the password (see the password command in the following table), and cipher-force means that the password display mode of all accessing users must be cipher text.

Perform the following configurations in local user view.

Table 2-5 Set/Remove the attributes concerned with a specified user

Operation: Set a password for a specified user
Command: password { simple | cipher } password

Operation: Remove the password set for the specified user
Command: undo password

Operation: Set the state of the specified user
Command: state { active | block }

Operation: Set a service type for the specified user
Command: service-type { ftp [ ftp-directory directory ] | lan-access | ssh [ level level | telnet [ level level ] ] | telnet [ level level | ssh [ level level ] ] }

Operation: Cancel the service type of the specified user
Command: undo service-type { ftp [ ftp-directory ] | lan-access | ssh [ level | telnet [ level ] ] | telnet [ level | ssh [ level ] ] }

Operation: Configure the attributes of lan-access users
Command: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } }*

Operation: Remove the attributes defined for the lan-access users
Command: undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

2.2.5 Disconnect a User by Force

Sometimes it is necessary to disconnect a user or a category of users by force. The system provides the following command for this purpose.

Perform the following configurations in system view.

Table 2-6 Disconnect a user by force

Operation: Disconnect a user by force
Command: cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }

By default, no online user will be disconnected by force.


2.3 Configure RADIUS Protocol

For Quidway Series Ethernet Switches, the RADIUS protocol is configured on a per-RADIUS-server-group basis. In a real networking environment, a RADIUS server group can be an independent RADIUS server or a pair of primary/secondary RADIUS servers with the same configuration but two different IP addresses. Accordingly, the attributes of every RADIUS server group include the IP addresses of the primary and secondary servers, the shared key, the RADIUS server type, etc.

Actually, RADIUS protocol configuration only defines the parameters needed for information interaction between the NAS and the RADIUS server. To make these parameters effective, it is necessary to configure, in ISP domain view, an ISP domain that uses the RADIUS server group and to specify it to use RADIUS AAA schemes. For more about the configuration commands, refer to the AAA Configuration section above.

RADIUS protocol configuration includes:

- Create/Delete a RADIUS server group
- Set IP Address and Port Number of RADIUS Server
- Set RADIUS packet encryption key
- Set response timeout timer of RADIUS server
- Set retransmission times of RADIUS request packet
- Set a real-time accounting interval
- Set maximum times of real-time accounting request failing to be responded
- Enable/Disable stopping accounting request buffer
- Set the maximum retransmitting times of stopping accounting request
- Set the Supported Type of RADIUS Server
- Set RADIUS server state
- Set username format transmitted to RADIUS server
- Set the unit of data flow transmitted to RADIUS server
- Set local RADIUS server group

Among the above tasks, creating the RADIUS server group and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed as per your requirements.

2.3.1 Create/Delete a RADIUS server Group

As mentioned above, RADIUS protocol configurations are performed on a per-RADIUS-server-group basis. Therefore, before performing other RADIUS protocol configurations, it is compulsory to create the RADIUS server group and enter its view to set its IP address.

You can use the following commands to create/delete a RADIUS server group.

Perform the following configurations in system view.


Table 2-7 Create/Delete a RADIUS server group

Operation: Create a RADIUS server group and enter its view
Command: radius scheme radius-server-name

Operation: Delete a RADIUS server group
Command: undo radius scheme radius-server-name

Several ISP domains can use a RADIUS server group at the same time.

By default, the system has a RADIUS server group named “default” whose attributes are all default values. The default attribute values will be introduced in the following text.

2.3.2 Set IP Address and Port Number of RADIUS Server

After creating a RADIUS server group, you are supposed to set IP addresses and UDP port numbers for the RADIUS servers, including the primary/secondary authentication/authorization servers and accounting servers, so you can configure up to 4 pairs of IP address and UDP port number. However, you have to set at least one IP address and UDP port number for each pair of primary/secondary servers to ensure normal AAA operation.

You can use the following commands to configure the IP address and port number for RADIUS servers.

Perform the following configurations in RADIUS server group view.

Table 2-8 Set IP Address and Port Number of RADIUS Server

Operation: Set IP address and port number of primary RADIUS authentication/authorization server.
Command: primary authentication ip-address [ port-number ]

Operation: Restore IP address and port number of primary RADIUS authentication/authorization server to the default values.
Command: undo primary authentication

Operation: Set IP address and port number of primary RADIUS accounting server.
Command: primary accounting ip-address [ port-number ]

Operation: Restore IP address and port number of primary RADIUS accounting server to the default values.
Command: undo primary accounting

Operation: Set IP address and port number of secondary RADIUS authentication/authorization server.
Command: secondary authentication ip-address [ port-number ]

Operation: Restore IP address and port number of secondary RADIUS authentication/authorization server to the default values.
Command: undo secondary authentication

Operation: Set IP address and port number of secondary RADIUS accounting server.
Command: secondary accounting ip-address [ port-number ]

Operation: Restore IP address and port number of secondary RADIUS accounting server to the default values.
Command: undo secondary accounting

In real networking environments, the above parameters shall be set according to the specific requirements. For example, you may specify 4 different address/port pairs to map 4 RADIUS servers, or specify one of two servers as the primary authentication/authorization server and secondary accounting server and the other one as the secondary authentication/authorization server and primary accounting server, or you may set all 4 pairs to exactly the same data so that one server serves as both primary and secondary AAA server.

To guarantee normal interaction between the NAS and the RADIUS server, make sure the routes between the RADIUS server and the NAS are working before setting the IP address and UDP port of the RADIUS server. In addition, because the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization and accounting packets, you shall set two different ports accordingly. As suggested by RFC 2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (In particular, on some earlier RADIUS servers the authentication/authorization port number is often set to 1645 and the accounting port number to 1646.)

The RADIUS service port settings on Quidway Series Ethernet Switches are supposed to be consistent with the port settings on RADIUS server. Normally, RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812.

By default, the IP addresses of the primary/secondary authentication/authorization and accounting servers are all 0.0.0.0, the authentication/authorization service UDP port is 1812 and the accounting service UDP port is 1813.

2.3.3 Set RADIUS Packet Encryption Key

The RADIUS client (the switch system) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify each packet by means of the configured encryption key. Only when the keys are identical can both ends accept the packets from each other and respond.

You can use the following commands to set the encryption key for RADIUS packets.

Perform the following configurations in RADIUS server group view.

Table 2-9 Set RADIUS packet encryption key

Operation: Set RADIUS authentication/authorization packet encryption key
Command: key authentication string

Operation: Restore the default RADIUS authentication/authorization packet encryption key.
Command: undo key authentication

Operation: Set RADIUS accounting packet key
Command: key accounting string

Operation: Restore the default RADIUS accounting packet key
Command: undo key accounting

By default, the keys of RADIUS authentication/authorization and accounting packets are all “huawei”.
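The shared-key mechanics behind the RADIUS operation description and this section, as an added example that is not part of the manual and not Quidway code: the NAS hides the User-Password attribute with the key, and the Response Authenticator lets the NAS reject a reply built with a different key (the symptom listed under fault one, item 4, in the troubleshooting section). It follows RFC 2865; the key "expert" is taken from the 2.5.1 example, and the username, password and Request Authenticator are constructed.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous cipher block), seeded with the
    Request Authenticator. Only a holder of the same key can undo it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """What the NAS sends: the password travels only in hidden form."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    return HEADER.pack(CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the server sends back; its authenticator is bound to the request."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with its own key. A reply
    built with a different key, or a modified reply, fails here and is dropped."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed exchange: a reply made with the matching key verifies,
    one made with a different key ("huawei", the manual's default) does not."""
    secret = b"expert"                 # key from the 2.5.1 example
    request_auth = os.urandom(16)      # fresh random Request Authenticator
    req = build_access_request(7, b"user1", b"s3cret-pw", secret, request_auth)
    accept = build_response(CODE_ACCESS_ACCEPT, req, b"", secret)
    mismatched = build_response(CODE_ACCESS_ACCEPT, req, b"", b"huawei")
    return verify_response(accept, req, secret), verify_response(mismatched, req, secret)


if __name__ == "__main__":
    print(demo())  # (True, False)
```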


2.3.4 Set Response Timeout Timer of RADIUS Server

After a RADIUS (authentication/authorization or accounting) request packet has been transmitted, if the NAS has not received a response from the RADIUS server within a period of time, it has to retransmit the request to guarantee RADIUS service for the user.

You can use the following command to set response timeout timer of RADIUS server.

Perform the following configurations in RADIUS server group view.

Table 2-10 Set response timeout timer of RADIUS server

Operation: Set response timeout timer of RADIUS server
Command: timer second

Operation: Restore the response timeout timer of RADIUS server to default value
Command: undo timer

By default, timeout timer of RADIUS server is 3 seconds.

2.3.5 Set Retransmission Times of RADIUS Request Packet

Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable. If the RADIUS server has not responded to the NAS before the timeout, the NAS has to retransmit the RADIUS request packet. If it transmits more than the specified retry-times, the NAS considers that communication with the primary and secondary RADIUS servers has been disconnected.

You can use the following command to set retransmission times of RADIUS request packet.

Perform the following configurations in RADIUS server group view.

Table 2-11 Set retransmission times of RADIUS request packet

Operation: Set retransmission times of RADIUS request packet
Command: retry retry-times

Operation: Restore the default value of retransmission times
Command: undo retry

By default, RADIUS request packet will be retransmitted up to three times.

2.3.6 Set a Real-time Accounting Interval

To implement real-time accounting, it is necessary to set a real-time accounting interval. After the attribute is set, the NAS transmits the accounting information of online users to the RADIUS server at that interval.

You can use the following command to set a real-time accounting interval.


Perform the following configurations in RADIUS server group view.

Table 2-12 Set a real-time accounting interval

Operation: Set a real-time accounting interval
Command: timer realtime-accounting minute

Operation: Restore the default value of the interval
Command: undo timer realtime-accounting

minute specifies the real-time accounting interval in minutes. The value shall be a multiple of 3.

The value of minute is related to the performance of the NAS and the RADIUS server. The smaller the value, the higher the performance required of the NAS and the RADIUS server. When there are many users (1000 or more), we suggest a larger value. The following table recommends the minute value according to the number of users.

Table 2-13 Recommended ratio of minute to number of users

Number of users | Real-time accounting interval (minute)
1 to 99         | 3
100 to 499      | 6
500 to 999      | 12
≥1000           | ≥15

By default, minute is set to 12 minutes.

2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded

The RADIUS server usually checks whether a user is online with a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS for a long time, it considers that there is a device failure and stops accounting. Accordingly, it is necessary to disconnect the user at the NAS end and on the RADIUS server synchronously when some unpredictable failure occurs. Quidway Series Switches support setting the maximum number of times a real-time accounting request may fail to be responded to. The NAS disconnects the user if it has not received a real-time accounting response from the RADIUS server for the specified number of times.

You can use the following command to set the maximum times of real-time accounting request failing to be responded.

Perform the following configurations in RADIUS server group view.


Table 2-14 Set maximum times of real-time accounting request failing to be responded

Operation: Set maximum times of real-time accounting request failing to be responded
Command: retry realtime-accounting retry-times

Operation: Restore the maximum times to the default value
Command: undo retry realtime-accounting

How is the value of retry-times calculated? Suppose that the RADIUS server connection times out after T and the real-time accounting interval of the NAS is t; then the integer part of T divided by t is the value of retry-times. Therefore, in practice T should be chosen as a number that t divides exactly.

By default, the real-time accounting request can fail to be responded no more than 5 times.

2.3.8 Enable/Disable Stopping Accounting Request Buffer

Because the stop-accounting request concerns the account balance and affects the amount charged, which is very important for both the subscribers and the ISP, the NAS shall make its best effort to send the message to the RADIUS accounting server. Accordingly, if a message from a Quidway Series Ethernet Switch to the RADIUS accounting server has not been responded to, the switch shall save it in the local buffer and retransmit it until the server responds, or discard the message after transmitting it the specified number of times. The following command sets whether the message is saved or not. If it is saved, use the command in the next section to set the maximum retransmission times.

Perform the following configurations in RADIUS server group view.

Table 2-15 Enable/Disable stopping accounting request buffer

Operation: Enable stopping accounting request buffer
Command: stop-accounting-buffer enable

Operation: Disable stopping accounting request buffer
Command: undo stop-accounting-buffer enable

By default, the stopping accounting request will be saved in the buffer.

2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request

Because the stop-accounting request concerns the account balance and affects the amount charged, which is very important for both the subscribers and the ISP, the NAS shall make its best effort to send the message to the RADIUS accounting server. Accordingly, if a message from a Quidway Series Ethernet Switch to the RADIUS accounting server has not been responded to, the switch shall save it in the local buffer and retransmit it until the server responds, or discard the message after transmitting it the specified number of times. Use the following command to set the maximum retransmission times.

Perform the following configurations in RADIUS server group view.

Table 2-16 Set the maximum retransmitting times of stopping accounting request

Operation: Set the maximum retransmitting times of stopping accounting request
Command: retry stop-accounting retry-times

Operation: Restore the maximum retransmitting times of stopping accounting request to the default value
Command: undo retry stop-accounting

By default, the stopping accounting request can be retransmitted for up to 500 times.

2.3.10 Set the Supported Type of RADIUS Server

Quidway Series Ethernet Switches support the standard RADIUS protocol and the extended RADIUS service platforms, such as IP Hotel, 201+ and Portal, independently developed by Huawei.

You can use the following command to set the supported types of RADIUS servers.

Perform the following configurations in RADIUS server group view.

Table 2-17 Set the supported type of RADIUS server

Operation: Set the supported type of RADIUS server
Command: server-type { huawei | iphotel | portal | standard }

Operation: Restore the RADIUS server type to the default setting
Command: undo server-type

By default, RADIUS server type is standard.

2.3.11 Set RADIUS Server State

For the primary and secondary servers (whether authentication/authorization or accounting servers), if the primary server is disconnected from the NAS because of some fault, the NAS automatically turns to exchanging packets with the secondary server. However, after the primary server recovers, the NAS does not resume communication with it at once; instead, it continues communicating with the secondary server. When the secondary server fails to communicate, the NAS turns to the primary server again. The following commands can be used to set the primary server to active manually, so that the NAS communicates with it right after troubleshooting.

When the primary and secondary servers are both active or both block, the NAS sends packets to the primary server only.


Perform the following configurations in RADIUS server group view.

Table 2-18 Set RADIUS server state

Operation: Set the state of primary RADIUS server
Command: state primary { accounting | authentication } { block | active }

Operation: Set the state of secondary RADIUS server
Command: state secondary { accounting | authentication } { block | active }

By default, the state of each server in RADIUS server group is active.
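A model of the NAS-side server selection described in 2.3.4, 2.3.5 and 2.3.11, as an added illustration that is not Quidway code: timeout and retransmission, fail-over to the secondary server, the "sticky" secondary that only the manual state command or a secondary failure undoes, and the primary-only rule when both servers share a state. The StandInServer class and the request bytes are constructed here to stand in for the network.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A responder stands in for the network: it returns the reply, or None when
# nothing arrives before the response timeout ("timer second", default 3).
Responder = Callable[[bytes], Optional[bytes]]


class StandInServer:
    """Constructed RADIUS server that answers only while `up` is True."""

    def __init__(self, up: bool) -> None:
        self.up = up

    def __call__(self, request: bytes) -> Optional[bytes]:
        return b"Access-Accept" if self.up else None


@dataclass
class RadiusServer:
    name: str               # "primary" or "secondary"
    respond: Responder
    state: str = "active"   # "active" | "block", as shown by "display radius"


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    timer: int = 3          # response timeout in seconds, Table 2-10 default
    retry: int = 3          # retransmission times, Table 2-11 default
    log: List[str] = field(default_factory=list)

    def set_state(self, which: str, state: str) -> None:
        """The manual 'state primary|secondary ... { active | block }' command."""
        getattr(self, which).state = state

    def select(self) -> RadiusServer:
        """Both servers in the same state: only the primary is used.
        Otherwise the one still marked active is used."""
        if self.primary.state == self.secondary.state:
            return self.primary
        return self.primary if self.primary.state == "active" else self.secondary

    def _exchange(self, server: RadiusServer, request: bytes) -> Optional[bytes]:
        """One send plus up to `retry` retransmissions; None when every attempt
        times out, after which the NAS treats the server as disconnected."""
        for attempt in range(1, self.retry + 2):
            reply = server.respond(request)
            if reply is not None:
                self.log.append(f"{server.name}: reply on attempt {attempt}")
                return reply
            self.log.append(f"{server.name}: no reply within {self.timer}s, attempt {attempt}")
        return None

    def send(self, request: bytes) -> Optional[bytes]:
        """Send one request, switching to the other server when the selected one
        stays silent. A silent server is marked block and stays that way until
        set active by hand or until the other server fails as well."""
        tried = set()
        while True:
            server = self.select()
            if server.name in tried:
                return None     # both servers unreachable
            tried.add(server.name)
            reply = self._exchange(server, request)
            if reply is not None:
                return reply
            server.state = "block"
            self.log.append(f"{server.name}: marked block")


def failover_walkthrough() -> List[str]:
    """Replays the sequence described in 2.3.11 and returns which server
    answered each of three requests."""
    primary, secondary = StandInServer(up=False), StandInServer(up=True)
    scheme = RadiusScheme(RadiusServer("primary", primary), RadiusServer("secondary", secondary))
    answered = []
    scheme.send(b"req1")                    # primary silent -> secondary answers
    answered.append(scheme.log[-1].split(":")[0])
    primary.up = True
    scheme.send(b"req2")                    # primary is back, NAS stays on secondary
    answered.append(scheme.log[-1].split(":")[0])
    scheme.set_state("primary", "active")   # operator sets the primary active
    scheme.send(b"req3")                    # both active -> primary only
    answered.append(scheme.log[-1].split(":")[0])
    return answered


if __name__ == "__main__":
    print(failover_walkthrough())  # ['secondary', 'secondary', 'primary']
```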

2.3.12 Set Username Format Transmitted to RADIUS Server

As mentioned above, supplicants are generally named in the userid@isp-name format. The part following “@” is the ISP domain name. Quidway Series Ethernet Switches put users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject usernames that include the ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server. The following switch command decides whether the username sent to the RADIUS server carries the ISP domain name or not.

Table 2-19 Set username format transmitted to RADIUS server

Operation: Set username format transmitted to RADIUS server
Command: user-name-format { with-domain | without-domain }

Note:

If a RADIUS server group is configured not to allow usernames that include ISP domain names, the RADIUS server group shall not be used in more than one ISP domain at the same time. Otherwise, the RADIUS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).

By default, the RADIUS server group assumes that the username sent to it includes the ISP domain name.

2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server

The following command defines the unit of the data flow sent to RADIUS server.


Table 2-20 Set the unit of data flow transmitted to RADIUS server

Operation: Set the unit of data flow transmitted to RADIUS server
Command: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-byte | kilo-byte | mega-byte | one-packet }

Operation: Restore the unit to the default setting
Command: undo data-flow-format

By default, the default data unit is byte and the default data packet unit is one packet.

2.3.14 Configure Local RADIUS Server Group

RADIUS service, which uses authentication/authorization/accounting servers to manage users, is widely used in Huawei Quidway series switches. Besides, local authentication/authorization/accounting service is also available in these products; it is called the local RADIUS function, i.e. basic RADIUS functionality realized on the switch itself.

Perform the following commands in system view to create/delete local RADIUS server group.

Table 2-21 Create/Delete local RADIUS server group

Operation: Create local RADIUS server group and enter its view
Command: local-radius nas-ip ip-address key password

Operation: Delete local RADIUS server group
Command: undo local-radius nas-ip ip-address

By default, the IP address of local RADIUS server group is 127.0.0.1 and the password is Huawei.

When using the local RADIUS server function of Huawei, remember that the UDP port used for authentication is 1645 and that for authorization is 1646.

2.4 Display and Debug AAA and RADIUS Protocol

After the above configuration, execute the display command in any view to display the running state of the AAA and RADIUS configuration and to verify the effect of the configuration. Execute the reset command in user view to reset the AAA and RADIUS configuration. Execute the debugging command in user view to debug AAA and RADIUS.

Table 2-22 Display and debug AAA and RADIUS protocol

Operation: Display the configuration information of the specified or all the ISP domains.
Command: display domain [ isp-name ]

Operation: Display related information of user’s connection
Command: display connection { access-type { dot1x | gcm } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }

Operation: Display related information of the local user
Command: display local-user [ domain isp-name | idle-cut { disable | enable } | service-type { telnet | ftp | lan-access | ssh } | state { active | block } | user-name user-name | vlan vlan-id ]

Operation: Display information of local RADIUS server group
Command: display local-server statistics

Operation: Display the configuration information of all the RADIUS server groups or a specified one
Command: display radius [ radius-server-name ]

Operation: Display the statistics information of RADIUS packets
Command: display radius statistics

Operation: Display the stopping accounting requests saved in buffer without response (from system view)
Command: display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Operation: Delete the stopping accounting requests saved in buffer without response (from system view)
Command: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Operation: Enable RADIUS packet debugging
Command: debugging radius packet

Operation: Disable RADIUS packet debugging
Command: undo debugging radius packet

Operation: Enable debugging of local RADIUS server group
Command: debugging local-server { all | error | event | packet }

Operation: Disable debugging of local RADIUS server group
Command: undo debugging local-server { all | error | event | packet }

2.5 AAA and RADIUS Protocol Configuration Examples

For a combined configuration example of the AAA/RADIUS protocol and the 802.1x protocol, refer to the Configuration Example in 802.1x Configuration. It is not detailed here.

2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server

Note:

Configuring Telnet user authentication at the remote server is similar to configuring FTP users. The following description is based on Telnet users.

I. Networking Requirements

In the environment illustrated in the following figure, it is required to configure the switch so that the RADIUS server authenticates the Telnet users who log in.


One RADIUS server (acting as the authentication server) is connected to the switch, and the server IP address is 10.110.91.146. The password for exchanging messages between the switch and the authentication server is “expert”. The switch cuts the domain name off the username and sends the remaining part to the RADIUS server.

II. Networking Topology

[Figure 2-2: Telnet user connected to the Switch, which reaches the Authentication Server (IP address: 10.110.91.164) across the Internet]

Figure 2-2 Configuring remote RADIUS authentication for Telnet users

III. Configuration Schedule

# Add a Telnet user.

Omitted

Note:

For details about configuring FTP and Telnet users, refer to User Interface Configuration in Getting Started.

# Configure remote authentication mode for the Telnet user, i.e. scheme mode.

[Quidway-ui-vty0-4] authentication-mode scheme

# Configure domain.

[Quidway] domain cams

[Quidway-isp-cams] quit

# Configure RADIUS scheme.

Page 484: S3500 Series Operation Manual

Operation Manual - Security Quidway S3500 Series Ethernet Switches Chapter 2 AAA and RADIUS Protocol Configuration

2-18

[Quidway] radius scheme cams

[Quidway-radius-cams] primary authentication 10.110.91.146 1812

[Quidway-radius-cams] key authentication expert

[Quidway-radius-cams] service-type Huawei

[Quidway-radius-cams] user-name-format without-domain

# Configuration association between domain and RADIUS.

[Quidway-radius-cams] quit

[Quidway] domain cams

[Quidway-isp-cams] radius-scheme cams
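What this scheme means on the wire, as an added illustration that is not part of the manual and not the switch's own software: the Python code below encodes a RADIUS Access-Request as defined in RFC 2865, strips the domain from the username the way user-name-format without-domain does, hides the password with the shared secret expert (the key authentication value above), and checks the Response Authenticator of the reply with that same secret. That last check is the one that fails when the keys on the NAS and on the server differ (fault one, item 4 in section 2.6). The NAS address 10.110.91.1, the user name telnetuser@cams and the password are constructed sample values; the identifier, the Request Authenticator and the minimal Access-Accept reply are built locally so the code runs offline without a server.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1
AUTH_PORT = 1812  # the port given in 'primary authentication 10.110.91.146 1812'


def strip_domain(username: str) -> str:
    """Mimic 'user-name-format without-domain': keep only the part before '@'."""
    return username.split("@", 1)[0]


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous block), the first with MD5(secret + Request
    Authenticator). A server with a different shared secret cannot undo this."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def build_access_request(identifier: int, username: str, password: str,
                         nas_ip: str, secret: bytes, request_auth: bytes = None) -> bytes:
    """Build the Access-Request the NAS sends to UDP port 1812 (constructed NAS values)."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable for every request
    attrs = (encode_attribute(ATTR_USER_NAME, strip_domain(username).encode())
             + encode_attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, identifier: int, request_auth: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """What a server returns for a request (used here only to simulate the server)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply: a reply not signed with the same shared secret over
    the same Request Authenticator is silently discarded."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"expert"
    ra = os.urandom(16)
    req = build_access_request(7, "telnetuser@cams", "s3cret", "10.110.91.1", secret, ra)
    print("Access-Request:", req.hex())
    accept = build_reply(ACCESS_ACCEPT, 7, ra, secret)
    print("reply with matching key accepted:", verify_reply(accept, ra, secret))
    print("reply with other key accepted:", verify_reply(accept, ra, b"wrong"))
```

The User-Name attribute carries only telnetuser, which is exactly what the RADIUS server must have in its user database (fault one, item 2); the hidden User-Password and the Response Authenticator both depend on the shared secret, so a mismatch shows up as an authentication that always fails rather than as an error message.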

2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server

Local RADIUS authentication of Telnet/FTP users is similar to remote RADIUS authentication. However, you must set the server IP address to 127.0.0.1, the authentication password to Huawei, and the UDP port number of the authentication server to 1645.

Note:

For details about local RADIUS authentication of Telnet/FTP users, refer to “Configuring local RADIUS Server Group”.

2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting

The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how user information is exchanged between the NAS and the RADIUS server of the ISP, so faults are likely to occur.

Fault one: User authentication/authorization always fails

Troubleshooting:

1) The username may not be in the userid@isp-name format or NAS has not been configured with a default ISP domain. Please use the username in proper format and configure the default ISP domain on NAS.


2) The user may have not been configured in the RADIUS server database. Check the database and make sure that the configuration information of the user does exist in the database.

3) The user may have input a wrong password. So please make sure that the supplicant inputs the correct password.

4) The encryption keys of RADIUS server and NAS may be different. Please check carefully and make sure that they are identical.

5) There might be some communication fault between NAS and RADIUS server, which can be discovered through pinging RADIUS from NAS. So please ensure the normal communication between NAS and RADIUS.

Fault two: RADIUS packet cannot be transmitted to RADIUS server.

Troubleshooting:

6) The communication lines (on physical layer or link layer) connecting NAS and RADIUS server may not work well. So please ensure the lines work well.

7) The IP address of the corresponding RADIUS server may not have been set on NAS. Please set a proper IP address for RADIUS server.

8) UDP ports of authentication/authorization and accounting services may not be set properly. So make sure they are consistent with the ports provided by RADIUS server.

Fault three: After being authenticated and authorized, the user cannot send charging bill to the RADIUS server.

Troubleshooting:

9) The accounting port number may be set improperly. Please set a proper number.

10) The accounting service and authentication/authorization service are provided on different servers, but NAS requires the services to be provided on one server (by specifying the same IP address). So please make sure the settings of servers are consistent with the actual conditions.


Chapter 3 HABP Configuration

3.1 HABP Overview

If the 802.1x attribute is configured on a switch, 802.1x runs authentication on the ports where it is enabled, and only ports that pass the authentication can forward packets. On ports where 802.1x authentication is skipped, packets are filtered by the 802.1x attribute, so those ports cannot be managed either. The HABP (Huawei Authentication Bypass Protocol) attribute can be used to solve this problem.

HABP packets contain the MAC address and other information of the member switches. When HABP attribute is enabled at the management switch, 802.1x authentication will be skipped for HABP packets, so management over switches is possible.

HABP includes HABP server and HABP client. In general, the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches, while the client responds to the request packets and forwards them to the lower-level switches. HABP server is often enabled at the management switch, while HABP client is at the member switches.

HABP should be enabled on any switch where 802.1x is enabled.

3.2 HABP configuration

HABP attribute configuration tasks include:

Configuring HABP server
Configuring HABP client

3.2.1 Configuring HABP Server

When HABP server is enabled, the management switch sends HABP request packets to its member switches to collect their MAC addresses, for the convenience of management. You can define the time interval for transmitting HABP request packets on the management switch.

To configure HABP server, follow these steps:

Enable HABP attribute
Configure HABP server
Set time interval for HABP request transmission


Please perform the following operations in system view.

Table 3-1 Configuring HABP server

Operation                                          Command
Enable HABP attribute                              habp enable
Restore HABP attribute to the default value        undo habp enable
Configure the switch as HABP server                habp server vlan vlan-id
Delete HABP server configuration                   undo habp server
Set time interval for HABP request transmission    habp timer interval
Restore the time interval to the default value     undo habp timer

By default, HABP attribute is disabled at a switch, the HABP mode is client, and the time interval for HABP request transmission is 20 seconds.

3.2.2 Configuring HABP Client

HABP client runs at the member switches. Since the default HABP mode is client, you only need to enable HABP attribute at a switch.

Please perform the following operations in system view.

Table 3-2 Configuring HABP client

Operation                                          Command
Enable HABP attribute                              habp enable
Restore HABP to the default value                  undo habp enable

By default, HABP attribute is disabled at a switch.

3.3 Displaying and Debugging HABP Attribute

After the above configuration, you can use the display command in any view to view HABP attribute information and check the configuration. You can also debug the HABP module using the debugging command in user view.

Table 3-3 Displaying and debugging HABP attribute

Operation                                                        Command
Display configuration information and state of HABP attribute    display habp
Display MAC address table of HABP attribute                      display habp table
Display HABP packet statistics                                   display habp traffic
Display HABP debugging state                                     display debugging habp
Enable HABP debugging                                            debugging habp
Disable HABP debugging                                           undo debugging habp


Chapter 4 System-guard Configuration

Note:

Among S3500 series ethernet switches, S3526, S3526E Series and S3526C support system-guard function.

4.1 System-guard Overview

System-guard is a worm virus detection function supported by Ethernet switches. It automatically delivers an ACL to the hardware and forces the affected host offline, so as to isolate the affected host from the network and prevent other hosts from being affected. After a specified time, the Ethernet switch restores normal forwarding for the affected host.

4.2 System-guard Configuration

System-guard configuration includes:

Enable system-guard function
Set the max detection count of the affected hosts
Set parameters of address learning

4.2.1 Enable system-guard function

The following commands enable or disable the system-guard function. The other system-guard configurations take effect only after the system-guard function is enabled.

Perform the following configurations in system view.

Table 4-1 Enable system-guard function

Operation                                          Command
Enable system-guard function                       system-guard enable
Disable system-guard function                      undo system-guard enable

By default, system-guard function is disabled.


Note:

1) Before enabling the system-guard function, make sure the port priority is the default value 0 and the Ethernet switch does not trust the CoS priority of packets.

2) After system-guard is enabled, do not change the port priority or the queue-scheduling mode.

4.2.2 Set the max detection count of the affected hosts

The following commands can be used to set the max detection count of the affected hosts.

Perform the following configurations in system view.

Table 4-2 Set the max detection count

Operation                                                                      Command
Set the max detection count of the affected hosts                              system-guard detect-maxnum number
Restore the max detection count of the affected hosts to the default value     undo system-guard detect-maxnum

By default, the max detection count of the affected hosts is 30.

4.2.3 Set parameters of address learning

The following commands set the maximum number of IP addresses learned from one source (IP-record-threshold), the number of consecutive detections in which the learned address count exceeds that threshold before action is taken (record-times-threshold), and the isolation time (isolate-time) of the system-guard function. For example, if IP-record-threshold, record-times-threshold and isolate-time are set to 50, 3 and 5, the system considers itself under attack when the number of IP addresses learned from one source IP address exceeds 50 for 3 consecutive detections, and then stops learning the destination IP addresses of packets from that source IP address for 5 aging periods.

Perform the following configurations in system view.

Table 4-3 Set parameters of address learning

Operation                                                                                  Command
Set IP-record-threshold, record-times-threshold and isolate-time of system-guard function  system-guard detect-threshold IP-record-threshold record-times-threshold isolate-time
Restore IP-record-threshold, record-times-threshold and isolate-time to the default values undo system-guard detect-threshold


By default, IP-record-threshold, record-times-threshold, isolate-time of system-guard function are 30, 1 and 3.
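The detection rule of section 4.2.3, as an added worked model that is not part of the manual and not the switch firmware: the Python code below tracks, per source IP address and per aging period, how many distinct destination IP addresses have been learned, counts consecutive periods in which that number exceeds IP-record-threshold, and once record-times-threshold is reached stops learning from that source for isolate-time aging periods. The manual does not say whether the comparison is "more than" or "at least" the threshold, nor how the aging period is clocked; the model assumes strictly greater and takes the period boundary as an explicit call. The traffic fed to it is constructed sample data with the 50/3/5 values of the manual's own example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SystemGuard:
    """Model of the address-learning check driven by the three system-guard parameters.
    The defaults are the manual's defaults (30, 1, 3); isolate_time is counted in
    aging periods, as the manual describes it."""
    ip_record_threshold: int = 30
    record_times_threshold: int = 1
    isolate_time: int = 3
    period: int = 0                                                         # current aging period
    learned: dict = field(default_factory=lambda: defaultdict(set))        # src -> dsts this period
    over_count: dict = field(default_factory=lambda: defaultdict(int))     # consecutive periods over
    isolated_until: dict = field(default_factory=dict)                     # src -> first free period

    def __post_init__(self):
        if min(self.ip_record_threshold, self.record_times_threshold, self.isolate_time) < 1:
            raise ValueError("all three parameters must be at least 1 (assumption)")

    def is_isolated(self, src: str) -> bool:
        return self.period < self.isolated_until.get(src, 0)

    def observe(self, src: str, dst: str) -> bool:
        """Record a packet from src to dst. Returns False while the source is isolated,
        i.e. while its destination IP addresses are not learned."""
        if self.is_isolated(src):
            return False
        self.learned[src].add(dst)
        return True

    def end_period(self) -> list:
        """Close the current aging period; return the sources newly isolated (sorted)."""
        newly_isolated = []
        for src in set(self.over_count) | set(self.learned):
            if len(self.learned.get(src, ())) > self.ip_record_threshold:   # "exceeds": assumed >
                self.over_count[src] += 1
            else:
                self.over_count[src] = 0          # a period under the threshold breaks the streak
            if self.over_count[src] >= self.record_times_threshold:
                # isolate for isolate_time whole periods, starting with the next one
                self.isolated_until[src] = self.period + 1 + self.isolate_time
                self.over_count[src] = 0
                newly_isolated.append(src)
        self.learned.clear()
        self.period += 1
        return sorted(newly_isolated)


def simulate(guard: SystemGuard, periods: list) -> list:
    """Feed one {src: [dst, ...]} dict per aging period; return, per period, the
    sources isolated at its end."""
    events = []
    for traffic in periods:
        for src, dsts in traffic.items():
            for dst in dsts:
                guard.observe(src, dst)
        events.append(guard.end_period())
    return events


if __name__ == "__main__":
    # constructed sample: one host sweeping 60 addresses per period, one normal host
    scan = {"10.0.0.5": [f"10.0.1.{i}" for i in range(60)]}
    normal = {"10.0.0.9": ["10.0.1.1", "10.0.1.2"]}
    guard = SystemGuard(ip_record_threshold=50, record_times_threshold=3, isolate_time=5)
    print(simulate(guard, [{**scan, **normal}] * 3))   # isolated at the end of the third period
    print(guard.is_isolated("10.0.0.5"), guard.is_isolated("10.0.0.9"))
```

With the defaults (30, 1, 3) a single period with more than 30 learned addresses is enough to isolate a source, which is why the manual's note about port priority matters: the check runs on what the hardware learns, not on a sampled copy.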

4.3 Display and Debug System-guard

After the above configuration, execute the display command in any view to display the running state of the system-guard configuration and verify the effect of the configuration.

Table 4-4 Display and Debug System-guard

Operation                                                            Command
Display current IP pool state of system-guard                        display system-guard ip-record
Display current detection results and parameters of system-guard     display system-guard state


Quidway S3500 Series Ethernet Switches Operation Manual

11. Reliability


Table of Contents

Chapter 1 VRRP Configuration 1-1
1.1 VRRP Overview 1-1
1.2 Configure VRRP 1-2
1.2.1 Enable/disable the Function to Ping the Virtual IP Address 1-3
1.2.2 Set Correspondence between Virtual IP Address and MAC Address 1-3
1.2.3 Add/Delete a Virtual IP Address 1-4
1.2.4 Configure the priority of switches in the virtual router 1-5
1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router 1-5
1.2.6 Configure Authentication Type and Authentication Key 1-6
1.2.7 Configure VRRP Timer 1-7
1.2.8 Configure Switch to Track a Specified Interface 1-7
1.3 Display and Debug VRRP 1-8
1.4 VRRP Configuration Example 1-8
1.4.1 VRRP Single Virtual Router Example 1-8
1.4.2 VRRP Tracking Interface Example 1-10
1.4.3 Multiple Virtual Routers Example 1-11
1.5 Troubleshoot VRRP 1-12


Chapter 1 VRRP Configuration

1.1 VRRP Overview

Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route (for example, 10.100.10.1 as shown in the following internetworking diagram) is configured for every host on a network, so that packets from the host destined to another network segment go through the default route to the Layer 3 Switch1, implementing communication between the host and the external network. If Switch1 is down, all the hosts on this segment that use Switch1 as the next hop of their default route are disconnected from the external network.

Figure 1-1 LAN Networking (figure: Host 1 10.100.10.7, Host 2 10.100.10.8 and Host 3 10.100.10.9 on an Ethernet segment; Switch with address 10.100.10.1 connected to the Network)

VRRP, designed for LANs with multicast and broadcast capabilities (such as Ethernet), solves the above problem. The diagram below is used to explain the implementation principle of VRRP. VRRP combines a group of LAN switches (including a Master and several Backups) into a virtual router (a backup group).


Figure 1-2 Virtual router (figure: Host 1 10.100.10.7, Host 2 10.100.10.8 and Host 3 10.100.10.9 on an Ethernet segment; Master with actual IP address 10.100.10.2 and Backup with actual IP address 10.100.10.3, both with virtual IP address 10.100.10.1, connected to the Network)

This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the virtual router). The switches within the virtual router have their own IP addresses (such as 10.100.10.2 for the Master switch and 10.100.10.3 for the BACKUP switch). The host on the LAN only knows the IP address of this virtual router 10.100.10.1, but not the specific IP addresses 10.100.10.2 of the Master switch and 10.100.10.3 of the BACKUP switch. They configure their own default routes as the IP address of this virtual router: 10.100.10.1. Therefore, hosts within the network will communicate with the external network through this virtual router. If a Master switch in the virtual group breaks down, another BACKUP switch will function as the new Master switch to continue serving the host with routing to avoid interrupting the communication between the host and the external networks.

1.2 Configure VRRP

VRRP configuration includes:

Enable/disable the Function to Ping the Virtual IP Address
Set Correspondence between Virtual IP Address and MAC Address
Add/Remove virtual IP address
Configure the priority of switches in the virtual router
Enable the preemption mode and configure a period of delay
Configure authentication type and authentication key
Configure timer of the virtual router
Configure to track a specified interface


1.2.1 Enable/disable the Function to Ping the Virtual IP Address

This operation enables or disables the function to ping the virtual IP address of the backup group. The standard VRRP protocol does not support the ping function, so the user cannot use the ping command to judge whether an IP address is in use by the backup group. If the user configures a host with the same IP address as the virtual IP address of the backup group, all messages in this segment will be forwarded to that host.

So Huawei switches provide the ping function.

The following commands can be used to enable and disable the ping function.

Perform the following configuration in system view.

Table 1-1 Enable/disable the ping function

Operation                                                Command
Enable the function to ping the virtual IP address       vrrp ping-enable
Disable the function to ping the virtual IP address      undo vrrp ping-enable

By default, the function to ping the virtual IP address is disabled.

You can set the ping function before configuring the backup group.

1.2.2 Set Correspondence between Virtual IP Address and MAC Address

This operation sets the correspondence between the virtual IP address and the real or virtual MAC address. In the standard VRRP protocol, the virtual IP address of the backup group corresponds to the virtual MAC address, which guarantees correct data forwarding in the subnet.

Due to the chips installed, some switches support matching one IP address to multiple MAC addresses.

Huawei switches not only guarantee correct data forwarding in the subnet but also support the following function: the user can choose to match the virtual IP address with either the real MAC address or the virtual MAC address of the routing interface.

The following commands can be used to set correspondence between the IP address and the MAC address.

Perform the following configuration in system view.


Table 1-2 Set correspondence between virtual IP address and MAC address

Operation                                                                 Command
Set correspondence between the virtual IP address and the MAC address     vrrp method { real-mac | virtual-mac }
Set the correspondence to the default value                               undo vrrp method

By default, the virtual IP address of the backup group corresponds to the virtual MAC address.

You should set correspondence between the virtual IP address of the backup group and the MAC address before configuring the backup group. Otherwise, you cannot configure the correspondence.

S3526, S3526 FM, S3526 FS Ethernet switches don’t support this configuration.

1.2.3 Add/Delete a Virtual IP Address

The following command is used for assigning an IP address of the local segment to a virtual router or removing an assigned virtual IP address of a virtual router from the virtual address list.

Perform the following configuration in VLAN interface view.

Table 1-3 Add/Delete a virtual IP address

Operation                          Command
Add a virtual IP address           vrrp vrid virtual-router-ID virtual-ip virtual-address
Delete a virtual IP address        undo vrrp vrid virtual-router-ID [ virtual-ip virtual-address ]

The virtual-router-ID covers the range from 1 to 255. The virtual-address can be an unused address in the network segment where the virtual router resides, or the IP address of an interface in the virtual router. If the IP address is of the switch, it can also be configured. In this case, the switch will be called an IP Address Owner. When adding the first IP address to a virtual router, the system will create a new virtual router accordingly. When adding new address to this backup group thereafter, the system will directly add it into the virtual IP address list.

After the last virtual IP address is removed from the virtual router, the whole virtual router will also be removed. That is, there is no more virtual router on the interface any more and any configuration of it is invalid accordingly.


1.2.4 Configure the priority of switches in the virtual router.

The status of each switch in the virtual router will be determined by its priority in VRRP. The switch with the highest priority will become the Master.

The priority ranges from 0 to 255 (the greater the number, the higher the priority). However the value can only be taken from 1 to 254. The priority 0 is reserved for special use and 255 is reserved for the IP address owner by the system.

Perform the following configuration in VLAN interface view.

Table 1-4 Configure the priority of switches in the virtual router.

Operation                                                    Command
Configure the priority of switches in the virtual router     vrrp vrid virtual-router-ID priority priority
Clear the priority of switches in the virtual router         undo vrrp vrid virtual-router-ID priority

By default, the priority is 100.

Note:

The priority for IP address owner is always 255, which cannot be configured otherwise.

1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router

Once a switch in the virtual router becomes the Master switch, so long as it still functions properly, other switches, even configured with a higher priority later, cannot become the Master switch unless they are configured to work in preemption mode. The switch in preemption mode will become the Master switch, when it finds its own priority is higher than that of the current Master switch. Accordingly, the former Master switch will become the BACKUP switch. Together with preemption settings, a delay can also be set. In this way, a Backup will wait for a period of time before becoming a Master. In an unstable network if the BACKUP switch has not received the packets from the Master switch punctually, it will become the Master switch. However, the failure of BACKUP to receive the packets may be due to network congestion, instead of the malfunction of the Master switch. In this case, the Backup will receive the packet after a while. The delay settings can thereby avoid the frequent status changing.

Perform the following configuration in VLAN interface view.


Table 1-5 Configure preemption and delay for a switch within a virtual router

Operation                                                      Command
Enable the preemption mode and configure a period of delay     vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
Disable the preemption mode                                    undo vrrp vrid virtual-router-ID preempt-mode

The delay ranges from 0 to 255, measured in seconds. By default, the preemption mode is enabled with a delay of 0 seconds.

Note:

If preemption mode is cancelled, the delay time will automatically become 0 second.

1.2.6 Configure Authentication Type and Authentication Key

VRRP provides following authentication types:

simple: Simple character authentication
md5: MD5 authentication

In a network under possible security threat, the authentication type can be set to simple. Then the switch will add the authentication key into the VRRP packets before transmitting it. The receiver will compare the authentication key of the packet with the locally configured one. If they are the same, the packet will be taken as a true and legal one. Otherwise it will be regarded as an illegal packet to be discarded. In this case, an authentication key not exceeding 8 characters should be configured.

In a totally unsafe network, the authentication type can be set to md5. The switch will use the authentication type and MD5 algorithm provided by the Authentication Header to authenticate the VRRP packets. In this case an authentication key not exceeding 16 characters should be configured.

Those packets failing to pass the authentication will be discarded and a trap packet will be sent to the network management system.

Perform the following configuration in VLAN interface view.

Table 1-6 Configure authentication type and authentication key.

Operation                                                 Command
Configure authentication type and authentication key      vrrp authentication-mode type [ key ]
Clear authentication type and authentication key          undo vrrp authentication-mode


Note:

The same authentication type and authentication key should be configured for all vlan interfaces that belong to the virtual router.
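The simple authentication type described in 1.2.6, as an added worked example that is neither the manual's nor Huawei's code: a Python encoder and receiver-side checker for a VRRP version 2 advertisement in the packet format of RFC 2338, using authentication type 1, where the key of at most 8 characters is carried in the Authentication Data field and the receiver discards any advertisement whose key or checksum does not match its own configuration. Only the simple type is modelled; the md5 type relies on the IP Authentication Header and is not reproduced here. The virtual router values are those of Figure 1-3 and the key switch is the one from section 1.4.2; the tampered packet is constructed.

```python
import hmac
import struct

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2    # RFC 2338 authentication types
SIMPLE_KEY_MAX = 8                          # "an authentication key not exceeding 8 characters"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used by VRRP, IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pack_ips(ips: list) -> bytes:
    return b"".join(bytes(int(o) for o in ip.split(".")) for ip in ips)


def build_advertisement(vrid: int, priority: int, virtual_ips: list,
                        adver_interval: int, auth_key: str = None) -> bytes:
    """Encode a VRRPv2 advertisement; with auth_key set, authentication type 1 is used."""
    if not 1 <= vrid <= 255 or not 0 <= priority <= 255 or not 1 <= adver_interval <= 255:
        raise ValueError("vrid, priority and adver_interval must fit their one-byte fields")
    if auth_key is None:
        auth_type, auth_data = AUTH_NONE, bytes(SIMPLE_KEY_MAX)
    else:
        key = auth_key.encode()
        if not 1 <= len(key) <= SIMPLE_KEY_MAX:
            raise ValueError("simple authentication key must be 1..8 characters")
        auth_type, auth_data = AUTH_SIMPLE, key.ljust(SIMPLE_KEY_MAX, b"\x00")
    # Version/Type, VRID, Priority, Count IP Addrs, Auth Type, Adver Int, Checksum (0 for now)
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT, vrid, priority,
                         len(virtual_ips), auth_type, adver_interval, 0)
    body = _pack_ips(virtual_ips) + auth_data
    checksum = ip_checksum(header + body)
    return header[:6] + struct.pack("!H", checksum) + body


def parse_advertisement(packet: bytes, local_key: str = None) -> dict:
    """Receiver side: validate checksum and authentication, then return the fields.
    Raises ValueError for anything a switch would discard (the manual says a trap is
    also sent to the network management system in that case)."""
    if len(packet) < 16:
        raise ValueError("packet too short")
    if ip_checksum(packet) != 0:      # a correct packet sums to zero including its checksum
        raise ValueError("bad checksum")
    vt, vrid, priority, count, auth_type, adver_interval, _ = struct.unpack("!BBBBBBH", packet[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    ips_end = 8 + 4 * count
    if len(packet) != ips_end + SIMPLE_KEY_MAX:
        raise ValueError("length does not match Count IP Addrs")
    expected_type = AUTH_SIMPLE if local_key is not None else AUTH_NONE
    if auth_type != expected_type:
        raise ValueError("authentication type mismatch")
    if local_key is not None:
        expected = local_key.encode().ljust(SIMPLE_KEY_MAX, b"\x00")
        if not hmac.compare_digest(packet[ips_end:ips_end + SIMPLE_KEY_MAX], expected):
            raise ValueError("authentication key mismatch: packet discarded")
    return {
        "vrid": vrid,
        "priority": priority,
        "adver_interval": adver_interval,
        "virtual_ips": [".".join(str(b) for b in packet[i:i + 4]) for i in range(8, ips_end, 4)],
    }


if __name__ == "__main__":
    pkt = build_advertisement(1, 110, ["202.38.160.111"], 5, "switch")
    print(pkt.hex())
    print(parse_advertisement(pkt, "switch"))
```

Two things worth noticing: the simple key travels in clear text in every advertisement, which is why the manual reserves it for networks that are only "under possible security threat" and recommends md5 for a totally unsafe one, and the receiver compares the key with a constant-time comparison and rejects a type mismatch before looking at the key, which is exactly the "same authentication type and authentication key on all VLAN interfaces" requirement of the note above.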

1.2.7 Configure VRRP Timer

The Master switch advertises its normal operation state to the switches within the VRRP virtual router by sending them VRRP packets regularly (at adver-interval). If the Backup has not received any VRRP packet from the Master after a period of time (specified by master-down-interval), it will consider the Master as down. It will then take its place and become the Master.

You can use the following command to set the timer and adjust adver-interval, the interval at which the Master transmits VRRP packets. The master-down-interval of the Backup switch is three times the adver-interval. Excessive network traffic or differences between the timers of different switches may cause the master-down-interval to time out and the state to change abnormally. Such problems can be solved by prolonging the adver-interval and setting a delay time. adver-interval is measured in seconds.

Perform the following configuration in VLAN interface view.

Table 1-7 Configure VRRP timer

Operation                  Command
Configure VRRP timer       vrrp vrid virtual-router-ID timer advertise adver-interval
Clear VRRP timer           undo vrrp vrid virtual-router-ID timer advertise

By default, adver-interval is configured to be 3.

1.2.8 Configure Switch to Track a Specified Interface

The VRRP interface tracking function extends the backup function: backup is provided not only for the interface on which the virtual router resides but also for other switch interfaces that may fail. With the following command you can track an interface. If the tracked interface goes DOWN, the priority of the switch owning that interface is automatically reduced by the value specified by value-reduced, so that other switches within the virtual router have comparatively higher priorities and one of them becomes the Master.

Perform the following configuration in VLAN interface view.


Table 1-8 Configure Switch to Track a Specified Interface

Operation                                     Command
Configure to track a specified interface      vrrp vrid virtual-router-ID track vlan-interface interface-num [ reduced value-reduced ]
Stop tracking the specified interface         undo vrrp vrid virtual-router-ID track [ vlan-interface interface-num ]

By default, value-reduced is 10.

Note:

When the switch is an IP address owner, its interfaces cannot be tracked.

1.3 Display and Debug VRRP

After the above configuration, execute the display command in any view to display the running state of the VRRP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug VRRP.

Table 1-9 Display and debug VRRP

Operation                           Command
Display VRRP state information      display vrrp [ interface vlan-interface interface-num ] [ virtual-router-ID ]
Enable VRRP debugging               debugging vrrp { state | packet }
Disable VRRP debugging              undo debugging vrrp { state | packet }

You can enable VRRP debugging to display how it runs. You can set the argument option to packet or state to debug the VRRP packet or VRRP state respectively. By default, the switch disables the debugging.

1.4 VRRP Configuration Example

1.4.1 VRRP Single Virtual Router Example

I. Networking requirements

Host A uses the VRRP virtual router which combines switch A and switch B as its default gateway to visit host B on the Internet.


The VRRP virtual router information includes: virtual router ID 1, virtual IP address 202.38.160.111, switch A as the Master and switch B as the Backup, with preemption allowed.

II. Networking diagram

Figure 1-3 VRRP configuration networking (figure: Host A 202.36.160.3; Switch_A with VLAN-interface2 202.38.160.1; Switch_B with VLAN-interface2 202.38.160.2; VLAN-interface3 10.100.10.2; virtual IP address 202.38.160.111; Internet; Host B 10.2.3.1)

III. Configuration Procedure

Configure switch A

[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

[LSW_A-vlan-interface2] vrrp vrid 1 priority 110

Configure switch B

[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

The virtual router can be used soon after configuration. Host A can configure the default gateway as 202.38.160.111.

Under normal conditions, switch A functions as the gateway, but when switch A is turned off or malfunctioning, switch B will function as the gateway instead.

Configure preemption mode for switch A, so that it can resume its gateway function as the Master after recovery.


1.4.2 VRRP Tracking Interface Example

I. Networking requirements

Even when switch A is still functioning, it may be desirable for switch B to act as the gateway when the Internet-facing interface of switch A does not work properly. This can be implemented by configuring interface tracking.

In brief, the virtual router ID is set to 1, with an authentication key and a timer configured in addition.

II. Networking diagram

See Figure 1-3.

III. Configuration Procedure

Configure switch A

# Create a virtual router.

[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Set the priority for the virtual router.

[LSW_A-vlan-interface2] vrrp vrid 1 priority 110

# Set the authentication key for the virtual router.

[LSW_A-vlan-interface2] vrrp authentication-mode md5 switch

# Set Master to send VRRP packets every 5 seconds.

[LSW_A-vlan-interface2] vrrp vrid 1 timer advertise 5

# Track an interface.

[LSW_A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30

Configure switch B

# Create a virtual router.

[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Set the authentication key for the virtual router.

[LSW_B-vlan-interface2] vrrp authentication-mode md5 switch

# Set Master to send VRRP packets every 5 seconds.

[LSW_B-vlan-interface2] vrrp vrid 1 timer advertise 5


Under normal conditions, switch A functions as the gateway, but when the interface vlan-interface 3 of switch A is down, its priority will be reduced by 30, lower than that of switch B so that switch B will preempt the Master for gateway services instead.

When vlan-interface3, the interface of switch A, recovers, this switch will resume its gateway function as the Master.
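The election and tracking behaviour of sections 1.2.4, 1.2.5, 1.2.7 and 1.2.8, exercised on the switch A / switch B scenario just described, as an added model that is not code from the manual or from the switch: it computes each switch's effective priority (255 for an IP address owner, otherwise the configured value minus value-reduced for every tracked interface that is down), lets a Backup take over a working Master only in preemption mode and only with a strictly higher priority, and derives master-down-interval as three times adver-interval. The preemption delay is reported rather than waited for. Where the manual is silent the model assumes standard VRRP behaviour: a priority tie is broken by the higher interface IP address, and an effective priority never drops below 1. The switch names and interface addresses are those of Figure 1-3.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

OWNER_PRIORITY = 255          # reserved for the IP address owner, not configurable
DEFAULT_PRIORITY = 100
DEFAULT_ADVER_INTERVAL = 3


@dataclass
class VrrpSwitch:
    name: str
    ip: str                                   # interface address; tie-breaker (assumed, standard VRRP)
    priority: int = DEFAULT_PRIORITY
    ip_owner: bool = False
    preempt: bool = True                      # manual default: preemption with 0 s delay
    preempt_delay: int = 0
    adver_interval: int = DEFAULT_ADVER_INTERVAL
    tracked: dict = field(default_factory=dict)        # interface -> value-reduced
    down_interfaces: set = field(default_factory=set)

    def __post_init__(self):
        if not self.ip_owner and not 1 <= self.priority <= 254:
            raise ValueError("configurable priority is 1..254; 0 and 255 are reserved")
        if not 0 <= self.preempt_delay <= 255:
            raise ValueError("preemption delay is 0..255 seconds")
        if self.ip_owner and self.tracked:
            raise ValueError("interfaces of an IP address owner cannot be tracked")

    def effective_priority(self) -> int:
        if self.ip_owner:
            return OWNER_PRIORITY
        reduction = sum(r for iface, r in self.tracked.items() if iface in self.down_interfaces)
        return max(1, self.priority - reduction)     # floor of 1 is an assumption

    def master_down_interval(self) -> int:
        """Seconds without advertisements after which a Backup declares the Master down."""
        return 3 * self.adver_interval


def _rank(sw: VrrpSwitch) -> tuple:
    return (sw.effective_priority(), int(IPv4Address(sw.ip)))


def next_master(switches: dict, current: str, alive: set) -> tuple:
    """One evaluation round for a virtual router.
    switches: name -> VrrpSwitch; current: name of the current Master or None;
    alive: names whose advertisements still arrive within master-down-interval.
    Returns (master name, seconds of preemption delay before the change applies)."""
    candidates = [s for s in switches.values() if s.name in alive]
    if not candidates:
        return None, 0
    best = max(candidates, key=_rank)
    if current in alive:
        incumbent = switches[current]
        # a working Master keeps its role unless a Backup in preemption mode outranks it
        if (best is not incumbent and best.preempt
                and best.effective_priority() > incumbent.effective_priority()):
            return best.name, best.preempt_delay
        return current, 0
    return best.name, 0        # Master gone: the highest remaining priority takes over


def tracking_example() -> list:
    """Section 1.4.2: A at 110 tracking vlan-interface3 with reduced 30, B at the default 100."""
    a = VrrpSwitch("LSW_A", "202.38.160.1", priority=110, adver_interval=5,
                   tracked={"vlan-interface3": 30})
    b = VrrpSwitch("LSW_B", "202.38.160.2", adver_interval=5)
    group, alive = {"LSW_A": a, "LSW_B": b}, {"LSW_A", "LSW_B"}
    history = []
    master, _ = next_master(group, None, alive)            # initial election
    history.append(master)
    a.down_interfaces.add("vlan-interface3")               # the tracked uplink fails: A drops to 80
    master, _ = next_master(group, master, alive)
    history.append(master)
    a.down_interfaces.discard("vlan-interface3")           # the uplink recovers: A back to 110
    master, _ = next_master(group, master, alive)
    history.append(master)
    return history


if __name__ == "__main__":
    print(tracking_example())   # ['LSW_A', 'LSW_B', 'LSW_A']
```

The same function reproduces section 1.4.3: with A at 150 and B at the default in virtual router 1, and A at the default and B at 110 in virtual router 2, the two elections pick different Masters, which is the load sharing the manual describes.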

1.4.3 Multiple Virtual Routers Example

I. Networking requirements

A Switch can function as the backup switch for many virtual routers.

Such a multi-backup configuration can implement load balancing. For example, switch A as the Master switch of group 1 can share the responsibility of the backup switch for virtual router 2 and vice versa for switch B. Some hosts employ virtual router 1 as the gateway, while others employ virtual router 2 as the gateway. In this way, both load balancing and mutual backup are implemented.

II. Networking diagram

See Figure 1-3.

III. Configuration Procedure

Configure switch A

# Create virtual router 1.

[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Set the priority for the virtual router.

[LSW_A-vlan-interface2] vrrp vrid 1 priority 150

# Create virtual router 2.

[LSW_A-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112

Configure switch B

# Create virtual router 1.

[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Create virtual router 2.

[LSW_B-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112

# Set the priority for the virtual router.

Page 504: S3500 Series Operation Manual

Operation Manual - Reliability Quidway S3500 Series Ethernet Switches Chapter 1 VRRP Configuration

1-12

[LSW_B-vlan-interface2] vrrp vrid 2 priority 110

1.5 Troubleshoot VRRP

Because VRRP configuration is not very complicated, almost all faults can be located by viewing the configuration and debugging information. The following are some possible faults and the corresponding troubleshooting methods.

I. Fault 1: Frequent prompts of configuration errors on the console

This indicates that an incorrect VRRP packet has been received. The cause is either an inconsistent configuration on another switch within the virtual router, or a device attempting to send illegal VRRP packets. The first cause is resolved by correcting the configuration. The second is a malicious attempt by some device, so non-technical measures have to be resorted to.

II. Fault 2: More than one Master exists within the same virtual router

There are two possible reasons. One is that several Master switches coexist for a short time, which is normal and needs no manual intervention. The other is that several Master switches coexist for a long time, which may be because the Masters cannot receive VRRP packets from each other, or because they receive illegal packets.

To locate the problem, ping between the Master switches. If the ping fails, there are other problems in the network. If the ping succeeds, the problem is caused by inconsistent configuration. For the configuration of the same VRRP virtual router, the number of virtual IP addresses, each virtual IP address, the timer duration and the authentication type must be completely consistent.

III. Fault 3: Frequent switchover of VRRP state

This problem occurs when the virtual router timer duration is set too short. It can be solved by prolonging the timer duration or by configuring a preemption delay.
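The Fault 2 consistency rule and the priority-tracking behaviour of section 1.4.2 can be checked offline against the command lines before they are applied. The following checker is an added example, not part of the manual or Huawei's software; it parses the `[switch-interface] vrrp ...` lines of the examples above, assumes the defaults priority 100, advertisement timer 1 s and no authentication for commands that are absent, and uses the 1.4.2 and 1.4.3 configurations plus one constructed mismatch as input.

```python
"""VRRP configuration consistency check (added example, not from the manual).
Parses the "[switch-interface] vrrp ..." lines of the manual's examples and applies
section 1.5, Fault 2 (identical virtual IP addresses, advertisement timer and
authentication type on every switch of one virtual router) plus the 1.4.2 tracking
rule (priority minus "reduced" must drop below the backup's priority). Absent
commands take assumed defaults: priority 100, timer 1 s, no authentication."""
import re
from dataclasses import dataclass, field

@dataclass
class VirtualRouter:
    vrid: int
    virtual_ips: set = field(default_factory=set)
    priority: int = 100        # assumed default when "priority" is not configured
    advertise: int = 1         # assumed default advertisement timer (seconds)
    reduced: int = 0           # priority reduction while the tracked interface is down
    auth_mode: str = "none"    # copied from the interface-wide authentication-mode

# "[LSW_A-vlan-interface2] vrrp vrid 1 priority 110" -> switch "LSW_A", args after "vrrp"
LINE_RE = re.compile(r"^\[(?P<switch>[^\]-]+)-[^\]]*\]\s+vrrp\s+(?P<args>.+)$")

def parse_vrrp_config(lines):
    """Return {switch: {vrid: VirtualRouter}}; lines that are not vrrp commands are skipped."""
    switches, auth = {}, {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sw, args = m.group("switch"), m.group("args").split()
        routers = switches.setdefault(sw, {})
        if args[0] == "authentication-mode":
            auth[sw] = args[1]              # "md5" or "simple"; the key itself is not compared
            continue
        if args[0] != "vrid":
            continue
        vr = routers.setdefault(int(args[1]), VirtualRouter(int(args[1])))
        cmd = args[2]
        if cmd == "virtual-ip":
            vr.virtual_ips.add(args[3])
        elif cmd == "priority":
            vr.priority = int(args[3])
        elif cmd == "timer" and args[3] == "advertise":
            vr.advertise = int(args[4])
        elif cmd == "track" and "reduced" in args:
            vr.reduced = int(args[args.index("reduced") + 1])
    for sw, routers in switches.items():
        for vr in routers.values():
            vr.auth_mode = auth.get(sw, "none")
    return switches

def check_virtual_routers(switches):
    """Apply the consistency rules; return a list of findings (empty means consistent)."""
    findings, by_vrid = [], {}
    for sw, routers in switches.items():
        for vrid, vr in routers.items():
            by_vrid.setdefault(vrid, {})[sw] = vr
    for vrid, members in sorted(by_vrid.items()):
        if len(members) < 2:
            findings.append(f"vrid {vrid}: configured on one switch only, no backup")
            continue
        checks = (("virtual IP addresses", {sw: frozenset(vr.virtual_ips) for sw, vr in members.items()}),
                  ("advertisement timer", {sw: vr.advertise for sw, vr in members.items()}),
                  ("authentication mode", {sw: vr.auth_mode for sw, vr in members.items()}))
        for label, values in checks:
            if len(set(values.values())) > 1:
                findings.append(f"vrid {vrid}: {label} differ: {values}")
        prios = {sw: vr.priority for sw, vr in members.items()}
        master = max(prios, key=prios.get)
        best_backup = max(p for sw, p in prios.items() if sw != master)
        vr = members[master]
        if vr.reduced and vr.priority - vr.reduced >= best_backup:
            findings.append(f"vrid {vrid}: {master} priority {vr.priority} reduced by {vr.reduced} "
                            f"stays at or above backup priority {best_backup}; no switchover on failure")
    return findings

# Constructed input: the section 1.4.2 commands for switch A and switch B.
BACKUP_EXAMPLE = """
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW_A-vlan-interface2] vrrp vrid 1 priority 110
[LSW_A-vlan-interface2] vrrp authentication-mode md5 switch
[LSW_A-vlan-interface2] vrrp vrid 1 timer advertise 5
[LSW_A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW_B-vlan-interface2] vrrp authentication-mode md5 switch
[LSW_B-vlan-interface2] vrrp vrid 1 timer advertise 5
""".splitlines()

# Constructed input: the section 1.4.3 load-sharing commands (two virtual routers).
LOAD_SHARING_EXAMPLE = """
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW_A-vlan-interface2] vrrp vrid 1 priority 150
[LSW_A-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW_B-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
[LSW_B-vlan-interface2] vrrp vrid 2 priority 110
""".splitlines()

# Constructed fault: switch B advertises every 3 s instead of 5 s (the Fault 2 case).
TIMER_MISMATCH = [l.replace("advertise 5", "advertise 3") if l.startswith("[LSW_B") else l
                  for l in BACKUP_EXAMPLE]
```

Running `check_virtual_routers(parse_vrrp_config(TIMER_MISMATCH))` reports the timer difference, while both manual configurations come back with no findings.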


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

12. System Management

Table of Contents

Chapter 1 File System Management  1-1
  1.1 File System  1-1
    1.1.1 File System Overview  1-1
    1.1.2 Directory Operation  1-1
    1.1.3 File Operation  1-1
    1.1.4 Storage Device Operation  1-2
    1.1.5 Set the Prompt Mode of the File System  1-2
  1.2 Configure File Management  1-3
    1.2.1 Configure File Management Overview  1-3
    1.2.2 Display the Current-configuration and Saved-configuration of Ethernet Switch  1-3
    1.2.3 Save the Current-configuration  1-4
    1.2.4 Erase Configuration Files from Flash Memory  1-4
  1.3 FTP  1-5
    1.3.1 FTP Overview  1-5
    1.3.2 Enable/Disable FTP Server  1-6
    1.3.3 Configure the FTP Server Authentication and Authorization  1-6
    1.3.4 Configure the Running Parameters of FTP Server  1-7
    1.3.5 Display and Debug FTP Server  1-7
    1.3.6 Introduction to FTP Client  1-8
    1.3.7 FTP client configuration example  1-8
    1.3.8 FTP server configuration example  1-10
  1.4 TFTP  1-11
    1.4.1 TFTP Overview  1-11
    1.4.2 Configure the File Transmission Mode  1-12
    1.4.3 Download Files by means of TFTP  1-12
    1.4.4 Upload Files by means of TFTP  1-12
    1.4.5 TFTP Client Configuration Example  1-13

Chapter 2 MAC Address Table Management  2-1
  2.1 MAC Address Table Management Overview  2-1
  2.2 MAC Address Table Configuration  2-2
    2.2.1 Set MAC Address Table Entries  2-2
    2.2.2 Set MAC Address Aging Time  2-2
    2.2.3 Set the Max Count of MAC Address Learned by a Port  2-3
  2.3 Display and Debug MAC Address Table  2-4
  2.4 MAC Address Table Management Configuration Example  2-4

Chapter 3 Device Management  3-1
  3.1 Device Management Overview  3-1
  3.2 Device Management Configuration  3-1
    3.2.1 Reboot Ethernet Switch  3-1
    3.2.2 Designate the APP Adopted When Booting the Ethernet Switch Next Time  3-1
    3.2.3 Upgrade BootROM  3-2
  3.3 Display and Debug Device Management Configuration  3-2

Chapter 4 System Maintenance and Debugging  4-1
  4.1 Basic System Configuration  4-1
    4.1.1 Set Name for Switch  4-1
    4.1.2 Set the System Clock  4-1
    4.1.3 Set the Time Zone  4-1
    4.1.4 Set the Summer Time  4-2
  4.2 Display the State and Information of the System  4-2
  4.3 System Debugging  4-3
    4.3.1 Enable/Disable the Terminal Debugging  4-3
    4.3.2 Display Diagnostic Information  4-4
  4.4 Testing Tools for Network Connection  4-4
  4.5 Logging Function  4-5
    4.5.1 Introduction to Info-center  4-5
    4.5.2 Info-center Configuration  4-8
    4.5.3 Sending the Configuration Information to Loghost  4-11
    4.5.4 Sending the Configuration Information to Console Terminal  4-13
    4.5.5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal  4-15
    4.5.6 Sending the Configuration Information to Log Buffer  4-18
    4.5.7 Sending the Configuration Information to Trap Buffer  4-20
    4.5.8 Sending the Configuration Information to SNMP Network Management  4-21
    4.5.9 Turn on/off the Information Synchronization Switch in Fabric  4-23
    4.5.10 Displaying and Debugging Info-center  4-24
    4.5.11 Configuration Examples of Sending Log to Unix Loghost  4-24
    4.5.12 Configuration Examples of Sending Log to Linux Loghost  4-26
    4.5.13 Configuration Examples of Sending Log to Console Terminal  4-29

Chapter 5 SNMP Configuration  5-1
  5.1 SNMP Overview  5-1
  5.2 SNMP Versions and Supported MIB  5-1
  5.3 Configure SNMP  5-2
    5.3.1 Set Community Name  5-3
    5.3.2 Set the Method of Identifying and Contacting the Administrator  5-3
    5.3.3 Enable/Disable SNMP Agent to Send Trap  5-4
    5.3.4 Set the Destination Address of Trap  5-4
    5.3.5 Set Lifetime of Trap Message  5-4
    5.3.6 Set SysLocation  5-5
    5.3.7 Set SNMP Version  5-5
    5.3.8 Set the Engine ID of a Local or Remote Device  5-5
    5.3.9 Set/Delete an SNMP Group  5-6
    5.3.10 Set the Source Address of Trap  5-6
    5.3.11 Add/Delete a User to/from an SNMP Group  5-6
    5.3.12 Create/Update View Information or Delete a View  5-7
    5.3.13 Set the Size of SNMP Packet Sent/Received by an Agent  5-7
    5.3.14 Disable SNMP Agent  5-7
  5.4 Display and Debug SNMP  5-8
  5.5 SNMP Configuration Example  5-8

Chapter 6 RMON Configuration  6-1
  6.1 RMON Overview  6-1
  6.2 Configure RMON  6-2
    6.2.1 Add/Delete an Entry to/from the Alarm Table  6-2
    6.2.2 Add/Delete an Entry to/from the Event Table  6-2
    6.2.3 Add/Delete an Entry to/from the History Control Table  6-3
    6.2.4 Add/Delete an Entry to/from the Extended RMON Alarm Table  6-3
    6.2.5 Add/Delete an Entry to/from the Statistics Table  6-3
  6.3 Display and Debug RMON  6-4
  6.4 RMON Configuration Example  6-4

Chapter 7 NTP Configuration  7-1
  7.1 Brief Introduction to NTP  7-1
    7.1.1 NTP Functions  7-1
    7.1.2 Basic Operating Principle of NTP  7-1
  7.2 NTP Configuration  7-2
    7.2.1 Configure NTP Operating Mode  7-3
    7.2.2 Configure NTP ID Authentication  7-6
    7.2.3 Set NTP Authentication Key  7-6
    7.2.4 Set Specified Key as Reliable  7-7
    7.2.5 Designate an Interface to Transmit NTP Message  7-7
    7.2.6 Set NTP Master Clock  7-7
    7.2.7 Enable/Disable an Interface to Receive NTP Message  7-8
    7.2.8 Set Authority to Access a Local Ethernet Switch  7-8
    7.2.9 Set Maximum Local Sessions  7-9
  7.3 NTP Display and Debugging  7-9
  7.4 Typical NTP Configuration Example  7-9

Chapter 8 SSH Terminal Services  8-1
  8.1 SSH Terminal Services  8-1
    8.1.1 SSH Overview  8-1
    8.1.2 Configuring SSH Server  8-3
    8.1.3 Configuring SSH Client  8-6
    8.1.4 Displaying and Debugging SSH  8-10
    8.1.5 SSH Configuration Example  8-11


Chapter 1 File System Management

1.1 File System

1.1.1 File System Overview

The Ethernet switch provides a file system module for efficient user management of storage devices such as flash memory. The file system offers file access and directory management, mainly including creating the file system; creating, deleting, modifying and renaming a file or directory; and opening a file.

By default, the file system asks for the user's confirmation before executing commands that may cause loss, such as deleting or overwriting a file.

Based on the objects operated on, the file system functions are divided as follows:

- Directory operation
- File operation
- Storage device operation
- Set the prompt mode of the file system

1.1.2 Directory Operation

The file system can be used to create or delete a directory, display the current working directory, and display the information about the files or directories under a specified directory. You can use the following commands to perform directory operations.

Perform the following configuration in user view.

Table 1-1 Directory operation

Operation                                           Command
Create a directory                                  mkdir directory
Delete a directory                                  rmdir directory
Display the current working directory               pwd
Display the information about directories or files  dir [ /all ] [ file-url ]
Change the current directory                        cd directory

1.1.3 File Operation

The file system can be used to delete or undelete a file and to permanently delete a file. It can also be used to display the contents of a file, rename, copy and move a file, and display the information about a specified file. You can use the following commands to perform file operations.

Perform the following configuration in user view.

Table 1-2 File operation

Operation                                           Command
Delete a file                                       delete [ /unreserved ] file-url
Undelete a file                                     undelete file-url
Delete a file from the recycle bin permanently      reset recycle-bin file-url
View the contents of a file                         more file-url
Rename a file                                       rename fileurl-source fileurl-dest
Copy a file                                         copy fileurl-source fileurl-dest
Move a file                                         move fileurl-source fileurl-dest
Display the information about directories or files  dir [ /all ] [ file-url ]

1.1.4 Storage Device Operation

The file system can be used to format a specified memory device. You can use the following commands to format a specified memory device.

Perform the following configuration in user view.

Table 1-3 Storage device operation

Operation                   Command
Format the storage device   format filesystem

1.1.5 Set the Prompt Mode of the File System

The following command can be used for setting the prompt mode of the current file system.

Perform the following configuration in system view.

Table 1-4 File system operation

Operation                          Command
Set the file system prompt mode    file prompt { alert | quiet }


1.2 Configure File Management

1.2.1 Configure File Management Overview

The configuration file management module provides a user-friendly operation interface. It saves the configuration of the Ethernet switch as command-line text, which records the whole configuration process, so you can view the configuration information conveniently.

The format of the configuration file is as follows:

- It is saved in command format. Only non-default settings are saved.
- The commands are organized by command view. The commands of the same command view are sorted into one section. Sections are separated by a blank line or a comment line (a comment line begins with the “#” sign).
- Generally, the sections in the file are arranged in the following order: system configuration, Ethernet port configuration, VLAN interface configuration, routing protocol configuration and so on.
- The file ends with “end”.

The management of the configuration files includes:

- Display the current-configuration and saved-configuration of the Ethernet switch
- Save the current-configuration
- Erase configuration files from flash memory

1.2.2 Display the Current-configuration and Saved-configuration of Ethernet Switch

After being powered on, the system reads the configuration file from flash to initialize the device (such a configuration file is called the saved-configuration). If there is no configuration file in flash, the system initializes with the default parameters. In contrast to the saved-configuration, the configuration in effect while the system is running is called the current-configuration. You can use the following commands to display the current-configuration and saved-configuration of the Ethernet switch.

Perform the following configuration in any view.


Table 1-5 Display the configurations of the Ethernet switch

Operation                                                              Command
Display the saved-configuration information of the Ethernet switch     display saved-configuration
Display the current-configuration information of the Ethernet switch   display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ ospf | system | user-interface ] ] [ | { begin | exclude | include } regular-expression ]

Note:

The configuration files are displayed in their corresponding saving formats.

1.2.3 Save the Current-configuration

Use the save command to save the current-configuration in the Flash Memory, and the configurations will become the saved-configuration when the system is powered on for the next time.

Perform the following configuration in user view.

Table 1-6 Save the current-configuration

Operation                        Command
Save the current-configuration   save

1.2.4 Erase Configuration Files from Flash Memory

The reset saved-configuration command can be used to erase configuration files from Flash Memory. The system will use the default configuration parameters for initialization when the Ethernet switch is powered on for the next time.

Perform the following configuration in user view.

Table 1-7 Erase configuration files from Flash Memory

Operation                                     Command
Erase configuration files from flash memory   reset saved-configuration

You may erase the configuration files from flash in the following cases:

- After a software upgrade, the software does not match the configuration files.
- The configuration files in flash are damaged. (A common case is that a wrong configuration file has been downloaded.)

1.3 FTP

1.3.1 FTP Overview

FTP is a common way to transmit files on the Internet and IP networks. Before the World Wide Web (WWW), files were transmitted from the command line and FTP was the most popular application. FTP is still widely used today, although most users now transfer files via email and the Web.

FTP, a TCP/IP protocol on the application layer, is used for transmitting files between a remote server and a local host.

The Ethernet switch provides the following FTP services:

FTP server: you can run an FTP client program to log in to the switch and access the files on it.

FTP client: after connecting to the switch through a terminal emulator or Telnet on a PC, you can use FTP commands on the switch to access the files on a remote FTP server.

Figure 1-1 FTP configuration (diagram: a switch and a PC connected through the network)

Table 1-8 Configuration of the switch as FTP client

Device: Switch
  Configuration: Log in to the remote FTP server directly with the ftp command.
  Default: --
  Description: You first need to get the FTP username and password, and then log in to the remote FTP server. Then you get the directory and file authority.

Device: PC
  Configuration: Start the FTP server and make settings such as username, password and authority.
  Default: --
  Description: --


Table 1-9 Configuration of the switch as FTP server

Device: Switch
  Configuration: Start the FTP server.
  Default: The FTP server is disabled.
  Description: You can view the configuration information of the FTP server with the display ftp-server command.

  Configuration: Configure authentication and authorization for the FTP server.
  Default: --
  Description: Configure the username, password and authorized directory for FTP users.

  Configuration: Configure running parameters for the FTP server.
  Description: Configure the timeout value for the FTP server.

Device: PC
  Configuration: Log in to the switch from the FTP client.
  Default: --
  Description: --

Caution:

The prerequisite for normal FTP operation is that the switch and the PC can reach each other.

1.3.2 Enable/Disable FTP Server

You can use the following commands to enable/disable the FTP server on the switch. Perform the following configuration in system view.

Table 1-10 Enable/Disable FTP Server

Operation                Command
Enable the FTP server    ftp server enable
Disable the FTP server   undo ftp server

The FTP server supports access by multiple users at the same time. A remote FTP client sends a request to the FTP server; the FTP server then carries out the corresponding operation and returns the result to the client.

By default, FTP server is disabled.

1.3.3 Configure the FTP Server Authentication and Authorization

You can use the following commands to configure FTP server authentication and authorization. The authorization information of FTP server includes the top working directory provided for FTP clients.

Perform the following configuration in corresponding view.


Table 1-11 Configure the FTP Server Authentication and Authorization

Operation                                                          Command
Create a new local user and enter local user view (system view)    local-user username
Delete a local user (system view)                                  undo local-user [ username | all [ service-type ftp ] ]
Configure the password for the local user (local user view)        password [ cipher | simple ] password
Configure the service type for the local user (local user view)    service-type ftp ftp-directory directory
Cancel the password for the local user (local user view)           undo password
Cancel the service type for the local user (local user view)       undo service-type ftp [ ftp-directory ]

Only the clients who have passed the authentication and authorization successfully can access the FTP server.

1.3.4 Configure the Running Parameters of FTP Server

You can use the following commands to configure the connection timeout of the FTP server. If the FTP server receives no service request from an FTP client for a period of time, it closes the connection, thereby avoiding illegal access by unauthorized users. This period of time is the FTP connection timeout.

Perform the following configuration in system view.

Table 1-12 Configure FTP server connection timeout

Operation                                             Command
Configure the FTP server connection timeout           ftp timeout minute
Restore the default FTP server connection timeout     undo ftp timeout

By default, the FTP server connection timeout is 30 minutes.

1.3.5 Display and Debug FTP Server

After the above configuration, execute the display commands in any view to display the running state of the FTP server and verify the effect of the configuration.

Table 1-13 Display and debug FTP Server

Operation                          Command
Display the FTP server             display ftp-server
Display the connected FTP users    display ftp-user

The display ftp-server command displays the configuration information of the current FTP server, including the maximum number of users supported by the FTP server and the FTP connection timeout. The display ftp-user command displays detailed information about the connected FTP users.

1.3.6 Introduction to FTP Client

The FTP client is an additional function of the Ethernet switch; it is an application module and has no configuration functions. The switch connects, as the FTP client, to the remote server and sends the commands entered by the user for the corresponding operations (such as creating or deleting a directory).

1.3.7 FTP client configuration example

I. Networking requirement

The switch serves as the FTP client and the remote PC as the FTP server. Configuration on the FTP server: configure an FTP user named switch with password hello and read and write authority over the Switch root directory on the PC. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 2.2.2.2. The switch and the PC can reach each other.

The switch application switch.app is stored on the PC. Using FTP, the switch downloads switch.app from the remote FTP server and uploads vrpcfg.txt to the switch directory on the FTP server for backup.

II. Networking diagram

Figure 1-2 Networking for FTP configuration (diagram: a switch and a PC connected through the network)

III. Configuration procedure

1) Configure the FTP server parameters on the PC: a user named switch, password hello, and read and write authority over the Switch directory on the PC.

2) Configure the switch

# Log into the switch (locally through the Console port or remotely using Telnet).


<Quidway>

Caution:

If the flash memory of the switch is insufficient, you need to delete the existing programs in flash first and then upload the new ones.

# Enter the command in user view to establish the FTP connection, then enter the correct username and password to log in to the FTP server.

<Quidway> ftp 2.2.2.2

Trying ...

Press CTRL+K to abort

Connected.

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User(none):switch

331 Give me your password, please

Password:*****

230 Logged in successfully

[ftp]

# Type in the authorized directory of the FTP server.

[ftp] cd switch

# Use the put command to upload the vrpcfg.txt to the FTP server.

[ftp] put vrpcfg.txt

# Use the get command to download the switch.app from the FTP server to the flash directory of the switch.

[ftp] get switch.app

# Use the quit command to release FTP connection and return to user view.

[ftp] quit

<Quidway>

# Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch.

<Quidway> boot boot-loader switch.app

<Quidway> reboot

1.3.8 FTP server configuration example

I. Networking requirement

The switch serves as FTP server and the remote PC as FTP client. Configuration on the FTP server: an FTP user named switch, with password hello and read & write authority over the flash root directory of the switch. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 2.2.2.2. The switch and the PC are reachable from each other.

The switch application switch.app is stored on the PC. Using FTP, the PC can upload the switch.app to the switch and download the vrpcfg.txt from the switch for backup purposes.

II. Networking diagram

Figure 1-3 Networking for FTP configuration (diagram: Switch connected to the PC through the network)

1) Configure the switch

# Log into the switch (locally through the Console port or remotely using Telnet).

<Quidway>

# Start FTP function and set username, password and file directory.

[Quidway] ftp server enable

[Quidway] local-user switch

[Quidway-luser-switch] service-type ftp ftp-directory flash:

[Quidway-luser-switch] password simple hello

2) Run an FTP client on the PC and establish the FTP connection. Upload the switch.app to the Flash directory of the switch and download the vrpcfg.txt from the switch. The FTP client is not shipped with the switch, so you need to buy it separately.

Caution:

If the flash memory of the switch is not enough, you need to first delete the existing programs in the flash memory and then upload the new ones.

3) When the upload is complete, initiate the file upgrade on the switch.

<Quidway>

# Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch.

<Quidway> boot boot-loader switch.app

<Quidway> reboot

1.4 TFTP

1.4.1 TFTP Overview

Trivial File Transfer Protocol (TFTP) is a simple protocol for file transfer. Compared with FTP, another file transfer protocol, TFTP has no complicated interactive access interface and no authentication control, and is therefore suited to cases where no complicated interaction is needed between client and server. TFTP is implemented on top of UDP.

TFTP transmission is originated from the client end. To download a file, the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it. To upload a file, the client sends a request to the TFTP server and then transmits data to it and receives the acknowledgement from it. TFTP transmits files in two modes, binary mode for program files and ASCII mode for text files.

Figure 1-4 TFTP configuration (diagram: Switch connected to the PC through the network)

Table 1-14 Configuration of the switch as TFTP client

Device: Switch
Configuration: Configure an IP address for the VLAN interface of the switch, in the same network segment as that of the TFTP server.
Default: --
Description: TFTP is suited to cases where no complicated interaction is required between client and server. Make sure that the IP address of the VLAN interface on the switch is in the same network segment as that of the TFTP server.

Device: Switch
Configuration: Use the tftp command to log into the remote TFTP server for file uploading and downloading.
Default: --
Description: --

Device: PC
Configuration: Start the TFTP server and set the authorized TFTP directory.
Default: --
Description: --

1.4.2 Configure the File Transmission Mode

TFTP transmits files in two modes, binary mode for program files and ASCII mode for text files. You can use the following commands to configure the file transmission mode.

Perform the following configuration in system view.

Table 1-15 Configure the file transmission mode

Operation                               Command
Configure the file transmission mode    tftp { ascii | binary }

By default, TFTP transmits files in binary mode.

1.4.3 Download Files by means of TFTP

To download a file, the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it. You can use the following commands to download files by means of TFTP.

Perform the following configuration in system view.

Table 1-16 Download files by means of TFTP

Operation                          Command
Download files by means of TFTP    tftp get //A.A.A.A/xxx.yyy mmm.nnn

1.4.4 Upload Files by means of TFTP

To upload a file, the client sends a request to the TFTP server and then transmits data to it and receives the acknowledgement from it. You can use the following commands to upload files.

Perform the following configuration in system view.

Table 1-17 Upload files by means of TFTP

Operation                        Command
Upload files by means of TFTP    tftp put mmm.nnn //A.A.A.A/xxx.yyy

1.4.5 TFTP Client Configuration Example

I. Networking requirement

The switch serves as TFTP client and the remote PC as TFTP server. An authorized TFTP directory is set on the TFTP server. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 2.2.2.2. The interface on the switch connecting to the PC belongs to the same VLAN.

The switch application switch.app is stored on the PC. Using TFTP, the switch can download the switch.app from the remote TFTP server and upload the vrpcfg.txt to the switch directory on the TFTP server for backup purposes.

II. Networking diagram

Figure 1-5 Networking for TFTP configuration (diagram: Switch connected to the PC through the network)

III. Configuration procedure

1) Start the TFTP server on the PC and set the authorized TFTP directory.

2) Configure the switch

# Log into the switch (locally through the Console port or remotely using Telnet).

<Quidway>

Caution:

If the flash memory of the switch is not enough, you need to first delete the existing programs in the flash memory and then upload the new ones.

# Enter system view and download the switch.app from the TFTP server to the flash memory of the switch.

<Quidway> system-view

[Quidway]

# Configure IP address 1.1.1.1 for the VLAN interface, and make sure the port connecting to the PC is also in this VLAN (VLAN 1 in this example).

[Quidway] interface vlan 1

[Quidway-vlan-interface1] ip address 1.1.1.1 255.255.255.0

[Quidway-vlan-interface1] quit

# Upload the vrpcfg.txt to the TFTP server.

[Quidway] tftp put vrpcfg.txt //1.1.1.2/vrpcfg.txt

# Download the switch.app from the TFTP server.

[Quidway] tftp get //1.1.1.2/switch.app switch.app

# Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch.

<Quidway> boot boot-loader switch.app

<Quidway> reboot

Chapter 2 MAC Address Table Management

2.1 MAC Address Table Management Overview

An Ethernet switch maintains a MAC address table for fast packet forwarding. A table entry includes the MAC address of a device and the ID of the switch port it is connected to. Dynamic entries (those not configured manually) are learned by the switch in the following way: after receiving a data frame on a port (say port A), the switch analyzes its source MAC address (say MAC_SOURCE) and concludes that packets destined for MAC_SOURCE can be forwarded via port A. If the MAC address table already contains MAC_SOURCE, the switch updates the corresponding entry; otherwise it adds the new MAC address (and its forwarding port) as a new entry.

The system forwards packets whose destination addresses are found in the MAC address table directly in hardware, and broadcasts those whose addresses are not in the table. The network device responds after receiving the broadcast packet, and the response carries the MAC address of the device, which the switch then learns and adds to the MAC address table. Subsequent packets destined for the same MAC address are forwarded directly. If the MAC address cannot be found even after the packet is broadcast, the switch drops the packet and notifies the transmitter that the packet cannot reach its destination.

Figure 2-1 The Ethernet switch forwards packets with MAC address table (diagram: table entries MACA and MACB on port 1, MACC and MACD on port 2; a frame between MACD and MACA is passed between port 1 and port 2)

The Ethernet switch also provides MAC address aging. If the switch receives no packet from a learned MAC address for a period of time, it deletes the related entry from the MAC address table. Aging has no effect on static MAC addresses.

You can configure (add or modify) the MAC address entries manually according to the actual networking environment. The entries can be static ones or dynamic ones.

2.2 MAC Address Table Configuration

MAC address table management includes:

- Set MAC Address Table Entries
- Set MAC Address Aging Time
- Set the Max Count of MAC Address Learned by a Port

2.2.1 Set MAC Address Table Entries

Administrators can manually add, modify, or delete the entries in MAC address table according to the actual needs. They can also delete all the (unicast) MAC address table entries related to a specified port or delete a specified type of entries, such as dynamic entries or static entries.

You can use the following commands to add, modify, or delete the entries in MAC address table.

Perform the following configuration in system view.

Table 2-1 Set MAC address table entries

Operation                      Command
Add/Modify an address entry    mac-address { static | dynamic } hw-addr interface { interface-name | interface-type interface-num } vlan vlan-id
Delete an address entry        undo mac-address [ static | dynamic ] [ [ hw-addr ] interface [ interface-name | interface-type interface-num ] vlan vlan-id ]

When you delete the dynamic address table entries, the learned entries are deleted as well.

2.2.2 Set MAC Address Aging Time

Setting an appropriate aging time lets MAC address aging work effectively. An aging time that is too long or too short causes the Ethernet switch to broadcast a great number of packets whose MAC addresses are not in the table, which affects the switch's performance.

If the aging time is too long, the Ethernet switch stores a great number of out-of-date MAC address entries. This consumes MAC address table resources, and the switch cannot update the table in step with network changes.

If the aging time is too short, the Ethernet switch may delete valid MAC address entries.

You can use the following commands to set the MAC address aging time for the system.

Perform the following configuration in system view.

Table 2-2 Set the MAC address aging time for the system

Operation                                      Command
Set the dynamic MAC address aging time         mac-address timer { aging age | no-aging }
Restore the default MAC address aging time     undo mac-address timer aging

This command takes effect on all ports. However, address aging applies only to dynamic addresses (those learned, or configured by the user as aging entries).

By default, the aging-time is 300 seconds. With the no-aging parameter, the command performs no aging on the MAC address entries.

2.2.3 Set the Max Count of MAC Address Learned by a Port

With the address learning function, an Ethernet switch can learn new MAC addresses. After receiving a packet destined for an already learned MAC address, the switch forwards it directly in hardware instead of broadcasting it. However, too many MAC address entries learned by a port affect the switch's performance.

You can control the MAC address entries learned by a port by setting the maximum count of MAC addresses the port may learn. If you set the max count of a port to count, the port stops learning new MAC address entries once the number of entries it has learned reaches count.

You can use the following commands to set the max count of MAC address learned by a port.

Perform the following configuration in Ethernet port view.

Table 2-3 Set the Max Count of MAC Address Learned by a Port

Operation                                                           Command
Set the Max Count of MAC Address Learned by a Port                  mac-address max-mac-count count
Restore the default Max Count of MAC Address Learned by a Port      undo mac-address max-mac-count

By default, there is no limit to the MAC addresses learned via the Ethernet port.
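The learning, forwarding, aging and max-mac-count behaviour described in 2.1 to 2.2.3 above, modelled as an added example that is not code from the manual or the switch. Class and function names and the simulation clock are assumptions of the example; the MAC strings use the page's hhhh-hhhh-hhhh notation.

```python
"""Added example (not from the Quidway manual): a small model of the MAC address
table behaviour described in sections 2.1 to 2.2.3: learning the source address
on the ingress port, hardware forwarding when the destination is known and
flooding when it is not, aging of dynamic entries (default 300 s, or no-aging),
static entries that never age, and the per-port max-mac-count learning limit.
Class and function names and the simulation clock are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_AGING_S = 300   # page: "By default, the aging-time is 300 seconds"


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float    # simulation time of the last frame seen from this source


@dataclass
class MacTable:
    ports: List[int]
    aging_s: Optional[float] = DEFAULT_AGING_S       # None models "mac-address timer no-aging"
    max_mac_count: Dict[int, int] = field(default_factory=dict)  # per-port "max-mac-count"
    table: Dict[str, Entry] = field(default_factory=dict)

    def set_static(self, mac: str, port: int) -> None:
        """mac-address static hw-addr interface ...: a static entry, exempt from aging."""
        self.table[mac] = Entry(port, True, 0.0)

    def learned_count(self, port: int) -> int:
        """Number of dynamic (learned) entries currently bound to a port."""
        return sum(1 for e in self.table.values() if e.port == port and not e.static)

    def age(self, now: float) -> List[str]:
        """Delete dynamic entries idle longer than the aging time; static ones stay."""
        if self.aging_s is None:
            return []
        expired = [mac for mac, e in self.table.items()
                   if not e.static and now - e.last_seen > self.aging_s]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port: int, src: str, dst: str, now: float) -> Tuple[str, List[int]]:
        """Handle one frame: learn src on in_port, then decide how to forward to dst.
        Returns ("forward", [port]), ("flood", other ports) or ("filter", [])."""
        self.age(now)
        entry = self.table.get(src)
        if entry is None:
            limit = self.max_mac_count.get(in_port)
            if limit is None or self.learned_count(in_port) < limit:
                self.table[src] = Entry(in_port, False, now)   # new entry: MAC -> ingress port
            # otherwise the port has reached its limit and learns nothing new
        elif not entry.static:
            entry.port, entry.last_seen = in_port, now         # refresh an existing dynamic entry
        dst_entry = self.table.get(dst)
        if dst_entry is None:
            return "flood", [p for p in self.ports if p != in_port]   # unknown: broadcast it
        if dst_entry.port == in_port:
            # destination sits on the ingress port: standard bridge filtering (an assumption
            # of this example, the page does not describe this case)
            return "filter", []
        return "forward", [dst_entry.port]                       # known: forwarded in hardware


def demo() -> dict:
    """Walk the page's scenarios: Figure 2-1 style traffic, the learning limit and aging."""
    t = MacTable(ports=[1, 2, 3], max_mac_count={3: 1})
    t.set_static("00e0-fc35-dc71", 2)             # the static entry from the section 2.4 example
    first = t.receive(1, "MACA", "MACD", now=0)    # MACD not yet known: flooded
    second = t.receive(2, "MACD", "MACA", now=1)   # MACA was learned on port 1: forwarded
    third = t.receive(1, "MACA", "MACD", now=2)    # both known now: forwarded to port 2
    t.receive(3, "MACX", "MACA", now=3)            # port 3 may learn one address ...
    t.receive(3, "MACY", "MACA", now=4)            # ... so the second source is not learned
    learned_on_3 = sorted(m for m, e in t.table.items() if e.port == 3 and not e.static)
    expired = t.age(now=400)                       # more than 300 s idle: dynamic entries go
    noaging = MacTable(ports=[1, 2], aging_s=None)
    noaging.receive(1, "MACA", "MACB", now=0)
    return {
        "first": first, "second": second, "third": third,
        "learned_on_3": learned_on_3, "expired": expired,
        "remaining": sorted(t.table), "noaging_expired": noaging.age(now=10_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```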

2.3 Display and Debug MAC Address Table

After the above configuration, execute the display command in any view to display the running state of the MAC address table configuration and verify the effect of the configuration.

Execute the debugging command in user view to debug the MAC address table configuration.

Table 2-4 Display and debug MAC address table

Operation                                                Command
Display the information in the address table             display mac-address [ mac-addr [ vlan vlan-id ] | [ static | dynamic ] [ interface { interface-name | interface-type interface-num } ] [ vlan vlan-id ] [ count ] ]
Display the aging time of dynamic address table entries  display mac-address aging-time
Enable the address table management debugging            debugging mac-address
Disable the address table management debugging           undo debugging mac-address

2.4 MAC Address Table Management Configuration Example

I. Networking requirements

The user logs in to the switch via the Console port to configure address table management. It is required to set the address aging time to 500 s and add the static address 00e0-fc35-dc71 to Ethernet 0/2 in VLAN 1.

II. Networking diagram

Figure 2-2 Typical configuration of address table management (diagram: the Switch is managed through its Console port and connected to the Internet through a network port)

III. Configuration procedure

# Enter the system view of the switch.

<Quidway> system-view

# Add a MAC address (specify the native VLAN, port and state).

[Quidway] mac-address static 00e0-fc35-dc71 interface ethernet 0/2 vlan 1

# Set the address aging time to 500s.

[Quidway] mac-address timer aging 500

# Display the MAC address configurations in any view (the display information on S3526).

[Quidway] display mac-address interface ethernet 0/2

MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)

00-e0-fc-35-dc-71 1 Static Ethernet0/2 NOAGED

00-e0-fc-17-a7-d6 1 Learned Ethernet0/2 500

00-e0-fc-5e-b1-fb 1 Learned Ethernet0/2 500

00-e0-fc-55-f1-16 1 Learned Ethernet0/2 500

--- 4 mac address(es) found on port Ethernet0/2 ---

# Display the MAC address configurations in any view (the display information on S3526E).

[Quidway] display mac-address interface ethernet 0/2

MAC ADDR VLAN ID STATE PORT INDEX AGING TIME

00-e0-fc-35-dc-71 1 Static Ethernet0/2 NOAGED

00-e0-fc-17-a7-d6 1 Learned Ethernet0/2 AGING

00-e0-fc-5e-b1-fb 1 Learned Ethernet0/2 AGING

00-e0-fc-55-f1-16 1 Learned Ethernet0/2 AGING

--- 4 mac address(es) found on port Ethernet0/2 ---

Chapter 3 Device management

3.1 Device Management Overview

With the device management function, the Ethernet switch can display the current running state and event debugging information of the slots, which supports maintenance and management of the state and communication of the physical devices. In addition, a command is available for rebooting the system when a function failure occurs.

The device management configuration task is simple. As far as the user is concerned, it mainly consists of displaying and debugging device management.

3.2 Device Management Configuration

The device management configuration includes:

- Reboot Ethernet switch
- Designate the APP adopted when booting the Ethernet switch next time
- Upgrade BootROM

3.2.1 Reboot Ethernet Switch

You may need to reboot the Ethernet switch when a failure occurs.

Perform the following configuration in user view.

Table 3-1 Reboot Ethernet switch

Operation                   Command
Reboot the whole system     reboot

3.2.2 Designate the APP Adopted When Booting the Ethernet Switch Next Time

In the case that there are several APPs in the Flash Memory, you can use this command to designate the APP adopted when booting the Ethernet switch next time.

Perform the following configuration in user view.

Table 3-2 Designate the APP adopted when booting the Ethernet switch next time

Operation                                                              Command
Designate the APP adopted when booting the Ethernet switch next time   boot boot-loader file-url

3.2.3 Upgrade BootROM

You can use this command to upgrade the BootROM with a BootROM program stored in the Flash Memory. This configuration task facilitates remote upgrades: you can upload the BootROM program file from a remote end to the switch via FTP and then use this command to upgrade the BootROM.

Perform the following configuration in user view.

Table 3-3 Upgrade BootROM

Operation          Command
Upgrade BootROM    boot bootrom file-url

3.3 Display and Debug Device Management Configuration

After the above configuration, execute the display command in any view to display the running state of the device management configuration and verify the effect of the configuration.

Table 3-4 Display and debug Device management configuration

Operation                                                  Command
Display the APP to be applied when rebooting the switch    display boot-loader
Display the module types and running states of each slot   display device
Display the busy status of the CPU                         display cpu
Display the used status of switch memory                   display memory [ slot slot-number ]

Chapter 4 System Maintenance and Debugging

4.1 Basic System Configuration

4.1.1 Set Name for Switch

Run the sysname command in system view.

Table 4-1 Set name for Switch

Operation                               Command
Set the switch name                     sysname sysname
Restore switch name to default value    undo sysname

4.1.2 Set the System Clock

Run the clock datetime command in user view.

Table 4-2 Set the system clock

Operation               Command
Set the system clock    clock datetime HH:MM:SS YYYY/MM/DD

4.1.3 Set the Time Zone

You can configure the name of the local time zone and the time difference between the local time and Coordinated Universal Time (UTC).

Perform the following operations in the user view.

Table 4-3 Setting the time zone

Operation                                Command
Set the local time zone                  clock timezone zone_name { add | minus } HH:MM:SS
Restore to the default UTC time zone     undo clock timezone

By default, the UTC time zone is adopted.

4.1.4 Set the Summer Time

You can set the name, starting and ending time of the summer time.

Perform the following operations in the user view.

Table 4-4 Setting the summer time

Operation                                        Command
Set the name and range of the summer time        clock summer-time zone_name { one-off | repeating } start-time start-date end-time end-date offset-time
Remove the setting of the summer time            undo clock summer-time

By default, the summer time is not set.

4.2 Display the State and Information of the System

The display commands can be classified as follows according to their functions:

- Commands for displaying the system configuration information
- Commands for displaying the system running state
- Commands for displaying the system statistics information

For the display commands related to each protocol and to the different ports, refer to the relevant chapters. The following display commands are used for displaying the system state and the statistics information.

Perform the following operations in any view.

Table 4-5 The display commands of the system

Operation                            Command
Display the system clock             display clock
Display the system version           display version
Display the terminal users           display users [ all ]
Display the saved configuration      display saved-configuration
Display the current configuration    display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ ospf | system | user-interface ] ] [ | { begin | exclude | include } regular-expression ]
Display the state of debugging       display debugging [ interface { interface-name | interface-type interface-number } ] [ module-name ]

4.3 System Debugging

4.3.1 Enable/Disable the Terminal Debugging

The Ethernet switch provides various ways for debugging most of the supported protocols and functions, which can help you diagnose and address the errors.

The following switches control the output of the debugging information:

- The protocol debugging switch controls the debugging output of a protocol.
- The terminal debugging switch controls the debugging output on a specified user screen.

The figure below illustrates the relationship between the two switches.

Figure 4-1 Debug output (diagram: debugging information 1, 2 and 3 first passes the protocol debugging switches, which are ON for 1 and 3 and OFF for 2, then the screen output switch, so only 1 and 3 reach the screen)

You can use the following commands to control the above-mentioned debugging.

Perform the following operations in user view.

Table 4-6 Enable/Disable the debugging

Operation                          Command
Enable the protocol debugging      debugging { all | module-name [ debugging-option ] }
Disable the protocol debugging     undo debugging { all | { protocol-name | function-name } [ debugging-option ] }
Enable the terminal debugging      terminal debugging
Disable the terminal debugging     undo terminal debugging

For more about the usage and format of the debugging commands, refer to the relevant chapters.

Note:

Since debugging output affects the operating efficiency of the system, do not enable debugging unless necessary, and in particular use the debugging all command with caution. When debugging is finished, disable all debugging.

4.3.2 Display Diagnostic Information

When the Ethernet switch is not running well, you can collect all sorts of information about the switch to locate the source of the fault. However, each module has its own display command, which makes it difficult to collect all the information needed. In this case, you can use the display diagnostic-information command.

You can perform the following operations in any view.

Table 4-7 display diagnostic information

Operation                         Command
Display diagnostic information    display diagnostic-information

4.4 Testing Tools for Network Connection

I. ping

The ping command checks the network connection and whether a host is reachable.

Perform the following operation in any view.

Table 4-8 The ping command

Operation          Command
Support IP ping    ping [ -a ip-address ] [ -c count ] [ -d ] [ -h ttl ] [ -i { interface-type interface-num | interface-name } ] [ ip ] [ -n ] [ -p pattern ] [ -q ] [ -r ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] host

The output of the command includes:

- The response to each ping message. If no response packet is received before the timeout, "Request time out" is displayed. Otherwise, the data bytes, the packet sequence number, the TTL and the round-trip time of the response packet are displayed.
- The final statistics, including the number of packets the switch sent and received, the packet loss ratio, and the minimum, mean and maximum round-trip time.

II. tracert

The tracert command tests the gateways that packets pass through from the source host to the destination host. It is mainly used to check whether the network is connected and to analyze where a fault occurs in the network.

tracert works as follows: the source sends a packet with a TTL value of 1, and the first hop sends back an ICMP error message indicating that the packet cannot be forwarded because its TTL has expired. The packet is re-sent with a TTL value of 2, and the second hop returns the TTL-expired message. The process repeats until the packet reaches the destination. The purpose of the process is to record the source address of each ICMP TTL-expired message, which yields the route an IP packet takes to the destination.

Perform the following operation in any view.

Table 4-9 The tracert command

Operation      Command
Trace route    tracert [ -a source-IP ] [ -f first-TTL ] [ -m max-TTL ] [ -p port ] [ -q nqueries ] [ -w timeout ] string

4.5 Logging Function

4.5.1 Introduction to Info-center

The info-center is an indispensable part of the Ethernet switch. It serves as the information center for the system software modules. The logging system is responsible for most information output, and it classifies the information in detail so that it can be filtered efficiently. Coupled with the debugging facility, the info-center gives network administrators and R&D personnel powerful support for monitoring the operating state of networks and diagnosing network failures.

When log information is output to a terminal or to the log buffer, it consists of the following parts:

%Timestamp Sysname Module name/Severity/Digest: Content

For example:

%Jun 7 05:22:03 2003 Quidway IFNET/6/UPDOWN:Line protocol on interface Ethernet0/2, changed state to UP

When the log information is output to the loghost, the first part is "<Priority>".

For example:

<187>Jun 7 05:22:03 2003 Quidway IFNET/6/UPDOWN:Line protocol on interface Ethernet0/2, changed state to UP

The description of the components of log information is as follows:

1) Priority

The priority is computed according to the following formula: facility*8+severity-1. The default value of the facility is 23. The range of severity is 1~8; severity is introduced in a separate section.

The value of facility can be set with the info-center loghost command; local1 to local7 correspond to 16 to 23 respectively. For details, refer to RFC 3164 (The BSD syslog Protocol).

Notice: The priority is only present when information is sent to the loghost. There is no character between the priority and the timestamp.

2) Timestamp

If the logging information is sent to the log host, the default timestamp format is date; it can be changed to the boot format or the none format through the command:

info-center timestamp log { date | boot | none }

The date format of timestamp is "mm dd hh:mm:ss yyyy".

"mm" is the month field: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov or Dec.

"dd" is the day field; if the day is less than 10, one blank is added in front of it, such as " 7".

"hh:mm:ss" is the time field; "hh" runs from 00 to 23, "mm" and "ss" from 00 to 59.

"yyyy" is the year field.

If changed to the boot format, the timestamp represents the milliseconds elapsed since system boot. Generally the value is so large that two 32-bit integers are used, separated by a dot '.'.

For example:

<189>0.166970 Quidway IFNET/6/UPDOWN:Line protocol on interface Ethernet0/2, changed state to UP

It means that 166970 ms (0*2^32+166970) have passed since system boot.

If changed to the none format, the timestamp field is not present in the logging information.

Notice: There is a blank between the timestamp and the sysname. If the timestamp is in the none format, there is a blank between the priority and the sysname.

3) Sysname

The sysname is the host name; the default value is "Quidway".

The user can change the host name with the sysname command.

Notice: There is a blank between the sysname and the module name.

4) Module name

The module name is the name of the module that created the logging information; the following table lists some examples:

Table 4-10 Module names in logging information

Module name    Description
BGP            Border Gateway Protocol
CFM            Configuration File Management
HWCM           Huawei Configuration Mib
IFNET          Interface Management
IP             Internet Protocol
NTP            Network Time Protocol
OSPF           Open Shortest Path First
SNMP           Simple Network Management Protocol

Notice: There is a slash ('/') between the module name and the severity.

5) Severity

Switch information falls into three categories: log information, debugging information and trap information. The info-center classifies each kind of information into eight severity (urgency) levels. The log filtering rule is that the system suppresses output of information whose severity level is greater than the configured threshold. The more urgent the logging packet, the smaller its severity level: "emergencies" is level 0 and "debugging" is level 7. Therefore, when the severity threshold is "debugging", the system outputs all information.

The severity levels in logging information are defined as follows.

Table 4-11 Info-center-defined severity

Severity         Description
emergencies      The most urgent errors
alerts           Errors that need to be corrected immediately
critical         Critical errors
errors           Errors that need attention but are not critical
warnings         Warnings; some kind of error may exist
notifications    Information that should be noted
informational    Common prompting information
debugging        Debugging information

Notice: There is a slash between the severity and the digest.

6) Digest

The digest is an abbreviation that summarizes the content.

Notice: There is a colon between the digest and the content.

7) Content

The content is the body text of the logging information.

4.5.2 Info-center Configuration

The switch supports six output directions for information.

The system assigns a channel in each output direction by default. See the table below.

Table 4-12 Numbers and names of the channels for log output

Output direction      Channel number   Default channel name
Console               0                console
Monitor               1                monitor
Info-center loghost   2                loghost
Trap buffer           3                trapbuf
Logging buffer        4                logbuf
snmp                  5                snmpagent

Note:

The settings in the six directions are independent of each other. The settings take effect only after the information center is enabled.

The info-center of Ethernet Switch has the following features:

Support for outputting logs in six directions: Console, monitor (Telnet terminal), logbuf, loghost, trapbuf, and SNMP.

Logs are divided into 8 levels according to their significance and can be filtered by level.

Information can be classified by source module and filtered by module.

The output language can be selected between Chinese and English.

1) Sending the configuration information to loghost.


Table 4-13 Sending the configuration information to loghost

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to loghost
Default value: -
Description: The loghost configuration on the switch and that on the loghost must be the same; otherwise the information cannot be sent to the loghost correctly.

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.

Device: Loghost
Configuration: Refer to the configuration cases for the related log host configuration
Default value: -
Description: -

2) Sending the configuration information to the console terminal.

Table 4-14 Sending the configuration information to the console terminal

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to Console
Default value: -
Description: -

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.

Device: Switch
Configuration: Enable terminal display function
Default value: -
Description: You can view debugging information after enabling the terminal display function.


3) Sending the configuration information to monitor terminal

Table 4-15 Sending the configuration information to monitor terminal

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to monitor
Default value: -
Description: -

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.

Device: Switch
Configuration: Enable the terminal display function and this function for the corresponding information
Default value: -
Description: For a Telnet terminal or dumb terminal, to view the information you must enable the current terminal display function using the terminal monitor command.

4) Sending the configuration information to log buffer.

Table 4-16 Sending the configuration information to log buffer

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to logbuffer
Default value: -
Description: You can configure the size of the log buffer at the same time.

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.

5) Sending the configuration information to trap buffer.

Table 4-17 Sending the configuration information to trap buffer

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to trapbuffer
Default value: -
Description: You can configure the size of the trap buffer at the same time.

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.


6) Sending the configuration information to SNMP

Table 4-18 Sending the configuration information to SNMP

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to SNMP
Default value: -
Description: -

Device: Switch
Configuration: Set information source
Default value: -
Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on. You must turn on the switch of the corresponding module before defining the output of debugging information.

Device: Switch
Configuration: Configure SNMP features
Default value: -
Description: See Chapter 5 SNMP Configuration

Device: Network management workstation
Configuration: The same as the SNMP configuration of the switch
Default value: -
Description: -

7) Turn on/off the information synchronization switch in Fabric

Table 4-19 Turn on/off the information synchronization switch in Fabric

Device: Switch
Configuration: Enable info-center
Default value: By default, info-center is enabled.
Description: Other configurations are valid only if the info-center is enabled.

Device: Switch
Configuration: Set the information output direction to SNMP
Default value: By default, the log, debugging and trap information synchronization switches of the master in the Fabric are turned on, as are the log and trap information synchronization switches of the other switches.
Description: This configuration keeps the log information, debugging information and trap information of every switch in the Fabric synchronized.

4.5.3 Sending the Configuration Information to Loghost

To send configuration information to loghost, follow the steps below:

1) Enabling info-center

Perform the following operation in system view.

Table 4-20 Enable/disable info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable


Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to loghost

Perform the following operation in system view.

Table 4-21 Configuring to output information to loghost

Operation                                                       Command
Output information to loghost                                   info-center loghost host-ip-addr [ channel { channel-number | channel-name } ] [ facility local-number ] [ language { chinese | english } ]
Cancel the configuration of outputting information to loghost   undo info-center loghost host-ip-addr

Note:

Be sure to enter the correct IP address when you configure the loghost IP address with the info-center loghost command. If you enter a loopback address, the system prompts that the address is invalid.

3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the console terminal, as well as the information type, information level, and so on.

Perform the following operation in system view.

Table 4-22 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the loghost, channel-number or channel-name must be set to the channel that corresponds to the loghost direction.


Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.
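A collector on the log host side has to split each line the switch sends into the fields described earlier in this section (priority, timestamp, sysname, module name, severity, digest, content) and can then apply the per-channel, per-module severity thresholds with default-record fallback described in this step. The following is an added example in Python, not code from the manual or from the switch; it assumes the layout <priority>timestamp sysname module/severity/digest:content with the severity written as the numeric level 0 to 7, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 4-11 severities in the numbering this section gives (0 .. 7).
SEVERITY_NAMES = [
    "emergencies", "alerts", "critical", "errors",
    "warnings", "notifications", "informational", "debugging",
]

# Assumed layout: <priority>timestamp sysname module/severity/digest:content
# The timestamp group may be empty (timestamp format none), in which case a
# single blank separates the priority from the sysname.
LINE_RE = re.compile(
    r"^<(?P<priority>\d+)>(?P<timestamp>.*?) (?P<sysname>\S+) "
    r"(?P<module>[^/\s]+)/(?P<severity>\d)/(?P<digest>[^:]+):(?P<content>.*)$"
)


@dataclass
class LogRecord:
    priority: int
    timestamp: str  # "" when the timestamp format is none
    sysname: str
    module: str
    severity: int   # 0 (emergencies) .. 7 (debugging)
    digest: str
    content: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line does not follow the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None or int(m.group("severity")) > 7:
        return None
    return LogRecord(
        priority=int(m.group("priority")),
        timestamp=m.group("timestamp"),
        sysname=m.group("sysname"),
        module=m.group("module"),
        severity=int(m.group("severity")),
        digest=m.group("digest"),
        content=m.group("content"),
    )


class Channel:
    """One info-center channel with its 'info-center source' records.

    Each record is a per-module severity threshold; the 'default' record
    covers every module that has no record of its own.  A message is output
    only if its level is not greater than the threshold (lower = more urgent).
    """

    def __init__(self, name: str, default_level: int) -> None:
        self.name = name
        self.levels: Dict[str, int] = {"default": default_level}

    def set_source(self, module: str, level: int) -> None:
        self.levels[module] = level

    def threshold_for(self, module: str) -> int:
        return self.levels.get(module, self.levels["default"])

    def accepts(self, rec: LogRecord) -> bool:
        return rec.severity <= self.threshold_for(rec.module)


def filter_lines(lines: List[str], channel: Channel) -> List[LogRecord]:
    """Parse the lines and keep those the channel would output."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and channel.accepts(rec):
            kept.append(rec)
    return kept


# Constructed sample lines (not captured from a real switch); the timestamp
# and digest strings are illustrative only.
SAMPLE_LINES = [
    "<189>Jun 10 2005 10:22:55 Quidway IFNET/5/UPDOWN:Line protocol on the interface is UP",
    "<188>Jun 10 2005 10:23:01 Quidway SNMP/4/AUTHFAIL:Wrong community from 10.0.0.9",
    "<190>Jun 10 2005 10:23:07 Quidway OSPF/6/NBRCHG:Neighbor state changed",
    "<191> Quidway NTP/7/DEBUG:Poll timer expired",  # timestamp format none
    "garbage line without the expected layout",
]

if __name__ == "__main__":
    loghost = Channel("loghost", default_level=6)  # informational and more urgent
    loghost.set_source("OSPF", 4)                  # OSPF: warnings and more urgent
    for rec in filter_lines(SAMPLE_LINES, loghost):
        print(f"{rec.sysname} {rec.module} {rec.severity_name} {rec.digest}: {rec.content}")
```

With the thresholds above, the IFNET and SNMP lines are kept, the OSPF line is dropped by its module-specific record, the NTP debugging line exceeds the default threshold, and the malformed line is rejected by the parser.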

Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-23 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }

4) Configuring loghost

The configuration on the loghost must be the same as that on the switch. For the related configuration, see the configuration examples later in this chapter.

4.5.4 Sending the Configuration Information to Console terminal

To send configuration information to console terminal, follow the steps below:

1) Enabling info-center

Perform the following operation in system view.

Table 4-24 Enable/disable info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable


Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to console terminal

Perform the following operation in system view.

Table 4-25 Configuring to output information to console terminal

Operation                                                       Command
Output information to Console                                   info-center console channel { channel-number | channel-name }
Cancel the configuration of outputting information to Console   undo info-center console channel

3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the console terminal, as well as the information type, information level, and so on.

Perform the following operation in system view:

Table 4-26 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the console terminal, channel-number or channel-name must be set to the channel that corresponds to the Console direction.

Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.


Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-27 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }

4) Enable terminal display function

To view the output information at the console terminal, you must first enable the corresponding log, debugging and trap information functions at the switch.

For example, if you have set log information as the information sent to the console terminal, you now need to use the terminal logging command to enable the terminal display function for log information on the switch; then you can view the information at the console terminal.

Perform the following operation in user view:

Table 4-28 Enabling terminal display function

Operation                                                    Command
Enable terminal display function of debugging information    terminal debugging
Disable terminal display function of debugging information   undo terminal debugging
Enable terminal display function of log information          terminal logging
Disable terminal display function of log information         undo terminal logging
Enable terminal display function of trap information         terminal trapping
Disable terminal display function of trap information        undo terminal trapping

4.5.5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal

To send configuration information to Telnet terminal or dumb terminal, follow the steps below:


1) Enabling info-center

Perform the following operation in system view.

Table 4-29 Enable/disable Info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable

Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to Telnet terminal or dumb terminal

Perform the following operation in system view.

Table 4-30 Configuring to output information to Telnet terminal or dumb terminal

Operation                                                                                Command
Output information to Telnet terminal or dumb terminal                                   info-center monitor channel { channel-number | channel-name }
Cancel the configuration of outputting information to Telnet terminal or dumb terminal   undo info-center monitor channel

3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the Telnet terminal or dumb terminal, as well as the information type, information level, and so on.

Perform the following operation in system view:

Table 4-31 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the Telnet terminal or dumb terminal, channel-number or channel-name must be set to the channel that corresponds to the Console direction.

Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.

Note:

When there is more than one Telnet user or monitor user at the same time, some configuration parameters are shared among the users, such as the module-based filtering settings and the severity threshold. When one user modifies these settings, the change is reflected for the other clients.

Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-32 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }

4) Enabling terminal display function

To view the output information at the Telnet terminal or dumb terminal, you must first enable the corresponding log, debugging and trap information functions at the switch.


For example, if you have set log information as the information sent to the Telnet terminal or dumb terminal, you now need to use the terminal logging command to enable the terminal display function for log information on the switch; then you can view the information at the Telnet terminal or dumb terminal.

Perform the following operation in user view:

Table 4-33 Enabling terminal display function

Operation                                                                 Command
Enable terminal display function of log, debugging and trap information   terminal monitor
Disable terminal display function of the above information                undo terminal monitor
Enable terminal display function of debugging information                 terminal debugging
Disable terminal display function of debugging information                undo terminal debugging
Enable terminal display function of log information                       terminal logging
Disable terminal display function of log information                      undo terminal logging
Enable terminal display function of trap information                      terminal trapping
Disable terminal display function of trap information                     undo terminal trapping

4.5.6 Sending the Configuration Information to Log Buffer

To send configuration information to log buffer, follow the steps below:

1) Enabling info-center

Perform the following operation in system view.

Table 4-34 Enabling/disabling info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable

Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to log buffer

Perform the following operation in system view.

Table 4-35 Configuring to output information to log buffer

Operation                                                          Command
Output information to log buffer                                   info-center logbuffer [ channel { channel-number | channel-name } ] [ size buffersize ]
Cancel the configuration of outputting information to log buffer   undo info-center logbuffer [ channel | size ]


3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the log buffer, as well as the information type, information level, and so on.

Perform the following operation in system view:

Table 4-36 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the log buffer, channel-number or channel-name must be set to the channel that corresponds to the Console direction.

Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.

Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-37 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }


4.5.7 Sending the Configuration Information to Trap Buffer

To send configuration information to trap buffer, follow the steps below:

1) Enabling info-center

Perform the following operation in system view.

Table 4-38 Enabling/disabling info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable

Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to trap buffer

Perform the following operation in system view.

Table 4-39 Configuring to output information to trap buffer

Operation                                                           Command
Output information to trap buffer                                   info-center trapbuffer [ size buffersize ] [ channel { channel-number | channel-name } ]
Cancel the configuration of outputting information to trap buffer   undo info-center trapbuffer [ channel | size ]

3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the trap buffer, as well as the information type, information level, and so on.

Perform the following operation in system view:

Table 4-40 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }


modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the trap buffer, channel-number or channel-name must be set to the channel that corresponds to the Console direction.

Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.

Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-41 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }

4.5.8 Sending the Configuration Information to SNMP Network Management

To send configuration information to SNMP NM, follow the steps below:

1) Enabling info-center

Perform the following operation in system view.

Table 4-42 Enabling/disabling info-center

Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable


Note:

Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output of that information.

2) Configuring to output information to SNMP NM

Perform the following operation in system view.

Table 4-43 Configuring to output information to SNMP NM

Operation                                                       Command
Output information to SNMP NM                                   info-center snmp channel { channel-number | channel-name }
Cancel the configuration of outputting information to SNMP NM   undo info-center snmp channel

3) Configuring information source on the switch

With this configuration, you can define which modules generate the information sent to the SNMP NM, as well as the information type, information level, and so on.

Perform the following operation in system view:

Table 4-44 Defining information source

Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default } channel { channel-number | channel-name }

modu-name specifies the module name; default represents all the modules; level refers to the severity level; severity specifies the severity level of the information (information with a level below it will not be output); channel-number specifies the channel number and channel-name specifies the channel name.

When defining the information sent to the SNMP NM, channel-number or channel-name must be set to the channel that corresponds to the Console direction.

Every channel has a default record, whose module name is default and whose module number is 0xffff0000. For different channels, however, the default record may have different default settings for log, trap and debugging. When a module has no specific configuration record in the channel, the default record is used.


Note:

If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch of those modules.

You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.

Perform the following operation in system view:

Table 4-45 Configuring the output format of time-stamp

Operation                                       Command
Configure the output format of the time-stamp   info-center timestamp { log | trap | debugging } { boot | date | none }
Disable time-stamp output                       undo info-center timestamp { log | trap | debugging }

4) Configuring SNMP and the network management workstation on the switch

You have to configure SNMP on both the switch and the remote workstation to ensure that the information is sent correctly to the SNMP NM. Then you can obtain correct information from the network management workstation. For the SNMP configuration on the switch, refer to Chapter 5 SNMP Configuration.

4.5.9 Turn on/off the Information Synchronization Switch in Fabric

After switches that support XRN form a Fabric, the log, debugging and trap information among the switches is synchronized. The synchronization process is as follows: each switch sends its own information to the other switches in the Fabric and at the same time receives the information from the others, and then updates its local information to keep the information consistent within the Fabric.

The switch provides a command line to turn on/off the synchronization switch on every switch. If the synchronization switch of a switch is turned off, that switch does not send information to the other switches but still receives information from them.

1) Enable info-center

Perform the following operation in system view.

Table 4-46 Enable/disable info-center

Operation: Enable info-center
Command: info-center enable

Operation: Disable info-center
Command: undo info-center enable

2) Turn on the information synchronization switch

Perform the following operation in system view.

Table 4-47 Turn on/off the information synchronization switch of every switch

Operation: Turn on the information synchronization switch of the specified switch
Command: info-center switch-on { unit-id | master | all } [ debugging | logging | trapping ]*

Operation: Turn off the information synchronization switch of the specified switch
Command: undo info-center switch-on { unit-id | master | all } [ debugging | logging | trapping ]*

You can turn the synchronization switch for the specified information type on or off on the specified switch as needed.

By default, the log, debugging and trap information synchronization switches are turned on, both on the master of the Fabric and on the other switches.

4.5.10 Displaying and Debugging Info-center

After the above configuration, execute the display commands in any view to view the running state of the info-center and verify the effect of the configuration. Execute the reset commands in user view to clear the statistics of the info-center.

Perform the reset operations in user view; the display commands can be executed in any view.

Table 4-48 Displaying and debugging info-center

Operation: Display the content of an information channel
Command: display channel [ channel-number | channel-name ]

Operation: Display the configuration of the system log and the memory buffer
Command: display info-center

Operation: Clear the information in the memory buffer
Command: reset logbuffer

Operation: Clear the information in the trap buffer
Command: reset trapbuffer

4.5.11 Configuration examples of sending log to Unix loghost

I. Networking Requirement

The networking requirements are as follows:

Send the log information of the switch to a Unix loghost.
The IP address of the loghost is 202.38.1.10.
Information with severity level informational or more severe is sent to the loghost.
The output language is English.
The modules allowed to output information are ARP and IP.

II. Networking diagram

Figure 4-2 Schematic diagram of configuration: Switch, Network, PC (loghost)

III. Configuration steps

(1) Configuration on the switch

# Enable info-center

[Quidway] info-center enable

# Set the host with IP address 202.38.1.10 as the loghost with facility local4, set the severity threshold to informational, set the output language to English, and allow only the ARP and IP modules to output information.

[Quidway] info-center loghost 202.38.1.10 facility local4 language english

[Quidway] info-center source arp channel loghost log level informational

[Quidway] info-center source ip channel loghost log level informational

(2)Configuration on the loghost

This configuration is performed on the loghost. The following example is performed on SunOS 4.0; the operation on Unix operating systems from other vendors is generally the same.

Step 1: Perform the following command as the super user (root).

# mkdir /var/log/Quidway

# touch /var/log/Quidway/information

Step 2: Edit the file /etc/syslog.conf as the super user (root) and add the following selector/action pair.

# Quidway configuration messages

local4.info /var/log/Quidway/information

Note:

Note the following points when editing /etc/syslog.conf:
1) A comment must occupy a line of its own and start with the character #.
2) The separator between selector and action must be a tab, not a space.
3) No trailing space is allowed after the file name.
4) The facility (local4 here) and the minimum severity specified in /etc/syslog.conf must be consistent with the info-center loghost and info-center loghost a.b.c.d facility configuration on the switch; otherwise the log information probably cannot be written to the loghost correctly.

Step 3: After creating the log file and revising /etc/syslog.conf, send a HUP signal to syslogd (the system daemon) with the following commands so that syslogd rereads its configuration file /etc/syslog.conf.

# ps -ae | grep syslogd

147

# kill -HUP 147

After the above operation, the switch system can record information in related log files.

Note:

By combining facility, severity, filters and the syslog.conf file, you can classify and filter the information in great detail.

4.5.12 Configuration examples of sending log to Linux loghost

I. Networking Requirement

The networking requirements are as follows:

Send the log information of the switch to a Linux loghost.
The IP address of the loghost is 202.38.1.10.
Information with severity level informational or more severe is sent to the loghost.
The output language is English.
All modules are allowed to output information.

II. Networking diagram

Figure 4-3 Schematic diagram of configuration: Switch, Network, PC (loghost)

III. Configuration steps

(1) Configuration on the switch

# Enable info-center

[Quidway] info-center enable

# Set the host with IP address 202.38.1.10 as the loghost with facility local7, set the severity threshold to informational, set the output language to English, and allow all modules to output information.

[Quidway] info-center loghost 202.38.1.10 facility local7 language english

[Quidway] info-center source default channel loghost log level informational

(2)Configuration on the loghost

This configuration is performed on the loghost.

Step 1: Perform the following command as the super user (root).

# mkdir /var/log/Quidway

# touch /var/log/Quidway/information

Step 2: Edit the file /etc/syslog.conf as the super user (root) and add the following selector/action pair.

# Quidway configuration messages

local7.info /var/log/Quidway/information

Note:

Note the following points when editing /etc/syslog.conf:
1) A comment must occupy a line of its own and start with the character #.
2) The separator between selector and action must be a tab, not a space.
3) No trailing space is allowed after the file name.
4) The facility (local7 here) and the minimum severity specified in /etc/syslog.conf must be consistent with the info-center loghost and info-center loghost a.b.c.d facility configuration on the switch; otherwise the log information probably cannot be written to the loghost correctly.

Step 3: After creating the log file and revising /etc/syslog.conf, find the process ID of syslogd (the system daemon) with the following command, kill the syslogd daemon, and start syslogd again with the -r option.

# ps -ae | grep syslogd

147

# kill -9 147

# syslogd -r &

Note:

For a Linux loghost, syslogd must be started with the -r option; without it, syslogd does not accept messages from the network. Because -r makes syslogd accept UDP port 514 from any host, restrict that port to the address of the switch with a host firewall.

After the above operation, the switch system can record information in related log files.

Note:

By combining facility, severity, filters and the syslog.conf file, you can classify and filter the information in great detail.
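Both loghost configurations above depend on the facility the switch sends (local4 in the SunOS example, local7 in the Linux example) matching the selector in /etc/syslog.conf. The following Python routine, added here as an illustration and not part of the manual, decodes the PRI field of BSD syslog lines the way syslogd does and applies a selector such as local4.info to them; the sample lines are constructed and their message text is invented, not real switch output.

```python
"""Decode the BSD syslog PRI field and apply syslog.conf-style selectors.

Added example: mirrors how syslogd routes what the switch sends with
'info-center loghost ... facility local4' to a 'local4.info' selector.
The sample lines below are constructed; they are not real switch output.
"""
import re

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) from the leading <PRI> of a line.

    PRI = facility * 8 + severity (RFC 3164). Lines without a valid PRI are
    rejected here rather than silently treated as user.notice.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = pri >> 3, pri & 7
    if facility not in FACILITY_NAMES:
        raise ValueError("unknown facility %d" % facility)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


def selector_matches(selector, line):
    """True if a syslog.conf selector such as 'local4.info' accepts the line.

    As in syslogd, the level in a selector means 'that severity or more severe',
    so local4.info keeps err (3) but drops debug (7). '*' matches any facility.
    """
    fac_sel, sev_sel = selector.split(".", 1)
    facility, severity = decode_pri(line)
    if fac_sel != "*" and fac_sel != facility:
        return False
    return SEVERITY_NAMES.index(severity) <= SEVERITY_NAMES.index(sev_sel)


def route(lines, rules):
    """Apply ordered (selector, action_file) rules; return {action_file: [lines]}.

    A line is written to every file whose selector matches, exactly as
    syslogd does when several selector/action pairs apply.
    """
    out = {action: [] for _, action in rules}
    for line in lines:
        for selector, action in rules:
            if selector_matches(selector, line):
                out[action].append(line)
    return out


# Constructed sample lines; PRI = facility*8 + severity (local4 = 20, local7 = 23).
SAMPLE_LINES = [
    "<166>Jan  1 00:00:01 Quidway ARP/6/INFO: ARP entry learned",        # local4.info
    "<163>Jan  1 00:00:02 Quidway IP/3/ERR: interface down",              # local4.err
    "<167>Jan  1 00:00:03 Quidway ARP/7/DEBUG: debug output",             # local4.debug
    "<190>Jan  1 00:00:04 Quidway IP/6/INFO: sent with facility local7",  # local7.info
]

# The selector/action pair from the SunOS example above.
RULES = [("local4.info", "/var/log/Quidway/information")]

if __name__ == "__main__":
    for path, kept in route(SAMPLE_LINES, RULES).items():
        print(path)
        for entry in kept:
            print("   ", entry)
```

The fourth sample line is what the loghost sees when the switch is configured with facility local7 while syslog.conf still selects local4: it is silently dropped, which is the mismatch point 4 of the note warns about.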

4.5.13 Configuration examples of sending log to console terminal

I. Networking Requirement

The networking requirements are as follows:

Send the log information of the switch to the console terminal.
Information with severity level informational or more severe is sent to the console terminal.
The output language is English.
The modules allowed to output information are ARP and IP.

II. Networking diagram

Figure 4-4 Schematic diagram of configuration: PC connected to the console port of the Switch

III. Configuration steps

(1) Configuration on the switch

# Enable info-center

[Quidway] info-center enable

# Configure log output to the console terminal; allow the ARP and IP modules to output information; restrict the severity level to the range emergencies to informational.

[Quidway] info-center console channel console

[Quidway] info-center source arp channel console log level informational

[Quidway] info-center source ip channel console log level informational

# Enable the terminal display function

<Quidway> terminal logging

Chapter 5 SNMP Configuration

5.1 SNMP Overview

So far, the Simple Network Management Protocol (SNMP) has gained the most extensive application in computer networks. It has been put into use and widely accepted as a de facto industry standard. It is used to transmit management information between any two nodes, so that network administrators can easily retrieve and modify the information on any node of the network, locate faults promptly, and perform fault diagnosis, capacity planning and report generation. SNMP adopts a polling mechanism and provides only a basic function set, which makes it most applicable to small, fast and low-cost environments. It requires only the connectionless transport protocol UDP and is therefore widely supported by many products.

In terms of structure, SNMP is divided into two parts: the Network Management Station (NMS) and the Agent. The NMS is the workstation running the client program; commonly used NM platforms include Sun NetManager and IBM NetView. The Agent is the server software running on the network device. The NMS sends GetRequest, GetNextRequest and SetRequest messages to the Agent. On receiving a request, the Agent performs the Read or Write operation according to the message type, then generates and returns a Response message to the NMS. In addition, the Agent sends Trap messages to the NMS on its own initiative to report events such as a new device being found or a restart.

5.2 SNMP Versions and Supported MIB

To uniquely identify the management variables of a device in SNMP messages, SNMP adopts the hierarchical naming scheme to identify the managed objects. It is like a tree. A tree node represents a managed object, as shown in the figure below. Thus the object can be identified with the unique path starting from the root.

Figure 5-1 Architecture of the MIB tree (root node A; node B is reached along the path 1.2.1.1)

The MIB (Management Information Base) describes the hierarchical architecture of the tree and is the set of standard variables defined for the monitored network device. In the above figure, the managed object B is uniquely specified by the string of numbers {1.2.1.1}; this number string is the Object Identifier (OID) of the managed object.

The current SNMP Agent of Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table.

Table 5-1 MIBs supported by the Ethernet Switch

Public MIB:
MIB II based on TCP/IP network device: RFC1213
BRIDGE MIB: RFC1493, RFC2675
RIP MIB: RFC1724
RMON MIB: RFC2819
Ethernet MIB: RFC2665
OSPF MIB: RFC1253
IF MIB: RFC1573

Private MIB:
DHCP MIB
QACL MIB
ADBM MIB
RSTP MIB
VLAN MIB
Device management
Interface management

5.3 Configure SNMP

The main configuration of SNMP includes:

Set community name
Set the method of identifying and contacting the administrator
Enable/disable the SNMP agent to send traps
Set the destination address of traps
Set sysLocation
Set the engine ID of a local or remote device
Set/delete an SNMP group
Set the source address of traps
Add/delete a user to/from an SNMP group
Create/update view information or delete a view
Set the size of SNMP packets sent/received by an agent

5.3.1 Set Community Name

SNMP V1 and SNMP V2C use the community name authentication scheme. An SNMP message whose community name does not match one accepted by the device is discarded. An SNMP community is named by a character string, the community name. A community can have read-only or read-write access: a read-only community can only query the device information, whereas a read-write community can also configure the device. The community name travels in clear text in every SNMP V1/V2C message, so treat a read-write community name like a device password and use the acl option to restrict the source addresses that may use it.

You can use the following commands to set the community name.

Perform the following configuration in system view.

Table 5-2 Set community name

Operation: Set the community name and the access authority
Command: snmp-agent community { read | write } community-name [ [ mib-view view-name ] [ acl acl-list ] ]

Operation: Remove the community name and the access authority
Command: undo snmp-agent community community-name
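To make concrete what "community name authentication" means on the wire, here is an added example (not from the manual or the switch software): a minimal BER encoder that builds an SNMP V1/V2C GetRequest for sysContact.0, and a decoder that pulls the community name back out of the raw bytes the way a packet sniffer on the management segment would. The community public, the request-id and the OID are chosen for the example.

```python
"""Build an SNMPv2c GetRequest and read the community back from the bytes.

Added example, not from the manual or the switch software: a minimal BER
encoder/decoder showing why an SNMP V1/V2C community name is a clear-text
password. The community 'public', the request-id and the OID (sysContact.0)
are chosen for the example.
"""


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def ber_int(value):
    """INTEGER in the minimal two's-complement form BER requires (value >= 0)."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs merge into 40*a+b, the rest are base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid, version=1, request_id=1):
    """SNMP GetRequest message; version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")                # { name, NULL }
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)  # GetRequest-PDU
               + _tlv(0x30, varbind))                               # error-status/index = 0
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """Return (version, community) from raw V1/V2C bytes, as a sniffer would.

    Nothing in the message protects this field; that is why the acl option
    on snmp-agent community (and SNMP V3 with authentication) matters.
    """
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    tag, community, _ = _read_tlv(message, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    return int.from_bytes(version, "big", signed=True), community.decode("ascii")


SYS_CONTACT_OID = "1.3.6.1.2.1.1.4.0"

if __name__ == "__main__":
    packet = build_get_request("public", SYS_CONTACT_OID)
    print(packet.hex())
    print(extract_community(packet))
```

The 40-byte packet printed by the block is exactly what the NMS sends for display snmp-agent sys-info contact; the community sits at byte offset 7 in plain ASCII, recoverable by anyone who can see the management VLAN.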

5.3.2 Set the Method of Identifying and Contacting the Administrator

sysContact is a management variable of the system group in MIB II. Its content is the method of identifying and contacting the personnel responsible for the managed device.

You can use the following commands to set the method of identifying and contacting the administrators.

Perform the following configuration in system view.

Table 5-3 Set the method of identifying and contacting the administrator

Operation: Set the method of identifying and contacting the administrator
Command: snmp-agent sys-info contact sysContact

Operation: Restore the default method of identifying and contacting the administrator
Command: undo snmp-agent sys-info contact

5.3.3 Enable/Disable SNMP Agent to Send Trap

The managed device transmits trap without request to the Network Management Station to report some critical and urgent events (such as restart).

You can use the following commands to enable or disable the managed device to transmit trap message.

Perform the following configuration in system view.

Table 5-4 Enable/Disable snmp agent to Send Trap

Operation: Enable sending traps
Command: snmp-agent trap enable [ standard [ authentication ] [ coldstart ] [ linkdown ] [ linkup ] [ warmstart ] | bgp [ backwardtransition ] [ established ] | vrrp [ authfailure | newmaster ] ]

Operation: Disable sending traps
Command: undo snmp-agent trap enable [ standard [ authentication ] [ coldstart ] [ linkdown ] [ linkup ] [ warmstart ] | bgp [ backwardtransition ] [ established ] | vrrp [ authfailure | newmaster ] ]

5.3.4 Set the Destination Address of Trap

You can use the following commands to set or delete the destination address of the trap.

Perform the following configuration in system view.

Table 5-5 Set the destination address of trap

Operation: Set the destination address of traps
Command: snmp-agent target-host trap address udp-domain host-addr [ udp-port udp-port-number ] params securityname community-string [ v1 | v2c | v3 [ authentication | privacy ] ]

Operation: Delete the destination address of traps
Command: undo snmp-agent target-host host-addr securityname community-string

5.3.5 Set Lifetime of Trap Message

You can use the following command to set lifetime of Trap message. Trap message that exists longer than the set lifetime will be dropped.

Perform the following configuration in system view.

Table 5-6 Set the lifetime of Trap message

Operation: Set the lifetime of Trap messages
Command: snmp-agent trap life seconds

Operation: Restore the default lifetime of Trap messages
Command: undo snmp-agent trap life

By default, the lifetime of Trap message is 120 seconds.

5.3.6 Set SysLocation

The sysLocation is a management variable of the MIB system group, used for specifying the location of managed devices.

You can use the following commands to set the sysLocation.

Perform the following configuration in system view.

Table 5-7 Set sysLocation

Operation: Set sysLocation
Command: snmp-agent sys-info location sysLocation

Operation: Restore the default location of the Ethernet switch
Command: undo snmp-agent sys-info location

By default, the sysLocation is specified as “Beijing China”.

5.3.7 Set SNMP Version

You can use the following commands to set the SNMP version.

Perform the following configuration in system view.

Table 5-8 Set SNMP Version

Operation: Set the SNMP version
Command: snmp-agent sys-info version { { v1 | v2c | v3 } * | all }

Operation: Restore the default SNMP version of the Ethernet switch
Command: undo snmp-agent sys-info version { { v1 | v2c | v3 } * | all }

5.3.8 Set the Engine ID of a Local or Remote Device

You can use the following commands to set the engine ID of a local or remote device.

Perform the following configuration in system view.

Table 5-9 Set the engine ID of a local or remote device

Operation: Set the engine ID of the device
Command: snmp-agent local-engineid engineid

Operation: Restore the default engine ID of the device
Command: undo snmp-agent local-engineid

By default, the engine ID is expressed as enterprise No. + device information. The device information can be IP address, MAC address, or user-defined text.

5.3.9 Set/Delete an SNMP Group

You can use the following commands to set or delete an SNMP group.

Perform the following configuration in system view.

Table 5-10 Set/Delete an SNMP Group

Operation: Set an SNMP group (V1 or V2C)
Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]

Operation: Set an SNMP group (V3)
Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]

Operation: Delete an SNMP group (V1 or V2C)
Command: undo snmp-agent group { v1 | v2c } group-name

Operation: Delete an SNMP group (V3)
Command: undo snmp-agent group v3 group-name [ authentication | privacy ]

5.3.10 Set the Source Address of Trap

You can use the following commands to set or remove the source address of the trap.

Perform the following configuration in system view.

Table 5-11 Set the source address of trap

Operation: Set the source address of traps
Command: snmp-agent trap source interface-name interface-num

Operation: Remove the source address of traps
Command: undo snmp-agent trap source

5.3.11 Add/Delete a User to/from an SNMP Group

You can use the following commands to add or delete a user to/from an SNMP group.

Perform the following configuration in system view.

Table 5-12 Add/Delete a user to/from an SNMP group

Operation: Add a user to an SNMP group (V1 or V2C)
Command: snmp-agent usm-user { v1 | v2c } username groupname [ acl acl-list ]

Operation: Add a user to an SNMP group (V3)
Command: snmp-agent usm-user v3 username groupname [ authentication-mode { md5 | sha } authpassstring [ privacy-mode { des56 privpassstring } ] ] [ acl acl-list ]

Operation: Delete a user from an SNMP group (V1 or V2C)
Command: undo snmp-agent usm-user { v1 | v2c } username groupname

Operation: Delete a user from an SNMP group (V3)
Command: undo snmp-agent usm-user v3 username groupname { local | engineid engine-id }

5.3.12 Create/Update View Information or Deleting a View

You can use the following commands to create, update the information of views or delete a view.

Perform the following configuration in system view.

Table 5-13 Create/Update view information or deleting a view

Operation: Create/update view information
Command: snmp-agent mib-view { included | excluded } view-name oid-tree

Operation: Delete a view
Command: undo snmp-agent mib-view view-name
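A view is a list of included and excluded OID subtrees, and the OID naming scheme of 5.2 is what makes subtree matching possible. The following Python model, added here as an illustration and not the switch's own implementation, shows how an agent decides whether a requested OID is visible through a view built with snmp-agent mib-view: among the configured subtrees that cover the OID, the longest one decides (the VACM rule of RFC 3415, with family masks left out). The view named internet follows the configuration example in 5.5; the two usmStats/usmUser subtrees are an assumed tightening chosen for this example.

```python
"""Decide whether an OID is visible through an SNMP MIB view.

Added example, not the switch's own implementation: it models the effect of
'snmp-agent mib-view { included | excluded } view-name oid-tree' with the VACM
rule that, among the subtrees covering an OID, the longest one decides
(RFC 3415, family masks omitted). The view contents are chosen for the example.
"""


def parse_oid(text):
    """'1.3.6.1.2.1' (a leading dot is allowed) -> (1, 3, 6, 1, 2, 1)."""
    arcs = tuple(int(a) for a in text.strip().strip(".").split("."))
    if not arcs or any(a < 0 for a in arcs):
        raise ValueError("bad OID: %r" % text)
    return arcs


def is_subtree_of(subtree, oid):
    """True if oid lies under subtree (or equals it)."""
    return len(oid) >= len(subtree) and oid[:len(subtree)] == subtree


class MibView:
    """An ordered set of included/excluded subtrees, like one view-name."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # list of (subtree_tuple, "included" | "excluded")

    def included(self, oid_tree):
        """Same effect as: snmp-agent mib-view included <name> <oid_tree>."""
        self.entries.append((parse_oid(oid_tree), "included"))
        return self

    def excluded(self, oid_tree):
        """Same effect as: snmp-agent mib-view excluded <name> <oid_tree>."""
        self.entries.append((parse_oid(oid_tree), "excluded"))
        return self

    def contains(self, oid_text):
        """Longest matching subtree wins; no matching subtree means not visible."""
        oid = parse_oid(oid_text)
        best = None
        for subtree, kind in self.entries:
            if is_subtree_of(subtree, oid) and (best is None or len(subtree) > len(best[0])):
                best = (subtree, kind)
        return best is not None and best[1] == "included"

    def visible(self, oid_texts):
        """Return only the OIDs an agent would answer for this view."""
        return [o for o in oid_texts if self.contains(o)]


def build_read_view():
    """A view in the shape of the manual's 'internet' view, tightened (assumed policy).

    The USM subtrees are added here so that a read-only community cannot walk
    the SNMP V3 user table (usmUserTable) while the usmStats counters stay
    readable; they are not part of the manual's example.
    """
    return (MibView("internet")
            .included("1.3.6.1")              # internet, as in the manual
            .excluded("1.3.6.1.6.3.15")       # snmpUsmMIB: hides usmUserTable
            .included("1.3.6.1.6.3.15.1.1"))  # usmStats: counters only


# Constructed request OIDs for the demonstration.
SAMPLE_OIDS = [
    "1.3.6.1.2.1.1.4.0",         # sysContact.0
    "1.3.6.1.6.3.15.1.1.1.0",    # usmStatsUnsupportedSecLevels.0
    "1.3.6.1.6.3.15.1.2.2.1.3",  # usmUserSecurityName column
    "1.3.6.2.1",                 # outside the internet subtree
]

if __name__ == "__main__":
    view = build_read_view()
    for oid in SAMPLE_OIDS:
        print(oid, "visible" if view.contains(oid) else "hidden")
```

Attach such a view to a community with the mib-view option of snmp-agent community, or to a group with read-view/write-view; the important property shown by the third sample OID is that an excluded subtree hides everything under it even though its parent is included.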

5.3.13 Set the Size of SNMP Packet Sent/Received by an Agent

You can use the following commands to set the size of SNMP packet sent/received by an agent.

Perform the following configuration in system view.

Table 5-14 Set the size of SNMP packet sent/received by an agent

Operation: Set the size of SNMP packets sent/received by an agent
Command: snmp-agent packet max-size byte-count

Operation: Restore the default size of SNMP packets sent/received by an agent
Command: undo snmp-agent packet max-size

The agent can receive/send the SNMP packets of the sizes ranging from 484 to 17940, measured in bytes. By default, the size of SNMP packet is 1500 bytes.

5.3.14 Disable SNMP Agent

To disable the SNMP agent, perform the following configuration in system view.

Table 5-15 Disable snmp agent

Operation: Disable the SNMP agent
Command: undo snmp-agent

If you disable the SNMP agent, it is enabled again by any snmp-agent command configured thereafter.

5.4 Display and Debug SNMP

After the above configuration, execute the display commands in any view to display the running state of the SNMP configuration and verify its effect. Execute the debugging commands in user view to debug SNMP.

Table 5-16 Display and debug SNMP

Operation: Display the statistics information about SNMP packets
Command: display snmp-agent statistics

Operation: Display the engine ID of the active device
Command: display snmp-agent { local-engineid | remote-engineid }

Operation: Display the group name, the security mode, the states of all types of views and the storage mode of each group on the switch
Command: display snmp-agent group [ group-name ]

Operation: Display the names of all users in the group user table
Command: display snmp-agent usm-user [ engineid engineid ] [ group groupname ] [ username username ]

Operation: Display the current community names
Command: display snmp-agent community [ read | write ]

Operation: Display the current MIB views
Command: display snmp-agent mib-view [ exclude | include | { viewname mib-view } ]

Operation: Display the contact character string of the system
Command: display snmp-agent sys-info contact

Operation: Display the location character string of the system
Command: display snmp-agent sys-info location

Operation: Display the version character string of the system
Command: display snmp-agent sys-info version

5.5 SNMP Configuration Example

I. Networking requirements

The Network Management Station and the Ethernet switch are connected via Ethernet. The IP address of the Network Management Station is 129.102.149.23 and that of the VLAN interface on the switch is 129.102.0.1. Perform the following configurations on the switch: set the community name and access authority, the administrator ID, contact and switch location, and enable the switch to send trap packets.

II. Networking diagram

Figure 5-2 SNMP configuration example: Switch (129.102.0.1) and NMS (129.102.149.23) on the same Ethernet

III. Configuration procedure

# Enter the system view.

<Quidway> system-view

# Set the SNMP version, the community name, the MIB view, the group name and the user (the keywords are written in the full form documented in the tables above).

[Quidway] snmp-agent sys-info version all

[Quidway] snmp-agent community write public

[Quidway] snmp-agent mib-view included internet 1.3.6.1

[Quidway] snmp-agent group v3 managev3group write-view internet

[Quidway] snmp-agent usm-user v3 managev3user managev3group

# Use VLAN interface 2 as the network management interface: add port Ethernet 0/3 to VLAN 2 (this port will be used for network management) and set the IP address of VLAN interface 2 to 129.102.0.1.

[Quidway] vlan 2

[Quidway-vlan2] port ethernet 0/3

[Quidway-vlan2] interface vlan 2

[Quidway-Vlan-interface2] ip address 129.102.0.1 255.255.255.0

# Set the administrator ID, contact and the physical location of the Ethernet switch.

[Quidway] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Quidway] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable the SNMP agent to send traps to the Network Management Station at IP address 129.102.149.23. The SNMP community is public.

[Quidway] snmp-agent trap enable standard authentication

[Quidway] snmp-agent trap enable standard coldstart

[Quidway] snmp-agent trap enable standard linkup

[Quidway] snmp-agent trap enable standard linkdown

[Quidway] snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public

IV. Configure Network Management System

The Ethernet Switch supports Huawei’s iManager Quidview NMS. Users can query and configure the Ethernet switch through the network management system. For more about it, refer to the manuals of Huawei’s NM products.

Chapter 6 RMON Configuration

6.1 RMON Overview

Remote Network Monitoring (RMON) is an IETF-defined MIB and the most important enhancement to the MIB II standard. It is mainly used to monitor the data traffic on a segment or even on a whole network, and is one of the most widely used network management standards today.

RMON is implemented entirely on the SNMP architecture (one of its outstanding advantages) and is compatible with the existing SNMP framework, so no protocol adjustment is necessary. RMON consists of the NMS and the Agent running on the network devices. On a network monitor or probe, the RMON Agent tracks and counts traffic information on the segment connected to its port, such as the total number of packets on the segment in a period of time or the number of correct packets sent to a host. RMON lets SNMP monitor remote network devices more actively and effectively, providing an efficient means of monitoring subnet operation. RMON also reduces the traffic between the NMS and the agent, which facilitates effective management of large interconnected networks.

RMON allows multiple monitors. It can collect data in two ways.

One is to collect data with a special RMON probe. NMS directly obtains the management information from the RMON probe and controls the network resource. In this way, it can obtain all the information of RMON MIB

The other way is to embed the RMON Agent directly in the network devices (routers, switches, hubs, etc.), so that the devices themselves gain the RMON probe function. The RMON NMS then uses basic SNMP commands to exchange data with the SNMP Agent and collect NM information. Limited by device resources, however, normally not all the data in the RMON MIB can be obtained this way; in most cases only four groups are collected: alarm, event, history and statistics, which are the groups configured in 6.2 below.

The Ethernet Switch currently implements RMON in the second way. With the RMON-capable SNMP Agent running on the network monitor, the NMS can obtain such information as the overall traffic on the segment connected to the managed device port, error statistics and performance statistics, thereby managing the network (generally remotely).

6.2 Configure RMON

RMON configuration includes:

Add/delete an entry to/from the alarm table
Add/delete an entry to/from the event table
Add/delete an entry to/from the history control table
Add/delete an entry to/from the extended RMON alarm table
Add/delete an entry to/from the statistics table

6.2.1 Add/Delete an Entry to/from the Alarm Table

RMON alarm management can monitor the specified alarm variables such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm event will be generated. Generally, the event will be recorded in the device log table and a Trap message will be sent to NMS. The events are defined in the event management. The alarm management includes browsing, adding and deleting the alarm entries.

You can use the following commands to add/delete an entry to/from the alarm table.

Perform the following configuration in system view.

Table 6-1 Add/Delete an entry to/from the alarm table

Operation: Add an entry to the alarm table
Command: rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ]

Operation: Delete an entry from the alarm table
Command: undo rmon alarm entry-number
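The rising and falling thresholds of an alarm entry are not two independent triggers: once the rising event has fired, no further rising event fires until the sampled value has come back down to the falling threshold, and vice versa (the RFC 2819 alarm semantics, which keep a counter hovering around a threshold from flooding the NMS with traps). The following Python simulation, added here as an illustration and not the switch's firmware, reproduces that behaviour for both the delta and absolute sampling types; the sampling interval itself is not simulated, the caller simply feeds one reading per interval, and the counter readings are constructed values for a hypothetical port error counter.

```python
"""Simulate an RMON alarm-table entry with rising/falling hysteresis.

Added example, not firmware code: it reproduces the RFC 2819 alarm semantics
behind 'rmon alarm entry-number alarm-variable sampling-time { delta | absolute }
rising-threshold ... falling-threshold ...'. The counter readings below are
constructed samples of a hypothetical port error counter.
"""


class RmonAlarm:
    """One alarmTable row: samples a variable and fires event entries."""

    def __init__(self, entry, sample_type, rising_threshold, rising_event,
                 falling_threshold, falling_event):
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        if falling_threshold > rising_threshold:      # sanity guard for this example
            raise ValueError("falling-threshold must not exceed rising-threshold")
        self.entry = entry
        self.sample_type = sample_type
        self.rising_threshold = rising_threshold
        self.rising_event = rising_event
        self.falling_threshold = falling_threshold
        self.falling_event = falling_event
        self.last_value = None
        # 'both' models startupAlarm = risingOrFalling: either threshold may fire first.
        self.armed = "both"

    def sample(self, value):
        """Feed one reading; return the event entry number to trigger, or None.

        After a rising event no further rising event fires until the observed
        value has dropped to the falling threshold (and vice versa).
        """
        if self.sample_type == "delta":
            if self.last_value is None:      # the first reading only sets the baseline
                self.last_value = value
                return None
            observed, self.last_value = value - self.last_value, value
        else:
            observed = value

        if observed >= self.rising_threshold and self.armed in ("both", "rising"):
            self.armed = "falling"
            return self.rising_event
        if observed <= self.falling_threshold and self.armed in ("both", "falling"):
            self.armed = "rising"
            return self.falling_event
        return None


def run_alarm(alarm, samples):
    """Return the event (entry number or None) produced by each reading in turn."""
    return [alarm.sample(v) for v in samples]


# Constructed cumulative error-counter readings, one per sampling interval.
ERROR_COUNTER_SAMPLES = [0, 5, 30, 80, 85, 86, 120]

if __name__ == "__main__":
    # Corresponds to: rmon alarm 1 <counter-oid> 10 delta
    #                 rising-threshold 20 1 falling-threshold 5 2
    alarm = RmonAlarm(1, "delta", rising_threshold=20, rising_event=1,
                      falling_threshold=5, falling_event=2)
    for value, event in zip(ERROR_COUNTER_SAMPLES, run_alarm(alarm, ERROR_COUNTER_SAMPLES)):
        print("reading %4d -> %s" % (value, "event %d" % event if event else "no event"))
```

With the delta entry above, the jump from 30 to 80 (a delta of 50, well above 20) produces no second rising event because the falling threshold has not been reached since the first one; only after the delta of 5 at reading 85 re-arms the rising side does the delta of 34 at reading 120 fire again.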

6.2.2 Add/Delete an Entry to/from the Event Table

RMON event management defines the event ID and the handling of the event by keeping logs, sending Trap messages to NMS or performing the both at the same time.

You can use the following commands to add/delete an entry to/from the event table.

Perform the following configuration in system view.

Table 6-2 Add/Delete an entry to/from the event table

Operation: Add an entry to the event table
Command: rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner rmon-station ]

Operation: Delete an entry from the event table
Command: undo rmon event event-entry

6.2.3 Add/Delete an Entry to/from the History Control Table

The history data management helps you set the history data collection, periodical data collection and storage of the specified ports. The sampling information includes the utilization ratio, error counts and total number of packets.

You can use the following commands to add/delete an entry to/from the history control table.

Perform the following configuration in Ethernet port view.

Table 6-3 Add/Delete an entry to/from the history control table

Operation: Add an entry to the history control table
Command: rmon history entry-number buckets number interval sampling-interval [ owner text-string ]

Operation: Delete an entry from the history control table
Command: undo rmon history entry-number

6.2.4 Add/Delete an Entry to/from the Extended RMON Alarm Table

You can use the following commands to add/delete an entry to/from the extended RMON alarm table.

Perform the following configuration in system view.

Table 6-4 Add/Delete an entry to/from the extended RMON alarm table

Operation: Add an entry to the extended RMON alarm table
Command: rmon prialarm entry-number alarm-var [ alarm-des ] sampling-timer { delta | absolute | changeratio } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]

Operation: Delete an entry from the extended RMON alarm table
Command: undo rmon prialarm entry-number

6.2.5 Add/Delete an Entry to/from the Statistics Table

The RMON statistics management concerns the port usage monitoring and error statistics when using the ports. The statistics include collision, CRC and queuing, undersize packets or oversize packets, timeout transmission, fragments, broadcast, multicast and unicast messages and the usage ratio of bandwidth.

You can use the following commands to add/delete an entry to/from the statistics table.

Perform the following configuration in Ethernet port view.


Table 6-5 Add/Delete an entry to/from the statistics table

Operation Command

Add an entry to the statistics table. rmon statistics entry-number [ owner text-string ]

Delete an entry from the statistics table. undo rmon statistics entry-number

6.3 Display and Debug RMON

After the above configuration, execute the display command in any view to display the running RMON configuration and verify the effect of the configuration.

Table 6-6 Display and debug RMON

Operation Command

Display the RMON statistics. display rmon statistics [ port-num ]

Display the history information of RMON. display rmon history [ port-num ]

Display the alarm information of RMON. display rmon alarm [ alarm-table-entry ]

Display the extended alarm information of RMON. display rmon prialarm [ prialarm-table-entry ]

Display the RMON event. display rmon event [ event-table-entry ]

Display the event log of RMON. display rmon eventlog [ event-number ]

6.4 RMON Configuration Example

I. Networking requirements

Set an entry in the RMON Ethernet statistics table for the Ethernet port performance, so that network administrators can query it conveniently.


II. Networking diagram

Figure 6-1 RMON configuration networking (diagram: a Switch with a Console Port and a Network Port connected to the Internet)

III. Configuration procedure

# Configure RMON.

[Quidway-Ethernet2/1] rmon statistics 1 owner huawei-rmon

# View the configurations in user view.

<Quidway> display rmon statistics Ethernet 2/1

Statistics entry 1 owned by huawei-rmon is VALID.

Gathers statistics of interface Ethernet2/1. Received:

octets : 270149, packets : 1954

broadcast packets :1570 , multicast packets:365

undersized packets :0 , oversized packets:0

fragments packets :0 , jabbers packets :0

CRC alignment errors:0 , collisions :0

Dropped packet events (due to lack of resources):0

Packets received according to length (in octets):

64 :644 , 65-127 :518 , 128-255 :688

256-511:101 , 512-1023:3 , 1024-1518:0


Chapter 7 NTP Configuration

7.1 Brief Introduction to NTP

7.1.1 NTP Functions

As the network topology grows more complex, it becomes important to synchronize the clocks of the equipment across the whole network. Network Time Protocol (NTP) is the TCP/IP protocol that advertises the accurate time throughout the network.

NTP ensures the consistency of the following applications:

For the increment backup between the backup server and client, NTP ensures the clock synchronization between the two systems.

For multiple systems that coordinate to process a complex event, NTP ensures them to reference the same clock and guarantee the right order of the event.

Guarantee the normal operation of inter-system Remote Procedure Calls (RPC).

Record, for an application, when a user logs in to a system, a file is modified, or some other operation is performed.

7.1.2 Basic Operating Principle of NTP

The following figure illustrates the basic operating principle of NTP:

Figure 7-1 Basic operating principle of NTP (diagram: LS_A and LS_B exchange NTP packets across the network in four steps; the packets carry the timestamps 10:00:00am, 11:00:01am and 11:00:02am, and the reply is received at 10:00:03)


In the figure above, Ethernet Switch A and Ethernet Switch B are connected via their Ethernet ports. They have independent system clocks. Before implementing automatic clock synchronization on both switches, we assume that:

Before synchronizing the system clocks on Ethernet Switch A and B, the clock on Ethernet Switch A is set to 10:00:00am, and that on B is set to 11:00:00am.

Ethernet Switch B serves as an NTP time server. That is, Ethernet Switch A synchronizes the local clock with the clock of B.

It takes 1 second to transmit a data packet from either A or B to the opposite end.

The system clocks are synchronized as follows:

Ethernet Switch A sends an NTP packet to Ethernet Switch B. The packet carries the timestamp 10:00:00am (T1) that tells when it left Ethernet Switch A.

When the NTP packet arrives at Ethernet Switch B, Ethernet Switch B adds a local timestamp 11:00:01am (T2) to it.

When the NTP packet leaves Ethernet Switch B, Ethernet Switch B adds another local timestamp 11:00:02am (T3) to it.

When Ethernet Switch A receives the acknowledgement packet, it adds a new timestamp 10:00:03am (T4) to it.

Now Ethernet Switch A collects enough information to calculate the following two important parameters:

The delay for a round trip of an NTP packet traveling between the Switch A and B: Delay= (T4-T1) - (T3-T2).

Offset of Ethernet Switch A clock relative to Ethernet Switch B clock: offset= ( (T2-T1) + (T3-T4) ) /2.

In this way, Ethernet Switch A uses the above information to set the local clock and synchronize it with the clock on Ethernet Switch B.

The operating principle of NTP is briefly introduced above. For details, refer to RFC1305.
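The four-timestamp exchange above, carried through with the figure's values, as an added worked example in Python (this is not code from the manual; the helpers hms, ntp_delay_offset, simulate_exchange and the asymmetric-path scenario are ours). It goes one step beyond the text by showing what happens when the two directions of the path do not take the same time, which the delay/offset formulas silently assume they do.

```python
"""Worked NTP delay/offset computation for Figure 7-1 (added example, not manual code).

Times are seconds since midnight; the two clocks are one hour apart, as in the figure.
"""


def hms(text):
    """Seconds since midnight for a 24-hour 'HH:MM:SS' string."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def fmt_hms(seconds):
    """Inverse of hms(), wrapping at 24 hours."""
    seconds = int(round(seconds)) % 86400
    return "%02d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)


def ntp_delay_offset(t1, t2, t3, t4):
    """Return (delay, offset) in seconds, exactly as the manual defines them.

    t1: client transmit time (client clock)      t2: server receive time (server clock)
    t3: server transmit time (server clock)      t4: client receive time (client clock)
      Delay  = (T4 - T1) - (T3 - T2)
      Offset = ((T2 - T1) + (T3 - T4)) / 2
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def simulate_exchange(client_clock, server_clock, out_delay, back_delay, server_hold):
    """Constructed scenario: both clock readings at the instant T1 is taken, the one-way
    delays in each direction and the time the server holds the packet. Returns T1..T4."""
    t1 = client_clock
    t2 = server_clock + out_delay
    t3 = t2 + server_hold
    t4 = client_clock + out_delay + server_hold + back_delay
    return t1, t2, t3, t4


def figure_7_1():
    """Figure 7-1: A at 10:00:00, B at 11:00:00, 1 s each way, 1 s in B."""
    stamps = simulate_exchange(hms("10:00:00"), hms("11:00:00"), 1, 1, 1)
    return ntp_delay_offset(*stamps)          # (2, 3600.0): 2 s round trip, B is 1 h ahead


def synchronized_local_time():
    """Clock A after applying the offset at the moment T4 is taken."""
    t1, t2, t3, t4 = simulate_exchange(hms("10:00:00"), hms("11:00:00"), 1, 1, 1)
    _, offset = ntp_delay_offset(t1, t2, t3, t4)
    return fmt_hms(t4 + offset)               # "11:00:03", B's reading at that instant


def asymmetric_path():
    """Same clocks, but 0 s out and 2 s back: the round trip is unchanged, yet the
    offset is wrong by half the asymmetry, and nothing in T1..T4 reveals it."""
    stamps = simulate_exchange(hms("10:00:00"), hms("11:00:00"), 0, 2, 1)
    return ntp_delay_offset(*stamps)          # (2, 3599.0)


if __name__ == "__main__":
    print("figure 7-1  delay/offset:", figure_7_1())
    print("A after sync          :", synchronized_local_time())
    print("asymmetric delay/offset:", asymmetric_path())
```

The asymmetric case is the practical caveat: the computed delay is identical to the symmetric case, so the client cannot detect the 1 s error in the offset from a single exchange. This is why a clock should be taken from several exchanges over a stable path rather than from one sample.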

7.2 NTP Configuration

NTP is used for time synchronization throughout a network. NTP configuration tasks include:

Configure NTP operating mode

Configure NTP ID authentication

Set NTP authentication key

Set the specified key to be reliable

Set a local interface for transmitting NTP packets

Set an external reference clock or the local clock as the master NTP clock

Enable/Disable an interface to receive NTP packets

Set control authority to access the local Ethernet Switch service


Set maximum local sessions

7.2.1 Configure NTP Operating Mode

S3026 and S2403H Ethernet Switches can only serve as NTP clients, not as NTP servers.

You can set the NTP operating mode of an Ethernet Switch according to its location in the network and the network structure. For example, you can set a remote server as the time server of the local equipment; in this case the local Ethernet Switch works as an NTP client. If you set a remote server as a peer of the local Ethernet Switch, the local equipment operates in symmetric active mode. If you configure an interface on the local Ethernet Switch to transmit NTP broadcast packets, the local Ethernet Switch operates in broadcast mode; if you configure an interface to receive NTP broadcast packets, it operates in broadcast client mode. If you configure an interface on the local Ethernet Switch to transmit NTP multicast packets, the local Ethernet Switch operates in multicast mode; if you configure an interface to receive NTP multicast packets, it operates in multicast client mode.

Configure NTP server mode

Configure NTP peer mode

Configure NTP broadcast server mode

Configure NTP broadcast client mode

Configure NTP multicast server mode

Configure NTP multicast client mode

I. Configure NTP Server Mode

Set a remote server whose IP address is ip-address as the local time server. ip-address specifies a host address other than a broadcast, multicast or reference clock IP address. In this case, the local Ethernet Switch operates in client mode. In this mode, only the local client synchronizes its clock with the clock of the remote server; the reverse synchronization does not happen.

Perform the following configurations in system view.

Table 7-1 Configure NTP time server

Operation Command

Configure NTP time server ntp-service unicast-server ip-address [ version number ] [ authentication-keyid keyid ] [ source-interface { interface-name | interface-type interface-number } ] [ priority ]

Cancel NTP server mode undo ntp-service unicast-server ip-address

NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; interface-name or interface-type interface-number specifies the interface whose IP address is used as the source IP address of the NTP packets sent from the local Ethernet Switch to the time server; priority indicates that this time server is the first choice.

II. Configure NTP Peer Mode

Set a remote server whose IP address is ip-address as the peer of the local equipment. In this case, the local equipment operates in symmetric active mode. ip-address specifies a host address other than a broadcast, multicast or reference clock IP address. In this mode, both the local Ethernet Switch and the remote server can synchronize their clocks with the clock of the opposite end.

Perform the following configurations in system view.

Table 7-2 Configure NTP peer mode

Operation Command

Configure NTP peer mode ntp-service unicast-peer ip-address [ version number ] [ authentication-key keyid ] [ source-interface { interface-name | interface-type interface-number } ] [ priority ]

Cancel NTP peer mode undo ntp-service unicast-peer ip-address

NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; interface-name or interface-type interface-number specifies the IP address of an interface, from which the source IP address of the NTP packets sent from the local Ethernet Switch to the peer will be taken; priority indicates the peer will be the first choice for time server.

III. Configure NTP Broadcast Server Mode

Designate an interface on the local Ethernet Switch to transmit NTP broadcast packets. In this case, the local equipment operates in broadcast mode and serves as a broadcast server to broadcast messages to its clients regularly.

Perform the following configurations in VLAN interface view.

Table 7-3 Configure NTP broadcast server mode

Operation Command

Configure NTP broadcast server mode. ntp-service broadcast-server [ authentication-keyid keyid version number ]

Cancel NTP broadcast server mode. undo ntp-service broadcast-server

NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295. This command can only be configured on the interface where the NTP broadcast packets will be transmitted.


IV. Configure NTP Broadcast Client Mode

Designate an interface on the local Ethernet Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Ethernet Switch listens for broadcasts from the server. When it receives the first broadcast packet, it briefly enters client/server mode to exchange messages with the remote server and estimate the network delay. Thereafter, the local Ethernet Switch enters broadcast client mode, continues listening to the broadcast and synchronizes the local clock according to the received broadcast messages.

Perform the following configurations in VLAN interface view.

Table 7-4 Configure NTP broadcast client mode

Operation Command

Configure NTP broadcast client mode. ntp-service broadcast-client

Disable NTP broadcast client mode. undo ntp-service broadcast-client

This command can only be configured on the interface where the NTP broadcast packets will be received.

V. Configure NTP Multicast Server Mode

Designate an interface on the local Ethernet Switch to transmit NTP multicast packets. In this case, the local equipment operates in multicast mode and serves as a multicast server to multicast messages to its clients regularly.

Perform the following configurations in VLAN interface view.

Table 7-5 Configure NTP multicast server mode

Operation Command

Configure NTP multicast server mode ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid ] [ ttl ttl-number ] [ version number ]

Cancel NTP multicast server mode undo ntp-service multicast-server

NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; ttl-number of the multicast packets ranges from 1 to 255; and the multicast IP address defaults to 224.0.1.1.

This command can only be configured on the interface where the NTP multicast packet will be transmitted.


VI. Configure NTP Multicast Client Mode

Designate an interface on the local Ethernet Switch to receive NTP multicast messages and operate in multicast client mode. The local Ethernet Switch listens for multicasts from the server. When it receives the first multicast packet, it briefly enters client/server mode to exchange messages with the remote server and estimate the network delay. Thereafter, the local Ethernet Switch enters multicast client mode, continues listening to the multicast and synchronizes the local clock according to the received multicast messages.

Perform the following configurations in VLAN interface view.

Table 7-6 Configure NTP multicast client mode

Operation Command

Configure NTP multicast client mode. ntp-service multicast-client [ ip-address ]

Cancel NTP multicast client mode. undo ntp-service multicast-client

Multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets will be received.

7.2.2 Configure NTP ID Authentication

Enable NTP authentication, set the MD5 authentication key, and specify the reliable key. A client synchronizes to a server only if the server can provide a reliable key.

Perform the following configurations in system view.

Table 7-7 Configure NTP authentication

Operation Command

Enable NTP authentication. ntp-service authentication enable

Disable NTP authentication. undo ntp-service authentication enable

7.2.3 Set NTP Authentication Key

This configuration task is to set the NTP authentication key.

Perform the following configurations in system view.

Table 7-8 Configure NTP authentication key

Operation Command

Configure NTP authentication key ntp-service authentication-keyid number authentication-mode md5 value

Remove NTP authentication key undo ntp-service authentication-keyid number


Key number number ranges from 1 to 4294967295; the key value contains 1 to 32 ASCII characters.

7.2.4 Set Specified Key as Reliable

This configuration task is to set the specified key as reliable.

Perform the following configurations in system view.

Table 7-9 Set the specified key as reliable

Operation Command

Set the specified key as reliable. ntp-service reliable authentication-keyid key-number

Cancel the specified reliable key. undo ntp-service reliable authentication-keyid key-number

Key number key-number ranges from 1 to 4294967295.

7.2.5 Designate an Interface to Transmit NTP Message

If the local equipment is configured with a designated interface for transmitting NTP messages, all NTP packets it sends carry the same source IP address, taken from the IP address of that interface.

Perform the following configurations in system view.

Table 7-10 Designate an interface to transmit NTP message

Operation Command

Designate an interface to transmit NTP message ntp-service source-interface { interface-name | interface-type interface-number }

Cancel the interface to transmit NTP message undo ntp-service source-interface

An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also designates a transmitting interface, use the one designated by them.

7.2.6 Set NTP Master Clock

This configuration task is to set the external reference clock or the local clock as the NTP master clock.

Perform the following configurations in system view.


Table 7-11 Set the external reference clock or the local clock as the NTP master clock

Operation Command

Set the external reference clock or the local clock as the NTP master clock. ntp-service refclock-master [ ip-address ] [ stratum ]

Cancel the NTP master clock settings. undo ntp-service refclock-master [ ip-address ]

ip-address specifies the IP address 127.127.t.u of a reference clock, in which t ranges from 0 to 37 and u from 0 to 3. stratum specifies the stratum of the local clock and ranges from 1 to 15. If no IP address is specified, the system sets the local clock as the NTP master clock by default; the stratum parameter can still be specified.

7.2.7 Enable/Disable an Interface to Receive NTP Message

This configuration task is to enable/disable an interface to receive NTP message.

Perform the following configurations in VLAN interface view.

Table 7-12 Enable/Disable an interface to receive NTP message

Operation Command

Disable an interface to receive NTP message. ntp-service in-interface disable

Enable an interface to receive NTP message. undo ntp-service in-interface disable

Perform this configuration task on the interface that is to be disabled from receiving NTP messages.

7.2.8 Set Authority to Access a Local Ethernet Switch

Set the authority to access the NTP services on the local Ethernet Switch. Compared with authentication, this is a basic and simple security measure. An access request is matched against peer, serve, serve only and query only, in ascending order of restriction, and the first matching authority is granted.

Perform the following configurations in system view.

Table 7-13 Set authority to access a local Ethernet switch

Operation Command

Set authority to access a local Ethernet switch. ntp-service access { query | synchronization | serve | peer } acl-number

Cancel settings of the authority to access a local Ethernet switch. undo ntp-service access { query | synchronization | serve | peer }

The IP address ACL number is specified through the acl-number parameter and ranges from 2000 to 2999. The meanings of the authority levels are as follows:


query: Allow control query for the local NTP service only.

synchronization: Allow request for local NTP time service only.

serve: Allow local NTP time service request and control query. However, the local clock will not be synchronized by a remote server.

peer: Allow local NTP time service request and control query. And the local clock will also be synchronized by a remote server.

7.2.9 Set Maximum Local Sessions

This configuration task is to set the maximum local sessions.

Perform the following configurations in system view.

Table 7-14 Set the maximum local sessions

Operation Command

Set the maximum local sessions. ntp-service max-dynamic-sessions number

Resume the default maximum number of local sessions. undo ntp-service max-dynamic-sessions

number specifies the maximum number of local sessions, ranges from 0 to 100, and defaults to 100.

7.3 NTP Display and Debugging

After completing the above configurations, you can use the display command to show how NTP runs and verify the configurations according to the outputs.

In user view, you can use the debugging command to debug NTP.

Table 7-15 NTP display and debugging

Operation Command

Display the status of NTP service. display ntp-service status

Display the status of sessions maintained by NTP service. display ntp-service sessions [ verbose ]

Display brief information about every NTP time server on the way from the local equipment to the reference clock source. display ntp-service trace

Enable NTP debugging. debugging ntp-service

7.4 Typical NTP Configuration Example

I. Configure NTP server

1) Network requirements


On Quidway1, set the local clock as the NTP master clock at stratum 2. On Quidway2, configure Quidway1 as the time server in server mode and set the local equipment in client mode.

2) Networking diagram

Figure 7-2 Typical NTP configuration networking diagram (diagram: Quidway0 to Quidway5; Vlan-interface2 addresses 1.0.1.11, 1.0.1.12, 3.0.1.31, 3.0.1.32 and 3.0.1.33; the addresses 1.0.1.2 and 3.0.1.2 also appear)

3) Configuration procedure

Configure Ethernet Switch Quidway1:

# Enter system view.

<Quidway1> system-view

# Set the local clock as the NTP master clock at stratum 2.

[Quidway1] ntp-service refclock-master 2

Configure Ethernet Switch Quidway2:

# Enter system view.

<Quidway2> system-view

# Set Quidway1 as the NTP server.

[Quidway2] ntp-service unicast-server 1.0.1.11

The above configuration synchronizes Quidway2 by Quidway1. Before the synchronization, Quidway2 shows the following status:

[Quidway2] display ntp-service status

clock status: unsynchronized

clock stratum: 16

reference clock ID: none

nominal frequency: 100.0000 Hz

actual frequency: 100.0000 Hz


clock precision: 2^17

clock offset: 0.0000 ms

root delay: 0.00 ms

root dispersion: 0.00 ms

peer dispersion: 0.00 ms

reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)

After the synchronization, Quidway2 turns into the following status:

[Quidway2] display ntp-service status

clock status: synchronized

clock stratum: 8

reference clock ID: LOCAL(0)

nominal frequency: 100.0000 Hz

actual frequency: 100.0000 Hz

clock precision: 2^17

clock offset: 0.0000 ms

root delay: 0.00 ms

root dispersion: 10.94 ms

peer dispersion: 10.00 ms

reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)

By this time, Quidway2 has been synchronized by Quidway1 and is at stratum 3, higher than Quidway1 by 1.

Display the sessions of Quidway2 and you will see Quidway2 has been connected with Quidway1.

[Quidway2] display ntp-service sessions

source reference stra reach poll now offset delay disper

**************************************************************************

[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0

[5]1.0.1.11 0.0.0.0 16 0 64 - 0.0 0.0 0.0

[5]128.108.22.44 0.0.0.0 16 0 64 - 0.0 0.0 0.0

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

II. NTP peer configuration example

1) Network requirements

On Quidway3, set the local clock as the NTP master clock at stratum 2. On Quidway2, configure Quidway1 as the time server in server mode and set the local equipment in client mode. At the same time, Quidway5 sets Quidway4 as its peer.

2) Networking diagram

See Figure 3-3.

3) Configuration procedure


Configure Ethernet Switch Quidway3:

# Enter system view.

<Quidway3> system-view

# Set the local clock as the NTP master clock at stratum 2.

[Quidway3] ntp-service refclock-master 2

Configure Ethernet Switch Quidway4:

# Enter system view.

<Quidway4> system-view

# Set Quidway1 as the NTP server at stratum 3 after synchronization.

[Quidway4] ntp-service unicast-server 3.0.1.31

Configure Ethernet Switch Quidway5: (Quidway4 has been synchronized by Quidway3)

# Enter system view.

<Quidway5> system-view

# Set the local clock as the NTP master clock at stratum 1.

[Quidway5] ntp-service refclock-master 1

# After performing local synchronization, set Quidway4 as a peer.

[Quidway5] ntp-service unicast-peer 3.0.1.32

The above configuration makes Quidway4 and Quidway5 peers, with Quidway5 in active peer mode and Quidway4 in passive peer mode. Since Quidway5 is at stratum 1 and Quidway4 at stratum 3, Quidway4 is synchronized by Quidway5.

After synchronization, Quidway4 status is shown as follows:

[Quidway4] display ntp-service status

clock status: synchronized

clock stratum: 8

reference clock ID: LOCAL(0)

nominal frequency: 100.0000 Hz

actual frequency: 100.0000 Hz

clock precision: 2^17

clock offset: 0.0000 ms

root delay: 0.00 ms


root dispersion: 10.94 ms

peer dispersion: 10.00 ms

reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)

By this time, Quidway4 has been synchronized by Quidway5 and it is at stratum 2, or higher than Quidway5 by 1.

Display the sessions of Quidway4 and you will see Quidway4 has been connected with Quidway5.

[Quidway4] display ntp-service sessions

source reference stra reach poll now offset delay disper

**************************************************************************

[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0

[5]1.0.1.11 0.0.0.0 16 0 64 - 0.0 0.0 0.0

[5]128.108.22.44 0.0.0.0 16 0 64 - 0.0 0.0 0.0

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

III. Configure NTP broadcast mode

1) Network requirements

On Quidway3, set the local clock as the NTP master clock at stratum 2 and configure it to broadcast packets from Vlan-interface2. Configure Quidway4 and Quidway1 to listen for the broadcast on their respective Vlan-interface2.

2) Networking diagram

See Figure 1-2.

3) Configuration procedure

Configure Ethernet Switch Quidway3:

# Enter system view.

<Quidway3> system-view

# Set the local clock as the NTP master clock at stratum 2.

[Quidway3] ntp-service refclock-master 2

# Enter Vlan-interface2 view.

[Quidway3] interface vlan-interface 2

# Set it as the broadcast server.

[Quidway3-Vlan-Interface2] ntp-service broadcast-server

Configure Ethernet Switch Quidway4:

# Enter system view.


<Quidway4> system-view

# Enter Vlan-interface2 view.

[Quidway4] interface vlan-interface 2

[Quidway4-Vlan-Interface2] ntp-service broadcast-client

Configure Ethernet Switch Quidway1:

# Enter system view.

<Quidway1> system-view

# Enter Vlan-interface2 view.

[Quidway1] interface vlan-interface 2

[Quidway1-Vlan-Interface2] ntp-service broadcast-client

The above configuration makes Quidway4 and Quidway1 listen for the broadcast via Vlan-interface2 and Quidway3 broadcast packets from Vlan-interface2. Since Quidway1 and Quidway3 are not located on the same segment, Quidway1 cannot receive any broadcast packets from Quidway3, while Quidway4 is synchronized by Quidway3 after receiving its broadcast packets.

After the synchronization, you can find the state of Quidway4 as follows:

[Quidway4] display ntp-service status

clock status: synchronized

clock stratum: 8

reference clock ID: LOCAL(0)

nominal frequency: 100.0000 Hz

actual frequency: 100.0000 Hz

clock precision: 2^17

clock offset: 0.0000 ms

root delay: 0.00 ms

root dispersion: 10.94 ms

peer dispersion: 10.00 ms

reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)

By this time, Quidway4 has been synchronized by Quidway3 and it is at stratum 3, higher than Quidway3 by 1.

Display the status of Quidway4 sessions and you will see Quidway4 has been connected to Quidway3.

[Quidway2] display ntp-service sessions

source reference stra reach poll now offset delay disper


**************************************************************************

[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0

[5]1.0.1.11 0.0.0.0 16 0 64 - 0.0 0.0 0.0

[5]128.108.22.44 0.0.0.0 16 0 64 - 0.0 0.0 0.0

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

IV. Configure NTP multicast mode

1) Network requirements

Quidway3 sets the local clock as the master clock at stratum 2 and multicasts packets from Vlan-interface2. Set Quidway4 and Quidway1 to receive multicast messages on their respective Vlan-interface2.

2) Networking diagram

See Figure 1-2.

3) Configuration procedure

Configure Ethernet Switch Quidway3:

# Enter system view.

<Quidway3> system-view

# Set the local clock as a master NTP clock at stratum 2.

[Quidway3] ntp-service refclock-master 2

# Enter Vlan-interface2 view.

[Quidway3] interface vlan-interface 2

# Set it as a multicast server.

[Quidway3-Vlan-Interface2] ntp-service multicast-server

Configure Ethernet Switch Quidway4:

# Enter system view.

<Quidway4> system-view

# Enter Vlan-interface2 view.

[Quidway4] interface vlan-interface 2

# Enable multicast client mode.

[Quidway4-Vlan-Interface2] ntp-service multicast-client

Configure Ethernet Switch Quidway1:

# Enter system view.


<Quidway1> system-view

# Enter Vlan-interface2 view.

[Quidway1] interface vlan-interface 2

# Enable multicast client mode.

[Quidway1-Vlan-Interface2] ntp-service multicast-client

The above configuration makes Quidway4 and Quidway1 receive multicast messages on Vlan-interface2 and Quidway3 multicast messages from Vlan-interface2. Since Quidway1 and Quidway3 are not located on the same segment, Quidway1 cannot receive the multicast packets from Quidway3, while Quidway4 is synchronized by Quidway3 after receiving the multicast packets.

V. Configure authentication-enabled NTP server mode

1) Network requirements

Quidway1 sets the local clock as the NTP master clock at stratum 2. Quidway2 sets Quidway1 as its time server in server mode and itself in client mode and enables authentication.

2) Networking diagram

See Figure 1-2.

3) Configuration procedure

Configure Ethernet Switch Quidway1:

# Enter system view.

<Quidway1> system-view

# Set the local clock as the master NTP clock at stratum 2.

[Quidway1] ntp-service refclock-master 2

Configure Ethernet Switch Quidway2:

# Enter system view.

<Quidway2> system-view

# Set Quidway1 as time server.

[Quidway2] ntp-service unicast-server 1.0.1.11

# Enable authentication.

[Quidway2] ntp-service authentication enable

# Set the key.


[Quidway2] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

# Set the key as reliable.

[Quidway2] ntp-service reliable authentication-keyid 42

The above configuration is meant to synchronize Quidway2 by Quidway1. Since authentication has not been enabled on Quidway1, it cannot yet synchronize Quidway2. Now perform the following additional configuration on Quidway1:

# Enable authentication.

[Quidway1] ntp-service authentication enable

# Set the key.

[Quidway1] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

# Configure the key as reliable.

[Quidway1] ntp-service reliable authentication-keyid 42
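As an added example that is not part of the manual, the following Python models what the authentication commands above put in place: the sender appends an NTP MD5 authenticator (4-byte key id followed by MD5 over the key string and the packet), and a receiver with authentication enabled accepts a packet only if its key id is configured, marked reliable, and the digest verifies. The 48-byte header contents and the key table (key id 42, key string aNiceKey) are constructed here to mirror the configuration; the case names map to Quidway1 before and after the extra configuration.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring the configuration above:
#   ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
#   ntp-service reliable authentication-keyid 42
KEYS = {42: b"aNiceKey"}   # key id -> MD5 key string
RELIABLE = {42}            # key ids marked reliable (trusted)

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48
MAC_LEN = 20                   # 4-byte key id + 16-byte MD5 digest


def build_ntp_header(unix_time: float, stratum: int = 2) -> bytes:
    """Constructed 48-byte NTPv3 header (LI=0, VN=3, mode=4 server reply);
    only the stratum and transmit timestamp are filled in, the rest is zero."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # flags, stratum, poll, precision; root delay, root dispersion, ref id,
    # reference/originate/receive timestamps (zeroed); transmit timestamp
    return struct.pack("!BBBb9I2I", 0x1C, stratum, 6, -20, *([0] * 9), secs, frac)


def authenticate(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Sender side: append key id and MD5(key || header) as the NTP MAC."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(message: bytes, keys=KEYS, reliable=RELIABLE) -> tuple[bool, str]:
    """Receiver side with authentication enabled: return (accepted, reason)."""
    if len(message) == HEADER_LEN:
        return False, "no MAC present; unauthenticated packet rejected"
    if len(message) != HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:]
    if key_id not in keys:
        return False, f"key id {key_id} not configured"
    if key_id not in reliable:
        return False, f"key id {key_id} configured but not marked reliable"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "MD5 digest mismatch (key strings differ)"
    return True, f"authenticated with key id {key_id}"


def demo() -> dict:
    """Replies as seen by Quidway2: a server holding key 42 (Quidway1 after the
    extra configuration), one without any key (Quidway1 before it), and two
    misconfigurations (wrong key string, key not marked reliable)."""
    reply = build_ntp_header(1_700_000_000.5)
    return {
        "server_with_key": verify(authenticate(reply, 42))[0],
        "server_without_key": verify(reply)[0],
        "wrong_key_string": verify(authenticate(reply, 42, {42: b"otherKey"}))[0],
        "key_not_reliable": verify(authenticate(reply, 42), reliable=set())[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```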


Chapter 8 SSH Terminal Services

8.1 SSH Terminal Services

8.1.1 SSH Overview

Secure Shell (SSH) provides confidentiality and strong authentication, protecting against attacks such as IP address spoofing and plain-text password interception when users log on to the switch remotely over an insecure network. A switch can serve multiple SSH clients. An SSH client establishes SSH connections between a user and an Ethernet switch or UNIX host that runs an SSH server. You can set up SSH channels for local connection, as shown in Figure 8-1.

Currently the switch which runs SSH server supports SSH version 1.5.


1: Switch running SSH server 2: PC running SSH client 3: Ethernet LAN

Figure 8-1 Setting up SSH channels in LAN

Note:

In the above figure, the VLAN for the Ethernet port must have been configured with VLAN interfaces and IP address.

The communication process between the server and client includes five stages: version negotiation, key negotiation, authentication, session request, and interactive session.


Version negotiation stage: The client sends a TCP connection request to the server. Once the TCP connection is established, both ends negotiate the SSH version. If they can agree on a version, they enter the key algorithm negotiation stage; otherwise the server tears down the TCP connection.

Key negotiation stage: Both ends negotiate the key algorithm and compute the session key. The server randomly generates its RSA key and sends the public key to the client. The client derives the session key from the server's public key and a random number generated locally. The client encrypts the random number with the server's public key and sends the result back to the server. The server decrypts the received data with its private key to recover the client's random number, then uses the same algorithm to derive the session key from the server public key and the recovered random number. Both ends thus hold the same session key without the key itself being transferred over the network, and use it for encryption and decryption.

Authentication stage: After obtaining the session key, the server authenticates the user at the client. The client sends its username to the server. If the username has been created and configured for no authentication, the authentication stage is skipped for this user; otherwise authentication continues. SSH supports two authentication types: password authentication and RSA authentication. With password authentication, the server compares the received username and password with those configured locally, and the user is allowed to log on to the switch only if both match exactly. RSA authentication works as follows: the RSA public key of the client user is configured at the server. The client first sends the modulus of its RSA public key to the server, which checks its validity. If it is valid, the server generates a random number, encrypts it with the client's RSA public key and sends it to the client. Both ends then calculate authentication data from the random number and the session ID. The client sends its authentication data back to the server, which compares it with the authentication data it computed locally. If they match exactly, the user is allowed to access the switch; otherwise authentication fails.

Session request stage: The client sends session request messages to the server which processes the request messages.

Interactive session stage: Both ends exchange data till the session ends.

Session packets are encrypted in transit, and the session key is generated randomly. The session key exchange is itself encrypted, and RSA authentication completes key exchange without sending the key over the network, so SSH protects client-server data as far as possible. The server also runs the authentication procedure even when the received username is not configured, so an intruder cannot tell whether a username they key in exists. This also protects usernames.


8.1.2 Configuring SSH Server

Basic configuration tasks are those required for a successful connection from SSH client to SSH server, while advanced configuration tasks are those that modify SSH parameters.

Configuration tasks on SSH server include:

1) Setting system protocol and link maximum

2) Configuring and deleting local RSA key pair

3) Configuring authentication type

4) Defining update interval of server key

5) Defining SSH authentication timeout value

6) Defining SSH authentication retry value

7) Entering RSA public key view and editing public key

8) Associating public key with SSH user

I. Setting system protocol

By default, the system only supports Telnet protocol, so you must specify SSH protocol for the system before enabling SSH.

Please perform the following configuration in system view.

Table 8-1 Setting system protocols and link maximum

Set system protocol and link maximum: protocol inbound { all | ssh | telnet }

Caution:

If SSH protocol is specified, to ensure a successful login, you must configure AAA authentication on the user interface with the authentication-mode scheme command. The protocol inbound ssh command fails if authentication-mode password or authentication-mode none is configured. Once SSH protocol has been configured successfully for the user interface, authentication-mode password and authentication-mode none can no longer be configured.

II. Configuring and canceling local RSA key pair

If an RSA host key pair already exists when you execute this command, the system gives an alarm and prompts that the existing key pair will be replaced. The server key pair is created dynamically by the SSH server. Both key pairs are between 512 and 2048 bits long.


Please perform the following configurations in system view.

Table 8-2 Configuring and canceling local RSA key pair

Configure local RSA key pair: rsa local-key-pair create

Cancel local RSA key pair: rsa local-key-pair destroy

Caution:

For a successful SSH login, you must configure and generate the local RSA key pair. You need to execute the command only once; the generated key pair remains in effect after the system is rebooted, with no further action required.

III. Configuring authentication type

For a new user, you must specify authentication type. Otherwise, he/she cannot access the switch.

Please perform the following configurations in system view.

Table 8-3 Configuring authentication type

Configure authentication type: ssh user username authentication-type { password | rsa | all }

Remove authentication type setting: undo ssh user username authentication-type

If RSA authentication is configured, the RSA public key of the client user must also be configured on the switch, that is, configuration tasks 7 and 8 (entering the RSA public key view and editing the public key, and associating the public key with the SSH user) must be performed.

By default, no authentication type is specified for a new user, so he/she cannot access the switch.

IV. Defining update interval of server key

Please perform the following configurations in system view.

Table 8-4 Defining update interval of server key

Define update interval of server key: ssh server rekey-interval hours

Restore the default update interval: undo ssh server rekey-interval


By default, the system does not update server key.

V. Defining SSH authentication timeout value

Please perform the following configurations in system view.

Table 8-5 Defining SSH authentication timeout value

Define SSH authentication timeout value: ssh server timeout seconds

Restore the default timeout value: undo ssh server timeout

By default, the timeout value for SSH authentication is 60 seconds.

VI. Defining SSH authentication retry value

Setting the SSH authentication retry value effectively limits malicious login attempts.

Please perform the following configurations in system view.

Table 8-6 Defining SSH authentication retry value

Define SSH authentication retry value: ssh server authentication-retries times

Restore the default retry value: undo ssh server authentication-retries

By default, the retry value is 3.

VII. Entering RSA key code view and editing public key

You can enter the RSA key code view and edit the client public key.

Note:

This operation is only available for the SSH users using RSA authentication. At the switch, you configure the RSA public key of the client, while at the client, you specify the RSA private key which corresponds to the RSA public key. This operation will fail if you configure password authentication for the SSH user.

Please perform the following configurations in system view.


Table 8-7 Configuring public key

Enter RSA public key view: rsa peer-public-key key-name

Delete a designated public key: undo rsa peer-public-key key-name

After entering the RSA key code view with the rsa peer-public-key command, begin editing the public key with the public-key-code begin command. You may key in blank spaces between characters; the system removes them automatically. The public key itself must consist of hexadecimal characters only. Terminate public key editing and save the result with the public-key-code end command. A validity check is performed before saving: editing fails if the key contains invalid characters.

Please perform the following configurations in the RSA public key view.

Table 8-8 Starting/terminating public key editing

Enter RSA key code view: public-key-code begin

Terminate RSA key code view: public-key-code end

Quit RSA public key view: peer-public-key end

VIII. Associating public key with SSH user

Please perform the following configurations in system view.

Table 8-9 Associating public key with SSH user

Associate an existing public key with an SSH user: ssh user username assign rsa-key keyname

Remove the association: undo ssh user username assign rsa-key

8.1.3 Configuring SSH Client

There are several types of SSH client software, such as PuTTY and FreeBSD. You should first configure the client’s connection with the server. The basic configuration tasks on client include:

Specifying server IP address.

Selecting SSH protocol. The client supports remote connection protocols like Telnet, Rlogin and SSH. To set up an SSH connection, you must select SSH protocol.

Choosing SSH version. The switch currently supports SSH Server 1.5, so you have to choose version 1.5 or earlier.


Specifying RSA private key file. If you specify RSA authentication for the SSH user, you must specify the RSA private key file. The RSA key pair, consisting of a public key and a private key, is generated by the client software. The public key is configured on the server (switch) and the private key is kept on the client.

The following description takes the PuTTY as an example.

I. Specifying server IP address

Start PuTTY program and the client configuration interface pops up.

Figure 8-2 SSH client configuration interface (1)

In the Host Name (or IP address) text box key in the IP address of the switch, for example, 10.110.28.10. You can also input the IP address of an interface in UP state, but its route to SSH client PC must be reachable.

II. Selecting SSH protocol

Select SSH for the Protocol item.

III. Choosing SSH version

Click the left menu [Category/Connection/SSH] to enter the interface shown in the following figure:


Figure 8-3 SSH client configuration interface (2)

You can select 1, as shown in the figure.

IV. Specifying RSA private key file

If you want to enable RSA authentication, you must specify RSA private key file, which is not required for password authentication.

Click [SSH/Auth] to enter the interface as shown in the following figure:


Figure 8-4 SSH client configuration interface (3)

Click the <Browse> button to enter the File Select interface. Choose a desired file and click <OK>.

V. Opening SSH connection

Click the <Open> button to enter the SSH client interface. If it runs normally, you are prompted to enter username and password. See the following figure.


Figure 8-5 SSH client interface

1) Key in the correct username and password and log into the SSH connection.

2) Log out of the SSH connection with the logout command.

8.1.4 Displaying and Debugging SSH

Run the display command in any view to view the running state of SSH and check the configuration result.

Run the debugging command to debug the SSH.

Please perform the following configurations in any view.

Table 8-10 Display SSH information

Display host and server public keys: display rsa local-key-pair public

Display client RSA public key: display rsa peer-public-key [ brief | name keyname ]

Display SSH state information and session: display ssh server { status | session }

Display SSH user information: display ssh user-information [ username ]

Enable SSH debugging: debugging ssh server { VTY index | all }

Enable RSA debugging: debugging rsa

Disable SSH debugging: undo debugging ssh server { VTY index | all }

Disable RSA debugging: undo debugging rsa


8.1.5 SSH Configuration Example

I. Networking requirements

As shown in Figure 8-6, configure local connection from SSH Client to the switch. The client uses SSH protocol to access the switch.

II. Networking diagram

SSH Client    Switch

Figure 8-6 Networking for SSH local configuration

III. Configuration procedure

You should run this command before any other configuration:

[Quidway] rsa local-key-pair create

Note:

If you have configured local key pair in advance, this operation is unnecessary.

For password authentication mode

[Quidway] user-interface vty 0 4

[Quidway-ui-vty0-4] authentication-mode scheme

[Quidway-ui-vty0-4] protocol inbound ssh

[Quidway] local-user client001

[Quidway-luser-client001] password simple huawei

[Quidway-luser-client001] service-type ssh

[Quidway] ssh user client001 authentication-type password

Select the default values for SSH authentication timeout value, retry value and update interval of server key. Then run SSH1.5 client program on the PC which is connected to the switch and access the switch using username “client001” and password “huawei”.

For RSA authentication mode

# Create local user client002

[Quidway] local-user client002

[Quidway-luser-client002] service-type ssh


# Specify AAA authentication on the user interface.

[Quidway] user-interface vty 0 4

[Quidway-ui-vty0-4] authentication-mode scheme

# Select SSH protocol on the switch.

[Quidway-ui-vty0-4] protocol inbound ssh

# Specify RSA authentication on the switch.

[Quidway] ssh user client002 authentication-type rsa

# Configure the client's RSA public key on the switch.

[Quidway] rsa peer-public-key quidway002

[Quidway-rsa-public] public-key-code begin

[Quidway-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[Quidway-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[Quidway-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[Quidway-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[Quidway-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[Quidway-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[Quidway-key-code] public-key-code end

[Quidway-rsa-public] peer-public-key end

[Quidway] ssh user client002 assign rsa-key quidway002

Note:

You need to specify RSA private key which corresponds to the public key for the SSH user client002.

Run the SSH1.5 client program on the PC which has been configured with the corresponding RSA private key, and you can set up the SSH connection.
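Judging by its leading bytes (30 81 86 02 81 80 ...), the key code entered above in the [Quidway-key-code] view is a DER SEQUENCE of two INTEGERs, the modulus followed by the public exponent; that reading is an assumption here, not something the manual states. As an added example that is not from the manual, the following Python emulates the checks described for public-key-code begin ... end (blanks removed automatically, hexadecimal characters only, validity check before saving) and decodes the example key to report its modulus size and exponent.

```python
import re
from dataclasses import dataclass

# Hexadecimal key text as typed line by line in the [Quidway-key-code] view,
# taken from the RSA authentication configuration example above.
KEY_CODE_LINES = [
    "308186028180739A291ABDA704F5D93DC8FDF84C427463",
    "1991C164B0DF178C55FA833591C7D47D5381D09CE82913",
    "D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4",
    "0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC",
    "C48E3306367FE187BDD944018B3B69F3CBB0A573202C16",
    "BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125",
]


@dataclass
class RsaPublicKey:
    modulus: int
    exponent: int

    @property
    def bits(self) -> int:
        return self.modulus.bit_length()


def _read_tlv(buf: bytes, pos: int, want_tag: int) -> tuple[bytes, int]:
    """Read one DER tag-length-value with a definite length; return (value, next offset)."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated DER element at offset {pos}")
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02X} at offset {pos}, got 0x{buf[pos]:02X}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(lines) -> RsaPublicKey:
    """Emulate public-key-code begin ... end: join the typed lines, drop blanks,
    insist on hex digits, then decode SEQUENCE { INTEGER n, INTEGER e }."""
    text = re.sub(r"\s+", "", "".join(lines))   # blanks are removed automatically
    if not text or len(text) % 2:
        raise ValueError("key code must contain an even, non-zero number of hex digits")
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError("key code contains non-hexadecimal characters")
    der = bytes.fromhex(text)
    body, end = _read_tlv(der, 0, 0x30)          # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after the key SEQUENCE")
    n_bytes, pos = _read_tlv(body, 0, 0x02)      # INTEGER modulus
    e_bytes, pos = _read_tlv(body, pos, 0x02)    # INTEGER public exponent
    if pos != len(body):
        raise ValueError("unexpected extra fields inside the key SEQUENCE")
    return RsaPublicKey(int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"))


if __name__ == "__main__":
    key = parse_key_code(KEY_CODE_LINES)
    print(f"modulus: {key.bits} bits, public exponent: {key.exponent}")
```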


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

13. Appendix


Table of Contents

Appendix A Acronyms A-1


Appendix A Acronyms

A

AAA Authentication, Authorization and Accounting
ABR Area Border Router
ACL Access Control List
ARP Address Resolution Protocol
AS Autonomous System
ASBR Autonomous System Border Router

B

BDR Backup Designated Router

C

CAR Committed Access Rate
CLI Command Line Interface
CoS Class of Service

D

DHCP Dynamic Host Configuration Protocol
DR Designated Router
D-V Distance Vector Routing Algorithm

E

EGP Exterior Gateway Protocol

F

FTP File Transfer Protocol

G

GARP Generic Attribute Registration Protocol
GE Gigabit Ethernet
GVRP GARP VLAN Registration Protocol
GMRP GARP Multicast Registration Protocol

H

HGMP Huawei Group Management Protocol

I

IAB Internet Architecture Board
ICMP Internet Control Message Protocol
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IP Internet Protocol

L

LSA Link State Advertisement
LSDB Link State DataBase

M

MAC Medium Access Control
MIB Management Information Base

N

NBMA Non Broadcast MultiAccess
NIC Network Information Center
NMS Network Management System
NVRAM Nonvolatile RAM


O

OSPF Open Shortest Path First

P

PIM Protocol Independent Multicast
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode

Q

QoS Quality of Service

R

RIP Routing Information Protocol
RMON Remote Network Monitoring
RSTP Rapid Spanning Tree Protocol

S

SNMP Simple Network Management Protocol
SP Strict Priority
STP Spanning Tree Protocol

T

TCP/IP Transmission Control Protocol/Internet Protocol
TFTP Trivial File Transfer Protocol
ToS Type of Service
TTL Time To Live

U

UDP User Datagram Protocol

V

VLAN Virtual LAN
VOD Video On Demand
VRRP Virtual Router Redundancy Protocol

W

WRR Weighted Round Robin