Configuration Guide - Business Systems Connection

User's Manual
XGS3-42000R
4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch
Trademarks
Copyright © PLANET Technology Corp. 2010.
Contents subject to revision without prior notice.
PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.
Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
FCC Warning
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at their own expense.
CE Mark Warning
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Energy Saving Note of the Device
To save energy, unplug the power cable to disconnect the device from the power circuit. As long as the power cable is connected, the device continues to draw power from the power source. To save energy and avoid unnecessary power consumption, it is strongly recommended to disconnect the device from the power supply whenever it is not intended to be in use.
WEEE Warning
To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected separately.
Revision
PLANET 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch User's Manual
FOR MODEL: XGS3-42000R
REVISION: 1.0 (APRIL 2010)
Part No: EM-XGS3-42000R (2081-A96040-000)
Content
CHAPTER 1 INTRODUCTION OF XGS3-42000R .... 1-1
1.1 PACKET CONTENTS .... 1-1
1.2 PRODUCT DESCRIPTION .... 1-2
1.3 PRODUCT FEATURES .... 1-3
1.4 PRODUCT SPECIFICATION .... 1-5
1.4.1 XGS3-42000R Specification .... 1-5
1.4.2 Management Module Specification .... 1-6
1.4.3 Standard Ethernet Module Specification .... 1-9
CHAPTER 2 INSTALLATION .... 2-1
2.1 HARDWARE DESCRIPTION .... 2-1
2.1.1 Chassis Switch Hardware Description .... 2-1
2.1.2 Management Module Hardware Description .... 2-3
2.1.3 Standard Ethernet Module Hardware Description .... 2-7
2.1.4 AC Power Supply Module Hardware Description .... 2-11
2.2 INSTALL THE CHASSIS SWITCH .... 2-12
2.2.1 Desktop Installation .... 2-12
2.2.2 Rack Mounting .... 2-13
2.2.3 Chassis Switch Grounding .... 2-14
2.2.4 Installing the Management / Standard Ethernet Module .... 2-16
2.2.5 Removing / Installing the Dust Gauze .... 2-17
2.2.6 Removing / Installing the Fan Tray .... 2-17
2.2.7 Removing / Installing the Power Supply Unit .... 2-18
2.2.8 Installing the SFP / XFP Transceiver .... 2-19
CHAPTER 3 CHASSIS SWITCH MANAGEMENT .... 3-23
3.1 MANAGEMENT OPTIONS .... 3-23
3.1.1 Out-Of-Band Management .... 3-23
3.1.2 In-band Management .... 3-28
3.2 CLI INTERFACE .... 3-33
3.2.1 Configuration Modes .... 3-34
3.2.2 Configuration Syntax .... 3-36
3.2.3 Shortcut Key Support .... 3-36
3.2.4 Help Function .... 3-37
3.2.5 Input Verification .... 3-38
3.2.6 Fuzzy Match Support .... 3-38
CHAPTER 4 BASIC CHASSIS SWITCH CONFIGURATION .... 4-1
4.1 BASIC CONFIGURATION .... 4-1
4.2 TELNET MANAGEMENT .... 4-1
4.2.1 Telnet .... 4-1
4.2.2 SSH .... 4-3
4.3 CONFIGURE CHASSIS SWITCH IP ADDRESSES .... 4-4
4.3.1 Chassis Switch IP Addresses Configuration Task List .... 4-4
4.4 SNMP CONFIGURATION .... 4-7
4.4.1 Introduction to SNMP .... 4-7
4.4.2 Introduction to MIB .... 4-8
4.4.3 Introduction to RMON .... 4-9
4.4.4 SNMP Configuration .... 4-9
4.4.5 Typical SNMP Configuration Examples .... 4-11
4.4.6 SNMP Troubleshooting .... 4-13
4.5 SWITCH UPGRADE .... 4-14
4.5.1 Chassis Switch System Files .... 4-14
4.5.2 BootROM Upgrade .... 4-14
4.5.3 FTP/TFTP Upgrade .... 4-16
CHAPTER 5 FILE SYSTEM OPERATIONS .... 5-1
5.1 INTRODUCTION TO FILE STORAGE DEVICES .... 5-1
5.2 FILE SYSTEM OPERATION CONFIGURATION TASK LIST .... 5-1
5.3 TYPICAL APPLICATIONS .... 5-2
5.4 TROUBLESHOOTING .... 5-3
CHAPTER 6 CLUSTER CONFIGURATION .... 6-1
6.1 INTRODUCTION TO CLUSTER NETWORK MANAGEMENT .... 6-1
6.2 CLUSTER NETWORK MANAGEMENT CONFIGURATION SEQUENCE .... 6-1
6.3 EXAMPLES OF CLUSTER ADMINISTRATION .... 6-4
6.4 CLUSTER ADMINISTRATION TROUBLESHOOTING .... 6-5
CHAPTER 7 PORT CONFIGURATION .... 7-1
7.1 INTRODUCTION TO PORT .... 7-1
7.2 NETWORK PORT CONFIGURATION TASK LIST .... 7-1
7.3 PORT CONFIGURATION EXAMPLE .... 7-2
7.4 PORT TROUBLESHOOTING .... 7-3
CHAPTER 8 PORT ISOLATION FUNCTION CONFIGURATION .... 8-1
8.1 INTRODUCTION TO PORT ISOLATION FUNCTION .... 8-1
8.2 TASK SEQUENCE OF PORT ISOLATION .... 8-1
8.3 PORT ISOLATION FUNCTION TYPICAL EXAMPLES .... 8-2
CHAPTER 9 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION .... 9-3
9.1 INTRODUCTION TO PORT LOOPBACK DETECTION FUNCTION .... 9-3
9.2 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION TASK LIST .... 9-3
9.3 PORT LOOPBACK DETECTION FUNCTION EXAMPLE .... 9-5
9.4 PORT LOOPBACK DETECTION TROUBLESHOOTING .... 9-5
CHAPTER 10 ULDP FUNCTION CONFIGURATION .... 10-5
10.1 INTRODUCTION TO ULDP FUNCTION .... 10-6
10.2 ULDP CONFIGURATION TASK SEQUENCE .... 10-7
10.3 ULDP FUNCTION TYPICAL EXAMPLES .... 10-9
10.4 ULDP TROUBLESHOOTING .... 10-10
CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION .... 11-1
11.1 INTRODUCTION TO LLDP FUNCTION .... 11-1
11.2 LLDP FUNCTION CONFIGURATION TASK SEQUENCE .... 11-2
11.3 LLDP FUNCTION TYPICAL EXAMPLE .... 11-4
11.4 LLDP FUNCTION TROUBLESHOOTING .... 11-5
CHAPTER 12 PORT CHANNEL CONFIGURATION .... 12-1
12.1 INTRODUCTION TO PORT CHANNEL .... 12-1
12.2 BRIEF INTRODUCTION TO LACP .... 12-2
12.2.1 Static LACP Aggregation .... 12-2
12.2.2 Dynamic LACP Aggregation .... 12-3
12.3 PORT CHANNEL CONFIGURATION TASK LIST .... 12-3
12.4 PORT CHANNEL EXAMPLES .... 12-5
12.5 PORT CHANNEL TROUBLESHOOTING .... 12-7
CHAPTER 13 JUMBO CONFIGURATION .... 13-1
13.1 INTRODUCTION TO JUMBO .... 13-1
13.2 JUMBO CONFIGURATION TASK SEQUENCE .... 13-1
CHAPTER 14 VLAN CONFIGURATION .... 14-1
14.1 VLAN CONFIGURATION .... 14-1
14.1.1 Introduction to VLAN .... 14-1
14.1.2 VLAN Configuration Task List .... 14-2
14.1.3 Typical VLAN Application .... 14-4
14.1.4 Typical Application of Hybrid Port .... 14-6
14.2 GVRP CONFIGURATION .... 14-7
14.2.1 Introduction to GVRP .... 14-7
14.2.2 GVRP Configuration Task List .... 14-8
14.2.3 Typical GVRP Application .... 14-9
14.2.4 GVRP Troubleshooting .... 14-10
14.3 DOT1Q-TUNNEL CONFIGURATION .... 14-10
14.3.1 Introduction to Dot1q-tunnel .... 14-10
14.3.2 Dot1q-tunnel Configuration .... 14-11
14.3.3 Typical Applications of the Dot1q-tunnel .... 14-12
14.4 VLAN-TRANSLATION CONFIGURATION .... 14-13
14.4.1 Introduction to VLAN-translation .... 14-13
14.4.2 VLAN-translation Configuration .... 14-13
14.4.3 Typical Application of VLAN-translation .... 14-14
14.4.4 VLAN-translation Troubleshooting .... 14-15
14.5 DYNAMIC VLAN CONFIGURATION .... 14-15
14.5.1 Introduction to Dynamic VLAN .... 14-15
14.5.2 Dynamic VLAN Configuration .... 14-15
14.5.3 Typical Application of the Dynamic VLAN .... 14-17
14.5.4 Dynamic VLAN Troubleshooting .... 14-18
14.6 VOICE VLAN CONFIGURATION .... 14-18
14.6.1 Introduction to Voice VLAN .... 14-18
14.6.2 Voice VLAN Configuration .... 14-18
14.6.3 Typical Applications of the Voice VLAN .... 14-19
14.6.4 Voice VLAN Troubleshooting .... 14-20
CHAPTER 15 MAC TABLE CONFIGURATION .... 15-1
15.1 INTRODUCTION TO MAC TABLE .... 15-1
15.1.1 Obtaining MAC Table .... 15-1
15.1.2 Forward or Filter .... 15-2
15.2 MAC ADDRESS TABLE CONFIGURATION TASK LIST .... 15-3
15.3 TYPICAL CONFIGURATION EXAMPLES .... 15-4
15.4 MAC TABLE TROUBLESHOOTING .... 15-4
15.5 MAC ADDRESS FUNCTION EXTENSION .... 15-5
15.5.1 MAC Address Binding .... 15-5
CHAPTER 16 MSTP CONFIGURATION .... 16-1
16.1 INTRODUCTION TO MSTP .... 16-1
16.1.1 MSTP Region .... 16-1
16.1.2 Port Roles .... 16-3
16.1.3 MSTP Load Balance .... 16-3
16.2 MSTP CONFIGURATION TASK LIST .... 16-3
16.3 MSTP EXAMPLE .... 16-6
16.4 MSTP TROUBLESHOOTING .... 16-10
CHAPTER 17 QOS CONFIGURATION .... 17-1
17.1 INTRODUCTION TO QOS .... 17-1
17.1.1 QoS Terms .... 17-1
17.1.2 QoS Implementation .... 17-2
17.1.3 Basic QoS Model .... 17-2
17.2 QOS CONFIGURATION TASK LIST .... 17-5
17.3 QOS EXAMPLE .... 17-9
17.4 QOS TROUBLESHOOTING .... 17-12
CHAPTER 18 PBR CONFIGURATION .... 18-1
18.1 INTRODUCTION TO PBR .... 18-1
18.2 PBR CONFIGURATION .... 18-1
18.3 PBR EXAMPLES .... 18-1
CHAPTER 19 IPV6 PBR CONFIGURATION .... 19-1
19.1 INTRODUCTION TO PBR (POLICY-BASED ROUTING) .... 19-1
19.2 PBR CONFIGURATION TASK SEQUENCE .... 19-1
19.3 PBR EXAMPLES .... 19-2
19.4 PBR TROUBLESHOOTING HELP .... 19-3
CHAPTER 20 FLOW-BASED REDIRECTION .... 20-4
20.1 INTRODUCTION TO FLOW-BASED REDIRECTION .... 20-4
20.2 FLOW-BASED REDIRECTION CONFIGURATION TASK SEQUENCE .... 20-4
20.3 FLOW-BASED REDIRECTION EXAMPLES .... 20-5
20.4 FLOW-BASED REDIRECTION TROUBLESHOOTING HELP .... 20-5
CHAPTER 21 LAYER 3 FORWARD CONFIGURATION .... 21-1
21.1 LAYER 3 INTERFACE .... 21-1
21.1.1 Introduction to Layer 3 Interface .... 21-1
21.1.2 Layer 3 Interface Configuration Task List .... 21-1
21.2 IP CONFIGURATION .... 21-2
21.2.1 Introduction to IPv4, IPv6 .... 21-2
21.2.2 IP Configuration .... 21-4
21.2.3 IP Configuration Examples .... 21-10
21.2.4 IPv6 Troubleshooting .... 21-15
21.3 IP FORWARDING .... 21-15
21.3.1 Introduction to IP Forwarding .... 21-15
21.3.2 IP Route Aggregation Configuration Task .... 21-15
21.4 URPF .... 21-16
21.4.1 Introduction to URPF .... 21-16
21.4.2 URPF Configuration Task Sequence .... 21-17
21.4.3 URPF Typical Example .... 21-18
21.4.4 URPF Troubleshooting .... 21-19
21.5 ARP .... 21-19
21.5.1 Introduction to ARP .... 21-19
21.5.2 ARP Configuration Task List .... 21-19
21.5.3 ARP Troubleshooting .... 21-21
CHAPTER 22 ARP SCANNING PREVENTION FUNCTION CONFIGURATION .... 22-1
22.1 INTRODUCTION TO ARP SCANNING PREVENTION FUNCTION .... 22-1
22.2 ARP SCANNING PREVENTION CONFIGURATION TASK SEQUENCE .... 22-1
22.3 ARP SCANNING PREVENTION TYPICAL EXAMPLES .... 22-3
22.4 ARP SCANNING PREVENTION TROUBLESHOOTING HELP .... 22-4
CHAPTER 23 PREVENT ARP, ND SPOOFING CONFIGURATION .... 23-1
23.1 OVERVIEW .... 23-1
23.1.1 ARP (Address Resolution Protocol) .... 23-1
23.1.2 ARP Spoofing .... 23-1
23.1.3 How to prevent void ARP/ND Spoofing .... 23-1
23.2 PREVENT ARP, ND SPOOFING CONFIGURATION .... 23-2
23.3 PREVENT ARP, ND SPOOFING EXAMPLE .... 23-2
CHAPTER 24 ARP GUARD CONFIGURATION .... 24-1
24.1 INTRODUCTION TO ARP GUARD .... 24-1
24.2 ARP GUARD CONFIGURATION TASK LIST .... 24-2
CHAPTER 25 ARP LOCAL PROXY CONFIGURATION .... 25-1
25.1 INTRODUCTION TO ARP LOCAL PROXY FUNCTION .... 25-1
25.2 ARP LOCAL PROXY FUNCTION CONFIGURATION TASK LIST .... 25-2
25.3 TYPICAL EXAMPLES OF ARP LOCAL PROXY FUNCTION .... 25-2
25.4 ARP LOCAL PROXY FUNCTION TROUBLESHOOTING .... 25-3
CHAPTER 26 GRATUITOUS ARP CONFIGURATION .... 26-1
26.1 INTRODUCTION TO GRATUITOUS ARP .... 26-1
26.2 GRATUITOUS ARP CONFIGURATION TASK LIST .... 26-1
26.3 GRATUITOUS ARP CONFIGURATION EXAMPLE .... 26-2
26.4 GRATUITOUS ARP TROUBLESHOOTING .... 26-2
CHAPTER 27 ND SNOOPING CONFIGURATION .... 27-1
27.1 INTRODUCTION TO ND SNOOPING .... 27-1
27.2 ND SNOOPING BASIC CONFIGURATION .... 27-1
27.3 ND SNOOPING EXAMPLE .... 27-3
27.4 ND SNOOPING TROUBLESHOOTING .... 27-4
CHAPTER 28 DHCP CONFIGURATION................................................................................ 28-1
28.1 INTRODUCTION TO DHCP ....................................................................................................... 28-1
28.2 DHCP SERVER CONFIGURATION.............................................................................................. 28-2
28.3 DHCP RELAY CONFIGURATION................................................................................................ 28-4
28.4 DHCP CONFIGURATION EXAMPLES .......................................................................................... 28-5
28.5 DHCP TROUBLESHOOTING ..................................................................................................... 28-7
CHAPTER 29 DHCPV6 CONFIGURATION ........................................................................... 29-1
29.1 INTRODUCTION TO DHCPV6 .................................................................................................... 29-1
29.2 DHCPV6 SERVER CONFIGURATION .......................................................................................... 29-2
29.3 DHCPV6 RELAY DELEGATION CONFIGURATION.......................................................................... 29-3
29.4 DHCPV6 PREFIX DELEGATION SERVER CONFIGURATION............................................................. 29-4
29.5 DHCPV6 PREFIX DELEGATION CLIENT CONFIGURATION .............................................................. 29-5
29.6 DHCPV6 CONFIGURATION EXAMPLES ...................................................................................... 29-6
29.7 DHCPV6 TROUBLESHOOTING ................................................................................................29-10
CHAPTER 30 DHCP OPTION 82 CONFIGURATION .......................................................... 30-1
30.1 INTRODUCTION TO DHCP OPTION 82 ........................................................................................ 30-1
30.1.1 DHCP option 82 Message Structure ............................................................................ 30-1
30.1.2 option 82 Working Mechanism .................................................................................... 30-2
30.2 DHCP OPTION 82 CONFIGURATION TASK LIST ........................................................................... 30-2
30.3 DHCP OPTION 82 APPLICATION EXAMPLES ............................................................................... 30-4
CHAPTER 31 DHCP SNOOPING CONFIGURATION ......................................................... 31-1
31.1 INTRODUCTION TO DHCP SNOOPING ........................................................................................ 31-1
31.2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE .................................................................. 31-2
31.3 DHCP SNOOPING TYPICAL APPLICATION .................................................................................. 31-4
31.4 DHCP SNOOPING TROUBLESHOOTING HELP ............................................................................. 31-5
31.4.1 Monitor and Debug Information ................................................................................... 31-5
31.4.2 DHCP Snooping Troubleshooting Help ........................................................................ 31-6
CHAPTER 32 DHCPV6 SNOOPING CONFIGURATION .................................................... 32-1
32.1 INTRODUCTION TO DHCPV6 SNOOPING .................................................................................... 32-1
32.1.1 Defense against Fake DHCPv6 Server ........................................................................ 32-1
32.1.2 Defense against Fake IPv6 Address ............................................................................ 32-1
32.1.3 Defense against the attack of DHCPv6 addresses exhaustion ....................................... 32-1
32.1.4 Defense against ND cheat .......................................................................................... 32-1
32.1.5 Reply the remove requirement for port ......................................................................... 32-2
32.2 DHCPV6 SNOOPING CONFIGURATION TASK SEQUENCE .............................................................. 32-2
32.3 DHCPV6 SNOOPING TYPICAL APPLICATION .............................................................................. 32-4
32.4 DHCPV6 SNOOPING TROUBLESHOOTING .................................................................................. 32-5
32.4.1 Monitor and Debug Information ................................................................................... 32-5
32.4.2 DHCPv6 Snooping Troubleshooting Help ..................................................................... 32-5
CHAPTER 33 ROUTING PROTOCOL OVERVIEW............................................................. 33-1
33.1 ROUTING TABLE .................................................................................................................... 33-1
33.2 IP ROUTING POLICY ............................................................................................................... 33-2
33.2.1 Introduction to Routing Policy ...................................................................................... 33-2
33.2.2 IP Routing Policy Configuration Task List ..................................................................... 33-4
33.2.3 Configuration Examples .............................................................................................. 33-7
33.2.4 Troubleshooting ......................................................................................................... 33-8
CHAPTER 34 STATIC ROUTE................................................................................................. 34-1
34.1 INTRODUCTION TO STATIC ROUTE............................................................................................. 34-1
34.2 INTRODUCTION TO DEFAULT ROUTE.......................................................................................... 34-1
34.3 STATIC ROUTE CONFIGURATION TASK LIST ................................................................................ 34-1
34.4 STATIC ROUTE CONFIGURATION EXAMPLES ............................................................................... 34-2
CHAPTER 35 RIP ....................................................................................................................... 35-1
35.1 INTRODUCTION TO RIP ........................................................................................................... 35-1
35.2 RIP CONFIGURATION TASK LIST .............................................................................................. 35-2
35.3 RIP EXAMPLES ..................................................................................................................... 35-8
35.3.1 Typical RIP Examples ................................................................................................. 35-8
35.3.2 Typical Examples of RIP aggregation function .............................................................35-10
35.4 RIP TROUBLESHOOTING ........................................................................................................ 35-11
CHAPTER 36 RIPNG ................................................................................................................. 36-1
36.1 INTRODUCTION TO RIPNG ....................................................................................................... 36-1
36.2 RIPNG CONFIGURATION TASK LIST .......................................................................................... 36-2
36.3 RIPNG CONFIGURATION EXAMPLES .......................................................................................... 36-6
36.3.1 Typical RIPng Examples ............................................................................................. 36-6
36.3.2 RIPng Aggregation Route Function Typical Examples ................................................... 36-8
36.4 RIPNG TROUBLESHOOTING ..................................................................................................... 36-9
CHAPTER 37 OSPF................................................................................................................... 37-1
37.1 INTRODUCTION TO OSPF ........................................................................................................ 37-1
37.2 OSPF CONFIGURATION TASK LIST ........................................................................................... 37-3
37.3 OSPF EXAMPLES .................................................................................................................. 37-8
37.3.1 Configuration Example of OSPF .................................................................................. 37-8
37.3.2 Configuration Examples of OSPF VPN .......................................................................37-16
37.4 OSPF TROUBLESHOOTING ....................................................................................................37-18
CHAPTER 38 OSPFV3.............................................................................................................. 38-1
38.1 INTRODUCTION TO OSPFV3 .................................................................................................... 38-1
38.2 OSPFV3 CONFIGURATION TASK LIST ....................................................................................... 38-4
38.3 OSPFV3 EXAMPLES .............................................................................................................. 38-7
38.4 OSPFV3 TROUBLESHOOTING .................................................................................................38-10
CHAPTER 39 BGP ..................................................................................................................... 39-1
39.1 INTRODUCTION TO BGP .......................................................................................................... 39-1
39.2 BGP CONFIGURATION TASK LIST ............................................................................................. 39-4
39.3 CONFIGURATION EXAMPLES OF BGP .......................................................................................39-15
39.3.1 Example 1: configure BGP neighbor ...........................................................................39-15
39.3.2 Example 2: configure BGP aggregation .......................................................................39-16
39.3.3 Example 3: configure BGP community attributes ..........................................................39-16
39.3.4 Example 4: configure BGP confederation ....................................................................39-17
39.3.5 Example 5: configure BGP route reflector ....................................................................39-19
39.3.6 Example 6: configure MED of BGP .............................................................................39-20
39.3.7 Example 7: example of BGP VPN ...............................................................................39-22
39.4 BGP TROUBLESHOOTING ......................................................................................................39-26
CHAPTER 40 MBGP4+ ............................................................................................................. 40-1
40.1 INTRODUCTION TO MBGP4+ ................................................................................................... 40-1
40.2 MBGP4+ CONFIGURATION TASK LIST ...................................................................................... 40-1
40.3 MBGP4+ EXAMPLES ............................................................................................................. 40-2
40.4 MBGP4+ TROUBLESHOOTING ................................................................................................. 40-4
CHAPTER 41 BLACK HOLE ROUTING MANUAL ............................................................. 41-1
41.1 INTRODUCTION TO BLACK HOLE ROUTING ................................................................................. 41-1
41.2 IPV4 BLACK HOLE ROUTING CONFIGURATION TASK ................................................................... 41-1
41.3 IPV6 BLACK HOLE ROUTING CONFIGURATION TASK ................................................................... 41-1
41.4 BLACK HOLE ROUTING CONFIGURATION EXAMPLES ................................................................... 41-1
41.5 BLACK HOLE ROUTING TROUBLESHOOTING .............................................................................. 41-3
CHAPTER 42 ECMP CONFIGURATION................................................................................ 42-1
42.1 INTRODUCTION TO ECMP ....................................................................................................... 42-1
42.2 ECMP CONFIGURATION TASK LIST .......................................................................................... 42-1
42.3 ECMP TYPICAL EXAMPLE ...................................................................................................... 42-2
42.3.1 Static Route Implements ECMP................................................................................... 42-2
42.3.2 OSPF Implements ECMP ........................................................................................... 42-3
CHAPTER 43 IPV4 MULTICAST PROTOCOL ..................................................................... 43-1
43.1 IPV4 MULTICAST PROTOCOL OVERVIEW .................................................................................... 43-1
43.1.1 Introduction to Multicast .............................................................................................. 43-1
43.1.2 Multicast Address ....................................................................................................... 43-1
43.1.3 IP Multicast Packet Transmission ................................................................................ 43-3
43.1.4 IP Multicast Application ............................................................................................... 43-3
43.2 PIM-DM .............................................................................................................................. 43-3
43.2.1 Introduction to PIM-DM ............................................................................................... 43-3
43.2.2 PIM-DM Configuration Task List .................................................................................. 43-5
43.2.3 PIM-DM Configuration Examples ................................................................................. 43-7
43.2.4 PIM-DM Troubleshooting ............................................................................................ 43-8
43.3 PIM-SM ............................................................................................................................... 43-8
43.3.1 Introduction to PIM-SM ............................................................................................... 43-8
43.3.2 PIM-SM Configuration Task List................................................................................... 43-9
43.3.3 PIM-SM Configuration Examples ................................................................................43-13
43.3.4 PIM-SM Troubleshooting ...........................................................................................43-14
43.4 MSDP CONFIGURATION.........................................................................................................43-15
43.4.1 Introduction to MSDP ................................................................................................43-15
43.4.2 Brief Introduction to MSDP Configuration Tasks ...........................................................43-16
43.4.3 Configuration of MSDP Basic Function .......................................................................43-16
43.4.4 Configuration of MSDP Entities ..................................................................................43-17
43.4.5 Configuration of Delivery of MSDP Packet ..................................................................43-18
43.4.6 Configuration of Parameters of SA-cache ...................................................................43-19
43.4.7 MSDP Configuration Examples ..................................................................................43-19
43.4.8 MSDP Troubleshooting ..............................................................................................43-24
43.5 ANYCAST RP CONFIGURATION .............................................................................................43-25
43.5.1 Introduction to ANYCAST RP .....................................................................................43-25
43.5.2 ANYCAST RP Configuration Task ...............................................................................43-25
43.5.3 ANYCAST RP Configuration Examples .......................................................................43-27
43.5.4 ANYCAST RP Troubleshooting ...................................................................................43-29
43.6 PIM-SSM ...........................................................................................................................43-30
43.6.1 Introduction to PIM-SSM ............................................................................................43-30
43.6.2 PIM-SSM Configuration Task List ...............................................................................43-30
43.6.3 PIM-SSM Configuration Examples ..............................................................................43-30
43.6.4 PIM-SSM Troubleshooting .........................................................................................43-32
43.7 DVMRP ..............................................................................................................................43-33
43.7.1 Introduction to DVMRP ..............................................................................................43-33
43.7.2 DVMRP Configuration Task List ..................................................................................43-34
43.7.3 DVMRP Configuration Examples ................................................................................43-37
43.7.4 DVMRP Troubleshooting ............................................................................................43-37
43.8 DCSCM .............................................................................................................................43-38
43.8.1 Introduction to DCSCM ..............................................................................................43-38
43.8.2 DCSCM Configuration Task List .................................................................................43-39
43.8.3 DCSCM Configuration Examples ................................................................................43-41
43.8.4 DCSCM Troubleshooting ...........................................................................................43-42
43.9 IGMP .................................................................................................................................43-42
43.9.1 Introduction to IGMP ..................................................................................................43-42
43.9.2 IGMP Configuration Task List .....................................................................................43-44
43.9.3 IGMP Configuration Examples ...................................................................................43-46
43.9.4 IGMP Troubleshooting ...............................................................................................43-47
43.10 IGMP SNOOPING ................................................................................................................43-47
43.10.1 Introduction to IGMP Snooping .................................................................................43-47
43.10.2 IGMP Snooping Configuration Task List ....................................................................43-47
43.10.3 IGMP Snooping Examples .......................................................................................43-50
43.10.4 IGMP Snooping Troubleshooting ..............................................................................43-52
43.11 IGMP PROXY CONFIGURATION .............................................................................................43-52
43.11.1 Introduction to IGMP Proxy .......................................................................................43-52
43.11.2 IGMP Proxy Configuration Task List ..........................................................................43-53
43.11.3 IGMP Proxy Examples .............................................................................................43-54
43.11.4 IGMP Proxy Troubleshooting ....................................................................................43-57
CHAPTER 44 IPV6 MULTICAST PROTOCOL ..................................................................... 44-1
44.1 PIM-DM6 ............................................................................................................................. 44-1
44.1.1 Introduction to PIM-DM6 ............................................................................................. 44-1
44.1.2 PIM-DM6 Configuration Task List ................................................................................ 44-2
44.1.3 PIM-DM6 Typical Application ....................................................................................... 44-4
44.1.4 PIM-DM6 Troubleshooting .......................................................................................... 44-5
44.2 PIM-SM6 ............................................................................................................................. 44-5
44.2.1 Introduction to PIM-SM6 ............................................................................................. 44-5
44.2.2 PIM-SM6 Configuration Task List ................................................................................. 44-7
44.2.3 PIM-SM6 Typical Application ......................................................................................44-10
44.2.4 PIM-SM6 Troubleshooting ..........................................................................................44-12
44.3 ANYCAST RP V6 CONFIGURATION ........................................................................................44-12
44.3.1 Introduction to ANYCAST RP v6 .................................................................................44-12
44.3.2 ANYCAST RP v6 Configuration Task ..........................................................................44-12
44.3.3 ANYCAST RP v6 Configuration Examples ..................................................................44-15
44.3.4 ANYCAST RP v6 Troubleshooting ..............................................................................44-16
44.4 PIM-SSM6 ..........................................................................................................................44-16
44.4.1 Introduction to PIM-SSM6 ..........................................................................................44-16
44.4.2 PIM-SSM6 Configuration Task List .............................................................................44-17
44.4.3 PIM-SSM6 Configuration Example .............................................................................44-17
44.4.4 PIM-SSM6 Troubleshooting .......................................................................................44-19
44.5 IPV6 DCSCM ......................................................................................................................44-19
44.5.1 Introduction to IPv6 DCSCM ......................................................................................44-19
44.5.2 IPv6 DCSCM Configuration Task Sequence ................................................................44-20
44.5.3 IPv6 DCSCM Typical Examples ..................................................................................44-23
44.5.4 IPv6 DCSCM Troubleshooting ....................................................................................44-24
44.6 MLD ..................................................................................................................................44-24
44.6.1 Introduction to MLD ...................................................................................................44-24
44.6.2 MLD Configuration Task List.......................................................................................44-24
44.6.3 MLD Typical Application .............................................................................................44-26
44.6.4 MLD Troubleshooting Help .........................................................................................44-27
44.7 MLD SNOOPING ...................................................................................................................44-27
44.7.1 Introduction to MLD Snooping ....................................................................................44-27
44.7.2 MLD Snooping Configuration Task ..............................................................................44-29
44.7.3 MLD Snooping Examples ...........................................................................................44-30
44.7.4 MLD Snooping Troubleshooting .................................................................................44-32
CHAPTER 45 MULTICAST VLAN ......................................................................................... 45-33
45.1 INTRODUCTION TO MULTICAST VLAN .....................................................................................45-33
45.2 MULTICAST VLAN CONFIGURATION TASK LIST .........................................................................45-33
45.3 MULTICAST VLAN EXAMPLES ................................................................................................45-34
CHAPTER 46 ACL CONFIGURATION ................................................................................... 46-1
46.1 INTRODUCTION TO ACL .......................................................................................................... 46-1
46.1.1 Access-list ................................................................................................................. 46-1
46.1.2 Access-group ............................................................................................................. 46-1
46.1.3 Access-list Action and Global Default Action ................................................................. 46-1
46.2 ACL CONFIGURATION TASK LIST ............................................................................................. 46-2
46.3 ACL EXAMPLE.....................................................................................................................46-16
46.4 ACL TROUBLESHOOTING .......................................................................................................46-20
CHAPTER 47 802.1X CONFIGURATION .............................................................................. 47-1
47.1 INTRODUCTION TO 802.1X ....................................................................................................... 47-1
47.1.1 The Authentication Structure of 802.1x ......................................................................... 47-1
47.1.2 The Work Mechanism of 802.1x .................................................................................. 47-3
47.1.3 The Encapsulation of EAPOL Messages ...................................................................... 47-3
47.1.4 The Encapsulation of EAP Attributes ............................................................................ 47-5
47.1.5 Web Authentication Proxy based on 802.1x ................................................................. 47-5
47.1.6 The Authentication Methods of 802.1x ......................................................................... 47-6
47.1.7 The Extension and Optimization of 802.1x .................................................................. 47-11
47.1.8 The Features of VLAN Allocation ................................................................................47-12
47.2 802.1X CONFIGURATION TASK LIST .........................................................................................47-13
47.3 802.1X APPLICATION EXAMPLE ..............................................................................................47-16
47.3.1 Examples of Guest Vlan Applications ..........................................................................47-16
47.3.2 Examples of IPv4 Radius Applications ........................................................................47-18
47.3.3 Examples of IPv6 Radius Application ..........................................................................47-19
47.3.4 802.1x Web Proxy Authentication Sample Application ..................................................47-20
47.4 802.1X TROUBLESHOOTING ...................................................................................................47-21
CHAPTER 48 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION ...................................................................................................................... 48-1
48.1 INTRODUCTION TO THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP .................. 48-1
48.2 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION TASK SEQUENCE .................................................................................................................................................. 48-2
48.3 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP TYPICAL EXAMPLES ............... 48-4
48.4 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP TROUBLESHOOTING HELP ....... 48-5
CHAPTER 49 OPERATIONAL CONFIGURATION OF AM FUNCTION ........................... 49-1
49.1 INTRODUCTION TO AM FUNCTION ............................................................................................. 49-1
49.2 AM FUNCTION CONFIGURATION TASK LIST ................................................................................ 49-1
49.3 AM FUNCTION EXAMPLE......................................................................................................... 49-2
49.4 AM FUNCTION TROUBLESHOOTING .......................................................................................... 49-3
CHAPTER 50 SECURITY FEATURE CONFIGURATION ................................................... 50-1
50.1 INTRODUCTION TO SECURITY FEATURE ..................................................................................... 50-1
50.2 SECURITY FEATURE CONFIGURATION........................................................................................ 50-1
50.2.1 Prevent IP Spoofing Function Configuration Task Sequence .......................................... 50-1
50.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence ............ 50-1
50.2.3 Anti Port Cheat Function Configuration Task Sequence ................................................. 50-2
50.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence ........................... 50-2
50.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence ......................... 50-2
50.3 SECURITY FEATURE EXAMPLE ................................................................................................. 50-3
CHAPTER 51 TACACS+ CONFIGURATION ........................................................................ 51-1
51.1 INTRODUCTION TO TACACS+ ................................................................................................. 51-1
51.2 TACACS+ CONFIGURATION TASK LIST .................................................................................... 51-1
51.3 TACACS+ SCENARIOS TYPICAL EXAMPLES.............................................................................. 51-2
51.4 TACACS+ TROUBLESHOOTING ............................................................................................... 51-3
CHAPTER 52 RADIUS CONFIGURATION............................................................................ 52-1
52.1 INTRODUCTION TO RADIUS .................................................................................................... 52-1
52.1.1 AAA and RADIUS Introduction .................................................................................... 52-1
52.1.2 Message structure for RADIUS ................................................................................... 52-1
52.2 RADIUS CONFIGURATION TASK LIST ....................................................................................... 52-2
52.3 RADIUS TYPICAL EXAMPLES ................................................................................................. 52-5
52.3.1 IPv4 Radius Example ................................................................................................. 52-5
52.3.2 IPv6 Radius Example .................................................................................................. 52-6
52.4 RADIUS TROUBLESHOOTING .................................................................................................. 52-6
CHAPTER 53 SSL CONFIGURATION ................................................................................... 53-1
53.1 INTRODUCTION TO SSL .......................................................................................................... 53-1
53.1.1 Basic Element of SSL ................................................................................................. 53-1
53.2 SSL CONFIGURATION TASK LIST.............................................................................................. 53-2
53.3 SSL TYPICAL EXAMPLE.......................................................................................................... 53-3
53.4 SSL TROUBLESHOOTING ........................................................................................................ 53-4
CHAPTER 54 IPV6 SECURITY RA CONFIGURATION ...................................................... 54-1
54.1 INTRODUCTION TO IPV6 SECURITY RA ...................................................................................... 54-1
54.2 IPV6 SECURITY RA CONFIGURATION TASK SEQUENCE ................................................................ 54-1
54.3 IPV6 SECURITY RA TYPICAL EXAMPLES ................................................................................... 54-2
54.4 IPV6 SECURITY RA TROUBLESHOOTING HELP ........................................................................... 54-2
CHAPTER 55 VLAN-ACL CONFIGURATION....................................................................... 55-1
55.1 INTRODUCTION TO VLAN-ACL ................................................................................................ 55-1
55.2 VLAN-ACL CONFIGURATION TASK LIST ................................................................................... 55-1
55.3 VLAN-ACL CONFIGURATION EXAMPLE .................................................................................... 55-3
55.4 VLAN-ACL TROUBLESHOOTING ............................................................................................. 55-4
55.5 INTRODUCTION TO MIRROR ..................................................................................................... 55-4
55.6 MIRROR CONFIGURATION TASK LIST ......................................................................................... 55-5
55.7 MIRROR EXAMPLES ............................................................................................................... 55-6
55.8 DEVICE MIRROR TROUBLESHOOTING ........................................................................................ 55-6
CHAPTER 56 RSPAN CONFIGURATION ............................................................................. 56-1
56.1 INTRODUCTION TO RSPAN ..................................................................................................... 56-1
56.2 RSPAN CONFIGURATION TASK LIST......................................................................................... 56-2
56.3 TYPICAL EXAMPLES OF RSPAN .............................................................................................. 56-4
56.4 RSPAN TROUBLESHOOTING ................................................................................................... 56-6
CHAPTER 57 SFLOW CONFIGURATION............................................................................. 57-1
57.1 INTRODUCTION TO SFLOW ....................................................................................................... 57-1
57.2 SFLOW CONFIGURATION TASK LIST .......................................................................................... 57-1
57.3 SFLOW EXAMPLES ................................................................................................................. 57-3
57.4 SFLOW TROUBLESHOOTING .................................................................................................... 57-3
CHAPTER 58 VRRP CONFIGURATION ................................................................................ 58-1
58.1 INTRODUCTION TO VRRP ........................................................................................................ 58-1
58.2 VRRP CONFIGURATION TASK LIST ........................................................................................... 58-2
58.3 VRRP TYPICAL EXAMPLES ..................................................................................................... 58-3
58.4 VRRP TROUBLESHOOTING ..................................................................................................... 58-4
CHAPTER 59 IPV6 VRRPV3 CONFIGURATION ................................................................. 59-1
59.1 INTRODUCTION TO VRRPV3 .................................................................................................... 59-1
59.1.1 The Format of VRRPv3 Message ................................................................................ 59-2
59.1.2 VRRPv3 Working Mechanism ..................................................................................... 59-3
59.2 VRRPV3 CONFIGURATION ...................................................................................................... 59-4
59.2.1 Configuration Task Sequence ...................................................................................... 59-4
59.3 VRRPV3 TYPICAL EXAMPLES ................................................................................................. 59-5
59.4 VRRPV3 TROUBLESHOOTING ................................................................................................. 59-6
CHAPTER 60 MRPP CONFIGURATION................................................................................ 60-1
60.1 INTRODUCTION TO MRPP ....................................................................................................... 60-1
60.1.1 Conception Introduction .............................................................................................. 60-1
60.1.2 MRPP Protocol Packet Types ...................................................................................... 60-2
60.1.3 MRPP Protocol Operation System ............................................................................... 60-3
60.2 MRPP CONFIGURATION TASK LIST .......................................................................................... 60-3
60.3 MRPP TYPICAL SCENARIO ..................................................................................................... 60-5
60.4 MRPP TROUBLESHOOTING ..................................................................................................... 60-7
CHAPTER 61 ULPP CONFIGURATION ................................................................................ 61-1
61.1 INTRODUCTION TO ULPP ........................................................................................................ 61-1
61.2 ULPP CONFIGURATION TASK LIST ........................................................................................... 61-2
61.3 ULPP TYPICAL EXAMPLES ..................................................................................................... 61-4
61.3.1 ULPP Typical Example 1 .............................................................................................. 61-4
61.3.2 ULPP Typical Example 2 .............................................................................................. 61-6
61.4 ULPP TROUBLESHOOTING ...................................................................................................... 61-7
CHAPTER 62 ULSM CONFIGURATION................................................................................ 62-1
62.1 INTRODUCTION TO ULSM ....................................................................................................... 62-1
62.2 ULSM CONFIGURATION TASK LIST........................................................................................... 62-2
62.3 ULSM TYPICAL EXAMPLE....................................................................................................... 62-2
62.4 ULSM TROUBLESHOOTING ..................................................................................................... 62-4
CHAPTER 63 SNTP CONFIGURATION ................................................................................ 63-1
63.1 INTRODUCTION TO SNTP ........................................................................................................ 63-1
63.2 TYPICAL EXAMPLES OF SNTP CONFIGURATION ......................................................................... 63-2
CHAPTER 64 NTP FUNCTION CONFIGURATION ............................................................. 64-1
64.1 INTRODUCTION TO NTP FUNCTION ........................................................................................... 64-1
64.2 NTP FUNCTION CONFIGURATION TASK LIST .............................................................................. 64-1
64.3 TYPICAL EXAMPLES OF NTP FUNCTION .................................................................................... 64-3
64.4 NTP FUNCTION TROUBLESHOOTING ......................................................................................... 64-4
CHAPTER 65 DNSV4/V6 CONFIGURATION........................................................................ 65-1
65.1 INTRODUCTION TO DNS .......................................................................................................... 65-1
65.2 DNSV4/V6 CONFIGURATION TASK LIST ..................................................................................... 65-2
65.3 TYPICAL EXAMPLES OF DNS ................................................................................................... 65-4
65.4 DNS TROUBLESHOOTING ....................................................................................................... 65-5
CHAPTER 66 MONITOR AND DEBUG.................................................................................. 66-1
66.1 PING .................................................................................................................................... 66-1
66.2 PING6 .................................................................................................................................. 66-1
66.3 TRACEROUTE........................................................................................................................ 66-1
66.4 TRACEROUTE6 ...................................................................................................................... 66-1
66.5 SHOW .................................................................................................................................. 66-2
66.6 DEBUG ................................................................................................................................. 66-2
66.7 SYSTEM LOG......................................................................................................................... 66-3
66.7.1 System Log Introduction ............................................................................................. 66-3
66.7.2 System Log Configuration ........................................................................................... 66-5
66.7.3 System Log Configuration Example ............................................................................. 66-6
CHAPTER 67 RELOAD SWITCH AFTER SPECIFIED TIME............................................. 67-1
67.1 INTRODUCTION TO RELOAD SWITCH AFTER SPECIFIED TIME ............................................................ 67-1
67.2 RELOAD SWITCH AFTER SPECIFIED TIME TASK LIST...................................................................... 67-1
CHAPTER 68 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT
BY CPU......................................................................................................................................... 68-1
68.1 INTRODUCTION TO DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU ........... 68-1
68.2 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU TASK LIST ...................... 68-1
CHAPTER 69 SWITCH OPERATION ..................................................................................... 69-1
69.1 ADDRESS TABLE ................................................................................................................... 69-1
69.2 LEARNING ............................................................................................................................ 69-1
69.3 FORWARDING & FILTERING ...................................................................................................... 69-1
69.4 STORE-AND-FORWARD ........................................................................................................... 69-1
69.5 AUTO-NEGOTIATION ............................................................................................................... 69-2
CHAPTER 70 TROUBLESHOOTING .................................................................................... 70-1
CHAPTER 71 APPENDIX A .................................................................................................... 71-1
71.1 A.1 SWITCH'S RJ-45 PIN ASSIGNMENTS ................................................................................... 71-1
71.2 A.2 10/100MBPS, 10/100BASE-TX ......................................................................................... 71-1
CHAPTER 72 GLOSSARY ....................................................................................................... 72-1
Chapter 1 INTRODUCTION of XGS3-42000R
1.1 Packet Contents
Thank you for purchasing the XGS3-42000R, a 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch. The term "Chassis Switch" refers to the XGS3-42000R named on the cover page of this User's Manual.
Open the box of the Chassis Switch and carefully unpack it. The box should contain the following items. Check the contents of your package for the following parts:
• XGS3-42000R Chassis Switch X1
• User's Manual X1
• Quick Installation Guide X1
• RJ-45-to-DB9 Console Cable X1
• USB-to-DB9 Console Cable X1
• UTP Straight Network Cable X1
• Power Cord X1
• Ground Cable X1
• Two Rack-mounting Brackets with Attachment Screws X1
The XGS3-42000R supports various types of Ethernet module and can seamlessly support network interfaces from 100Mbps and 1000Mbps up to 10Gbps Ethernet. The Ethernet module should carry one of the following model names:
Model Name    Product Description
XGS3-M24GX    XGS3-42000R Management Module with 24-Port 10/100/1000Mbps (12-Port Combo) + 1-Port 10G XFP
XGS3-M44G     XGS3-42000R Management Module with 44-Port 10/100/1000Mbps
XGS3-S24G     XGS3-42000R Standard Ethernet Module with 24-Port 10/100/1000Mbps (12-Port Combo)
XGS3-S48G     XGS3-42000R Standard Ethernet Module with 48-Port 10/100/1000Mbps
XGS3-S48GF    XGS3-42000R Standard Ethernet Module with 48-Port Gigabit SFP interfaces
XGS3-S4XG     XGS3-42000R Standard Ethernet Module with 4-Port 10G XFP interfaces
The term "Management Module" refers to the XGS3-M24GX and XGS3-M44G named on the cover page of this User's Manual. The term "Standard Ethernet Module" refers to the XGS3-S24G, XGS3-S48G, XGS3-S48GF and XGS3-S4XG named on the cover page of this User's Manual.
Open the box of the Management / Standard Ethernet Module and carefully unpack it. The box should contain the following items. Check the contents of your package for the following parts:
• Management Module / Standard Ethernet Module X1
• Quick Installation Guide X1
If any of these are missing or damaged, please contact your dealer immediately. If possible, retain the carton including the original packing material, and use them to repack the product in case it needs to be returned to us for repair.
1.2 Product Description
Overview
Extremely Flexible, Scalable and Resilient Chassis-Based Switch
The PLANET XGS3-42000R Core-Layer Routing Switch is specially designed for large network applications such as Enterprise, Campus, Community, ISP or Data Center networks where flexible configuration, large capacity, high density, high reliability and advanced traffic management are required.
The XGS3-42000R is a high-density chassis-based Routing Switch built with 4 module slots and redundant power supply. It provides great port flexibility for network deployment by offering various combinable management modules and standard interfaces. With 10-Gigabit Ethernet technology applied, the XGS3-42000R provides broad bandwidth and powerful processing capacity. The Chassis Switch supports wire-speed L2/L3 forwarding and high routing performance for IPv4 and IPv6 protocols. The scalable and flexible modular architecture supports up to 376Gbps forwarding performance in a single system. Within the 6U height of a single chassis, the maximum configuration can be:
• 188-Port 10/100/1000Base-T Copper
• 156-Port 1000Base-SX/LX SFP Fiber Slots
• 13-Port 10G XFP Fiber Slots
IPv6 Routing and 10G Ethernet Switch Solutions for the Next Generation Internet Protocol
IPv6 (Internet Protocol version 6) is well known as the next generation Internet Protocol that solves the shortage of available IPv4 addresses. IPv6 provides a larger address space than IPv4 for rapidly growing networks. To provide a smooth migration path from IPv4 to IPv6 for future network upgrades, PLANET releases the multi-layer IPv6/IPv4 Gigabit Ethernet Routing Switch, XGS3-42000R, to satisfy the bandwidth requirements and protect the network investment of enterprises. The XGS3-42000R is implemented with the following advanced technologies:
• IPv6 / IPv4 Routing and Management
• 10G Ethernet Switching
• Single IP Address Management
• Redundant Power System
Positioned as the distribution or aggregation layer switch of large networks, the XGS3-42000R supports IP Stacking technology, which manages and configures up to 36 units via one single IP address. It serves campus networks and metropolitan IP networks by offering intelligent security features, high performance and flexibility. The XGS3-42000R can also be an excellent choice as a core layer switch for enterprises, data centers or small and medium-sized networks.
Supports 10Gb Ethernet
10Gb Ethernet, which adopts full-duplex technology instead of the low-speed, half-duplex CSMA/CD protocol, is a big leap in the evolution of Ethernet. 10Gb Ethernet can be deployed in star or ring topologies. With 10Gb Ethernet technology applied, the XGS3-42000R provides broad bandwidth and powerful processing capacity. It is suitable for metropolitan networks and wide area networks. Using the XGS3-42000R, users can simplify network structures and reduce the cost of network construction.
1.3 Product Features
Hardware and Performance
• 4 open module slots design:
  − 2 Management Modules with 2 Standard Ethernet Modules
  − 1 Management Module with 3 Standard Ethernet Modules
• Up to 188-Port Gigabit copper / 156-Port Gigabit SFP / 13-Port 10G XFP
• Hot-Swappable switching modules
• Non-Blocking wire-speed Layer 2 and Layer 3 switching
• 1 RJ-45 serial console interface on Management Module for Chassis Switch basic management and setup
Redundant Power System
• 100~240V AC Dual power redundant
  − 1 default AC power supply
  − 1 additional open slot for optional power supply
• Active-active redundant power failure protection
• Backup of catastrophic power failure on one supply
IP Stacking
• IP stacking technology, connect with stack member via any Gigabit or 10G interface
• Single IP address management, supports up to 36 units stacking together
IP Routing Features
• IP Routing protocol supports RIP v1/v2, OSPFv2, BGP4
• Routing interface provides VLAN routing mode
• Policy-based Routing (PBR) for IPv4 and IPv6
• VRRP protocol for redundant routing deployment
• Supports route redistribution
Multicast Routing Features
• Supports Multicast Routing Protocols:
  − PIM-DM (Protocol Independent Multicast - Dense Mode)
  − PIM-SM (Protocol Independent Multicast - Sparse Mode)
  − PIM-SSM (Protocol Independent Multicast - Source-Specific Multicast Mode)
  − DVMRP (Distance Vector Multicast Routing Protocol)
• Supports IGMP v1/v2/v3
Layer 2 Features
• Supports Auto-negotiation, Auto-MDI/MDI-X and Half-Duplex / Full-Duplex modes for all 1000Base-T ports
• Prevents packet loss with back pressure (Half-Duplex) and IEEE 802.3x PAUSE frame flow control (Full-Duplex)
• Supports VLAN
  − IEEE 802.1Q Tagged VLAN
  − Up to 4K VLAN groups, out of 4041 VLAN IDs
  − Provider Bridging (VLAN Q-in-Q) support (IEEE 802.1ad)
  − GVRP protocol for VLAN Management
  − Private VLAN Edge (PVE)
• Supports Spanning Tree Protocol
  − STP, IEEE 802.1d (Spanning Tree Protocol)
  − RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol)
  − MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN)
• Supports Link Aggregation
  − 802.3ad Link Aggregation Control Protocol (LACP)
  − Cisco ether-channel (Static Trunk)
  − Maximum 6 trunk groups per module, up to 8 ports per trunk group
  − Up to 16Gbps bandwidth (Duplex Mode)
• Provides Port Mirror (many-to-1)
• Port Mirroring to monitor the incoming or outgoing traffic on a particular port
Quality of Service
• 8 priority queues on all switch ports
• Supports strict priority and Weighted Round Robin (WRR) CoS policies
• Ingress Shaper and Egress Rate Limit per port bandwidth control
• Traffic-policing policies based on application
Multicast
• Supports IGMP Snooping v1, v2 and v3
• Querier mode support
Security
• IEEE 802.1x Port-Based network access authentication
• MAC-Based network access authentication
• IP-Based Access Control List (ACL)
• MAC-Based Access Control List
• Static MAC
Management
• IPv4 / IPv6 Switch Management Interfaces
  − Console / Telnet Command Line Interface
  − Web switch management
  − SNMP v1, v2c, and v3 switch management
  − SSH (Secure Shell) / SSL secure access
• Four RMON groups (history, statistics, alarms, and events)
• IPv6 IP Address / NTP / DNS management
• Built-in Trivial File Transfer Protocol (TFTP) client
• BOOTP and DHCP for IP address assignment
• DHCP / BootP relay and Relay Option 82
• DHCP Server
• DNS-Proxy
• Firmware upload/download via FTP / TFTP
• SNTP (Simple Network Time Protocol)
• LLDP (Link Layer Discovery Protocol)
• User Privilege levels control
1.4 Product Specification
1.4.1 XGS3-42000R Specification
Product: XGS3-42000R
Chassis Slots
  Total Number of Slots: 4 (2 Management Modules + 2 Standard Ethernet Modules, or 1 Management Module + 3 Standard Ethernet Modules)
  Max. Management Module: 2
  Max. Standard Ethernet Module: 3
  Management Module Redundancy: Yes
  Number of Power Supply Bays: 2
  Number of FAN Trays: 1, hot-pluggable
Total Port Capacity
  Max. 10G XFP Slot: 13
  Max. 10/100/1000Base-T: 188
  Max. 1000Base-SX/LX SFP Slot: 156
Modules
  XGS3-M24GX: Management module / 24 10/100/1000Base-T with 12 Shared SFP + 1 10G XFP Slot
  XGS3-M44G: Management module / 44 10/100/1000Base-T
  XGS3-S24G: Standard Ethernet module / 24 10/100/1000Base-T with 12 Shared SFP slots
  XGS3-S48G: Standard Ethernet module / 48 10/100/1000Base-T
  XGS3-S48GF: Standard Ethernet module / 48 1000Base-SX/LX SFP slots
  XGS3-S4XG: Standard Ethernet module / 4 10GBase-SR/LR XFP slots
Performance
  Switch Processing Scheme: Store-and-Forward
  Backplane Bandwidth: 1.2Tbps
  Switching Capacity: 376Gbps
  Full-Mesh Switching Capacity: 160Gbps
  Forwarding Rate: 282Mpps@64Bytes, Line speed
  MAC Table: 64K
  VLAN Table: 4K
  ACL Table: 16K max.
  Routing Table: IPv4 Protocol: 128K max.; IPv6 Protocol: 64K max.
  Layer 3 Interface: 500
  Port Queues: 8
  Flow Control: IEEE 802.3x Pause Frame for Full-Duplex; Back pressure for Half-Duplex
  Jumbo Frame: 9Kbytes
Hardware Specification
  Dimension (W x D x H): 445mm x 421mm x 266mm
  Relative Humidity: 10%~90%, non-condensing
  Operating Temperature: 0°C~40°C
  Power Input: AC: Input 100~240V, 50~60 Hz
  Power Consumption: ≤400W
1.4.2 Management Module Specification
XGS3-42000R Management Module
Model Name | XGS3-M24GX | XGS3-M44G
Hardware Specification
  Copper Ports | 24 x 10/100/1000Base-T RJ-45 ports | 44 x 10/100/1000Base-T RJ-45 ports
  SFP/mini-GBIC Slots | 12 x 1000Base-SX/LX SFP slots | --
  XFP/mini-GBIC Slots | 1 x 10GBase-SR/LR XFP slot | --
  Switch Fabric | 68Gbps | 88Gbps
  Throughput | 50Mpps@64Bytes | 65Mpps@64Bytes
  LED | System: PWR, RUN, Master, FAN; Ports: 10/100/1000M LNK/ACT, 1000M LNK/ACT, 10G LNK/ACT | System: PWR, RUN, Master, FAN; Ports: 10/100/1000M LNK/ACT
  Dimension | 339 x 357 x 43mm (W x D x H)
IPv4 Layer 3 functions
  IP Routing Protocol: Static Route, RIP v1/v2, OSPFv2, BGP4; Policy-Based Routing (PBR); LPM Routing (MD5 authentication)
  Multicast Routing Protocol: IGMP v1/2/3, DVMRP, PIM-DM/SM, PIM-SSM
  Layer 3 Protocol: VRRP, ARP, ARP Proxy
  Routing Interface: Per VLAN
IPv6 Layer 3 functions
  IP Routing Protocol: RIPng, OSPFv3, BGP4+
  Multicast Routing Protocol: PIM-SM/DM for IPv6; MLD for IPv6 (v1); MLDv1/v2; MLD Snooping; 6to4 Tunnels; Multicast receive control; Illegal multicast source detect
  Layer 3 Protocol: Configured Tunnels, ISATAP, CIDR
Layer 2 function
  Port configuration: Port disable/enable; Auto-negotiation 10/100/1000Mbps full and half duplex mode selection; Bandwidth control on each port; Port Loopback detect
  VLAN: 802.1Q Tag-Based VLAN, up to 4K VLAN groups; Q-in-Q; GVRP; Private VLAN
  Spanning Tree Protocol: STP, IEEE 802.1d (Spanning Tree Protocol); RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol); MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN); Root Guard; BPDU Guard
  Link Aggregation: Static Trunk; IEEE 802.3ad LACP; Supports 8 groups of 8-Port trunk
  QoS: Traffic classification based on Strict priority and WRR; 8-level priority for switching, classified by Port Number, 802.1p priority, and DSCP/TOS field in IP Packet; Policy-based DiffServ
  Multicast: IGMP v1/v2/v3 Snooping; IGMP Proxy; IGMP Querier mode support; MLDv1/v2, MLD v1/v2 Snooping
  Access Control List: Supports Standard and Expanded ACL; IP-Based ACL / MAC-Based ACL; Time-Based ACL; ACL Pool can be used for QoS classification; Up to 1K entries
  Security: Supports MAC + port binding; IPv4 / IPv6 + MAC + port binding; IPv4 / IPv6 + port binding; Supports MAC filter; ARP Spoofing Prevention; ARP Scanning Prevention; IP Source Guard
  Authentication: IEEE 802.1x Port-Based network access control; AAA Authentication: IPv4 / IPv6 over RADIUS
  SNMP MIBs: RFC-1213 MIB-II; IF-MIB; RFC-1493 Bridge MIB; RFC-1643 Ethernet MIB; RFC-2863 Interface MIB; RFC-2665 Ether-Like MIB; RFC-2674 Extended Bridge MIB; RFC-2819 RMON MIB (Group 1, 2, 3 and 9); RFC-2737 Entity MIB; RFC-2618 RADIUS Client MIB; RFC-2933 IGMP-STD-MIB; RFC3411 SNMP-Frameworks-MIB; IEEE802.1X PAE; LLDP; MAU-MIB
Management Function
  System Configuration: Console, Telnet, SSH, Web Browser, SSL, SNMP v1, v2c and v3
  Management:
    − Supports IPv4 / IPv6 HTTP and SSL
    − Supports user IP security inspection for IPv4 / IPv6 SNMP
    − Supports MIB and TRAP
    − Supports IPv4 / IPv6 FTP / TFTP
    − Supports IPv4 / IPv6 NTP
    − Supports RMON groups 1, 2, 3 and 9
    − Supports RADIUS authentication of the IPv4 / IPv6 Telnet user name and password
    − Supports IPv4 / IPv6 SSH
    − User privilege configuration can be taken from the RADIUS server's shell management
    − Supports timed reset of the switch as needed
    − Supports CLI, Console (RS-232) and Telnet
    − Supports SNMP v1 / v2c / v3
    − Supports the Security IP management function, which blocks management login from addresses outside the permitted range
    − Supports TACACS+
Standards Conformance
  Regulation Compliance: FCC Part 15 Class A, CE
  Standards Compliance:
    IEEE 802.3 10Base-T
    IEEE 802.3u 100Base-TX
    IEEE 802.3z 1000Base-SX/LX
    IEEE 802.3ab Gigabit 1000T
    IEEE 802.3ae 10 Gigabit Ethernet
    IEEE 802.3x Flow Control and Back pressure
    IEEE 802.3ad Port trunk with LACP
    IEEE 802.1d Spanning tree protocol
    IEEE 802.1w Rapid spanning tree protocol
    IEEE 802.1s Multiple spanning tree protocol
    IEEE 802.1p Class of service
    IEEE 802.1Q VLAN Tagging
    IEEE 802.1x Port Authentication Network Control
    IEEE 802.1ab LLDP
1.4.3 Standard Ethernet Module Specification
XGS3-42000R Standard Ethernet Module
Model Name | XGS3-S24G | XGS3-S48G | XGS3-S48GF | XGS3-S4XG
Hardware Specification
  Copper Ports | 24 x 10/100/1000Base-T RJ-45 ports | 48 x 10/100/1000Base-T RJ-45 ports | -- | --
  SFP/mini-GBIC Slots | 12 x 1000Base-SX/LX SFP slots, shared with Port 13 to Port 24 | -- | 48 x 1000Base-SX/LX SFP slots | --
  XFP/mini-GBIC Slots | -- | -- | -- | 4 x 10GBase-SR/LR XFP slots
  Switch Fabric | 68Gbps | 96Gbps | 96Gbps | 40Gbps
  Throughput | 50Mpps@64Bytes | 71Mpps@64Bytes | 71Mpps@64Bytes | 59Mpps@64Bytes
  LED | System: PWR, RUN; Ports: 10/100/1000M LNK/ACT, 1000M LNK/ACT | System: PWR, RUN; Ports: 10/100/1000M LNK/ACT | System: PWR, RUN; Ports: 1000M LNK/ACT | System: PWR, RUN; Ports: 10G LNK/ACT
  Dimension | 339 x 357 x 43mm (W x D x H)
Standards Conformance
  Regulation Compliance: FCC Part 15 Class A, CE
  Standards Compliance | IEEE 802.3 10Base-T, IEEE 802.3u 100Base-TX, IEEE 802.3z Gigabit SX/LX, IEEE 802.3ab Gigabit 1000T | IEEE 802.3 10Base-T, IEEE 802.3u 100Base-TX, IEEE 802.3ab Gigabit 1000T | IEEE 802.3z Gigabit SX/LX | IEEE 802.3ae 10G Ethernet
Chapter 2 INSTALLATION
This section describes the hardware features and installation of the Chassis Switch on the desktop or in a rack mount. For easier management and control of the Chassis Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter display the unit LED indicators. Before connecting any network device to the Chassis Switch, please read this chapter completely.
2.1 Hardware Description
The Chassis Switch ships with a Power Supply Module only; no Management / Standard Ethernet Module is installed on shipment.
Slot 1 must be fitted with a Management Module before the switch is powered on; otherwise the Chassis Switch will not operate normally.
2.1.1 Chassis Switch Hardware Description
The unit front panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-1 shows the front panel of the Chassis Switch.
XGS3-42000R Front Panel
Figure 2-1-1 XGS3-42000R front panel
■ Power slots
Used for system power supply modules; supports up to two 400W AC modules (XGS3-PWR-AC).
■ Management slots
Slot 1 & 2 support management modules such as the XGS3-M24GX & XGS3-M44G.
■ Standard slots
Slot 2~4 support standard modules such as the XGS3-S4XG, XGS3-S24G, XGS3-S48G & XGS3-S48GF.
■ Fan tray slot
Supports one system fan assembly; each assembly consists of four axial fans.
The unit rear panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-2 shows the rear panel of the Chassis Switch.
XGS3-42000R Rear Panel
Figure 2-1-2 XGS3-42000R rear panel
■ Power Sockets
For compatibility with electric service in most areas of the world, the Chassis Switch's power supply automatically adjusts to line power in the range 100-240VAC and 50/60 Hz.
■ Dust gauze slot
Exterior air inlet for the ventilation subsystem.
2.1.2 Management Module Hardware Description
2.1.2.1 XGS3-M24GX
The unit front panel provides a simple interface for monitoring the XGS3-M24GX Management Module. Figure
2-1-3 shows the front panel of the Management Module.
Figure 2-1-3 XGS3-M24GX front panel
■ Gigabit TP interface
10/100/1000Base-T Copper, RJ-45 twisted-pair: up to 100 meters.
■ Gigabit SFP slots
1000Base-SX/LX mini-GBIC slot, SFP (Small Form Factor Pluggable) transceiver module: from 550 meters
(multi-mode fiber) up to 10/30/50/70/120 kilometers (single-mode fiber).
■ 10 Gigabit XFP slot
10GBase-SR/LR mini-GBIC slot, XFP (10 Gigabit Small Form Factor Pluggable) transceiver module:
from 300 meters (multi-mode fiber) up to 10 kilometers (single-mode fiber).
■ Console Port
The console port is an RJ-45 type, RS-232 male serial port connector. It is an interface for connecting a
terminal directly. Through the console port, the device provides rich diagnostic information, including IP address
setting, factory reset, port management, link status and system settings. Users can use the RS-232 cable
supplied in the package to connect to the console port on the device. After the connection is made, users
can run any terminal emulation program (HyperTerminal, ProComm Plus, Telix, Winterm and so on) to
enter the startup screen of the device.
Property | Specification
Connector | RJ-45 (receptacle)
Connector type | RS-232
Baud rate | 9600bps (default)
Supporting service | Connects to character terminals; connects to a PC serial port running a terminal emulator on the PC.
The front panel LEDs indicate the instant status of port links, data activity, system operation, system power,
master role and system fan, and help monitor and troubleshoot when needed. Figure 2-1-4 shows the front panel of
the Management Module.
Figure 2-1-4 XGS3-M24GX LED panel
■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Management Module has power.
PWR | Off | Indicates that the Management Module is powered off.
RUN | Green, blinking slowly | Indicates that the Management Module is running in normal status.
RUN | Green, blinking fast | Indicates that the system is loading (Management Module booting after hot plug-in).
RUN | Off | Running status is failure.
Master | Green | Management Module operates in master mode.
Master | Off | Management Module operates in slave mode.
FAN | Green | Fan works normally.
FAN | Red | Fan works abnormally.
FAN | Off | Fan is not present.
■ 10/100/1000Base-T interfaces
LED | Color | Function
LNK/ACT | Green | Indicates that the link through that port is successfully established at 10/100/1000Mbps.
LNK/ACT | Yellow | Indicates that the Management Module is actively sending or receiving data over that port.
LNK/ACT | Off | No data goes through the port.
■ SFP interfaces
LED | Color | Function
LNK | Green | Indicates that the link through that port is successfully established at 1000Mbps.
LNK | Off | No data goes through the port.
ACT | Green | Blinks to indicate that the Management Module is actively sending or receiving data over that port.
■ XFP interface
LED | Color | Function
LNK | Green | Indicates that the link through that port is successfully established at 10Gbps.
LNK | Off | No data goes through the port.
ACT | Green | Blinks to indicate that the Management Module is actively sending or receiving data over that port.
2.1.2.2 XGS3-M44G
The unit front panel provides a simple interface for monitoring the XGS3-M44G Management Module. Figure
2-1-5 shows the front panel of the Management Module.
Figure 2-1-5 XGS3-M44G front panel
■ Gigabit TP interface
10/100/1000Base-T Copper, RJ-45 twisted-pair: up to 100 meters.
■ Console Port
The console port is an RJ-45 type, RS-232 male serial port connector. It is an interface for connecting a
terminal directly. Through the console port, the device provides rich diagnostic information, including IP address
setting, factory reset, port management, link status and system settings. Users can use the RS-232 cable
supplied in the package to connect to the console port on the device. After the connection is made, users
can run any terminal emulation program (HyperTerminal, ProComm Plus, Telix, Winterm and so on) to
enter the startup screen of the device.
Property | Specification
Connector | RJ-45 (receptacle)
Connector type | RS-232
Baud rate | 9600bps (default)
Supporting service | Connects to character terminals; connects to a PC serial port running a terminal emulator on the PC.
The front panel LEDs indicate the instant status of port links, data activity, system operation, system power,
master role and system fan, and help monitor and troubleshoot when needed. Figure 2-1-6 shows the front panel of
the Management Module.
Figure 2-1-6 XGS3-M44G LED panel
■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Management Module has power.
PWR | Off | Indicates that the Management Module is powered off.
RUN | Green, blinking slowly | Indicates that the Management Module is running in normal status.
RUN | Green, blinking fast | Indicates that the system is loading (Management Module booting after hot plug-in).
RUN | Off | Running status is failure.
Master | Green | Management Module operates in master mode.
Master | Off | Management Module operates in slave mode.
FAN | Green | Fan works normally.
FAN | Red | Fan works abnormally.
FAN | Off | Fan is not present.
■ 10/100/1000Base-T interfaces
LED | Color | Function
LNK/ACT | Green | Indicates that the link through that port is successfully established at 10/100/1000Mbps.
LNK/ACT | Yellow | Indicates that the Management Module is actively sending or receiving data over that port.
LNK/ACT | Off | No data goes through the port.
2.1.3 Standard Ethernet Module Hardware Description
2.1.3.1 XGS3-S24G
The unit front panel provides a simple interface for monitoring the XGS3-S24G Standard Ethernet Module. Figure
2-1-7 shows the front panel of the Standard Ethernet Module.
Figure 2-1-7 XGS3-S24G front panel
■ Gigabit TP interface
10/100/1000Base-T Copper, RJ-45 twisted-pair: up to 100 meters.
■ Gigabit SFP slots
1000Base-SX/LX mini-GBIC slot, SFP (Small Form Factor Pluggable) transceiver module: from 550 meters
(multi-mode fiber) up to 10/30/50/70/120 kilometers (single-mode fiber).
The front panel LEDs indicate the instant status of port links, data activity, system operation and system power,
and help monitor and troubleshoot when needed. Figure 2-1-8 shows the front panel of the Standard Ethernet
Module.
Figure 2-1-8 XGS3-S24G LED panel
■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Standard Ethernet Module has power.
PWR | Off | Indicates that the Standard Ethernet Module is powered off.
RUN | Green, blinking slowly | Indicates that the Standard Ethernet Module is running in normal status.
RUN | Green, blinking fast | Indicates that the system is loading (Standard Module booting after hot plug-in).
RUN | Yellow | Lights to indicate that the Standard Ethernet Module is shut down.
RUN | Red | Lights to indicate that the Standard Ethernet Module has failed.
RUN | Off | The Standard Ethernet Module is off and can be pulled out.
■ 10/100/1000Base-T interfaces
LED | Color | Function
LNK/ACT | Green | Indicates that the link through that port is successfully established at 10/100/1000Mbps.
LNK/ACT | Yellow | Indicates that the Standard Ethernet Module is actively sending or receiving data over that port.
LNK/ACT | Off | No data goes through the port.
■ SFP interfaces
LED | Color | Function
LNK | Green | Indicates that the link through that port is successfully established at 1000Mbps.
LNK | Off | No data goes through the port.
ACT | Green | Blinks to indicate that the Standard Ethernet Module is actively sending or receiving data over that port.
2.1.3.2 XGS3-S48G
The unit front panel provides a simple interface for monitoring the XGS3-S48G Standard Ethernet Module. Figure
2-1-9 shows the front panel of the Standard Ethernet Module.
Figure 2-1-9 XGS3-S48G front panel
■ Gigabit TP interface
10/100/1000Base-T Copper, RJ-45 twisted-pair: up to 100 meters.
The front panel LEDs indicate the instant status of port links and data activity, and help monitor and troubleshoot
when needed. Figure 2-1-10 shows the front panel of the Standard Ethernet Module.
Figure 2-1-10 XGS3-S48G LED panel
■ 10/100/1000Base-T interfaces
LED | Color | Function
LNK/ACT | Green | Indicates that the link through that port is successfully established at 10/100/1000Mbps.
LNK/ACT | Yellow | Indicates that the Standard Ethernet Module is actively sending or receiving data over that port.
LNK/ACT | Off | No data goes through the port.
2.1.3.3 XGS3-S48GF
The unit front panel provides a simple interface for monitoring the XGS3-S48GF Standard Ethernet Module.
Figure 2-1-11 shows the front panel of the Standard Ethernet Module.
Figure 2-1-11 XGS3-S48GF front panel
■ Gigabit SFP slots
1000Base-SX/LX mini-GBIC slot, SFP (Small Form Factor Pluggable) transceiver module: from 550 meters
(multi-mode fiber) up to 10/30/50/70/120 kilometers (single-mode fiber).
The front panel LEDs indicate the instant status of port links and data activity, and help monitor and troubleshoot
when needed. Figure 2-1-12 shows the front panel of the Standard Ethernet Module.
Figure 2-1-12 XGS3-S48GF LED panel
■ SFP interfaces
LED | Color | Function
LNK | Green | Indicates that the link through that port is successfully established at 1000Mbps.
LNK | Off | No data goes through the port.
ACT | Green | Blinks to indicate that the Standard Ethernet Module is actively sending or receiving data over that port.
2.1.3.4 XGS3-S4XG
The unit front panel provides a simple interface for monitoring the XGS3-S4XG Standard Ethernet Module.
Figure 2-1-13 shows the front panel of the Standard Ethernet Module.
Figure 2-1-13 XGS3-S4XG front panel
■ 10 Gigabit XFP slots
10GBase-SR/LR mini-GBIC slot, XFP (10 Gigabit Small Form Factor Pluggable) transceiver module:
from 300 meters (multi-mode fiber) up to 10 kilometers (single-mode fiber).
The front panel LEDs indicate the instant status of port links, data activity, system operation and system power,
and help monitor and troubleshoot when needed. Figure 2-1-14 shows the front panel of the Standard Ethernet
Module.
Figure 2-1-14 XGS3-S4XG LED panel
■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Standard Ethernet Module has power.
PWR | Off | Indicates that the Standard Ethernet Module is powered off.
RUN | Green, blinking slowly | Indicates that the Standard Ethernet Module is running in normal status.
RUN | Green, blinking fast | Indicates that the system is loading (Standard Module booting after hot plug-in).
RUN | Yellow | Lights to indicate that the Standard Ethernet Module is shut down.
RUN | Red | Lights to indicate that the Standard Ethernet Module has failed.
RUN | Off | The Standard Ethernet Module is off and can be pulled out.
2.1.4 AC Power Supply Module Hardware Description
The unit front panel provides a simple interface for monitoring the XGS3-PWR-AC AC Power Supply Module.
Figure 2-1-15 shows the front panel of the AC Power Supply Module.
Figure 2-1-15 XGS3-PWR-AC front panel
The front panel LEDs indicate the instant status of power fault and power good, and help monitor and troubleshoot when
needed. Figure 2-1-16 shows the front panel of the AC Power Supply Module.
Figure 2-1-16 XGS3-S4XG LED panel
■ Power
LED | Color | Function
Fault | Yellow | Lights to indicate an AC Power Supply failure.
Fault | Off | Indicates that the AC Power Supply Module is fine.
Output Good | Green | Lights to indicate that the AC Power Supply Module is powered on.
Output Good | Off | Indicates that the AC Power Supply Module is powered off.
2.2 Install the Chassis Switch
This section describes how to install your Chassis Switch and make connections to the Chassis Switch.
Please read the following topics and perform the procedures in the order presented. To install your
Chassis Switch on a desktop or shelf, simply complete the following steps.
During the installation, please take care to avoid impacts, which may damage the device.
Because the XGS3-42000R is heavy, please take care of the installer's safety. Please make sure the
hardware has been located on the rack properly. If the hardware drops, it can
injure someone. Please check the hardware again after the installation.
Maximum full-configuration weight is 30KG.
2.2.1 Desktop Installation
To install the Chassis Switch on a desktop or shelf, please follow these steps:
Step1: Attach the rubber feet to the recessed areas on the bottom of the Chassis Switch.
Step2: Place the Chassis Switch on the desktop or the shelf near an AC power source, as shown in Figure
2-2-1.
Figure 2-2-1 Place the Chassis Switch on the desktop
Step3: Keep enough ventilation space between the Chassis Switch and the surrounding objects.
When choosing a location, please keep in mind the environmental restrictions discussed in
Chapter 1, Section 4, and the Specification.
Step4: Supply power to the Chassis Switch.
Connect one end of the power cable to the Chassis Switch.
Connect the power plug of the power cable to a standard wall outlet.
2.2.2 Rack Mounting
To install the Chassis Switch in a 19-inch standard rack, please follow the instructions described below.
Step1: Place the Chassis Switch on a hard flat surface, with the front panel positioned towards the front side.
Step2: Attach the rack-mount bracket to each side of the Chassis Switch with the screws supplied in the
package. Figure 2-2-2 shows how to attach brackets to one side of the Chassis Switch.
Figure 2-2-2 Attach brackets to the Chassis Switch.
You must use the screws supplied with the mounting brackets. Damage caused to the
parts by using incorrect screws would invalidate the warranty.
Step3: Secure the brackets tightly.
Step4: Follow the same steps to attach the second bracket to the opposite side.
Step5: After the brackets are attached to the Chassis Switch, use suitable screws to securely attach the
brackets to the rack, as shown in Figure 2-2-3.
Figure 2-2-3 Mounting the Chassis Switch in a Rack
Please take care to avoid impacts, which may damage the device or harm
the installer if the device falls or is dropped.
The handles are designed for sliding into the cabinet only; please don’t use the handles to lift
the Chassis Switch.
Step6: Proceed with steps 4 and 5 of section 2.2.1 Desktop Installation to connect the network
cabling and supply power to the Chassis Switch.
2.2.3 Chassis Switch Grounding
A good grounding system is the groundwork for the smooth and safe operation of the XGS3-42000R, and an
excellent way to prevent lightning strikes and resistance interference. Please follow the XGS3-42000R
grounding specification instructions, verify the installation site’s grounding condition and ensure proper
grounding accordingly.
■ Proper grounding
When using an AC power source, the device must be grounded with the green and yellow ground cables;
otherwise, shock hazards may occur when insulation resistance between the internal power supply and the
chassis degrades.
■ Lightning protection grounding
The lightning protection system is an independent system consisting of a lightning rod, conductor and
connection joint with the grounding system. The grounding system is usually shared with the power reference
grounding and the green and yellow ground cable grounding. Lightning protection grounding is a building
requirement, not a specific requirement of the Switch.
■ Electromagnetic compliance grounding
This refers to the grounding required to comply with XGS3-42000R electromagnetic compatibility requirements,
including shielded grounding, filter grounds, noise and interference control, and level reference. The overall
grounding requirements are the sum total of the above. The ground resistance value should be less than 1 ohm.
The XGS3-42000R provides a chassis grounding post in the lower rear chassis, marked as “GND”. Chassis protection
grounding should be properly connected to the rack grounding connector.
The ground cabling procedures are listed below:
Step1: Remove the nuts from the rear chassis grounding posts as shown in Figure 2-2-4.
Figure 2-2-4 Grounding posts
Step2: Wrap one end of the green and yellow grounding cable around the grounding posts.
Step3: Attach the grounding post nut and tighten well.
Step4: Attach the other end of the grounding cable to the rack grounding connector.
■ The grounding cable should be made of a good conductor, and the diameter should
be determined by the possible maximum current that may pass through.
■ Bare conductor cabling is forbidden.
■ Ground resistance value: the combined grounding resistance should be less than 1
ohm.
2.2.4 Installing the Management / Standard Ethernet Module
■ Hot-swapping is supported by the optional modules for the Chassis Switch. However,
for better convenience, it is recommended to power down the Chassis Switch before
installing the cards, if no module in the switch is running.
■ Slot 1 should be installed with a Management Module before powering on the switch;
otherwise the Chassis Switch will not operate normally.
■ The Chassis Switch supports a maximum of 2 Management Modules, for the purpose of
management redundancy, in slot 1 and slot 2.
The installation procedure is the same for all cards, as shown below:
Step1: Power down the XGS3-42000R.
Step2: Ensure proper grounding of the XGS3-42000R.
Step3: Put on an ESD wrist strap before contact with the switch circuit, and make sure the ESD wrist strap is
connected securely to the ESD connector in the switch’s front panel.
Step4: Loosen the panel fasteners locking the back plate counterclockwise and remove the back plate.
Step5: Insert the optional module into the slot; you can use the metal handle on the front plate of the module to
ensure good contact. Then lock the module with the panel fasteners in the front plate as shown in Figure 2-2-5.
Figure 2-2-5 Insert the optional module into the slot of XGS3-42000R
2.2.5 Removing / Installing the Dust Gauze
The dust gauze is located in the right section of the XGS3-42000R and can be installed and removed from the back of
the XGS3-42000R. The dust gauze is meant to prevent large debris or particles in the air from being ingested into the
switch. Please clean it on a regular basis according to the site conditions.
Step1: Loosen the 2 panel fasteners in the dust gauze.
Step2: Draw the dust gauze out smoothly by holding the 2 screws.
Step3: Clean the dust gauze with a brush (never wash with any liquid).
Step4: Insert the gauze back into its original position in the switch.
Step5: Tighten the panel fasteners.
The installation and removal of the dust gauze is shown in Figure 2-2-6 below:
Figure 2-2-6 Installation and Removal of the XGS3-42000R Dust Gauze
2.2.6 Removing / Installing the Fan Tray
One fan tray is located in the left section of the XGS3-42000R and can be serviced from the front. The installation and
removal of the fan tray is relatively simple; please refer to the following procedure for reference.
■ Install the Fan Tray
Step1: Hold the fan tray in the correct direction, align it with the corresponding slot and push to secure.
Step2: Tighten the panel fasteners in the front panel.
■ Remove the Fan Tray
Step1: Loosen the 2 screws in the front panel of the fan tray.
Step2: Hold the handle in the front panel of the fan tray with your middle and ring fingers, press the locker slightly
down, and the fan tray can be drawn out smoothly.
The installation and removal of a fan tray is shown in Figure 2-2-7 below:
Figure 2-2-7 Installation and Removal of the Fan Tray
2.2.7 Removing / Installing the Power Supply Unit
To install a power supply unit into the XGS3-42000R, please fasten the hand screw clockwise and slide the power
supply unit into the XGS3-42000R.
Please slide in the PWR-AC module first before plugging in the rear power cord.
To remove a power supply unit from the XGS3-42000R, please loosen the hand screw counterclockwise and pull the
power supply unit out of the XGS3-42000R.
Please put back the front cover after the PWR-AC module is removed.
Figure 2-2-8 Install and Removal of the Power Supply Unit
2.2.8 Installing the SFP / XFP Transceiver
This section describes how to insert an SFP / XFP transceiver into an SFP / XFP slot.
The SFP / XFP transceivers are hot-pluggable and hot-swappable. You can plug the transceiver into, or unplug it
from, any SFP / XFP port without having to power down the Chassis Switch, as shown in Figure 2-2-9 and Figure
2-2-10.
Figure 2-2-9 Plug-in the SFP transceiver
Figure 2-2-10 Plug-in the XFP transceiver
■ Approved PLANET SFP Transceivers
The PLANET Chassis Switch supports both single-mode and multi-mode SFP transceivers. The following list of
approved PLANET SFP transceivers is correct at the time of publication:
Gigabit SFP Transceiver modules:
■ MGB-SX SFP (1000BASE-SX SFP transceiver / Multi-mode / 850nm / 220m~550m)
■ MGB-LX SFP (1000BASE-LX SFP transceiver / Single-mode / 1310nm / 10km)
■ MGB-L30 SFP (1000BASE-LX SFP transceiver / Single-mode / 1310nm / 30km)
■ MGB-L50 SFP (1000BASE-LX SFP transceiver / Single-mode / 1310nm / 50km)
■ MGB-LA10 SFP (1000BASE-LX SFP transceiver / WDM Single-mode / TX: 1310nm, RX: 1550nm / 10km)
■ MGB-LB10 SFP (1000BASE-LX SFP transceiver / WDM Single-mode / TX: 1550nm, RX: 1310nm / 10km)
It is recommended to use PLANET SFPs on the Chassis Switch. If you insert an SFP
transceiver that is not supported, the Chassis Switch will not recognize it.
Before connecting to other Chassis Switches, workstations or Media Converters:
1. Make sure both sides of the link use SFP transceivers of the same media type, for example: 1000Base-SX to
1000Base-SX, 1000Base-LX to 1000Base-LX.
2. Check that the fiber-optic cable type matches the SFP transceiver model.
■ To connect to a 1000Base-SX SFP transceiver, use multi-mode fiber cable with a
male duplex LC connector on one side.
■ To connect to a 1000Base-LX SFP transceiver, use single-mode fiber cable with a
male duplex LC connector on one side.
■ Approved PLANET XFP Transceivers
The PLANET Chassis Switch supports both single-mode and multi-mode XFP transceivers. The following list of
approved PLANET XFP transceivers is correct at the time of publication:
10 Gigabit XFP Transceiver modules:
■ MTB-XSR XFP (10GBASE-SR XFP transceiver / Multi-mode / 850nm / 300m)
■ MTB-XLR XFP (10GBASE-LR XFP transceiver / Single-mode / 1310nm / 10km)
It is recommended to use PLANET XFPs on the Chassis Switch. If you insert an XFP
transceiver that is not supported, the Chassis Switch will not recognize it.
Before connecting to other Chassis Switches, workstations or Media Converters:
1. Make sure both sides of the link use XFP transceivers of the same media type, for example: 10GBase-SR to
10GBase-SR, 10GBase-LR to 10GBase-LR.
2. Check that the fiber-optic cable type matches the XFP transceiver model.
■ To connect to a 10GBase-SR XFP transceiver, use multi-mode fiber cable with a
male duplex LC connector on one side.
■ To connect to a 10GBase-LR XFP transceiver, use single-mode fiber cable with a
male duplex LC connector on one side.
■ Connect the fiber cable
1. Attach the duplex LC connector on the network cable to the SFP / XFP transceiver.
2. Connect the other end of the cable to a device: a switch with an SFP / XFP installed, a fiber NIC on a
workstation or a Media Converter.
3. Check the LNK/ACT LED of the SFP / XFP slot on the front of the Chassis Switch. Ensure that the SFP /
XFP transceiver is operating correctly.
4. Check the Link mode of the SFP / XFP port if the link failed. To work with some fiber NICs, switches or
Media Converters, setting the Link mode to “1000 Force” / “10G” is needed.
■ Remove the transceiver module
1. Make sure there is no network activity by consulting or checking with the network administrator, or use the
management interface of the switch/converter (if available) to disable the port in advance.
2. Remove the fiber optic cable gently.
3. Turn the handle of the MGB / MTB module to horizontal.
4. Pull out the module gently by the handle.
Figure 2-2-11 Pull out the SFP / XFP transceiver
Never pull out the module without pulling the handle or the push bolts on the module.
Pulling the module out directly with force could damage the module and the SFP / XFP
module slot of the Chassis Switch.
Chapter 3 Chassis Switch Management
3.1 Management Options
After purchasing the Chassis Switch, the user needs to configure the Chassis Switch for network
management. The Chassis Switch provides two management options: in-band management and out-of-band
management.
IMPORTANT! The Chassis Switch is shipped without an IP address assigned by default. The user must
assign an IP address to the Chassis Switch via the Console interface to be able to
remotely access the Chassis Switch through Telnet or HTTP.
3.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use
out-of-band management for the initial Chassis Switch configuration, or when in-band management is not
available. For instance, the user must assign an IP address to the Chassis Switch via the Console interface to
be able to access the Chassis Switch through Telnet.
The procedures for managing the Chassis Switch via the Console interface are listed below:
Step 1: Setting up the environment:
Figure 3-1-1 Out-of-band Management Configuration Environment
As shown above, the serial port (RS-232) is connected to the Chassis Switch with the serial cable provided.
The table below lists all the devices used in the connection.
Device Name | Description
PC machine | Has a functional keyboard and RS-232 port, with a terminal emulator installed, such as HyperTerminal included in Windows 9x/NT/2000/XP.
Serial port cable | One end attaches to the RS-232 serial port, the other end to the Console port.
Chassis Switch | Functional Console port required.
Step 2: Entering HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based
on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
Figure 3-1-2 Opening HyperTerminal
2) Type a name for the HyperTerminal connection, such as “Switch”.
Figure 3-1-3 Opening HyperTerminal
3) In the “Connecting using” drop-down list, select the RS-232 serial port used by the PC, e.g. COM1, and click
“OK”.
Figure 3-1-4 Opening HyperTerminal
4) The COM1 properties dialog appears; select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1”
for stop bit and “none” for traffic control; or, you can also click “Restore default” and click “OK”.
Figure 3-1-5 Opening HyperTerminal
Step 3: Entering the switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode
for the Chassis Switch.
Testing RAM...
134,217,728 RAM OK.
Initializing...
Attaching to file system ... done.
Loading flash:/nos.img ...
Starting at 0x10000...
Attaching to file system ... done.
Current time is Tue Dec 15 21:57:55 1970
XGS3-42000R Series Switch Operating System
Software Package Version XGS3-42000R_6.0.220.24
Compiled Mar 22 13:01:42 2010
Slot 1 become active master!
25 Ethernet/IEEE 802.3 interface(s)
Discovered modules:
--------------------Slot : 1--------------------
Module type:        XGS3-M24GX
Work mode:          ACTIVE MASTER
Hardware version:   3.0
Bootrom version:    2.2.1
Serial number:      N091600096
Manufacture date:   2009/04/21
--------------------Slot : 2--------------------
Module type:        XGS3-S24G
Work mode:          SLAVE
Hardware version:   3.0
Bootrom version:    2.1.0
Serial number:      N093600029
Manufacture date:   2009/10/08
--------------------Slot : 4--------------------
Module type:        XGS3-S4XG
Work mode:          SLAVE
Hardware version:   3.0
Bootrom version:    2.1.0
Serial number:      N093100064
Manufacture date:   2009/08/03
%Dec 15 21:58:08 1970 Clock between master and slave has been synchronized!
%Dec 15 21:58:08 1970 %LINK-5-CHANGED: Interface Ethernet0, changed state to UP
%Dec 15 21:58:08 1970 %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to DOWN
Mac Addr 00-03-4f-10-e3-13
User Access Verification
Username:
The user can now enter commands to manage the Chassis Switch. For a detailed description of the
commands, please refer to the following chapters.
3.1.2 In-band Management
In-band management refers to management by logging in to the Chassis Switch using Telnet, using HTTP,
or using SNMP management software to configure the Chassis Switch. In-band management enables
management of the Chassis Switch from devices attached to the Chassis Switch. In the case where
in-band management fails due to Chassis Switch configuration changes, out-of-band management can be
used for configuring and managing the Chassis Switch.
3.1.2.1 Management via Telnet
To manage the Chassis Switch with Telnet, the following conditions should be met:
1) The Chassis Switch has an IPv4/IPv6 address configured;
2) The host IP address (Telnet client) and the Chassis Switch’s VLAN interface IPv4/IPv6 address are in
the same network segment;
3) If 2) is not met, the Telnet client can connect to an IPv4/IPv6 address of the Chassis Switch via other
devices, such as a router.
The Chassis Switch is a Layer 3 Chassis Switch that can be configured with several IPv4/IPv6 addresses. The
following example assumes the shipment status of the Chassis Switch, where only VLAN1 exists in the system.
The following describes the steps for a Telnet client to connect to the Chassis Switch’s VLAN1 interface by
Telnet (with an IPv4 address example):
Figure 3-1-6 Manage the Chassis Switch by Telnet
Step 1: Configure the IP addresses for the Chassis Switch and start the Telnet Server function on the Chassis
Switch.
First is the configuration of the host IP address. This should be within the same network segment as the Chassis
Switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is 10.1.128.251/24.
Then, a possible host IP address is 10.1.128.252/24. Run “ping 10.1.128.251” from the host and verify the
result; check for reasons if the ping failed.
The IP address configuration commands for the VLAN1 interface are listed below. Before in-band management,
the switch must be configured with an IP address by out-of-band management (i.e. Console mode); the
configuration commands are as follows (all switch configuration prompts are assumed to be “XGS3-42000R”
hereafter if not otherwise specified):
XGS3-42000R>
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(Config-if-Vlan1)#ip address 10.1.128.251 255.255.255.0
XGS3-42000R(Config-if-Vlan1)#no shutdown
To enable the Telnet Server function, users should type the CLI command telnet-server enable in global
mode as below:
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#telnet-server enable
Step 2: Run the Telnet client program.
Run the Telnet client program included in Windows with the specified Telnet target.
Figure 3-1-7 Run telnet client program included in Windows
Step 3: Log in to the Chassis Switch.
Log in to the Telnet configuration interface. A valid login name and password are required; otherwise the
Chassis Switch will reject Telnet access. This is a method to protect the Chassis Switch from unauthorized
access. As a result, when Telnet is enabled for configuring and managing the Chassis Switch, the username and
password for authorized Telnet users must be configured with the following command:
username <username> privilege <privilege> [password (0|7) <password>]
To enable the local authentication style, use the following command: authentication line vty login local. The privilege
option must be present and must be 15. Assuming an authorized user in the Chassis Switch has a username of “test”
and a password of “test”, the configuration procedure should look like the following:
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#username test privilege 15 password 0 test
XGS3-42000R(config)#authentication line vty login local
Enter a valid login name and password in the Telnet configuration interface, and the Telnet user will be able to enter the
switch’s CLI configuration interface. The commands used in the Telnet CLI interface after login are the same as
those in the Console interface.
Figure 3-1-8 Telnet Configuration Interface
3.1.2.2 Management via HTTP
To manage the Chassis Switch via HTTP, the following conditions should be met:
1)
Chassis Switch has an IP v4/IP v6 address configured;
2)
The host IP v4/ IP v6 address (HTTP client) and the switch’s VLAN interface IP v4/ IP v6 address are in
the same net work segment;
3)
If 2) is not met, HTTP client should connect to an IP v4/ IP v6 address of the switch via other devices,
such as a router.
Similar to management the Chassis Switch via Telnet, as soon as the host succeeds to ping/ping6 an
IP v4/IP v6 address of the Chassis Switch and to type the right login password, it can access the Chassis
Switch via HTTP. The configuration list is as below:
Step 1: Configure the IP addresses for the Chassis Switch and start the HTTP server function on the Chassis
Switch.
For configuring the IP address on the Chassis Switch through out-of-band management, see the Telnet
management chapter.
To enable the Web configuration, users should type the CLI command ip http server in the global mode as
below:
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#ip http server
Step 2: Run HTTP protocol on the host.
Open the Web browser on the host and type the IP address of the Chassis Switch, or run the HTTP protocol
directly on Windows. For example, the IP address of the Chassis Switch is “10.1.128.251”:
Figure 3-1-9 Run HTTP Protocol
When accessing a Chassis Switch with an IPv6 address, it is recommended to use the Firefox browser, version
1.5 or later. For example, if the IPv6 address of the Chassis Switch is 3ffe:506:1:2::3, input the IPv6 address
of the Chassis Switch as http://[3ffe:506:1:2::3]; the address must be enclosed in square brackets.
Step 3: Login to the Chassis Switch.
Login to the Web configuration interface. Valid login name and password are required, otherwise the Chassis
Switch will reject HTTP access. This is a method to protect the Chassis Switch from unauthorized access. As
a result, when Telnet is enabled for configuring and managing the Chassis Switch, username and password
for authorized Telnet users must be configured with the following command:
username <username> privilege <privilege> [password (0|7) <password>]
To enable the local authentication style, use the following command: authentication line web login local.
The privilege option must be present and must be 15. Assume an authorized user in the Chassis Switch has a
username of “admin” and password of “admin”; the configuration procedure should look like the following:
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#username admin privilege 15 password 0 admin
XGS3-42000R(config)#authentication line web login local
The Web login interface of XGS 3-42000R is as below:
Figure 3-1-10 Web Login Interface
Input the right username and password, and then the main Web configuration interface is shown as below.
Figure 3-1-11 Main Web Configuration Interface
When configuring the Chassis Switch, the name of the Chassis Switch must consist of English letters.
3.1.2.3 Manage the Chassis Switch via SNMP Network Management Software
The necessities required by SNMP network management software to manage Chassis Switches:
1) IP addresses are configured on the Chassis Switch;
2) The IP address of the client host and that of the VLAN interface on the switch it belongs to should be in
the same segment;
3) If 2) is not met, the client should be able to reach an IP address of the Chassis Switch through devices
like routers;
4) SNMP should be enabled.
The host with SNMP network management software should be able to ping the IP address of the Chassis
Switch, so that, when running, the SNMP network management software will be able to find it and perform
read/write operations on it. Details about how to manage switches via SNMP network management software
will not be covered in this manual; please refer to the “Snmp network management software user manual”.
3.2 CLI Interface
The Chassis Switch provides three management interfaces for users: CLI (Command Line Interface), Web
interface, and Snmp network management software. We will introduce the CLI interface and Web
configuration interface in detail; the Snmp network management software is similar in function to the CLI
interface and will not be covered, please refer to the “Snmp network management software user manual”.
The CLI interface is familiar to most users. As aforementioned, out-of-band management and Telnet login are
all performed through the CLI interface to manage the Chassis Switch.
The CLI Interface is supported by a Shell program, which consists of a set of configuration commands. Those
commands are categorized according to their functions in Chassis Switch configuration and management.
Each category represents a different configuration mode. The Shell for the switch is described below:
• Configuration Modes
• Configuration Syntax
• Shortcut keys
• Help function
• Input verification
• Fuzzy match support
3.2.1 Configuration Modes
Figure 3-1-12 Shell Configuration Modes
3.2.1.1 User Mode
On entering the CLI interface, the user first enters the user entry system. A common user defaults to User
Mode. The prompt shown is “XGS3-42000R>”; the symbol “>” is the prompt for User Mode. When the exit
command is run under Admin Mode, it will also return to the User Mode.
Under User Mode, no configuration of the Chassis Switch is allowed; only the clock time and version
information of the Chassis Switch can be queried.
3.2.1.2 Admin Mode
In the user entry system, an Admin user defaults to Admin Mode. The Admin Mode prompt “XGS3-42000R#”
can be entered under the User Mode by running the enable command and entering the admin user password
for the corresponding access level, if a password has been set. Or, when the exit command is run under
Global Mode, it will also return to the Admin Mode. The Chassis Switch also provides the shortcut key
sequence “Ctrl+z”, which allows an easy way to exit to Admin Mode from any configuration mode (except
User Mode).
Under Admin Mode, the user can query the Chassis Switch configuration information, connection status and
traffic statistics of all ports; and the user can further enter the Global Mode from Admin Mode to modify all
configurations of the Chassis Switch. For this reason, a password must be set for entering Admin Mode to
prevent unauthorized access and malicious modification to the Chassis Switch.
3.2.1.3 Global Mode
Typing the config command under Admin Mode enters the Global Mode prompt “XGS3-42000R(config)#”.
Using the exit command under other configuration modes such as Port Mode or VLAN Mode will return to
Global Mode.
The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring,
VLAN creation, IGMP Snooping start and STP, etc. And the user can go further to Port Mode for configuration
of all the interfaces.
Interface Mode
Using the interface command under Global Mode enters the specified interface mode. Chassis Switch
provides three interface types: 1. VLAN interface; 2. Ethernet port; 3. port-channel, and accordingly three
interface configuration modes.
Interface Type | Entry | Operates | Exit
VLAN Interface | Type interface vlan <Vlan-id> command under Global Mode. | Configure switch IPs, etc. | Use the exit command to return to Global Mode.
Ethernet Port | Type interface ethernet <interface-list> command under Global Mode. | Configure supported duplex mode, speed, etc. of Ethernet Port. | Use the exit command to return to Global Mode.
port-channel | Type interface port-channel <port-channel-number> command under Global Mode. | Configure port-channel related settings such as duplex mode, speed, etc. | Use the exit command to return to Global Mode.
VLAN Mode
Using the vlan <vlan-id> command under Global Mode enters the corresponding VLAN Mode. Under
VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command
to exit the VLAN Mode to Global Mode.
DHCP Address Pool Mode
Typing the ip dhcp pool <name> command under Global Mode enters the DHCP Address Pool Mode
prompt “XGS3-42000R(config-<name>-dhcp)#”. DHCP address pool properties can be configured under
DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode.
Route Mode
Routing Protocol | Entry | Operates | Exit
RIP Routing Protocol | Type router rip command under Global Mode. | Configure RIP protocol parameters. | Use the exit command to return to Global Mode.
OSPF Routing Protocol | Type router ospf command under Global Mode. | Configure OSPF protocol parameters. | Use the exit command to return to Global Mode.
BGP Routing Protocol | Type router bgp <AS number> command under Global Mode. | Configure BGP protocol parameters. | Use the exit command to return to Global Mode.
ACL Mode
ACL type | Entry | Operates | Exit
Standard IP ACL Mode | Type ip access-list standard command under Global Mode. | Configure parameters for Standard IP ACL Mode. | Use the exit command to return to Global Mode.
Extended IP ACL Mode | Type ip access-list extended command under Global Mode. | Configure parameters for Extended IP ACL Mode. | Use the exit command to return to Global Mode.
3.2.2 Configuration Syntax
Chassis Switch provides various configuration commands. Although all the commands are different, they all
abide by the syntax for Chassis Switch configuration commands. The general command format of Chassis
Switch is shown below:
cmdtxt <variable> {enum1 | … | enumN } [option1 | … | optionN]
Conventions: cmdtxt in bold font indicates a command keyword; <variable> indicates a variable
parameter; {enum1 | … | enumN } indicates a mandatory parameter that should be selected from the
parameter set enum1~enumN; and the square brackets ([ ]) in [option1 | … | optionN] indicate an optional
parameter. There may be combinations of “< >”, “{ }” and “[ ]” in the command line, such as [<variable>],
{enum1 <variable> | enum2}, [option1 [option2]], etc.
Here are examples for some actual configuration commands:
• show version, no parameters required. This is a command with only a keyword and no parameter; just
type in the command to run.
• vlan <vlan-id>, parameter values are required after the keyword.
• firewall {enable | disable}, the user can enter firewall enable or firewall disable for this command.
• snmp-server community {ro | rw} <string>, the following are possible:
snmp-server community ro <string>
snmp-server community rw <string>
3.2.3 Shortcut Key Support
Chassis Switch provides several shortcut keys to facilitate user configuration, such as Up, Down, Left, Right and
Back Space. If the terminal does not recognize the Up and Down keys, Ctrl+p and Ctrl+n can be used instead.
Key(s) | Function
Back Space | Delete a character before the cursor, and the cursor moves back.
Up “↑” | Show previous command entered. Up to ten recently entered commands can be shown.
Down “↓” | Show next command entered. When using the Up key to get previously entered commands, you can use the Down key to return to the next command.
Left “←” | The cursor moves one character to the left. You can use the Left and Right keys to modify an entered command.
Right “→” | The cursor moves one character to the right.
Ctrl+p | The same as Up key “↑”.
Ctrl+n | The same as Down key “↓”.
Ctrl+b | The same as Left key “←”.
Ctrl+f | The same as Right key “→”.
Ctrl+z | Return to the Admin Mode directly from the other configuration modes (except User Mode).
Ctrl+c | Break the ongoing command process, such as ping or other command execution.
Tab | When a string for a command or keyword is entered, the Tab key can be used to complete the command or keyword if there is no conflict.
3.2.4 Help Function
There are two ways in Chassis Switch for the user to access help information: the “help” command and the
“?”.
Access to Help | Usage and function
help | Under any command line prompt, type in “help” and press Enter to get a brief description of the associated help system.
“?” | 1. Under any command line prompt, enter “?” to get a command list of the current mode and related brief descriptions. 2. Enter a “?” after the command keyword with an embedded space. If the position should be a parameter, a description of that parameter type, scope, etc. will be returned; if the position should be a keyword, then a set of keywords with brief descriptions will be returned; if the output is “<cr>”, then the command is complete; press Enter to run the command. 3. A “?” immediately following a string displays all the commands that begin with that string.
3.2.5 Input Verification
3.2.5.1 Returned Information: success
All commands entered through the keyboard undergo a syntax check by the Shell. Nothing will be returned if the
user entered a correct command under the corresponding mode and the execution is successful.
Returned Information: error
Output error message | Explanation
Unrecognized command or illegal parameter! | The entered command does not exist, or there is an error in parameter scope, type or format.
Ambiguous command | At least two interpretations are possible based on the current input.
Invalid command or parameter | The command is recognized, but no valid parameter record is found.
This command is not exist in current mode | The command is recognized, but cannot be used under the current mode.
Please configure precursor command "*" at first! | The command is recognized, but the prerequisite command has not been configured.
syntax error : missing '"' before the end of command line! | Quotation marks are not used in pairs.
3.2.6 Fuzzy Match Support
The Chassis Switch shell supports fuzzy match in searching commands and keywords. The Shell will recognize
commands or keywords correctly if the entered string causes no conflict.
For example:
1) For the command “show interfaces status ethernet1/1”, typing “sh in status ethernet1/1” will work.
2) However, for the command “show running-config”, the system will report a “> Ambiguous command!”
error if only “show r” is entered, as the Shell is unable to tell whether it is “show run” or “show
running-config”. Therefore, the Shell will only recognize the command if “sh ru” is entered.
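The token-by-token prefix resolution described above, written out as an added Python example (not PLANET's code): each typed token must prefix exactly one keyword at its level, otherwise the shell's “Ambiguous command!” or “Unrecognized command or illegal parameter!” message is returned. The command table is constructed for the demonstration; the “show rmon” entry is included only so that “show r” has two candidates, as in the page's example.

```python
# Constructed command table for the demonstration; each keyword maps to the next level,
# and None marks a leaf after which anything typed is a parameter (e.g. ethernet1/1).
COMMANDS = {
    "show": {
        "version": None,
        "interfaces": {"status": None},
        "running-config": None,
        "rmon": None,   # constructed entry so that "show r" has two candidates
    },
    "ssh-server": {"enable": None},
    "snmp-server": {"enable": None, "community": None},
}

# Error strings exactly as the manual's "Returned Information: error" table lists them.
AMBIGUOUS = "Ambiguous command!"
UNRECOGNIZED = "Unrecognized command or illegal parameter!"


def resolve(line, table=COMMANDS):
    """Expand each typed token to the single keyword it prefixes at that level of the table.

    Returns the fully expanded command, or one of the manual's error strings when a
    token prefixes several keywords (ambiguous) or none (unrecognized).
    """
    tokens = line.split()
    expanded = []
    level = table
    for i, tok in enumerate(tokens):
        if level is None:
            # Past the last keyword: the rest are parameters and are kept verbatim.
            expanded.extend(tokens[i:])
            break
        if tok in level:
            keyword = tok        # an exact keyword wins even if it prefixes a longer one
        else:
            candidates = [k for k in level if k.startswith(tok)]
            if not candidates:
                return UNRECOGNIZED
            if len(candidates) > 1:
                return AMBIGUOUS
            keyword = candidates[0]
        expanded.append(keyword)
        level = level[keyword]
    return " ".join(expanded)


if __name__ == "__main__":
    for typed in ("sh in status ethernet1/1", "sh r", "sh ru", "s", "show foo"):
        print(f"{typed!r:28} -> {resolve(typed)}")
```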
Chapter 4 Basic Chassis Switch Configuration
4.1 Basic Configuration
Basic Chassis Switch configuration includes commands for entering and exiting the admin mode, commands
for entering and exiting interface mode, for configuring and displaying the Chassis Switch clock, for displaying
the version information of the Chassis Switch system, etc.
Command | Explanation
Normal User Mode/Admin Mode
enable / disable | The user uses the enable command to step into admin mode from normal user mode. The disable command is for exiting admin mode.
Admin Mode
config [terminal] | Enter global mode from admin mode.
Various Modes
exit | Exit current mode and enter previous mode, such as using this command in global mode to go back to admin mode, and back to normal user mode from admin mode.
Except User Mode/Admin Mode
end | Quit current mode and return to Admin mode when not at User Mode/Admin Mode.
Admin Mode
clock set <HH:MM:SS> [YYYY.MM.DD] | Set system date and time.
show version | Display version information of the Chassis Switch.
set default | Restore to the factory default.
write | Save current configuration parameters to Flash Memory.
reload | Hot reset the Chassis Switch.
4.2 Telnet Management
4.2.1 Telnet
4.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can login to a remote host
by its IP address or hostname from his own workstation. Telnet sends the user’s keystrokes to the remote
host and sends the remote host output to the user’s screen through a TCP connection. This is a transparent
service: to the user, the keyboard and monitor seem to be connected to the remote host directly.
Telnet employs the Client-Server mode: the local system is the Telnet client and the remote host is the Telnet
server. Chassis Switch can be either the Telnet server or the Telnet client.
When Chassis Switch is used as the Telnet server, the user can use the Telnet client program included in
Windows or other operating systems to login to Chassis Switch, as described earlier in the In-band
management section. As a Telnet server, Chassis Switch allows up to 5 telnet client TCP connections.
As a Telnet client, using the telnet command under Admin Mode allows the user to login to other remote
hosts. Chassis Switch can only establish a TCP connection to one remote host. If a connection to another
remote host is desired, the current TCP connection must be dropped.
4.2.1.2 Telnet Configuration Task List
1. Configuring Telnet Server
2. Telnet to a remote host from the Chassis Switch.
1. Configuration of Telnet Server
Command | Explanation
Global Mode
telnet-server enable / no telnet-server enable | Enable the Telnet server function in the Chassis Switch; the “no telnet-server enable” command disables the Telnet function.
username <user-name> [privilege <privilege>] [password {0 | 7} <password>] / no username <username> | Configure user name and password of the telnet. The no form command deletes the telnet user authorization.
authentication securityip <ip-addr> / no authentication securityip <ip-addr> | Configure the secure IP address to login to the switch through Telnet; the no command deletes the authorized Telnet secure address.
authentication securityipv6 <ipv6-addr> / no authentication securityipv6 <ipv6-addr> | Configure the secure IPv6 address to login to the Chassis Switch through Telnet; the no command deletes the authorized Telnet secure address.
authentication ip access-class {<num-std> | <name>} / no authentication ip access-class | Bind a standard IP ACL to login with Telnet/SSH/Web; the no form command cancels the binding ACL.
authentication ipv6 access-class {<num-std> | <name>} / no authentication ipv6 access-class | Bind a standard IPv6 ACL to login with Telnet/SSH/Web; the no form command cancels the binding ACL.
authentication line {console | vty | web} login {local | radius | tacacs} / no authentication line {console | vty | web} login | Configure telnet authentication mode.
Admin Mode
terminal monitor / terminal no monitor | Display debug information for Telnet client login to the Chassis Switch; the no command disables the debug information.
2. Telnet to a remote host from the Chassis Switch
Command | Explanation
Admin Mode
telnet {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>] | Login to a remote host with the Telnet client included in the Chassis Switch.
4.2.2 SSH
4.2.2.1 Introduction to SSH
SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is
based on the reliable TCP/IP protocol. Through mechanisms such as key distribution, authentication and
encryption between the SSH server and SSH client, a secure connection is established. The information
transferred on this connection is protected from being intercepted and decrypted. The Chassis Switch meets
the requirements of SSH2.0. It supports SSH2.0 client software such as SSH Secure Client and putty. Users
can run the above software to manage the Chassis Switch remotely.
The Chassis Switch presently supports RSA authentication, the 3DES cryptography protocol and SSH user
password authentication, etc.
4.2.2.2 SSH Server Configuration Task List
SSH Server Configuration
Command | Explanation
Global Mode
ssh-server enable / no ssh-server enable | Enable SSH function on the Chassis Switch; the “no ssh-server enable” command disables SSH function.
ssh-user <user-name> password {0 | 7} <password> / no ssh-user <user-name> | Configure the username and password of SSH client software for logging on the Chassis Switch; the “no ssh-user <user-name>” command deletes the username.
ssh-server timeout <timeout> / no ssh-server timeout | Configure timeout value for SSH authentication; the “no ssh-server timeout” command restores the default timeout value for SSH authentication.
ssh-server authentication-retries <authentication-retries> / no ssh-server authentication-retries | Configure the number of times for retrying SSH authentication; the “no ssh-server authentication-retries” command restores the default number of times for retrying SSH authentication.
ssh-server host-key create rsa modulus <modulus> | Generate the new RSA host key on the SSH server.
Admin Mode
terminal monitor / terminal no monitor | Display SSH debug information on the SSH client side; the “no terminal monitor” command stops displaying SSH debug information on the SSH client side.
4.2.2.3 Typical SSH Server Configuration
Example 1:
Requirement: Enable SSH server on the Chassis Switch, and run SSH2.0 client software such as Secure
Shell Client or putty on the terminal. Log on the switch by using the username and password from the client.
Configure the IP address, add an SSH user and enable SSH service on the Chassis Switch. The SSH2.0 client
can log on the switch by using the username and password to configure the Chassis Switch.
XGS3-42000R(config)#ssh-server enable
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#ssh-user test password 0 test
In IPv6 networks, the terminal should run IPv6-supporting SSH client software, such as putty6. Users should
make no modification to configurations on the Chassis Switch except allocating an IPv6 address for the local
host.
4.3 Configure Chassis Switch IP Addresses
All Ethernet ports of Chassis Switch default to Data Link layer ports and perform layer 2 forwarding. A VLAN
interface represents a Layer 3 interface which can be assigned an IP address, which is also the IP
address of the switch. All VLAN interface related configuration commands can be configured under VLAN
Mode. The switch provides three IP address configuration methods:
• Manual
• BOOTP
• DHCP
Manual configuration of the IP address is to assign an IP address manually for the Chassis Switch.
In BOOTP/DHCP mode, the Chassis Switch operates as a BOOTP/DHCP client, sends broadcast packets of
BOOTP request to the BOOTP/DHCP servers, and the BOOTP/DHCP servers assign the address on
receiving the request. In addition, the switch can act as a DHCP server, and dynamically assign network
parameters such as IP addresses, gateway addresses and DNS server addresses to DHCP clients. DHCP
Server configuration is detailed in later chapters.
4.3.1 Chassis Switch IP Addresses Configuration Task List
1. Enable VLAN port mode
2. Manual configuration
3. BOOTP configuration
4. DHCP configuration
1. Enable VLAN port mode
Command | Explanation
Global Mode
interface vlan <vlan-id> / no interface vlan <vlan-id> | Create VLAN interface (layer 3 interface); the “no interface vlan <vlan-id>” command deletes the VLAN interface.
2. Manual configuration
Command | Explanation
VLAN Port Mode
ip address <ip_address> <mask> [secondary] / no ip address <ip_address> <mask> [secondary] | Configure the VLAN interface IP address; the “no ip address <ip_address> <mask> [secondary]” command deletes the VLAN interface IP address.
ipv6 address <ipv6-address/prefix-length> [eui-64] / no ipv6 address <ipv6-address/prefix-length> | Configure IPv6 address, including aggregatable global unicast address, site-local address and link-local address. The no form command deletes the IPv6 address.
3. BOOTP configuration
Command | Explanation
VLAN Port Mode
ip bootp-client enable / no ip bootp-client enable | Enable the switch to be a BootP client and obtain IP address and gateway address through BootP negotiation; the “no ip bootp-client enable” command disables the BootP client function.
4. DHCP configuration
Command | Explanation
VLAN Port Mode
ip bootp-client enable / no ip bootp-client enable | Enable the switch to be a DHCP client and obtain IP address and gateway address through DHCP negotiation; the “no ip bootp-client enable” command disables the DHCP client function.
4.4 SNMP Configuration
4.4.1 Introduction to SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in
computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of
SNMP, which is adopted by vast numbers of manufacturers for its simplicity and easy implementation; SNMP
v2c is an enhanced version of SNMP v1, which supports layered network management; SNMP v3
strengthens the security by adding USM (User-based Security Model) and VACM (View-based Access
Control Model).
The SNMP protocol provides a simple way of exchanging network management information between two points in
the network. SNMP employs a polling mechanism of message query, and transmits messages through UDP
(a connectionless transport layer protocol). Therefore it is well supported by the existing computer networks.
The SNMP protocol employs a station-agent mode. There are two parts in this structure: NMS (Network
Management Station) and Agent. NMS is the workstation on which the SNMP client program is running. It is the
core of the SNMP network management. Agent is the server software that runs on the devices which need to be
managed. NMS manages all the managed objects through Agents. The switch supports the Agent function.
The communication between NMS and Agent functions in Client/Server mode by exchanging standard
messages. NMS sends requests and the Agent responds. There are seven types of SNMP message:
• Get-Request
• Get-Response
• Get-Next-Request
• Get-Bulk-Request
• Set-Request
• Trap
• Inform-Request
NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request
messages; and the Agent, upon receiving the requests, replies with a Get-Response message. In some
special situations, such as when network device ports change Up/Down status or the network topology
changes, Agents can send Trap messages to the NMS to report the abnormal events. Besides, NMS can also
be set to alert on some abnormal events by enabling the RMON function. When alert events are triggered,
Agents will send Trap messages or log the event according to the settings. Inform-Request is mainly used for
inter-NMS communication in layered network management.
USM ensures the transfer security by well-designed encryption and authentication. USM encrypts the
messages according to the user-typed password. This mechanism ensures that the messages can’t be
viewed in transmission. And USM authentication ensures that the messages can’t be changed in
transmission. USM employs DES-CBC cryptography. And HMAC-MD5 and HMAC-SHA are used for
authentication.
VACM is used to classify the users’ access permission. It puts the users with the same access permission in
the same group. Users can’t conduct operations which are not authorized.
4.4.2 Introduction to MIB
The network management information accessed by NMS is well defined and organized in a Management
Information Base (MIB). MIB is pre-defined information which can be accessed by network management
protocols. It is in layered and structured form. The pre-defined management information can be obtained from
monitored network devices. ISO ASN.1 defines a tree structure for MIB. Each MIB organizes all the available
information with this tree structure. And each node on this tree contains an OID (Object Identifier) and a brief
description about the node. OID is a set of integers divided by periods. It identifies the node and can be used
to locate the node in a MIB tree structure, shown in the figure below:
Figure 4-4-1 ASN.1 Tree Instance
In this figure, the OID of the object A is 1.2.1.1. NMS can locate this object through this unique OID and get
the standard variables of the object. MIB defines a set of standard variables for monitored network devices by
following this structure.
If the variable information of the Agent MIB needs to be browsed, the MIB browse software needs to be run on
the NMS. MIB in the Agent usually consists of public MIB and private MIB. The public MIB contains public
network management information that can be accessed by all NMS; private MIB contains specific information
which can be viewed and controlled with the support of the manufacturers.
MIB-I [RFC1156] is the first implemented public MIB of SNMP, and is replaced by MIB-II [RFC1213]. MIB-II
expands MIB-I and keeps the OID of the MIB tree in MIB-I. MIB-II contains sub-trees which are called groups.
Objects in those groups cover all the functional domains in network management. NMS obtains the network
management information by visiting the MIB of the SNMP Agent.
The switch can operate as an SNMP Agent, and supports both SNMP v1/v2c and SNMP v3. The switch
supports basic MIB-II, RMON public MIB and other public MIBs such as BRIDGE MIB. Besides, the switch
supports self-defined private MIB.
4.4.3 Introduction to RMON
RMON is the most important expansion of the standard SNMP. RMON is a set of MIB definitions, used to
define standard network monitor functions and interfaces, enabling the communication between SNMP
management terminals and remote monitors. RMON provides a highly efficient method to monitor actions
inside the subnets.
The MIB of RMON consists of 10 groups. The switch supports the most frequently used groups 1, 2, 3 and 9:
• Statistics: Maintain basic usage and error statistics for each subnet monitored by the Agent.
• History: Record periodical statistic samples available from Statistics.
• Alarm: Allow management console users to set any count or integer for sample intervals and alert
thresholds for RMON Agent records.
• Event: A list of all events generated by RMON Agent.
Alarm depends on the implementation of Event. Statistics and History display some current or history subnet
statistics. Alarm and Event provide a method to monitor any integer data change in the network, and provide
some alerts upon abnormal events (sending Trap or recording in logs).
4.4.4 SNMP Configuration
4.4.4.1 SNMP Configuration Task List
1. Enable or disable SNMP Agent server function
2. Configure SNMP community string
3. Configure IP address of SNMP management base
4. Configure engine ID
5. Configure user
6. Configure group
7. Configure view
8. Configuring TRAP
9. Enable/Disable RMON
1. Enable or disable SNMP Agent server function
Command
Explanation
Global Mode
snmp-server enabled
no snmp-server enabled
Enable the S NMP Agent function on the Chassis
Switch; the no command disables the SNMP Agent
function on the switch.
2. Configure SNMP community string
Command
Explanation
Global Mode
snmp-server communi ty {ro|rw} < string>
Configure the community string for t he Chassis
[acce ss {<num-std> |<name>}]
Switch; the no command deletes the configured
[ipv6-acce ss
community string.
4-9
{<ipv6-num -std>|<ipv6-name>}] [read
<read-view-nam e>] [write
<write-view-nam e>]
no snmp-server communi ty < string>
[acce ss {<num-std> |<name>}]
[ipv6-acce ss
{<ipv6-num -std>|<ipv6-name>}]
3. Configure IP address of SNMP management base
Command
Explanation
snmp-server securityip { <ipv4-addr> |
Configure the secure IP v4/ IP v6 address which is
<ipv6-addr> }
allowed t o access the switch on the NMS; the no
no snmp-se rver securityip { <ipv4-addr> |
command delet es configured secure address.
Global Mode
<ipv6-addr> }
snmp-server securi tyip enable
Enable or disable secure IP address check function
snmp-server securi tyip di sable
on the NMS.
4. Configure engine ID
Command
Explanation
Global Mode
5.
snmp-server engineid <engine-string>
Configure the local engine ID on the Chassis Switch.
no snmp-server engineid
This command is used for SNMP v3.
Configure user
Command
Explanation
Global Mode
snmp-server user <use-string> <group-string>
[{authPriv | authNoPriv} auth {md5 | sha}
<word>] [acce ss {<num-std>|<name>}]
[ipv6-acce ss {<ipv6-num -std>|<ipv6-name>}]
no snmp-server user <user-string> [acce ss
{<num-std>|<nam e>}] [ipv6-acce ss
{<ipv6-num -std>|<ipv6-name>}]
4-10
Add a user to a SNMP group. This command is
used to configure USM for SNMP v3.
6. Configure group
Command
Explanation
Global Mode
snmp-server group <group-string>
{noauthnopriv|authnopriv|authpriv} [[read
<read-string> ] [write <write-string>] [notify
<notify-string>]] [acce ss
{<num-std>|<nam e>}] [ipv6-acce ss
Set the group information on the Chassis Switch.
{<ipv6-num -std>|<ipv6-name>}]
This command is used to configure VACM for SNMP
no snmp-server group <group-string>
v3.
{noauthnopriv|authnopriv|authpriv}
[acce ss {<num-std> |<name>}]
[ipv6-acce ss
{<ipv6-num -std>|<ipv6-name>}]
7. Configure view
Command
Explanation
Global Mode
snmp-server view <view-string>
<oid-string> {include|exclude}
Configure
view on the Chassis
no snmp-server view
command is used for SNMP v3.
Switch.
This
<view-string>[<oid-string>]
8. Configuring TRAP
Global Mode
Command: snmp-server enable traps
         no snmp-server enable traps
Explanation: Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3.
Command: snmp-server host { <ipv4-addr> | <ipv6-addr> } {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>
         no snmp-server host { <ipv4-addr> | <ipv6-addr> } {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>
Explanation: Set the host IPv4/IPv6 address which is used to receive SNMP Trap information. For SNMP v1/v2, this command also configures the Trap community string; for SNMP v3, this command also configures the Trap user name and security level. The "no" form of this command removes this IPv4 or IPv6 address.
9. Enable/Disable RMON
Global Mode
Command: rmon enable
         no rmon enable
Explanation: Enable/disable RMON.
4.4.5 Typical SNMP Configuration Examples
The IP address of the NMS is 1.1.1.5; the IP address of the Chassis XGS3-42000R (Agent) is 1.1.1.9.
Scenario 1: The NMS network management software uses SNMP to obtain data from the Chassis Switch.
The configuration on the Chassis Switch is listed below:
XGS3-42000R(config)#snmp-server enable
XGS3-42000R(config)#snmp-server community rw private
XGS3-42000R(config)#snmp-server community ro public
XGS3-42000R(config)#snmp-server securityip 1.1.1.5
The NMS can use private as the community string to access the Chassis Switch with read-write permission, or use public as the community string to access the Chassis Switch with read-only permission.
Scenario 2: The NMS will receive Trap messages from the Chassis XGS3-42000R (Note: the NMS may verify the community string of Trap messages. In this scenario, the NMS uses a Trap verification community string of usertrap).
The configuration on the Chassis Switch is listed below:
XGS3-42000R(config)#snmp-server enable
XGS3-42000R(config)#snmp-server host 1.1.1.5 v1 usertrap
XGS3-42000R(config)#snmp-server enable traps
Scenario 3: The NMS uses SNMP v3 to obtain information from the Chassis Switch.
The configuration on the Chassis Switch is listed below:
XGS3-42000R(config)#snmp-server
XGS3-42000R(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
XGS3-42000R(config)#snmp-server group UserGroup AuthPriv read max write max notify max
XGS3-42000R(config)#snmp-server view max 1 include
Scenario 4: The NMS wants to receive the v3 Trap messages sent by the Chassis Switch.
The configuration on the Chassis Switch is listed below:
XGS3-42000R(config)#snmp-server enable
XGS3-42000R(config)#snmp-server host 10.1.1.2 v3 authpriv tester
XGS3-42000R(config)#snmp-server enable traps
Scenario 5: The IPv6 address of the NMS is 2004:1:2:3::2; the IPv6 address of the Chassis XGS3-42000R (Agent) is 2004:1:2:3::1. The NMS network management software uses SNMP to obtain data from the Chassis Switch.
The configuration on the Chassis Switch is listed below:
XGS3-42000R(config)#snmp-server enable
XGS3-42000R(config)#snmp-server community rw private
XGS3-42000R(config)#snmp-server community ro public
XGS3-42000R(config)#snmp-server securityip 2004:1:2:3::2
The NMS can use private as the community string to access the Chassis Switch with read-write permission, or use public as the community string to access the Chassis Switch with read-only permission.
Scenario 6: The NMS will receive Trap messages from the Chassis XGS3-42000R (Note: the NMS may verify the community string of Trap messages. In this scenario, the NMS uses a Trap verification community string of dcstrap).
The configuration on the switch is listed below:
XGS3-42000R(config)#snmp-server host 2004:1:2:3::2 v1 dcstrap
XGS3-42000R(config)#snmp-server enable traps
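The scenarios above mix v1/v2c community strings, a securityip restriction and a v3 user. As an added example (not from the manual), the script below re-reads such snmp-server lines and flags the settings a defender would review before the switch goes into service: default community strings, trap targets below v3 authpriv, v3 users without privacy or using MD5, a view rooted at OID 1, and a missing securityip. The command syntax follows the tables on this page; the sample configuration is constructed from the scenario commands and is not real switch output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the snmp-server lines from Scenarios 1 to 4 above, joined
# as if they were one running configuration. Not output from a real switch.
SAMPLE_CONFIG = """
snmp-server enable
snmp-server community rw private
snmp-server community ro public
snmp-server securityip 1.1.1.5
snmp-server host 1.1.1.5 v1 usertrap
snmp-server enable traps
snmp-server user tester UserGroup authPriv auth md5 hellotst
snmp-server group UserGroup AuthPriv read max write max notify max
snmp-server view max 1 include
snmp-server host 10.1.1.2 v3 authpriv tester
"""

# Community strings shipped as defaults by many SNMP implementations.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # configuration line that triggered the finding
    reason: str


def audit_snmp_config(config: str) -> list[Finding]:
    """Return one Finding per weak snmp-server setting in the configuration.

    Only the command forms documented on this page are recognised; lines that
    do not start with "snmp-server " (including "no ..." forms) are ignored.
    """
    findings: list[Finding] = []
    has_securityip = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line.startswith("snmp-server "):
            continue
        words = line.split()
        kind = words[1]

        if kind == "community" and len(words) >= 4:
            access, name = words[2], words[3]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", line,
                    f"default community '{name}' grants {access} access"))
            else:
                findings.append(Finding("medium", line,
                    "v1/v2c community string is sent in clear text"))

        elif kind == "securityip" and len(words) >= 3:
            if words[2] == "disable":
                findings.append(Finding("high", line,
                    "secure IP check disabled: any host may query the agent"))
            elif words[2] != "enable":
                has_securityip = True  # an NMS address is configured

        elif kind == "host" and len(words) >= 4:
            version = words[3]
            if version in ("v1", "v2c"):
                findings.append(Finding("medium", line,
                    f"trap target uses {version}; trap community is sent in clear text"))
            elif version == "v3" and len(words) >= 5 and words[4].lower() != "authpriv":
                findings.append(Finding("medium", line,
                    f"v3 trap level '{words[4]}' does not encrypt"))

        elif kind == "user":
            m = re.search(r"\b(authPriv|authNoPriv)\s+auth\s+(md5|sha)\b", line, re.I)
            if m is None:
                findings.append(Finding("high", line,
                    "v3 user has no authentication (noAuthNoPriv)"))
            else:
                if m.group(1).lower() == "authnopriv":
                    findings.append(Finding("medium", line,
                        "v3 user authenticates but does not encrypt (authNoPriv)"))
                if m.group(2).lower() == "md5":
                    findings.append(Finding("low", line,
                        "v3 user authenticates with MD5; prefer SHA"))

        elif kind == "group" and len(words) >= 4:
            level = words[3].lower()
            if level == "noauthnopriv":
                findings.append(Finding("high", line,
                    "group requires neither authentication nor privacy"))
            elif level == "authnopriv":
                findings.append(Finding("medium", line,
                    "group authenticates but does not encrypt"))

        elif kind == "view" and len(words) >= 5:
            oid, mode = words[3].lstrip("."), words[4].lower()
            if mode == "include" and oid == "1":
                findings.append(Finding("low", line,
                    f"view '{words[2]}' includes the whole MIB tree from OID 1"))

    if not has_securityip:
        findings.append(Finding("medium", "(no snmp-server securityip <addr>)",
            "no NMS address restriction; configure snmp-server securityip"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or "none" for a clean configuration."""
    order = ("high", "medium", "low")
    return next((s for s in order if any(f.severity == s for f in findings)), "none")


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Feed it the output of the switch's "show snmp status" or a saved startup-config; the sample yields two high findings (both default community strings), one medium (v1 trap target) and two low.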
4.4.6 SNMP Troubleshooting
When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration, etc. Users can troubleshoot the problems by following the guide below:
- Check that the physical connection is in good condition.
- Check that the interface and data link layer protocol are Up (use the "show interface" command), and verify the connection between the Chassis Switch and the host with ping (use the "ping" command).
- Check that the SNMP Agent server function is enabled on the Chassis Switch (use the "snmp-server" command).
- Check that the secure IP for the NMS (use the "snmp-server securityip" command) and the community string (use the "snmp-server community" command) are correctly configured; if either of them is wrong, SNMP will not be able to communicate with the NMS properly.
- If the Trap function is required, remember to enable Trap (use the "snmp-server enable traps" command), and remember to properly configure the target host IP address and community string for Trap (use the "snmp-server host" command) so that Trap messages can be sent to the specified host.
- If the RMON function is required, RMON must be enabled first (use the "rmon enable" command).
- Use the "show snmp" command to verify sent and received SNMP messages; use the "show snmp status" command to verify SNMP configuration information; use "debug snmp packet" to enable the SNMP debugging function and check the debug information.
If users still can't solve the SNMP problems, please contact our technical and service center.
4.5 Switch Upgrade
The Chassis Switch provides two ways of upgrading: BootROM upgrade and TFTP/FTP upgrade under Shell.
4.5.1 Chassis Switch System Files
The system files include the system image file and the boot file. Updating the Chassis Switch means updating these two files by overwriting the old files with the new ones.
The system image file is the compressed file of the Chassis Switch hardware drivers, software support program, etc., namely what is usually called the IMG update file. The IMG file can only be saved in FLASH, with the defined name nos.img.
The boot file initializes the Chassis Switch, namely what is usually called the ROM update file (it can be compressed into an IMG file if it is large). The boot file can only be saved in ROM, with the defined name boot.rom.
The update method for the system image file and the boot file is the same. The Chassis Switch offers the user two modes of updating: 1. BootROM mode; 2. TFTP and FTP update in Shell mode. These two update methods are explained in detail in the following two sections.
4.5.2 BootROM Upgrade
There are two methods for BootROM upgrade: TFTP and FTP, which can be selected in the BootROM command settings.
Figure 4-5-1 Typical topology for Chassis Switch upgrade in BootROM mode (PC connected to the switch by a console cable and a network cable)
The upgrade procedures are listed below:
Step 1:
As shown in the figure, a PC is used as the console for the Chassis Switch. A console cable is used to connect the PC to the management port on the Chassis Switch. The PC should have FTP/TFTP server software installed and have the image file required for the upgrade.
Step 2:
Press "ctrl+b" while the Chassis Switch boots up until the Chassis Switch enters BootROM monitor mode. The operation result is shown below:
[Boot]:
Step 3:
Under BootROM mode, run "setconfig" to set the IP address and mask of the Chassis Switch under BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the Chassis Switch address is 192.168.1.2, the PC address is 192.168.1.66, and TFTP upgrade is selected; the configuration should look like:
[Boot]: setconfig
Host IP Address: [10.1.1.1] 192.168.1.2
Server IP Address: [10.1.1.2] 192.168.1.66
FTP (1) or TFTP(2): [1] 2
Network interface configure OK.
[Boot]
Step 4:
Enable the FTP/TFTP server on the PC. For TFTP, run the TFTP server program; for FTP, run the FTP server program. Before downloading the upgrade file to the Chassis Switch, verify the connectivity between the server and the Chassis Switch by pinging from the server. If ping succeeds, run the "load" command in BootROM mode on the Chassis Switch; if it fails, perform troubleshooting to find out the cause. The following is the configuration for loading the system update image file.
[Boot]: load nos.img
Loading...
Loading file ok!
Step 5:
Execute "write nos.img" in BootROM mode. The following saves the system update image file.
[Boot]: write nos.img
File nos.img exists, overwrite? (Y/N)?[N] y
Writing nos.img.....................................................
Write nos.img OK.
[Boot]:
Step 6:
The following updates the file boot.rom; the basic environment is the same as in Step 4.
[Boot]: load boot.rom
Loading...
Loading file ok!
Step 7:
Execute "write boot.rom" in BootROM mode. The following saves the update file.
[Boot]: write boot.rom
File boot.rom exists, overwrite? (Y/N)?[N] y
Writing boot.rom.....................................................
Write boot.rom OK.
[Boot]:
Step 8:
After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)
Other commands in BootROM mode
1. DIR command
Used to list existing files in the FLASH.
[Boot]: dir
boot.rom          327,440  1900-01-01 00:00:00  --SH
boot.conf              83  1900-01-01 00:00:00  --SH
nos.img         2,431,631  1980-01-01 00:21:34  ----
startup-config      2,922  1980-01-01 00:09:14  ----
temp.img        2,431,631  1980-01-01 00:00:32  ----
2. CONFIG RUN command
Used to set the IMAGE file to run upon system start-up, and the configuration file to run upon configuration recovery.
[Boot]: config run
Boot File: [nos.img] nos.img
Config File: [boot.conf]
4.5.3 FTP/TFTP Upgrade
4.5.3.1 Introduction to FTP/TFTP
FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols belonging to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, or between hosts and Chassis Switches. Both of them transfer files in a client-server model. Their differences are listed below.
FTP builds upon TCP to provide a reliable, connection-oriented data stream transfer service. However, it does not provide file access authorization and uses a simple authentication mechanism (it transfers the username and password in plain text for authentication). When using FTP to transfer files, two connections need to be established between the client and the server: a management connection and a data connection. A transfer request is sent by the FTP client to establish the management connection on port 21 of the server, and the data connection is negotiated through the management connection.
There are two types of data connections: active connection and passive connection.
In an active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until the data transfer is complete. Then, using the address and port number provided by the client, the server establishes the data connection from port 20 (if not engaged) to transfer data; if port 20 is engaged, the server automatically chooses some other port number to establish the data connection.
In a passive connection, the client, through the management connection, notifies the server to establish a passive connection. The server then creates its own data listening port and informs the client about the port, and the client establishes the data connection to the specified port.
As the data connection is established through the specified address and port, a third party can provide the data connection service.
TFTP builds upon UDP, providing an unreliable data stream transfer service with no user authentication or permission-based file access authorization. It ensures correct data transmission by a send-and-acknowledge mechanism and retransmission of timed-out packets. The advantage of TFTP over FTP is that it is a simple, low-overhead file transfer service.
The Chassis Switch can operate as either an FTP/TFTP client or server. When the Chassis Switch operates as an FTP/TFTP client, configuration files or system files can be downloaded from remote FTP/TFTP servers (hosts or other switches) without affecting its normal operation, and the file list can also be retrieved from the server in FTP client mode. Of course, the Chassis Switch can also upload the current configuration files or system files to remote FTP/TFTP servers (hosts or other switches). When the Chassis Switch operates as an FTP/TFTP server, it can provide file upload and download service for authorized FTP/TFTP clients, as well as a file list service when acting as an FTP server.
Here are some terms frequently used in FTP/TFTP.
- ROM: Short for EPROM, erasable programmable read-only memory. EPROM is replaced by FLASH memory in the Chassis Switch.
- SDRAM: RAM memory in the Chassis Switch, used for system software operation and configuration sequence storage.
- FLASH: Flash memory used to save the system file and configuration file.
- System file: includes the system image file and the boot file.
- System image file: refers to the compressed file for the Chassis Switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. In the Chassis Switch, the system image file may be saved in FLASH only. The Chassis Switch mandates that the name of the system image file uploaded via FTP in Global Mode be nos.img; other IMAGE system files will be rejected.
- Boot file: refers to the file that initializes the Chassis Switch, also referred to as the ROM upgrade file (a large file can be compressed as an IMAGE file). In the Chassis Switch, the boot file may be saved in ROM only. The Chassis Switch mandates that the name of the boot file be boot.rom.
- Configuration file: includes the start-up configuration file and the running configuration file. The distinction between the start-up configuration file and the running configuration file facilitates the backup and update of configurations.
- Start-up configuration file: refers to the configuration sequence used at Chassis Switch start-up. The Chassis Switch start-up configuration file is stored in FLASH only, corresponding to the so-called configuration save. To prevent illicit file upload and to simplify configuration, the Chassis Switch mandates that the name of the start-up configuration file be startup-config.
- Running configuration file: refers to the running configuration sequence used in the Chassis Switch. In the Chassis Switch, the running configuration file is stored in RAM. In the current version, the running configuration sequence running-config can be saved from RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the start-up configuration file; this is called configuration save. To prevent illicit file upload and to simplify configuration, the Chassis Switch mandates that the name of the running configuration file be running-config.
- Factory configuration file: the configuration file shipped with the Chassis Switch, named factory-config. Run set default and write, then restart the Chassis Switch, and the factory configuration file will be loaded to overwrite the current start-up configuration file.
4.5.3.2 FTP/TFTP Configuration
The configurations of the Chassis Switch as FTP and TFTP client are almost the same, so the configuration procedures for FTP and TFTP are described together in this manual.
4.5.3.2.1 FTP/TFTP Configuration Task List
1. FTP/TFTP client configuration
(1) Upload/download the configuration file or system file.
(2) For FTP client, the server file list can be checked.
2. FTP server configuration
(1) Start FTP server
(2) Configure FTP login username and password
(3) Modify FTP server connection idle time
(4) Shut down FTP server
3. TFTP server configuration
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server
1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file
Admin Mode
Command: copy <source-url> <destination-url> [ascii | binary]
Explanation: FTP/TFTP client upload/download file.
(2) For FTP client, the server file list can be checked.
Admin Mode
Command: ftp-dir <ftpServerUrl>
Explanation: For FTP client, the server file list can be checked. The ftpServerUrl format looks like: ftp://user:password@<IPv4|IPv6 address>.
2. FTP server configuration
(1) Start FTP server
Global Mode
Command: ftp-server enable
         no ftp-server enable
Explanation: Start the FTP server (IPv4 and IPv6 are supported); the no command shuts down the FTP server and prevents FTP users from logging in.
(2) Configure FTP login username and password
Global Mode
Command: ip ftp username <username> {nopassword | password {0 | 7} <password>}
         no ip ftp username <username>
Explanation: Configure the FTP login username and password; the no command deletes the username and password.
(3) Modify FTP server connection idle time
Global Mode
Command: ftp-server timeout <seconds>
Explanation: Set the connection idle time.
3. TFTP server configuration
(1) Start TFTP server
Global Mode
Command: tftp-server enable
         no tftp-server enable
Explanation: Start the TFTP server; the no command shuts down the TFTP server and prevents TFTP users from logging in.
(2) Modify TFTP server connection idle time
Global Mode
Command: tftp-server retransmission-timeout <seconds>
Explanation: Set the retransmission timeout interval (in seconds).
(3) Modify TFTP server connection retransmission time
Global Mode
Command: tftp-server retransmission-number <number>
Explanation: Set the number of retransmissions for the TFTP server.
4.5.3.3 FTP/TFTP Configuration Examples
The configuration of the Chassis Switch is the same for IPv4 and IPv6 addresses; the examples below use IPv4 addresses only.
Figure 4-5-2 Download nos.img file as FTP/TFTP client (server 10.1.1.1, Chassis Switch 10.1.1.2)
Scenario 1: The Chassis Switch is used as an FTP/TFTP client. The Chassis Switch connects from one of its ports to a computer, which is an FTP/TFTP server with an IP address of 10.1.1.1; the Chassis Switch acts as an FTP/TFTP client, and the IP address of the Chassis Switch management VLAN is 10.1.1.2. Download the "nos.img" file on the computer to the Chassis Switch.
FTP Configuration
Computer side configuration:
Start the FTP server software on the computer and set the username "Switch" and the password "switch". Place the "12_30_nos.img" file in the appropriate FTP server directory on the computer.
The configuration procedures of the switch are listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#exit
XGS3-42000R#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img
With the above commands, the Chassis Switch will have the "nos.img" file on the computer downloaded to FLASH.
TFTP Configuration
Computer side configuration:
Start the TFTP server software on the computer and place the "nos.img" file in the appropriate TFTP server directory on the computer.
The configuration procedures of the Chassis Switch are listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#exit
XGS3-42000R#copy tftp://10.1.1.1/12_30_nos.img nos.img
Scenario 2: The Chassis Switch is used as an FTP server. The Chassis Switch operates as the FTP server and connects from one of its ports to a computer, which is an FTP client. Transfer the "nos.img" file on the Chassis Switch to the computer and save it as 12_25_nos.img.
The configuration procedures of the Chassis Switch are listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#ftp-server enable
XGS3-42000R(config)#username Admin password 0 switch
Computer side configuration:
Log in to the Chassis Switch with any FTP client software, with the username "Admin" and password "switch", and use the command "get nos.img 12_25_nos.img" to download the "nos.img" file from the Chassis Switch to the computer.
Scenario 3: The Chassis Switch is used as a TFTP server. The Chassis Switch operates as the TFTP server and connects from one of its ports to a computer, which is a TFTP client. Transfer the "nos.img" file on the Chassis Switch to the computer.
The configuration procedures of the Chassis Switch are listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#tftp-server enable
Computer side configuration:
Connect to the Chassis Switch with any TFTP client software and use the "tftp" command to download the "nos.img" file from the Chassis Switch to the computer.
Scenario 4: The Chassis Switch acts as an FTP client to view the file list on the FTP server.
Conditions: The Chassis Switch connects to a computer by an Ethernet port; the computer is an FTP server with an IP address of 10.1.1.1; the Chassis Switch acts as an FTP client, and the IP address of the Chassis Switch management VLAN1 interface is 10.1.1.2.
FTP Configuration
PC side:
Start the FTP server software on the PC and set the username "Switch" and the password "Admin".
Switch:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R#copy ftp://Switch:superuser@10.1.1.1
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
recv total = 480
nos.img
nos.rom
parsecommandline.cpp
position.doc
qmdict.zip
…(some display omitted here)
show.txt
snmp.TXT
226 Transfer complete.
4.5.3.4 FTP/TFTP Troubleshooting
4.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with FTP, the connectivity of the link must be ensured, i.e., use the "Ping" command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover the link connectivity.
- The following is the message displayed when files are successfully transferred. Otherwise, please verify link connectivity and retry the "copy" command.
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
nos.img file length = 1526021
read file ok
send file
150 Opening ASCII mode data connection for nos.img.
226 Transfer complete.
close ftp client.
- The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the "copy" command.
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
- If the Chassis Switch is upgrading the system file or system start-up file through FTP, the Chassis Switch must not be restarted until "close ftp client" or "226 Transfer complete." is displayed, indicating the upgrade is successful; otherwise the Chassis Switch may be rendered unable to start. If the system file or system start-up file upgrade through FTP fails, please try to upgrade again or use BootROM mode to upgrade.
4.5.3.4.2 TFTP Troubleshooting
When uploading/downloading a system file with TFTP, the connectivity of the link must be ensured, i.e., use the "Ping" command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover the link connectivity.
- The following is the message displayed when files are successfully transferred. Otherwise, please verify link connectivity and retry the "copy" command.
nos.img file length = 1526021
read file ok
begin to send file, wait...
file transfers complete.
Close tftp client.
- The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the "copy" command.
begin to receive file, wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
If the Chassis Switch is upgrading the system file or system start-up file through TFTP, the Chassis Switch must not be restarted until "close tftp client" is displayed, indicating the upgrade is successful; otherwise the Chassis Switch may be rendered unable to start. If the system file or system start-up file upgrade through TFTP fails, please try to upgrade again or use BootROM mode to upgrade.
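Both troubleshooting lists above say the same thing in different words: do not reboot until the completion marker has been printed. As an added check (not from the manual), the script below parses a captured copy transcript in the FTP and TFTP forms shown on this page, confirms the marker and the "write ok" line are present, and compares the byte count the switch received against the size the FTP server announced. The transcripts are constructed from the lines printed above plus one deliberately truncated one; the TransferResult type and problem wording are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the "successfully received" FTP output on this page.
FTP_RECEIVE_OK = """\
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
"""

# Constructed from the "successfully received" TFTP output on this page.
TFTP_RECEIVE_OK = """\
begin to receive file, wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
"""

# Constructed: a download interrupted before the server confirmed it.
FTP_RECEIVE_CUT = """\
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
230 User logged in, proceed.
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
recv total = 9811
"""

# Markers the manual says must appear before the switch may be restarted
# (compared case-insensitively against the transcript).
COMPLETE_MARKERS = ("226 transfer complete", "close ftp client", "close tftp client")


@dataclass
class TransferResult:
    complete: bool           # a completion marker was printed
    written: bool            # "write ok" was printed (file landed in FLASH)
    received: int | None     # bytes the switch reports having received
    announced: int | None    # size the FTP server announced in its 150 reply
    problems: list[str] = field(default_factory=list)

    @property
    def safe_to_reboot(self) -> bool:
        return not self.problems


def check_transfer(transcript: str) -> TransferResult:
    """Parse a copy transcript and list every reason not to reboot yet."""
    text = transcript.lower()
    received = announced = None
    # "recv total = N" (FTP) or "recv N" (TFTP): bytes received by the switch.
    if m := re.search(r"^recv(?: total =)? (\d+)\s*$", text, re.M):
        received = int(m.group(1))
    # "(N bytes)" in the server's 150 reply: size the server intends to send.
    if m := re.search(r"\((\d+) bytes\)", text):
        announced = int(m.group(1))
    result = TransferResult(
        complete=any(marker in text for marker in COMPLETE_MARKERS),
        written="write ok" in text,
        received=received,
        announced=announced,
    )
    if not result.complete:
        result.problems.append("no completion marker (226 / close client) seen")
    if not result.written:
        result.problems.append("no 'write ok': image was not written to FLASH")
    if received is None:
        result.problems.append("no received byte count in transcript")
    elif announced is not None and received != announced:
        result.problems.append(f"received {received} bytes, server announced {announced}")
    return result


if __name__ == "__main__":
    for name, log in (("FTP ok", FTP_RECEIVE_OK), ("TFTP ok", TFTP_RECEIVE_OK),
                      ("FTP cut", FTP_RECEIVE_CUT)):
        r = check_transfer(log)
        print(f"{name}: safe_to_reboot={r.safe_to_reboot} {r.problems}")
```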
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files).
Files on FLASH can be copied, deleted or renamed in Shell or BootROM mode.
5.2 File System Operation Configuration Task List
1. Mounting and unmounting operations of memory cards
2. The formatting operation of storage devices
3. The creation of sub-directories
4. The deletion of sub-directories
5. Changing the current working directory of the storage device
6. The display operation of the current working directory
7. The display operation of information about a designated file or directory
8. The deletion of a designated file in the file system
9. The renaming operation of files
10. The copying operation of files
1. Mounting and unmounting operations of memory cards
Admin Configuration Mode
Command: mount <device>
         unmount <device>
Explanation: Mount and unmount memory cards.
2. The formatting operation of storage devices
Admin Configuration Mode
Command: format <device>
Explanation: Format the storage device.
3. The creation of sub-directories
Admin Configuration Mode
Command: mkdir <directory>
Explanation: Create a sub-directory in a designated directory on a certain device.
4. The deletion of sub-directories
Admin Configuration Mode
Command: rmdir <directory>
Explanation: Delete a sub-directory in a designated directory on a certain device.
5. Changing the current working directory of the storage device
Admin Configuration Mode
Command: cd <directory>
Explanation: Change the current working directory of the storage device.
6. The display operation of the current working directory
Admin Configuration Mode
Command: pwd
Explanation: Display the current working directory.
7. The display operation of information about a designated file or directory
Admin Configuration Mode
Command: dir [WORD]
Explanation: Display information about a designated file or directory on the storage device.
8. The deletion of a designated file in the file system
Admin Configuration Mode
Command: delete <file-url>
Explanation: Delete the designated file in the file system.
9. The renaming operation of files
Admin Configuration Mode
Command: rename <source-file-url> <dest-file>
Explanation: Change the name of a designated file on the Chassis Switch to a new one.
10. The copy operation of files
Admin Configuration Mode
Command: copy <source-file-url> <dest-file-url>
Explanation: Copy a designated file on the Chassis Switch and store it as a new one.
5.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the boardcard to cf:/nos-5.2.1.0.img.
The configuration of the Chassis Switch is as follows:
XGS3-42000R#copy flash:/nos.img flash:/nos-5.2.1.0.img
Copy flash:/nos.img to flash:/nos-5.2.1.0.img? [Y:N] y
Copied file flash:/nos.img to flash:/nos-5.2.1.0.img.
5.4 Troubleshooting
If errors occur when users try to perform file system operations, please check whether they are caused by the following reasons:
- Whether file names or paths are entered correctly.
- When renaming a file, whether it is in use or the new file name is already used by an existing file or directory.
Chapter 6 Cluster Configuration
6.1 Introduction to cluster network management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement direct management of the target switches through a management workstation, cluster network management implements management of the target switches (member switches) through an intermediate XGS3-42000R (commander switch). A commander switch can manage multiple member switches. As soon as a public IP address is configured on the commander switch, all the member switches, which are configured with private IP addresses, can be managed remotely. This feature economizes public IP addresses, which are in short supply. Cluster network management can dynamically discover cluster-feature-enabled switches (candidate switches). Network administrators can statically or dynamically add the candidate switches to an already established cluster. Accordingly, they can configure and manage the member switches through the commander switch. When the member switches are distributed in various physical locations (such as on different floors of the same building), cluster network management has obvious advantages. Moreover, cluster network management is an in-band management: the commander switch can communicate with member switches over the existing network. There is no need to build a specific network for network management.
Cluster network management has the following features:
- Saves IP addresses
- Simplifies configuration tasks
- Indifferent to network topology and distance limitations
- Auto detecting and auto establishing
- With factory default settings, multiple switches can be managed through cluster network management
- The commander switch can upgrade and configure any member switch in the cluster
6.2 Cluster Network Management Configuration Sequence
Cluster Network Management Configuration Sequence:
1. Enable or disable cluster function
2. Create cluster
1) Configure private IP address pool for member switches of the cluster
2) Create or delete cluster
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster
4) Set or modify the max number of lost keep-alive messages that can be tolerated
5) Clear the list of candidate switches maintained by the switch
4. Configure attributes of the cluster in the candidate switch
1) Set the time interval of keep-alive messages of the cluster
2) Set the max number of lost keep-alive messages that can be tolerated in the cluster
5. Remote cluster network management
1) Remote configuration management
2) Remotely upgrade member switch
3) Reboot member switch
6. Manage cluster network with web
1) Enable http
7. Manage cluster network with snmp
1) Enable snmp server
1. Enable or disable cluster
Command
Explanation
Global Mode
cluster run [key <WORD>] [vid <VID> ]
Enable or disable cluster function in
no cluster run
the Chassis Switch.
2. Create a cluster
Command
Explanation
Global Mode
cluster ip-pool <commander-ip>
Configure the private IP address pool
no cluster ip-pool
for cluster member devices.
cluster commander [<cluster_name>]
Create or delete a cluster.
no cluster commander
cluster member {candidate-sn <candidate-sn>
| mac-address <m ac-addr> [id <member-id> ]}
no cluster member {id <member-id> |
Add or remove a member switch.
mac-address <mac-addr>}
3. Configure attributes of the cluster in the commander switch
Command                                              Explanation
Global Mode
cluster auto-add                                     Enable or disable adding newly discovered candidate
no cluster auto-add                                  switches to the cluster.
cluster member auto-to-user                          Change automatically added members into manually
                                                     added ones.
cluster keepalive interval <second>                  Set the keep-alive interval of the cluster.
no cluster keepalive interval
cluster keepalive loss-count <int>                   Set the max number of lost keep-alive messages that
no cluster keepalive loss-count                      can be tolerated in the cluster.
Admin Mode
clear cluster nodes [nodes-sn                        Clear nodes in the list of candidate switches
  <candidate-sn-list> | mac-address <mac-addr>]      maintained by the switch.
4. Configure attributes of the cluster in the candidate switch
Command                                              Explanation
Global Mode
cluster keepalive interval <second>                  Set the keep-alive interval of the cluster.
no cluster keepalive interval
cluster keepalive loss-count <int>                   Set the max number of lost keep-alive messages that
no cluster keepalive loss-count                      can be tolerated in the cluster.
5. Remote cluster network management
Command                                              Explanation
Admin Mode
rcommand member <member-id>                          On the commander switch, this command is used to
                                                     configure and manage member switches.
rcommand commander                                   On a member switch, this command is used to configure
                                                     the commander switch.
cluster reset member [id <member-id> |               On the commander switch, this command is used to
  mac-address <mac-addr>]                            reset (reboot) the member switch.
cluster update member <member-id> <src-url>          On the commander switch, this command is used to
  <dst-filename> [ascii | binary]                    remotely upgrade the member switch. It can only
                                                     upgrade the nos.img file.
Because these commands act on every member with the commander's authority, the commander switch must be
protected like a management host: whoever has Admin Mode on it can reconfigure, reboot or reflash every member.
6. Manage cluster network with web
Command                                              Explanation
Global Mode
ip http server                                       Enable the http function on the commander switch and
                                                     on the member switches. Notice: the http function must
                                                     be enabled on a member switch before the commander
                                                     switch can reach that member by web; the commander
                                                     reaches the member through the cluster topology.
The web interface is plain HTTP, so keep it reachable only from the management network.
7. Manage cluster network with snmp
Command                                              Explanation
Global Mode
snmp-server enable                                   Enable the snmp server function on the commander
                                                     switch and on the member switches. Notice: the snmp
                                                     server function must be enabled on a member switch
                                                     before the commander switch can reach that member by
                                                     snmp. The commander reaches a member switch through
                                                     the community string <commander-community>@sw<member-id>.
Whoever knows the commander's community string therefore has the same SNMP access to every member; treat it
as a shared secret covering the whole cluster.
6.3 Examples of Cluster Administration
Scenario:
Four switches SW1-SW4; SW1 is the commander switch and the other three are member switches. SW2 and SW4
are directly connected to the commander switch; SW3 connects to the commander switch through SW2.
Figure 6-3-1 Examples of Cluster (SW1 commander; SW2 and SW4 directly attached; SW3 behind SW2)
Configuration Procedure
1. Configure the commander switch
Configuration of SW1:
XGS3-42000R(config)#cluster run
XGS3-42000R(config)#cluster ip-pool 10.2.3.4
XGS3-42000R(config)#cluster commander 5526
XGS3-42000R(config)#cluster auto-add
2. Configure the member switches
Configuration of SW2-SW4:
XGS3-42000R(config)#cluster run
6.4 Cluster Administration Troubleshooting
When encountering problems in applying cluster administration, please check the following possible causes:
 Whether the commander switch is correctly configured and the auto-add function (cluster auto-add) is
enabled, and whether the ports connecting the commander switch and the member switch belong to the cluster
VLAN.
 After cluster commander is enabled in VLAN1 of the commander switch, please do not enable a routing
protocol (RIP, OSPF, BGP) in this VLAN, to prevent the routing protocol from advertising the private cluster
addresses in this VLAN to other switches and causing routing loops.
 Whether the connection between the commander switch and the member switch is correct. Use debug cluster
packets to check whether the commander and the member switches can receive and process the related
cluster administration packets correctly.
Chapter 7 Port Configuration
7.1 Introduction to Port
The XGS3-42000R Chassis Switch contains copper ports and Combo ports. The Combo ports can be configured
as either 1000Base-TX ports or SFP Gigabit fiber ports.
To configure network ports, use the interface ethernet <interface-list> command to enter the Ethernet port
configuration mode, where <interface-list> stands for one or more ports. If <interface-list> contains multiple
ports, the special characters ';' and '-' separate them: ';' separates discrete port numbers and '-' denotes a
range of consecutive port numbers. For example, to operate on ports 2, 3, 4 and 5 of slot 1, the command is
interface ethernet 1/2-5. Port speed, duplex mode and traffic control can be configured under Ethernet Port
Mode, changing the behaviour of the corresponding network ports accordingly.
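A parser for the <interface-list> syntax described above, added here as an example (not code from the manual or the switch): it expands an entry such as 1/2-5;1/8 into slot/port pairs, rejects malformed, reversed or duplicate entries before a generated configuration reaches a device, and renders one interface section. The 4-slot limit is the chassis size from the title; the 48-port ceiling is an assumption for the example.

```python
"""Expand an <interface-list> as used by `interface ethernet`, e.g. "1/2-5;1/8;2/1".

Added example, not code from the XGS3-42000R manual. It implements the syntax
the manual states: ';' separates discrete entries, '-' marks a range of
consecutive ports within one slot.
"""
import re

# slot/port or slot/first-last
_ENTRY = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_interface_list(spec, max_slot=4, max_port=48):
    """Return the (slot, port) pairs named by `spec`, in the order given.

    Raises ValueError on malformed entries, reversed ranges, duplicates, or
    slot/port numbers outside the limits (4 slots per the chassis; the 48-port
    ceiling is an assumption for this example, not a figure from the manual).
    """
    if not spec or not spec.strip():
        raise ValueError("empty interface list")
    seen = set()
    ports = []
    for raw in spec.split(";"):
        entry = raw.strip()
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed interface entry {entry!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if not 1 <= slot <= max_slot:
            raise ValueError(f"slot {slot} out of range in {entry!r}")
        if first > last:
            raise ValueError(f"reversed range in {entry!r}")
        if not (1 <= first <= max_port and 1 <= last <= max_port):
            raise ValueError(f"port number out of range in {entry!r}")
        for port in range(first, last + 1):
            if (slot, port) in seen:
                raise ValueError(f"port {slot}/{port} listed twice")
            seen.add((slot, port))
            ports.append((slot, port))
    return ports


def port_config_block(spec, commands):
    """Render one 'interface ethernet <spec>' section with its port-mode commands.

    A port-mode command applies to every port in the list, so a generator only
    has to validate the list once and can emit it verbatim.
    """
    expand_interface_list(spec)  # fail early on bad input
    lines = [f"interface ethernet {spec}"]
    lines.extend(f" {c}" for c in commands)
    lines.append(" exit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(expand_interface_list("1/2-5"))
    print(port_config_block("1/8;1/9", ["speed-duplex force100-full"]))
```

Validating the list in the generator rather than on the device matters because a range typo such as 1/2-50 silently applies the command to far more ports than intended.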
7.2 Network Port Configuration Task List
1. Enter the network port configuration mode
2. Configure the properties for the network ports
(1) Configure combo mode for combo ports
(2) Enable/Disable ports
(3) Configure port names
(4) Configure port cable types
(5) Configure port speed and duplex mode
(6) Configure bandwidth control
(7) Configure traffic control
(8) Enable/Disable port loopback function
(9) Configure broadcast storm control function for the Chassis Switch
1. Enter the Ethernet port configuration mode
Command                                              Explanation
Global Mode
interface ethernet <interface-list>                  Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Command                                              Explanation
Port Mode
combo-forced-mode {copper-forced |                   Sets the combo port mode (combo ports only).
  copper-preferred-auto | sfp-forced |
  sfp-preferred-auto}
shutdown                                             Enables/Disables specified ports.
no shutdown
name <string>                                        Names or cancels the name of specified ports.
no name
mdi {auto | across | normal}                         Sets the cable type for the specified port; this
no mdi                                               command is not supported on the combo ports and
                                                     fiber ports of the Chassis Switch.
speed-duplex {auto | force10-half |                  Sets port speed and duplex mode of 100/1000Base-TX
  force10-full | force100-half |                     or 100Base-FX ports. The no form of this command
  force100-full | force100-fx                        restores the default setting, i.e., speed and duplex
  [module-type {auto-detected |                      mode are negotiated automatically.
  no-phy-integrated | phy-integrated}] |
  {{force1g-half | force1g-full}
  [nonegotiate [master | slave]]}}
no speed-duplex
negotiation {on | off}                               Enables/Disables the auto-negotiation function of
                                                     1000Base-FX ports.
bandwidth control <bandwidth> [both |                Sets or cancels the bandwidth limit for incoming
  receive | transmit]                                and/or outgoing traffic on the specified ports.
no bandwidth control
flow control                                         Enables/Disables the flow (traffic) control function
no flow control                                      on the specified ports.
loopback                                             Enables/Disables the loopback test function on the
no loopback                                          specified ports.
rate-suppression {dlf | broadcast |                  Enables storm control for broadcasts, multicasts and
  multicast} <packets>                               unicasts with unknown destinations (dlf), and sets
                                                     the allowed packet number; the no form of this
                                                     command disables storm control.
7.3 Port Configuration Example
Figure 7-3-1 Port Configuration Example (Switch1 port 1/7; Switch2 ports 1/8, 1/9, 1/10; Switch3 port 1/12)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch      Port      Property
Switch1     1/7       Ingress bandwidth limit: 150 M
Switch2     1/8       Mirror source port
            1/9       100Mbps full, mirror source port
            1/10      1000Mbps full, mirror destination port
Switch3     1/12      100Mbps full
The configurations are listed below:
Switch1:
Switch1(config)#interface ethernet 1/7
Switch1(Config-If-Ethernet1/7)#bandwidth control 150 receive
Switch2:
Switch2(config)#interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)#exit
Switch2(config)#interface ethernet 1/10
Switch2(Config-If-Ethernet1/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/10)#exit
Switch2(config)#monitor session 1 source interface ethernet 1/8;1/9
Switch2(config)#monitor session 1 destination interface ethernet 1/10
Switch3:
Switch3(config)#interface ethernet 1/12
Switch3(Config-If-Ethernet1/12)#speed-duplex force100-full
Switch3(Config-If-Ethernet1/12)#exit
7.4 Port Troubleshooting
Here are some situations that frequently occur in port configuration and the advised solutions:
 Two connected fiber interfaces will not link up if one interface is set to auto-negotiation but the other to
forced speed/duplex. This is determined by IEEE 802.3.
 The following combinations are not recommended: enabling flow control as well as setting multicast limiting
on the same port; setting broadcast, multicast and unknown destination unicast control as well as port
bandwidth limiting on the same port. If such combinations are set, the port throughput may fall below the
expected performance.
Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function that works between ports and isolates the flows of
different ports from each other. With port isolation, users can isolate ports within a VLAN, which saves VLAN
resources and enhances network security. After this function is configured, the ports in a port isolation group
are isolated from each other, while ports belonging to different isolation groups, or to no group, forward data to
one another normally. A Chassis Switch supports no more than 16 port isolation groups.
Isolation is enforced only inside this switch: two isolated ports can still reach each other through any device
behind the uplink that forwards between them (for example a router on the same VLAN), so pair it with
filtering upstream when that path must be closed as well.
8.2 Task Sequence of Port Isolation
1. Create an isolate port group
2. Add Ethernet ports into the group
3. Specify the flow to be isolated
4. Display the configuration of port isolation
1. Create an isolate port group
Command                                              Explanation
Global Mode
isolate-port group <WORD>                            Set a port isolation group; the no operation of this
no isolate-port group <WORD>                         command deletes the port isolation group.
2. Add Ethernet ports into the group
Command                                              Explanation
Global Mode
isolate-port group <WORD> switchport                 Add one port or a group of ports into a port isolation
  interface [<ethernet>] <IFNAME>                    group; they become isolated from the other ports in
no isolate-port group <WORD> switchport              the group. The no operation of this command removes
  interface [<ethernet>] <IFNAME>                    one port or a group of ports from a port isolation
                                                     group.
3. Specify the flow to be isolated
Command                                              Explanation
Global Mode
isolate-port apply [<l2|l3|all>]                     Apply the port isolation configuration to layer-2
                                                     flows, layer-3 flows or all flows.
4. Display the configuration of port isolation
Command                                              Explanation
Admin Mode and Global Mode
show isolate-port group [<WORD>]                     Display the configuration of port isolation, including
                                                     all configured port isolation groups and the Ethernet
                                                     ports in each group.
8.3 Port Isolation Function Typical Examples
Figure 8-3-1 A typical example of port isolation function (S1 ports e1/1, e1/10 and e1/15; S2 and S3)
The topology and configuration of the switches are shown in the figure above, with e1/1, e1/10 and e1/15 all
belonging to VLAN 100. The requirement is that, after port isolation is enabled on switch S1, e1/1 and e1/10
on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port
e1/15. That is, communication between any pair of downlink ports is disabled while that between any downlink
port and the specified uplink port is normal. The uplink port can communicate with any port normally.
The configuration of S1:
XGS3-42000R(config)#isolate-port group test
XGS3-42000R(config)#isolate-port group test switchport interface ethernet 1/1;1/10
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
As Ethernet switching has spread, more and more users access the network through Ethernet switches. In an
enterprise network users access the network through layer-2 switches, which creates a demand for both
Internet access and internal layer-2 interworking. In layer-2 switching, frames are forwarded by MAC address,
and the accuracy of the MAC address table is the key to correct interworking between users.
Layer-2 devices learn MAC addresses from source addresses: when a port receives a frame from an unknown
source MAC address, the switch binds that MAC to the receiving port, so that later frames destined to this MAC
can be forwarded directly. A MAC address is learned once and then used for forwarding.
When a source MAC that the layer-2 device has already learned arrives again on a different port, the entry is
moved to the new port. As a result, if there is a loop in the link, all MAC addresses in the whole layer-2 network
are bound to the port where the loop appears (usually each MAC address is shifted from one port to another
again and again), and the layer-2 network collapses. That is why loops on ports must be detected. When a
loop is detected, the detecting device should send alarms to the network management system, so that the
network manager can discover, locate and solve the problem and users are protected from a long-lasting
outage.
Since loopback detection decides dynamically whether a loop exists on the link and whether it has gone, a
device that supports port control (such as port isolation and port MAC address learning control) can handle it
automatically, which not only reduces the burden on network managers but also shortens the response time,
minimizing the effect of loops on the network.
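The MAC-move behaviour described above, as an added example that is not the switch's own loopback-detection code: a small Python model of source-MAC learning in which an entry moves to the last port that saw the address, plus the flap counter a monitoring script can apply to a stream of learned frames (or to MAC-move records exported from a switch). The traffic, the window and the threshold are constructed for the example.

```python
"""Detect the MAC-address flapping that a layer-2 loop produces.

Added example, not the XGS3-42000R's loopback-detection implementation. A
frame whose source MAC is already bound to a different port moves the entry;
with a loop every MAC keeps moving to the looped port, so counting moves per
MAC inside a short window flags the condition and points at the port.
"""
from collections import defaultdict, deque


class MacTable:
    """Source-MAC learning table with a per-MAC port-move counter."""

    def __init__(self, window=2.0, move_threshold=3):
        self.table = {}                  # mac -> port currently bound
        self.moves = defaultdict(deque)  # mac -> timestamps of recent port moves
        self.window = window             # seconds; value chosen for the example
        self.threshold = move_threshold  # moves inside the window that count as flapping
        self.flapping = {}               # mac -> port it most recently moved to

    def learn(self, frame):
        """Learn one frame; return (mac, old_port, new_port) when it trips the flap threshold."""
        mac, port, ts = frame["src"], frame["port"], frame["ts"]
        old = self.table.get(mac)
        self.table[mac] = port           # the move itself: the last port seen wins
        if old is None or old == port:
            return None
        q = self.moves[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget moves older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.flapping[mac] = port
            return (mac, old, port)
        return None

    def suspected_loop_ports(self):
        """Count how many flapping MACs currently sit on each port; a loop shows
        up as one port (or a small set) that collects all of them."""
        counts = defaultdict(int)
        for port in self.flapping.values():
            counts[port] += 1
        return dict(counts)


def sample_frames():
    """Constructed traffic: two hosts learned normally, then the same frames also
    arriving on port 1/5 as a loop reflects them back into the switch."""
    frames = [{"src": "00:00:00:00:00:01", "port": "1/1", "ts": 0.0},
              {"src": "00:00:00:00:00:02", "port": "1/2", "ts": 0.1}]
    ts = 1.0
    for _ in range(4):
        for mac, port in (("00:00:00:00:00:01", "1/1"), ("00:00:00:00:00:02", "1/2")):
            frames.append({"src": mac, "port": port, "ts": ts})
            ts += 0.05
            frames.append({"src": mac, "port": "1/5", "ts": ts})
            ts += 0.05
    return frames


def analyse(frames, **kw):
    """Run frames through a fresh table; return the table and the flap events."""
    table = MacTable(**kw)
    events = [e for e in (table.learn(f) for f in frames) if e]
    return table, events


if __name__ == "__main__":
    table, events = analyse(sample_frames())
    for mac, old, new in events:
        print(f"flap: {mac} moved {old} -> {new}")
    print("ports collecting flapping MACs:", table.suspected_loop_ports())
```

The two normal frames alone produce no event; once the loop is introduced every address ends up on 1/5, which is the port an operator would then inspect with show loopback-detection.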
9.2 Port Loopback Detection Function Configuration Task List
1. Configure the time interval of loopback detection
2. Enable the function of port loopback detection
3. Configure the control method of port loopback detection
4. Display and debug the relevant information of port loopback detection
5. Configure the loopback-detection control mode (automatic recovery enabled or not )
1. Configure the time interval of loopback detection
Command                                              Explanation
Global Mode
loopback-detection interval-time                     Configure the time interval of loopback detection.
  <loopback> <no-loopback>
no loopback-detection interval-time
2. Enable the function of port loopback detection
Command                                              Explanation
Port Mode
loopback-detection specified-vlan <vlan-list>        Enable and disable the function of port loopback
no loopback-detection specified-vlan <vlan-list>     detection.
3. Configure the control method of port loopback detection
Command                                              Explanation
Port Mode
loopback-detection control {shutdown |               Enable and disable the function of port loopback
  block | learning}                                  detection control.
no loopback-detection control
4. Display and debug the relevant information of port loopback detection
Command                                              Explanation
Admin Mode
debug loopback-detection                             Enable the debug information of the port loopback
no debug loopback-detection                          detection module. The no operation of this command
                                                     disables the debug information.
show loopback-detection [interface                   Display the state and result of loopback detection on
  <interface-list>]                                  all ports if no parameter is provided; otherwise,
                                                     display the state and result of the specified ports.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
Command                                              Explanation
Global Mode
loopback-detection control-recovery                  Configure the loopback-detection control mode
  timeout <0-3600>                                   (automatic recovery enabled or not) and the recovery
                                                     time.
9.3 Port Loopback Detection Function Example
Figure 9-3-1 A typical example of port loopback detection (SWITCH connected to the outside network topology)
As shown in the above configuration, the Chassis Switch detects the existence of loops in the network
topology. After loopback detection is enabled on the port connecting the Chassis Switch with the outside
network, the Chassis Switch notifies the connected network about the existence of a loop and controls the port
to keep the whole network operating normally.
The configuration task sequence of SWITCH:
XGS3-42000R(config)#loopback-detection interval-time 35 15
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#loopback-detection specified-vlan 1-3
XGS3-42000R(config-If-Ethernet1/1)#loopback-detection control block
If the control method block is adopted, MSTP must be enabled globally, and the correspondence between
spanning tree instances and VLANs must be configured:
XGS3-42000R(config)#spanning-tree
XGS3-42000R(config)#spanning-tree mst configuration
XGS3-42000R(config-Mstp-Region)#instance 1 vlan 1
XGS3-42000R(config-Mstp-Region)#instance 2 vlan 2
9.4 Port Loopback Detection Troubleshooting
The function of port loopback detection is disabled by default and should only be enabled if required.
Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially on fiber links. Unidirectional link
means that only one port of the link can receive frames from the other port, while the latter cannot receive
frames from the former. Since the physical layer of the link is connected and works normally, the checking
mechanisms of the physical layer cannot find the communication problem between the devices. As shown in
the figures below, a problem in the fiber connection cannot be found through physical-layer mechanisms such
as auto-negotiation.
Figure 10-1-1 Fiber Cross Connection (Switch A g1/1, g1/2 and Switch B g1/3, g1/4)
Figure 10-1-2 One End of Each Fiber Not Connected (Switch A, Switch B and Switch C)
This kind of problem often appears in the following situations: the GBIC (Gigabit Interface Converter) or the
interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. A
unidirectional link causes a series of problems, such as spanning tree topology loops and broadcast black
holes.
ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations
mentioned above. On a Chassis Switch connected via fiber or copper Ethernet cable (such as Category 5e
twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered,
it sends warnings to users and can disable the port automatically or manually according to the user's
configuration.
The ULDP of the switch recognizes remote devices and checks the correctness of link connections by
exchanging ULDP messages. When ULDP is enabled on a port, a protocol state machine is started, and
different types of messages are sent in the different states of the state machine to check the connection state
of the link by exchanging information with the remote device. ULDP can dynamically learn the interval at
which the remote device sends notification messages and adjust the local TTL (time to live) according to that
interval. Besides, ULDP provides a reset mechanism: when a port has been disabled by ULDP, it can be
checked again through the reset mechanism. The time intervals of notification messages and of reset in ULDP
can be configured by users, so that ULDP can respond faster to connection errors in different network
environments.
The premise of ULDP working normally is that the link works in duplex mode and ULDP is enabled on both
ends of the link, using the same authentication method and password.
10.2 ULDP Configuration Task Sequence
1. Enable ULDP function globally
2. Enable ULDP function on a port
3. Configure aggressive mode globally
4. Configure aggressive mode on a port
5. Configure the method to shut down unidirectional link
6. Configure the interval of Hello messages
7. Configure the interval of Recovery
8. Reset the port shut down by ULDP
9. Display and debug the relative information of ULDP
1. Enable ULDP function globally
Command                                              Explanation
Global configuration mode
uldp enable                                          Globally enable or disable the ULDP function.
uldp disable
2. Enable ULDP function on a port
Command                                              Explanation
Port configuration mode
uldp enable                                          Enable or disable the ULDP function on a port.
uldp disable
3. Configure aggressive mode globally
Command                                              Explanation
Global configuration mode
uldp aggressive-mode                                 Set the global working mode.
no uldp aggressive-mode
4. Configure aggressive mode on a port
Command                                              Explanation
Port configuration mode
uldp aggressive-mode                                 Set the working mode of the port.
no uldp aggressive-mode
5. Configure the method to shut down unidirectional link
Command                                              Explanation
Global configuration mode
uldp manual-shutdown                                 Configure the method used to shut down a
no uldp manual-shutdown                              unidirectional link.
6. Configure the interval of Hello messages
Command                                              Explanation
Global configuration mode
uldp hello-interval <integer>                        Configure the interval of Hello messages, ranging from
no uldp hello-interval                               5 to 100 seconds. The default value is 10 seconds.
7. Configure the interval of Recovery
Command                                              Explanation
Global configuration mode
uldp recovery-time <integer>                         Configure the interval of Recovery reset, ranging from
no uldp recovery-time <integer>                      30 to 86400 seconds. The default value is 0 seconds
                                                     (recovery disabled).
8. Reset the port shut down by ULDP
Command                                              Explanation
Global configuration mode or port configuration mode
uldp reset                                           Reset all ports in global configuration mode; reset the
                                                     specified port in port configuration mode.
9. Display and debug the relative information of ULDP
Command                                              Explanation
Admin mode
show uldp [interface ethernet <IFNAME>]              Display ULDP information. Without a parameter, display
                                                     global ULDP information; with a port specified, display
                                                     the global information and the neighbor information of
                                                     that port.
debug uldp fsm interface ethernet <IFNAME>           Enable or disable the debug switch for the state
no debug uldp fsm interface ethernet <IFNAME>        machine transition information on the specified port.
debug uldp error                                     Enable or disable the debug switch for error
no debug uldp error                                  information.
debug uldp event                                     Enable or disable the debug switch for event
no debug uldp event                                  information.
debug uldp packet {receive | send}                   Enable or disable debugging of the type of messages
no debug uldp packet {receive | send}                received and sent on all ports.
debug uldp {hello | probe | echo | unidir | all}     Enable or disable debugging of the detailed content of
  [receive | send] interface ethernet <IFNAME>       a particular type of messages received and sent on the
no debug uldp {hello | probe | echo | unidir | all}  specified port.
  [receive | send] interface ethernet <IFNAME>
10.3 ULDP Function Typical Examples
Figure 10-3-1 Fiber Cross Connection (Switch A g1/1, g1/2 with PC1; Switch B g1/3, g1/4 with PC2)
In the network topology in the figure, ports g1/1 and g1/2 of SWITCH A as well as ports g1/3 and g1/4 of
SWITCH B are all fiber ports, and the connection is a cross connection. The physical layer is connected and
works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of link error. The
final result is that ports g1/1, g1/2 of SWITCH A and ports g1/3, g1/4 of SWITCH B are all shut down by ULDP.
Only when the connection is correct can the ports work normally (not be shut down).
Switch A configuration sequence:
SwitchA(config)#uldp enable
SwitchA(config)#interface ethernet 1/1
SwitchA(Config-If-Ethernet1/1)#uldp enable
SwitchA(Config-If-Ethernet1/1)#exit
SwitchA(config)#interface ethernet 1/2
SwitchA(Config-If-Ethernet1/2)#uldp enable
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet 1/3
SwitchB(Config-If-Ethernet1/3)#uldp enable
SwitchB(Config-If-Ethernet1/3)#exit
SwitchB(config)#interface ethernet 1/4
SwitchB(Config-If-Ethernet1/4)#uldp enable
As a result, ports g1/1 and g1/2 of SWITCH A are both shut down by ULDP, and the following notifications
appear on the terminal of PC1:
%Oct 29 11:09:50 2007 A unidirectional link is detected!
Port Ethernet1/1 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected!
Port Ethernet1/2 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/2 shutted down!
Ports g1/3 and g1/4 of SWITCH B are both shut down by ULDP, and the following notifications appear on the
terminal of PC2:
%Oct 29 11:09:50 2007 A unidirectional link is detected!
Port Ethernet1/3 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/3 shutted down!
%Oct 29 11:09:50 2007 A unidirectional link is detected!
Port Ethernet1/4 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/4 shutted down!
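A model of why the cross connection above is detected, as an added example that is not the switch's ULDP implementation: the manual does not publish the protocol's message format or state machine, so the hello contents and the two-round timing are this example's own simplification of the idea stated in 10.1. Each port sends along its transmit strand a hello naming itself and the neighbours it currently hears; a port whose heard neighbour does not report hearing it back declares the link unidirectional. Port names and the wiring are those of Figure 10-3-1.

```python
"""Model why ULDP flags the fibre cross-connection in Figure 10-3-1.

Added example; not the XGS3-42000R's ULDP code, and a simplification: one
hello type, fixed rounds instead of a learned hold time, no authentication.
A link is bidirectional only when what I hear from you says that you hear me.
"""


class Port:
    def __init__(self, name):
        self.name = name        # e.g. "A:g1/1"
        self.tx_to = None       # port that receives this port's light
        self.heard = set()      # neighbour ports whose hellos arrived here
        self.peer_hears = {}    # neighbour -> ports that neighbour reports hearing


def fibre(src, dst):
    """One strand of fibre: light leaves src and arrives at dst."""
    src.tx_to = dst


def hello(port):
    """The hello a port sends: who I am and whom I currently hear."""
    return {"from": port.name, "hears": frozenset(port.heard)}


def run_round(ports):
    """Every port transmits one hello along its strand; receivers record it.
    Hellos are built before any is delivered, as on a real wire."""
    msgs = [(p.tx_to, hello(p)) for p in ports if p.tx_to is not None]
    for rx, msg in msgs:
        rx.heard.add(msg["from"])
        rx.peer_hears[msg["from"]] = msg["hears"]


def unidirectional(port):
    """Heard neighbours that do not report hearing this port back."""
    return sorted(n for n in port.heard if port.name not in port.peer_hears[n])


def build(crossed):
    """Two fibre pairs between Switch A (g1/1, g1/2) and Switch B (g1/3, g1/4)."""
    a1, a2, b3, b4 = (Port(n) for n in ("A:g1/1", "A:g1/2", "B:g1/3", "B:g1/4"))
    if crossed:
        # Figure 10-3-1: A's transmit strands land on the wrong B ports
        fibre(a1, b4); fibre(a2, b3); fibre(b3, a1); fibre(b4, a2)
    else:
        fibre(a1, b3); fibre(b3, a1); fibre(a2, b4); fibre(b4, a2)
    return [a1, a2, b3, b4]


def detect(crossed, rounds=2):
    """Return, per port, the neighbours it hears that do not hear it."""
    ports = build(crossed)
    for _ in range(rounds):  # round 1 learns neighbours, round 2 reports them
        run_round(ports)
    return {p.name: unidirectional(p) for p in ports}


if __name__ == "__main__":
    print("correct wiring:", detect(crossed=False))
    print("cross connection:", detect(crossed=True))
```

With the correct wiring every port hears a neighbour that hears it back; with the cross connection every one of the four ports hears a neighbour that reports someone else, which is why all four are shut down in the output above. A real implementation waits for the hold time derived from the neighbour's hello interval rather than a fixed round count.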
10.4 ULDP Troubleshooting
Configuration Notice:
 In order to ensure that ULDP can discover that one of the fiber ports is not connected or that the ports are
incorrectly cross connected, the ports have to work in duplex mode and at the same rate.
 If the auto-negotiation mechanism of the fiber ports, with one port misconnected, decides the working mode
and rate of the ports, ULDP does not take effect whether enabled or not. In that situation the port is
considered "Down".
 To make sure that neighbors are created correctly and unidirectional links are discovered correctly, both
ends of the link must enable ULDP, using the same authentication method and password. At present, no
password is needed on either end, which means ULDP messages are not authenticated: anything attached to
the port can send them, so the protocol protects against miswiring, not against a hostile neighbor.
 The interval for sending hello messages can be changed (it is 10 seconds by default and ranges from 5 to
100 seconds) so that ULDP can respond faster to link connection errors in different network environments.
But this interval should be less than 1/3 of the STP convergence time. If the interval is too long, an STP loop
is generated before ULDP discovers and shuts down the unidirectional port. If the interval is too short, the
network burden on the port increases, which means reduced bandwidth.
 ULDP does not handle any LACP event. It treats every link of a TRUNK group (such as Port-channel or
TRUNK ports) as independent and handles each of them separately.
 ULDP is not compatible with the similar protocols of other vendors, which means users cannot use ULDP
on one end and another similar protocol on the other end.
 The ULDP function is disabled by default. After globally enabling the ULDP function, the debug switch can
be enabled at the same time to check the debug information. Several DEBUG commands are provided to
print debug information, such as information on events, the state machine, errors and messages. Different
types of message information can also be printed according to different parameters.
 The Recovery timer is disabled by default and is only enabled when the user has configured a recovery
time (30-86400 seconds).
 The reset command and reset mechanism can only reset ports automatically shut down by ULDP. Ports
shut down manually by users or by other modules are not reset by ULDP.
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a protocol defined in IEEE 802.1AB. It enables neighbor devices to
send notices of their own state to other devices, and enables all ports of every device to store information
about their neighbors. If necessary, the ports can also send update information to the neighbor devices directly
connected to them, and those neighbor devices store the information in standard SNMP MIBs. The network
management system can then check the layer-two connection state from the MIB. LLDP does not configure or
control network elements or flows; it only reports the layer-two configuration. Another part of 802.1AB is the
use of the information provided by LLDP to find conflicts at layer two. IEEE reuses the existing physical
topology, interface and Entity MIBs of the IETF.
To simplify, LLDP is a neighbor discovery protocol. It defines a standard method for Ethernet devices, such as
switches, routers and WLAN access points, to announce their existence to other nodes in the network and to
store the discovery information of all neighbor devices. For example, both the detailed device configuration and
the discovery information can be advertised with this protocol.
Specifically, LLDP defines a general advertisement information set, a transport protocol for the advertisements
and a method to store the received advertisement information. A device advertising its own information can put
multiple pieces of advertisement information in one LAN data packet. Each piece is carried as a type-length-value
(TLV) field. All devices supporting LLDP have to support the device ID (chassis ID) and port ID advertisements,
and most devices are expected to also support the system name, system description and system capabilities
advertisements. System name and system description advertisements can also provide useful information for
collecting network flow data. The system description advertisement can include data such as the full name of
the advertising device, the hardware type of the system, the version of the software operating system and so on.
Because the system description can reveal the exact software version to anything attached to the port, a
practitioner limits the optional TLVs sent, or sets the port to receive-only, on ports facing untrusted devices
(see the lldp transmit optional tlv and lldp mode commands below).
The 802.1AB Link Layer Discovery Protocol makes finding problems in an enterprise network easier and
strengthens the ability of network management tools to discover and maintain an accurate network topology.
Many kinds of network management software use an "automated discovery" function to trace changes in the
topology, but most of them reach only layer three and at best classify devices into IP subnets. That kind of
data is very primitive, referring only to basic events such as the adding and removing of devices instead of
details about where and how these devices operate in the network.
Layer-2 discovery covers information such as which devices have which ports and which switches connect to
other devices; it can also display the routes between clients, switches, routers, application servers and
network servers. Such details are very useful for planning and for investigating the source of network failures.
LLDP is therefore a very useful management tool, providing accurate information about the network layout,
flow data and network problems.
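The TLV framing described above, as an added example that is not code from the manual or the switch firmware: it builds a constructed LLDPDU, parses it, checks that the mandatory chassis ID, port ID and TTL TLVs come first as 802.1AB requires, and lists the optional TLVs a passive listener on the wire would receive. The MAC address, port name and description strings are made up for the example; the TLV type numbers and the 7-bit type / 9-bit length header are those of IEEE 802.1AB.

```python
"""Parse an LLDPDU into its TLVs and report what the advertising port discloses.

Added example, not code from the XGS3-42000R manual or its firmware. The PDU
is constructed inline. TLV header: 7-bit type, 9-bit length, then the value.
"""
import struct

TLV_NAMES = {0: "End", 1: "ChassisID", 2: "PortID", 3: "TTL", 4: "PortDesc",
             5: "SysName", 6: "SysDesc", 7: "SysCap", 8: "MgmtAddr",
             127: "OrgSpecific"}
CAP_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
            0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def tlv(t, value):
    """Encode one TLV; used only to build the sample PDU."""
    return struct.pack("!H", (t << 9) | len(value)) + value


def sample_lldpdu():
    """A constructed LLDPDU as a switch might send it from Ethernet1/1."""
    chassis_mac = bytes.fromhex("00304f112233")            # constructed MAC
    return (tlv(1, b"\x04" + chassis_mac)                    # chassis subtype 4 = MAC
            + tlv(2, b"\x05" + b"Ethernet1/1")               # port subtype 5 = ifName
            + tlv(3, struct.pack("!H", 120))                 # TTL in seconds
            + tlv(5, b"XGS3-42000R")
            + tlv(6, b"XGS3-42000R, software build string (constructed)")
            + tlv(7, struct.pack("!HH", 0x0014, 0x0014))     # bridge+router capable/enabled
            + tlv(0, b""))


def decode(t, val):
    """Turn a TLV value into something readable for the common types."""
    if t in (1, 2):
        sub = val[0]
        if (t == 1 and sub == 4) or (t == 2 and sub == 3):   # MAC-address subtypes
            return ":".join(f"{b:02x}" for b in val[1:])
        return val[1:].decode("ascii", "replace")
    if t == 3:
        return struct.unpack("!H", val)[0]
    if t == 7:
        _supported, enabled = struct.unpack("!HH", val)
        return sorted(n for b, n in CAP_BITS.items() if enabled & b)
    if t in (8, 127):
        return val.hex()
    return val.decode("utf-8", "replace")


def parse_lldpdu(pdu):
    """Return a list of (type, name, decoded value); raise on malformed input."""
    out, off = [], 0
    while True:
        if off + 2 > len(pdu):
            raise ValueError("PDU ends without End TLV")
        hdr, = struct.unpack_from("!H", pdu, off)
        t, n = hdr >> 9, hdr & 0x1FF
        val = pdu[off + 2: off + 2 + n]
        if len(val) != n:
            raise ValueError(f"TLV type {t} claims {n} bytes, only {len(val)} left")
        off += 2 + n
        if t == 0:
            break
        out.append((t, TLV_NAMES.get(t, f"type{t}"), decode(t, val)))
    mandatory = [x[0] for x in out[:3]]
    if mandatory != [1, 2, 3]:
        raise ValueError(f"mandatory TLVs not first or out of order: {mandatory}")
    return out


def disclosed_optional(tlvs):
    """Names of optional TLVs present: what a listener learns beyond the mandatory
    chassis/port/TTL triple (the manual's sysName, sysDesc and sysCap options)."""
    return [name for t, name, _ in tlvs if t >= 4]


if __name__ == "__main__":
    for t, name, value in parse_lldpdu(sample_lldpdu()):
        print(f"{name:10s} {value}")
    print("optional TLVs on the wire:", disclosed_optional(sample_lldpdu() and parse_lldpdu(sample_lldpdu())))
```

Length checks matter because a crafted TLV whose length runs past the end of the frame is the classic way to crash or confuse an LLDP receiver; the parser refuses such a PDU instead of reading past it.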
11.2 LLDP Function Configuration Task Sequence
1. Globally enable LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the intervals of LLDP updating messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of updating messages
7. Configure the intervals of sending Trap messages
8. Configure to enable the Trap function of the port
9. Configure the optional information-sending attribute of the port
10. Configure the size of space to store Remote Table of the port
11. Configure the type of operation when the Remote Table of the port is full
12. Display and debug the relative information of LLDP
1. Globally enable LLDP function
Command                                              Explanation
Global Mode
lldp enable                                          Globally enable or disable the LLDP function.
lldp disable
2. Configure the port-based LLDP function switch
Command                                              Explanation
Port Mode
lldp enable                                          Configure the port-based LLDP function switch.
lldp disable
3. Configure the operating state of port LLDP
Command                                              Explanation
Port Mode
lldp mode (send|receive|both|disable)                Configure the operating state of port LLDP.
4. Configure the intervals of LLDP updating messages
Command                                              Explanation
Global Mode
lldp tx-interval <integer>                           Configure the interval of LLDP update messages as the
no lldp tx-interval                                  specified value or the default value.
5. Configure the aging time multiplier of LLDP messages
Command                                              Explanation
Global Mode
lldp msgTxHold <value>                               Configure the aging time multiplier of LLDP messages
no lldp msgTxHold                                    as the specified value or the default value.
6. Configure the sending delay of updating messages
Command                                              Explanation
Global Mode
lldp transmit delay <seconds>                        Configure the sending delay of update messages as the
no lldp transmit delay                               specified value or the default value.
7. Configure the intervals of sending Trap messages
Command                                              Explanation
Global Mode
lldp notification interval <seconds>                 Configure the interval of sending Trap messages as the
no lldp notification interval                        specified value or the default value.
8. Configure to enable the Trap function of the port
Command                                              Explanation
Port Configuration Mode
lldp trap <enable|disable>                           Enable or disable the Trap function of the port.
9. Configure the optional information-sending attribute of the port
Command                                              Explanation
Port Configuration Mode
lldp transmit optional tlv [portDesc]                Configure the optional information-sending attribute of
  [sysName] [sysDesc] [sysCap]                       the port as the given options or the default values.
no lldp transmit optional tlv
10. Configure the size of space to store Remote Table of the port
Command                                              Explanation
Port Configuration Mode
lldp neighbors max-num <value>                       Configure the size of the space that stores the Remote
no lldp neighbors max-num                            Table of the port as the specified value or the default
                                                     value.
11. Configure the type of operation when the Remote Table of the port is full
Command                                              Explanation
Port Configuration Mode
lldp tooManyNeighbors {discard|delete}               Configure the type of operation when the Remote Table
                                                     of the port is full.
12. Display and debug the relative information of LLDP
Command                                              Explanation
Admin, Global Mode
show lldp                                            Display the current LLDP configuration information.
show lldp interface ethernet <IFNAME>                Display the LLDP configuration information of the
                                                     current port.
show lldp traffic                                    Display the information of all kinds of counters.
show lldp neighbors interface ethernet <IFNAME>      Display the LLDP neighbors information of the current
                                                     port.
show debugging lldp                                  Display all ports with LLDP debug enabled.
Admin Mode
debug lldp                                           Enable or disable the DEBUG switch.
no debug lldp
debug lldp packets interface ethernet <IFNAME>       Enable or disable the DEBUG packet-receiving and
no debug lldp packets interface ethernet <IFNAME>    sending function in port or global mode.
<IFNAME>
Port configuration mode
clear lldp remote-table
Clear Remote-table of the port.
11.3 LLDP Function Typical Example
Figure 11-3-1 LLDP Function Typical Configuration Example
In the network topology graph above, the port 1,3 of SWITCH B are connected to port 2,4 of SWITCH A. Port
1 of SWITCH B is configured to message-receiving-only mode, Option TLV of port 4 of SWITCH A is
configured as portDes and SysCap.
SWITCH A configuration task sequence:
Switch A(config)# lldp enable
Switch A(config)#int erface ethernet 1/4
Switch A(Config-If-Ethernet1/4)# lldp transmit optional tlv port Desc sysCap
Switch A(Config-If-Ethernet1/4)exit
SWITCH B configuration task sequence:
Switch B(config)#lldp enable
Switch B(config)#interface ethernet1/1
11-4
Switch B(Config-If-Ethernet1/1)# lldp mode receive
Switch B(Config-If-Ethernet1/1)#exit
11.4 LLDP Function Troubleshooting
 LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable t he
debug switch “debug lldp” simultaneously to check debug information.
 Using “show” function of LLDP function can display the configuration information in global or port
configuration mode.
11-5
Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand P ort Channel, Port Group should be int roduced first. Port Group is a group of physical ports in
the configuration level; only physical ports in the Port Group can take part in link aggregation and become a
member port of a Port Channel. Logically, Port Group is not a port but a port sequence. Under certain
conditions, physical ports in a Port Group perform port aggregation to form a Port Channel that has all the
properties of a logical port, therefore it bec omes an independent logical port. Port aggregation is a process of
logical abstraction to abstract a set of ports (port sequence) wit h the same properties to a logical port. Port
Channel is a collection of physical ports and used logic ally as one physical port. Port Channel can be used as
a normal port by the user, and can not only add net work’s bandwidth, but also provide link backup. Port
aggregation is usually used when the switch is connected to routers, PCs or other switches.
SwitchA
SwitchB
Figure 12-1-1 Port aggregation
As shown in the above, SwitchA is aggregated to a Port Channel, the bandwidth of this Port Channel is the
total of all the four ports. If traffic from S witchA needs to be transferred to SwitchB through the Port Channel,
traffic allocation calculation will be performed based on the source MAC address and the lowest bit of target
MAC address. The calculation result will decide which port to convey the traffic. If a port in Port Channel fails,
the other ports will undertake traffic of t hat port through a traffic allocation algorithm. This algorithm is carried
out by the hardware.
Chassis Switch offers two methods for configuring port aggregation: manual Port Channel creation and LACP
(Link Aggregation Control P rotocol) dynamic Port Channel creation. Port aggregation can only be performed
on ports in full-duplex mode.
For Port Channel to work properly, member ports of the Port Channel must have the same properties as
follows:
 All ports are in full-duplex mode.
 All Ports are of the same speed.
 All ports are Access ports and belong to the same VLAN or are all TRUNK ports, or are all Hybrid ports.
 If the ports are all TRUNK ports or Hybrid ports , then their “Allowed VLA N” and “Native VLAN” property
should also be the same.
12-1
If Port Channel is configured manually or dynamically on switch, the system will automatically set the port with
the smallest number to be Master Port of the Port Channel. If the spanning tree function is enabled in the
Chassis Switch, the spanning tree protocol will regard Port Channel as a logical port and send BP DU frames
via the master port.
Port aggregation is closely related with Chassis Switch hardware. Chassis Switch allow physical port
aggregation of any two switches, maximum 128 port groups and 8 ports in each port group are supported.
Once ports are aggregat ed, they can be used as a normal port. Chassis Switch have a built-in aggregation
interface configuration mode, the user can perform related configuration in this mode just like in the VLAN and
physical port configuration mode.
12.2 Brief Introduction to LACP
LACP (Link Aggregation Control Protocol) is a kind of protocol based on IEEE802.3ad standard to
implement the link dynamic aggregation. LA CP protocol us es LACP DU (Link Aggregation Control Protocol
Data Unit) to exchange the information with the other end.
After LACP protocol of the port is enabled, this port will send LACPDU to the other end to notify the system
priority, the MAC address of the system, the priority of the port, the port ID and the operation Key. After the
other end receives the information, the information is compared with the saving information of other ports to
select the port which can be aggregated, accordingly, both sides can reach an agreement about the ports join
or exit the dynamic aggregation group.
The operation Key is created by LACP protocol according to the combination of configuration (speed, duplex,
basic configuration, management Key) of the ports to be aggregated.
After the dynamic aggregation port enables LACP protocol, the management Key is 0 by default. After the
static aggregation port enables LACP, the management Key of the port is the same with the ID of the
aggregation group.
For the dy namic aggregation group, the members of the same group have the same operation Key, for the
static aggregation group, the ports of Active have the same operation Key.
The port aggregation is that multi-ports are aggregated to form an aggregation group, so as to implement the
out/in load balance in each member port of the aggregation group and provides the better reliability.
12.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by users configuration, and do not enable LA CP protocol. When
configuring static LACP aggregation, use “on” mode to force the port to enter the aggregation group.
12-2
12.2.2 Dynamic LACP Aggregation
1. The summary of the dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created/deleted by the system automatically, it does not allow
the user to add or delete the member ports of the dynamic LACP aggregation. The ports which have the same
attribute of s peed and duplex, are connected to the same device, have the s ame basic configuration, can be
dynamically aggregat ed together. E ven if only one port can creat e the dynamic aggregation, that is the single
port aggregation. In the dynamic aggregation, LA CP prot ocol of the port is at the enable state.
2. The port state of the dynamic aggregation group
In dynamic aggregation group, the ports have two states: selected or standby. Both selected ports and
standby ports can receive and send LA CP protocol, but standby ports can not forward the data packets.
Because the limitation of the max port number in the aggregation group, if the current number of the member
ports exceeds the limitation of the max port number, then the system of this end will negotiates with the other
end to decide the port state according to the port ID. The negotiation steps are as follows:
Compare ID of the devices (the priority of the system + the MAC address of the system). First, compare the
priority of the systems, if they are same, then compare the MAC address of the systems. The end with a small
devic e ID has the high priority.
Compare the ID of the ports (the priority of the port + the ID of the port). For each port in the side of the device
which has the high device priority, first, compare the priority of the ports, if the priorities are same, then
compare the ID of t he ports. The port with a small port ID is selected, and the others become the standby
ports.
In an aggregation group, the port which has the smallest port ID and is at the selected state will be the master
port, the other ports at the selected state will be the member port.
12.3 Port Channel Configuration Task List
1. Create a port group in Global Mode.
2. Add ports to the specified group from the Port Mode of respective ports.
3. Enter port-channel configuration mode.
4. Set load-balance method for Port-group
5. Set the system priority of LACP protocol
6. Set the port priority of the current port in LACP protocol
12-3
1. Creating a port group
Command
Explanation
Global Mode
port-group <port-group-number>
Creates or deletes a port group.
no port-group <port-group-number>
2. Add physical ports to the port group
Command
Explanation
Port Mode
port-group <port-group-number> mode
Adds ports to the port group and sets their
{active | passive | on}
mode.
no port-group
3. Enter port-channel configuration mode.
Command
Explanation
Global Mode
interface port-channel
Enters port-channel configuration mode.
<port-channel-number>
4. Set load-balance method for Port-group
Command
Explanation
Aggregation port configuration mode
load-balance {src-mac | dst-mac |
Set load-balance for port -group.
dst-src-mac | src-ip | dst-ip | dst-src-ip}
5. Set the system priority of LACP protocol
Command
Explanation
Global mode
lacp system-priority < system-priority>
Set the system priority of LA CP prot ocol,
no lacp system-priority
the no command restores the default value.
6. Set the port priority of the current port in LACP protocol
Command
Explanation
Port mode
lacp port-priority <port-priority>
Set the port priority in LACP protocol. The
no lacp port-priority
no command restores the default value.
12-4
12.4 Port Channel Examples
Scenario 1: Configuring Port Channel in LACP.
SwitchA
SwitchB
Figure 12-4-1 Configuring Port Channel in LACP
The switches in the description below are all switch and as shown in the figure, ports 1, 2, 3, 4 of SwitchA are
access ports that belong to VLAN1. Add those four ports to group1 in active mode. Ports 6, 8, 9, 10 of SwitchB
are access ports that also belong to VLA N1. Add these four ports to group2 in passive mode. All the ports
should be connected wit h cables.
The configuration steps are listed below:
SwitchA#config
SwitchA (config)#int erface ethernet 1/1-4
SwitchA (Config-If-P ort-Range)#port-group 1 mode active
SwitchA (Config-If-P ort-Range)#exit
SwitchA (config)#int erface port-channel 1
SwitchA (Config-If-P ort-Channel1)#
SwitchB#config
SwitchB (config)#port-group 2
SwitchB (config)#interface ethernet 1/6
SwitchB (Config-If-Ethernet1/6)#port-group 2 mode passive
SwitchB (Config-If-Ethernet1/6)#exit
SwitchB (config)#interface ethernet 1/8-10
SwitchB (Config-If-P ort-Range)#port-group 2 mode passive
SwitchB (Config-If-P ort-Range)#exit
SwitchB (config)#interface port-channel 2
SwitchB (Config-If-P ort-Channel2)#
Configuration result:
Shell prompts ports aggregated successfully after a while, now ports 1, 2, 3, 4 of Switch A form an aggregated
port named “P ort-Channel1”, ports 6, 8, 9, 10 of S witch B forms an aggregated port named “Port -Channel2”;
configurations can be made in their respective aggregated port configuration mode.
Scenario 2: Configuring Port Channel in ON mode.
12-5
SwitchA
SwitchB
Figure 12-4-2 Configuring Port Channel in ON mode
Example: As shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to VLAN1. Add those
four ports to group1 in “on” mode. Ports 6, 8, 9, 10 of SwitchB are access ports that also belong to VLAN1,
add these four ports to group2 in “on” mode.
The configuration steps are listed below:
SwitchA#config
SwitchA (config)#int erface ethernet 1/1
SwitchA (Config-If-Ethernet1/1)#port-group 1 mode on
SwitchA (Config-If-Ethernet1/1)#exit
SwitchA (config)#int erface ethernet 1/2
SwitchA (Config-If-Ethernet1/2)#port-group 1 mode on
SwitchA (Config-If-Ethernet1/2)#exit
SwitchA (config)#int erface ethernet 1/3
SwitchA (Config-If-Ethernet1/3)#port-group 1 mode on
SwitchA (Config-If-Ethernet1/3)#exit
SwitchA (config)#int erface ethernet 1/4
SwitchA (Config-If-Ethernet1/4)#port-group 1 mode on
SwitchA (Config-If-Ethernet1/4)#exit
SwitchB#config
SwitchB (config)#port-group 2
SwitchB (config)#interface ethernet 1/6
SwitchB (Config-If-Ethernet1/6)#port-group 2 mode on
SwitchB (Config-If-Ethernet1/6)#exit
SwitchB (config)#interface ethernet 1/8-10
SwitchB (Config-If-P ort-Range)#port-group 2 mode on
SwitchB (Config-If-P ort-Range)#exit
12-6
Configuration result:
Add ports 1, 2, 3, 4 of Switch 1 to port-group 1 in order, and we can see a group in “on” mode is completely
joined forcedly, Chassis Switch in other ends won’t exchange LA CP BPDU to complete aggregation.
Aggregation finishes immediately when the command to add port 2 to port-group 1 is entered, port 1 and port
2 aggregate to be port-channel 1, when port 3 joins port-group 1, port-c hannel 1 of port 1 and 2 are
ungrouped and re-aggregate with port 3 to form port-channel 1, when port 4 joins port -group 1, port-channel 1
of port 1, 2 and 3 are ungrouped and re-aggregate with port 4 to form port -channel 1. (It should be noted that
whenever a new port joins in an aggregated port group, the group will be ungrouped first and re-aggregated to
form a new group.) Now all four ports in both S witchA and SwitchB are aggregated in “on” mode and become
an aggregated port respectively.
12.5 Port Channel Troubleshooting
If problems occur when configuring port aggregation, please first check the following for causes.
 Ensure all ports in a port group have the same properties, i.e., whether they are in full-duplex mode,
forced to the same speed, and have the same VLAN properties, etc. If inconsistency occurs, make
corrections.
 Some commands cannot be used on a port in port-channel, such as arp, bandwidth, ip, ip-forward, etc.
12-7
Chapter 13 Jumbo Configuration
13.1 Introduction to Jumbo
So far the Jumbo (Jumbo Frame) has not reach a determined standard in the industry (including the format
and length of t he frame). Normally frames sized within 1519-9000 should be considered jumbo frame.
Networks with jumbo frames will increase the speed of the whole net work by 2% to 5%. Technically the Jumbo
is just a lengthened frame sent and received by the switch. However considering the length of Jumbo frames,
they will not be sent to CP U. We discarded the Jumbo frames sent to CP U in the packet rec eiving process.
13.2 Jumbo Configuration Task Sequence
1. Configure enable Jumbo function
Command
Explanation
Global Mode
Enable sending/receiving function of the
jumbo enable [<mtu-value>]
Jumbo frames. The no command disables
no jumbo enable
sending and receiving function of the Jumbo
frames.
13-1
Chapter 14 VLAN Configuration
14.1 VLAN Configuration
14.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a t echnology that divides the logical addresses of devices within the
network to separate network segments basing on functions, applications or management requirements. By
this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE
announced IEEE 802. 1Q protocol to direct the standardized V LAN implementation, and the V LAN function of
Chassis Switch is implemented following IEEE 802.1Q.
The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast
domains dynamically to meet the demands.
Switch
Switch
Switch
VLAN1
Server
VLAN2
Server
PC
VLAN3
Server
PC
PC
PC
Laser Printer
PC
Figure 14-1-1 A VLA N net work defined logically
Each broadcast domain is a VLAN. VLANs have the same properties as the physical LANs, except VLAN is a
logical partition rather than physical one. Therefore, the partition of VLA Ns can be performed regardless of
physical locations, and the broadcast, multicast and unicast traffic within a V LAN is separated from the other
VLANs.
With the aforementioned features, VLAN technology provides us with the following convenienc e:
 Improving network performanc e
 Saving net work resources
 Simplifying network management
 Lowering network cost
 Enhancing network security
14-1
XGS 3 Chassis Switch Ethernet P orts can works in three kinds of modes: Access, Hybrid and Trunk, each
mode has a different processing method in forwarding the packets with tagged or untagged.
The ports of Access type only belongs to one VLA N, usually they are used t o connect the ports of the
computer.
The ports of Trunk type allow multi-VLA Ns to pass, can receive and send the packets of multi-V LANs. Usually
they are used to connect between the switches.
The ports of Hybrid type allow multi-VLA Ns to pass, can receive and send the packets of multi-VLA Ns. They
can be used to connect between the switches, or to a computer of the user.
Hybrid ports and Trunk ports receive the data with the same process method, but
send the data with
different method: Hybrid ports can send the packets of multi-VLANs without the VLAN tag, while Trunk ports
send the packets of multi-VLANs wit h the VLAN tag except the port native VLAN.
The Chassis Switch implements VLAN and GV RP (GA RP VLAN Registration Prot ocol) which are defined by
802.1Q. The chapter will ex plain the use and the configuration of VLAN and GVRP in detail.
14.1.2 VLAN Configuration Task List
1.
Creat e or delete VLA N
2.
Set or delete VLA N name
3.
Assign Switch ports for VLA N
4.
Set the switch port type
5.
Set Trunk port
6.
Set Access port
7.
Set Hybrid port
8.
Enable/Disable VLA N ingress rules on ports
9.
Configure Privat e VLAN
10. Set Private V LAN association
1. Create or delete VLAN
Command
Explanation
Global Mode
vlan WORD
Create/delete VLAN or enter VLA N Mode
no vlan WORD
2. Set or delete VLAN name
Command
Explanation
Global Mode
name <vlan-name>
Set or delete VLAN name.
no name
3. Assigning Switch ports for VLAN
Command
Explanation
VLAN Mode
14-2
switchport interface <interface-li st>
Assign Chassis Switch ports to VLAN.
no switchport interface <interface-li st>
4. Set the Switch Port Type
Command
Explanation
Port Mode
switchport mode {trunk | acce ss | hybrid}
Set the current port as Trunk, Access
Hybrid port.
5. Set Trunk port
Command
Explanation
Port Mode
switchport trunk allowed vlan {WORD | all
| add WORD | except WORD|remove
Set/delete VLA N allowed to be crossed
by Trunk. The “no” command restores
WORD}
the default setting.
no switchport trunk allowed vlan
switchport trunk native vlan <vlan-id>
Set/delete PVID for Trunk port.
no switchport trunk native vlan
6. Set Access port
Command
Explanation
Port Mode
Add the current port to the specified
switchport acce ss vlan <vlan-id>
VLAN. The “no” command restores the
no switchport acce ss vlan
default setting.
7. Set Hybrid port
Command
Explanation
Port Mode
switchport hybrid allowed vlan {WORD |
all | add WORD | except WORD|remove
Set/delete the VLA N which is allowed by
WORD} {tag|untag}
Hybrid port with tag or untag mode.
no switchport hybrid allowed vlan
switchport hybrid native vlan <vlan-id>
Set/delete PVID of the port.
no switchport hybrid native vlan
9.
Di sable/Enable VLAN Ingress Rules
Command
Explanation
Port Mode
vlan ingress enable
Enable/Disable VLAN ingress rules.
no vlan ingress enable
9. Configure Private VLAN
Command
Explanation
VLAN mode
14-3
private-vlan {primary | isolated |
Configure current VLA N to Private VLA N.
community}
The no command deletes private VLA N.
no private-vlan
10. Set Private VLAN association
Command
Explanation
VLAN mode
private-vlan association
<secondary-vl an-li st>
Set/delete Private VLA N association.
no private-vlan association
14.1.3 Typical VLAN Application
Scenario:
VLAN100
VLAN2
VLAN200
PC
Workstation
Workstation
PC
PC
PC
Switch A
Trunk Link
Switch B
PC
PC
VLAN2
PC
Workstation
VLAN100
Workstation
PC
VLAN200
Figure 14-1-2 Typical VLA N Application Topology
The existing LAN is required to be partitioned to 3 VLANs due to security and application requirements. The
three VLA Ns are VLAN2, VLAN100 and VLA N200. Those three VLA Ns are cross two different location A and
B. One switch is placed in each site, and cross-location requirement can be met if VLA N traffic can be
transferred between the two switches.
Configuration Item
Configuration description
VLAN2
Site A and site B switch port 2 -4.
VLAN100
Site A and site B switch port 5 -7.
VLAN200
Site A and site B switch port 8 -10.
Trunk port
Site A and site B switch port 11.
14-4
Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLA N traffic; connect all
network devices to the other ports of corresponding VLA Ns.
In this example, port 1 and port 12 is spared and can be used for management port or for other purposes.
The configuration steps are listed below:
Switch A:
XGS 3-42000R(config)#vlan 2
XGS 3-42000R(config-Vlan2)#s witchport interface ethernet 1/2-4
XGS 3-42000R(config-Vlan2)#exit
XGS 3-42000R(config)#vlan 100
XGS 3-42000R(config-Vlan100)#switchport interface ethernet 1/5-7
XGS 3-42000R(config-Vlan100)#exit
XGS 3-42000R(config)#vlan 200
XGS 3-42000R(config-Vlan200)#switchport interface ethernet 1/8-10
XGS 3-42000R(config-Vlan200)#exit
XGS 3-42000R(config)#interface ethernet 1/11
XGS 3-42000R(config-If-Ethernet1/11)#s witchport mode trunk
XGS 3-42000R(config-If-Ethernet1/11)#exit
XGS 3-42000R(config)#
Switch B:
XGS 3-42000R(config)#vlan 2
XGS 3-42000R(config-Vlan2)#s witchport interface ethernet 1/2-4
XGS 3-42000R(config-Vlan2)#exit
XGS 3-42000R(config)#vlan 100
XGS 3-42000R(config-Vlan100)#switchport interface ethernet 1/5-7
XGS 3-42000R(config-Vlan100)#exit
XGS 3-42000R(config)#vlan 200
XGS 3-42000R(config-Vlan200)#switchport interface ethernet 1/8-10
XGS 3-42000R(config-Vlan200)#exit
XGS 3-42000R(config)#interface ethernet 1/11
XGS 3-42000R(config-If-Ethernet1/11)#s witchport mode trunk
XGS 3-42000R(config-If-Ethernet1/11)#exit
14-5
14.1.4 Typical Application of Hybrid Port
Scenario:
internet
Switch A
Switch B
PC1
PC2
Figure 14-1-3 Typical Application of Hy brid Port
PC1 connects to the interface Ethernet 1/7 of SwitchB, PC2 connects to the interface Ethernet 1/9 of SwitchB,
Ethernet 1/10 of SwitchA connect to Ethernet 1/10 of SwitchB.
It is required that PC1 and PC2 can not mutually access due to reason of
the security, but PC1 and PC2 can
access other network resources through the gat eway SwitchA. We can implement this status through Hybrid
port.
Configuration items are as follows:
Port
Type
PVID
Port 1/10 of Switch A
Access
10
Port 1/10 of Switch B
Hybrid
10
Port 1/7 of Switch B
Hybrid
7
Port 1/9 of Switch B
Hybrid
9
14-6
the VLANs are allowed to pass
Allow the packets of VLA N 10 to pass
with untag method.
Allow the packets of VLA N 7, 9, 10 to
pass with untag method.
Allow the packets of VLAN 7, 10 to pass
with untag method.
Allow the packets of VLAN 9, 10 to pass
with untag method.
The configuration steps are listed below:
Switch A:
XGS 3-42000R(config)#vlan 10
XGS 3-42000R(Config-Vlan10)#switchport interfac e ethernet 1/10
Switch B:
XGS 3-42000R(config)#vlan 7;9; 10
XGS 3-42000R(config)#interface ethernet 1/7
XGS 3-42000R(Config-If-Ethernet1/7)#switchport mode hybrid
XGS 3-42000R(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
XGS 3-42000R(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
XGS 3-42000R(Config-If-Ethernet1/7)#exit
XGS 3-42000R(Config)#interface Ethernet 1/9
XGS 3-42000R(Config-If-Ethernet1/9)#switchport mode hybrid
XGS 3-42000R(Config-If-Ethernet1/9)#switchport hybrid native vlan 9
XGS 3-42000R(Config-If-Ethernet1/9)#switchport hybrid allowed vlan 9;10 untag
XGS 3-42000R(Config-If-Ethernet1/9)#exit
XGS 3-42000R(Config)#interface Ethernet 1/10
XGS 3-42000R(Config-If-Ethernet1/10)#s witchport mode hybrid
XGS 3-42000R(Config-If-Ethernet1/10)#s witchport hybrid native vlan 10
XGS 3-42000R(Config-If-Ethernet1/10)#s witchport hybrid allowed vlan 7;9;10 untag
XGS 3-42000R(Config-If-Ethernet1/10)#exit
14.2 GVRP Configuration
14.2.1 Introduction to GVRP
GARP (Generic Attribute Registration Protocol) can be used to dynamically distribute, populate and register
property information bet ween switch members within a Chassis Switch network, the property can be VLA N
information, Multicast MAC address of the other information. As a matter of fact, GARP protocol can convey
multiple property features the Chassis Switch need to populate. Various GARP applications are defined on the
basis of GA RP, which are called GARP application entities, and GV RP is one of them.
GVRP (GARP VLA N Registration Protocol) is an application based on GARP working mechanism. It is
responsible for the maintenanc e of dynamic VLAN register information and population of such register
information to t he other switches. Switches support GV RP can receive V LAN dynamic register information
from the other switches, and update local VLAN register information according the information received. The
switch enabled GVRP can also populate their own VLAN register information to the other switches. The
populated VLA N register information includes local static information manually configured and dynamic
information learnt from the other switches. Therefore, by populating the VLA N register information, VLAN
information consistency can be achieved among all GVRP enabled switches.
14-7
14.2.2 GVRP Configuration Task List
1. Configuring GARP Timer parameters
Command
Explanation
Port Mode
garp timer join <timer-value>
no garp timer join
garp timer leave <timer-value>
Configure the hold, join and
no garp timer leave
leave timers for GA RP.
garp timer hold <timer-value>
no garp timer hold
Global Mode
garp timer leaveall <timer-value>
Configure the leave all timer for
no garp timer leaveall
GARP.
2. Enable GVRP function
Command
Explanation
Port Mode
gvrp
Enable/disable the GVRP
no gvrp
function on current port.
Global Mode
gvrp
Enable/disable the GVRP
no gvrp
function for the switch.
14-8
14.2.3 Typical GVRP Application
Scenario:
PC
Switch A
Switch B
Switch C
PC
Figure 14-2-1 Typical GV RP Application Topology
To enable dynamic VLAN information register and updat e among switches, GVRP protocol is to be configured
in the Chassis Switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically
so that the two workstation connected to VLAN100 in Switch A and C can communicate with each other
through Switch B without static VLAN100 entries.
Configuration Item
Configuration description
VLAN100
Port 2 -6 of Switch A and C.
Trunk port
Port 11 of Switch A and C, Port 10, 11 of Switch B.
Global GVRP
Switch A, B, C.
Port GVRP
Port 11 of Switch A and C, Port 10, 11 of Switch B.
Connect the two workstation to the VLAN100 ports in switch A and B, connect port 11 of S witch A to port 10 of
Switch B, and port 11 of Switch B to port 11 of Switch C.
The configuration steps are listed below:
Switch A:
XGS 3-42000R(config)# gvrp
XGS 3-42000R(config)#vlan 100
XGS 3-42000R(config-Vlan100)#switchport interface ethernet 1/2-6
XGS 3-42000R(config-Vlan100)#exit
XGS 3-42000R(config)#interface Ethernet 1/11
XGS 3-42000R(config-If-Ethernet1/11)#s witchport mode trunk
14-9
XGS 3-42000R(config-If-Ethernet1/11)# gvrp
XGS 3-42000R(config-If-Ethernet1/11)#exit
Switch B:
XGS 3-42000R(config)# bridge-ext gvrp
XGS 3-42000R(config)#interface ethernet 1/10
XGS 3-42000R(config-If-Ethernet1/10)#s witchport mode trunk
XGS 3-42000R(config-If-Ethernet1/10)# gvrp
XGS 3-42000R(config-If-Ethernet1/10)#exit
XGS 3-42000R(config)#interface ethernet 1/11
XGS 3-42000R(config-If-Ethernet1/11)#s witchport mode trunk
XGS 3-42000R(config-If-Ethernet1/11)# gvrp
XGS 3-42000R(config-If-Ethernet1/11)#exit
Switch C:
XGS 3-42000R(config)# gvrp
XGS 3-42000R(config)#vlan 100
XGS 3-42000R(config-Vlan100)#switchport interface ethernet 1/2-6
XGS 3-42000R(config-Vlan100)#exit
XGS 3-42000R(config)#interface ethernet 1/11
XGS 3-42000R(config-If-Ethernet1/11)#s witchport mode trunk
XGS 3-42000R(config-If-Ethernet1/11)# gvrp
XGS 3-42000R(config-If-Ethernet1/11)#exit
14.2.4 GVRP Troubleshooting
The GARP counter setting in for Trunk ports in both ends of Trunk link must be the same, otherwise GVRP will
not work properly. It is recommended to avoid enabling GVRP and RS TP at the same time in Chassis Switch.
If GV RP is to be enabled, RS TP function for the ports must be disabled first.
14.3 Dot1q-tunnel Configuration
14.3.1 Introduction to Dot1q-tunnel
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is
encapsulating the customer VLAN tag (CVLA N tag) to the service provider VLA N tag (SPVLA N tag). Carrying
the two VLAN tags the packet is transmitted through the backbone net work of the ISP internet, so to provide a
simple layer-2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration,
and especially adaptive to small office net work or small scale metropolitan area network using layer-3 switch
as backbone equipment.
14-10
On the customer port
Trunk VLAN 200-300
Unsymmetrical
CE1 connection
This port on PE1 is enabled
QinQ and belong to VLAN3
PE1
Customer
networks1
SP networks
Trunk connection
P
Trunk connection
This port on PE1 is enabled
QinQ and belong to VLAN3
PE2
CE2
Unsymmetrical
Customer
connection
networks2
On the customer port
Trunk VLAN 200-300
Figure 14-3-1 Dot1q-tunnel based Internet working mode
As shown above, after dot1q-tunnel is enabled on the user port, each user is assigned an SPVLAN identifier
(SPVID); here the user's SPVID is 3. The same SPVID must be assigned to the same user network on the different
PEs. When a packet from CE1 reaches PE1, it carries a VLAN tag from the range 200-300 of the user's internal
network. Because dot1q-tunnel is enabled, the user port on PE1 adds a second VLAN tag to the packet whose ID is
the SPVID assigned to the user. From then on the packet travels the ISP network only in VLAN 3, carrying two
VLAN tags: the inner tag is the one CE1 sent, and the outer tag, added when the packet entered PE1, is the
SPVID. The VLAN information of the user network is carried transparently and is never acted on by the provider
network. When the packet reaches PE2 and before it is forwarded to CE2 from the client port on PE2, the outer
VLAN tag is removed, so the packet CE2 receives is identical to the one CE1 sent. From the user's point of view,
the operator network between PE1 and PE2 is simply a reliable layer-2 link.
Dot1q-tunnel lets the ISP network support many client VLANs with only one VLAN of its own. Both the ISP and
the clients configure their VLANs independently.
The dot1q-tunnel function therefore has the following characteristics:
 Applied through simple static configuration; no complex configuration or maintenance is needed.
 The operator only has to assign one SPVID per user, which raises the number of users that can be supported
concurrently, while users keep full freedom in selecting and managing their own VLAN IDs (any value within
1~4094).
 The user network is largely independent. When the ISP upgrades its network, the user networks do not have to
change their original configuration.
Detailed description of the application and configuration of dot1q-tunnel is provided in this section.
14.3.2 Dot1q-tunnel Configuration
Configuration Task Sequence of Dot1q-Tunnel:
1. Configure the dot1q-tunnel function on the ports
Command                                     Explanation
Port mode
dot1q-tunnel enable                         Enter/exit dot1q-tunnel mode on the port.
no dot1q-tunnel enable
2. Configure the type of protocol (TPID) on the ports
Command                                     Explanation
Port mode
dot1q-tunnel tpid                           Configure the TPID on the trunk port.
{0x8100|0x9100|0x9200|<1-65535>}
14.3.3 Typical Applications of the Dot1q-tunnel
Scenario:
Edge switches PE1 and PE2 of the ISP network forward the VLAN 200~300 data between CE1 and CE2 of the
client network inside provider VLAN 3. Port 1 of PE1 is connected to CE1 and port 10 to the public network,
where the TPID used by the connected equipment is 0x9100; port 1 of PE2 is connected to CE2 and port 10 to
the public network.
Configuration Item          Configuration Explanation
VLAN3                       Port 1 of PE1 and PE2.
dot1q-tunnel                Port 1 of PE1 and PE2.
tpid                        0x9100
Configuration procedure is as follows:
PE1:
XGS3-42000R(config)#vlan 3
XGS3-42000R(config-Vlan3)#switchport interface ethernet 1/1
XGS3-42000R(config-Vlan3)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-Ethernet1/1)#dot1q-tunnel enable
XGS3-42000R(config-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-Ethernet1/10)#switchport mode trunk
XGS3-42000R(config-Ethernet1/10)#dot1q-tunnel tpid 0x9100
XGS3-42000R(config-Ethernet1/10)#exit
XGS3-42000R(config)#
PE2:
XGS3-42000R(config)#vlan 3
XGS3-42000R(config-Vlan3)#switchport interface ethernet 1/1
XGS3-42000R(config-Vlan3)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-Ethernet1/1)#dot1q-tunnel enable
XGS3-42000R(config-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-Ethernet1/10)#switchport mode trunk
XGS3-42000R(config-Ethernet1/10)#dot1q-tunnel tpid 0x9100
XGS3-42000R(config-Ethernet1/10)#exit
XGS3-42000R(config)#
14.4 VLAN-translation Configuration
14.4.1 Introduction to VLAN-translation
VLAN translation, as its name says, translates an original VLAN ID into a new VLAN ID according to the user's
requirements, so that data can be exchanged across different VLANs. VLAN translation is classified into ingress
translation and egress translation, which translate the VLAN ID when a packet enters or leaves the port,
respectively.
Application and configuration of VLAN translation will be explained in detail in this section.
14.4.2 VLAN-translation Configuration
Configuration task sequence of VLAN-translation:
1. Configure the VLAN-translation function on the port
2. Configure the VLAN-translation relations on the port
3. Configure whether packets that match no translation relation are dropped on the port
1. Configure the VLAN-translation of the port
Command                                         Explanation
Port mode
vlan-translation enable                         Enter/exit the port VLAN-translation mode.
no vlan-translation enable
2. Configure the VLAN-translation relation of the port
Command                                         Explanation
Port mode
vlan-translation <old-vlan-id> to               Add/delete a VLAN-translation relation.
<new-vlan-id> {in|out}
no vlan-translation <old-vlan-id> {in|out}
3. Configure whether packets that match no translation relation are dropped
Command                                         Explanation
Port mode
vlan-translation miss drop {in|out|both}        Drop packets on the port whose VLAN ID matches no translation
no vlan-translation miss drop {in|out|both}     relation (a translation miss); the no form lets such packets pass
                                                untranslated.
14.4.3 Typical application of VLAN-translation
Scenario:
Edge switches PE1 and PE2 of the ISP network carry the VLAN 20 traffic between CE1 and CE2 of the client
network inside provider VLAN 3. Port 1 of PE1 is connected to CE1 and port 10 to the public network; port 1 of
PE2 is connected to CE2 and port 10 to the public network.
Figure 14-4-1 Vlan translation topology mode
(Topology: the same as Figure 14-3-1. CE1 and CE2 each connect over an unsymmetrical link to the customer port
of PE1 and PE2 respectively; PE1 and PE2 connect through trunk links to switch P inside the SP network.)
Configuration Item          Configuration Explanation
VLAN-translation            Port 1 of PE1 and PE2.
Trunk port                  Port 1 and Port 10 of PE1 and PE2.
Configuration procedure is as follows:
PE1, PE2:
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-Ethernet1/1)#switchport mode trunk
XGS3-42000R(config-Ethernet1/1)#dot1q-tunnel enable
XGS3-42000R(config-Ethernet1/1)#vlan-translation enable
XGS3-42000R(config-Ethernet1/1)#vlan-translation 20 to 3 in
XGS3-42000R(config-Ethernet1/1)#vlan-translation 3 to 20 out
XGS3-42000R(config-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-Ethernet1/10)#switchport mode trunk
XGS3-42000R(config-Ethernet1/10)#exit
XGS3-42000R(config)#
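The tag handling that sections 14.3 and 14.4 describe, as an added worked example written for this page (it is not code from the manual or from PLANET): a byte-level model of the 802.1Q tag stack, the QinQ push and pop performed by a PE customer port, and the ingress/egress translation table with its miss-drop switch. The port numbers, VLAN IDs, TPID and MAC addresses follow the two scenarios above; the frames are constructed inside the code. One simplification is assumed: the outer tag is pushed directly with the uplink TPID (0x9100), whereas real hardware may tag with 0x8100 on the customer port and rewrite the TPID on the trunk.

```python
import struct

TPID_8100, TPID_9100 = 0x8100, 0x9100      # standard tag; outer TPID used on the PE uplinks
KNOWN_TPIDS = (TPID_8100, TPID_9100, 0x88A8)

def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: dst(6) src(6) [802.1Q tag] ethertype payload."""
    frame = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vid is not None:
        frame += struct.pack("!HH", TPID_8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def tag_stack(frame):
    """VLAN tags outer-to-inner as a list of (tpid, vid)."""
    tags, off = [], 12
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in KNOWN_TPIDS:
            return tags
        tags.append((ethertype, struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF))
        off += 4

def push_tag(frame, tpid, vid, pcp=0):
    """Insert a new outermost tag; existing tags become inner tags."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]

def pop_tag(frame):
    """Remove the outermost tag."""
    if not tag_stack(frame):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def set_outer_vid(frame, vid):
    """Rewrite only the VID of the outermost tag, keeping TPID, PCP and DEI."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return frame[:12] + struct.pack("!HH", tpid, (tci & 0xF000) | (vid & 0x0FFF)) + frame[16:]

class QinQEdge:
    """PE customer port with dot1q-tunnel enabled in VLAN `spvid`; `uplink_tpid`
    stands for `dot1q-tunnel tpid` on the provider-facing trunk (assumed applied at push time)."""
    def __init__(self, spvid, uplink_tpid=TPID_9100):
        self.spvid, self.uplink_tpid = spvid, uplink_tpid

    def from_customer(self, frame):
        # Ingress from the CE: the customer's own tag is kept untouched as the inner tag.
        return push_tag(frame, self.uplink_tpid, self.spvid)

    def to_customer(self, frame):
        # Egress to the CE: strip the outer tag, but only for this customer's SPVLAN.
        tags = tag_stack(frame)
        if not tags or tags[0] != (self.uplink_tpid, self.spvid):
            return None                # another customer's tunnel: never deliver it
        return pop_tag(frame)

class VlanTranslation:
    """Per-port `vlan-translation <old> to <new> {in|out}` table and the
    `vlan-translation miss drop {in|out}` switches."""
    def __init__(self):
        self.table = {"in": {}, "out": {}}
        self.miss_drop = {"in": False, "out": False}

    def add(self, old_vid, new_vid, direction):
        self.table[direction][old_vid] = new_vid

    def apply(self, frame, direction):
        tags = tag_stack(frame)
        if not tags:
            return frame               # untagged frames are not translated
        vid = tags[0][1]
        if vid in self.table[direction]:
            return set_outer_vid(frame, self.table[direction][vid])
        return None if self.miss_drop[direction] else frame   # miss: drop or pass as-is

def qinq_demo():
    """14.3.3: CE1 sends VLAN 200, PE1 pushes SPVID 3 (TPID 0x9100), PE2 pops it."""
    ce1_frame = build_frame("00-01-33-33-33-33", "00-01-11-11-11-11", vid=200)
    pe1, pe2 = QinQEdge(spvid=3), QinQEdge(spvid=3)
    core_frame = pe1.from_customer(ce1_frame)
    ce2_frame = pe2.to_customer(core_frame)
    wrong_customer = QinQEdge(spvid=4).to_customer(core_frame)
    return tag_stack(core_frame), ce2_frame == ce1_frame, wrong_customer

def translation_demo(miss_drop):
    """14.4.3: port 1/1 translates 20 -> 3 on ingress and 3 -> 20 on egress."""
    vt = VlanTranslation()
    vt.add(20, 3, "in")
    vt.add(3, 20, "out")
    vt.miss_drop["in"] = miss_drop
    ingress = vt.apply(build_frame("ff-ff-ff-ff-ff-ff", "00-01-22-22-22-22", vid=20), "in")
    egress = vt.apply(build_frame("00-01-22-22-22-22", "00-01-44-44-44-44", vid=3), "out")
    stray = vt.apply(build_frame("ff-ff-ff-ff-ff-ff", "00-01-22-22-22-22", vid=99), "in")
    return (tag_stack(ingress)[0][1], tag_stack(egress)[0][1],
            None if stray is None else tag_stack(stray)[0][1])
```

Two checks are worth noting. `to_customer` refuses to strip a tag whose SPVID is not its own, so a frame from another customer's tunnel is dropped rather than delivered with the wrong tag. And a translation miss returns None (drop) only when `miss drop` is set; otherwise the frame passes untranslated, which is what to expect on a port where a mapping was forgotten.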
14.4.4 VLAN-translation Troubleshooting
 VLAN-translation is normally applied on trunk ports. Before VLAN-translation is used, the dot1q-tunnel
function normally has to be enabled on the port, so that double-tagged packets are handled and the VLAN is
translated correctly.
14.5 Dynamic VLAN Configuration
14.5.1 Introduction to Dynamic VLAN
Dynamic VLAN is named in contrast to static VLAN (namely port-based VLAN). The dynamic VLANs supported by
the Chassis Switch are MAC-based VLAN, IP-subnet-based VLAN and protocol-based VLAN. Detailed description is
as follows:
MAC-based VLAN division is based on the MAC address of each host: every host with a given MAC address is
assigned to a certain VLAN. In this way a network user keeps membership in the VLAN he belongs to when he
moves from one physical location to another. The greatest advantage of this VLAN division is that the VLAN
does not have to be re-configured when the user's physical location changes, for example from one switch to
another, because membership is user based, not switch-port based.
IP-subnet-based VLAN is divided according to the source IP address and subnet mask of every host. It assigns
the corresponding VLAN ID to a data packet according to the subnet the source address belongs to, steering the
packet to the specified VLAN. Its advantage is the same as that of MAC-based VLAN: the user does not have to
change configuration when relocated.
Protocol-based VLAN divides VLANs by network layer protocol, assigning different protocols to different VLANs.
This is very attractive to network administrators who wish to organize users by applications and services.
Moreover the user can move freely within the network while maintaining his membership. This method lets users
change physical position without changing their VLAN configuration, while the VLAN can be divided by protocol
type, which is important to network administrators. Further, this method needs no added frame label to
identify the VLAN, which reduces the network traffic.
Notice: Dynamic VLAN needs the Hybrid attribute of the ports to work, so the ports that may be added to a
dynamic VLAN must be configured as Hybrid ports.
14.5.2 Dynamic VLAN Configuration
Dynamic VLAN Configuration Task Sequence:
1. Configure the MAC-based VLAN function on the port
2. Set the VLAN to MAC VLAN
3. Configure the correspondence between the MAC address and the VLAN
4. Configure the IP-subnet-based VLAN function on the port
5. Configure the correspondence between the IP subnet and the VLAN
6. Configure the correspondence between the protocols and the VLAN
7. Adjust the priority of the dynamic VLAN
1. Configure the MAC-based VLAN function on the port
Command                                            Explanation
Port Mode
switchport mac-vlan enable                         Enable/disable the MAC-based VLAN function on the port.
no switchport mac-vlan enable
2. Set the VLAN to MAC VLAN
Command                                            Explanation
Global Mode
mac-vlan vlan <vlan-id>                            Configure the specified VLAN as a MAC VLAN; the "no mac-vlan"
no mac-vlan                                        command cancels the MAC VLAN configuration of this VLAN.
3. Configure the correspondence between the MAC address and the VLAN
Command                                            Explanation
Global Mode
mac-vlan mac <mac-address> vlan <vlan-id>          Add/delete the correspondence between the MAC address and the
priority <priority-id>                             VLAN, namely the specified MAC address joins/leaves the
no mac-vlan {mac <mac-address>|all}                specified VLAN.
4. Configure the IP-subnet-based VLAN function on the port
Command                                            Explanation
Port Mode
switchport subnet-vlan enable                      Enable/disable the IP-subnet-based VLAN function on the port.
no switchport subnet-vlan enable
5. Configure the correspondence between the IP subnet and the VLAN
Command                                            Explanation
Global Mode
subnet-vlan ip-address <ipv4-address>              Add/delete the correspondence between the IP subnet and the
mask <subnet-mask> vlan <vlan-id>                  VLAN, namely the specified IP subnet joins/leaves the specified
priority <priority-id>                             VLAN.
no subnet-vlan {ip-address <ipv4-address>
mask <subnet-mask>|all}
6. Configure the correspondence between the protocols and the VLAN
Command                                            Explanation
Global Mode
protocol-vlan mode {ethernetii etype               Add/delete the correspondence between the protocols and the
<etype-id>|llc {dsap <dsap-id> ssap                VLAN, namely the specified protocol joins/leaves the specified
<ssap-id>}|snap etype <etype-id>} vlan             VLAN.
<vlan-id> priority <priority-id>
no protocol-vlan {mode {ethernetii etype
<etype-id>|llc {dsap <dsap-id> ssap
<ssap-id>}|snap etype <etype-id>}|all}
7. Adjust the priority of the dynamic VLAN
Command                                            Explanation
Global Mode
dynamic-vlan mac-vlan prefer                       Configure which dynamic VLAN type takes precedence when a packet
dynamic-vlan subnet-vlan prefer                    matches both a MAC-VLAN entry and a subnet-VLAN entry.
14.5.3 Typical Application of the Dynamic VLAN
Scenario:
In the office network, Department A belongs to VLAN 100. Several members of this department often need to
move within the whole office network, and the other members of the department must still be able to reach the
resources in VLAN 100. Assume one of the members is M, whose PC has the MAC address 00-30-4f-11-22-33. When M
moves into VLAN 200 or VLAN 300, the port M connects to is configured as Hybrid mode and belongs to VLAN 100 in
untagged mode. In this way the data of VLAN 100 is forwarded to the port connecting M, and the communication
requirement in VLAN 100 is met.
Figure 14-5-1 Typical topology application of dynamic VLAN
(SwitchA, SwitchB and SwitchC serve VLAN 100, VLAN 200 and VLAN 300; member M moves between them.)
Configuration Items         Configuration Explanation
MAC-based VLAN              Global configuration on Switch A, Switch B, Switch C.
For example, with M at E1/1 of SwitchA, the configuration procedures are as follows:
Switch A, Switch B, Switch C:
SwitchA(config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0
SwitchA(config)#interface ethernet 1/1
SwitchA(config-Ethernet1/1)#switchport mode hybrid
SwitchA(config-Ethernet1/1)#switchport hybrid allowed vlan 100 untagged
SwitchB(config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0
SwitchB(config)#exit
SwitchB#
SwitchC(config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0
SwitchC(config)#exit
SwitchC#
14.5.4 Dynamic VLAN Troubleshooting
 On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same
dynamic VLAN, the first communication between them may not go through. The solution is to let both devices
actively send a packet to the XGS3-42000R (for example a ping), so that the switch learns their source MACs;
afterwards the two devices can communicate freely within the dynamic VLAN.
Figure 14-5-2 Dynamic VLAN Troubleshooting
(Two hosts, 192.168.1.100/24 and 192.168.1.200/24, in the same dynamic VLAN each ping the other.)
14.6 Voice VLAN Configuration
14.6.1 Introduction to Voice VLAN
Voice VLAN is specially configured for user voice traffic. By setting a Voice VLAN and adding the ports of the
connected voice equipment to it, the user can configure QoS (Quality of Service) for voice data and raise the
transmission priority of voice traffic to ensure call quality.
The Chassis Switch decides whether traffic is voice traffic from specified equipment according to the source
MAC address field of the packets entering the port. A packet whose source MAC address matches a
system-defined voice equipment OUI (Organizationally Unique Identifier) is treated as voice traffic and
transmitted in the Voice VLAN.
The configuration is based on MAC addresses and relies on every voice device transmitting through the network
having its own unique MAC address. The VLAN tracks the address that belongs to the specified MAC. In this way
the voice equipment always belongs to the Voice VLAN when it is physically relocated. The greatest advantage
of this VLAN is that equipment is automatically placed into the Voice VLAN according to its voice traffic,
which is then transmitted at the specified priority. At the same time, when voice equipment is physically
relocated it still belongs to the Voice VLAN without any further configuration change, because membership is
based on the voice equipment rather than on the switch port.
Notice: Voice VLAN needs the Hybrid attribute of the ports to work, so the ports that may be added to the
Voice VLAN must be configured as Hybrid ports.
14.6.2 Voice VLAN Configuration
Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add a voice equipment to Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN to Voice VLAN
Command                                            Explanation
Global Mode
voice-vlan vlan <vlan-id>                          Set/cancel the VLAN as a Voice VLAN.
no voice-vlan
2. Add a voice equipment to a Voice VLAN
Command                                            Explanation
Global Mode
voice-vlan mac <mac-address> mask <mac-mask>       Specify that certain voice equipment joins/leaves the Voice
priority <priority-id> [name <voice-name>]         VLAN.
no voice-vlan {mac <mac-address> mask
<mac-mask>|name <voice-name>|all}
3. Enable the Voice VLAN of the port
Command                                            Explanation
Port Mode
switchport voice-vlan enable                       Enable/disable the Voice VLAN function on the port.
no switchport voice-vlan enable
14.6.3 Typical Applications of the Voice VLAN
Scenario:
A company implements voice communication by configuring a Voice VLAN. IP-phone1 and IP-phone2 can be
connected to any port of the switch and communicate normally, and are interconnected with other switches
through the uplink port. IP-phone1 has MAC address 00-30-4f-11-22-33 and connects to port 1/1 of the switch;
IP-phone2 has MAC address 00-30-4f-11-22-55 and connects to port 1/2 of the switch.
Figure 14-6-1 VLAN typical apply topology
(IP-phone1 and IP-phone2 connected to the switch.)
Configuration items         Configuration Explanation
Voice VLAN                  Global configuration on the Chassis Switch.
Configuration procedure:
Switch 1:
XGS3-42000R(config)#vlan 100
XGS3-42000R(config-Vlan100)#exit
XGS3-42000R(config)#voice-vlan vlan 100
XGS3-42000R(config)#voice-vlan mac 00-30-4f-11-22-33 mask 255 priority 5 name company
XGS3-42000R(config)#voice-vlan mac 00-30-4f-11-22-55 mask 255 priority 5 name company
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/10)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#switchport mode hybrid
XGS3-42000R(config-If-Ethernet1/1)#switchport hybrid allowed vlan 100 untag
XGS3-42000R(config-If-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#switchport mode hybrid
XGS3-42000R(config-If-Ethernet1/2)#switchport hybrid allowed vlan 100 untag
XGS3-42000R(config-If-Ethernet1/2)#exit
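How a hybrid port picks the VLAN for an untagged frame under the rules of sections 14.5 (MAC-, subnet- and protocol-based VLAN) and 14.6 (Voice VLAN), as an added example written for this page (not code from the manual or from PLANET). The MAC addresses and VLAN numbers come from the two scenarios; the frames are constructed in the code. Points the manual does not spell out are assumed and marked as such: MAC-VLAN wins over subnet-VLAN unless `dynamic-vlan subnet-vlan prefer` is set, protocol-VLAN is consulted last, Voice VLAN ranks with the preferred method, and the voice MAC mask is written as a 48-bit hex mask rather than the manual's numeric `mask 255` form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def mac_int(mac):
    """'00-30-4f-11-22-33' -> 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)

@dataclass
class Frame:                          # constructed sample input, not a capture
    src_mac: str
    ethertype: int = 0x0800
    src_ip: Optional[str] = None

@dataclass
class Port:
    name: str
    mode: str = "access"              # dynamic and Voice VLAN both require "hybrid"
    pvid: int = 1
    mac_vlan: bool = False            # switchport mac-vlan enable
    subnet_vlan: bool = False         # switchport subnet-vlan enable
    voice_vlan: bool = True           # 14.6.4: enabled on the port by default

class DynamicVlan:
    """Global dynamic VLAN / Voice VLAN tables of one switch (model, not firmware)."""
    def __init__(self, prefer="mac-vlan"):
        self.prefer = prefer          # dynamic-vlan {mac-vlan|subnet-vlan} prefer (assumed default: mac-vlan)
        self.mac_entries = {}         # mac -> (vid, priority)
        self.subnet_entries = []      # (network, vid, priority)
        self.protocol_entries = {}    # ethertype -> (vid, priority)
        self.voice_vid = None         # voice-vlan vlan <vlan-id>
        self.voice_entries = []       # (mac, mask, priority, name); mask assumed as 48-bit hex

    def add_mac(self, mac, vid, priority):
        if self.voice_vid is not None:
            raise ValueError("MAC-based VLAN and Voice VLAN cannot be used together (14.6.4)")
        self.mac_entries[mac_int(mac)] = (vid, priority)

    def add_subnet(self, cidr, vid, priority):
        self.subnet_entries.append((ipaddress.ip_network(cidr), vid, priority))

    def add_protocol(self, ethertype, vid, priority):
        self.protocol_entries[ethertype] = (vid, priority)

    def set_voice_vlan(self, vid):
        if self.mac_entries:
            raise ValueError("MAC-based VLAN and Voice VLAN cannot be used together (14.6.4)")
        self.voice_vid = vid

    def add_voice(self, mac, mask, priority, name):
        self.voice_entries.append((mac_int(mac), mac_int(mask), priority, name))

    def classify(self, port, frame):
        """(vid, priority, reason) for an untagged frame entering `port`."""
        if port.mode != "hybrid":
            return port.pvid, 0, "pvid: port is not hybrid"
        src, found = mac_int(frame.src_mac), []
        if port.mac_vlan and src in self.mac_entries:
            found.append(("mac-vlan",) + self.mac_entries[src])
        if port.subnet_vlan and frame.src_ip is not None:
            ip = ipaddress.ip_address(frame.src_ip)
            found += [("subnet-vlan", vid, prio) for net, vid, prio in self.subnet_entries if ip in net][:1]
        if port.voice_vlan and self.voice_vid is not None:
            for mac, mask, prio, _name in self.voice_entries:
                if (src & mask) == (mac & mask):      # OUI / prefix match on the source MAC
                    found.append(("voice-vlan", self.voice_vid, prio))
                    break
        if frame.ethertype in self.protocol_entries:
            found.append(("protocol-vlan",) + self.protocol_entries[frame.ethertype])
        if not found:
            return port.pvid, 0, "pvid: no dynamic match"
        rank = {self.prefer: 0, "voice-vlan": 0, "protocol-vlan": 2}   # everything else ranks 1
        reason, vid, prio = min(found, key=lambda c: rank.get(c[0], 1))
        return vid, prio, reason

def office_demo():
    """14.5.3: member M (00-30-4f-11-22-33) keeps VLAN 100 on any hybrid port."""
    cfg = DynamicVlan()
    cfg.add_mac("00-30-4f-11-22-33", 100, 0)
    cfg.add_subnet("10.20.0.0/16", 300, 0)            # assumed extra rule, only to show precedence
    hybrid = Port("Ethernet1/1", mode="hybrid", pvid=200, mac_vlan=True, subnet_vlan=True)
    m = Frame("00-30-4f-11-22-33", src_ip="10.20.1.5")
    by_mac = cfg.classify(hybrid, m)[0]
    cfg.prefer = "subnet-vlan"                        # dynamic-vlan subnet-vlan prefer
    by_subnet = cfg.classify(hybrid, m)[0]
    visitor = cfg.classify(hybrid, Frame("00-30-4f-aa-bb-cc", src_ip="192.168.9.9"))[0]
    forged = cfg.classify(hybrid, Frame("00-30-4f-11-22-33"))[0]   # anyone sending M's MAC gets VLAN 100
    access = cfg.classify(Port("Ethernet1/2", pvid=200, mac_vlan=True), m)[0]
    return by_mac, by_subnet, visitor, forged, access

def voice_demo():
    """14.6.3: phones with OUI 00-30-4f land in Voice VLAN 100 at priority 5."""
    cfg = DynamicVlan()
    cfg.set_voice_vlan(100)
    cfg.add_voice("00-30-4f-00-00-00", "ff-ff-ff-00-00-00", 5, "company")
    port = Port("Ethernet1/1", mode="hybrid", pvid=1)
    phone = cfg.classify(port, Frame("00-30-4f-11-22-55"))
    laptop = cfg.classify(port, Frame("00-1b-21-ab-cd-ef"))
    try:
        cfg.add_mac("00-30-4f-11-22-33", 100, 0)
        exclusive = False
    except ValueError:
        exclusive = True
    return phone[:2], laptop[:2], exclusive
```

The `forged` result is the caveat to keep in mind: every method here classifies on fields the sender controls (source MAC, source IP, EtherType), so a dynamic VLAN is a convenience for roaming users, not an access control; a host that sends M's MAC address lands in VLAN 100 just the same. The `access` result shows the Hybrid requirement from the notices above: on a non-hybrid port the entries are simply not consulted and the PVID applies.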
14.6.4 Voice VLAN Troubleshooting
 Voice VLAN cannot be applied concurrently with MAC-based VLAN.
 The Voice VLAN supports at most 1024 voice devices; devices beyond that number are not supported.
 The Voice VLAN function on the port is enabled by default. If the configured devices can no longer enter
the Voice VLAN during operation, check whether the Voice VLAN function has been disabled on the port.
Chapter 15 MAC Table Configuration
15.1 Introduction to MAC Table
The MAC table identifies the mapping between destination MAC addresses and Chassis Switch ports. MAC
addresses are categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are
configured manually by the user, have the highest priority and are permanently effective (they are not
overwritten by dynamic MAC addresses); dynamic MAC addresses are entries the Chassis Switch learns while
forwarding data frames, and they are effective only for a limited period. When the switch receives a data
frame to be forwarded, it stores the frame's source MAC address and creates a mapping from it to the port the
frame arrived on. It then queries the MAC table for the destination MAC address: on a hit the frame is
forwarded out of the associated port, otherwise the Chassis Switch floods the frame to its broadcast domain.
If a dynamic MAC address is not seen again as the source of forwarded frames for a long time, the entry is
deleted from the MAC table.
There are two MAC table operations:
1. Obtain a MAC address.
2. Forward or filter data frames according to the MAC table.
15.1.1 Obtaining MAC Table
The MAC table can be built up statically and dynamically. Static configuration sets up a mapping between MAC
addresses and ports; dynamic learning is the process in which the Chassis Switch learns the mapping between
MAC addresses and ports and updates the MAC table regularly. This section focuses on the dynamic learning
process of the MAC table.
Figure 15-1-1 MAC Table dynamic learning
(PC1, MAC 00-01-11-11-11-11, and PC2, MAC 00-01-22-22-22-22, share the segment on port 5; PC3, MAC
00-01-33-33-33-33, and PC4, MAC 00-01-44-44-44-44, share the segment on port 12.)
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same
physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the
same physical segment, which connects to port 1/12 of the switch.
The initial MAC table contains no address mapping entries. Taking the communication of PC1 and PC3 as an
example, the MAC address learning process is as follows:
1. When PC1 sends a message to PC3, the switch receives the source MAC address 00-01-11-11-11-11 from this
message, and the mapping entry of 00-01-11-11-11-11 and port 1/5 is added to the switch MAC table.
2. At the same time, the switch learns the message is destined to 00-01-33-33-33-33; as the MAC table
contains only a mapping entry of MAC address 00-01-11-11-11-11 and port 1/5, and no port mapping for
00-01-33-33-33-33 is present, the switch broadcasts this message to all the ports in the XGS3-42000R
(assuming all ports belong to the default VLAN 1).
3. PC3 and PC4 on port 1/12 receive the message sent by PC1, but PC4 will not reply, as the destination MAC
address is 00-01-33-33-33-33; only PC3 replies to PC1. When port 1/12 receives the message sent by PC3, a
mapping entry for MAC address 00-01-33-33-33-33 and port 1/12 is added to the MAC table.
4. Now the MAC table has two dynamic entries, MAC address 00-01-11-11-11-11 - port 1/5 and
00-01-33-33-33-33 - port 1/12.
5. After the communication between PC1 and PC3, the switch does not receive any message sent from PC1 and
PC3, and the MAC address mapping entries in the MAC table are deleted after 300 seconds. 300 seconds is the
default aging time for MAC address entries in the switch. The aging time can be modified in the switch.
15.1.2 Forward or Filter
The Chassis Switch forwards or filters received data frames according to the MAC table. Taking the above
figure as an example, assume the Chassis Switch has learnt the MAC addresses of PC1 and PC3, and the user has
manually configured the port mappings for PC2 and PC4. The MAC table of the Chassis Switch will be:
MAC Address              Port number    Entry added by
00-01-11-11-11-11        1/5            Dynamic learning
00-01-22-22-22-22        1/5            Static configuration
00-01-33-33-33-33        1/12           Dynamic learning
00-01-44-44-44-44        1/12           Static configuration
1. Forward data according to the MAC table
If PC1 sends a message to PC3, the Chassis Switch forwards the data received on port 1/5 out of port 1/12.
2. Filter data according to the MAC table
If PC1 sends a message to PC2, the Chassis Switch, on checking the MAC table, finds that PC2 and PC1 are in
the same physical segment and filters the message (i.e. drops it).
Three types of frames can be forwarded by the Chassis Switch:
 Broadcast frame
 Multicast frame
 Unicast frame
The following describes how the Chassis Switch deals with the three types of frames:
 Broadcast frame: The switch segregates collision domains but not broadcast domains. If no VLAN is set, all
devices connected to the Chassis Switch are in the same broadcast domain. When the Chassis Switch receives a
broadcast frame, it forwards the frame on all ports. When VLANs are configured in the Chassis Switch, the MAC
table is adapted accordingly to add VLAN information. In this case the Chassis Switch does not forward the
received broadcast frames on all ports, but only on all ports in the same VLAN.
 Multicast frame: When the IGMP Snooping function is not enabled, multicast frames are processed in the same
way as broadcast frames; when IGMP Snooping is enabled, the Chassis Switch only forwards multicast frames to
the ports belonging to that multicast group.
 Unicast frame: When no VLAN is configured, if the destination MAC address is in the Chassis Switch MAC
table, the Chassis Switch forwards the frame directly to the associated port; when the destination MAC address
of a unicast frame is not found in the MAC table, the Chassis Switch floods the unicast frame. When VLANs are
configured, the switch forwards unicast frames within the same VLAN. If the destination MAC address is found
in the MAC table but belongs to a different VLAN, the Chassis Switch can only flood the unicast frame within
the VLAN it belongs to.
15.2 Mac Address Table Configuration Task List
1. Configure the MAC address aging-time
2. Configure static MAC forwarding or filter entry
1. Configure the MAC aging-time
Command                                              Explanation
Global Mode
mac-address-table aging-time <0|aging-time>          Configure the MAC address aging-time.
no mac-address-table aging-time
2. Configure static MAC forwarding or filter entry
Command                                              Explanation
Global Mode
mac-address-table {static | blackhole}               Configure a static MAC forwarding or filter entry.
address <mac-addr> vlan <vlan-id>
[interface [ethernet | portchannel]
<interface-name>] | [source|destination|both]
no mac-address-table {static | blackhole |
dynamic} [address <mac-addr>] [vlan
<vlan-id>] [interface [ethernet |
portchannel] <interface-name>]
15.3 Typical Configuration Examples
Figure 15-3-1 MAC Table typical configuration example
(PC1, MAC 00-01-11-11-11-11, on port 1/5; PC2, MAC 00-01-22-22-22-22, on port 1/7; PC3, MAC
00-01-33-33-33-33, on port 1/9; PC4, MAC 00-01-44-44-44-44, on port 1/11.)
Scenario:
Four PCs as shown in the above figure connect to ports 1/5, 1/7, 1/9 and 1/11 of the Chassis Switch, and all
four PCs belong to the default VLAN 1. As required by the network environment, dynamic learning is enabled. PC1
holds sensitive data and must not be accessible by any other PC in another physical segment; PC2 and PC3 have
static mappings set to port 7 and port 9, respectively.
The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter (blackhole) address, using the syntax of 15.2.
XGS3-42000R(config)#mac-address-table blackhole address 00-01-11-11-11-11 vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 7 and port 9, respectively.
XGS3-42000R(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 1/7
XGS3-42000R(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/9
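The learning, forwarding, filtering and aging behaviour of 15.1 to 15.3 in software, as an added example written for this page (it is not the switch's firmware and not code from the manual). It replays the 15.3 scenario with the MAC addresses and ports of the figure above. One assumption is made: a blackhole entry is modelled as filtering its MAC both as source and as destination, so the `source|destination|both` option of the command is not modelled separately. Aging is driven by a `now` argument instead of the wall clock, so the 300-second default can be exercised deterministically.

```python
DROP = "drop"

def is_group_address(mac):
    """Broadcast and multicast destinations have the I/G bit set in the first octet."""
    return int(mac.split("-")[0], 16) & 1 == 1

class MacTable:
    """(vlan, mac) -> entry; an entry is 'dynamic', 'static' or 'blackhole'."""
    def __init__(self, aging_time=300):              # 300 s is the manual's default
        self.aging_time = aging_time
        self.entries = {}
        self.vlan_ports = {}                         # vlan -> set of member ports

    def set_vlan_ports(self, vlan, ports):
        self.vlan_ports[vlan] = set(ports)

    def add_static(self, mac, vlan, port):           # mac-address-table static address ... interface ...
        self.entries[(vlan, mac)] = {"kind": "static", "port": port, "seen": None}

    def add_blackhole(self, mac, vlan):              # mac-address-table blackhole address ... vlan ...
        self.entries[(vlan, mac)] = {"kind": "blackhole", "port": None, "seen": None}

    def learn(self, mac, vlan, port, now):
        """Dynamic learning; never overwrites a static or blackhole entry."""
        entry = self.entries.get((vlan, mac))
        if entry is not None and entry["kind"] != "dynamic":
            return False
        self.entries[(vlan, mac)] = {"kind": "dynamic", "port": port, "seen": now}
        return True

    def age(self, now):
        """Delete dynamic entries idle for aging_time; returns how many were removed."""
        expired = [key for key, e in self.entries.items()
                   if e["kind"] == "dynamic" and now - e["seen"] >= self.aging_time]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def forward(self, src, dst, vlan, in_port, now):
        """Learn src, then decide: an egress port, a list of ports (flood) or DROP."""
        members = self.vlan_ports[vlan]
        src_entry = self.entries.get((vlan, src))
        if src_entry is not None and src_entry["kind"] == "blackhole":
            return DROP                               # filtered as a source address (assumed)
        self.learn(src, vlan, in_port, now)
        if is_group_address(dst):
            return sorted(members - {in_port})        # broadcast/multicast: whole VLAN
        dst_entry = self.entries.get((vlan, dst))
        if dst_entry is None:
            return sorted(members - {in_port})        # unknown unicast: flood within the VLAN
        if dst_entry["kind"] == "blackhole":
            return DROP                               # filtered as a destination address
        if dst_entry["port"] == in_port:
            return DROP                               # same segment: filter, do not echo back
        return dst_entry["port"]

def scenario_15_3():
    """Replays the 15.3 scenario: PC1 blackholed, PC2/PC3 static, PC4 learned dynamically."""
    pc1, pc2, pc3, pc4 = ("00-01-11-11-11-11", "00-01-22-22-22-22",
                          "00-01-33-33-33-33", "00-01-44-44-44-44")
    table = MacTable()
    table.set_vlan_ports(1, ["1/5", "1/7", "1/9", "1/11"])
    table.add_blackhole(pc1, 1)
    table.add_static(pc2, 1, "1/7")
    table.add_static(pc3, 1, "1/9")
    to_pc2 = table.forward(pc4, pc2, 1, "1/11", now=0)       # static hit -> 1/7
    reply = table.forward(pc2, pc4, 1, "1/7", now=1)         # PC4 was learned -> 1/11
    to_pc1 = table.forward(pc3, pc1, 1, "1/9", now=2)        # blackhole destination -> drop
    from_pc1 = table.forward(pc1, pc4, 1, "1/5", now=3)      # blackhole source -> drop
    table.forward(pc2, pc4, 1, "1/11", now=4)                # PC2's MAC forged from port 1/11
    pc2_port = table.entries[(1, pc2)]["port"]               # static entry is not moved
    flood = table.forward(pc4, "00-01-55-55-55-55", 1, "1/11", now=5)
    expired = table.age(now=305)                             # PC4 ages out, statics stay
    return to_pc2, reply, to_pc1, from_pc1, pc2_port, flood, expired, len(table.entries)
```

Two things the replay makes visible. The static entry for PC2 is not moved when the same MAC is seen arriving on port 1/11, which is what protects a static mapping from a spoofed source. The blackhole entry keys on the MAC address alone: it stops traffic to and from 00-01-11-11-11-11, but nothing in the MAC table stops another host on PC1's segment from using a different address, so the "sensitive data" requirement of the scenario is only met for hosts that keep their factory MAC.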
15.4 MAC Table Troubleshooting
Using the show mac-address-table command, a port is found to have failed to learn the MAC of a device
connected to it. Possible reasons:
 The connected cable is broken.
 Spanning Tree is enabled and the port is in "discarding" state; or the device has just been connected to
the port and Spanning Tree is still calculating. Wait until the Spanning Tree calculation finishes, and the
port will learn the MAC address.
 If none of the above applies, check the Chassis Switch port and contact technical support for a solution.
15.5 MAC Address Function Extension
15.5.1 MAC Address Binding
15.5.1.1 Introduction to MAC Address Binding
Most switches support MAC address learning: each port can dynamically learn several MAC addresses, so that
data streams between known MAC addresses on the ports can be forwarded. If a MAC address is aged out, packets
destined for that entry are flooded. In other words, a MAC address learned on a port is used for forwarding on
that port; if the connection is moved to another port, the switch learns the MAC address again and forwards
data on the new port.
However, in some cases security or management policy requires MAC addresses to be bound to ports, so that only
data streams from the bound MAC addresses are forwarded on those ports. That is to say, after a MAC address is
bound to a port, only frames whose source MAC address is that bound address may enter through the binding
port; frames from other MAC addresses that are not bound to the port are not allowed to pass through the port.
15.5.1.2 MAC Address Binding Configuration Task List
1. Enable MAC address binding function for the ports
2. Lock the MAC addresses for a port
3. MAC address binding property configuration
1. Enable MAC address binding function for the ports
Command                                          Explanation
Port Mode
switchport port-security                         Enable the MAC address binding function for the port and lock the
no switchport port-security                      port. When a port is locked, the MAC address learning function for
                                                 the port is disabled; the "no switchport port-security" command
                                                 disables the MAC address binding function for the port and restores
                                                 the MAC address learning function for the port.
2. Lock the MAC addresses for a port
Command                                          Explanation
Port Mode
switchport port-security lock                    Lock the port; afterwards MAC addresses are no longer learned. The
no switchport port-security lock                 "no switchport port-security lock" command restores the function.
switchport port-security convert                 Convert dynamic secure MAC addresses learned by the port to static
                                                 secure MAC addresses.
switchport port-security timeout <value>         Enable the port locking timer function; the "no switchport
no switchport port-security timeout              port-security timeout" command restores the default setting.
switchport port-security mac-address             Add a static secure MAC address; the "no switchport port-security
<mac-address>                                    mac-address" command deletes a static secure MAC address.
no switchport port-security mac-address
<mac-address>
Admin Mode
clear port-security dynamic [address             Clear dynamic MAC addresses learned by the specified port.
<mac-addr> | interface <interface-id>]
3. MAC address binding property configuration
Command                                          Explanation
Port Mode
switchport port-security maximum <value>         Set the maximum number of secure MAC addresses for a port; the "no
no switchport port-security maximum <value>      switchport port-security maximum" command restores the default
                                                 value.
switchport port-security violation               Set the violation mode for the port; the "no switchport
{protect | shutdown}                             port-security violation" command restores the default setting.
no switchport port-security violation
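A state model of the port-security behaviour described in 15.5.1, as an added example written for this page (it is not the switch's implementation and not code from the manual). It models one port with `maximum`, static and dynamically learned secure addresses, `convert`, `lock`, `clear port-security dynamic` and the protect/shutdown violation modes. Two points the manual does not state are assumed: a port learns dynamic secure addresses up to `maximum` until it is locked, and a shutdown violation keeps the port down until an operator intervenes. The `timeout` timer is not modelled. The MAC addresses are the ones used in 15.3.

```python
class PortSecurity:
    """Port-security state of a single port (illustrative model, not firmware)."""
    def __init__(self, maximum=1, violation="protect"):
        self.maximum = maximum            # switchport port-security maximum <value>
        self.violation = violation        # switchport port-security violation {protect|shutdown}
        self.locked = False               # switchport port-security lock
        self.static = set()               # switchport port-security mac-address <mac>
        self.dynamic = set()              # secure addresses learned on the port (assumed behaviour)
        self.err_disabled = False
        self.violations = 0

    def secure_count(self):
        return len(self.static) + len(self.dynamic)

    def add_static(self, mac):
        if mac not in self.static and self.secure_count() >= self.maximum:
            raise ValueError("maximum number of secure addresses reached")
        self.dynamic.discard(mac)
        self.static.add(mac)

    def lock(self, on=True):
        self.locked = on

    def convert(self):
        """switchport port-security convert: dynamic secure addresses become static."""
        self.static |= self.dynamic
        self.dynamic.clear()

    def clear_dynamic(self):
        """clear port-security dynamic: forget everything learned, keep static entries."""
        self.dynamic.clear()

    def ingress(self, src_mac):
        """Fate of a frame with source `src_mac`: 'forward', 'protect'
        (frame dropped, port stays up) or 'shutdown' (port is down)."""
        if self.err_disabled:
            return "shutdown"
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if not self.locked and self.secure_count() < self.maximum:
            self.dynamic.add(src_mac)         # learn it as a dynamic secure address
            return "forward"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True          # assumed: stays down until an operator clears it
            return "shutdown"
        return "protect"

def protect_mode_demo():
    port = PortSecurity(maximum=2, violation="protect")
    port.add_static("00-01-22-22-22-22")
    known = port.ingress("00-01-22-22-22-22")
    learned = port.ingress("00-01-44-44-44-44")          # second address fills the limit
    rejected = port.ingress("00-01-66-66-66-66")         # third address: dropped silently
    port.convert()                                       # keep 00-01-44-... permanently
    port.clear_dynamic()
    after_clear = port.ingress("00-01-44-44-44-44")      # still allowed: it is static now
    return known, learned, rejected, after_clear, port.violations, sorted(port.static)

def shutdown_mode_demo():
    port = PortSecurity(maximum=1, violation="shutdown")
    first = port.ingress("00-01-22-22-22-22")
    intruder = port.ingress("00-01-44-44-44-44")         # violation: the port is shut down
    victim = port.ingress("00-01-22-22-22-22")           # the legitimate host is cut off too
    return first, intruder, victim

def lock_demo():
    port = PortSecurity(maximum=8)
    before = port.ingress("00-01-22-22-22-22")
    port.lock()                                          # freeze the learned set
    after = port.ingress("00-01-44-44-44-44")
    return before, after, sorted(port.dynamic)
```

The shutdown demo shows the trade-off between the two violation modes: protect silently drops the offending frames and keeps the legitimate host working, while shutdown takes the whole port down, so a single forged source address from a device behind the same port also disconnects the legitimate host. Shutdown is the choice where a port going down should raise an alert; protect where availability matters more. Either way, `convert` after the expected hosts have been seen turns the learned set into static entries that survive `clear port-security dynamic`.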
15.5.1.3 MAC Address Binding Troubleshooting
Enabling MAC address binding for ports may fail in some occasions. Here are some possible causes and
solutions:
Chapter 16 MSTP Configuration
16.1 Introduction to MSTP
The MSTP (Multiple STP) is a newer spanning-tree protocol based on STP and RSTP. It runs on all the bridges of
a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of
the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning-tree instances (MSTIs)
for each MST region (MSTP region). MSTP, which adopts RSTP for rapid convergence of the spanning tree, enables
multiple VLANs to be mapped to the same spanning-tree instance, which is independent of the other
spanning-tree instances. MSTP provides multiple forwarding paths for data traffic and enables load balancing.
Moreover, because multiple VLANs share the same MSTI, MSTP reduces the number of spanning-tree instances,
which consumes fewer CPU resources and reduces bandwidth consumption.
16.1.1 MSTP Region
Because multiple VLANs can be mapped to a single spanning tree instance, the IEEE 802.1s committee introduced
the MST concept. MST is used to associate a certain VLAN with a certain spanning tree instance.
An MSTP region is composed of one or more bridges with the same MCID (MST Configuration Identifier) and the
bridged LAN (a certain bridge in the MSTP region is the designated bridge of the LAN, and the bridges attached
to the LAN are not running STP). All the bridges in the same MSTP region have the same MCID.
The MCID consists of 3 attributes:
 Configuration Name: composed of digits and letters
 Revision Level
 Configuration Digest: the mapping of VLANs to spanning tree instances
Bridges with the same 3 attributes above are considered to be in the same MST region.
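How the Configuration Digest is derived and how the three attributes decide region membership, as an added example written for this page (not vendor code and not from the manual): the digest is an HMAC-MD5 over the 4096-entry VLAN-to-instance table, keyed with the constant fixed by IEEE 802.1s. The region name and VLAN mapping in `region_demo` are constructed for the example.

```python
import hashlib
import hmac

# HMAC-MD5 key specified by IEEE 802.1s (now 802.1Q clause 13) for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def mst_config_table(vlan_to_instance):
    """MST Configuration Table: 4096 consecutive 2-octet MSTIDs, element i holding the
    instance of VID i. Unmapped VIDs belong to the CIST (instance 0); VID 0 and VID 4095
    are reserved and always map to the CIST."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError("VID %d cannot be mapped" % vid)
        if not 0 <= msti <= 4094:
            raise ValueError("MSTI %d out of range" % msti)
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)

def mst_config_digest(vlan_to_instance):
    """Configuration Digest as carried in MST BPDUs, as an upper-case hex string."""
    mac = hmac.new(MST_DIGEST_KEY, mst_config_table(vlan_to_instance), hashlib.md5)
    return mac.hexdigest().upper()

def mcid(name, revision, vlan_to_instance):
    """MST Configuration Identifier: the three attributes bridges compare."""
    if len(name.encode()) > 32 or not 0 <= revision <= 0xFFFF:
        raise ValueError("name is at most 32 octets, revision is 16 bits")
    return (name, revision, mst_config_digest(vlan_to_instance))

def same_region(mcid_a, mcid_b):
    """Two bridges are in one MST region only if all three attributes match."""
    return mcid_a == mcid_b

def region_demo():
    """Constructed example: bridges A and B agree; C differs in one VLAN mapping and
    therefore forms its own region even with the same name and revision."""
    mapping = {vid: 1 for vid in range(10, 20)}
    mapping.update({vid: 2 for vid in range(20, 30)})
    a = mcid("planet-mst", 1, mapping)
    b = mcid("planet-mst", 1, dict(mapping))
    drifted = dict(mapping)
    drifted[25] = 1                       # one VLAN in the wrong instance
    c = mcid("planet-mst", 1, drifted)
    return same_region(a, b), same_region(a, c)
```

With no VLAN mapped the digest is the value switches display for an unconfigured MST region, 0xAC36177F50283CD4B83821D8AB26DE62. The third bridge in the demo shows the operational point: one VLAN mapped to a different instance changes the digest and silently splits the region although name and revision still match, so all three values should be compared on every bridge after a change. The MCID travels in clear text in every MST BPDU and nothing in it authenticates the sender.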
When MSTP calculates the CIST in a bridged LAN, an MSTP region is treated as a single bridge. See the figure
below:
Figure 16-1-1 Example of CIST and MST Region
(A Root bridge and bridges A, B, C, D, E, F and M; a subset of them, shaded in the original figure, forms the
MST region.)
In the above network, if the bridges run STP or RSTP, one port between Bridge M and Bridge B should be blocked.
But if the bridges inside the shaded area run MSTP and are configured in the same MST region, MSTP treats this
region as a single bridge. Therefore one port between Bridge B and the Root is blocked and one port on Bridge
D is blocked.
16.1.1.1 Operations within an MSTP Region
The IST connects all the MSTP bridges in a region. When the IST converges, the root of the IST becomes the IST
master, which is the switch within the region with the lowest bridge ID and path cost to the CST root. The IST
master is also the CST root if there is only one region within the network. If the CST root is outside the
region, one of the MSTP bridges at the boundary of the region is selected as the IST master.
When an MSTP bridge initializes, it sends BPDUs claiming itself as the root of the CST and the IST master,
with both the path cost to the CST root and the path cost to the IST master set to zero. The bridge also
initializes all of its MST instances and claims to be the root for all of them. If the bridge receives
superior MST root information (lower bridge ID, lower path cost, and so forth) than currently stored for the
port, it relinquishes its claim as the IST master. Within an MST region, the IST is the only spanning-tree
instance that sends and receives BPDUs. Because the MST BPDU carries information for all instances, the number
of BPDUs a switch needs to process to support multiple spanning-tree instances is significantly reduced.
All MST instances within the same region share the same protocol timers, but each MST instance has its own
topology parameters, such as root switch ID, root path cost, and so forth.
16.1.1.2 Operations between MST Regions
If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the
CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine
with the IST at the boundary of the region to become the CST.
An MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions. The
bridges in an MST region receive the MST BPDUs of other regions through Boundary Ports. They only process
CIST-related information and discard the MSTI information.
16.1.2 Port Roles
The MSTP bridge assigns a port role to each port which runs MSTP.
 CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port
 On top of those roles, each MSTI port has one new role: Master Port.
The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the
same way as those in RSTP.
16.1.3 MSTP Load Balance
In an MSTP region, VLANs can be mapped to various instances, which can form various topologies. Each
instance is independent from the others and each instance can have its own attributes such as bridge priority
and port cost. Consequently, the VLANs in different instances have their own paths, and the traffic of the
VLANs is load-balanced across them.
16.2 MSTP Configuration Task List
MSTP configuration task list:
1. Enable MSTP and set the running mode
2. Configure instance parameters
3. Configure MSTP region parameters
4. Configure MSTP time parameters
5. Configure the fast migrate feature for MSTP
6. Configure the format of port packet
7. Configure the snooping attribute of authentication key
8. Configure the FLUSH mode once topology changes
1. Enable MSTP and set the running mode
Command / Explanation
Global Mode and Port Mode
spanning-tree
no spanning-tree
    Enable/disable MSTP.
Global Mode
spanning-tree mode {mstp|stp|rstp}
no spanning-tree mode
    Set the MSTP running mode.
Port Mode
spanning-tree mcheck
    Force the port to migrate to running under MSTP.
2. Configure instance parameters
Command / Explanation
Global Mode
spanning-tree mst <instance-id> priority <bridge-priority>
no spanning-tree mst <instance-id> priority
    Set the bridge priority for the specified instance.
spanning-tree priority <bridge-priority>
no spanning-tree priority
    Configure the spanning-tree priority of the switch.
Port Mode
spanning-tree mst <instance-id> cost <cost>
no spanning-tree mst <instance-id> cost
    Set the port path cost for the specified instance.
spanning-tree mst <instance-id> port-priority <port-priority>
no spanning-tree mst <instance-id> port-priority
    Set the port priority for the specified instance.
spanning-tree mst <instance-id> rootguard
no spanning-tree mst <instance-id> rootguard
    Configure whether the current port runs rootguard in the specified instance; a rootguard port
    cannot become the root port.
spanning-tree rootguard
no spanning-tree rootguard
    Configure whether the current port runs rootguard in instance 0; a rootguard port cannot
    become the root port.
3. Configure MSTP region parameters
Command / Explanation
Global Mode
spanning-tree mst configuration
no spanning-tree mst configuration
    Enter MSTP region mode. The no command restores the default setting.
MSTP region mode
instance <instance-id> vlan <vlan-list>
no instance <instance-id> [vlan <vlan-list>]
    Create an instance and set the mapping between VLAN and instance.
name <name>
no name
    Set the MSTP region name.
revision-level <level>
no revision-level
    Set the MSTP region revision level.
abort
    Quit MSTP region mode and return to Global mode without saving the MSTP region configuration.
exit
    Quit MSTP region mode and return to Global mode, saving the MSTP region configuration.
4. Configure MSTP time parameters
Command / Explanation
Global Mode
spanning-tree forward-time <time>
no spanning-tree forward-time
    Set the value of the switch forward delay time.
spanning-tree hello-time <time>
no spanning-tree hello-time
    Set the Hello time for sending BPDU messages.
spanning-tree maxage <time>
no spanning-tree maxage
    Set the aging time for BPDU messages.
spanning-tree max-hop <hop-count>
no spanning-tree max-hop
    Set the maximum number of hops of BPDU messages in the MSTP region.
5. Configure the fast migrate feature for MSTP
Command / Explanation
Port Mode
spanning-tree link-type p2p {auto|force-true|force-false}
no spanning-tree link-type
    Set the port link type.
spanning-tree portfast [bpdufilter|bpduguard]
no spanning-tree portfast
    Set or cancel the port as a boundary port. With bpdufilter, a received BPDU is discarded; with
    bpduguard, a received BPDU disables the port; with no parameter, a received BPDU makes the port
    a non-boundary port.
6. Configure the format of MSTP
Command / Explanation
Port Mode
spanning-tree format standard
spanning-tree format privacy
spanning-tree format auto
no spanning-tree format
    Configure the format of the port spanning-tree packet: standard is the format provided by IEEE,
    privacy is compatible with CISCO, and auto means the format is determined by checking the
    received packet.
7. Configure the snooping attribute of authentication key
Command / Explanation
Port Mode
spanning-tree digest-snooping
no spanning-tree digest-snooping
    Set the port to use the authentication string of the partner port. The no command restores use
    of the generated string.
8. Configure the FLUSH mode once topology changes
Command / Explanation
Global Mode
spanning-tree tcflush {enable|disable|protect}
no spanning-tree tcflush
    Enable: the spanning tree flushes once the topology changes. Disable: the spanning tree does not
    flush when the topology changes. Protect: the spanning tree flushes no more than once every ten
    seconds. The no command restores the default setting, enable (flush once the topology changes).
Port Mode
spanning-tree tcflush {enable|disable|protect}
no spanning-tree tcflush
    Configure the port flush mode. The no command restores use of the globally configured flush
    mode.
16.3 MSTP Example
The following is a typical MSTP application example:
Figure 16-3-1 Typical MSTP Application Scenario (Switch1 to Switch4 with numbered ports; ports marked "x" are discarding)
The connections among the switches are shown in the above figure. All the switches run in MSTP mode
by default, and their bridge priority, port priority and port route cost are all at the default (equal) values. The
default configuration for the switches is listed below:
Bridge Name           Switch1      Switch2      Switch3      Switch4
Bridge MAC Address    …00-00-01    …00-00-02    …00-00-03    …00-00-04
Bridge Priority       32768        32768        32768        32768
Port Priority (one value per switch that has the port)
  Port 1              128          128          128
  Port 2              128          128          128
  Port 3              128          128
  Port 4              128          128
  Port 5              128          128
  Port 6              128          128
  Port 7              128          128
Route Cost (one value per switch that has the port)
  Port 1              200000       200000       200000
  Port 2              200000       200000       200000
  Port 3              200000       200000
  Port 4              200000       200000
  Port 5              200000       200000
  Port 6              200000       200000
  Port 7              200000       200000
By default, MSTP establishes a tree topology (in blue lines) rooted at SwitchA. The ports marked with
"x" are in the discarding state, and the other ports are in the forwarding state.
Configuration steps:
Step 1: Configure the port to VLAN mapping:
 Create VLANs 20, 30, 40 and 50 in Switch2, Switch3 and Switch4.
 Set ports 1-7 as trunk ports in Switch2, Switch3 and Switch4.
Step 2: Put Switch2, Switch3 and Switch4 in the same MSTP region:
 Give Switch2, Switch3 and Switch4 the same region name, mstp.
 Map VLAN 20 and VLAN 30 in Switch2, Switch3 and Switch4 to Instance 3; map VLAN 40 and VLAN
50 in Switch2, Switch3 and Switch4 to Instance 4.
Step 3: Set Switch3 as the root bridge of Instance 3 and Switch4 as the root bridge of Instance 4:
 Set the bridge priority of Instance 3 in Switch3 to 0.
 Set the bridge priority of Instance 4 in Switch4 to 0.
The detailed configuration is listed below:
Switch2:
Switch2(config)#vlan 20
Switch2(Config-Vlan20)#exit
Switch2(config)#vlan 30
Switch2(Config-Vlan30)#exit
Switch2(config)#vlan 40
Switch2(Config-Vlan40)#exit
Switch2(config)#vlan 50
Switch2(Config-Vlan50)#exit
Switch2(config)#spanning-tree mst configuration
Switch2(Config-Mstp-Region)#name mstp
Switch2(Config-Mstp-Region)#instance 3 vlan 20;30
Switch2(Config-Mstp-Region)#instance 4 vlan 40;50
Switch2(Config-Mstp-Region)#exit
Switch2(config)#interface e1/1-7
Switch2(Config-Port-Range)#switchport mode trunk
Switch2(Config-Port-Range)#exit
Switch2(config)#spanning-tree
Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/1-7
Switch3(Config-Port-Range)#switchport mode trunk
Switch3(Config-Port-Range)#exit
Switch3(config)#spanning-tree
Switch3(config)#spanning-tree mst 3 priority 0
Switch4:
Switch4(config)#vlan 20
Switch4(Config-Vlan20)#exit
Switch4(config)#vlan 30
Switch4(Config-Vlan30)#exit
Switch4(config)#vlan 40
Switch4(Config-Vlan40)#exit
Switch4(config)#vlan 50
Switch4(Config-Vlan50)#exit
Switch4(config)#spanning-tree mst configuration
Switch4(Config-Mstp-Region)#name mstp
Switch4(Config-Mstp-Region)#instance 3 vlan 20;30
Switch4(Config-Mstp-Region)#instance 4 vlan 40;50
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/1-7
Switch4(Config-Port-Range)#switchport mode trunk
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0
After the above configuration, Switch1 is the root bridge of instance 0 of the entire network. In the MSTP
region to which Switch2, Switch3 and Switch4 belong, Switch2 is the region root of instance 0, Switch3 is
the region root of instance 3 and Switch4 is the region root of instance 4. The traffic of VLAN 20 and
VLAN 30 is sent through the topology of instance 3. The traffic of VLAN 40 and VLAN 50 is sent through
the topology of instance 4. The traffic of all other VLANs is sent through the topology of instance 0.
Port 1 of Switch2 is the master port of instance 3 and instance 4.
The MSTP calculation generates 3 topologies: instance 0, instance 3 and instance 4 (marked with
blue lines). The ports marked "x" are in the discarding state. The other ports are in the forwarding
state. Because instance 3 and instance 4 are only valid in the MSTP region, the following figures
only show the topology of the MSTP region.
Figure 16-3-2 The Topology of Instance 0 after the MSTP Calculation (Switch1 to Switch4; ports marked "X" are discarding)
Figure 16-3-3 The Topology of Instance 3 after the MSTP Calculation (Switch2 to Switch4; ports marked "X" are discarding)
Figure 16-3-4 The Topology of Instance 4 after the MSTP Calculation (Switch2 to Switch4; ports marked "X" are discarding)
16.4 MSTP Troubleshooting
 In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not
enabled globally, it can't be enabled on the port.
 The MSTP parameters work together, so they must meet the following conditions; otherwise,
MSTP may work incorrectly.
2 × (Bridge_Forward_Delay - 1.0 seconds) >= Bridge_Max_Age
Bridge_Max_Age >= 2 × (Bridge_Hello_Time + 1.0 seconds)
 When users modify the MSTP parameters, they have to be sure about the resulting changes to the
topologies. The global configuration is based on the bridge. Other configurations are based on the
individual instances.
Chapter 17 QoS Configuration
17.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network
traffic, thereby providing better service for selected network traffic. QoS is a guarantee of service quality:
consistent and predictable data transfer service that fulfils program requirements. QoS cannot generate extra
bandwidth but provides more effective bandwidth management according to the application requirements and
network management policy.
17.1.1 QoS Terms
CoS: Class of Service, the classification information carried by Layer 2 802.1Q frames, taking 3 bits of the Tag
field in the frame header; it is called the user priority level and is in the range of 0 to 7.
Figure 17-1-1 CoS priority
ToS: Type of Service, a one-byte field carried in the Layer 3 IPv4 packet header to indicate the service type of
IP packets. The ToS field can carry an IP Precedence value or a DSCP value.
Figure 17-1-2 ToS priority
IP Precedence: IP priority. Classification information carried in the Layer 3 IP packet header, occupying 3 bits, in
the range of 0 to 7.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header,
occupying 6 bits, in the range of 0 to 63, and backward compatible with IP Precedence.
DSCP-inside: The switch-internal priority configuration, used to partition priority for the switch-internal data,
in the range of 0 to 63.
Classification: The entry action of QoS, classifying packet traffic according to the classification information
carried in the packet and ACLs.
Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
Remark: Ingress action of QoS that allows, degrades or discards packets according to the policing policies.
Queuing: Egress QoS action. Puts the packets into the appropriate egress queues according to the packet CoS
value.
Scheduling: QoS egress action. Configures the weight for the eight egress queues of WRR (Weighted Round
Robin).
In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called "In-Profile".
Out-of-Profile: Traffic outside the QoS policing policy range (bandwidth or burst value) is called "Out-of-Profile".
17.1.2 QoS Implementation
To implement the Chassis Switch software QoS, a general, mature reference model should be given. QoS
cannot create new bandwidth, but can make the best use of the current bandwidth resource through adjustment
and configuration. Fully implemented QoS can achieve complete management over the network traffic. The
following is as accurate a description of QoS as possible.
The data transfer specifications of IP cover only the addresses and services of source and destination, and
ensure correct packet transmission using OSI layer 4 or above protocols such as TCP. However, rather than
providing a mechanism for provisioning and protecting packet transmission bandwidth, IP provides bandwidth
service on a best-effort basis. This is acceptable for services like Mail and FTP, but for the increasing volume
of multimedia and e-business data transmission, this best-effort method cannot satisfy the bandwidth and
low-latency requirements.
Based on differentiated services, QoS specifies a priority for each packet at the ingress. The classification
information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header. QoS provides the
same service to packets of the same priority, while offering different treatment to packets of different priority.
A QoS-enabled switch or router can provide different bandwidth according to the packet classification
information, can remark the classification information according to the configured policing policies, and
may discard some low priority packets in case of bandwidth shortage.
If the devices of each hop in a network support differentiated services, an end-to-end QoS solution can be created.
QoS configuration is flexible; its complexity or simplicity depends on the network topology and devices and
on the analysis of incoming/outgoing traffic.
17.1.3 Basic QoS Model
The basic QoS consists of five parts: Classification, Policing, Remark, Queuing and Scheduling, where
classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS
egress actions.
Figure 17-1-3 Basic QoS Model
  Ingress: Classification (sort the packet traffic according to the classification info and ACLs, and
  convert the classification info to a DSCP value) -> Policing (decide whether the traffic is in-profile or
  out-of-profile according to the packet DSCP value and the policing policy) -> Remark (forward
  in-profile packets, degrade/discard out-of-profile packets)
  Egress: Queuing and scheduling (place packets into priority queues according to CoS value and
  service them according to the queue)
Classification: Classify traffic according to packet classification information and generate an internal DSCP
value based on the classification information. For different packet types and switch configurations,
classification is performed differently; the flowchart below explains this in detail.
Figure 17-1-4 Classification process
Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be
policed and remarked.
Policing can be performed based on the DSCP value to configure different policies that allocate bandwidth to
classified traffic. If the traffic exceeds the bandwidth set in the policy (out-of-profile), the out-of-profile traffic
can be allowed, discarded or remarked. Remarking uses a new DSCP value of lower priority to replace the
original higher-level DSCP value in the packet; this is also called Marking Down. The following flowchart
describes the operations during policing and remarking.
Figure 17-1-5 Policing and Remarking process (decision: check policing policy, is traffic in-profile?)
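The in-profile/out-of-profile decision made in the policing stage, and the conform/exceed/violate outcomes that the policy and mls qos aggregate-policy commands of 17.2 tie actions to, come down to token-bucket bookkeeping in one of three modes: single rate with one bucket, single rate with two buckets, and dual rate with two buckets. The Python below is an added example and not the switch's implementation or PLANET code; it implements the three modes (the two-bucket forms follow the standard single-rate and two-rate three-colour markers, RFC 2697 and RFC 2698, which this manual does not name), applies the drop / transmit / policed-dscp-transmit actions, and replays a constructed packet burst through a single-bucket policer with exceed-action drop in the spirit of Example 2 in 17.3. Rates are in bit/s and bucket sizes in bytes, which are the example's own units rather than a claim about the CLI's; the POLICED_DSCP mark-down table and the traffic sample are constructed for illustration.

```python
class Policer:
    """Colour-blind token-bucket policer in the three modes the 'policy' command selects.

    mode "sr1": single rate, single bucket  (CIR, CBS)           -> conform / exceed
    mode "sr2": single rate, dual bucket    (CIR, CBS, EBS)      -> conform / exceed / violate
    mode "tr2": dual rate, dual bucket      (CIR, CBS, PIR, PBS) -> conform / exceed / violate
    "sr2" follows the single-rate three-colour marker (RFC 2697), "tr2" the two-rate
    three-colour marker (RFC 2698). Rates in bit/s, bucket sizes in bytes (example's units).
    """

    def __init__(self, mode, cir_bps, cbs_bytes, ebs_bytes=0, pir_bps=0, pbs_bytes=0):
        if mode not in ("sr1", "sr2", "tr2"):
            raise ValueError(f"unknown policer mode {mode!r}")
        if mode == "tr2" and pir_bps < cir_bps:
            raise ValueError("PIR must not be below CIR")
        self.mode = mode
        self.cir, self.cbs, self.ebs = cir_bps, cbs_bytes, ebs_bytes
        self.pir, self.pbs = pir_bps, pbs_bytes
        # Buckets start full: committed (tc), excess (te) and peak (tp) token counts in bytes.
        self.tc, self.te, self.tp = float(cbs_bytes), float(ebs_bytes), float(pbs_bytes)
        self.last = 0.0

    def _refill(self, now):
        """Credit tokens earned since the last packet; sr2 spills CIR overflow into the E bucket."""
        dt = max(0.0, now - self.last)
        self.last = now
        fresh = dt * self.cir / 8  # bytes' worth of tokens earned at CIR
        if self.mode == "sr2":
            room = self.cbs - self.tc
            self.tc += min(fresh, room)
            self.te = min(self.ebs, self.te + max(0.0, fresh - room))
        else:
            self.tc = min(self.cbs, self.tc + fresh)
        if self.mode == "tr2":
            self.tp = min(self.pbs, self.tp + dt * self.pir / 8)

    def color(self, now, nbytes):
        """Classify one packet of nbytes arriving at time now (seconds)."""
        self._refill(now)
        if self.mode == "tr2":
            if self.tp < nbytes:
                return "violate"  # above the peak rate
            self.tp -= nbytes
            if self.tc < nbytes:
                return "exceed"  # between committed and peak rate
            self.tc -= nbytes
            return "conform"
        if self.tc >= nbytes:
            self.tc -= nbytes
            return "conform"
        if self.mode == "sr2" and self.te >= nbytes:
            self.te -= nbytes
            return "exceed"
        return "exceed" if self.mode == "sr1" else "violate"


# Constructed mark-down table standing in for the switch's policed-dscp map.
POLICED_DSCP = {46: 0, 34: 8, 26: 0}


def apply_policy(policer, actions, packets):
    """Run packets [(time_s, length_bytes, dscp), ...] through the policer and the per-colour
    actions ('transmit', 'drop' or 'policed-dscp-transmit'). Returns [(verdict, dscp_after), ...]."""
    out = []
    for when, length, dscp in packets:
        action = actions[policer.color(when, length)]
        if action == "drop":
            out.append(("drop", None))
        elif action == "transmit":
            out.append(("transmit", dscp))
        elif action == "policed-dscp-transmit":
            out.append(("transmit", POLICED_DSCP.get(dscp, dscp)))  # mark down, keep forwarding
        else:
            raise ValueError(f"unknown action {action!r}")
    return out


def example2_like():
    """Single-bucket policer with 'exceed-action drop' as in Example 2 of 17.3, but with a
    constructed 4000-byte burst so a handful of 1500-byte packets is enough to exhaust it."""
    pol = Policer("sr1", cir_bps=10_000_000, cbs_bytes=4000)
    burst = [(0.0, 1500, 46), (0.0, 1500, 46), (0.0, 1500, 46), (0.001, 1500, 46)]
    return apply_policy(pol, {"conform": "transmit", "exceed": "drop"}, burst)
```

In example2_like the first two packets drain the 4000-byte bucket, the third arrives with only 1000 bytes of credit and is dropped, and the fourth conforms again because one millisecond at 10 Mbit/s has restored 1250 bytes. The dual-bucket modes are where "exceed" and "violate" diverge: with policed-dscp-transmit on exceed and drop on violate, a short overshoot is marked down rather than lost, which is the Marking Down behaviour described above.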
Queuing and scheduling: Packets at the egress have their internal DSCP value re-mapped to a CoS value; the
queuing operation assigns packets to the appropriate priority queues according to the CoS value, while the
scheduling operation performs packet forwarding according to the prioritized queue weight. The following
flowchart describes the operations during queuing and scheduling.
Figure 17-1-6 Queuing and Scheduling process
17.2 QoS Configuration Task List
1. Enable QoS
QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global
Mode to configure the other QoS commands.
2. Configure class map.
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to classify
the data stream. Different classes of data streams will be processed with different policies.
3. Configure a policy map.
After data stream classification, a policy map can be created to associate with the class map created
earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading or assigning
a new DSCP value) can be applied to different data streams. You can also define a policy set that can be
used in a policy map by several classes.
4. Apply QoS to the ports
Configure the trust mode for ports or bind policies to ports. A policy will only take effect on a port when it is
bound to that port.
5. Configure queue out method and weight
Configure queue out to PQ or WRR, set the bandwidth proportion of the 8 egress queues and the mapping
from internal priority to egress queue.
6. Configure QoS mapping
Configure the mapping from CoS to DSCP, DSCP to CoS, DSCP to DSCP mutation, IP precedence to
DSCP, and policed DSCP.
1. Enable QoS
Command / Explanation
Global Mode
mls qos
no mls qos
    Enable/disable the QoS function.
2. Configure class map.
Command / Explanation
Global Mode
class-map <class-map-name>
no class-map <class-map-name>
    Create a class map and enter class map mode; the "no class-map <class-map-name>" command deletes
    the specified class map.
match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> |
  ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list> | ipv6 flowlabel <flowlabel-list> |
  vlan <vlan-list> | cos <cos-list>}
no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel |
  vlan | cos}
    Set a matching criterion (classify the data stream by ACL, CoS, VLAN ID, IPv4 Precedence, IPv6 FL or
    DSCP, etc.) for the class map; the no command deletes the specified matching criterion.
3. Configure a policy map
Command / Explanation
Global Mode
policy-map <policy-map-name>
no policy-map <policy-map-name>
    Create a policy map and enter policy map mode; the "no policy-map <policy-map-name>" command
    deletes the specified policy map.
class <class-map-name>
no class <class-map-name>
    After a policy map is created, it can be associated with a class. Different policies or a new DSCP
    value can be applied to different data streams in class mode; the "no class <class-map-name>"
    command deletes the specified class.
set {ip dscp <new-dscp> | ip precedence <new-precedence> | ipv6 dscp <new-dscp> |
  ipv6 flowlabel <new-flowlabel> | ip nexthop <ip-address> | cos <new-cos>}
no set {ip dscp <new-dscp> | ip precedence <new-precedence> | ipv6 dscp <new-dscp> |
  ipv6 flowlabel <new-flowlabel> | ip nexthop <ip-address> | cos}
    Assign a new DSCP, CoS or IP Precedence value to the classified traffic; the no command cancels
    the newly assigned value.
policy <bits_per_second> <normal_burst_bytes> ({conform-action (drop | set-dscp-transmit <dscp_value> |
  set-prec-transmit <ip_precedence_value> | transmit) | exceed-action (drop | policed-dscp-transmit |
  transmit)} | )
no policy <bits_per_second> <normal_burst_bytes> ({conform-action (drop | set-dscp-transmit <dscp_value> |
  set-prec-transmit <ip_precedence_value> | transmit) | exceed-action (drop | policed-dscp-transmit |
  transmit)} | )
policy <bits_per_second> <normal_burst_bytes> (pir <peak_rate_bps> | ) <maximum_burst_bytes>
  ({conform-action (drop | set-dscp-transmit <dscp_value> | set-prec-transmit <ip_precedence_value> |
  transmit) exceed-action (drop | policed-dscp-transmit | transmit) | violate-action (drop |
  policed-dscp-transmit | transmit)} | )
no policy <bits_per_second> <normal_burst_bytes> (pir <peak_rate_bps> | ) <maximum_burst_bytes>
  ({conform-action (drop | set-dscp-transmit <dscp_value> | set-prec-transmit <ip_precedence_value> |
  transmit) exceed-action (drop | policed-dscp-transmit | transmit) | violate-action (drop |
  policed-dscp-transmit | transmit)} | )
    The non-aggregation policer command, supporting three colors. Whether the working mode of the token
    bucket is single rate single bucket, single rate dual bucket or dual rate dual bucket is determined by
    analyzing the command parameters. The no command deletes the mode configuration.
mls qos aggregate-policy <policer_name> <bits_per_second> <normal_burst_bytes> ({conform-action (drop |
  set-dscp-transmit <dscp_value> | set-prec-transmit <ip_precedence_value> | transmit) | exceed-action
  (drop | policed-dscp-transmit | transmit)} | )
mls qos aggregate-policy <policer_name> <bits_per_second> <normal_burst_bytes> (pir <peak_rate_bps> | )
  <maximum_burst_bytes> ({conform-action (drop | set-dscp-transmit <dscp_value> | set-prec-transmit
  <ip_precedence_value> | transmit) exceed-action (drop | policed-dscp-transmit | transmit) |
  violate-action (drop | policed-dscp-transmit | transmit)} | )
no mls qos aggregate-policy
    Analyze the working mode of the token bucket, whether it is single rate single bucket, single rate
    dual bucket or dual rate dual bucket. This policy can be used by more than one policy class in one
    policy map. The no operation deletes the mode configuration.
policy aggregate <aggregate-policy-name>
no policy aggregate <aggregate-policy-name>
    Apply a policy set to classified traffic; the "no policy aggregate <aggregate-policy-name>" command
    deletes the specified policy set.
4. Apply QoS to port or VLAN interface
Command / Explanation
Interface Configuration Mode
mls qos trust [cos [pass-through-dscp] [pass-through-cos] | dscp [pass-through-cos] [pass-through-dscp] |
  ip-precedence [pass-through-cos] [pass-through-dscp] | port priority <cos> [pass-through-cos]
  [pass-through-dscp]]
no mls qos trust
    Configure port trust; the "no mls qos trust" command disables the current trust status of the port.
mls qos cos {<default-cos>}
no mls qos cos
    Configure the default CoS value of the port; the "no mls qos cos" command restores the default setting.
mls qos dscp-mutation <dscp-mutation-name>
no mls qos dscp-mutation <dscp-mutation-name>
    Apply a DSCP transform mapping to the specified port; the no command resumes the default value of the
    DSCP transform mapping.
service-policy input <policy-map-name>
no service-policy input <policy-map-name>
    Apply a policy map to the specified port or VLAN interface; the no command deletes the specified policy
    map applied to the port or VLAN interface. Egress policy maps are not supported yet.
5. Configure queue out method and weight
Command / Explanation
Interface Configuration Mode
wrr-queue bandwidth <weight1 weight2 weight3 weight4 weight5 weight6 weight7 weight8>
no wrr-queue bandwidth
    Set the WRR weight for the specified egress queues; the no command restores the default setting.
priority-queue out
no priority-queue out
    Configure the queue out method to PQ; the no command restores the default WRR queue out method.
Global Mode
wrr-queue cos-map <queue-id> <cos1 ... cos8>
no wrr-queue cos-map
    Set the CoS value mapping to the specified egress queue; the no command restores the default setting.
6. Configure QoS mapping
Command / Explanation
Global Mode
mls qos map (cos-dscp <dscp1...dscp8> | dscp-cos <dscp-list> to <cos> | dscp-mutation
  <dscp-mutation-name> <in-dscp> to <out-dscp> | ip-prec-dscp <dscp1...dscp8> |
  policed-dscp (normal-burst | max-burst) <dscp-list> to <mark-down-dscp>)
no mls qos map (cos-dscp | dscp-cos | dscp-mutation <dscp-mutation-name> | ip-prec-dscp |
  policed-dscp (normal-burst | max-burst))
    Supports the configuration of all actions in dual rate dual bucket mode. Sets the class of service
    (CoS)-to-Differentiated Services Code Point (DSCP) mapping, DSCP to CoS mapping, DSCP to DSCP
    mutation mapping, IP precedence to DSCP mapping and policed DSCP mapping; exceed-action and
    violate-action use different policed-dscp map tables. The no command restores the default mapping.
7. Apply QoS to queue of egress port
Command / Explanation
Interface Mode
queue-bandwidth <queue-id> <min_kbits_per_second> <max_kbits_per_second>
no queue-bandwidth <queue-id>
    Configure the bandwidth pledge function of the egress queue; the no command deletes the bandwidth
    configuration of the queue.
17.3 QoS Example
Example 1:
Enable the QoS function, change the queue out weight of port ethernet 1/1 to 1:1:2:2:4:4:8:8, set the port to
trust CoS mode without changing the DSCP value, and set the default CoS value of the port to 5.
The configuration steps are listed below:
XGS3-42000R#config
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#wrr-queue bandwidth 1:1:2:2:4:4:8:8
XGS3-42000R(config-If-Ethernet1/1)#mls qos trust cos pass-through-dscp
XGS3-42000R(config-If-Ethernet1/1)#mls qos cos 5
Configuration result:
With QoS enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 1/1 is
1:1:2:2:4:4:8:8. When packets carrying a CoS value come in through port ethernet 1/1, they are mapped to the
egress queue according to the CoS value: CoS values 0 to 7 correspond to egress queues 1, 2, 3, 4, 5, 6, 7 and 8,
respectively. If an incoming packet has no CoS value, it defaults to 5 and is put in queue 6. No passing packet
has its DSCP value changed.
Example 2:
On port ethernet 1/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s with a burst value of
4 MB; all packets exceeding this bandwidth setting will be dropped.
The configuration steps are listed below:
XGS3-42000R#config
XGS3-42000R(config)#access-list 1 permit 192.168.1.0 0.0.0.255
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#class-map c1
XGS3-42000R(config-ClassMap-c1)#match access-group 1
XGS3-42000R(config-ClassMap-c1)#exit
XGS3-42000R(config)#policy-map p1
XGS3-42000R(config-PolicyMap-p1)#class c1
XGS3-42000R(config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop
XGS3-42000R(config-PolicyMap-p1-Class-c1)#exit
XGS3-42000R(config-PolicyMap-p1)#exit
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#service-policy input p1
Configuration result:
ACL 1 is set to match segment 192.168.1.0. QoS is enabled globally, a class map named c1 is created
matching ACL 1, and a policy map named p1 referring to c1 is created with the policies that limit bandwidth
and burst value. This policy map is applied on port ethernet 1/2. After the above settings are done, the
bandwidth for packets from segment 192.168.1.0 through port ethernet 1/2 is set to 10 Mb/s with a burst
value of 4 MB, and all packets from that segment exceeding this bandwidth setting will be dropped.
Example 3:
Figure 17-3-1 Typical QoS topology (QoS area containing Switch1, Switch2, Switch3 and a Server; the switches are connected by a trunk)
As shown in the figure, the block is a QoS domain. Switch1 classifies different traffic and assigns
different IP precedences. For example, set the CoS precedence for packets from segment 192.168.1.0 to 5 on
port ethernet 1/1. The port connecting to Switch2 is a trunk port. In Switch2, set port ethernet 1/1, which
connects to Switch1, to trust CoS precedence. Thus inside the QoS domain, packets of different priorities will
go to different queues and get different bandwidth.
The configuration steps are listed below:
QoS configuration in SwitchA:
XGS3-42000R#config
XGS3-42000R(config)#access-list 1 permit 192.168.1.0 0.0.0.255
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#class-map c1
XGS3-42000R(config-ClassMap-c1)#match access-group 1
XGS3-42000R(config-ClassMap-c1)#exit
XGS3-42000R(config)#policy-map p1
XGS3-42000R(config-PolicyMap-p1)#class c1
XGS3-42000R(config-PolicyMap-p1-Class-c1)#set ip precedence 5
XGS3-42000R(config-PolicyMap-p1-Class-c1)#exit
XGS3-42000R(config-PolicyMap-p1)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#service-policy input p1
QoS configuration in Switch2:
XGS3-42000R#config
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#mls qos trust ip-precedence pass-through-qos
17.4 QoS Troubleshooting
 QoS is disabled on Chassis Switch ports by default; 8 sending queues are set by default, queue 1
forwards normal packets, and the other queues are used for certain important control packets (such as BPDUs).
 When QoS is enabled in Global Mode, QoS is enabled on all ports with 8 traffic queues. The default
CoS value of the port is 0; the port is in the not-trusted state by default; the default queue weight values are
1, 2, 3, 4, 5, 6, 7, 8 in order; and all QoS maps use their default values.
 CoS value 7 maps to queue 8, which has the highest priority and is usually reserved for certain protocol
packets. It is not recommended for the user to change the mapping between CoS 7 and queue 8, or to set
the default port CoS value to 7.
 A policy map can only be bound in the ingress direction; egress is not supported yet.
Chapter 18 PBR Configuration
18.1 Introduction to PBR
PBR (Policy-Based Routing) is a method that determines the next hop of data packets by policy criteria such as source address, destination address, IP priority, TOS value, IP protocol, source port number, destination port number, etc.
18.2 PBR Configuration
The PBR configuration task list is as follows:
Enable the PBR function
The PBR function is enabled or disabled automatically when the QoS function is turned on or off in global mode.
Configure a class-map
Establish a class rule so that different policies can be applied to different kinds of data streams thereafter.
Configure a policy-map
A policy-map can be established after the data streams are classified. Assign each stream to a previously created class-map and then enter the policy class-map mode. In this way different data streams can be assigned different next-hop IP addresses, and the policy can then be applied to a port.
A policy will not take effect until it is bound to a specified port.
18.3 PBR Examples
Example 1:
On port ethernet 1/1, apply policy-based routing to packets from the 192.168.1.0/24 segment and set the next hop to 218.31.1.119; meanwhile the local network of this site is 192.168.0.0/16. To ensure normal communication within the local network, packets from 192.168.1.0/24 to the local range 192.168.0.0/16 are not subject to policy routing.
The configuration procedure is as follows:
XGS3-42000R#config
XGS3-42000R(config)#access-list ip extended a1
XGS3-42000R(config-IP-Ext-Nacl-a1)#permit ip 192.168.1.0 0.0.0.255 any-destination
XGS3-42000R(config-IP-Ext-Nacl-a1)#deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
XGS3-42000R(config-IP-Ext-Nacl-a1)#exit
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#class-map c1
XGS3-42000R(config-ClassMap-c1)#match access-group a1
XGS3-42000R(config-ClassMap-c1)#exit
XGS3-42000R(config)#policy-map p1
XGS3-42000R(config-PolicyMap-p1)#class c1
XGS3-42000R(config-PolicyMap-p1-Class-c1)#set ip nexthop 218.31.1.119
XGS3-42000R(config-PolicyMap-p1-Class-c1)#exit
XGS3-42000R(config-PolicyMap-p1)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#service-policy input p1
Configuration results:
First set an ACL a1 with two entries. The first entry matches source IP segment 192.168.1.0/24 (permit). The second entry matches source IP segment 192.168.1.0/24 with destination IP segment 192.168.0.0/16 (deny). Turn on the QoS function in global mode, create a class-map c1 that matches ACL a1, and create a policy-map that references c1. Set the next-hop IP to 218.31.1.119 and apply the policy-map on port ethernet 1/1. After that, all packets received on port ethernet 1/1 from segment 192.168.1.0/24 will be forwarded through 218.31.1.119, except those destined to the 192.168.0.0/16 segment, which are still forwarded by normal L3 routing.
Chapter 19 IPv6 PBR Configuration
19.1 Introduction to PBR (Policy-Based Routing)
Policy-based routing gives network managers more powerful control over the forwarding and storage of packets than traditional routing protocols. Traditionally, routers use the routing table derived from the routing protocol and forward according to destination addresses. The policy-based router is more powerful and more flexible than the traditional one, because it enables network managers to choose the forwarding route not only according to destination addresses but also according to the size of packets or the source IP addresses. A policy can be defined according to the load balance across multiple routers or according to the quality of service (QoS) of the total flow forwarded on each line.
PBR (Policy-Based Routing) is a method which specifies the next hop by policy when forwarding a data packet, according to the source address, destination address, IP priority, TOS value, IP protocol, source port, destination port and other information of the IP packet.
19.2 PBR Configuration Task Sequence
1. Enable PBR function
2. Configure a class-map
3. Set the match standard in the class-map
4. Configure a policy-map
5. Configure to correlate a policy and a class-map
6. Configure the next hop IPv6 address
7. Configure the port binding policy map
1. Enable PBR function
Mode: Global Configuration Mode
Command: mls qos
         no mls qos
Explanation: Globally enable or disable the PBR function.
2. Configure a class-map
Mode: Global Configuration Mode
Command: class-map <class-map-name>
         no class-map <class-map-name>
Explanation: Create or delete a class-map.
3. Set the match standard in the class-map
Mode: Class-map Mode
Command: match ipv6 {access-group <acl-index-or-name>}
         no match ipv6 {access-group}
Explanation: Set the match standard in the class-map.
4. Configure a policy-map
Mode: Global Configuration Mode
Command: policy-map <policy-map-name>
         no policy-map <policy-map-name>
Explanation: Create or delete a policy-map.
5. Configure to correlate a policy and a class-map
Mode: Policy-map Mode
Command: class <class-map-name>
         no class <class-map-name>
Explanation: Correlate with a class, and enter the policy-map mode.
6. Configure the next hop IPv6 address
Mode: Policy-class-map Mode
Command: set {ipv6 nexthop <nexthop-ip>}
         no set {ipv6 nexthop}
Explanation: Set the next hop IPv6 address of the classified flow.
7. Configure the port binding policy-map
Mode: Port Configuration Mode
Command: service-policy {input <policy-map-name> | output <policy-map-name>}
         no service-policy {input <policy-map-name> | output <policy-map-name>}
Explanation: Configuring the trust state of a port is mutually exclusive with applying a policy-map on the port. After the trust state of a port has been configured or a policy-map applied, if this port needs a new trust state or a new policy-map, delete the old configuration first. There can be only one policy-map in each direction of a port. The output policy-map is not supported at present.
19.3 PBR Examples
Example 1:
On port ethernet 1/1, set the messages whose source IP is within the segment 2000::/64 to be policy routed, with next hop 3100::2.
The following are the configuration steps:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000::1/64
XGS3-42000R(config-if-Vlan1)#ipv6 neighbor 2000::2 00-00-00-00-00-01 interface Ethernet 1/1
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 3000::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 neighbor 3000::2 00-00-00-00-00-02 interface Ethernet 1/2
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ipv6 address 3100::1/64
XGS3-42000R(config-if-Vlan3)#ipv6 neighbor 3100::2 00-00-00-00-00-03 interface Ethernet 1/5
XGS3-42000R(config)#ipv6 access-list extended b1
XGS3-42000R(config-IPv6-Ext-Nacl-b1)#permit tcp 2000::/64 any-destination
XGS3-42000R(config-IPv6-Ext-Nacl-b1)#exit
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#class-map c1
XGS3-42000R(config-ClassMap)#match ipv6 access-group b1
XGS3-42000R(config-ClassMap)#exit
XGS3-42000R(config)#policy-map p1
XGS3-42000R(config-PolicyMap)#class c1
XGS3-42000R(config-Policy-Class)#set ipv6 nexthop 3100::2
XGS3-42000R(config-Policy-Class)#exit
XGS3-42000R(config-PolicyMap)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-Ethernet1/1)#service-policy input p1
Configuration result:
First, set an ACL containing one entry, named b1, matching source IP segment 2000::/64 (permit). Globally enable the QoS function, create a class-map c1, and match ACL b1 in the class-map. Create a policy-map p1 referencing c1, and set the next hop to 3100::2. Apply this policy-map on port ethernet 1/1. After that, the messages whose source IP is within the segment 2000::/64 received on port ethernet 1/1 will be forwarded through 3100::2.
19.4 PBR Troubleshooting Help
 At present, a policy-map can only be bound to an input port, not an output port.
 Since hardware resources are limited, if the policy is too complicated to configure, the user will be notified with the relevant information.
Chapter 20 Flow-based Redirection
20.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the Chassis Switch to transmit the data frames meeting some special condition (specified by an ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection. Usually there are two kinds of application of flow-based redirection: 1. connecting a protocol analyzer (for example, Sniffer) or an RMON monitor to the destination port of redirection, to monitor and manage the network and diagnose problems in the network; 2. a special transmission policy for a special type of data frames.
The Chassis Switch can only designate a single destination port of redirection for a given class of flow within a source port of redirection, while it can designate different destination ports of redirection for different classes of flow within a source port of redirection. The same class of flow can be applied to different source ports.
20.2 Flow-based Redirection Configuration Task Sequence
1. Flow-based redirection configuration
2. Check the current flow-based redirection configuration
1. Flow-based redirection configuration
Mode: Physical Interface Configuration Mode
Command: access-group <aclname> redirect to interface [ethernet <IFNAME>|<IFNAME>]
         no access-group <aclname> redirect
Explanation: Specify flow-based redirection for the port; the "no access-group <aclname> redirect" command is used to delete flow-based redirection.
2. Check the current flow-based redirection configuration
Mode: Global Mode/Admin Mode
Command: show flow-based-redirect {interface [ethernet <IFNAME> |<IFNAME>]}
Explanation: Display the information of the current flow-based redirection in the system/port.
20.3 Flow-based Redirection Examples
Example:
The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received from port 1 out through port 6.
Modification of configuration:
1: Set an ACL; the condition to be matched is: source IP is 192.168.1.111;
2: Apply the redirection based on this flow to port 1.
The following is the configuration procedure:
XGS3-42000R(config)#access-list 1 permit host 192.168.1.111
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#access-group 1 redirect to interface ethernet 1/6
20.4 Flow-based Redirection Troubleshooting Help
When the configuration of flow-based redirection fails, please check whether one of the following reasons is causing the problem:
 The type of flow (ACL) can only be a numbered standard IP ACL, numbered extended IP ACL, named standard IP ACL, named extended IP ACL, numbered standard IPv6 ACL, or named standard IPv6 ACL;
 Time-range and port-range parameters cannot be set in the ACL, and the ACL action should be permit.
 The redirection port must be a 1000Mb port in the flow-based redirection function.
Chapter 21 Layer 3 Forward Configuration
The Chassis Switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result. If the IP packet is destined to another subnet reachable from this Chassis Switch, the packet is forwarded to the appropriate interface. The Chassis Switch can forward IP packets in hardware; the forwarding chip of the Chassis Switch has a host route table and a default route table. The host route table stores host routes to hosts connected directly to the Chassis Switch; the default route table stores network routes (after the aggregation algorithm has been applied).
If the route (either host route or network route) for forwarding unicast traffic exists in the forwarding chip, the forwarding of traffic is completely handled by hardware. As a result, forwarding efficiency can be greatly improved, even to wire speed.
21.1 Layer 3 Interface
21.1.1 Introduction to Layer 3 Interface
A Layer 3 interface can be created on the Chassis Switch. The Layer 3 interface is not a physical interface but a virtual interface. A Layer 3 interface is built on a VLAN. The Layer 3 interface can contain one or more Layer 2 ports which belong to the same VLAN, or contain no Layer 2 ports. At least one of the Layer 2 ports contained in the Layer 3 interface should be in the UP state for the Layer 3 interface to be in the UP state; otherwise, the Layer 3 interface will be in the DOWN state. All Layer 3 interfaces in the Chassis Switch use the same MAC address by default; this address is selected from the reserved MAC addresses when the Layer 3 interface is created. The Layer 3 interface is the base for Layer 3 protocols. The Chassis Switch can use the IP addresses set on the Layer 3 interfaces to communicate with other devices via IP. The Chassis Switch can forward IP packets between different Layer 3 interfaces. The Loopback interface belongs to the Layer 3 interfaces.
21.1.2 Layer 3 Interface Configuration Task List
Layer 3 Interface Configuration Task List:
1. Create Layer 3 interface
2. Bandwidth for Layer 3 interface configuration
3. Open or close the VLAN interface
1. Create Layer 3 Interface
Mode: Global Mode
Command: interface vlan <vlan-id>
         no interface vlan <vlan-id>
Explanation: Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the Chassis Switch.
Command: interface loopback <loopback-id>
         no interface loopback <loopback-id>
Explanation: Creates a Loopback interface and enters Loopback Port Mode; the no command deletes the Loopback interface created in the Chassis Switch.
2. Bandwidth for Layer 3 Interface configuration
Mode: VLAN Interface Mode
Command: bandwidth <bandwidth>
         no bandwidth
Explanation: Configure the bandwidth for the Layer 3 interface. The no command restores the default value.
3. Open or close the VLAN interface
Mode: VLAN Interface Mode
Command: shutdown
         no shutdown
Explanation: shutdown closes the VLAN interface; no shutdown opens it.
21.2 IP Configuration
21.2.1 Introduction to IPv4, IPv6
IPv4 is the current version of the globally universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, robust and easy to implement, while collaborating well with various protocols of the upper and lower layers. Although IPv4 has hardly changed since it was established in the 1980s, it has kept growing to the current global scale with the spread of the Internet. However, as Internet infrastructure and Internet application services continue to expand, IPv4 has shown its deficiencies when facing the present scale and complexity of the Internet.
IPv6 refers to the sixth version of the Internet protocol, which is the next generation Internet protocol designed by the IETF to replace the current Internet protocol version 4 (IPv4). IPv6 was specially developed to make up for the shortage of IPv4 addresses so that the Internet can develop further.
The most important problem IPv6 has solved is to increase the amount of IP addresses. IPv4 addresses have nearly run out, whereas the number of Internet users has been increasing geometrically. With the great and continuous growth of Internet services and application devices that require IP addresses (home and small office networks, IP phones and wireless service information terminals which make use of the Internet), the supply of IP addresses has become more and more tight. People have been working on the problem of the shortage of IPv4 addresses for a long time by introducing various technologies to prolong the lifespan of the existing IPv4 infrastructure, including Network Address Translation (NAT for short) and Classless Inter-Domain Routing (CIDR for short), etc.
Although the combination of CIDR, NAT and private addressing has temporarily mitigated the problem of IPv4 address space shortage, NAT technology has disrupted the end-to-end model which was the original intention of IP design, by making it necessary for router devices that serve as network intermediate nodes to maintain the state of every connection, which increases network delay greatly and decreases network performance. Moreover, the translation of network data packet addresses defeats end-to-end network security checks; the IPsec authentication header is such an example.
Therefore, in order to solve all kinds of problems existing in IPv4 comprehensively, the next generation Internet Protocol IPv6 designed by the IETF has become the only feasible solution at present.
First of all, the 128-bit addressing scheme of the IPv6 protocol can guarantee enough globally unique IP addresses for global IP network nodes for the foreseeable future. Moreover, besides increasing the address space, IPv6 also enhanced many other essential designs of IPv4.
The hierarchical addressing scheme facilitates route aggregation, effectively reduces route table entries and enhances the efficiency and scalability of routing and data packet processing.
The header design of IPv6 is more efficient compared with IPv4. It has fewer data fields and removes the header checksum, thus speeding up the processing of the basic IPv6 header. In the IPv6 header, the fragment field appears as an optional extension header, so that data packet fragmentation is not done in the router forwarding process, and the Path MTU Discovery mechanism collaborates with the data packet source, which enhances the processing efficiency of the router.
Automatic address configuration and plug-and-play are supported. Large numbers of hosts can find network routers easily through the automatic address configuration function of IPv6 while obtaining a globally unique IPv6 address automatically as well, which makes devices using the IPv6 Internet plug-and-play. The automatic address configuration function also makes the readdressing of an existing network easier and more convenient, and it is more convenient for network operators to manage the transition from one provider to another.
IPsec is supported. IPsec is optional in IPv4, but required in the IPv6 protocol. IPv6 provides security extension headers, which provide end-to-end security services such as access control, confidentiality and data integrity, consequently making the implementation of encryption, authentication and Virtual Private Networks easier.
Enhanced support for Mobile IP and mobile computing devices. The Mobile IP protocol defined in the IETF standard lets mobile devices move without cutting the existing connection, which is a network function getting more and more important. Unlike IPv4, the mobility of IPv6 uses embedded automatic configuration to get the transmission address (Care-of Address); therefore it does not need a Foreign Agent. Furthermore, this kind of binding process enables the Correspondent Node to communicate with the Mobile Node directly, thereby avoiding the extra system cost caused by the triangle routing required in IPv4.
Avoids the use of Network Address Translation. The purpose of the introduction of the NAT mechanism is to share and reuse the same address space among different network segments. This mechanism mitigates the problem of the shortage of IPv4 addresses temporarily; meanwhile it adds the burden of the address translation process to network devices and applications. Since the address space of IPv6 has increased greatly, address translation becomes unnecessary, thus the problems and system cost caused by NAT deployment are solved naturally.
Supports extensively deployed routing protocols. IPv6 has kept and extended the support for existing Interior Gateway Protocols (IGP for short) and Exterior Gateway Protocols (EGP for short), for example IPv6 routing protocols such as RIPng, OSPFv3, IS-ISv6 and MBGP4+, etc.
Multicast addresses are increased and the support for multicast is enhanced. By taking over IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in terms of function. Multicast not only saves network bandwidth, but enhances network efficiency as well.
21.2.2 IP Configuration
A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.
21.2.2.1 IPv4 Address Configuration
IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
1. Configure the IPv4 address of the Layer 3 interface
Mode: VLAN Interface Configuration Mode
Command: ip address <ip-address> <mask> [secondary]
         no ip address [<ip-address> <mask>]
Explanation: Configure the IP address of the VLAN interface; the no ip address [<ip-address> <mask>] command cancels the IP address of the VLAN interface.
21.2.2.2 IPv6 Address Configuration
The configuration task list of IPv6 is as follows:
1. IPv6 basic configuration
(1) Globally enable IPv6
(2) Configure interface IPv6 address
(3) Configure IPv6 static routing
2. IPv6 Neighbor Discovery configuration
(1) Configure DAD neighbor solicitation message number
(2) Configure send neighbor solicitation message interval
(3) Enable and disable router advertisement
(4) Configure router lifespan
(5) Configure router advertisement minimum interval
(6) Configure router advertisement maximum interval
(7) Configure prefix advertisement parameters
(8) Configure static IPv6 neighbor entries
(9) Delete all entries in IPv6 neighbor table
(10) Set the hoplimit of sending router advertisement
(11) Set the mtu of sending router advertisement
(12) Set the reachable-time of sending router advertisement
(13) Set the retrans-timer of sending router advertisement
(14) Set the flag representing whether information other than the address information will be obtained via DHCPv6
(15) Set the flag representing whether the address information will be obtained via DHCPv6
3. IPv6 tunnel configuration
(1) Create/Delete tunnel
(2) Configure tunnel description
(3) Configure tunnel source
(4) Configure tunnel destination
(5) Configure tunnel next-hop
(6) Configure tunnel mode
(7) Configure tunnel routing
1. IPv6 Basic Configuration
(1) Globally enable IPv6
Mode: Global mode
Command: ipv6 enable
         no ipv6 enable
Explanation: Enable functions such as IPv6 data packet transmission, neighbor discovery, router advertisement, routing protocol, etc. The no command disables the IPv6 function.
(2) Configure interface IPv6 address
Mode: Interface Configuration Mode
Command: ipv6 address <ipv6-address/prefix-length> [eui-64]
         no ipv6 address <ipv6-address/prefix-length>
Explanation: Configure an IPv6 address, including aggregatable global unicast addresses, site-local addresses and link-local addresses. The no ipv6 address <ipv6-address/prefix-length> command cancels the IPv6 address.
(3) Set IPv6 static routing
Mode: Global mode
Command: ipv6 route <ipv6-prefix/prefix-length> {<nexthop-ipv6-address> | <interface-type interface-number> | {<nexthop-ipv6-address> <interface-type interface-number>}} [distance]
         no ipv6 route <ipv6-prefix/prefix-length> {<nexthop-ipv6-address> | <interface-type interface-number> | {<nexthop-ipv6-address> <interface-type interface-number>}} [distance]
Explanation: Configure IPv6 static routing. The no ipv6 route command cancels the IPv6 static route.
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD neighbor solicitation message number
Mode: Interface Configuration Mode
Command: ipv6 nd dad attempts <value>
         no ipv6 nd dad attempts <value>
Explanation: Set the number of neighbor solicitation messages sent in sequence when the interface performs duplicate address detection. The no command restores the default value (1).
(2) Configure send neighbor solicitation message interval
Mode: Interface Configuration Mode
Command: ipv6 nd ns-interval <seconds>
         no ipv6 nd ns-interval <seconds>
Explanation: Set the interval at which the interface sends neighbor solicitation messages. The no command restores the default value (1 second).
(3) Enable and disable router advertisement
Mode: Interface Configuration Mode
Command: ipv6 nd suppress-ra
         no ipv6 nd suppress-ra
Explanation: Suppress IPv6 router advertisement. The no command enables IPv6 router advertisement.
(4) Configure router lifespan
Mode: Interface Configuration Mode
Command: ipv6 nd ra-lifetime <seconds>
         no ipv6 nd ra-lifetime <seconds>
Explanation: Configure the router advertisement lifespan. The no command restores the default value (1800 seconds).
(5) Configure router advertisement minimum interval
Mode: Interface Configuration Mode
Command: ipv6 nd min-ra-interval <seconds>
         no ipv6 nd min-ra-interval <seconds>
Explanation: Configure the minimum interval for router advertisement. The no command restores the default value (200 seconds).
(6) Configure router advertisement maximum interval
Mode: Interface Configuration Mode
Command: ipv6 nd max-ra-interval <seconds>
         no ipv6 nd max-ra-interval <seconds>
Explanation: Configure the maximum interval for router advertisement. The no command restores the default value (600 seconds).
(7) Configure prefix advertisement parameters
Mode: Interface Configuration Mode
Command: ipv6 nd prefix <ipv6-address/prefix-length> <valid-lifetime> <preferred-lifetime> [off-link] [no-autoconfig]
         no ipv6 nd prefix <ipv6-address/prefix-length> <valid-lifetime> <preferred-lifetime> [off-link] [no-autoconfig]
Explanation: Configure the address prefix and advertisement parameters of the router. The no command cancels the address prefix of router advertisement.
(8) Configure static IPv6 neighbor entries
Mode: Interface Configuration Mode
Command: ipv6 neighbor <ipv6-address> <hardware-address> interface <interface-type interface-number>
         no ipv6 neighbor <ipv6-address>
Explanation: Set static neighbor table entries, including neighbor IPv6 address, MAC address and Layer 2 port. The no command deletes the neighbor table entry.
(9) Delete all entries in IPv6 neighbor table
Mode: Admin Mode
Command: clear ipv6 neighbors
Explanation: Clear all static neighbor table entries.
(10) Set the hoplimit of sending router advertisement
Mode: Interface Configuration Mode
Command: ipv6 nd ra-hoplimit <value>
Explanation: Set the hoplimit of sending router advertisement.
(11) Set the mtu of sending router advertisement
Mode: Interface Configuration Mode
Command: ipv6 nd ra-mtu <value>
Explanation: Set the mtu of sending router advertisement.
(12) Set the reachable-time of sending router advertisement
Mode: Interface Configuration Mode
Command: ipv6 nd reachable-time <seconds>
Explanation: Set the reachable-time of sending router advertisement.
(13) Set the retrans-timer of sending router advertisement
Mode: Interface Configuration Mode
Command: ipv6 nd retrans-timer <seconds>
Explanation: Set the retrans-timer of sending router advertisement.
(14) Set the flag representing whether information other than the address information will be obtained via DHCPv6
Mode: Interface Configuration Mode
Command: ipv6 nd other-config-flag
Explanation: Set the flag representing whether information other than the address information will be obtained via DHCPv6.
(15) Set the flag representing whether the address information will be obtained via DHCPv6
Mode: Interface Configuration Mode
Command: ipv6 nd managed-config-flag
Explanation: Set the flag representing whether the address information will be obtained via DHCPv6.
3. IPv6 Tunnel Configuration
(1) Add/Delete tunnel
Mode: Global mode
Command: interface tunnel <tnl-id>
         no interface tunnel <tnl-id>
Explanation: Create a tunnel. The no command deletes a tunnel.
(2) Configure tunnel description
Mode: Tunnel Configuration Mode
Command: description <desc>
         no description <desc>
Explanation: Configure the tunnel description. The no command deletes the tunnel description.
(3) Configure tunnel source
Mode: Tunnel Configuration Mode
Command: tunnel source {<ipv4-address> | <interface-name>}
         no tunnel source {<ipv4-address> | <interface-name>}
Explanation: Configure the tunnel source end IPv4 address. The no command deletes the IPv4 address of the tunnel source end.
(4) Configure tunnel destination
Mode: Tunnel Configuration Mode
Command: tunnel destination <ipv4-address>
         no tunnel destination <ipv4-address>
Explanation: Configure the tunnel destination end IPv4 address. The no command deletes the IPv4 address of the tunnel destination end.
(5) Configure tunnel next-hop
Mode: Tunnel Configuration Mode
Command: tunnel nexthop <ipv4-address>
         no tunnel nexthop <ipv4-address>
Explanation: Configure the tunnel next-hop IPv4 address. The no command deletes the IPv4 address of the tunnel next hop.
(6) Configure tunnel mode
Mode: Tunnel Configuration Mode
Command: tunnel mode ipv6ip [6to4 | isatap]
         no tunnel mode ipv6ip [6to4 | isatap]
Explanation: Configure the tunnel mode. The no command clears the tunnel mode.
(7) Configure tunnel routing
Mode: Global mode
Command: ipv6 route <ipv6-address/prefix-length> {<interface-type interface-number> | tunnel <tnl-id>}
         no ipv6 route <ipv6-address/prefix-length> {<interface-type interface-number> | tunnel <tnl-id>}
Explanation: Configure tunnel routing. The no command clears tunnel routing.
21.2.3 IP Configuration Examples
21.2.3.1 Configuration Examples of IPv4
Figure 21-2-1 IPv4 configuration example (PC1, Switch1, Switch2, PC2)
The user's configuration requirements are: configure IP addresses of different network segments on Switch1 and Switch2, configure static routing and validate reachability using the ping function.
Configuration Description:
1. Configure two VLANs on Switch1, namely VLAN1 and VLAN2.
2. Configure IPv4 address 192.168.1.1 255.255.255.0 in VLAN1 of Switch1, and configure IPv4 address 192.168.2.1 255.255.255.0 in VLAN2.
3. Configure two VLANs on Switch2, namely VLAN2 and VLAN3.
4. Configure IPv4 address 192.168.2.2 255.255.255.0 in VLAN2 of Switch2, and configure IPv4 address 192.168.3.1 255.255.255.0 in VLAN3.
5. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0.
6. Configure static route 192.168.3.0/24 on Switch1, and configure static route 192.168.1.0/24 on Switch2.
7. Ping each other among the PCs.
First make sure PC1 and Switch1 can reach each other by ping, and PC2 and Switch2 can reach each other by ping.
The configuration procedure is as follows:
Switch1(config)#interface vlan 1
Switch1(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
Switch1(config)#interface vlan 2
Switch1(Config-if-Vlan2)#ip address 192.168.2.1 255.255.255.0
Switch1(Config-if-Vlan2)#exit
Switch1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ip address 192.168.2.2 255.255.255.0
Switch2(config)#interface vlan 3
Switch2(Config-if-Vlan3)#ip address 192.168.3.1 255.255.255.0
Switch2(Config-if-Vlan3)#exit
Switch2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
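The following is an added example, not part of the manual: a small model of the Layer 3 forwarding lookup for this topology (PC1, Switch1, Switch2, PC2). Each device holds connected routes from its interface addresses plus the static routes of step 6, a lookup is a longest-prefix match, and a packet is walked hop by hop; it also shows why ping fails when the return route on Switch2 is missing. The PCs' default gateways are an assumption, since the manual gives only their addresses.

```python
"""Added example (not from the manual): trace the Layer 3 forwarding decisions
of the IPv4 example in section 21.2.3.1 across PC1 - Switch1 - Switch2 - PC2."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

# A route is (prefix, next hop, interface); next hop None means directly connected.
Route = Tuple[IPv4Network, Optional[IPv4Address], str]


class Device:
    """A router-like node modelled after the manual's CLI: 'ip address' on a VLAN
    interface adds a connected route, 'ip route' adds a static route."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.addresses: Set[IPv4Address] = set()
        self.routes: List[Route] = []

    def ip_address(self, iface: str, addr_with_prefix: str) -> None:
        """Equivalent of 'ip address <ip-address> <mask>' in VLAN interface mode."""
        itf = IPv4Interface(addr_with_prefix)
        self.addresses.add(itf.ip)
        self.routes.append((itf.network, None, iface))  # connected route

    def ip_route(self, prefix: str, next_hop: str) -> None:
        """Equivalent of 'ip route <prefix> <mask> <next-hop>' in global mode."""
        self.routes.append((IPv4Network(prefix), IPv4Address(next_hop), "static"))

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over all routes; None when nothing matches."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(with_return_route: bool = True) -> Dict[str, Device]:
    """The manual's example topology, constructed here from its configuration steps.
    The PCs' default gateways are an assumption (the manual gives only their addresses)."""
    sw1, sw2, pc1, pc2 = Device("Switch1"), Device("Switch2"), Device("PC1"), Device("PC2")
    sw1.ip_address("Vlan1", "192.168.1.1/24")
    sw1.ip_address("Vlan2", "192.168.2.1/24")
    sw1.ip_route("192.168.3.0/24", "192.168.2.2")      # step 6 on Switch1
    sw2.ip_address("Vlan2", "192.168.2.2/24")
    sw2.ip_address("Vlan3", "192.168.3.1/24")
    if with_return_route:
        sw2.ip_route("192.168.1.0/24", "192.168.2.1")  # step 6 on Switch2
    pc1.ip_address("nic", "192.168.1.100/24")
    pc1.ip_route("0.0.0.0/0", "192.168.1.1")           # assumed default gateway
    pc2.ip_address("nic", "192.168.3.100/24")
    pc2.ip_route("0.0.0.0/0", "192.168.3.1")           # assumed default gateway
    return {d.name: d for d in (sw1, sw2, pc1, pc2)}


def trace(devices: Dict[str, Device], src: str, dst: str, max_hops: int = 16) -> List[str]:
    """Follow one packet from device `src` towards address `dst`, hop by hop.
    Returns the device names crossed; the last element is the receiver, or
    'NO ROUTE' / 'UNREACHABLE' / 'LOOP' when forwarding stops before delivery."""
    owner = {addr: d.name for d in devices.values() for addr in d.addresses}
    dst_ip = IPv4Address(dst)
    current = devices[src]
    path = [src]
    for _ in range(max_hops):
        if dst_ip in current.addresses:
            return path                                 # delivered
        route = current.lookup(dst_ip)
        if route is None:
            path.append("NO ROUTE")                     # lookup failed: packet dropped
            return path
        next_ip = dst_ip if route[1] is None else route[1]
        if next_ip not in owner:
            path.append("UNREACHABLE")                  # nobody owns the next-hop address
            return path
        current = devices[owner[next_ip]]
        path.append(current.name)
    path.append("LOOP")
    return path


if __name__ == "__main__":
    full = build_topology()
    print("PC1 -> PC2:", " -> ".join(trace(full, "PC1", "192.168.3.100")))
    print("PC2 -> PC1:", " -> ".join(trace(full, "PC2", "192.168.1.100")))
    # Without the static route on Switch2 the request still arrives but the reply is dropped.
    half = build_topology(with_return_route=False)
    print("PC2 -> PC1, no route on Switch2:", " -> ".join(trace(half, "PC2", "192.168.1.100")))
```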
21.2.3.2 Configuration Examples of IPv6
Example 1:
Figure 21-2-2 IPv6 configuration example (PC1, Switch1, Switch2, PC2)
The user's configuration requirements are: configure IPv6 addresses of different network segments on Switch1 and Switch2, configure static routing and validate reachability using the ping6 function.
Configuration Description:
1. Configure two VLANs on Switch1, namely VLAN1 and VLAN2.
2. Configure IPv6 address 2001::1/64 in VLAN1 of Switch1, and configure IPv6 address 2002::1/64 in VLAN2.
3. Configure two VLANs on Switch2, namely VLAN2 and VLAN3.
4. Configure IPv6 address 2002::2/64 in VLAN2 of Switch2, and configure IPv6 address 2003::1/64 in VLAN3.
5. The IPv6 address of PC1 is 2001::11/64, and the IPv6 address of PC2 is 2003::33/64.
6. Configure static route 2003::33/64 on Switch1, and configure static route 2001::11/64 on Switch2.
7. ping6 each other among the PCs.
First make sure PC1 and Switch1 can reach each other by ping, and PC2 and Switch2 can reach each other by ping.
The configuration procedure is as follows:
Switch1(Config)#ipv6 enable
Switch1(Config)#interface vlan 1
Switch1(Config-if-Vlan1)#ipv6 address 2001::1/64
Switch1(Config)#interface vlan 2
Switch1(Config-if-Vlan2)#ipv6 address 2002::1/64
Switch1(Config-if-Vlan2)#exit
Switch1(Config)#ipv6 route 2003::33/64 2002::2
Switch2(Config)#ipv6 enable
Switch2(Config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2002::2/64
Switch2(Config)#interface vlan 3
Switch2(Config-if-Vlan3)#ipv6 address 2003::1/64
Switch2(Config-if-Vlan3)#exit
Switch2(Config)#ipv6 route 2001::33/64 2002::1
Switch1#ping6 2003::33
Configuration result:
Switch1#show run
interface Vlan1
ipv6 address 2001::1/64
!
interface Vlan2
ipv6 address 2002::1/64
!
interface Loopback
mtu 3924
!
ipv6 route 2003::/64 2002::2
!
no login
!
end
Switch2#show run
interface Vlan2
ipv6 address 2002::2/64
!
interface Vlan3
ipv6 address 2003::1/64
!
interface Loopback
mtu 3924
!
ipv6 route 2001::/64 2002::1
!
no login
!
end
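The route and reachability logic of Example 1 can be checked offline with a small routing model. The following Python script is an added example, not part of the manual or of the switch firmware; it models Switch1 and Switch2 with the addresses and static routes configured above (the Switch class, the trace function and the other names are assumptions of this example) and shows two things: the switch stores 2003::33/64 as 2003::/64, which is why show run prints the prefix with the host bits cleared, and ping6 from Switch1 to PC2 only succeeds when Switch2 also holds the return route for 2001::/64.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example (not the manual's own code): a minimal longest-prefix-match
# model of the two switches in Example 1.  Class and function names are
# assumptions of this example, not switch commands.

Hop = Tuple[str, Optional[ipaddress.IPv6Address]]  # (egress VLAN, next hop or None)


def normalize(prefix: str) -> ipaddress.IPv6Network:
    """Store a route prefix the way 'show run' displays it: host bits cleared,
    so 'ipv6 route 2003::33/64 ...' is kept as 2003::/64."""
    return ipaddress.IPv6Network(prefix, strict=False)


class Switch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.interfaces: Dict[str, ipaddress.IPv6Interface] = {}   # "Vlan1" -> 2001::1/64
        self.static: List[Tuple[ipaddress.IPv6Network, ipaddress.IPv6Address]] = []

    def ipv6_address(self, vlan: str, address: str) -> None:
        """'interface vlan N' followed by 'ipv6 address A/L'."""
        self.interfaces[vlan] = ipaddress.IPv6Interface(address)

    def ipv6_route(self, prefix: str, next_hop: str) -> None:
        """'ipv6 route PREFIX NEXT-HOP'."""
        self.static.append((normalize(prefix), ipaddress.IPv6Address(next_hop)))

    def lookup(self, dst: ipaddress.IPv6Address) -> Optional[Hop]:
        """Longest-prefix match over connected prefixes and static routes.
        A static route is usable only if its next hop is on a connected prefix."""
        best: Optional[Tuple[int, str, Optional[ipaddress.IPv6Address]]] = None
        for vlan, iface in self.interfaces.items():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, vlan, None)
        for prefix, nh in self.static:
            if dst not in prefix:
                continue
            for vlan, iface in self.interfaces.items():
                if nh in iface.network and (best is None or prefix.prefixlen > best[0]):
                    best = (prefix.prefixlen, vlan, nh)
        return None if best is None else (best[1], best[2])


def trace(start: Switch, dst: str, by_address: Dict[str, Switch], max_hops: int = 8) -> List[str]:
    """Follow a packet hop by hop until it lands on a connected prefix.
    Returns the switches traversed; raises LookupError where no route exists."""
    target = ipaddress.IPv6Address(dst)
    current, path = start, [start.name]
    for _ in range(max_hops):
        hop = current.lookup(target)
        if hop is None:
            raise LookupError(f"{current.name} has no route to {dst}")
        vlan, next_hop = hop
        if next_hop is None:          # directly connected on `vlan`: delivered
            return path
        current = by_address[str(next_hop)]   # hand the packet to the next-hop switch
        path.append(current.name)
    raise LookupError("too many hops")


def build_example1(with_return_route: bool = True) -> Tuple[Switch, Switch, Dict[str, Switch]]:
    """The topology of Example 1, optionally without Switch2's route back to PC1."""
    sw1 = Switch("Switch1")
    sw1.ipv6_address("Vlan1", "2001::1/64")
    sw1.ipv6_address("Vlan2", "2002::1/64")
    sw1.ipv6_route("2003::33/64", "2002::2")
    sw2 = Switch("Switch2")
    sw2.ipv6_address("Vlan2", "2002::2/64")
    sw2.ipv6_address("Vlan3", "2003::1/64")
    if with_return_route:
        sw2.ipv6_route("2001::11/64", "2002::1")
    by_address = {"2002::1": sw1, "2002::2": sw2}
    return sw1, sw2, by_address


def ping6_round_trip(sw1: Switch, sw2: Switch, by_address: Dict[str, Switch]) -> bool:
    """ping6 succeeds only if the echo request and the echo reply are both routable."""
    try:
        trace(sw1, "2003::33", by_address)      # request towards PC2
        trace(sw2, "2001::1", by_address)       # reply from PC2's switch back to Switch1
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    sw1, sw2, by_addr = build_example1()
    print(normalize("2003::33/64"))                     # 2003::/64, as in 'show run'
    print(trace(sw1, "2003::33", by_addr))             # ['Switch1', 'Switch2']
    print(ping6_round_trip(*build_example1(False)))    # False: no return route
```

The model deliberately makes a static route usable only when its next hop lies on a connected prefix, which is the same condition the switch applies before installing the route; forgetting the route on Switch2 makes the echo request arrive but the reply undeliverable, so ping6 fails even though Switch1 is configured correctly.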
Example 2:
Figure 21-2-3 IPv6 tunnel (PC-A - SwitchA - SwitchC - SwitchB - PC-B)
This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel
nodes and support dual stack. SwitchC only runs IPv4. PC-A and PC-B communicate.
Configuration Description:
1. Configure two VLANs on SwitchA, namely VLAN1 and VLAN2. VLAN1 is the IPv6 domain, VLAN2 connects
to the IPv4 domain.
2. Configure IPv6 address 2002:caca:ca01:2::1/64 in VLAN1 of SwitchA and turn on the RA function; configure
IPv4 address 202.202.202.1 in VLAN2.
3. Configure two VLANs on SwitchB, namely VLAN3 and VLAN4. VLAN4 is the IPv6 domain, and VLAN3
connects to the IPv4 domain.
4. Configure IPv6 address 2002:cbcb:cb01:2::1/64 in VLAN4 of SwitchB and turn on the RA function; configure
IPv4 address 203.203.203.1 on VLAN3.
5. Configure a tunnel on SwitchA; the source IPv4 address of the tunnel is 202.202.202.1, and the tunnel route
is ::/0.
6. Configure a tunnel on SwitchB; the source IPv4 address of the tunnel is 202.202.202.2, and the tunnel route
is ::/0.
7. Configure two VLANs on SwitchC, namely VLAN2 and VLAN3. Configure IPv4 address 202.202.202.202 on
VLAN2 and configure IPv4 address 203.203.203.203 on VLAN3.
8. PC-A and PC-B obtain the 2002 prefix via SwitchA and SwitchB and configure their IPv6 addresses
automatically.
9. On PC-A, ping the IPv6 address of PC-B.
The configuration procedure is as follows:
SwitchA(config)#ipv6 enable
SwitchA(config)#interface vlan 1
SwitchA(Config-if-Vlan1)#ipv6 address 2002:caca:ca01:2::1/64
SwitchA(Config-if-Vlan1)#no ipv6 nd suppress-ra
SwitchA(Config-if-Vlan1)#exit
SwitchA(config)#interface vlan 2
SwitchA(Config-if-Vlan2)#ip address 202.202.202.1 255.255.255.0
SwitchA(Config-if-Vlan2)#exit
SwitchA(config)#interface tunnel 1
SwitchA(Config-if-Tunnel1)#tunnel source 202.202.202.1
SwitchA(Config-if-Tunnel1)#tunnel destination 203.203.203.1
SwitchA(Config-if-Tunnel1)#tunnel mode ipv6ip
SwitchA(Config-if-Tunnel1)#exit
SwitchA(config)#ipv6 route ::/0 tunnel1
SwitchB(config)#ipv6 enable
SwitchB(config)#interface vlan 4
SwitchB(Config-if-Vlan4)#ipv6 address 2002:cbcb:cb01:2::1/64
SwitchB(Config-if-Vlan4)#no ipv6 nd suppress-ra
SwitchB(Config-if-Vlan4)#exit
SwitchB(config)#interface vlan 3
SwitchB(Config-if-Vlan3)#ip address 203.203.203.1 255.255.255.0
SwitchB(Config-if-Vlan3)#exit
SwitchB(config)#interface tunnel 1
SwitchB(Config-if-Tunnel1)#tunnel source 203.203.203.1
SwitchB(Config-if-Tunnel1)#tunnel destination 202.202.202.1
SwitchB(Config-if-Tunnel1)#tunnel mode ipv6ip
SwitchB(Config-if-Tunnel1)#exit
SwitchB(config)#ipv6 route ::/0 tunnel1
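What "tunnel mode ipv6ip" does on the wire is wrap each IPv6 packet in an IPv4 header whose protocol field is 41, with the tunnel source and destination as the outer addresses. The Python script below is an added illustration, not the manual's or the switch's code: it builds the outer header as SwitchA would (protocol 41, 202.202.202.1 as source, 203.203.203.1 as destination) and decapsulates it as SwitchB would, accepting only packets whose outer addresses match the configured tunnel peer. The inner IPv6 packet, and all function names, are constructed assumptions of this example; the tunnel itself only works if SwitchA and SwitchB can reach each other over IPv4 through SwitchC.

```python
import ipaddress
import struct

# Added example (not the manual's own code): IPv6-in-IPv4 encapsulation as
# performed by 'tunnel mode ipv6ip'.  Function names and the sample packet
# are assumptions of this example.

IPPROTO_IPV6 = 41   # IPv4 protocol number for an encapsulated IPv6 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of the IPv4 header (0 when verifying a valid one)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 58) -> bytes:
    """Minimal IPv6 header (next header 58 = ICMPv6) followed by the payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(ipv6_packet: bytes, tunnel_source: str, tunnel_destination: str, ttl: int = 64) -> bytes:
    """Tunnel ingress (what SwitchA does): prepend an IPv4 header with protocol 41."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipv6_packet), 0, 0x4000,   # IHL 5, DF set
                         ttl, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(tunnel_source).packed,
                         ipaddress.IPv4Address(tunnel_destination).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(packet: bytes, expected_peer: str, local: str) -> bytes:
    """Tunnel egress (what SwitchB does): verify the outer header and return the
    inner IPv6 packet.  Packets not from the configured peer are rejected, so a
    stray protocol-41 packet cannot inject IPv6 traffic into the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if src != expected_peer or dst != local:
        raise ValueError(f"outer addresses {src}->{dst} do not match the tunnel")
    total_length = struct.unpack("!H", packet[2:4])[0]
    inner = packet[ihl:total_length]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def tunnel_round_trip() -> bool:
    """PC-A (behind SwitchA) to PC-B (behind SwitchB) through the tunnel."""
    inner = build_ipv6("2002:caca:ca01:2::10", "2002:cbcb:cb01:2::20", b"echo")  # constructed
    outer = encapsulate(inner, "202.202.202.1", "203.203.203.1")
    return decapsulate(outer, expected_peer="202.202.202.1", local="203.203.203.1") == inner


if __name__ == "__main__":
    print(tunnel_round_trip())   # True
```

The peer check in decapsulate is the part worth keeping in mind operationally: a configured point-to-point tunnel should only accept protocol-41 packets from its configured destination, otherwise any IPv4 host that can reach the tunnel endpoint could feed it IPv6 packets.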
21.2.4 IPv6 Troubleshooting
- IPv6 must be turned on before IPv6 commands are configured; otherwise the configuration is invalid.
- The router lifetime configured should not be smaller than the Router Advertisement send interval. If a
connected PC has not obtained an IPv6 address, check whether RA announcement is enabled on the
XGS3-42000R Chassis Switch (it is turned off by default).
21.3 IP Forwarding
21.3.1 Introduction to IP Forwarding
Gateway devices can forward IP packets from one subnet to another; such forwarding uses routes to find a
path. IP forwarding on the switch is done with the participation of hardware and can achieve wire-speed
forwarding. In addition, flexible management is provided to adjust and monitor forwarding. The Chassis Switch
supports enabling or disabling the optimized route aggregation algorithm, which adjusts how network route
entries are generated in the switch chip, and can display statistics for IP forwarding and the status of the
hardware forwarding chip.
21.3.2 IP Route Aggregation Configuration Task
IP route aggregation configuration task:
1. Set whether the IP route aggregation algorithm with or without optimization should be used
1. Set whether the IP route aggregation algorithm with or without optimization should be used
Command                      Explanation
Global Mode
ip fib optimize              Enables the switch to use the optimized IP route aggregation algorithm; the
no ip fib optimize           "no ip fib optimize" command disables the optimized IP route aggregation
                             algorithm.
21.4 URPF
21.4.1 Introduction to URPF
URPF (Unicast Reverse Path Forwarding) applies the RPF technology used in multicast to unicast, in order to
protect the network from attacks based on source address spoofing.
When the Chassis Switch receives a packet, it looks up the route table using the source address of the packet
as if it were the destination address. If the egress interface of the route found does not match the interface the
packet arrived on, the switch considers the packet forged and discards it.
In source address spoofing attacks, attackers construct a series of messages with fake source addresses.
For applications based on IP address verification, such attacks may allow unauthorized users to access the
system as authorized ones, or even as the administrator. Even if the response messages cannot reach the
attackers, they still do damage to the targets.
Figure 21-4-1 URPF application situation (Router A 1.1.1.8/8 sends packets with source IP 2.2.2.1/8 to
Router B; Router C is the real 2.2.2.1/8)
In the above figure, Router A sends requests to the server Router B by faking messages whose source
address is 2.2.2.1/8. In response, Router B sends the replies to the real "2.2.2.1/8". Such illegal
messages attack both Router B and Router C. Applying URPF in the situation described
above avoids attacks based on source address spoofing.
21.4.1.1 IP URPF Operating Mechanism
At present URPF relies on the ACL function provided by the Chassis Switch chips.
First, URPF is enabled globally to monitor changes in the route table: a corresponding URPF permit ACL rule
is created for each route in the FIB route table. In URPF strict mode, the format of an ACL rule is: the source
address segment of inbound packets + the ingress interface VID of inbound packets. The source address
segment of inbound packets corresponds to the destination address segment of the FIB route table entry, and
the ingress interface VID of inbound packets corresponds to the egress interface VID of the FIB route table
entry. In URPF loose mode, the format of an ACL rule is only the source address segment of inbound packets,
which corresponds to the destination address segment of the FIB route table entry.
After URPF is enabled on a port, the port is bound to the URPF rules and a default DENY ALL rule is
distributed to hardware.
The above operations guarantee that, when data reaches the port, only packets matching the rules can pass
through it and all others are dropped.
The priority of the corresponding ACL rules is low, so they do not block protocol packets; hence, enabling this
function does not affect the normal operation of the switch's routing protocols.
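The rule format described above can be checked against a small FIB. The Python script below is an added example, not the manual's or the switch chip's code: it derives the strict-mode permit rules (source segment + ingress VID) and the loose-mode rules (source segment only) from a constructed FIB, and applies the reverse-path check to the spoofed packet of Figure 21-4-1. The function names, the VLAN ids and the FIB contents are assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Added example (not the manual's own code): URPF rule derivation and lookup
# over a constructed FIB.  Function names and VLAN ids are assumptions.

FibEntry = Tuple[ipaddress.IPv4Network, int]     # (destination prefix, egress VLAN id)

# Constructed FIB of Router B in Figure 21-4-1: Router A's network is reached
# through VLAN 10, Router C's (the real 2.0.0.0/8) through VLAN 20, and
# everything else through a default route on VLAN 30.
ROUTER_B_FIB: List[FibEntry] = [
    (ipaddress.IPv4Network("1.0.0.0/8"), 10),
    (ipaddress.IPv4Network("2.0.0.0/8"), 20),
    (ipaddress.IPv4Network("0.0.0.0/0"), 30),
]


def permit_rules(fib: List[FibEntry], mode: str) -> Set[Tuple[str, Optional[int]]]:
    """The ACL permit rules the switch installs for each FIB route.
    strict: (source segment, ingress VID) where the VID is the route's egress VID;
    loose:  (source segment, None), i.e. the source segment only."""
    if mode == "strict":
        return {(str(prefix), vid) for prefix, vid in fib}
    if mode == "loose":
        return {(str(prefix), None) for prefix, _ in fib}
    raise ValueError(f"unknown URPF mode {mode!r}")


def best_route(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match, used here with the *source* address as the key."""
    matches = [entry for entry in fib if addr in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen) if matches else None


def urpf_check(fib: List[FibEntry], source: str, ingress_vid: int,
               mode: str = "strict", allow_default_route: bool = False) -> bool:
    """Return True when the packet passes the reverse-path check.
    Mirrors 'ip urpf enable {loose | strict} {allow-default-route}':
    - a source with no route at all is always denied;
    - a source matched only by the default route is denied unless
      allow-default-route is set;
    - strict mode additionally requires the route's egress VID to equal the
      VID the packet arrived on."""
    route = best_route(fib, ipaddress.IPv4Address(source))
    if route is None:
        return False
    prefix, egress_vid = route
    if prefix.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress_vid == ingress_vid
    raise ValueError(f"unknown URPF mode {mode!r}")


if __name__ == "__main__":
    # Router A (on VLAN 10) forges source 2.2.2.1: strict denies, loose permits.
    print(urpf_check(ROUTER_B_FIB, "2.2.2.1", ingress_vid=10))                 # False
    print(urpf_check(ROUTER_B_FIB, "2.2.2.1", ingress_vid=10, mode="loose"))   # True
    print(urpf_check(ROUTER_B_FIB, "1.1.1.8", ingress_vid=10))                 # True
```

The example shows why strict mode is the one that stops the Figure 21-4-1 attack: loose mode only asks whether 2.2.2.1 is routable at all, which it is (via Router C), so the forged packet passes; strict mode also compares the route's egress VLAN with the arrival VLAN and denies it. It also shows that the default route is excluded from the check unless allow-default-route is given, so on a switch whose FIB is mostly a default route strict mode will drop legitimate traffic without that option.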
21.4.2 URPF Configuration Task Sequence
1. Enable URPF
2. Enable URPF on port
3. Display and debug URPF relevant information
1. Globally enable URPF
Command                                             Explanation
Global mode
urpf enable                                         Globally enable or disable URPF.
no urpf enable
2. Enable URPF on port
Command                                             Explanation
Port mode
ip urpf enable {loose | strict}                     Enable or disable URPF on the port.
{allow-default-route}
no ip urpf enable
3. Display and debug URPF relevant information
Command                                             Explanation
Admin mode
debug l4driver urpf {notice | warning | error}      Enable the URPF debug function to display error
no debug l4driver urpf {notice | warning | error}   information if failures occur during the
                                                    installation of URPF rules.
Admin and Config Mode
show urpf                                           Display which interfaces have been enabled with
                                                    the URPF function.
show urpf rule ipv4 num interface ethernet IFNAME   Display the number of IPv4 rules bound to the port.
show urpf rule ipv6 num interface ethernet IFNAME   Display the number of IPv6 rules bound to the port.
show urpf rule ipv4 interface ethernet IFNAME       Display the details of the IPv4 rules bound to the port.
show urpf rule ipv6 interface ethernet IFNAME       Display the details of the IPv6 rules bound to the port.
21.4.3 URPF Typical Example
Figure (URPF typical example): SW3 with URPF enabled globally and on E3/3 (Vlan4), E3/2 (Vlan3); SW1 and
SW2 (E1/8, E1/2); addresses 10.1.1.10/24 and 2002::4/64; a malicious host pretends to be SW2 by using
10.1.1.10 to launch an attack.
In the network topology shown in the figure above, the IP URPF function is enabled on SW3. When someone
in the network pretends to be someone else by using their IP address to launch an attack, the
switch drops all the attacking messages directly through the hardware FFP function.
Enable the URPF function on SW3 Ethernet3/3.
SW3 configuration task sequence:
Switch3#config
Switch3(config)#urpf enable
Switch3(config)#interface ethernet 3/3
Switch3(Config-If-Ethernet3/3)#ip urpf enable strict
21.4.4 URPF Troubleshooting
Proper operation of URPF depends greatly on whether the corresponding URPF rules can be
applied correctly. If the function does not meet expectations after the URPF configuration is done:
- Check whether the Chassis Switch has been configured with rules conflicting with URPF (URPF priority is
lower than ACL); if a conflict exists, the ACL rules take effect.
- Check whether there is a matching route in the FIB table. Only when one is found can the ACL rules be
distributed to the port.
- Check whether the hardware ACL capacity is full, which would prevent newly generated routes from being
applied as ACL rules.
- If all configurations are normal but URPF still does not operate as expected, enable the URPF
debug function and use the "show urpf" command and the other commands that display the rule number
and details to observe whether the created URPF rules are correct, and send the result to the
technology service center.
21.5 ARP
21.5.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve an IP address to an Ethernet MAC address. The
Chassis Switch supports both dynamic ARP and static ARP configuration. Furthermore, the Chassis Switch supports
the configuration of proxy ARP for some applications. For instance, when an ARP request is received on a port,
requesting an IP address in the same IP segment as the port but not on the same physical network, if the port has
proxy ARP enabled, the port replies to the ARP request with its own MAC address and forwards the actual packets
it then receives. Enabling proxy ARP allows machines that are physically separated but in the same IP segment to
ignore the physical separation and communicate via the proxy ARP interface as if on the same physical network.
21.5.2 ARP Configuration Task List
ARP Configuration Task List:
1. Configure static ARP
2. Configure proxy ARP
3. Clear dynamic ARP
4. Select hash algorithm
5. Clear the statistic information of ARP messages
1. Configure static ARP
Command                                        Explanation
VLAN Port Mode
arp <ip_address> <mac_address>                 Configures a static ARP entry; the no
{interface [ethernet] <portName>}              command deletes the ARP entry of the
no arp <ip_address>                            specified IP address.
2. Configure proxy ARP
Command                                        Explanation
VLAN Port Mode
ip proxy-arp                                   Enables the proxy ARP function for Ethernet
no ip proxy-arp                                ports; the no command disables proxy ARP.
3. Clear dynamic ARP
Command                                        Explanation
Admin mode
clear arp-cache                                Clears the content of the current ARP table, but
                                               does not clear the static ARP entries.
4. Select hash algorithm
Command                                        Explanation
Global mode
l3 hashselect                                  Sets the hash algorithm of the layer 3 table.
[<crc16l | crc16u | crc32l | crc32u | lsb>]    This command determines how the ARP table is
                                               stored in the hardware; it should only be used
                                               under the guidance of a technical specialist. For
                                               details please refer to the related Command Guide.
5. Clear the statistic information of ARP messages
Command                                        Explanation
Admin mode
clear arp traffic                              Clears the statistic information of ARP messages
                                               of the switch.
21.5.3 ARP Troubleshooting
If ping from the switch to directly connected network devices fails, the following can be used to check the
possible cause and find a solution.
- Check whether the corresponding ARP entry has been learned by the Chassis Switch.
- If the ARP entry has not been learned, enable ARP debugging information and view the sending and receiving
of ARP packets.
- A defective cable is a common cause of ARP problems and may disable ARP learning.
Chapter 22 ARP Scanning Prevention
Function Configuration
22.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network
segment, the attack source broadcasts lots of ARP messages in the segment, which take up a large
part of the bandwidth of the network. It might even carry out a large-traffic attack on the network via fake ARP
messages, collapsing the network by exhausting its bandwidth. Usually ARP scanning is just a prelude to
other, more dangerous attack methods, such as automatic virus infection or the ensuing port scanning,
vulnerability scanning aimed at stealing information, distorted message attacks, DoS attacks, etc.
Since ARP scanning seriously threatens the security and stability of the network, it is very
important to prevent it. The XGS3 series switch provides a complete solution to prevent ARP scanning: if any
host or port with ARP scanning characteristics is found in the segment, the switch cuts off the attack source
to ensure the security of the network.
There are two methods to prevent ARP scanning: port-based and IP-based. Port-based ARP scanning
prevention counts the number of ARP messages received from a port in a certain time range; if the number is
larger than a preset threshold, the port is shut down. IP-based ARP scanning prevention counts the number of
ARP messages received from an IP in the segment in a certain time range; if the number is larger than a preset
threshold, all traffic from this IP is blocked, while the port related to this IP is not shut down. These
two methods can be enabled simultaneously. After a port or an IP is disabled, users can recover its state via the
automatic recovery function.
To reduce the load on the Chassis Switch, users can configure trusted ports and IP addresses; ARP messages
from these are not checked by the Chassis Switch. Thus the load of the switch can be effectively decreased.
22.2 ARP Scanning Prevention Configuration Task Sequence
1. Enable the ARP Scanning Prevention function.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
3. Configure trusted ports
4. Configure trusted IP
5. Configure automatic recovery time
6. Display relative information of debug information and ARP scanning
1. Enable the ARP Scanning Prevention function.
Command                                            Explanation
Global configuration mode
anti-arpscan enable                                Enable or disable the ARP Scanning
no anti-arpscan enable                             Prevention function globally.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Command                                            Explanation
Global configuration mode
anti-arpscan port-based threshold                  Set the threshold of the port-based
<threshold-value>                                  ARP Scanning Prevention.
no anti-arpscan port-based threshold
anti-arpscan ip-based threshold                    Set the threshold of the IP-based ARP
<threshold-value>                                  Scanning Prevention.
no anti-arpscan ip-based threshold
3. Configure trusted ports
Command                                            Explanation
Port configuration mode
anti-arpscan trust <port | supertrust-port>        Set the trust attributes of the ports.
no anti-arpscan trust <port | supertrust-port>
4. Configure trusted IP
Command                                            Explanation
Global configuration mode
anti-arpscan trust ip <ip-address> [<netmask>]     Set the trust attributes of IP.
no anti-arpscan trust ip <ip-address> [<netmask>]
5. Configure automatic recovery time
Command                                            Explanation
Global configuration mode
anti-arpscan recovery enable                       Enable or disable the automatic
no anti-arpscan recovery enable                    recovery function.
anti-arpscan recovery time <seconds>               Set the automatic recovery time.
no anti-arpscan recovery time
6. Display relative information of debug information and ARP scanning
Command                                            Explanation
Global configuration mode
anti-arpscan log enable                            Enable or disable the log function of ARP
no anti-arpscan log enable                         scanning prevention.
anti-arpscan trap enable                           Enable or disable the SNMP Trap function
no anti-arpscan trap enable                        of ARP scanning prevention.
show anti-arpscan [trust <ip | port |              Display the state of operation and
supertrust-port> | prohibited <ip | port>]         configuration of ARP scanning prevention.
Admin Mode
debug anti-arpscan <port | ip>                     Enable or disable the debug switch of ARP
no debug anti-arpscan <port | ip>                  scanning prevention.
22.3 ARP Scanning Prevention Typical Examples
Figure 22-3-1 ARP scanning prevention typical configuration example (SWITCH B E1/1 - E1/19 SWITCH A;
SWITCH A E1/2 - Server 192.168.1.100/24; PCs on the remaining ports)
In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, port E1/2
of SWITCH A is connected to the file server (IP address 192.168.1.100), and all the other ports of SWITCH A
are connected to ordinary PCs. The following configuration can prevent ARP scanning effectively without
affecting the normal operation of the system.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.0 255.255.255.0
SwitchA(config)#interface ethernet1/2
SwitchA(Config-If-Ethernet1/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/2)#exit
SwitchA(config)#interface ethernet1/19
SwitchA(Config-If-Ethernet1/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/19)#exit
SWITCH B configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/1
SwitchB(Config-If-Ethernet1/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/1)#exit
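The counting described in 22.1 can be modelled to see how the thresholds, the trusted ports and IP ranges, and the recovery time interact. The following Python class is an added example, not the manual's or the switch firmware's code; it counts ARP messages per port and per sender IP in a sliding window, shuts the port or blocks the IP when a threshold is exceeded, skips messages from trusted ports and trusted IP ranges (such as the 192.168.1.0/24 server range configured above), and releases a block after the recovery time. The window length, the class and method names and the sample traffic are assumptions of this example; the manual does not state the counting interval the switch uses.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set

# Added example (not the manual's own code): a model of port-based and
# IP-based ARP scanning prevention.  Window length, names and sample traffic
# are assumptions of this example.


class AntiArpScan:
    def __init__(self, port_threshold: int, ip_threshold: int,
                 window_seconds: float = 10.0, recovery_seconds: Optional[float] = None) -> None:
        self.port_threshold = port_threshold      # anti-arpscan port-based threshold
        self.ip_threshold = ip_threshold          # anti-arpscan ip-based threshold
        self.window = window_seconds              # counting interval (assumed)
        self.recovery = recovery_seconds          # anti-arpscan recovery time
        self.trusted_ports: Set[str] = set()      # anti-arpscan trust port
        self.trusted_nets: List[ipaddress.IPv4Network] = []   # anti-arpscan trust ip
        self.port_events: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_events: Dict[ipaddress.IPv4Address, Deque[float]] = defaultdict(deque)
        self.port_down: Dict[str, float] = {}     # port -> time it was shut down
        self.ip_blocked: Dict[ipaddress.IPv4Address, float] = {}

    def trust_port(self, port: str) -> None:
        self.trusted_ports.add(port)

    def trust_ip(self, network: str) -> None:
        self.trusted_nets.append(ipaddress.IPv4Network(network, strict=False))

    def _recover(self, now: float) -> None:
        """Automatic recovery: lift blocks older than the recovery time."""
        if self.recovery is None:
            return
        for table in (self.port_down, self.ip_blocked):
            for key in [k for k, since in table.items() if now - since >= self.recovery]:
                del table[key]

    def arp_received(self, now: float, port: str, sender_ip: str) -> str:
        """Process one ARP message and report what the switch does with it."""
        self._recover(now)
        ip = ipaddress.IPv4Address(sender_ip)
        if port in self.trusted_ports or any(ip in net for net in self.trusted_nets):
            return "trusted"                      # not counted at all
        if port in self.port_down or ip in self.ip_blocked:
            return "dropped"                      # source already cut off
        for queue in (self.port_events[port], self.ip_events[ip]):
            queue.append(now)
            while queue and now - queue[0] > self.window:
                queue.popleft()                   # slide the window
        if len(self.port_events[port]) > self.port_threshold:
            self.port_down[port] = now
            return "port-down"
        if len(self.ip_events[ip]) > self.ip_threshold:
            self.ip_blocked[ip] = now
            return "ip-blocked"
        return "ok"


def simulate_scan() -> List[str]:
    """Constructed traffic: one host on E1/3 sends 12 ARPs in about a second; then a
    second host on the same port and the trusted server send one each; finally the
    first host sends again after the 3600 s recovery time of the example."""
    guard = AntiArpScan(port_threshold=30, ip_threshold=10, recovery_seconds=3600)
    guard.trust_ip("192.168.1.0/24")
    results = [guard.arp_received(0.1 * i, "E1/3", "10.0.0.5") for i in range(12)]
    results.append(guard.arp_received(2.0, "E1/3", "10.0.0.6"))
    results.append(guard.arp_received(2.0, "E1/2", "192.168.1.100"))
    results.append(guard.arp_received(3700.0, "E1/3", "10.0.0.5"))
    return results


if __name__ == "__main__":
    print(simulate_scan())
```

Because the IP-based limit trips before the port-based one in this run, the second host on the same port keeps working, which is the behaviour the chapter describes for IP-based prevention; a lower port threshold would instead shut the whole port, affecting every host behind it.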
22.4 ARP Scanning Prevention Troubleshooting Help
- ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can
enable the debug switch, "debug anti-arpscan", to view debug information.
Chapter 23 Prevent ARP, ND Spoofing
Configuration
23.1 Overview
23.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC 826) is mainly responsible for mapping an IP address to the relevant
48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card
MAC address 00-30-4f-FD-1D-2B. The whole mapping process is that a host sends a broadcast data packet
containing the IP address of the destination host (the ARP request), and then the destination host
sends a data packet containing its IP address and MAC address back to the host, so the two hosts can
exchange data by MAC address.
23.1.2 ARP Spoofing
In the design of the ARP protocol, to reduce redundant ARP traffic on networks, even when a
host receives an ARP reply which it did not request, it still inserts an entry into its ARP
cache table; this creates the possibility of "ARP spoofing". If a hacker wants to snoop on the communication
between two hosts in the same network (even if they are connected by switches), it sends an ARP
reply packet to each of the two hosts separately, making each of them take the hacker's MAC address for the
MAC address of the other side. In this way, what looks like direct communication actually passes through
the hacker's host. The hacker not only obtains the communication information it needs, but can also
modify some information in the data packets before forwarding them. In this sniffing method, the hacker's
host does not need to configure promiscuous mode on its network card, because the data packets between
the two communicating sides are sent to the hacker's host at the physical layer, which works as a relay.
23.1.3 How to prevent ARP/ND Spoofing
There are many sniffing, monitoring and attack behaviors based on the ARP protocol in networks, and most of
the attack behaviors are based on ARP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing
first gains access to the normal network environment by counterfeiting a legal IP address, and then sends a
great deal of counterfeit ARP packets to the switches. After the switches learn these packets, they overwrite
the previously correct IP-to-MAC address mappings, so some correct IP/MAC mappings are
replaced by the mapping carried in the attack packets; the switch then forwards packets incorrectly,
which affects the whole network. Alternatively the switches are made use of by malicious
attackers, who intercept and capture packets forwarded by the switches or attack other switches, hosts
or network equipment.
The essential method of preventing ARP-based attacks and spoofing of switches in networks is to
disable the switch's automatic update function, so that the cheater cannot modify a correct MAC address; this
avoids incorrect packet forwarding and prevents the cheater from obtaining other information. At the same time,
it does not interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attacks to a
great extent.
ND is the neighbor discovery protocol of IPv6, and its operating principle is similar to ARP; therefore
we prevent ND spoofing and attacks in the same way as ARP spoofing.
23.2 Prevent ARP, ND Spoofing configuration
The steps of the prevent ARP, ND spoofing configuration are as below:
1. Disable ARP, ND automatic update function
2. Disable ARP, ND automatic learning function
3. Change dynamic ARP, ND to static ARP, ND
1. Disable ARP, ND automatic update function
Command                                   Explanation
Global Mode and Port Mode
ip arp-security updateprotect             Disable and enable the ARP, ND automatic update
no ip arp-security updateprotect          function.
ipv6 nd-security updateprotect
no ipv6 nd-security updateprotect
2. Disable ARP, ND automatic learning function
Command                                   Explanation
Global mode and Interface Mode
ip arp-security learnprotect              Disable and enable the ARP, ND automatic learning
no ip arp-security learnprotect           function.
ipv6 nd-security learnprotect
no ipv6 nd-security learnprotect
3. Function on changing dynamic ARP, ND to static ARP, ND
Command                                   Explanation
Global Mode and Port Mode
ip arp-security convert                   Change dynamic ARP, ND to static ARP, ND.
ipv6 nd-security convert
23.3 Prevent ARP, ND Spoofing Example
Figure: a switch with hosts A, B and C attached.
Equipment Explanation
Equipment   Configuration                                               Quantity
Switch      IP: 192.168.2.4; IP: 192.168.1.4; MAC: 04-04-04-04-04-04   1
A           IP: 192.168.2.1; MAC: 01-01-01-01-01-01                    1
B           IP: 192.168.1.2; MAC: 02-02-02-02-02-02                    1
C           IP: 192.168.2.3; MAC: 03-03-03-03-03-03                    some
There is normal communication between B and C in the above diagram. A wants the switch to forward the packets
sent by B to itself, so it needs the switch to send the packets from B to A. First A sends an ARP reply packet to
the switch in the format: 192.168.2.3, 01-01-01-01-01-01, mapping its own MAC address to C's IP, so the switch
changes the entry when it updates its ARP list, and then data packets for 192.168.2.3 are forwarded to the
01-01-01-01-01-01 address (A's MAC address).
Further, A forwards the packets it receives to C by modifying the source address and destination address, so the
data exchanged between B and C is received by A unnoticed. Because the ARP list is updated
regularly, another task for A is to continuously send ARP reply packets to refresh the switch's ARP list.
So it is very important to protect the ARP list: in a stable environment, configure the command that forbids ARP
learning, and then change all dynamic ARP to static ARP, so the learned ARP entries will not be refreshed,
which protects the users.
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#arp 192.168.2.1 01-01-01-01-01-01 interface eth 1/2
XGS3-42000R(config-If-Vlan1)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#arp 192.168.1.2 02-02-02-02-02-02 interface eth 1/2
XGS3-42000R(config-If-Vlan2)#interface vlan 3
XGS3-42000R(config-If-Vlan3)#arp 192.168.2.3 03-03-03-03-03-03 interface eth 1/2
XGS3-42000R(config-If-Vlan3)#exit
XGS3-42000R(config)#ip arp-security learnprotect
XGS3-42000R(config)#ip arp-security convert
If the environment changes, ARP refresh can be forbidden: once an ARP entry is learned, it will not be refreshed
by new ARP reply packets, which protects user data from sniffing.
XGS3-42000R#config
XGS3-42000R(config)#ip arp-security updateprotect
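The effect of the three commands on the switch's ARP list can be followed with a small model of the table. The following Python script is an added example, not the manual's or the switch's code: it replays the scenario above (B and C learned dynamically, then an ARP reply claiming that 192.168.2.3 is at 01-01-01-01-01-01) against an unprotected table, a table with learnprotect and convert applied, and a table with updateprotect applied. The class and method names are assumptions of this example; what the table does in each state follows the descriptions in 23.1.2 and 23.2.

```python
from dataclasses import dataclass
from typing import Dict

# Added example (not the manual's own code): a model of the switch's ARP list
# under 'ip arp-security learnprotect', 'ip arp-security updateprotect' and
# 'ip arp-security convert'.  Names are assumptions of this example.


@dataclass
class ArpEntry:
    mac: str
    port: str
    static: bool = False


class ArpTable:
    def __init__(self) -> None:
        self.entries: Dict[str, ArpEntry] = {}
        self.learnprotect = False     # ip arp-security learnprotect
        self.updateprotect = False    # ip arp-security updateprotect

    def arp_static(self, ip: str, mac: str, port: str) -> None:
        """'arp <ip> <mac> interface <port>' in VLAN interface mode."""
        self.entries[ip] = ArpEntry(mac, port, static=True)

    def convert(self) -> None:
        """'ip arp-security convert': every dynamic entry becomes static."""
        for entry in self.entries.values():
            entry.static = True

    def on_arp_reply(self, sender_ip: str, sender_mac: str, port: str) -> str:
        """Apply one received ARP reply (solicited or not) to the table and
        report what happened.  Without protection an unsolicited reply
        overwrites the existing mapping, which is the spoofing of 23.1.2."""
        current = self.entries.get(sender_ip)
        if current is None:
            if self.learnprotect:
                return "ignored: learning disabled"
            self.entries[sender_ip] = ArpEntry(sender_mac, port)
            return "learned"
        if current.static:
            return "ignored: static entry"
        if current.mac == sender_mac and current.port == port:
            return "refreshed"
        if self.updateprotect:
            return "ignored: update protected"
        self.entries[sender_ip] = ArpEntry(sender_mac, port)
        return "updated"

    def mac_of(self, ip: str) -> str:
        return self.entries[ip].mac


def learn_b_and_c(table: ArpTable) -> None:
    """Normal traffic: the switch learns B and C dynamically (constructed)."""
    table.on_arp_reply("192.168.1.2", "02-02-02-02-02-02", "eth 1/2")
    table.on_arp_reply("192.168.2.3", "03-03-03-03-03-03", "eth 1/2")


def replay_scenario() -> Dict[str, str]:
    """The forged reply of 23.3 (C's IP with A's MAC) against three table states.
    Returns the MAC the switch holds for 192.168.2.3 afterwards in each case."""
    forged = ("192.168.2.3", "01-01-01-01-01-01", "eth 1/2")

    unprotected = ArpTable()
    learn_b_and_c(unprotected)
    unprotected.on_arp_reply(*forged)

    frozen = ArpTable()                   # learnprotect + convert, as configured in 23.3
    learn_b_and_c(frozen)
    frozen.learnprotect = True
    frozen.convert()
    frozen.on_arp_reply(*forged)

    guarded = ArpTable()                  # updateprotect only
    learn_b_and_c(guarded)
    guarded.updateprotect = True
    guarded.on_arp_reply(*forged)

    return {"unprotected": unprotected.mac_of("192.168.2.3"),
            "learnprotect+convert": frozen.mac_of("192.168.2.3"),
            "updateprotect": guarded.mac_of("192.168.2.3")}


if __name__ == "__main__":
    print(replay_scenario())
```

The model makes the difference between the two protections visible: learnprotect alone would still let an existing dynamic entry be overwritten, which is why the example pairs it with convert, while updateprotect keeps learning new hosts but refuses to change a mapping that is already known.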
Chapter 24 ARP GUARD Configuration
24.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol: any network device can send
ARP messages to advertise the mapping between an IP address and a MAC address. This provides a
chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to
advertise a wrong mapping between an IP address and a MAC address, causing problems in network
communication. The danger of ARP cheating has two forms: 1. PC4 sends an ARP message to advertise that
the IP address of PC2 is mapped to the MAC address of PC4, which causes all the IP messages for PC2 to
be sent to PC4, so PC4 is able to monitor and capture the messages for PC2; 2. PC4 sends ARP
messages to advertise that the IP address of PC2 is mapped to an illegal MAC address, which prevents
PC2 from receiving the messages addressed to it. In particular, if the attacker pretends to be the gateway and
does ARP cheating, the whole network collapses.
Figure 24-1-1 ARP GUARD schematic diagram (PC1, Switch, HUB with ports A, B, C, D, PC2 to PC6)
We utilize the filtering entries of the switch to protect the ARP entries of important network devices from being
imitated by other devices. The basic theory of doing this is to utilize the filtering entries of the switch to
check all the ARP messages entering through the port; if the source address of an ARP message is a protected
address, the message is dropped directly and is not forwarded.
The ARP GUARD function is usually used to protect the gateway from being attacked. If all the PCs accessing
the network have to be protected from ARP cheating, then a large number of ARP GUARD addresses have to be
configured on the port, which takes up a large part of the FFP entries in the chip and, as a result, might affect
other applications. So this would be improper. It is recommended to adopt the FREE RESOURCE related
access scheme. Please refer to the relevant documents for details.
24.2 ARP GUARD Configuration Task List
1. Configure the protected IP address
Command                      Explanation
Port configuration mode
arp-guard ip <addr>          Configure/delete an ARP GUARD address.
no arp-guard ip <addr>
Chapter 25 ARP Local Proxy Configuration
25.1 Introduction to ARP Local Proxy function
In a real application environment, the switches in the aggregation layer are required to implement the local ARP
proxy function to avoid ARP cheating. This function restricts the forwarding of ARP messages within the same
VLAN and thus directs the L3 forwarding of the data flow through the switch.
Figure: devices labelled 192.168.1.1, 192.168.1.200 and 192.168.1.100 (the switch and two PCs)
As shown in the figure above, PC1 wants to send an IP message to PC2; the overall procedure goes as
follows (some non-ARP details are ignored):
1. Since PC1 does not have the ARP entry of PC2, it sends a broadcast ARP request.
2. On receiving the ARP message, the switch hardware sends the ARP request to the CPU instead of
forwarding this message via hardware, according to the new ARP handling rules.
3. With local ARP proxy enabled, the switch sends an ARP reply message to PC1 (filling in its own MAC address).
4. After receiving the ARP reply, PC1 creates the ARP entry, sends an IP message, and sets the destination MAC
of the Ethernet header to the MAC of the switch.
5. After receiving the IP message, the switch searches the route table (creating a route cache entry) and
distributes hardware entries.
6. If the switch has the ARP entry of PC2, it directly encapsulates the Ethernet header and sends the message
(the destination MAC is that of PC2).
7. If the switch does not have the ARP entry of PC2, it requests it and then sends the IP message.
This function should cooperate with other security functions. When users configure local ARP proxy on an
aggregation switch while configuring the interface isolation function on the layer-2 switch connected to it, all IP
flows are forwarded at layer 3 via the aggregation switch. And due to the interface isolation, ARP messages
are not forwarded within the VLAN, which means other PCs do not receive them.
25.2 ARP Local Proxy Function Configuration Task List
1. Enable/disable ARP local proxy function
Command                      Explanation
Interface vlan mode
ip local proxy-arp           Enable or disable the ARP local proxy function.
no ip local proxy-arp
25.3 Typical Examples of ARP Local Proxy Function
As shown in the following figure, S1 is a medium/high-end layer-3 switch supporting ARP local proxy, and S2 is
a layer-2 access switch supporting interface isolation.
For security, the interface isolation function is enabled on S2. Thus all downlink ports of S2 are isolated
from each other, so all ARP messages have to be forwarded through S1. If ARP local proxy is enabled on
S1, then all interfaces on S1 isolate ARP while S1 serves as the ARP proxy. As a result, IP flows are
forwarded at layer 3 through S1 instead of S2.
We can configure as follows:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip local proxy-arp
XGS3-42000R(config-if-Vlan1)#exit
25.4 ARP Local Proxy Function Troubleshooting
The ARP local proxy function is disabled by default. Users can view the current configuration with the display
command. With a correct configuration, by enabling ARP debugging users can check whether the ARP proxy is
working normally and sending proxy ARP messages.
During operation, the system shows corresponding prompts if any operational error occurs.
Chapter 26 Gratuitous ARP Configuration
26.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request that is sent by a host with its own IP address as the destination of the
ARP request.
The basic working mode for XGS3 Chassis Switches is as below: the Layer 3 interfaces of the Chassis
Switch can be configured to advertise gratuitous ARP packets periodically, or the Chassis Switch can be
configured globally to send gratuitous ARP packets on all interfaces.
The purposes of gratuitous ARP are as below:
1. To reduce the frequency at which hosts send ARP requests to the switch. The hosts in the network
periodically send ARP requests to the gateway to update the MAC address of the gateway. If the
switch advertises gratuitous ARP requests, the hosts do not have to send these requests. This
reduces the frequency of the hosts' ARP requests for the gateway's MAC address.
2. Gratuitous ARP is a method to prevent ARP cheating. The switch's advertising of gratuitous ARP
requests forces the hosts to update their ARP cache tables. Thus, forged ARP entries for the gateway cannot
take effect.
26.2 Gratuitous ARP Configuration Task List
1. Enable gratuitous ARP and configure the interval to send gratuitous ARP request
2. Display configurations about gratuitous ARP
1. Enable gratuitous ARP and configure the interval to send gratuitous ARP request.
Command                                      Explanation
Global Configuration Mode and Interface Configuration Mode
ip gratuitous-arp <5-1200>                   To enable gratuitous ARP and configure the
no ip gratuitous-arp                         interval to send gratuitous ARP requests.
                                             The no command cancels gratuitous ARP.
2. Display configurations about gratuitous ARP
Command                                      Explanation
Admin Mode and Configuration Mode
show ip gratuitous-arp [interface vlan       To display configurations about gratuitous
<1-4094>]                                    ARP.
26.3 Gratuitous ARP Configuration Example
Figure 26-3-1 Gratuitous ARP Configuration Example (switch with interface vlan10, 192.168.15.254/255.255.255.0, connected to PC3, PC4 and PC5, and interface vlan1, 192.168.14.254/255.255.255.0, connected to PC1 and PC2)
For the network topology shown in the figure above, interface VLAN10 in the switch has the IP address 192.168.15.254 and the network mask 255.255.255.0. Three PCs, PC3, PC4 and PC5, are connected to this interface. The IP address of interface VLAN1 is 192.168.14.254 and its network mask is 255.255.255.0. Two PCs, PC1 and PC2, are connected to this interface. Gratuitous ARP can be enabled through the following configuration:
1. Configure both interfaces to use gratuitous ARP at one time.
XGS3-42000R(config)#ip gratuitous-arp 300
XGS3-42000R(config)#exit
2. Configure gratuitous ARP for only one interface at one time.
XGS3-42000R(config)#interface vlan 10
XGS3-42000R(config-if-Vlan10)#ip gratuitous-arp 300
XGS3-42000R(config-if-Vlan10)#exit
XGS3-42000R(config)#exit
26.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send.
If gratuitous ARP is enabled in global configuration mode, it can be disabled only in global configuration mode. If gratuitous ARP is configured in interface configuration mode, the configuration can only be disabled in interface configuration mode.
Chapter 27 ND Snooping Configuration
27.1 Introduction to ND Snooping
The purpose of the ND snooping module is to use the Control Packet Snooping (CPS) mechanism: the validity of access packets is checked by binding the source IPv6 address to anchor information, so that matching packets are permitted and non-matching packets are dropped, which controls the access of directly connected IPv6 nodes. The requirements of this module refer to IPv6 NDP and the "Control Packet Snooping Based Binding" draft (draft-bi-savi-cps-00). ND snooping adopts the "first-come first-serve" principle of the "First-Come First-Serve Source-Address Validation Implementation" draft (draft-ietf-savi-fcfs-01): the first node to bind an address is treated as the legitimate node, and this principle is used to check the validity of nodes.
ND snooping is mostly applied on access devices (such as a layer 2 switch or a wireless access node). The access device creates a binding table of link-local nodes (a binding consists of the IPv6 address, the port ID and the MAC address of the node) according to the NDP packets received on these ports, then creates FFP (Fast Filter Processor) hardware rules according to the binding table, and so implements access control of the link-local nodes.
27.2 ND Snooping Basic Configuration
ND Snooping Configuration Task List:
1. Enable or disable the monitor function of ND Snooping
2. Configure the lifetime of ND Snooping
   1) Set the binding lifetime of SAC_BOUND state
   2) Set the binding lifetime of SAC_START state
   3) Set the binding lifetime of SAC_QUERY state
3. The binding function of ND Snooping
   1) Configure the dynamic binding policy of ND Snooping address
   2) Add a static binding
   3) Configure the max number of IPv6 addresses that can be bound to the same MAC address
   4) Set the max binding number for the ports
   5) Clear all dynamic bindings of ND Snooping
4. Set the trust port of the switch
1. Enable or disable the monitor function of ND Snooping
Global mode
  ipv6 nd snooping enable
  no ipv6 nd snooping enable
    Enable or disable ND Snooping globally.
Port mode
  ipv6 nd snooping user-control
  no ipv6 nd snooping user-control
    Enable or disable ND Snooping on a port.
2. Configure the lifetime of ND Snooping
Global mode
  [no] ipv6 nd snooping max-sac-lifetime <max-sac-lifetime>
    Reset the binding lifetime as <max-sac-lifetime>, or 2 hours, for SAC_BOUND.
  [no] ipv6 nd snooping max-dad-delay <max-dad-delay>
    Reset the binding lifetime as <max-dad-delay>, or 1 second, for SAC_START.
  [no] ipv6 nd snooping max-dad-prepare-delay <max-dad-prepare-delay>
    Reset the binding lifetime as <max-dad-prepare-delay>, or half a second, for SAC_QUERY.
3. The binding function of ND Snooping
Global mode
  [no] ipv6 nd snooping policy {bind-eui64-address | bind-non-eui64-address}
    Configure the dynamic binding policy of ND Snooping address.
  ipv6 nd snooping static-binding <ipv6-address> hardware-address <hardware-address> interface <interface-name>
  no ipv6 nd snooping static-binding <ipv6-address>
    Add a static binding.
  ipv6 nd snooping mac-binding-limit <number>
  no ipv6 nd snooping mac-binding-limit
    Configure the max number of IPv6 addresses that can be bound to the same MAC address.
Port mode
  ipv6 nd snooping port-binding-limit <binding-number>
  no ipv6 nd snooping port-binding-limit
    Set the binding number for the ports. The binding number only limits the dynamic binding number of the ports; it does not limit the static binding number of the ports.
Admin mode
  clear ipv6 nd snooping binding [<interface-name>]
    Clear all static binding of ND Snooping.
4. Set the trust port of the switch
Global mode
  ipv6 nd snooping trust
  no ipv6 nd snooping trust
    Set the trust port of the switch.
27.3 ND Snooping Example
Typical example:
The application environment of ND Snooping is shown in the figure below:
Figure 27-3-1 ND Snooping typical configuration
The configuration explanation:
SW2 is a layer 3 switch; it connects to the layer 2 switch SW1 and has the IPv6 function and the RA function enabled.
SW1 is a layer 2 switch; it has the IPv6 function and ND Snooping enabled, and the control function of ND snooping is enabled on the ports which connect the three PC nodes.
PC1, PC2 and PC3 are three PCs with the IPv6 protocol installed, directly connected to SW1 on ports 1/1, 1/2 and 1/3. ND Snooping is enabled on the layer 2 switch SW1. PC1, PC2 and PC3 correctly receive RA (router advertisement) packets from SW2. According to the link prefix 2001::/64 in the RA packets, the three PCs create IPv6 addresses automatically:
PC1: FE80::2AA:FF:FE9A:4CA2, 2001::2AA:FF:FE9A:4CA2, 2001::23:4A:1122:C411;
PC2: FE80::2BB:FF:FE9A:4CA2, 2001::2BB:FF:FE9A:4CA2, 2001::32:4B:2211:11C4;
PC3: FE80::2CC:FF:FE9A:4CA2, 2001::2CC:FF:FE9A:4CA2, 2001::22:4A:1133:C422;
At the same time, the three PCs send DAD (duplicate address detection) NS packets on the link. The ND Snooping module receives the DAD NS packets and sets up the corresponding dynamic binding table according to these packets, as follows:
IPv6 address              MAC address          Port ID
FE80::2AA:FF:FE9A:4CA2    02-AA-00-9A-4C-A2    1/1
2001::2AA:FF:FE9A:4CA2    02-AA-00-9A-4C-A2    1/1
2001::23:4A:1122:C411     02-AA-00-9A-4C-A2    1/1
FE80::2BB:FF:FE9A:4CA2    02-BB-00-9A-4C-A2    1/2
2001::2BB:FF:FE9A:4CA2    02-BB-00-9A-4C-A2    1/2
2001::32:4B:2211:11C4     02-BB-00-9A-4C-A2    1/2
FE80::2CC:FF:FE9A:4CA2    02-CC-00-9A-4C-A2    1/3
2001::2CC:FF:FE9A:4CA2    02-CC-00-9A-4C-A2    1/3
2001::22:4A:1133:C422     02-CC-00-9A-4C-A2    1/3
If the three PCs do not receive a responding DAD NA packet within the set time, ports 1/1, 1/2 and 1/3 send binding entries to the FFP hardware according to the dynamic binding table. After that, these ports check the source address of each received data packet: if it matches a binding entry, the IPv6 packet is allowed to pass; otherwise, the IPv6 packet is denied.
Configuration steps:
SW1:
SW1(config)# ipv6 enable
SW1(config)# ipv6 nd snooping enable
SW1(config)# interface vlan 1
SW1(config-if-vlan1)# ipv6 address 2001::1/64
SW1(config-if-vlan1)# exit
SW1(config)# interface ethernet 1/1; 1/2; 1/3
SW1(config-if-port-range)# ipv6 nd snooping user-control
SW2:
SW2(config)# ipv6 enable
SW2(config)# interface vlan 1
SW2(config-if-vlan1)# ipv6 address 2001::2/64
SW2(config-if-vlan1)# no ipv6 nd suppress-ra
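As an added model (not the manual's or the switch's own code) of the binding and filtering process described in this example, the Python below keeps the binding table as a dictionary keyed by the canonical IPv6 address, learns entries from DAD NS packets on a first-come first-serve basis, promotes them from SAC_START to SAC_BOUND once max-dad-delay has elapsed without a DAD NA, applies mac-binding-limit and port-binding-limit, and answers the question the FFP rule answers for each data packet: does the (source address, MAC, port) triple match a bound entry. The addresses, MACs and ports are the ones from the table in this section; treating a DAD NA as a reason to discard the candidate binding, and letting trust ports pass unfiltered, are assumptions of the model.

```python
"""Constructed model of the ND snooping binding table: bindings are learned from
DAD NS packets first-come first-serve, move from SAC_START to SAC_BOUND when no
DAD NA arrives within max-dad-delay, and the per-port filter then permits only
packets whose source matches a bound entry. Not the switch's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAC_START, SAC_BOUND = "SAC_START", "SAC_BOUND"


def _addr(ipv6: str) -> str:
    """Canonical form, so that 2001::0001 and 2001::1 cannot become two different keys."""
    return ipaddress.IPv6Address(ipv6).compressed


def _mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


@dataclass
class Binding:
    ipv6: str
    mac: str
    port: str
    state: str
    expires: float          # when the current state times out
    static: bool = False    # static bindings never age out and do not count against port-binding-limit


class NdSnooping:
    def __init__(self, max_dad_delay: float = 1.0, max_sac_lifetime: float = 7200.0,
                 port_binding_limit: Optional[int] = None, mac_binding_limit: Optional[int] = None):
        self.max_dad_delay = max_dad_delay          # ipv6 nd snooping max-dad-delay (default 1 second)
        self.max_sac_lifetime = max_sac_lifetime    # ipv6 nd snooping max-sac-lifetime (default 2 hours)
        self.port_binding_limit = port_binding_limit
        self.mac_binding_limit = mac_binding_limit
        self.bindings: dict = {}        # canonical IPv6 address -> Binding
        self.user_control: set = set()  # ports with 'ipv6 nd snooping user-control'
        self.trust: set = set()         # trust ports are not filtered (assumed semantics)

    def on_dad_ns(self, target: str, mac: str, port: str, now: float) -> str:
        """DAD NS seen on `port` for `target`: create a SAC_START binding, first come first served."""
        if port not in self.user_control:
            return "not-snooped"
        key, mac = _addr(target), _mac(mac)
        if key in self.bindings:
            return "duplicate"   # the first binder stays the legitimate node; later claimants are ignored
        if self.port_binding_limit is not None and \
                sum(1 for b in self.bindings.values() if b.port == port and not b.static) >= self.port_binding_limit:
            return "port-limit"
        if self.mac_binding_limit is not None and \
                sum(1 for b in self.bindings.values() if b.mac == mac) >= self.mac_binding_limit:
            return "mac-limit"
        self.bindings[key] = Binding(key, mac, port, SAC_START, now + self.max_dad_delay)
        return "started"

    def on_dad_na(self, target: str) -> str:
        """A NA answering the DAD means another node already owns the address (assumed): drop the candidate."""
        b = self.bindings.get(_addr(target))
        if b is not None and b.state == SAC_START:
            del self.bindings[b.ipv6]
            return "removed"
        return "ignored"

    def add_static(self, ipv6: str, mac: str, port: str) -> None:
        """'ipv6 nd snooping static-binding <ipv6> hardware-address <mac> interface <port>'."""
        key = _addr(ipv6)
        self.bindings[key] = Binding(key, _mac(mac), port, SAC_BOUND, float("inf"), static=True)

    def tick(self, now: float) -> None:
        """Timer pass: SAC_START entries whose DAD delay elapsed become SAC_BOUND (the point at
        which the FFP rule is installed); SAC_BOUND entries age out after max-sac-lifetime."""
        for key, b in list(self.bindings.items()):
            if b.static:
                continue
            if b.state == SAC_START and now >= b.expires:
                b.state, b.expires = SAC_BOUND, now + self.max_sac_lifetime
            elif b.state == SAC_BOUND and now >= b.expires:
                del self.bindings[key]

    def permit(self, src: str, mac: str, port: str) -> bool:
        """The hardware filter on a user-control port: only bound (IPv6, MAC, port) triples pass."""
        if port in self.trust or port not in self.user_control:
            return True
        b = self.bindings.get(_addr(src))
        return b is not None and b.state == SAC_BOUND and b.port == port and b.mac == _mac(mac)
```

Packets from a port without ipv6 nd snooping user-control pass unfiltered, which is why the troubleshooting item about user-control matters: a binding table that is populated but not enforced on the port protects nothing.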
27.4 ND Snooping Troubleshooting
If any problem happens when using ND Snooping, please check whether the problem is caused by the following reasons:
- Whether ipv6 nd snooping enable is enabled globally and ipv6 nd snooping user-control is configured on the port.
- Use debug ipv6 nd snooping to check whether the switch can correctly receive and process the relevant packets.
Chapter 28 DHCP Configuration
28.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and the position of the host image file within the network. DHCP is the enhanced version of BOOTP. It is a mainstream technology that not only provides boot information for diskless workstations, but also releases administrators from manual recording of IP allocation and reduces user effort and cost on configuration. Another benefit of DHCP is that it can partially ease the pressure on IP demand: when the user of an IP address leaves the network, that address can be assigned to another user.
DHCP is a client-server protocol. The DHCP client requests the network address and configuration parameters from the DHCP server, and the server provides the network address and configuration parameters to the clients. If the DHCP server and clients are located in different subnets, a DHCP relay is required for DHCP packets to be transferred between the DHCP client and DHCP server. The implementation of DHCP is shown below:
Figure 28-1-1 DHCP protocol interaction (DHCP client and DHCP server exchanging Discover, Offer, Request and Ack)
Explanation:
1. The DHCP client broadcasts DHCPDISCOVER packets in the local subnet.
2. On receiving the DHCPDISCOVER packet, the DHCP server sends a DHCPOFFER packet along with an IP address and other network parameters to the DHCP client.
3. The DHCP client broadcasts a DHCPREQUEST packet with the information for the DHCP server it selected after choosing among the DHCPOFFER packets.
4. The DHCP server selected by the client sends a DHCPACK packet, and the client gets an IP address and other network configuration parameters.
The above four steps finish a Dynamic host configuration assignment process. However, if the DHCP server
and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets
sent by the client, therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP
relay is required to forward such DHCP packets so that the DHCP packets exchange can be completed
between the DHCP client and server.
The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e. assigning a specific IP address to a specified MAC address or specified device ID over a long period). The differences and relations between dynamic IP address allocation and manual IP address binding are: 1) an IP address obtained dynamically can be different every time, while a manually bound IP address will be the same all the time; 2) the lease period of an IP address obtained dynamically is the same as the lease period of the address pool, and is limited, while the lease of a manually bound IP address is theoretically endless; 3) a dynamically allocated address cannot be bound manually; 4) a dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment.
28.2 DHCP Server Configuration
DHCP Server Configuration Task List:
1. Enable/Disable DHCP server
2. Configure DHCP Address pool
   (1) Create/Delete DHCP Address pool
   (2) Configure DHCP address pool parameters
   (3) Configure manual DHCP address pool parameters
3. Enable logging for address conflicts
1. Enable/Disable DHCP server
Global Mode
  service dhcp
  no service dhcp
    Enable DHCP server. The no command disables DHCP server.
2. Configure DHCP Address pool
(1) Create/Delete DHCP Address pool
Global Mode
  ip dhcp pool <name>
  no ip dhcp pool <name>
    Configure DHCP Address pool. The no operation cancels the DHCP Address pool.
(2) Configure DHCP address pool parameters
DHCP Address Pool Mode
  network-address <network-number> [mask | prefix-length]
  no network-address
    Configure the address scope that can be allocated to the address pool. The no operation of this command cancels the allocation address pool.
  default-router [<address1>[<address2> […<address8>]]]
  no default-router
    Configure default gateway for DHCP clients. The no operation cancels the default gateway.
  dns-server [<address1>[<address2> […<address8>]]]
  no dns-server
    Configure DNS server for DHCP clients. The no command deletes the DNS server configuration.
  domain-name <domain>
  no domain-name
    Configure Domain name for DHCP clients; the "no domain-name" command deletes the domain name.
  netbios-name-server [<address1>[<address2> […<address8>]]]
  no netbios-name-server
    Configure the address for WINS server. The no operation cancels the address for the server.
  netbios-node-type {b-node|h-node|m-node|p-node|<type-number>}
  no netbios-node-type
    Configure node type for DHCP clients. The no operation cancels the node type for DHCP clients.
  bootfile <filename>
  no bootfile
    Configure the file to be imported for DHCP clients on boot up. The no command cancels this operation.
  next-server [<address1>[<address2> […<address8>]]]
  no next-server [<address1>[<address2> […<address8>]]]
    Configure the address of the server hosting the file for importing. The no command deletes the address of the server hosting the file for importing.
  option <code> {ascii <string> | hex <hex> | ipaddress <ipaddress>}
  no option <code>
    Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
  lease { days [hours][minutes] | infinite }
  no lease
    Configure the lease period allocated to addresses in the address pool. The no command deletes the lease period allocated to addresses in the address pool.
Global Mode
  ip dhcp excluded-address <low-address> [<high-address>]
  no ip dhcp excluded-address <low-address> [<high-address>]
    Exclude the addresses in the address pool that are not for dynamic allocation.
(3) Configure manual DHCP address pool parameters
DHCP Address Pool Mode
  hardware-address <hardware-address> [{Ethernet | IEEE802|<type-number>}]
  no hardware-address
    Specify/delete the hardware address when assigning address manually.
  host <address> [<mask> | <prefix-length>]
  no host
    Specify/delete the IP address to be assigned to the specified client when binding address manually.
  client-identifier <unique-identifier>
  no client-identifier
    Specify/delete the unique ID of the user when binding address manually.
  client-name <name>
  no client-name
    Configure/delete a client name when binding address manually.
3. Enable logging for address conflicts
Global Mode
  ip dhcp conflict logging
  no ip dhcp conflict logging
    Enable/disable logging for DHCP address to detect address conflicts.
Admin Mode
  clear ip dhcp conflict <address | all>
    Delete a single address conflict record or all conflict records.
28.3 DHCP Relay Configuration
When the DHCP client and server are in different segments, DHCP relay is required to transfer DHCP packets.
Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment, one DHCP server
can provide the network configuration parameter for clients from multiple segments, which is not only
cost-effective but also management-effective.
Figure 28-3-1 DHCP relay (DHCP client, DHCP relay and DHCP server: the client's DHCPDISCOVER broadcast is forwarded by the relay to the server; the server's DHCPOFFER unicast is forwarded by the relay to the client; the client's DHCPREQUEST broadcast is forwarded by the relay to the server; the server's DHCPACK unicast is forwarded by the relay to the client)
As shown in the above figure, the DHCP client and the DHCP server are in different networks; the DHCP client performs the four DHCP steps as usual, yet a DHCP relay is added to the process.
1. The client broadcasts a DHCPDISCOVER packet; on receiving the packet, the DHCP relay inserts its own IP address into the relay agent field of the DHCPDISCOVER packet and forwards the packet to the specified DHCP server (for the DHCP frame format, please refer to RFC2131).
2. On receiving the DHCPDISCOVER packets forwarded by the DHCP relay, the DHCP server sends the DHCPOFFER packet via the DHCP relay to the DHCP client.
3. The DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet; the DHCP relay forwards the packet to the DHCP server after processing.
4. On receiving the DHCPREQUEST, the DHCP server responds with a DHCPACK packet via the DHCP relay to the DHCP client.
DHCP Relay Configuration Task List:
1. Enable DHCP relay.
2. Configure DHCP relay to forward DHCP broadcast packet.
1. Enable DHCP relay.
Global Mode
  service dhcp
  no service dhcp
    DHCP server and DHCP relay are enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packet.
Global Mode
  ip forward-protocol udp bootps
  no ip forward-protocol udp bootps
    The UDP port 67 is used for DHCP broadcast packet forwarding.
Interface Configuration Mode
  ip helper-address <ipaddress>
  no ip helper-address <ipaddress>
    Set the destination IP address for DHCP relay forwarding; the "no ip helper-address <ipaddress>" command cancels the setting.
28.4 DHCP Configuration Examples
Scenario 1:
To save configuration efforts of network administrators and users, a company is using the switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/16. The local area network of the company is divided into network A and network B according to the office locations. The network configurations for locations A and B are shown below.
PoolA (network 10.16.1.0)
  Default gateway: 10.16.1.200, 10.16.1.201
  DNS server: 10.16.1.202
  WINS server: 10.16.1.209
  WINS node type: H-node
  Lease: 3 days
PoolB (network 10.16.2.0)
  Default gateway: 10.16.1.200, 10.16.1.201
  DNS server: 10.16.1.202
  WWW server: 10.16.1.209
  Lease: 1 day
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.210 and named "management".
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-Vlan-1)#ip address 10.16.1.2 255.255.0.0
XGS3-42000R(config-Vlan-1)#exit
XGS3-42000R(config)#ip dhcp pool A
XGS3-42000R(dhcp-A-config)#network 10.16.1.0 24
XGS3-42000R(dhcp-A-config)#lease 3
XGS3-42000R(dhcp-A-config)#default-router 10.16.1.200 10.16.1.201
XGS3-42000R(dhcp-A-config)#dns-server 10.16.1.202
XGS3-42000R(dhcp-A-config)#netbios-name-server 10.16.1.209
XGS3-42000R(dhcp-A-config)#netbios-node-type H-node
XGS3-42000R(dhcp-A-config)#exit
XGS3-42000R(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
XGS3-42000R(config)#ip dhcp pool B
XGS3-42000R(dhcp-B-config)#network 10.16.2.0 24
XGS3-42000R(dhcp-B-config)#lease 1
XGS3-42000R(dhcp-B-config)#default-router 10.16.2.200 10.16.2.201
XGS3-42000R(dhcp-B-config)#dns-server 10.16.2.202
XGS3-42000R(dhcp-B-config)#option 72 ip 10.16.2.209
XGS3-42000R(dhcp-B-config)#exit
XGS3-42000R(config)#ip dhcp excluded-address 10.16.2.200 10.16.2.201
XGS3-42000R(config)#ip dhcp pool A1
XGS3-42000R(dhcp-A1-config)#host 10.16.1.210
XGS3-42000R(dhcp-A1-config)#hardware-address 00-03-22-23-dc-ab
XGS3-42000R(dhcp-A1-config)#client-name management
XGS3-42000R(dhcp-A1-config)#exit
Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24, not from 10.16.2.0/24. This is because the broadcast packet from the client, after VLAN interface forwarding, requests an IP address in the same segment as the VLAN interface, and the VLAN interface IP address is 10.16.1.2/24; therefore the IP address assigned to the client will belong to 10.16.1.0/24.
If the DHCP/BOOTP client wants to have an address in 10.16.2.0/24, the gateway forwarding the broadcast packets of the client must belong to 10.16.2.0/24. Connectivity between the client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool.
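The following Python model (added here; not the manual's or the switch's code) reproduces the server behaviour that the Usage Guide above relies on and that the relay steps in 28.3 describe: the pool is chosen by the segment of the interface that received the request, or by the relay agent address (giaddr) that a DHCP relay inserts; excluded addresses and the switch's own interface address are never offered; and a manual pool binds one hardware address to one host address. scenario_one() builds the Scenario 1 pools A, B and A1 as data. The client MACs, the relay address 10.16.2.254 and the message dictionaries are constructed stand-ins for real DHCP packets, and skipping the server's own interface address is an assumption of the model.

```python
"""Constructed model of the DHCP server behaviour described in this chapter:
pool selection by segment, excluded addresses, manual IP-MAC binding and the
relay agent address (giaddr) inserted by a DHCP relay. Not the switch's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pool:
    """'ip dhcp pool <name>' with network-address, lease and options."""
    name: str
    network: ipaddress.IPv4Network
    lease_days: int
    default_router: list = field(default_factory=list)
    dns_server: list = field(default_factory=list)


@dataclass
class ManualPool:
    """'ip dhcp pool <name>' that carries host + hardware-address (manual binding)."""
    name: str
    host: ipaddress.IPv4Address
    hardware_address: str
    client_name: str = ""


class DhcpServer:
    def __init__(self):
        self.pools: list = []
        self.manual: list = []
        self.excluded: set = set()       # ip dhcp excluded-address
        self.own_addresses: set = set()  # the switch's own VLAN addresses (assumed never offered)
        self.leases: dict = {}           # chaddr -> (address, pool name, lease days)

    def exclude(self, low: str, high: Optional[str] = None) -> None:
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high or low)
        self.excluded.update(ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1))

    def select_pool(self, selector: str) -> Optional[Pool]:
        """The pool whose segment contains the selector address (giaddr or receiving interface)."""
        addr = ipaddress.IPv4Address(selector)
        return next((p for p in self.pools if addr in p.network), None)

    def _free_address(self, pool: Pool) -> Optional[ipaddress.IPv4Address]:
        taken = {lease[0] for lease in self.leases.values()} | {m.host for m in self.manual}
        for ip in pool.network.hosts():
            if ip not in self.excluded and ip not in self.own_addresses and ip not in taken:
                return ip
        return None

    def handle(self, msg: dict) -> dict:
        """Answer a DISCOVER/REQUEST dict with an OFFER/ACK-style dict (or a NAK)."""
        chaddr = msg["chaddr"].lower()
        giaddr = msg.get("giaddr", "0.0.0.0")
        selector = giaddr if giaddr != "0.0.0.0" else msg["rx_interface_ip"]
        reply_op = "ACK" if msg["op"] == "REQUEST" else "OFFER"
        for m in self.manual:               # manual binding: the same MAC always gets the same host
            if m.hardware_address.lower() == chaddr:
                return {"op": reply_op, "yiaddr": str(m.host), "pool": m.name, "lease_days": None}
        if chaddr in self.leases:           # renewal keeps the current address
            ip, name, days = self.leases[chaddr]
            return {"op": reply_op, "yiaddr": str(ip), "pool": name, "lease_days": days}
        pool = self.select_pool(selector)
        if pool is None:
            return {"op": "NAK", "reason": f"no pool covers the segment of {selector}"}
        ip = self._free_address(pool)
        if ip is None:
            return {"op": "NAK", "reason": f"pool {pool.name} exhausted"}
        self.leases[chaddr] = (ip, pool.name, pool.lease_days)
        return {"op": reply_op, "yiaddr": str(ip), "pool": pool.name, "lease_days": pool.lease_days,
                "router": pool.default_router, "dns": pool.dns_server}


class DhcpRelay:
    """Relay on a segment without a server: fills giaddr with its own interface address
    and unicasts the client's broadcast to the configured helper address."""

    def __init__(self, interface_ip: str, helper_address: str):
        self.interface_ip, self.helper_address = interface_ip, helper_address

    def forward(self, msg: dict) -> dict:
        out = dict(msg)
        if out.get("giaddr", "0.0.0.0") == "0.0.0.0":   # only the first relay hop sets giaddr
            out["giaddr"] = self.interface_ip
        out["dst"] = self.helper_address
        return out


def scenario_one() -> DhcpServer:
    """The chapter's Scenario 1 pools (A, B and the manual pool A1), built as data."""
    s = DhcpServer()
    s.own_addresses.add(ipaddress.IPv4Address("10.16.1.2"))
    s.pools.append(Pool("A", ipaddress.IPv4Network("10.16.1.0/24"), 3,
                        ["10.16.1.200", "10.16.1.201"], ["10.16.1.202"]))
    s.pools.append(Pool("B", ipaddress.IPv4Network("10.16.2.0/24"), 1,
                        ["10.16.2.200", "10.16.2.201"], ["10.16.2.202"]))
    s.exclude("10.16.1.200", "10.16.1.201")
    s.exclude("10.16.2.200", "10.16.2.201")
    s.manual.append(ManualPool("A1", ipaddress.IPv4Address("10.16.1.210"),
                               "00-03-22-23-dc-ab", "management"))
    return s
```

A client on VLAN1 receives an address from pool A because the receiving interface 10.16.1.2 lies in 10.16.1.0/24; the same request forwarded by a relay on 10.16.2.0/24 carries giaddr 10.16.2.254 and lands in pool B, which is the gateway condition the Usage Guide states for reaching 10.16.2.0/24. In a real deployment the relay's own interface address would also be excluded from pool B.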
Scenario 2:
Figure 28-4-1 DHCP Relay Configuration (DHCP clients on E1/1 behind the relay interface 192.168.1.1; the relay's interface 10.1.1.1 on E1/2 faces the DHCP server 10.1.1.10)
As shown in the above figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10 and the TFTP server address is 10.1.1.20. The configuration steps are as follows:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#vlan 2
XGS3-42000R(config-Vlan-2)#exit
XGS3-42000R(config)#interface Ethernet 1/2
XGS3-42000R(config-Ethernet1/2)#switchport access vlan 2
XGS3-42000R(config-Ethernet1/2)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#ip forward-protocol udp bootps
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip helper-address 10.1.1.10
XGS3-42000R(config-if-Vlan1)#exit
It is recommended to use the combination of the commands ip forward-protocol udp <port> and ip helper-address <ipaddress>. ip helper-address can only be configured on layer 3 interfaces and cannot be configured on layer 2 ports directly.
28.5 DHCP Troubleshooting
If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed once the DHCP client hardware and cables have been verified OK.
- Verify the DHCP server is running; start the related DHCP server if it is not running. If the DHCP clients and servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function. If DHCP relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to one that has a DHCP relay function.
- In such a case, the DHCP server should be examined for an address pool that is in the same segment as the switch VLAN; such a pool should be added if not present. (This does not indicate that the switch cannot assign IP addresses for different segments; see solution 2 for details.)
- In the DHCP service, pools for dynamic IP allocation and manual binding conflict, i.e., if the commands "network-address" and "host" are both run for a pool, only one of them will take effect; furthermore, in manual binding, only one IP-MAC binding can be configured in one pool. If multiple bindings are required, multiple manual pools can be created and IP-MAC bindings set for each pool. New configuration in the same pool overwrites the previous configuration.
Chapter 29 DHCPv6 Configuration
29.1 Introduction to DHCPv6
DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses, as well as other network configuration parameters such as the DNS address and domain name, to DHCPv6 clients. DHCPv6 is the stateful auto address configuration protocol of IPv6. In the stateful address configuration process, the DHCPv6 server assigns a complete IPv6 address to the client and provides the DNS address, domain name and other configuration information; the DHCPv6 packets may be transmitted through relay delegation, and finally the binding between the IPv6 address and the client can be recorded by the DHCPv6 server, all of which enhances network management. The DHCPv6 server can also provide stateless DHCPv6 service, which only assigns the DNS address, domain name and other configuration information without assigning an IPv6 address; this fills the gap left by stateless IPv6 auto address configuration. DHCPv6 can provide the extended function of DHCPv6 prefix delegation: the upstream router can assign an address prefix to the downstream router automatically, which achieves automatic IPv6 address assignment in a hierarchical network environment and resolves the problem of ISP and IPv6 network deployment.
There are three entities in the DHCPv6 protocol: the client, the relay and the server. The DHCPv6 protocol is based on UDP. The DHCPv6 client sends request messages to the DHCPv6 server or relay with destination port 547, and the DHCPv6 server and relay send reply messages with destination port 546. The DHCPv6 client sends solicit or request messages to the multicast address ff02::1:2 for DHCPv6 relays and servers.
Figure 29-1-1 DHCPv6 negotiation (DHCPv6 client and DHCPv6 server: Solicit (multicast), Advertise (unicast), Request (multicast), Reply (unicast))
When a DHCPv6 client tries to request an IPv6 address and other configuration from the DHCPv6 server, the client first has to locate the DHCPv6 server, and then request the configuration from it.
1. To locate a server, the DHCPv6 client sends a SOLICIT packet to all DHCPv6 relay delegations and servers at the multicast address FF02::1:2.
2. Any DHCPv6 server which receives the request replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its preference.
3. It is possible that the client receives multiple ADVERTISE messages. The client should select one and reply to it with a REQUEST message to request the address advertised in that ADVERTISE message.
4. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with the REPLY message.
The above four steps finish a dynamic host configuration assignment process. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 multicast packets sent by the client, and therefore no DHCPv6 packets will be sent to the client by the server. In this case, a DHCPv6 relay is required to forward such DHCPv6 packets so that the DHCPv6 packet exchange can be completed between the DHCPv6 client and server.
At the time this manual is written, the DHCPv6 server, relay and prefix delegation client have been implemented on the switch. When the DHCPv6 relay receives any message from the DHCPv6 client, it encapsulates the request in a Relay-forward packet and delivers it to the next DHCPv6 relay or to the DHCPv6 server. The DHCPv6 messages coming from the server are encapsulated as Relay-reply packets to the DHCPv6 relay. The relay then removes the encapsulation and delivers the message to the DHCPv6 client or to the next DHCPv6 relay in the network.
For DHCPv6 prefix delegation, where the DHCPv6 server is configured on the PE router and the DHCPv6 client is configured on the CPE router, the CPE router is able to send an address prefix allocation request to the PE router and get a pre-configured address prefix instead of having the address prefix set manually. The protocol negotiation between the prefix delegation client and the server is quite similar to that for getting a DHCPv6 address. The CPE router then divides the allocated prefix, whose prefix length should be less than 64, into /64 subnets. The divided address prefixes are advertised through router advertisement (RA) messages to the hosts directly connected to the client.
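As an added example (not from the manual or the switch), the Python below models the four-step exchange described in this section with several servers on one link: the client multicasts SOLICIT to ff02::1:2, collects ADVERTISE messages carrying each server's DUID and preference, sends REQUEST to the server with the highest preference (only that server answers with REPLY), and, when it asks for a prefix, receives a delegated prefix that the CPE side then splits into /64 subnets for its RA messages. The address range and excluded address of the first server in the test are the EastDormPool values from 29.6; the DUIDs, the second server's range and the prefix pool 2001:db8:1::/48 with assigned length 56 are constructed values.

```python
"""Constructed model of the DHCPv6 four-step negotiation (Solicit, Advertise,
Request, Reply), server selection by preference, and prefix delegation with the
CPE splitting its delegated prefix into /64 subnets. Not the switch's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"   # client -> server/relay multicast group
SERVER_PORT, CLIENT_PORT = 547, 546


@dataclass
class Dhcpv6Server:
    duid: str                    # server identity carried in ADVERTISE/REPLY (constructed values in tests)
    preference: int              # 'ipv6 dhcp server <pool> preference <value>'
    pool_start: str              # 'network-address <start> <end>'
    pool_end: str
    dns_server: str = ""
    excluded: set = field(default_factory=set)              # 'excluded-address'
    pd_pool: Optional[ipaddress.IPv6Network] = None         # 'ipv6 local pool <name> <prefix/len> <assigned-length>'
    pd_assigned_length: int = 0
    leases: dict = field(default_factory=dict)              # client DUID -> address
    delegations: dict = field(default_factory=dict)         # client DUID -> prefix

    def exclude(self, address: str) -> None:
        self.excluded.add(ipaddress.IPv6Address(address))

    def _next_address(self) -> Optional[ipaddress.IPv6Address]:
        lo, hi = ipaddress.IPv6Address(self.pool_start), ipaddress.IPv6Address(self.pool_end)
        taken = set(self.leases.values()) | self.excluded
        for i in range(int(lo), int(hi) + 1):
            candidate = ipaddress.IPv6Address(i)
            if candidate not in taken:
                return candidate
        return None

    def _next_prefix(self) -> Optional[ipaddress.IPv6Network]:
        taken = set(self.delegations.values())
        for sub in self.pd_pool.subnets(new_prefix=self.pd_assigned_length):
            if sub not in taken:
                return sub
        return None

    def handle(self, msg: dict) -> Optional[dict]:
        """Process one client message; None means this server stays silent."""
        if msg["type"] == "SOLICIT":
            return {"type": "ADVERTISE", "server_duid": self.duid,
                    "preference": self.preference, "dst_port": CLIENT_PORT}
        if msg["type"] == "REQUEST" and msg["server_duid"] == self.duid:
            client = msg["client_duid"]
            addr = self.leases.get(client)
            if addr is None:
                addr = self._next_address()
            if addr is None:
                return {"type": "REPLY", "server_duid": self.duid, "status": "NoAddrsAvail"}
            self.leases[client] = addr
            reply = {"type": "REPLY", "server_duid": self.duid, "address": str(addr),
                     "dns_server": self.dns_server, "dst_port": CLIENT_PORT}
            if msg.get("want_prefix") and self.pd_pool is not None:
                prefix = self.delegations.get(client)
                if prefix is None:
                    prefix = self._next_prefix()
                if prefix is not None:
                    self.delegations[client] = prefix
                    reply["prefix"] = str(prefix)
            return reply
        return None   # a REQUEST addressed to another server's DUID is not answered


def negotiate(client_duid: str, link: list, want_prefix: bool = False) -> Optional[dict]:
    """Client side: multicast SOLICIT, pick the ADVERTISE with the highest preference,
    REQUEST from that server only, and return its REPLY."""
    solicit = {"type": "SOLICIT", "client_duid": client_duid,
               "dst": ALL_DHCP_RELAY_AGENTS_AND_SERVERS, "dst_port": SERVER_PORT}
    adverts = [a for a in (s.handle(solicit) for s in link) if a is not None]
    if not adverts:
        return None
    best = max(adverts, key=lambda a: a["preference"])
    request = {"type": "REQUEST", "client_duid": client_duid, "server_duid": best["server_duid"],
               "want_prefix": want_prefix, "dst": ALL_DHCP_RELAY_AGENTS_AND_SERVERS, "dst_port": SERVER_PORT}
    replies = [r for r in (s.handle(request) for s in link) if r is not None]
    return replies[0] if replies else None


def split_into_64s(prefix: str) -> list:
    """CPE side of prefix delegation: a delegated prefix shorter than /64 is divided into /64 subnets."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen >= 64:
        raise ValueError("delegated prefix must be shorter than /64 to be split into /64 subnets")
    return [str(sub) for sub in net.subnets(new_prefix=64)]
```

The REQUEST still goes to the multicast group, so every server sees it; handle() returns None for a REQUEST that names another server's DUID, which is what keeps a lower-preference server from answering.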
29.2 DHCPv6 Server Configuration
DHCPv6 server configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 address pool
   (1) To create/delete DHCPv6 address pool
   (2) To configure parameters of DHCPv6 address pool
3. To enable DHCPv6 server function on port
1. To enable/disable DHCPv6 service
Global Mode
  service dhcpv6
  no service dhcpv6
    To enable DHCPv6 service.
2. To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
Global Mode
  ipv6 dhcp pool <poolname>
  no ipv6 dhcp pool <poolname>
    To configure DHCPv6 address pool.
(2) To configure parameters of DHCPv6 address pool
DHCPv6 address pool Configuration Mode
  network-address <ipv6-pool-start-address> {<ipv6-pool-end-address> | <prefix-length>} [eui-64]
  no network-address
    To configure the range of IPv6 addresses assignable from the address pool.
  dns-server <ipv6-address>
  no dns-server <ipv6-address>
    To configure the DNS server address for DHCPv6 clients.
  domain-name <domain-name>
  no domain-name <domain-name>
    To configure the DHCPv6 client domain name.
  excluded-address <ipv6-address>
  no excluded-address <ipv6-address>
    To exclude an IPv6 address which is not used for dynamic assignment in the address pool.
  lifetime {<valid-time> | infinity} {<preferred-time> | infinity}
  no lifetime
    To configure the valid time and preferred time of the DHCPv6 address pool.
3. To enable DHCPv6 server function on port.
Interface Configuration Mode
  ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint]
  no ipv6 dhcp server
    To enable the DHCPv6 server function on the specified port, and bind the DHCPv6 address pool used.
29.3 DHCPv6 Relay Delegation Configuration
DHCPv6 relay delegation configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 relay delegation on port
1. To enable DHCPv6 service
Global Mode
  service dhcpv6
  no service dhcpv6
    To enable DHCPv6 service.
2. To configure DHCPv6 relay delegation on port
Interface Configuration Mode
  ipv6 dhcp relay destination { [<ipv6-address>] [interface { <interface-name> | vlan <1-4096> }] }
  no ipv6 dhcp relay destination { [<ipv6-address>] [interface { <interface-name> | vlan <1-4096> }] }
    To specify the destination address for DHCPv6 relay transmission; the no form of this command deletes the configuration.
29.4 DHCPv6 Prefix Delegation Server Configuration
DHCPv6 prefix delegation server configuration task list as below:
1. To enable/delete DHCPv6 service
2. To configure prefix delegation pool
3. To configure DHCPv6 address pool
   (1) To create/delete DHCPv6 address pool
   (2) To configure prefix delegation pool used by DHCPv6 address pool
   (3) To configure static prefix delegation binding
   (4) To configure other parameters of DHCPv6 address pool
4. To enable DHCPv6 prefix delegation server function on port
1. To enable/delete DHCPv6 service
Global Mode
  service dhcpv6
  no service dhcpv6
    To enable DHCPv6 service.
2. To configure prefix delegation pool
Global Mode
  ipv6 local pool <poolname> <prefix|prefix-length> <assigned-length>
  no ipv6 local pool <poolname>
    To configure prefix delegation pool.
3. To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
Global Mode
  ipv6 dhcp pool <poolname>
  no ipv6 dhcp pool <poolname>
    To configure DHCPv6 address pool.
(2) To configure prefix delegation pool used by DHCPv6 address pool
DHCPv6 address pool Configuration Mode
  prefix-delegation pool <poolname> [lifetime { <valid-time> | infinity} { <preferred-time> | infinity}]
  no prefix-delegation pool <poolname>
    To specify the prefix delegation pool used by the DHCPv6 address pool, and assign usable prefixes to clients.
(3) To configure static prefix delegation binding
DHCPv6 address pool Configuration Mode
  prefix-delegation <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>] [lifetime { <valid-time> | infinity} { <preferred-time> | infinity}]
  no prefix-delegation <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>]
    To specify the IPv6 prefix, and any prefix that a client requires as a static binding.
(4) To configure other parameters of DHCPv6 address pool
DHCPv6 address pool Configuration Mode
  dns-server <ipv6-address>
  no dns-server <ipv6-address>
    To configure the DNS server address for DHCPv6 clients.
  domain-name <domain-name>
  no domain-name <domain-name>
    To configure the domain name for DHCPv6 clients.
4. To enable DHCPv6 prefix delegation server function on port
Interface Configuration Mode
  ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint]
  no ipv6 dhcp server
    To enable the DHCPv6 server function on the specified port, and bind the DHCPv6 address pool used.
29.5 DHCPv6 Prefix Delegation Client Configuration
The DHCPv6 prefix delegation client configuration task list is as follows:
1. To enable/disable DHCPv6 service
2. To enable DHCPv6 prefix delegation client function on port

1. To enable/disable DHCPv6 service
Global Mode
  Command: service dhcpv6
           no service dhcpv6
  Explanation: Enable or disable the DHCPv6 service.

2. To enable DHCPv6 prefix delegation client function on port
Interface Configuration Mode
  Command: ipv6 dhcp client pd <prefix-name> [rapid-commit]
           no ipv6 dhcp client pd
  Explanation: Enable the prefix delegation request function of the client on the specified port; the prefix obtained is stored under the general prefix name <prefix-name> configured here.
29.6 DHCPv6 Configuration Examples
Example 1:
When deploying IPv6 networking, XGS3 series switches can be configured as DHCPv6 servers to manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Topology:
The access layer uses the Switch1 switch to connect the users of the dormitory buildings; Switch2 is configured as a DHCPv6 relay agent in the primary aggregation layer; Switch3 is configured as the DHCPv6 server in the secondary aggregation layer and is connected to the backbone network or higher aggregation layers. The PCs must run an operating system that provides a DHCPv6 client, such as Windows Vista.
Usage guide:
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#ipv6 enable
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.com
Switch3(dhcpv6-EastDormPool-config)#lifetime 1000 600
Switch3(dhcpv6-EastDormPool-config)#exit
Switch3(config)#interface vlan 1
Switch3(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::1/64
Switch3(Config-if-Vlan1)#exit
Switch3(config)#interface vlan 10
Switch3(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::1/64
Switch3(Config-if-Vlan10)#ipv6 dhcp server EastDormPool preference 80
Switch3(Config-if-Vlan10)#exit
Switch3(config)#
Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)#ipv6 enable
Switch2(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
Switch2(Config-if-Vlan100)#ipv6 dhcp relay destination 2001:da8:10:1::1
Switch2(Config-if-Vlan100)#exit
Switch2(config)#
Example 2:
When a network operator deploys IPv6 networks, automatic network configuration can be achieved through prefix delegation of IPv6 address prefixes, instead of configuring each switch manually:
1. Configure the switching or routing device that is connected to the client switch as the DHCPv6 prefix delegation server, that is, set up a local database of the relationship between the allocated prefix and the DUID of the client switch.
2. Configure the switch as the prefix delegation client, so that the client switch obtains an IPv6 address prefix from the prefix delegation server through a process much like DHCPv6 address allocation.
3. The edge devices that receive the address prefix send router advertisement (RA) messages carrying the prefix to the client hosts through the interface connected to the hosts; the hosts then obtain a valid IPv6 address through stateless autoconfiguration. At the same time, a stateless DHCPv6 server is configured on that interface to provide the DHCPv6 clients with information such as DNS servers and the domain name.
Network Topology:
The edge switch is a Switch1 switch. Its interface connected to the trunk switch, Switch2, is configured as the prefix delegation client. The interfaces connected to hosts are configured as stateless DHCPv6 servers to provide the hosts with stateless information such as DNS servers and domain names, and router advertisement for stateless address allocation is enabled on the host interfaces. On Switch2, the prefix delegation server is configured and router advertisement for stateful address allocation is enabled. On the host side, an operating system with a DHCPv6 client, such as Windows Vista, should be installed.
Usage guide:
Switch2 configuration
Switch2>enable
Switch2#config
Switch2(config)#ipv6 enable
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
Switch2(Config-if-Vlan2)#exit
Switch2(config)#service dhcpv6
Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
Switch2(config)#ipv6 dhcp pool dhcp-pool
Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool lifetime 1800 600
Switch2(dhcpv6-dhcp-pool-config)#exit
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 dhcp server dhcp-pool
Switch2(Config-if-Vlan2)#exit
Switch1 configuration
Switch1>enable
Switch1#config
Switch1(config)#ipv6 enable
Switch1(config)#service dhcpv6
Switch1(config)#interface vlan 2
Switch1(Config-if-Vlan2)#ipv6 dhcp client pd prefix-from-provider
Switch1(Config-if-Vlan2)#exit
Switch1(config)#interface vlan 3
Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64
Switch1(Config-if-Vlan3)#exit
Switch1(config)#ipv6 dhcp pool foo
Switch1(dhcpv6-foo-config)#dns-server 2001:4::1
Switch1(dhcpv6-foo-config)#domain-name www.ipv6.org
Switch1(dhcpv6-foo-config)#exit
Switch1(config)#interface vlan 3
Switch1(Config-if-Vlan3)#ipv6 dhcp server foo
Switch1(Config-if-Vlan3)#ipv6 nd other-config-flag
Switch1(Config-if-Vlan3)#no ipv6 nd suppress-ra
Switch1(Config-if-Vlan3)#exit
29.7 DHCPv6 Troubleshooting
If DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, and the DHCPv6 client hardware and cables have been verified to be OK, the following procedures can be followed:
- Verify that the DHCPv6 server is running; start the related DHCPv6 server function if it is not running.
- If the DHCPv6 clients and servers are not on the same physical network, verify that the router responsible for forwarding DHCPv6 packets has the DHCPv6 relay function. If DHCPv6 relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to one that has a DHCPv6 relay function.
- Sometimes hosts are connected to DHCPv6-enabled switches but cannot get IPv6 addresses. In this situation, first check whether the ports the hosts are connected to are connected directly to the port the DHCPv6 server is connected to. If connected directly, check whether the IPv6 address of the VLAN the port belongs to is in the same subnet as the address pool configured on the DHCPv6 server. If not connected directly, and a layer 3 DHCPv6 relay is configured between the hosts and the DHCPv6 server, first check whether a valid IPv6 address has been configured on the switch interface the hosts are connected to. If not, configure a valid IPv6 address. If it is configured, check whether that IPv6 address is in the same subnet as the DHCPv6 server; if not, add it to the address pool.
Chapter 30 DHCP option 82 Configuration
30.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client, then forwards the message to the DHCP server. When a DHCP server that supports option 82 receives the message, it allocates an IP address and other configuration information for the client according to preconfigured policies and the option 82 information in the message. At the same time, the DHCP server can identify possible DHCP attack messages according to the information in option 82 and defend against them. The DHCP Relay Agent peels option 82 from the reply messages it receives and forwards the reply to the specified port of the network access device, according to the physical port information in the option. The use of DHCP option 82 is transparent to the client.
30.1.1 DHCP option 82 Message Structure
A DHCP message can have several option segments; option 82 is one of them. It has to be placed after the other options but before option 255 (End). Its format is as follows:
Code: the option code of the Relay Agent Information Option; it is called option 82 because RFC 3046 defines its code as 82.
Len: the number of bytes in the Agent Information Field, not including the two bytes of the Code and Len fields.
Option 82 can carry several sub-options and needs at least one sub-option. RFC 3046 defines the following two sub-options, whose format is as follows:
SubOpt: the sub-option code; the Circuit ID sub-option has code 1 and the Remote ID sub-option has code 2.
Len: the number of bytes in the Sub-option Value, not including the two bytes of the SubOpt and Len fields.
30.1.2 option 82 Working Mechanism
[Figure 30-1-1 DHCP option 82 flow chart: DHCP Client <-> DHCP Relay Agent <-> DHCP Server. The relay forwards the DHCP Request with option 82 added and the DHCP Reply with option 82 removed.]
If the DHCP Relay Agent supports option 82, the DHCP client still goes through the usual four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below:
1) The DHCP client broadcasts a request message while initializing. This request message does not carry option 82.
2) The DHCP Relay Agent adds option 82 to the end of the request message it receives, then relays and forwards the message to the DHCP server. By default, sub-option 1 of option 82 (Circuit ID) is the interface information of the switch port connected to the DHCP client (VLAN name and physical port name), but users can configure the Circuit ID as they wish. Sub-option 2 of option 82 (Remote ID) is the MAC address of the DHCP relay device.
3) After receiving the DHCP request message, the DHCP server allocates an IP address and other information for the client according to the information in the option segment of the message and the preconfigured policy. It then sends the reply message, carrying the DHCP configuration information and option 82, to the DHCP Relay Agent.
4) The DHCP Relay Agent peels the option 82 information from the reply message sent by the DHCP server, and then forwards the message with the DHCP configuration information to the DHCP client.
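The following Python, added here as an illustration and not part of the manual or the switch firmware, encodes option 82 in the structure of 30.1.1 and performs the relay's "add" and "peel" steps above, including the drop/keep/replace policy of section 30.2; the Circuit ID text and relay MAC are constructed sample values.

```python
"""Constructed example: encoding, decoding and relaying DHCP option 82 (not the switch's code)."""
from __future__ import annotations
from typing import Optional

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82     # option codes (RFC 2132 / RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2               # option 82 sub-option codes


def parse_options(blob: bytes) -> list[tuple[int, bytes]]:
    """Split a DHCPv4 options field into (code, value) pairs; stops at the End option (255)."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs and terminate with option 255."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError(f"option {code} longer than 255 bytes")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def parse_option82(value: bytes) -> dict[int, bytes]:
    """Decode the Agent Information Field into {sub-option code: value} (SubOpt, Len, Value)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError(f"truncated sub-option {code}")
        subs[code] = sub
        i += 2 + length
    if not subs:
        raise ValueError("option 82 must carry at least one sub-option")
    return subs


def build_option82(circuit_id: str, relay_mac: str) -> bytes:
    """Circuit ID as the switch's "VlanN+EthernetX/Y" text, Remote ID as the relay's 6-byte MAC."""
    cid = circuit_id.encode()
    rid = bytes.fromhex(relay_mac.replace(":", ""))
    return bytes((SUB_CIRCUIT_ID, len(cid))) + cid + bytes((SUB_REMOTE_ID, len(rid))) + rid


def relay_request(options: bytes, policy: str, circuit_id: str, relay_mac: str) -> Optional[bytes]:
    """Relay a client request towards the server. `policy` models the interface's
    "ip dhcp relay information policy": drop / keep / replace an option 82 already present.
    Returns the options to forward, or None when the packet is dropped."""
    opts = parse_options(options)
    own = (OPT_RELAY_AGENT, build_option82(circuit_id, relay_mac))
    others = [o for o in opts if o[0] != OPT_RELAY_AGENT]
    if len(others) != len(opts):                 # the request already carries option 82
        if policy == "drop":
            return None
        if policy == "keep":
            return build_options(opts)
        if policy != "replace":
            raise ValueError(f"unknown policy {policy}")
    # option 82 must be the last option before the End option (255)
    return build_options(others + [own])


def relay_reply(options: bytes) -> tuple[bytes, Optional[dict[int, bytes]]]:
    """Peel option 82 from a server reply; the decoded sub-options tell the relay which
    access port (Circuit ID) the reply belongs to."""
    opts = parse_options(options)
    agent, kept = None, []
    for code, value in opts:
        if code == OPT_RELAY_AGENT:
            agent = parse_option82(value)
        else:
            kept.append((code, value))
    return build_options(kept), agent
```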
30.2 DHCP option 82 Configuration Task List
1. Enable the DHCP option 82 function of the Relay Agent.
2. Configure the DHCP option 82 attributes of the interface.
3. Enable the DHCP option 82 function of the server.
4. Diagnose and maintain DHCP option 82.
1. Enable the DHCP option 82 function of the Relay Agent
Global mode
  Command: ip dhcp relay information option
           no ip dhcp relay information option
  Explanation: Enable the option 82 function of the switch Relay Agent. The "no ip dhcp relay information option" command disables the option 82 function of the switch Relay Agent.

2. Configure the DHCP option 82 attributes of the interface
Interface configuration mode
  Command: ip dhcp relay information policy {drop | keep | replace}
           no ip dhcp relay information policy
  Explanation: Set the system's forwarding policy for received DHCP request messages that already contain option 82. drop means that if the message has option 82, the system drops it without processing; keep means that the system keeps the original option 82 segment in the message and forwards it to the server for processing; replace means that the system replaces the option 82 segment in the received message with its own option 82 and forwards the message to the server for processing. The "no ip dhcp relay information policy" command resets the forwarding policy for DHCP messages carrying option 82 to "replace".
  Command: ip dhcp relay information option subscriber-id {standard | <circuit-id>}
           no ip dhcp relay information option subscriber-id
  Explanation: Set the format of option 82 sub-option 1 (Circuit ID option) added to DHCP request messages from this interface. standard means the standard VLAN name plus physical port name format, such as "Vlan2+Ethernet1/12"; <circuit-id> is a user-specified Circuit ID content, a string of no more than 64 characters. The "no ip dhcp relay information option subscriber-id" command resets the format of the added option 82 sub-option 1 (Circuit ID option) to the standard format.
3. Enable the DHCP option 82 function of the server
Global mode
  Command: ip dhcp server relay information enable
           no ip dhcp server relay information enable
  Explanation: Enable the switch DHCP server to recognize option 82. The "no ip dhcp server relay information enable" command makes the server ignore option 82.

4. Diagnose and maintain DHCP option 82
Admin mode
  Command: show ip dhcp relay information option
  Explanation: Display the state of DHCP option 82 in the system, including whether option 82 is enabled, the forwarding policy of each interface, the Circuit ID mode and whether option 82 is enabled on the DHCP server.
  Command: debug ip dhcp relay packet
  Explanation: Display information about packet processing in the DHCP Relay Agent, including the "add" and "peel" actions for option 82.
30.3 DHCP option 82 Application Examples
[Figure 30-3-1 A DHCP option 82 typical application example: Switch3 (DHCP Relay Agent) connects Switch1 and Switch2 through its Vlan2 ports ethernet1/2 and ethernet1/3 and reaches the DHCP Server through Vlan3; DHCP Client PC1 is behind Switch1 and DHCP Client PC2 behind Switch2.]
In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3. Switch3, acting as the DHCP Relay Agent, forwards the request messages from the DHCP clients to the DHCP server and the reply messages from the server back to the DHCP clients to complete the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot distinguish whether a DHCP client is on the network connected to Switch1 or to Switch2, so all PC terminals connected to Switch1 and Switch2 get addresses from the common address pool of the DHCP server. After the DHCP option 82 function is enabled, since Switch3 appends the information of the port on which the client reaches Switch3 to the request message, the server can tell whether the client is on the network of Switch1 or Switch2, and can thus allocate separate address spaces to the two networks, simplifying network management.
The following is the configuration of Switch3 (MAC address 00:03:0f:02:33:01):
Switch3(config)#service dhcp
Switch3(config)#ip dhcp relay information option
Switch3(config)#ip forward-protocol udp bootps
Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0
Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0
Switch3(Config-if-vlan2)#ip helper 192.168.10.88
The Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is as follows:
ddns-update-style interim;
ignore client-updates;
class "Switch3Vlan2Class1" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/2" and option agent.remote-id = 00:03:0f:02:33:01;
}
class "Switch3Vlan2Class2" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/3" and option agent.remote-id = 00:03:0f:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com.cn";
    option domain-name-servers 192.168.10.3;
    authoritative;
    pool {
        range 192.168.102.21 192.168.102.50;
        default-lease-time 86400;  # 24 hours
        max-lease-time 172800;     # 48 hours
        allow members of "Switch3Vlan2Class1";
    }
    pool {
        range 192.168.102.51 192.168.102.80;
        default-lease-time 43200;  # 12 hours
        max-lease-time 86400;      # 24 hours
        allow members of "Switch3Vlan2Class2";
    }
}
Now the DHCP server allocates addresses in the range 192.168.102.21 ~ 192.168.102.50 to the network nodes behind Switch1 that are relayed by Switch3 (Circuit ID Vlan2+Ethernet1/2), and addresses in the range 192.168.102.51 ~ 192.168.102.80 to the network nodes behind Switch2 (Circuit ID Vlan2+Ethernet1/3).
Chapter 31 DHCP Snooping Configuration
31.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by setting trusted ports and untrusted ports: DHCP messages from trusted ports are forwarded without being verified. In typical settings, trusted ports are used to connect the DHCP server or DHCP relay agent, and untrusted ports are used to connect DHCP clients. The switch forwards DHCP request messages from untrusted ports, but not DHCP reply messages. If a DHCP reply message is received on an untrusted port, besides raising an alarm, the switch also takes the configured action on the port, such as "shutdown" or issuing a "blackhole". If DHCP Snooping binding is enabled, the switch saves the binding information (MAC address, IP address, IP lease, VLAN number and port number) of each DHCP client on untrusted ports in the DHCP snooping binding table. With this information, DHCP Snooping can work together with modules like dot1x and ARP, or implement user access control on its own.
Defense against fake DHCP servers: once the switch intercepts DHCP server reply packets (DHCPOFFER, DHCPACK or DHCPNAK) on an untrusted port, it raises an alarm and responds according to the configuration (shut down the port or issue a blackhole).
Defense against DHCP overload attacks: to prevent excessive DHCP messages from overwhelming the CPU, users should limit the rate at which DHCP packets are received on trusted and untrusted ports.
Recording DHCP binding data: DHCP Snooping records the binding data allocated by the DHCP server while forwarding DHCP messages, and can also upload the binding data to a specified server for backup. The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Please refer to the chapter "dot1x configuration" for more about the usage of the dot1x user-based mode.
Adding binding ARP: DHCP Snooping can add static ARP bindings according to the captured binding data, so as to prevent ARP spoofing.
Adding trusted users: DHCP Snooping can add trusted user list entries according to the parameters in the captured binding data; these users can then access all resources without dot1x authentication.
Automatic recovery: a while after the switch shuts down a port or issues a blackhole, it automatically restores communication for the port or source MAC and sends a message to the log server via syslog.
Log function: when the switch detects abnormal received packets or recovers automatically, it sends syslog messages to the log server.
Encryption of private messages: the communication between the switch and the internal network security management system TrustView uses private messages, and users can encrypt version 2 of those messages.
Option 82 function: it is used with the dot1x dhcpoption82 authentication mode. Different option 82 contents are added to DHCP messages according to the user's authentication status.
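The following Python, added here as an illustration and not the XGS3-42000R's implementation, models the behaviour described above: replies are accepted only on trusted ports, a reply on an untrusted port raises an alarm and triggers the shutdown or blackhole action with automatic recovery, a binding (MAC, IP, lease, VLAN, port) is recorded when the server acknowledges a client seen on an untrusted port, and a global DHCP rate limit drops excess packets. Port names, MAC addresses and timings are constructed sample values.

```python
"""Constructed model of DHCP Snooping checks (not the switch's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP message types (option 53)
SERVER_MSGS = {OFFER, ACK, NAK}                      # only legitimate on trusted ports


@dataclass
class DhcpPkt:
    port: str         # ingress port, e.g. "Ethernet1/1"
    vlan: int
    src_mac: str      # Ethernet source of the frame
    msg_type: int
    chaddr: str       # client hardware address from the DHCP header
    yiaddr: str = ""  # address offered/acknowledged by the server
    lease: int = 0    # lease time in seconds (ACK)
    ts: float = 0.0   # arrival time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class Snooper:
    trusted: set[str]                     # ports with "ip dhcp snooping trust"
    action: str = "shutdown"              # "ip dhcp snooping action {shutdown|blackhole}"
    recovery: Optional[int] = None        # "[recovery <second>]"; None = no automatic recovery
    limit_rate: Optional[int] = None      # "ip dhcp snooping limit-rate <pps>"
    bindings: dict[str, Binding] = field(default_factory=dict)                # client MAC -> binding
    shutdown_ports: dict[str, Optional[float]] = field(default_factory=dict)  # port -> recover-at
    blackhole_macs: dict[str, Optional[float]] = field(default_factory=dict)  # MAC -> recover-at
    client_port: dict[str, tuple[str, int]] = field(default_factory=dict)     # chaddr -> (port, vlan)
    alarms: list[str] = field(default_factory=list)   # what the switch would send to syslog
    _bucket: tuple[int, int] = (0, 0)                 # (second, packets seen in that second)

    def handle(self, pkt: DhcpPkt) -> str:
        """Return "forward" or "drop" for one DHCP packet."""
        self._recover(pkt.ts)
        if pkt.port in self.shutdown_ports or pkt.src_mac in self.blackhole_macs:
            return "drop"
        if self.limit_rate is not None and self._over_rate(pkt.ts):
            self.alarms.append(f"DHCP rate limit {self.limit_rate} pps exceeded at {pkt.ts}")
            return "drop"
        if pkt.port in self.trusted:
            # Replies on trusted ports are forwarded unverified; an ACK completes the
            # binding of a client whose request was seen on an untrusted port.
            if pkt.msg_type == ACK and pkt.chaddr in self.client_port:
                port, vlan = self.client_port.pop(pkt.chaddr)
                self.bindings[pkt.chaddr] = Binding(pkt.chaddr, pkt.yiaddr, pkt.lease, vlan, port)
            return "forward"
        if pkt.msg_type in SERVER_MSGS:
            self._defend(pkt)              # DHCP reply on an untrusted port: fake server
            return "drop"
        self.client_port[pkt.chaddr] = (pkt.port, pkt.vlan)
        return "forward"

    def _defend(self, pkt: DhcpPkt) -> None:
        until = None if self.recovery is None else pkt.ts + self.recovery
        self.alarms.append(f"DHCP reply type {pkt.msg_type} from {pkt.src_mac} on untrusted {pkt.port}")
        if self.action == "shutdown":
            self.shutdown_ports[pkt.port] = until
        else:
            self.blackhole_macs[pkt.src_mac] = until

    def _recover(self, now: float) -> None:
        for table in (self.shutdown_ports, self.blackhole_macs):
            for key, until in list(table.items()):
                if until is not None and now >= until:
                    del table[key]
                    self.alarms.append(f"automatic recovery of {key}")

    def _over_rate(self, ts: float) -> bool:
        sec = int(ts)
        count = self._bucket[1] + 1 if self._bucket[0] == sec else 1
        self._bucket = (sec, count)
        return count > self.limit_rate


def demo() -> Snooper:
    """Scenario of 31.3: trusted 1/11 and 1/12, Mac-AA on 1/1 leases 1.1.1.5, Mac-BB on 1/10
    sends a forged DHCPACK and its port is shut down for the configured recovery time."""
    s = Snooper(trusted={"Ethernet1/11", "Ethernet1/12"}, action="shutdown", recovery=30)
    aa, bb, srv = "00:00:00:00:00:aa", "00:00:00:00:00:bb", "00:00:00:00:00:11"
    s.handle(DhcpPkt("Ethernet1/1", 1, aa, DISCOVER, chaddr=aa, ts=1.0))
    s.handle(DhcpPkt("Ethernet1/11", 1, srv, OFFER, chaddr=aa, yiaddr="1.1.1.5", ts=1.1))
    s.handle(DhcpPkt("Ethernet1/1", 1, aa, REQUEST, chaddr=aa, ts=1.2))
    s.handle(DhcpPkt("Ethernet1/11", 1, srv, ACK, chaddr=aa, yiaddr="1.1.1.5", lease=3600, ts=1.3))
    s.handle(DhcpPkt("Ethernet1/10", 1, bb, ACK, chaddr=aa, yiaddr="1.1.1.99", lease=60, ts=2.0))
    return s
```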
31.2 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping binding ARP function
4. Enable DHCP Snooping option82 function
5. Set the private packet version
6. Set DES encryption key for private packets
7. Set helper server address
8. Set trusted ports
9. Enable DHCP Snooping binding DOT1X function
10. Enable DHCP Snooping binding USER function
11. Add static list entries
12. Set defense actions
13. Set rate limitation of DHCP messages
14. Enable the debug switch
1. Enable DHCP Snooping
Global mode
  Command: ip dhcp snooping enable
           no ip dhcp snooping enable
  Explanation: Enable or disable the DHCP snooping function.

2. Enable DHCP Snooping binding
Global mode
  Command: ip dhcp snooping binding enable
           no ip dhcp snooping binding enable
  Explanation: Enable or disable the DHCP snooping binding function.

3. Enable DHCP Snooping binding ARP function
Global mode
  Command: ip dhcp snooping binding arp
           no ip dhcp snooping binding arp
  Explanation: Enable or disable the DHCP snooping binding ARP function.

4. Enable DHCP Snooping option82 function
Global mode
  Command: ip dhcp snooping information enable
           no ip dhcp snooping information enable
  Explanation: Enable or disable the DHCP Snooping option 82 function.
  Command: ip dhcp snooping option82 enable
           no ip dhcp snooping option82 enable
  Explanation: Enable or disable DHCP option 82 for dot1x on the access switch.

5. Set the private packet version
Global mode
  Command: ip user private packet version two
           no ip user private packet version two
  Explanation: Configure or remove the private packet version.

6. Set DES encryption key for private packets
Global mode
  Command: enable trustview key 0/7 <password>
           no enable trustview key
  Explanation: Configure or remove the DES encryption key for private packets.

7. Set helper server address
Global mode
  Command: ip user helper-address A.B.C.D [port <udpport>] source <ipAddr> (secondary|)
           no ip user helper-address (secondary|)
  Explanation: Set or delete the helper server address.

8. Set trusted ports
Port mode
  Command: ip dhcp snooping trust
           no ip dhcp snooping trust
  Explanation: Set or remove the DHCP snooping trust attribute of the port.

9. Enable DHCP Snooping binding DOT1X function
Port mode
  Command: ip dhcp snooping binding dot1x
           no ip dhcp snooping binding dot1x
  Explanation: Enable or disable the DHCP snooping binding dot1x function.

10. Enable or disable the DHCP Snooping binding USER function
Port mode
  Command: ip dhcp snooping binding user-control
           no ip dhcp snooping binding user-control
  Explanation: Enable or disable the DHCP snooping binding user function.

11. Add static binding information
Global mode
  Command: ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> interface (ethernet|) <ifname>
           no ip dhcp snooping binding user <mac> interface (ethernet|) <ifname>
  Explanation: Add or delete DHCP snooping static binding list entries.

12. Set defense actions
Port mode
  Command: ip dhcp snooping action {shutdown | blackhole} [recovery <second>]
           no ip dhcp snooping action
  Explanation: Set or remove the automatic DHCP snooping defense action of the port.

13. Set rate limitation of DHCP messages
Global mode
  Command: ip dhcp snooping limit-rate <pps>
           no ip dhcp snooping limit-rate
  Explanation: Set or remove the rate limit for DHCP snooping messages.
14. Enable the debug switch
Admin mode
  Command: debug ip dhcp snooping packet
           debug ip dhcp snooping event
           debug ip dhcp snooping update
           debug ip dhcp snooping binding
  Explanation: Please refer to the chapter on system troubleshooting.

31.3 DHCP Snooping Typical Application
[Figure 31-3-1 Sketch Map of TRUNK]
As shown in the above chart, the Mac-AA device is a normal user connected to the untrusted port 1/1 of the switch; it obtains IP 1.1.1.5 via its DHCP client. The DHCP server and the gateway are connected to the trusted ports 1/11 and 1/12 of the switch; the malicious user Mac-BB is connected to the untrusted port 1/10 and tries to pose as a DHCP server (by sending DHCPACK). Setting up DHCP Snooping on the switch will effectively detect and block this kind of network attack.
The configuration sequence is:
XGS3-42000R#
XGS3-42000R#config
XGS3-42000R(config)#ip dhcp snooping enable
XGS3-42000R(config)#interface ethernet 1/11
XGS3-42000R(config-If-Ethernet1/11)#ip dhcp snooping trust
XGS3-42000R(config-If-Ethernet1/11)#exit
XGS3-42000R(config)#interface ethernet 1/12
XGS3-42000R(config-If-Ethernet1/12)#ip dhcp snooping trust
XGS3-42000R(config-If-Ethernet1/12)#exit
XGS3-42000R(config)#interface ethernet 1/1-10
XGS3-42000R(config-Port-Range)#ip dhcp snooping action shutdown
XGS3-42000R(config-Port-Range)#
31.4 DHCP Snooping Troubleshooting Help
31.4.1 Monitor and Debug Information
The "debug ip dhcp snooping" command can be used to monitor the debug information.
31.4.2 DHCP Snooping Troubleshooting Help
If any problem occurs when using the DHCP Snooping function, please check whether it is caused by one of the following:
- Check whether DHCP Snooping is enabled globally;
- If the port does not react to invalid DHCP server packets, check whether the port is set as an untrusted port of DHCP Snooping.
Chapter 32 DHCPv6 Snooping Configuration
32.1 Introduction to DHCPv6 Snooping
DHCPv6 Snooping monitors the flow of packets between DHCPv6 clients and the server in order to create a binding table of users, and implements various security policies based on that binding table. DHCPv6 Snooping has the following functions:
32.1.1 Defense against Fake DHCPv6 Server
DHCPv6 Snooping can set the port connected to the DHCPv6 server as a trusted port; other ports are untrusted by default, which prevents users from privately setting up a DHCPv6 server in the network. DHCPv6 Snooping does not forward DHCPv6 response packets received on untrusted ports, and applies the security policy according to the source MAC of the received DHCPv6 response packets: for example, that MAC is set as a blackhole MAC for a period, or the port is directly shut down for a period.
32.1.2 Defense against Fake IPv6 Address
DHCPv6 Snooping can install access control entries on a port based on the bindings learned on that port. The port then denies all IPv6 traffic by default and only forwards IPv6 packets whose source IPv6 address and MAC address are bound on this port. In this way, it effectively prevents a malicious user from forging or privately setting an IPv6 address to access the network.
32.1.3 Defense against DHCPv6 Address Exhaustion Attacks
DHCPv6 Snooping can limit the number of bindings on a port. A port whose binding count exceeds the threshold no longer forwards subsequent DHCPv6 request packets and drops them. In this way, it effectively prevents DHCPv6 address exhaustion attacks.
32.1.4 Defense against ND Spoofing
An IPv6 address obtained through the DHCPv6 protocol is more trustworthy in an IPv6 network, so DHCPv6 Snooping can convert the binding list entries into static ones and effectively prevent ND spoofing attacks against a gateway device. The DHCPv6 Snooping binding ND function needs to be enabled on the layer 3 gateway device.
32.1.5 Handling a Client Moving to Another Port
By capturing DHCPv6 packets on its ports, DHCPv6 Snooping determines which port a DHCPv6 user is connected to. After a DHCPv6 Snooping binding has been created, if DHCPv6 Snooping receives CONFIRM/REQUEST packets or DHCPv6 client response packets from a different port, it uses DAD NS/NA to detect whether the binding on the original port is still in use. If it is still in use (that is, a DAD NA response is received), no new binding is created on the new port; otherwise (no DAD NA response is received within the set time), the binding is created on the new port and the binding on the original port is deleted.
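The following Python, added here as an illustration and not the XGS3-42000R's implementation, models the three binding-table checks of 32.1.2, 32.1.3 and 32.1.5: source filtering of IPv6 data on ports with user access control, the per-port binding limit, and the DAD probe when a bound client shows up on another port. The untrusted-port reply check works as in chapter 31 and is only sketched; the DAD probe is simulated by a callback, and port names, MACs and addresses are constructed sample values.

```python
"""Constructed model of DHCPv6 Snooping binding checks (not the switch's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

SOLICIT, REQUEST, CONFIRM, REPLY = 1, 3, 4, 7   # DHCPv6 message types (RFC 3315)
CLIENT_MSGS = {SOLICIT, REQUEST, CONFIRM}


@dataclass
class Binding6:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Snooper6:
    trusted: set[str]                                               # "ipv6 dhcp snooping trust"
    binding_limit: dict[str, int] = field(default_factory=dict)     # port -> "binding-limit <max-num>"
    user_control: set[str] = field(default_factory=set)             # ports with "binding user-control"
    # DAD NS/NA probe of a bound address on its original port; True when a DAD NA answer arrives.
    # Simulated here by a callback (assumption), not a real neighbour discovery exchange.
    dad_alive: Callable[[str, str], bool] = lambda port, ip: False
    bindings: dict[str, Binding6] = field(default_factory=dict)     # client MAC -> binding
    pending: dict[str, tuple[str, int]] = field(default_factory=dict)  # client MAC -> (port, vlan)
    log: list[str] = field(default_factory=list)

    def _count(self, port: str) -> int:
        return sum(1 for b in self.bindings.values() if b.port == port)

    def handle_dhcpv6(self, port: str, vlan: int, src_mac: str, msg_type: int,
                      client_mac: str = "", assigned_ip: str = "") -> str:
        """Return "forward" or "drop" for one DHCPv6 packet arriving on `port`."""
        if port in self.trusted:
            # Server REPLY on a trusted port: bind the address to the client whose request we saw
            if msg_type == REPLY and client_mac in self.pending and assigned_ip:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[client_mac] = Binding6(client_mac, assigned_ip, cvlan, cport)
                self.log.append(f"bind {client_mac} {assigned_ip} on {cport}")
            return "forward"
        if msg_type not in CLIENT_MSGS:          # server messages never come from untrusted ports
            self.log.append(f"fake DHCPv6 server message {msg_type} from {src_mac} on {port}")
            return "drop"
        old = self.bindings.get(src_mac)
        if old is not None and old.port != port:
            # 32.1.5: the client appears on another port; probe the original port with DAD NS/NA
            if self.dad_alive(old.port, old.ip):
                self.log.append(f"{src_mac} still answers DAD on {old.port}; keep binding")
                return "forward"
            self.log.append(f"{src_mac} silent on {old.port}; move binding to {port}")
            del self.bindings[src_mac]
            old = None
        # 32.1.3: address-exhaustion defense; only new clients count against the limit
        limit = self.binding_limit.get(port)
        if old is None and limit is not None and self._count(port) >= limit:
            self.log.append(f"binding-limit {limit} reached on {port}; drop request from {src_mac}")
            return "drop"
        self.pending[src_mac] = (port, vlan)
        return "forward"

    def handle_ipv6_data(self, port: str, src_mac: str, src_ip: str) -> str:
        """32.1.2: on user-control ports only bound (MAC, IPv6) pairs may send."""
        if port not in self.user_control:
            return "forward"
        b = self.bindings.get(src_mac)
        if b is not None and b.port == port and b.ip == src_ip:
            return "forward"
        self.log.append(f"unbound source {src_ip}/{src_mac} on {port}")
        return "drop"


def demo() -> Snooper6:
    """Topology of Figure 32-3-1: server on E1/1, MAC-AA on E1/2 (2010::3), MAC-BB on E1/3 (2010::4);
    a rapid-commit style SOLICIT/REPLY exchange is used for brevity."""
    s = Snooper6(trusted={"Ethernet1/1"}, binding_limit={"Ethernet1/2": 1},
                 user_control={"Ethernet1/2", "Ethernet1/3", "Ethernet1/4"})
    for mac, port, ip in (("MAC-AA", "Ethernet1/2", "2010::3"), ("MAC-BB", "Ethernet1/3", "2010::4")):
        s.handle_dhcpv6(port, 1, mac, SOLICIT)
        s.handle_dhcpv6("Ethernet1/1", 1, "MAC-SRV", REPLY, client_mac=mac, assigned_ip=ip)
    return s
```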
32.2 DHCPv6 Snooping Configuration Task Sequence
1. Enable DHCPv6 Snooping
2. Enable DHCPv6 Snooping binding function
3. Enable DHCPv6 Snooping binding ND function
4. Delete dynamic binding information for DHCPv6 Snooping
5. Set the binding limit number for the ports
6. Configure static binding list entries
7. Set trusted ports
8. Set defense actions
9. Set the max number of blackhole MACs
10. Enable user access control function
11. Enable the debug switch
12. Show the configuration status
1. Enable DHCPv6 Snooping
Global mode
  Command: ipv6 dhcp snooping enable
           no ipv6 dhcp snooping enable
  Explanation: Enable or disable the DHCPv6 Snooping function.

2. Enable DHCPv6 Snooping binding function
Global mode
  Command: ipv6 dhcp snooping binding enable
           no ipv6 dhcp snooping binding enable
  Explanation: Enable or disable the DHCPv6 Snooping binding function.

3. Enable DHCPv6 Snooping binding ND function
Global mode
  Command: ipv6 dhcp snooping binding nd
           no ipv6 dhcp snooping binding nd
  Explanation: Enable or disable the DHCPv6 Snooping binding ND function.

4. Delete dynamic binding information for DHCPv6 Snooping
Admin mode
  Command: clear ipv6 dhcp snooping binding {<MAC> | <ipv6address> | interface {ethernet <IFNAME> | <IFNAME>} | all}
  Explanation: Delete the dynamic binding information of DHCPv6 Snooping.

5. Set the binding limit number for the ports
Port mode
  Command: ipv6 dhcp snooping binding-limit <max-num>
           no ipv6 dhcp snooping binding-limit
  Explanation: Set or remove the maximum number of DHCPv6 Snooping dynamic bindings allowed on the port.

6. Configure static binding list entries
Global mode
  Command: ipv6 dhcp snooping binding user mac <MAC-address> address <ipv6-address> vlan <vid> interface [ethernet | port-channel] <ifname>
           no ipv6 dhcp snooping binding user mac <MAC-address>
  Explanation: Configure or delete static binding list entries.

7. Set trusted ports
Port mode
  Command: ipv6 dhcp snooping trust
           no ipv6 dhcp snooping trust
  Explanation: Set or remove the DHCPv6 Snooping trust attribute of the port.

8. Set defense actions
Port mode
  Command: ipv6 dhcp snooping action {shutdown | blackhole} [recovery <second>]
           no ipv6 dhcp snooping action
  Explanation: Set or remove the automatic DHCPv6 Snooping defense action of the port.

9. Set the max number of blackhole MACs
Global mode
  Command: ipv6 dhcp snooping action {<max-num> | default}
  Explanation: Set the maximum number of blackhole MACs that can be issued by each untrusted port.

10. Enable user access control function
Port mode
  Command: ipv6 dhcp snooping binding user-control
           no ipv6 dhcp snooping binding user-control
  Explanation: Enable or disable the user access control function based on DHCPv6 Snooping bindings.

11. Enable the debug switch
Admin mode
  Command: debug ipv6 dhcp snooping packet
           debug ipv6 dhcp snooping event
           debug ipv6 dhcp snooping binding
  Explanation: Enable DHCPv6 Snooping debugging.

12. Show the configuration status
Admin mode
  Command: show ipv6 dhcp snooping
           show ipv6 dhcp snooping interface <szIfName>
           show ipv6 dhcp snooping binding {<MAC> | <ipv6address> | interface {ethernet <IFNAME> | <IFNAME>} | all}
  Explanation: Show DHCPv6 Snooping configuration and binding information.
32.3 DHCPv6 Snooping Typical Application
[Figure 32-3-1 Sketch Map of preventing an unauthorized DHCPv6 Server: DHCPv6 Server on Interface E1/1; MAC-AA on Interface E1/2; MAC-BB on Interface E1/3; MAC-CC acting as a virtual DHCPv6 Server on Interface E1/4.]
As shown in the figure above, MAC-AA and MAC-BB are normal users connected to the untrusted ports 1/2 and 1/3 of the switch; they obtain IP 2010::3 and IP 2010::4 through the DHCPv6 client. The DHCPv6 server is connected to the trusted port 1/1 of the switch. The malicious user MAC-CC is connected to the untrusted port 1/4 and tries to act as a fake DHCPv6 server. Enabling DHCPv6 Snooping on the switch effectively detects and prevents this kind of network attack.
Configuration sequence is:
XGS3-42000R#
XGS3-42000R#config
XGS3-42000R(config)#ipv6 dhcp snooping enable
XGS3-42000R(config)#ipv6 dhcp snooping binding enable
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-Ethernet1/1)#ipv6 dhcp snooping trust
XGS3-42000R(config-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/4-10
XGS3-42000R(config-Port-Range)#ipv6 dhcp snooping action shutdown
XGS3-42000R(config-Port-Range)#
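As an added illustration (not the switch's firmware or the manual's own code), the following Python model replays the scenario above: server-side DHCPv6 messages are accepted only from the trusted port, and the configured action is applied to an untrusted port that sends them. The port names, MAC labels and frames are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCPv6 message types (RFC 8415, section 7.3).
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE, RELAY_REPL = 1, 2, 3, 7, 10, 13
# Messages that only a DHCPv6 server or relay may legitimately send.
SERVER_MESSAGES = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPL}


@dataclass
class Frame:
    ingress_port: str   # constructed port names such as "Ethernet1/4"
    src_mac: str        # constructed labels such as "MAC-CC"
    msg_type: int


@dataclass
class SnoopingSwitch:
    """Per-port DHCPv6 Snooping state as the manual describes it (model only)."""
    trusted: Set[str] = field(default_factory=set)
    action: Dict[str, str] = field(default_factory=dict)      # port -> "shutdown" | "blackhole"
    shutdown_ports: Set[str] = field(default_factory=set)
    blackhole_macs: Set[str] = field(default_factory=set)
    binding_table: Dict[str, str] = field(default_factory=dict)  # client MAC -> ingress port

    def set_trust(self, port: str) -> None:
        """'ipv6 dhcp snooping trust' on the port."""
        self.trusted.add(port)

    def set_action(self, port: str, action: str) -> None:
        """'ipv6 dhcp snooping action {shutdown | blackhole}' on the port."""
        if action not in ("shutdown", "blackhole"):
            raise ValueError(action)
        self.action[port] = action

    def process(self, frame: Frame) -> str:
        """Verdict for one DHCPv6 frame: forward, or drop with the reason."""
        if frame.ingress_port in self.shutdown_ports or frame.src_mac in self.blackhole_macs:
            return "drop (port shut down or MAC blackholed)"
        if frame.msg_type in SERVER_MESSAGES and frame.ingress_port not in self.trusted:
            # A server-side message on an untrusted port: the fake server case in the figure.
            act = self.action.get(frame.ingress_port)
            if act == "shutdown":
                self.shutdown_ports.add(frame.ingress_port)
            elif act == "blackhole":
                self.blackhole_macs.add(frame.src_mac)
            return f"drop ({act or 'no action configured'})"
        if frame.msg_type in (SOLICIT, REQUEST) and frame.ingress_port not in self.trusted:
            # Client requests on untrusted ports are what the binding table is learnt from.
            self.binding_table[frame.src_mac] = frame.ingress_port
        return "forward"


def run_scenario(action: str = "shutdown") -> Tuple[List[str], SnoopingSwitch]:
    """Replays the figure: server on 1/1 (trusted), clients on 1/2 and 1/3, a fake server
    on 1/4, and the configured action on ports 1/4-10. All frames are constructed."""
    sw = SnoopingSwitch()
    sw.set_trust("Ethernet1/1")
    for n in range(4, 11):                              # interface ethernet 1/4-10
        sw.set_action(f"Ethernet1/{n}", action)
    frames = [
        Frame("Ethernet1/2", "MAC-AA", SOLICIT),
        Frame("Ethernet1/1", "MAC-SRV", ADVERTISE),     # real server on the trusted port
        Frame("Ethernet1/4", "MAC-CC", ADVERTISE),      # fake server on an untrusted port
        Frame("Ethernet1/4", "MAC-CC", SOLICIT),        # further traffic from 1/4 is dropped
        Frame("Ethernet1/3", "MAC-BB", REQUEST),
    ]
    return [sw.process(f) for f in frames], sw


if __name__ == "__main__":
    for verdict in run_scenario()[0]:
        print(verdict)
```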
32.4 DHCPv6 Snooping Troubleshooting
32.4.1 Monitor and Debug Information
The “debug ipv6 dhcp snooping” command can be used to monitor the debug information.
32.4.2 DHCPv6 Snooping Troubleshooting Help
If any problem happens when using the DHCPv6 Snooping function, please check whether the problem is caused by the following reasons:
• Check whether DHCPv6 Snooping is enabled globally;
• If the DHCP client does not obtain an IP address when DHCPv6 Snooping is configured, please check whether the port connected to the DHCPv6 server/relay is set as a trust port.
Chapter 33 Routing Protocol Overview
To communicate with a remote host over the Internet, a host must choose a proper route via a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate the route using the CPU; the difference is that a Layer 3 switch adds the calculated route to the switch chip and forwards by the chip at wire speed, while a router always stores the calculated route in the route table or route buffer, and data forwarding is performed by the CPU. For this reason, although both routers and switches can perform route selection, Layer 3 switches have a great advantage over routers in data forwarding. The following describes the basic principles and methods used in Layer 3 switch route selection.
In route selection, the responsibility of each Layer 3 switch is to select a proper midway route according to the destination of the packet received, and to send the packet to the next Layer 3 switch, until the last Layer 3 switch in the route sends the packet to the destination host. A route is the path selected by each Layer 3 switch to pass the packet to the next Layer 3 switch. Routes can be grouped into direct routes, static routes and dynamic routes.
A direct route is the path directly connected to the Layer 3 switch, and can be obtained with no calculation.
A static route is a manually specified path to a network or a host; a static route cannot be changed freely. The advantages of static routes are that they are simple and consistent, they can limit illegal route modification, and they are convenient for load balancing and route backup. However, as they are set manually, they are not suitable for mid- or large-scale networks, where the routes are too many and too complex.
A dynamic route is the path to a network or a host calculated by the Layer 3 switch according to the routing protocols enabled. If the next hop Layer 3 switch in the path is not reachable, the Layer 3 switch will automatically discard the path to that next hop and choose a path through other Layer 3 switches.
There are two kinds of dynamic routing protocols: Interior Gateway Protocol (IGP) and Exterior Gateway Protocol (EGP). IGP is the protocol used to calculate the route to a destination inside an autonomous system. The IGPs supported by the switch include RIP and OSPF; RIP and OSPF can be configured according to the requirement. The switch supports running several IGP dynamic routing protocols at the same time. Also, other dynamic routing protocols and static routes can be introduced into a dynamic routing protocol, so that multiple routing protocols can be associated.
EGP is used to exchange routing information among different autonomous systems, such as the BGP protocol. The EGPs supported by the switch include BGP-4 and BGP-4+.
33.1 Routing Table
As mentioned before, a Layer 3 switch is mainly used to establish the route from the current Layer 3 switch to a network or a host, and to forward packets according to the route. Each Layer 3 switch has its own route table containing all routes used by that switch. Each route entry in the route table specifies the physical port to be used for forwarding packets to reach a destination host, or the next hop Layer 3 switch to the host.
The route table mainly consists of the following:
• Destination address: used to identify the destination address or destination network of an IP packet.
• Network mask: used together with the destination address to identify the destination host or the network the Layer 3 switch resides in. The network mask consists of several consecutive binary 1's, usually in dotted decimal format (an address consisting of 1 to 4 255's). When the destination address is ANDed with the network mask, we get the network address of the destination host or of the network the Layer 3 switch resides in. For example, the network address of a host or segment with a destination address of 200.1.1.1 and mask 255.255.255.0 is 200.1.1.0.
• Output interface: specifies the interface of the Layer 3 switch used to forward IP packets.
• IP address of the next Layer 3 switch (next hop): specifies the next Layer 3 switch the IP packet will pass.
• Route entry priority: there may be several different next hop routes leading to the same destination. Those routes may be discovered by different dynamic routing protocols, or be static routes manually configured. The entry with the highest priority (smallest value) becomes the current best route. The user can configure several routes of different priority to the same destination; the Layer 3 switch will choose one route for IP packet forwarding according to the priority order.
To prevent the route table from becoming too large, a default route can be set. Once a route table lookup fails, the default route is chosen for forwarding packets.
The table below describes the routing protocols supported by the switch and the default route lookup priority value.
Routing protocol or route type    Default priority value
Direct route                      0
OSPF                              110
Static route                      1
RIP                               120
OSPF ASE                          150
IBGP                              200
EBGP                              20
Unknown route                     255
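The lookup the text describes, as an added Python example (not the switch's implementation): the destination is ANDed with the mask, the longest matching prefix wins, ties between sources are broken by the priority values in the table above, and a 0.0.0.0/0 entry serves as the default route. The sample table is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Default route lookup priority values from the table above (smaller value wins).
DEFAULT_PRIORITY = {
    "direct": 0, "static": 1, "ebgp": 20, "ospf": 110,
    "rip": 120, "ospf-ase": 150, "ibgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class RouteEntry:
    destination: str                # destination network, e.g. "200.1.1.0"
    mask: str                       # dotted-decimal network mask, e.g. "255.255.255.0"
    interface: str                  # output interface
    next_hop: Optional[str]         # next hop Layer 3 switch; None for a direct route
    source: str                     # route type or protocol, a key of DEFAULT_PRIORITY
    priority: Optional[int] = None  # a user-configured priority overrides the default

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.destination}/{self.mask}")

    @property
    def effective_priority(self) -> int:
        return self.priority if self.priority is not None else DEFAULT_PRIORITY[self.source]


def network_address(address: str, mask: str) -> str:
    """AND the destination address with the mask: 200.1.1.1 and 255.255.255.0 give 200.1.1.0."""
    return str(IPv4Address(int(IPv4Address(address)) & int(IPv4Address(mask))))


def lookup(table: List[RouteEntry], destination: str) -> Optional[RouteEntry]:
    """Select the route for a destination: the longest matching prefix wins; among entries
    with the same prefix length, the smallest priority value wins. A 0.0.0.0/0 entry
    (default route) matches everything and is therefore used only when nothing more
    specific matches. None means the lookup failed and there is no default route."""
    dest = IPv4Address(destination)
    candidates = [r for r in table if dest in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.effective_priority))


def sample_table() -> List[RouteEntry]:
    """Constructed table: one destination learnt by three sources, a summary, a default."""
    return [
        RouteEntry("200.1.1.0", "255.255.255.0", "Vlan1", None, "direct"),
        RouteEntry("10.1.5.0", "255.255.255.0", "Vlan2", "10.1.2.2", "static"),
        RouteEntry("10.1.5.0", "255.255.255.0", "Vlan3", "10.1.3.1", "rip"),
        RouteEntry("10.1.5.0", "255.255.255.0", "Vlan3", "10.1.3.1", "ospf"),
        RouteEntry("10.1.0.0", "255.255.0.0", "Vlan3", "10.1.3.1", "ospf"),
        RouteEntry("0.0.0.0", "0.0.0.0", "Vlan3", "10.1.3.1", "static"),
    ]


if __name__ == "__main__":
    for dest in ("200.1.1.1", "10.1.5.7", "10.1.9.1", "8.8.8.8"):
        best = lookup(sample_table(), dest)
        print(dest, "->", best.network, best.source, best.next_hop)
```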
33.2 IP Routing Policy
33.2.1 Introduction to Routing Policy
Some policies have to be applied when the router publishes and receives routing messages so as to filter them, such as only receiving or publishing routing messages that meet specified conditions. A routing protocol may need to redistribute routing messages found by other protocols, such as OSPF, so as to increase its own routing knowledge; when the router redistributes routing messages from other routing protocols, only part of the qualified routing messages may be needed, and some properties may have to be configured to suit this protocol.
To achieve routing policy, we first have to define the characteristics of the routing messages to which routing policies are to be applied, namely define a group of matching rules. We can configure them by different properties of the routing messages, such as the destination address or the address of the router publishing the routing messages. The matching rules can be configured in advance and then applied in the routing publishing, receiving and redistributing policies.
Five filters are provided in the switch: route-map, acl, as-path, community-list and ip-prefix. We introduce each filter in the following sections:
1. route-map
For matching certain properties of the specified routing information and setting some routing properties when the conditions are fulfilled.
A route-map is for controlling and changing the routing messages while also controlling the redistribution among routes. A route-map consists of a series of match and set commands, in which the match command specifies the conditions required to match, and the set command specifies the actions to be taken when they match. The route-map is also used for controlling route publishing among different route processes. It can also be used for policy routing, which selects routes for the messages other than the shortest route.
A group of match and set clauses makes up a node. A route-map may consist of several nodes, each of which is a unit for matching tests. Nodes are matched in order of sequence-number. Match clauses define matching rules; the matching objects are some properties of routing messages. Different match clauses in the same node are logically in an “and” relation, which means the matching test of a node will not be passed until the conditions in all of its match clauses are matched. Set clauses specify actions, namely configuring some properties of routing messages after the matching test is passed.
Different nodes in a route-map are logically in an “or” relation. The system checks each node of the route-map in turn, and once a certain node's test is passed, the route-map test is passed without performing the next node's test.
2. access control list (acl)
ACL (Access Control List) is a data packet filtering mechanism in the switch. The switch controls the network access and secures the network service by permitting or denying certain data packets transmitted out from or into the network. Users can establish a group of rules based on certain fields in the packet, in which each rule is applied to a certain set of matching messages: permit or deny. The users can apply these rules to the entrance or exit of a specified switch port, with which data streams in a certain direction on a certain port have to follow the specified ACL rules in and out of the switch. Please refer to the chapter “ACL Configuration”.
3. ip-prefix list
The ip-prefix list acts similarly to an acl while being more flexible and more understandable. When applied to routing message filtering, the match object of the ip-prefix is the destination address field of the routing messages.
An ip-prefix list is identified by its prefix list name. Each prefix list may contain multiple items, each of which specifies a matching range of a network prefix type and is identified by a sequence-number which specifies the matching check order of the ip-prefix.
In the process of matching, the switch checks each item identified by sequence-number in ascending order, and the filter is passed once a certain item is matched (without checking the rest of the items).
4. Autonomous system path information access-list as-path
The autonomous system path information access-list as-path is only used in BGP. In the BGP routing message packet there is an autonomous system path field (in which the autonomous system path the routing message passes through is recorded). As-path is specially for specifying matching conditions for the autonomous system path field.
As for relevant as-path configurations, please refer to the ip as-path command in BGP configuration.
5. community-list
Community-list is only for BGP. There is a community property field in the BGP routing message packet for identifying a community. The community list is for specifying matching conditions for the community field.
As for relevant community-list configuration, please refer to the ip as-path command in BGP configuration.
33.2.2 IP Routing Policy Configuration Task List
1. Define route-map
2. Define the match clause in route-map
3. Define the set clause in route-map
4. Define address prefix list
1. Define route-map
Command / Explanation
Global mode
  route-map <map_name> {deny | permit} <sequence_num>
  no route-map <map_name> [{deny | permit} <sequence_num>]
    Configure a route-map; the no route-map <map_name> [{deny | permit} <sequence_num>] command deletes the route-map.
2. Define the match clause in route-map
Command / Explanation
Route-map configuration mode
  match as-path <list-name>
  no match as-path [<list-name>]
    Match the autonomous system path access-list the BGP route passes through; the no match as-path [<list-name>] command deletes the match condition.
  match community <community-list-name | community-list-num> [exact-match]
  no match community [<community-list-name | community-list-num> [exact-match]]
    Match a community property access-list; the no match community [<community-list-name | community-list-num> [exact-match]] command deletes the match condition.
  match interface <interface-name>
  no match interface [<interface-name>]
    Match by port; the no match interface [<interface-name>] command deletes the match condition.
  match ip <address | next-hop> <ip-acl-name | ip-acl-num | prefix-list list-name>
  no match ip <address | next-hop> [<ip-acl-name | ip-acl-num | prefix-list [list-name]>]
    Match the address or next-hop; the no match ip <address | next-hop> [<ip-acl-name | ip-acl-num | prefix-list [list-name]>] command deletes the match condition.
  match metric <metric-val>
  no match metric [<metric-val>]
    Match the routing metric value; the no match metric [<metric-val>] command deletes the match condition.
  match origin <egp | igp | incomplete>
  no match origin [<egp | igp | incomplete>]
    Match the route origin; the no match origin [<egp | igp | incomplete>] command deletes the match condition.
  match route-type external <type-1 | type-2>
  no match route-type external [<type-1 | type-2>]
    Match the route type; the no match route-type external [<type-1 | type-2>] command deletes the match condition.
  match tag <tag-val>
  no match tag [<tag-val>]
    Match the route tag; the no match tag [<tag-val>] command deletes the match condition.
3. Define the set clause in route-map
Command / Explanation
Route-map configuration mode
  set aggregator as <as-number> <ip_addr>
  no set aggregator as [<as-number> <ip_addr>]
    Distribute an AS number for the BGP aggregator; the no command deletes the configuration.
  set as-path prepend <as-num>
  no set as-path prepend [<as-num>]
    Add a specified AS number before the as-path series of the BGP routing messages; the no command deletes the configuration.
  set atomic-aggregate
  no set atomic-aggregate
    Configure the BGP atomic aggregate property; the no command deletes the configuration.
  set comm-list <community-list-name | community-list-num> delete
  no set comm-list <community-list-name | community-list-num> delete
    Delete BGP community list values; the no command deletes the configuration.
  set community [AA:NN] [internet] [local-AS] [no-advertise] [no-export] [none] [additive]
  no set community [AA:NN] [internet] [local-AS] [no-advertise] [no-export] [none] [additive]
    Configure the BGP community list value; the no command deletes the configuration.
  set extcommunity <rt | soo> <AA:NN>
  no set extcommunity <rt | soo> [<AA:NN>]
    Configure the BGP extended community list property; the no command deletes the configuration.
  set ip next-hop <ip_addr>
  no set ip next-hop [<ip_addr>]
    Set the next-hop IP address; the no command deletes the configuration.
  set local-preference <pre_val>
  no set local-preference [<pre_val>]
    Set the local preference; the no command deletes the configuration.
  set metric <+/- metric_val | metric_val>
  no set metric [+/- metric_val | metric_val]
    Set the routing metric value; the no command deletes the configuration.
  set metric-type <type-1 | type-2>
  no set metric-type [<type-1 | type-2>]
    Set the OSPF metric type; the no command deletes the configuration.
  set origin <egp | igp | incomplete>
  no set origin [<egp | igp | incomplete>]
    Set the BGP routing origin; the no command deletes the configuration.
  set originator-id <ip_addr>
  no set originator-id [<ip_addr>]
    Set the routing originator ID; the no command deletes the configuration.
  set tag <tag_val>
  no set tag [<tag_val>]
    Set the OSPF routing tag value; the no command deletes the configuration.
  set vpnv4 next-hop <ip_addr>
  no set vpnv4 next-hop [<ip_addr>]
    Set the BGP VPNv4 next-hop address; the no command deletes the configuration.
  set weight <weight_val>
  no set weight [<weight_val>]
    Set the BGP routing weight; the no command deletes the configuration.
4. Define address prefix list
Command / Explanation
Global mode
  ip prefix-list <list_name> description <description>
  no ip prefix-list <list_name> description
    Describe the prefix list; the no ip prefix-list <list_name> description command deletes the configuration.
  ip prefix-list <list_name> [seq <sequence_number>] <deny | permit> <any | ip_addr/mask_length [ge min_prefix_len] [le max_prefix_len]>
  no ip prefix-list <list_name> [seq <sequence_number>] [<deny | permit> <any | ip_addr/mask_length [ge min_prefix_len] [le max_prefix_len]>]
    Set the prefix list; the no ip prefix-list <list_name> [seq <sequence_number>] [<deny | permit> <any | ip_addr/mask_length [ge min_prefix_len] [le max_prefix_len]>] command deletes the configuration.
33.2.3 Configuration Examples
The figure below shows a network consisting of four Layer 3 switches. This example demonstrates how to set the BGP as-path properties through a route-map. BGP is applied among the Layer 3 switches. For SwitchC, the network 192.68.11.0/24 can be reached through two paths: one is AS-PATH 1 by IBGP (going through SwitchD), the other is AS-PATH 2 by EBGP (going through SwitchB). BGP selects the shortest path, so AS-PATH 1 is the preferred path. If path 2, through EBGP, is wished, we can add two extra AS path numbers into the AS-PATH messages from SwitchA to SwitchD so as to change the decision SwitchC takes for 192.68.11.0/24.
[Figure 33-2-1 Policy routing Configuration: SwitchA (AS1) peers with SwitchB (AS2, 192.68.6.1) and SwitchD (AS3, 172.16.20.2) over VLAN interfaces; SwitchC (AS3) learns 192.68.11.0/24 through both SwitchB and SwitchD]
Configuration procedure: (only SwitchA is listed; configurations for the other switches are omitted.)
The configuration of Layer 3 SwitchA:
SwitchA#config
SwitchA(config)#router bgp 1
SwitchA(config-router)#network 192.68.11.0 mask 255.255.255.0
SwitchA(config-router)#neighbor 172.16.20.2 remote-as 3
SwitchA(config-router)#neighbor 172.16.20.2 route-map AddAsNumbers out
SwitchA(config-router)#neighbor 192.68.6.1 remote-as 2
SwitchA(config-router)#exit
SwitchA(config)#route-map AddAsNumbers permit 10
SwitchA(config-route-map)#set as-path prepend 1 1
33.2.4 Troubleshooting
FAQ: The routing protocol cannot learn routing messages under normal protocol running state.
Troubleshooting: check for the following errors:
• A route-map should have at least one node in permit match mode. When the route-map is used for routing message filtering, a routing message is considered not to pass the filtering if it does not pass the filtering of any node. When all nodes are set to deny mode, no routing messages will pass the filtering of this route-map.
• Items in an address prefix list should have at least one item set to permit mode. The deny mode items can be defined first to quickly remove the unmatched routing messages; however, if all the items are set to deny mode, no route will be able to pass the filtering of this address prefix list. We can define a permit 0.0.0.0/0 le 32 item after several deny mode items are defined, so as to permit all other routing messages to pass through. If le 32 is not specified, only the default route is matched.
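An added Python model (not the switch's code) of the route-map and prefix-list semantics described in 33.2.1, applied to the AddAsNumbers example in 33.2.3 and to the two troubleshooting cases above: nodes are ORed in sequence order, match clauses within a node are ANDed, and prefix-list items are tested in ascending sequence with the first match deciding. The Route representation and the sample prefixes are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Callable, List, Optional


@dataclass
class Route:
    """A routing message as the filters see it (constructed representation)."""
    prefix: str                                   # e.g. "192.68.11.0/24"
    as_path: List[int] = field(default_factory=list)
    metric: int = 0
    tag: int = 0


@dataclass
class PrefixItem:
    """One 'ip prefix-list <name> seq <n> <deny | permit> <any | A.B.C.D/M [ge] [le]>' item."""
    seq: int
    action: str                 # "permit" | "deny"
    network: str                # "any" or "A.B.C.D/M"
    ge: Optional[int] = None    # minimum prefix length
    le: Optional[int] = None    # maximum prefix length

    def matches(self, prefix: str) -> bool:
        if self.network == "any":
            return True
        item, route = IPv4Network(self.network), IPv4Network(prefix)
        if route.prefixlen < item.prefixlen or route.network_address not in item:
            return False
        low = self.ge if self.ge is not None else item.prefixlen
        high = self.le if self.le is not None else (32 if self.ge is not None else item.prefixlen)
        return low <= route.prefixlen <= high


def prefix_list_permits(items: List[PrefixItem], prefix: str) -> bool:
    """Items are checked in ascending sequence order; the first matching item decides and
    the rest are not examined. A prefix matching no item is denied."""
    for item in sorted(items, key=lambda i: i.seq):
        if item.matches(prefix):
            return item.action == "permit"
    return False


@dataclass
class Node:
    """One route-map node: 'route-map <name> {deny | permit} <seq>' with its clauses."""
    seq: int
    action: str                                                          # "permit" | "deny"
    matches: List[Callable[[Route], bool]] = field(default_factory=list)  # ANDed
    sets: List[Callable[[Route], None]] = field(default_factory=list)


def apply_route_map(nodes: List[Node], route: Route) -> Optional[Route]:
    """Nodes are ORed in sequence order: the first node whose match clauses all pass
    decides. permit applies the set clauses and passes the route; deny drops it;
    a route matching no node is dropped."""
    for node in sorted(nodes, key=lambda n: n.seq):
        if all(m(route) for m in node.matches):
            if node.action == "deny":
                return None
            for s in node.sets:
                s(route)
            return route
    return None


def match_ip_address_prefix_list(items: List[PrefixItem]) -> Callable[[Route], bool]:
    """'match ip address prefix-list <list-name>'."""
    return lambda route: prefix_list_permits(items, route.prefix)


def set_as_path_prepend(*as_numbers: int) -> Callable[[Route], None]:
    """'set as-path prepend <as-num> ...': prepends the AS numbers to the route's as-path."""
    def apply(route: Route) -> None:
        route.as_path = list(as_numbers) + route.as_path
    return apply


def switch_a_add_as_numbers(route: Route) -> Optional[Route]:
    """SwitchA's 'route-map AddAsNumbers permit 10' / 'set as-path prepend 1 1' from 33.2.3,
    applied outbound to SwitchD: the AS-PATH seen in AS3 grows by two entries."""
    add_as_numbers = [Node(10, "permit", sets=[set_as_path_prepend(1, 1)])]
    return apply_route_map(add_as_numbers, route)
```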
Chapter 34 Static Route
34.1 Introduction to Static Route
As mentioned earlier, a static route is a manually specified path to a network or a host. Static routes are simple and consistent, can prevent illegal route modification, and are convenient for load balancing and route backup. However, they also have their own defects. A static route, as its name indicates, is static: it does not modify the route automatically on network failure, and manual configuration is required on such occasions; therefore it is not suitable for mid- and large-scale networks.
Static routes are mainly used in the following two conditions: 1) in stable networks, to reduce the load of route selection and routing data streams; for example, a static route can be used for the route to a STUB network. 2) For route backup, configure a static route on the backup line with a lower priority than the main line.
Static routes and dynamic routes can coexist; the Layer 3 switch chooses the route with the highest priority according to the priority of the routing protocols. At the same time, static routes can be introduced (redistributed) into dynamic routing, and the priority of the introduced static routes can be changed as required.
34.2 Introduction to Default Route
A default route is a kind of static route, which is used only when no matching route is found. In the route table, the default route is indicated by a destination address of 0.0.0.0 and a network mask of 0.0.0.0. If the route table does not contain the destination of a packet and has no default route configured, the packet is discarded, and an ICMP packet is sent to the source address indicating that the destination address or network is unreachable.
34.3 Static Route Configuration Task List
1. Static route configuration
1. Static route configuration
Command / Explanation
Global mode
  ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>]
  no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>]
    Set a static route; the no ip route {<ip-prefix> <mask> | <ip-pr
efix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>] command deletes a static route entry.
34.4 Static Route Configuration Examples
The figure shown below is a simple network consisting of three Layer 3 switches; the network mask for all switches and PCs is 255.255.255.0. PC-A and PC-C are connected via the static routes set in SwitchA and SwitchC; PC-C and PC-B are connected via the static route set in SwitchC to SwitchB; PC-B and PC-C are connected via the default route set in SwitchB.
[Figure 34-4-1 Static Route Configurations: PC-A 10.1.1.2 on SwitchA vlan1 10.1.1.1; SwitchA vlan2 10.1.2.1 to SwitchC vlan2 10.1.2.2; SwitchC vlan1 10.1.3.2 to SwitchB vlan1 10.1.3.1; PC-C 10.1.5.2 on SwitchC vlan3 10.1.5.1; PC-B 10.1.4.2 on SwitchB vlan2 10.1.4.1]
Configuration steps:
Configuration of Layer 3 SwitchA
XGS3-42000R#config
XGS3-42000R(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2
Configuration of Layer 3 SwitchC
XGS3-42000R#config
(The next hop is the partner's IP address.)
XGS3-42000R(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
(The next hop is the partner's IP address.)
XGS3-42000R(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of Layer 3 SwitchB
XGS3-42000R#config
XGS3-42000R(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
Chapter 35 RIP
35.1 Introduction to RIP
RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to the neighboring devices:
• The number of hops to reach the destination network, i.e. the metric to use, or the number of networks to pass.
• What the next hop is, i.e. the direction (vector) to use to reach the destination network.
Distance vector Layer 3 switches send their whole route selection tables to the neighboring Layer 3 switches at regular intervals. A Layer 3 switch builds its own route selection table based on the information received from the neighboring Layer 3 switches, and then sends this information to its own neighbors. As a result, the route selection table is built on second-hand information, and routes beyond 15 hops are deemed unreachable.
RIP is an optional routing protocol based on UDP. Hosts using RIP send and receive packets on UDP port 520. All Layer 3 switches running RIP send their route table to all neighboring Layer 3 switches every 30 seconds for update. If no information from the partner is received in 180 seconds, the device is deemed to have failed and the network connected to that device is considered unreachable. However, the route of that Layer 3 switch is kept in the route table for another 120 seconds before deletion.
As Layer 3 switches running RIP build their route tables from second-hand information, infinite count may occur. In a network running RIP, when a RIP route becomes unreachable, the neighboring RIP Layer 3 switch does not send route update packets at once; instead, it waits until the update interval times out (every 30 seconds) and then sends the update packets containing that route. If, before the neighbors receive the updated packet, they send packets containing information about the failed neighbor, “infinite count” results: the route to the unreachable Layer 3 switch keeps being selected with progressively increasing metrics. This greatly affects route selection and route aggregation time.
To prevent “infinite count”, RIP provides mechanisms such as “split horizon” and “triggered update” to solve route loops. “Split horizon” works by not sending to a gateway the routes learned from that gateway. There are two split horizon methods: “simple split horizon” and “poison reverse split horizon”. Simple split horizon removes, from the routes to be sent to a neighboring gateway, the routes learnt from that gateway; poison reverse split horizon not only removes the above-mentioned routes but sets the costs of those routes to infinite. The “triggered update” mechanism defines that whenever a route metric is changed by the gateway, the gateway advertises the update packets immediately, regardless of the 30 second update timer status.
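An added Python model (not the switch's RIP implementation) of the infinite count problem and the two split horizon variants described above. The two-switch scenario and the mode names none/simple/poison are constructed for this example and are not CLI keywords.

```python
from typing import Dict, List, Optional, Tuple

INFINITY = 16   # RIP metric meaning unreachable; routes beyond 15 hops are unreachable

# Route table: destination -> (metric, next hop); next hop None = directly connected.
Table = Dict[str, Tuple[int, Optional[str]]]


def receive_update(table: Table, neighbor: str, advertised: Dict[str, int]) -> Table:
    """Bellman-Ford step for one update from `neighbor`: cost is the advertised metric
    plus one hop. The entry is replaced when the new cost is better, or when the update
    comes from the current next hop (its word about its own route is authoritative)."""
    new = dict(table)
    for dest, metric in advertised.items():
        cost = min(metric + 1, INFINITY)
        current = new.get(dest)
        if current is None or cost < current[0] or current[1] == neighbor:
            new[dest] = (cost, neighbor)
    return new


def build_update(table: Table, to_neighbor: str, mode: str) -> Dict[str, int]:
    """Update to send to `to_neighbor` (mode names are this example's, not CLI keywords):
    'none'   full table, which allows the infinite count described above;
    'simple' simple split horizon: omit routes learnt from that neighbor;
    'poison' poison reverse: advertise those routes with metric 16 instead."""
    out: Dict[str, int] = {}
    for dest, (metric, next_hop) in table.items():
        if next_hop == to_neighbor and mode == "simple":
            continue
        out[dest] = INFINITY if (next_hop == to_neighbor and mode == "poison") else metric
    return out


def simulate_failure(mode: str, rounds: int = 8) -> List[int]:
    """Constructed two-switch scenario: A is directly connected to network N and B learns N
    via A. N then fails at A, but B's periodic update reaches A before A's own update
    reaches B. Returns A's metric for N after each round of exchanges."""
    a: Table = {"N": (1, None)}
    b: Table = receive_update({}, "A", build_update(a, "B", mode))   # B: N via A, metric 2
    a = {"N": (INFINITY, None)}                                       # N fails at A
    history = []
    for _ in range(rounds):
        a = receive_update(a, "B", build_update(b, "A", mode))        # B's update arrives first
        b = receive_update(b, "A", build_update(a, "B", mode))        # then A's update
        history.append(a["N"][0])
    return history


if __name__ == "__main__":
    for mode in ("none", "simple", "poison"):
        print(mode, simulate_failure(mode))
```

With mode none, A's metric for the failed network climbs 3, 5, 7, ... until it reaches 16; with either split horizon variant it stays at 16 from the first round.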
There are two versions of RIP, version 1 and version 2. RFC 1058 introduces the RIP-I protocol; RFC 2453 introduces RIP-II, which is compatible with RFC 1723 and RFC 1388. RIP-I sends update packets by broadcast; subnet masks and authentication are not supported. Some fields in RIP-I packets are not used and are required to be all 0's; for this reason, such all-0 fields should be checked when using RIP-I, and the RIP-I packets should be discarded if such fields are non-zero. RIP-II is an improved version of RIP-I. RIP-II sends route update packets by multicast (the multicast address is 224.0.0.9), adds a subnet mask field and a RIP authentication field (simple plaintext password and MD5 password authentication are supported), and supports variable length subnet masks. RIP-II uses some of the zero fields of RIP-I and requires no zero field verification. The switch sends RIP-II packets by multicast by default, and accepts both RIP-I and RIP-II packets.
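An added Python parser (not the switch's firmware) for the RIP-I/RIP-II datagram layout described above, applying the checks the text calls for: RIP-I must-be-zero fields cause the packet to be discarded, the metric must lie in 1..16, and a RIP-II simple-password authentication entry is recognized (the MD5 type is only identified, not verified). The sample packets are constructed with the builder functions in the block.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

RIP_PORT = 520                    # UDP port used by RIP
RIP_V2_MULTICAST = "224.0.0.9"    # destination of RIP-II updates
REQUEST, RESPONSE = 1, 2          # RIP command codes
AUTH_AFI = 0xFFFF                 # address family marking a RIP-II authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3      # simple password (RFC 2453), keyed MD5 (RFC 2082)
INFINITY = 16                     # metric meaning unreachable


@dataclass
class RipEntry:
    afi: int
    route_tag: int
    address: str
    mask: str
    next_hop: str
    metric: int


@dataclass
class RipPacket:
    command: int
    version: int
    auth_type: Optional[int]
    auth_data: Optional[bytes]
    entries: List[RipEntry]


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _raw(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def parse_rip(data: bytes) -> RipPacket:
    """Parse one RIP datagram. ValueError means the packet must be discarded: wrong length,
    unknown command or version, non-zero must-be-zero fields in RIP-I, or a bad metric."""
    if len(data) < 4 or (len(data) - 4) % 20 != 0:
        raise ValueError("bad length")
    command, version, header_mbz = struct.unpack("!BBH", data[:4])
    if command not in (REQUEST, RESPONSE) or version not in (1, 2):
        raise ValueError("bad command or version")
    if version == 1 and header_mbz != 0:
        raise ValueError("RIP-I header must-be-zero field is set")
    auth_type, auth_data, entries = None, None, []
    for off in range(4, len(data), 20):
        afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", data[off:off + 20])
        if version == 2 and off == 4 and afi == AUTH_AFI:
            # RIP-II authentication: the first entry carries the type and 16 bytes of data.
            auth_type, auth_data = tag, data[off + 4:off + 20]
            continue
        if version == 1 and (tag or mask != bytes(4) or nh != bytes(4)):
            raise ValueError("RIP-I entry must-be-zero field is set")
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric out of range")
        entries.append(RipEntry(afi, tag, _ip(addr), _ip(mask), _ip(nh), metric))
    return RipPacket(command, version, auth_type, auth_data, entries)


def rejected(data: bytes) -> bool:
    """True when parse_rip would discard the datagram."""
    try:
        parse_rip(data)
    except ValueError:
        return True
    return False


def build_entry(address: str, metric: int, mask: str = "0.0.0.0",
                next_hop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """Constructed 20-byte route entry (AFI 2 = IP). RIP-I senders leave mask, next hop
    and tag at zero; RIP-II fills them in."""
    return struct.pack("!HH4s4s4sI", 2, tag, _raw(address), _raw(mask), _raw(next_hop), metric)


def build_response(version: int, entries: bytes, password: Optional[bytes] = None) -> bytes:
    """Constructed RESPONSE datagram; a password adds a RIP-II simple-password auth entry."""
    auth = b""
    if password is not None:
        auth = struct.pack("!HH", AUTH_AFI, AUTH_SIMPLE) + password.ljust(16, b"\0")
    return struct.pack("!BBH", RESPONSE, version, 0) + auth + entries
```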
Each Layer 3 switch running RIP has a route database, which contains all route entries for reachable destinations, and the route table is built based on this database. When a RIP Layer 3 switch sends route update packets to its neighboring devices, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each Layer 3 switch is quite large, causing degraded network performance.
Besides the above, the RIP protocol allows route information discovered by other routing protocols to be introduced into the route table.
The operation of the RIP protocol is shown below:
1. Enable RIP. The switch sends request packets to the neighboring Layer 3 switches by broadcast; on receiving the request, the neighboring devices reply with packets containing their local routing information.
2. The Layer 3 switch modifies its local route table on receiving the reply packets and sends triggered update packets to the neighboring devices to advertise the route update information. On receiving the triggered update packet, the neighboring Layer 3 switches send triggered update packets to their own neighbors. After a sequence of triggered update packet broadcasts, all Layer 3 switches get and maintain the latest route information.
In addition, RIP Layer 3 switches advertise their local route table to their neighboring devices every 30 seconds. On receiving the packets, the neighboring devices maintain their local route table, select the best route and advertise the updated information to their own neighbors, so that the updated routes are globally valid. Moreover, RIP uses a timeout mechanism for outdated routes: if a switch does not receive regular update packets from a neighbor within a certain interval (invalid timer interval), it considers the route from that neighbor invalid, and after holding the route for a certain interval (holddown timer interval), it deletes that route.
35.2 RIP Configuration Task List
1. Enable RIP (required)
  (1) Enable/disable RIP module.
  (2) Enable interface to send/receive RIP packets
2. Configure RIP protocol parameters (optional)
  (1) Configure RIP sending mechanism
    1) Configure specified RIP packets transmission address
    2) Configure RIP interface broadcast
  (2) Configure the RIP routing parameters
    1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIP)
    2) Configure interface authentication mode and password
    3) Configure the route deviation
    4) Configure and apply route filter
    5) Configure Split Horizon
  (3) Configure other RIP protocol parameters
    1) Configure the managing distance of RIP route
    2) Configure the RIP route capacity limit in route table
    3) Configure the RIP update, timeout, holddown and other timers
    4) Configure the receiving buffer size of RIP UDP
3. Configure RIP-I/RIP-II switch
  (1) Configure the RIP version to be used in all interfaces
  (2) Configure the RIP version to send/receive in all interfaces
  (3) Configure whether to enable RIP packets sending/receiving for interfaces
4. Delete the specified route in RIP route table
5. Configure the RIP routing aggregation
  (1) Configure aggregation route of IPv4 route mode
  (2) Configure aggregation route of IPv4 interface configuration mode
  (3) Display IPv4 aggregation route information
6. Configure redistribution of OSPF routing to RIP
  (1) Enable redistribution of OSPF routing to RIP
  (2) Display and debug the information about configuration of redistribution of OSPF routing to RIP
1. Enable RIP protocol
Applying the RIP routing protocol with a basic configuration on the switch is simple. Normally you only have to enable RIP and configure the segments running RIP, which then send and receive RIP data packets with the default RIP configuration. The version of the data packets sent and received can be changed when needed, and sending and receiving RIP data packets can be allowed or denied. Refer to 3.
Command / Explanation
Global Mode
  router rip
  no router rip
    Enables RIP; the no router rip command disables RIP.
Router and address family configuration mode
  network <A.B.C.D/M | ifname | vlan>
  no network <A.B.C.D/M | ifname | vlan>
    Enables the segment running the RIP protocol; the no network <A.B.C.D/M | ifname | vlan> command deletes the segment.
2. Configure RIP protocol parameters
(1) Configure RIP packet transmitting mechanism
1) Configure RIP data packet point-transmitting
2) Configure RIP broadcast
Command / Explanation
Router Configuration Mode
  neighbor <A.B.C.D>
  no neighbor <A.B.C.D>
    Specify the IP address of the neighbor router that needs point-transmitting; the no neighbor <A.B.C.D> command cancels the appointed neighbor router.
  passive-interface <ifname|vlan>
  no passive-interface <ifname|vlan>
    Block the RIP broadcast on the specified port, so that RIP data packets are only transmitted among Layer 3 switches configured with neighbor; the no passive-interface <ifname|vlan> command cancels the function.
(2) Configure RIP route parameters
1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIP)
Command / Explanation
Router Configuration Mode
  default-metric <value>
  no default-metric
    Sets the default route metric for routes to be introduced; the no default-metric command restores the default setting.
  redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]
  no redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]
    Redistribute the routes distributed by other routing protocols into the RIP data packets; the no redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>] command cancels the distributed routes of the corresponding protocols.
  default-information originate
  no default-information originate
    Generate a default route to the RIP protocol; the no default-information originate command cancels the feature.
2) Configure interface authentication mode and password
Command / Explanation
Interface configuration mode
ip rip authentication mode {text|md5}
no ip rip authentication mode [text|md5]
  Sets the authentication method; the “no ip rip authentication mode [text|md5]” command cancels authentication.
ip rip authentication string <text>
no ip rip authentication string
  Sets the authentication key; the “no ip rip authentication string” command means no key is needed.
ip rip authentication key-chain <name-of-chain>
no ip rip authentication key-chain [<name-of-chain>]
  Sets the key chain used in authentication; the “no ip rip authentication key-chain [<name-of-chain>]” command means the key chain is not used.
ip rip authentication cisco-compatible
no ip rip authentication cisco-compatible
  After configuring this command together with MD5 authentication, the switch can receive RIP packets from Cisco devices; the no command restores the default configuration.
Global mode
key chain <name-of-chain>
no key chain <name-of-chain>
  Enters keychain mode and configures a key chain; the “no key chain <name-of-chain>” command deletes the key chain.
Keychain mode
key <keyid>
no key <keyid>
  Enters keychain-key mode and configures a key of the key chain; the “no key <keyid>” command deletes one key.
Keychain-key mode
key-string <text>
no key-string <text>
  Configures the password used by the key; the “no key-string <text>” command deletes the password.
accept-lifetime <start-time> {<end-time>|duration <seconds>|infinite}
no accept-lifetime
  Configures the period during which a key on the key chain is accepted as valid for received packets; the “no accept-lifetime” command deletes it.
send-lifetime <start-time> {<end-time>|duration <seconds>|infinite}
no send-lifetime
  Configures the period during which a key on the key chain is used for transmitting; the “no send-lifetime” command deletes the send-lifetime.
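As an added illustration of the two authentication modes and of the key-chain lifetimes in the tables above (example code written for this guide, not firmware or CLI code from the switch), the following Python block builds a RIPv2 Response carrying either the clear-text password entry or a keyed-MD5 header and trailer modelled on RFC 2082, verifies the digest on the receiving side, and selects the send key and the set of accepted keys from a constructed key chain according to their send-lifetime and accept-lifetime windows. The packet layout, the sample route, the key chain and the helper names are assumptions of this example.

```python
"""RIPv2 authentication entries and key-chain lifetimes (added example, not switch code)."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta
from ipaddress import IPv4Address

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI = 0xFFFF            # address family 0xFFFF marks an authentication entry
AUTH_TEXT, AUTH_MD5 = 2, 3   # 'authentication mode text' / 'authentication mode md5'
AUTH_TRAILER = 1             # trailer entry type that carries the MD5 digest


def route_entry(prefix, mask, next_hop, metric):
    """One 20-byte RIPv2 route entry: AFI 2 (IP), route tag 0, address, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


# Constructed sample route used by the packets below
SAMPLE_ROUTES = [route_entry("10.1.1.0", "255.255.255.0", "0.0.0.0", 1)]


def build_text_response(routes, password):
    """Clear-text mode: the 16-byte password field is sent as is, readable by anyone on the segment."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_TEXT, password.ljust(16, b"\x00"))
    return header + auth + b"".join(routes)


def build_md5_response(routes, key_id, seq, key):
    """MD5 mode (RFC 2082 layout): header, auth entry, routes, trailer. The digest covers the
    whole packet with the zero-padded key standing in for the digest field."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    rip_len = 4 + 20 + len(body)  # number of bytes before the trailer
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_MD5, rip_len, key_id, 16, seq, bytes(8))
    trailer = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
    padded_key = key.ljust(16, b"\x00")[:16]
    digest = hashlib.md5(header + auth + body + trailer + padded_key).digest()
    return header + auth + body + trailer + digest


def verify_md5_response(packet, keys_by_id):
    """Receiver side: check entry types and lengths, look up the key ID, recompute the digest
    and compare in constant time. Any mismatch rejects the packet."""
    if len(packet) < 4 + 20 + 4 + 16:
        return False
    afi, atype, rip_len, key_id, auth_len = struct.unpack("!HHHBB", packet[4:12])
    if afi != AUTH_AFI or atype != AUTH_MD5 or auth_len != 16:
        return False
    if rip_len + 20 != len(packet):
        return False
    if packet[rip_len:rip_len + 4] != struct.pack("!HH", AUTH_AFI, AUTH_TRAILER):
        return False
    key = keys_by_id.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(packet[:rip_len + 4] + key.ljust(16, b"\x00")[:16]).digest()
    return hmac.compare_digest(packet[rip_len + 4:], expected)


# Constructed key chain, as 'key chain' / 'key' / 'key-string' / 'accept-lifetime' /
# 'send-lifetime' would express it: key 1 stops being sent after one day, key 2 takes
# over, and the accept windows overlap so neither side rejects the other during rollover.
T0 = datetime(2024, 1, 1)


def at_hours(hours):
    """Clock value 'hours' after T0 (helper for the scenarios below)."""
    return T0 + timedelta(hours=hours)


SAMPLE_CHAIN = [
    {"id": 1, "string": b"oldkey", "accept": (T0, at_hours(48)), "send": (T0, at_hours(24))},
    {"id": 2, "string": b"newkey", "accept": (at_hours(12), None), "send": (at_hours(24), None)},
]


def active_keys(chain, now, window):
    """Keys whose 'accept' or 'send' window contains now; an end of None means 'infinite'."""
    return [k for k in chain
            if k[window][0] <= now and (k[window][1] is None or now < k[window][1])]


def send_key(chain, now):
    """Lowest-numbered key whose send-lifetime is current, or None if no key may be sent."""
    valid = active_keys(chain, now, "send")
    return min(valid, key=lambda k: k["id"]) if valid else None


def accept_keys(chain, now):
    """Mapping key ID -> key string for every key whose accept-lifetime is current."""
    return {k["id"]: k["string"] for k in active_keys(chain, now, "accept")}
```

Running the functions shows the point of the two modes: in text mode the password bytes appear verbatim in the packet, in MD5 mode they do not, and a packet with a flipped bit or a key ID the receiver does not hold is rejected. A packet signed with the key that the send-lifetime selects verifies only while that key is also inside the receiver's accept-lifetime, which is why the accept window of the new key should open before the send window switches to it.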
3) Configure the route offset (deviation)
Command / Explanation
Router configuration mode
offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]
no offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]
  Adds an offset value to the route metric when the port sends or receives RIP packets for the routes matching the access list; the “no offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]” command removes the offset list.
|acce ss-li st-name>
4) Configure and apply the route filtering
Command / Explanation
Router configuration mode
distribute-list {<access-list-number|access-list-name>|prefix <prefix-list-name>} {in|out} [<ifname>]
no distribute-list {<access-list-number|access-list-name>|prefix <prefix-list-name>} {in|out} [<ifname>]
  Configures and applies the access list or prefix list used to filter routes; the “no distribute-list {<access-list-number|access-list-name>|prefix <prefix-list-name>} {in|out} [<ifname>]” command means the access list or prefix list is not used.
5) Configure the split horizon
Command / Explanation
Interface configuration mode
ip rip split-horizon [poisoned]
no ip rip split-horizon
  Enables split horizon when the port sends packets; “poisoned” selects poison reverse. The “no ip rip split-horizon” command cancels the split horizon.
(3) Configure other RIP protocol parameters
1) Configure RIP routing priority
2) Configure the RIP route capacity limit in the route table
3) Configure the timers for RIP update, timeout and hold-down
4) Configure the RIP UDP receiving buffer size
Command / Explanation
Router configuration mode
distance <number> [<A.B.C.D/M>] [<access-list-name|access-list-number>]
no distance [<A.B.C.D/M>]
  Specifies the administrative distance of RIP routes; the “no distance [<A.B.C.D/M>]” command restores the default value 120.
maximum-prefix <maximum-prefix> [<threshold>]
no maximum-prefix <maximum-prefix>
no maximum-prefix
  Configures the maximum number of RIP routes; the “no maximum-prefix <maximum-prefix>” or “no maximum-prefix” command cancels the limit.
timers basic <update> <invalid> <garbage>
no timers basic
  Adjusts the update, timeout and garbage collection timers; the “no timers basic” command restores the default configuration.
recv-buffer-size <size>
no recv-buffer-size
  Configures the UDP receiving buffer size of RIP; the “no recv-buffer-size” command restores the system default value.
3. Configure RIP-I/RIP-II toggling
(1) Configure the RIP version to be used on all ports
Command / Explanation
RIP configuration mode
version {1|2}
no version
  Configures the version of all RIP packets transmitted and received by the Layer 3 switch ports; the “no version” command restores the default configuration, version 2.
(2) Configure the RIP version to send/receive on individual ports
(3) Configure whether to enable RIP packet sending/receiving for ports
Command / Explanation
Interface configuration mode
ip rip send version {1|1-compatible|2}
no ip rip send version
  Sets the version of RIP packets to send on the port; the “no ip rip send version” command sets the version back to the one configured by the “version” command.
ip rip receive version {1 | 2 | }
no ip rip receive version
  Sets the version of RIP packets to receive on the port; the “no ip rip receive version” command sets the version back to the one configured by the “version” command.
ip rip receive-packet
no ip rip receive-packet
  Enables receiving RIP packets on the interface; the “no ip rip receive-packet” command disables receiving RIP packets on this port.
ip rip send-packet
no ip rip send-packet
  Enables sending RIP packets on the interface; the “no ip rip send-packet” command disables sending RIP packets on the interface.
4. Delete the specified route in the RIP route table
Command / Explanation
Admin Mode
clear ip rip route {<A.B.C.D/M>|kernel|static|connected|rip|ospf|isis|bgp|all}
  Deletes a specified route from the RIP route table.
5. Configure the RIP routing aggregation
(1) Configure IPv4 aggregation route globally
Command / Explanation
Router Configuration Mode
ip rip aggregate-address A.B.C.D/M
no ip rip aggregate-address A.B.C.D/M
  Configures or deletes an IPv4 aggregation route globally.
(2) Configure IPv4 aggregation route on interface
Command / Explanation
Interface Configuration Mode
ip rip aggregate-address A.B.C.D/M
no ip rip aggregate-address A.B.C.D/M
  Configures or deletes an IPv4 aggregation route on the interface.
(3) Display IPv4 aggregation route information
Command / Explanation
Admin Mode and Configuration Mode
show ip rip aggregate
  Displays aggregation route information.
6. Configure redistribution of OSPF routing to RIP
(1) Enable redistribution of OSPF routing to RIP
Command / Explanation
Router RIP Configuration Mode
redistribute ospf [<process-id>] [metric <value>] [route-map <word>]
no redistribute ospf [<process-id>]
  Enables or disables the redistribution of OSPF routing to RIP.
(2) Display and debug the information about configuration of redistribution of OSPF routing to RIP
Command / Explanation
Admin Mode and Configuration Mode
show ip rip redistribute
  Displays the information about the configuration of redistribution from other routing protocols.
Admin Mode
debug rip redistribute message send
no debug rip redistribute message send
  Enables or disables debugging messages sent by RIP for redistribution of OSPF routing.
debug rip redistribute route receive
no debug rip redistribute route receive
  Enables or disables debugging messages received from NSM.
35.3 RIP Examples
35.3.1 Typical RIP Examples
[Figure: SwitchA (interface vlan1: 10.1.1.1/24, interface vlan2: 20.1.1.1/24); SwitchB (interface vlan1: 10.1.1.2/24); SwitchC (interface vlan1: 20.1.1.2/24)]
Figure 35-3-1 RIP example
In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA is connected with SwitchB and SwitchC, and the RIP routing protocol is running on all three switches. SwitchA (interface vlan1: 10.1.1.1, interface vlan2: 20.1.1.1) exchanges Layer 3 switch update messages only with SwitchB (interface vlan1: 10.1.1.2), but not with SwitchC (interface vlan 2: 20.1.1.2).
The configurations of SwitchA, SwitchB and SwitchC are as follows:
a) Layer 3 SwitchA:
Configure the IP address of interface vlan 1
SwitchA#config
SwitchA(config)# interface vlan 1
SwitchA(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#
Configure the IP address of interface vlan 2
SwitchA(config)# vlan 2
SwitchA(Config-Vlan2)# switchport interface ethernet 1/2
Set the port Ethernet 1/1 access vlan 2 successfully
SwitchA(Config-Vlan2)# exit
SwitchA(config)# interface vlan 2
SwitchA(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.0
Initiate the RIP protocol and configure the RIP segments
SwitchA(config)#router rip
SwitchA(config-router)#network vlan 1
SwitchA(config-router)#network vlan 2
SwitchA(config-router)#exit
Configure interface vlan 2 not to transmit RIP messages to SwitchC
SwitchA(config)#router rip
SwitchA(config-router)#passive-interface vlan 2
SwitchA(config-router)#exit
SwitchA(config)#
b) Layer 3 SwitchB:
Configure the IP address of interface vlan 1
SwitchB#config
SwitchB(config)# interface vlan 1
SwitchB(Config-if-Vlan1)# ip address 10.1.1.2 255.255.255.0
SwitchB(Config-if-Vlan1)#exit
Initiate the RIP protocol and configure the RIP segments
SwitchB(config)#router rip
SwitchB(config-router)#network vlan 1
SwitchB(config-router)#exit
c) Layer 3 SwitchC:
Configure the IP address of interface vlan 1
SwitchC#config
SwitchC(config)# interface vlan 1
SwitchC(Config-if-Vlan1)# ip address 20.1.1.2 255.255.255.0
SwitchC(Config-if-Vlan1)#exit
Initiate the RIP protocol and configure the RIP segments
SwitchC(config)#router rip
SwitchC(config-router)#network vlan 1
SwitchC(config-router)#exit
35.3.2 Typical Examples of RIP aggregation function
The application topology is as follows:
[Figure: S1 (vlan1: 192.168.10.1) connected to S2 (vlan1: 192.168.10.2); S2 advertises the aggregate 192.168.20.0/22 for its subnets 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24]
Figure 35-3-2 Typical application of RIP aggregation
In the above network topology, S2 is connected to S1 through interface vlan1, and S2 has four other subnets: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24. S2 supports route aggregation. After the aggregation route 192.168.20.0/22 is configured on interface vlan1 of S2, S2 aggregates the four subnet routes into one route, 192.168.20.0/22, sends it to S1 through vlan1, and does not send the individual subnets to the neighbor. This reduces the routing table of S1 and saves memory.
S1 configuration list:
S1(config)#router rip
S1(config-router)#network vlan 1
S2 configuration list:
S2(config)#router rip
S2(config-router)#network vlan 1
S2(config-router)#exit
S2(config)#in vlan 1
S2(Config-if-Vlan1)# ip rip agg 192.168.20.0/22
35.4 RIP Troubleshooting
The RIP protocol may not work properly due to errors such as a faulty physical connection or a configuration error when configuring and using the RIP protocol. So users should pay attention to the following:
 Enabling dot1q-tunnel on a Trunk port will make the tag of the data packet unpredictable, which is not required in the application. So it is not recommended to enable dot1q-tunnel on a Trunk port unless VLAN translation is in operation.
 Configuring it on a port-channel is not supported.
 Enabling it together with STP/MSTP is not supported.
 Enabling it together with PVLAN is not supported.
 If MAC address binding cannot be enabled for a port, make sure the port is not enabling port aggregation and is not configured as a Trunk port. MAC address binding is exclusive to such configurations. If MAC address binding is to be enabled, the functions mentioned above must be disabled first.
 If a secure address is set as a static address and then deleted, that secure address will be unusable even though it exists. For this reason, it is recommended to avoid static addresses for ports enabling MAC address binding.
 DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent. Before using it, users should make sure that the DHCP Relay Agent is configured correctly.
 DHCP option 82 needs the DHCP Relay Agent and the DHCP server to cooperate to finish the task of allocating IP addresses. The DHCP server should set the allocation policy correctly depending on the network topology of the DHCP Relay Agent, or, even if the Relay Agent operates normally, the allocation of addresses will fail. When there is more than one kind of Relay Agent, pay attention to the retransmitting policy of the interface DHCP request messages.
 To implement the option 82 function of the DHCP Relay Agent, the “debug dhcp relay packet” command can be used during operation; it shows the option 82 contents added, the retransmitting policy adopted, the option 82 contents of the server reply stripped by the Relay Agent, etc. Such information can help users with troubleshooting.
 To implement the option 82 function of the DHCP server, the “debug ip dhcp server packet” command can be used during operation to display the server's processing of data packets, including the identified option 82 information of the request message and the option 82 information returned in the reply message.
 First, ensure the physical connection is correct.
 Second, ensure the interface and link protocol are UP (use the show interface command).
 Then initiate the RIP protocol (use the router rip command), configure the segment (use the network command) and set the RIP protocol parameters on the corresponding interfaces, such as the choice between RIP-I and RIP-II.
 After that, one feature of the RIP protocol should be noticed: the Layer 3 switch running RIP sends route update messages to all neighboring Layer 3 switches every 30 seconds. A Layer 3 switch is considered inaccessible if no route update messages from it are received within 180 seconds; the route to that switch then remains in the route table for another 120 seconds before it is deleted. Therefore, when a RIP route is to be deleted, the route entry is assured to be deleted from the route table after 300 seconds. When exchanging routing messages with a CE using RIP on the PE router, first create the corresponding VPN routing/forwarding instances and associate them with the corresponding interfaces, then enter the RIP address family mode to configure the corresponding parameters. If the RIP routing problem remains unresolved, use the debug rip command to record the debug messages for three minutes, and send them to our technical service center.
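The 30/180/120-second behaviour described in the last point (and the three values that the “timers basic” command adjusts) is easy to misread when reading a route table during troubleshooting, so the following Python block models it as an added example. It is not the switch's code: the table layout, the sample route and the method names are assumptions made here, and time is a plain seconds counter so that the state of a route at any moment can be read off directly.

```python
"""RIP route ageing with the update, invalid and garbage-collection timers (added example)."""
RIP_INFINITY = 16
DEFAULT_TIMERS = (30, 180, 120)   # update, invalid, garbage: the defaults that 'timers basic' adjusts


class RipRouteTable:
    """Minimal model of one switch's RIP table; all times are seconds on one clock."""

    def __init__(self, timers=DEFAULT_TIMERS):
        self.update, self.invalid, self.garbage = timers
        self.routes = {}   # prefix -> {"metric", "next_hop", "last_update", "gc_deadline"}

    def learn(self, prefix, next_hop, metric, now):
        """Process one route from a received update. A reachable metric (re)starts the route's
        invalid timer; metric 16 from the neighbor poisons the route immediately."""
        if metric >= RIP_INFINITY:
            self._mark_unreachable(prefix, now)
            return
        self.routes[prefix] = {"metric": metric, "next_hop": next_hop,
                               "last_update": now, "gc_deadline": None}

    def _mark_unreachable(self, prefix, at):
        """The route is kept with metric 16 for 'garbage' seconds after 'at', then removed."""
        route = self.routes.get(prefix)
        if route is not None and route["gc_deadline"] is None:
            route["metric"] = RIP_INFINITY
            route["gc_deadline"] = at + self.garbage

    def age(self, now):
        """Run the timers: an update gap of 'invalid' seconds poisons the route at exactly
        last_update + invalid, and reaching the garbage-collection deadline removes it."""
        for prefix, route in list(self.routes.items()):
            if route["gc_deadline"] is None and now - route["last_update"] >= self.invalid:
                self._mark_unreachable(prefix, route["last_update"] + self.invalid)
            if route["gc_deadline"] is not None and now >= route["gc_deadline"]:
                del self.routes[prefix]

    def state(self, prefix, now):
        """'valid', 'unreachable' (still listed with metric 16) or 'deleted' as of time now."""
        self.age(now)
        route = self.routes.get(prefix)
        if route is None:
            return "deleted"
        return "unreachable" if route["gc_deadline"] is not None else "valid"

    def missed_updates(self, prefix, now):
        """How many periodic updates the neighbor has missed so far, for the troubleshooter."""
        route = self.routes.get(prefix)
        return 0 if route is None else (now - route["last_update"]) // self.update
```

With the defaults a route learned at second 0 and never refreshed is still valid at second 179, is listed with metric 16 from second 180 and disappears at second 300; a single refresh at any point restarts the 180-second window, and an explicit metric-16 advertisement from the neighbor skips straight to the 120-second hold. The same class with “timers basic 10 60 40” shows the shortened cycle.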
Chapter 36 RIPng
36.1 Introduction to RIPng
RIPng was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIPng is a distance vector routing prot­ocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to the neighboring devices:
• The number of hops to reach the destination network, or the metric to use, or the number of networks to pass.
• The next hop, or the direction (vector) to use to reach the destination network.
Distance vector Layer 3 switches send their whole routing tables to the neighboring Layer 3 switches at regular intervals. A Layer 3 switch builds its own routing table based on the information received from the neighboring Layer 3 switches, and then sends this information to its own neighboring Layer 3 switches. As a result, the routing table is built on second-hand information, and a route beyond 15 hops is deemed unreachable.
RIPng is an optional routing protocol based on UDP. Hosts using RIPng send and receive packets on UDP port 521. All Layer 3 switches running RIP send their route table to all neighboring Layer 3 switches every 30 seconds as an update. If no information from a partner is received within 180 seconds, the device is deemed to have failed and the network connected to that device is considered unreachable. However, the route to that Layer 3 switch is kept in the route table for another 120 seconds before deletion.
Because Layer 3 switches running RIPng build their route tables from second-hand information, “infinite count” (counting to infinity) may occur. In a network running RIPng, when a RIPng route becomes unreachable, the neighboring RIPng Layer 3 switch does not send a route update packet at once; instead, it waits for the update interval timeout (every 30 seconds) and then sends the update packet containing that route. If, before it receives that update packet, its neighbors send packets containing information about the failed route, “infinite count” results: in other words, the route to the unreachable Layer 3 switch keeps being selected with a progressively increasing metric. This greatly affects route selection and route convergence time.
To avoid “infinite count”, RIPng provides mechanisms such as “split horizon” and “triggered update” to resolve routing loops. “Split horizon” avoids sending back to a gateway the routes learned from that gateway. There are two split horizon methods: “simple split horizon” and “poison reverse split horizon”. Simple split horizon removes, from the routes sent to the neighboring gateways, the routes learned from those gateways; poison reverse split horizon does not remove those routes but sets their cost to infinity. The “triggered update” mechanism means that whenever a route metric changes on a gateway, the gateway advertises the update packet immediately rather than waiting for the 30-second timer.
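As an added example (not from the manual or the switch firmware, and written to serve both this passage and the “split-horizon” and “passive-interface” tables of the RIP and RIPng chapters), the following Python block computes what a switch advertises out of an interface under no split horizon, simple split horizon, poison reverse and “passive-interface”, and counts the update rounds a two-switch loop needs before both switches hold metric 16, with and without split horizon. The routing table, the two-switch scenario and the function names are constructed for the example.

```python
"""Split horizon, poison reverse, passive-interface and counting to infinity (added example)."""
RIP_INFINITY = 16

# Constructed routing table: prefix -> (metric, interface the route is connected to or learned on)
SAMPLE_TABLE = {
    "10.1.1.0/24": (1, "vlan1"),   # directly connected
    "20.1.1.0/24": (1, "vlan2"),   # directly connected
    "30.0.0.0/8": (3, "vlan1"),    # learned from the neighbor on vlan1
}


def advertisement(table, out_if, mode="simple", passive=frozenset()):
    """Routes advertised out of out_if.
    mode 'none': no split horizon; 'simple': omit routes learned on out_if
    ('split-horizon'); 'poisoned': send them back with metric 16 ('split-horizon poisoned').
    An interface listed in passive ('passive-interface') sends nothing."""
    if out_if in passive:
        return []
    advertised = []
    for prefix, (metric, learned_if) in sorted(table.items()):
        if learned_if == out_if and mode == "simple":
            continue
        if learned_if == out_if and mode == "poisoned":
            advertised.append((prefix, RIP_INFINITY))
        else:
            advertised.append((prefix, metric))
    return advertised


def count_to_infinity_rounds(split_horizon):
    """Two switches: B reaches a destination through A with metric 2. The destination behind A
    fails just before B's periodic update reaches A. Returns the number of update rounds until
    both switches hold metric 16; with split horizon B withholds the route it learned from A."""
    a_metric, a_via_b = RIP_INFINITY, False   # A has just lost its connected route
    b_metric = 2                               # B's next hop is A throughout
    rounds = 0
    while a_metric < RIP_INFINITY or b_metric < RIP_INFINITY:
        rounds += 1
        # B's update reaches A. A accepts it from its current next hop, or when it is better.
        if not split_horizon and (a_via_b or b_metric + 1 < a_metric):
            a_metric, a_via_b = min(b_metric + 1, RIP_INFINITY), True
        # A's update reaches B. B's next hop is A, so it always takes A's metric plus one hop.
        b_metric = min(a_metric + 1, RIP_INFINITY)
    return rounds
```

Without split horizon the two switches hand the stale route back and forth, raising the metric by two per round, and need eight rounds (four minutes of 30-second updates) before it reaches 16; with split horizon B never returns the route to A and the failure settles in a single round.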
So far the RIPng protocol has only one version, version 1; RIPng is specified in RFC 2080. RIPng transmits update packets as multicast packets (multicast address FF02::9).
Each Layer 3 switch running RIPng has a route database, which contains all route entries for reachable destinations, and the route table is built from this database. When a RIPng Layer 3 switch sends route update packets to its neighboring devices, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each Layer 3 switch is quite large, causing degraded network performance.
Besides the above, the RIPng protocol allows IPv6 route information discovered by other routing protocols to be introduced into the route table.
The operation of the RIPng protocol is shown below:
1. Enable RIPng. The switch sends request packets to the neighboring Layer 3 switches by broadcasting; on receiving the request, the neighboring devices reply with packets containing their local routing information.
2. The Layer 3 switch modifies its local route table on receiving the reply packets and sends triggered update packets to the neighboring devices to advertise the route update information. On receiving the triggered update packet, the neighboring Layer 3 switches send triggered update packets to their own neighboring Layer 3 switches. After a sequence of triggered update packet broadcasts, all Layer 3 switches obtain and maintain the latest route information.
In addition, RIPng Layer 3 switches advertise their local route table to their neighboring devices every 30 seconds. On receiving the packets, the neighboring devices maintain their local route tables, select the best routes and advertise the updated information to their own neighboring devices, so that the updated routes become globally valid. Moreover, RIP uses a timeout mechanism for outdated routes: if a switch does not receive regular update packets from a neighbor within a certain interval (the invalid timer interval), it considers the routes from that neighbor invalid; after holding the route for a further interval (the garbage collection timer interval), it deletes that route.
As IPv6 networks continue to develop, there are sometimes network environments without IPv6 support, so IPv6 operation has to be carried through a tunnel. Therefore, our RIPng supports configuration on configured tunnels and passes through networks without IPv6 support by means of IPv4-encapsulated unicast packets.
36.2 RIPng Configuration Task List
RIPng Configuration Task List:
1. Enable RIPng protocol (required)
(1) Enable/disable RIPng protocol
(2) Configure the interfaces running RIPng protocol
2. Configure RIPng protocol parameters (optional)
(1) Configure RIPng sending mechanism
1) Configure specified RIPng packets transmission address
(2) Configure RIP routing parameters
1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIPng)
2) Configure the route deviation
3) Configure and apply route filter
4) Configure split horizon
3. Configure other RIPng parameters
(1) Configure timer for RIPng update, timeout and hold-down
4. Delete the specified route in RIPng route table
5. Configure RIPng route aggregation
(1) Configure aggregation route of IPv6 route mode
(2) Configure aggregation route of IPv6 interface configuration mode
(3) Display IPv6 aggregation route information
6. Configure redistribution of OSPFv3 routing to RIPng
(1) Enable redistribution of OSPFv3 routing to RIPng
(2) Display and debug the information about configuration of redistribution of OSPFv3 routing to RIPng
1. Enable RIPng protocol
Applying the RIPng routing protocol with a basic configuration on the switch is simple. Normally you only have to enable RIPng and configure the segments running RIPng; the switch then sends and receives RIPng packets with the default RIPng configuration.
Command / Explanation
Global mode
[no] router IPv6 rip
  Enables the RIPng protocol; the “no router IPv6 rip” command shuts the RIPng protocol down.
Interface configuration mode
[no] IPv6 router rip
  Configures the interface to run the RIPng protocol; the “no IPv6 router rip” command sets the interface not to run RIPng.
2. Configure RIPng protocol parameters
(1) Configure the RIPng sending mechanism
1) Configure RIPng point-to-point transmission
Command / Explanation
Router configuration mode
[no] neighbor <IPv6-address> <ifname>
  Specifies the IPv6 link-local address and interface of a neighboring router that needs point-to-point transmission; the “no neighbor <IPv6-address> <ifname>” command cancels the appointed router.
[no] passive-interface <ifname>
  Blocks the RIPng multicast on the specified port, so that RIPng packets are only exchanged with the Layer 3 switches configured with “neighbor”; the “no passive-interface <ifname>” command cancels the function.
(2) Configure RIP routing parameters
1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced into RIP)
Command / Explanation
Router configuration mode
default-metric <value>
no default-metric
  Configures the default metric of redistributed routes; the “no default-metric” command restores the default configuration, 1.
[no] redistribute {kernel|connected|static|ospf|isis|bgp} [metric <value>] [route-map <word>]
  Redistributes the routes of other routing protocols into RIPng packets; the “no redistribute {kernel|connected|static|ospf|isis|bgp} [metric <value>] [route-map <word>]” command cancels the redistribution of the corresponding protocol's routes.
[no] default-information originate
  Generates a default route into the RIPng protocol; the “no default-information originate” command cancels the feature.
2) Configure the route offset
Command / Explanation
Router configuration mode
[no] offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]
  Adds an offset value to the route metric when the port sends or receives RIPng packets for the routes matching the access list; the “no offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]” command removes the offset list.
3) Configure and apply the route filter and route aggregation
Command / Explanation
Router configuration mode
[no] distribute-list {<access-list-number|access-list-name>|prefix <prefix-list-name>} {in|out} [<ifname>]
  Filters the routes when the interface sends and receives RIPng packets; the “no distribute-list {<access-list-number|access-list-name>|prefix <prefix-list-name>} {in|out} [<ifname>]” command means the route filter is not set.
[no] aggregate-address <IPv6-address>
  Configures route aggregation; the “no aggregate-address <IPv6-address>” command cancels the route aggregation.
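As an added illustration of the route filtering and offset commands (example code written for this guide, not the switch's implementation; it serves the distribute-list and offset-list tables of this chapter and of the RIP chapter alike, since the ipaddress module handles both address families), the following Python block evaluates an ordered prefix list with first-match, implicit-deny semantics, then applies “distribute-list prefix ... in” followed by “offset-list ... in <number> [<ifname>]” to a constructed inbound update. The prefix-list rule format, the use of the same rule form for the offset-list's access list, and the sample update are assumptions of the example.

```python
"""Inbound RIP/RIPng update processing: distribute-list prefix filter, then offset-list (added example)."""
from ipaddress import ip_network

RIP_INFINITY = 16


def prefix_list_match(prefix, rules):
    """Ordered prefix-list evaluation: first matching rule decides, implicit deny at the end.
    Each rule is (action, network, ge, le): the route must lie inside 'network' and its prefix
    length must fall within [ge, le]; with neither bound given the match is exact (assumed semantics)."""
    net = ip_network(prefix)
    for action, rule_net, ge, le in rules:
        rule = ip_network(rule_net)
        if net.version != rule.version or not net.subnet_of(rule):
            continue
        lo = ge if ge is not None else rule.prefixlen
        hi = le if le is not None else (net.max_prefixlen if ge is not None else lo)
        if lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def process_inbound(update, ifname, dist_list_in, offset_list_in):
    """Apply 'distribute-list prefix <name> in' and then 'offset-list <acl> in <number> [<ifname>]'
    to the routes of one update received on ifname. update: list of (prefix, metric).
    offset_list_in: list of (acl_rules, offset, ifname_or_None); the access list is modelled with
    the same rule form as a prefix list. Returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix, metric in update:
        if not prefix_list_match(prefix, dist_list_in):
            rejected.append((prefix, "denied by distribute-list"))
            continue
        metric += 1                      # cost of the hop over the receiving interface
        for acl, offset, rule_if in offset_list_in:
            if rule_if in (None, ifname) and prefix_list_match(prefix, acl):
                metric += offset
                break
        if metric >= RIP_INFINITY:
            rejected.append((prefix, "unreachable (metric 16) after offset"))
            continue
        accepted.append((prefix, metric))
    return accepted, rejected


# Constructed sample: one RIP response received on vlan1 from a neighbor
SAMPLE_UPDATE = [("192.168.21.0/24", 1), ("192.168.22.0/24", 1), ("10.0.0.0/8", 3),
                 ("172.16.5.0/24", 15), ("0.0.0.0/0", 1)]
# distribute-list prefix FROM-BRANCH in: /16 to /24 inside 192.168.0.0/16, exactly /24 inside 172.16.0.0/12
SAMPLE_DIST_LIST = [("permit", "192.168.0.0/16", None, 24), ("permit", "172.16.0.0/12", 24, 24)]
# offset-list SLOW-LINK in 5 vlan1: penalise 192.168.22.0/24 when it is learned on vlan1
SAMPLE_OFFSETS = [([("permit", "192.168.22.0/24", None, None)], 5, "vlan1")]
```

On the constructed update the default route and 10.0.0.0/8 never reach the table because nothing permits them, 192.168.22.0/24 arrives with metric 7 on vlan1 but only 2 on any other interface where the offset list does not apply, and 172.16.5.0/24 is permitted by the filter yet discarded because its metric reaches 16 after the hop cost.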
4) Configure split horizon
Command / Explanation
Interface configuration mode
IPv6 rip split-horizon [poisoned]
  Enables split horizon when the port sends packets; “poisoned” means poison reverse is used.
no IPv6 rip split-horizon
  Cancels split horizon.
3. Configure other RIPng protocol parameters
(1) Configure the timers for RIPng update, timeout and hold-down
Command / Explanation
Router configuration mode
timers basic <update> <invalid> <garbage>
no timers basic
  Adjusts the RIPng update, timeout and garbage collection timers; the “no timers basic” command restores the default configuration.
4. Delete the specified route in the RIPng route table
Command / Explanation
Admin Mode
clear IPv6 rip route {<IPv6-address>|kernel|static|connected|rip|ospf|isis|bgp|all}
  Deletes a specified route from the RIPng route table.
5. Configure RIPng route aggregation
(1) Configure IPv6 aggregation route globally
Command / Explanation
Router Configuration Mode
ipv6 rip aggregate-address X:X::X:X/M
no ipv6 rip aggregate-address X:X::X:X/M
  Configures or deletes an IPv6 aggregation route globally.
(2) Configure IPv6 aggregation route on interface
Command / Explanation
Interface Configuration Mode
ipv6 rip aggregate-address X:X::X:X/M
no ipv6 rip aggregate-address X:X::X:X/M
  Configures or deletes an IPv6 aggregation route on the interface.
(3) Display IPv6 aggregation route information
Command / Explanation
Admin Mode and Configuration Mode
show ipv6 rip aggregate
  Displays IPv6 aggregation route information, such as the aggregation interface, metric, number of aggregated routes and times of aggregation.
6. Configure redistribution of OSPFv3 routing to RIPng
(1) Enable redistribution of OSPFv3 routing to RIPng
Command / Explanation
Router IPv6 RIP Configuration Mode
redistribute ospf [<process-tag>] [metric <value>] [route-map <word>]
no redistribute ospf [<process-tag>]
  Enables or disables redistribution of OSPFv3 routing into RIPng.
(2) Display and debug the information about configuration of redistribution of OSPFv3 routing to RIPng
Command / Explanation
Admin Configuration Mode
show ipv6 rip redistribute
  Displays the RIPng routes redistributed from other routing protocols.
Admin Mode
debug ipv6 rip redistribute message send
no debug ipv6 rip redistribute message send
  Enables or disables debugging messages sent by RIPng for redistribution of OSPFv3 routing.
debug ipv6 rip redistribute route receive
no debug ipv6 rip redistribute route receive
  Enables or disables debugging of route messages received from NSM.
36.3 RIPng Configuration Examples
36.3.1 Typical RIPng Examples
[Figure: SwitchA (Interface VLAN1: 2000:1:1::1/64, Interface VLAN2: 2001:1:1::1/64); SwitchC (Interface VLAN1: 2000:1:1::2/64); SwitchB (Interface VLAN1: 2001:1:1::2/64)]
Figure 36-3-1 RIPng Example
As shown in the above figure, a network consists of three Layer 3 switches. SwitchA and SwitchB connect to SwitchC through interface vlan1 and vlan2. All three switches are running RIPng. Assume SwitchA (VLAN1: 2001:1:1::1/64 and VLAN2: 2001:1:1::1/64) exchanges update information with SwitchB (VLAN1: 2001:1:1::2/64) only; update information is not exchanged between SwitchA and SwitchC (VLAN1: 2001:1:1::2/64).
The configuration for SwitchA, SwitchB and SwitchC is shown below:
Layer 3 SwitchA
Enable the RIPng protocol
SwitchA(config)#router IPv6 rip
SwitchA(config-router)#exit
Configure the IPv6 address on vlan1 and configure vlan1 to run RIPng
SwitchA#config
SwitchA(config)# interface Vlan1
SwitchA(config-if-Vlan1)# IPv6 address 2000:1:1::1/64
SwitchA(config-if-Vlan1)#IPv6 router rip
SwitchA(config-if-Vlan1)#exit
Configure the IPv6 address on vlan2 and configure vlan2 to run RIPng
SwitchA(config)# interface Vlan2
SwitchA(config-if-Vlan2)#IPv6 address 2001:1:1::1/64
SwitchA(config-if-Vlan2)#IPv6 router rip
SwitchA(config-if-Vlan2)#exit
Configure interface vlan1 not to send RIPng messages to SwitchC
SwitchA(config)#
SwitchA(config-router)#passive-interface Vlan1
SwitchA(config-router)#exit
Layer 3 SwitchB
Enable the RIPng protocol
SwitchB(config)#router IPv6 rip
SwitchB(config-router-rip)#exit
Configure the IPv6 address of vlan1 and configure the interface to run RIPng
SwitchB#config
SwitchB(config)# interface Vlan1
SwitchB(config-if)# IPv6 address 2001:1:1::2/64
SwitchB(config-if)#IPv6 router rip
SwitchB(config-if)#exit
Layer 3 SwitchC
Enable the RIPng protocol
SwitchC(config)#router IPv6 rip
SwitchC(config-router-rip)#exit
Configure the IPv6 address of vlan1 and configure the interface to run RIPng
SwitchC#config
SwitchC(config)# interface Vlan1
SwitchC(config-if)# IPv6 address 2000:1:1::2/64
SwitchC(config-if)#IPv6 router rip
SwitchC(config-if)#exit
36.3.2 RIPng Aggregation Route Function Typical Examples
The application topology is as follows:
[Figure: S1 (VLAN1: 2001:1::1:1) connected to S2 (VLAN1: 2001:1::1:2); S2 advertises the aggregate 2001:1::20:0/110 for its subnets 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112]
Figure 36-3-2 Typical application of RIP ng aggregation
In the above network topology, S2 is connected to S1 through interface vlan1, and S2 has four other subnets: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112. S2 supports route aggregation. After the aggregation route 2001:1::20:0/110 is configured on interface vlan1 of S2, S2 aggregates the four subnet routes into one route, 2001:1::20:0/110, sends it to S1 through vlan1, and does not send the individual subnets to the neighbor. This reduces the routing table of S1 and saves memory.
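Before configuring an aggregate it is worth checking that the summary really covers the subnets behind it, because a component outside the aggregate is still advertised on its own and a summary wider than the components attracts traffic for addresses the switch does not hold. The following Python block is an added example (not the switch's code) that takes the component prefixes from this topology and from the RIP aggregation example in the previous chapter, reports which components fall inside the configured aggregate, computes the smallest prefix that would cover all of them, and lists what the neighbor receives. The function names and the reuse of the figures' prefixes as constructed input are assumptions of the example.

```python
"""Checking a RIP/RIPng aggregate against its component subnets (added example, not switch code)."""
from ipaddress import ip_network


def aggregate_report(aggregate, components):
    """Split the components into those inside the aggregate and those outside it."""
    agg = ip_network(aggregate)
    covered, not_covered = [], []
    for component in components:
        net = ip_network(component)
        inside = net.version == agg.version and net.subnet_of(agg)
        (covered if inside else not_covered).append(str(net))
    return covered, not_covered


def smallest_covering_prefix(components):
    """Shortest single prefix that contains every component (all must share one IP version)."""
    nets = [ip_network(component) for component in components]
    agg = nets[0]
    while not all(net.subnet_of(agg) for net in nets):
        agg = agg.supernet()   # widen by one bit until everything fits
    return str(agg)


def advertised_to_neighbor(aggregate, components):
    """What the neighbor receives: one aggregate in place of the covered components, plus any
    uncovered component, which is still advertised on its own."""
    covered, not_covered = aggregate_report(aggregate, components)
    return ([str(ip_network(aggregate))] if covered else []) + not_covered


# Constructed from the two aggregation topologies in this chapter and the previous one
RIP_COMPONENTS = ["192.168.21.0/24", "192.168.22.0/24", "192.168.23.0/24", "192.168.24.0/24"]
RIPNG_COMPONENTS = ["2001:1::20:0/112", "2001:1::21:0/112", "2001:1::22:0/112", "2001:1::23:0/112"]
```

For the IPv6 topology the four /112 subnets fit the /110 exactly, so S1 receives a single route. For the IPv4 topology the check shows that 192.168.20.0/22 spans 192.168.20.0 to 192.168.23.255, so 192.168.24.0/24 lies outside it and is still advertised separately, and that a summary covering all four /24s would have to be 192.168.16.0/20.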
S1 configuration list:
S1(config)#router ipv6 rip
S1(config-router)#network vlan 1
S2 configuration list:
S2(config)#router ipv6 rip
S2(config-router)#network vlan 1
S2(config-router)#exit
S2(config)#in vlan 1
S2(Config-if-Vlan1)# ipv6 rip agg 2001:1::20:0/110
36.4 RIPng Troubleshooting
The RIPng protocol may not work properly due to errors such as a faulty physical connection or a configuration error when configuring and using the RIPng protocol. So users should pay attention to the following:
 First, ensure the physical connection is correct and the IP forwarding command is enabled.
 Second, ensure the interface and link layer protocol are UP (use the show interface command).
 Then initiate the RIPng protocol (use the router IPv6 rip command), configure the port (use the IPv6 router rip command), and set the RIPng protocol parameters on the corresponding interfaces.
 After that, a RIPng protocol feature should be noticed: the Layer 3 switch running RIPng transmits route update messages every 30 seconds. A Layer 3 switch is considered inaccessible if no route update messages from it are received within 180 seconds; the route to that switch then remains in the route table for 120 seconds before it is deleted. Therefore, when a RIPng route is to be deleted, the route entry is assured to be deleted from the route table after 300 seconds.
Chapter 37 OSPF
37.1 Introduction to OSPF
OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an
autonomous system. The protocol creates a link-state database by exchanging link-states among layer3
switches, and then uses the Shortest Path First algorithm to generate a route table based on that database.
An autonomous system (AS) is a self-managed interconnected network. Large networks such as the Internet are
broken down into autonomous systems. Big enterprise networks connecting to the Internet are independent
ASes, since the other hosts on the Internet are not managed by those ASes and do not share interior routing
information with the layer3 switches inside them.
Each link-state Layer3 switch provides its neighboring Layer3 switches with information about the topology:
• The network segments (links) connected to the layer3 switch
• The state of each connected link
Link-state information is flooded throughout the network so that all Layer3 switches get firsthand information.
Link-state Layer3 switches do not broadcast the entire contents of their route tables; they only send changed
link-state information. Link-state Layer3 switches establish neighbor relationships by sending HELLO packets to
their neighbors, after which link-state advertisements (LSAs) are exchanged between neighboring Layer3
switches. A neighboring Layer3 switch copies each LSA into its link-state database and passes it on to the rest
of the network. This process is referred to as "flooding". In this way, firsthand information reaches the whole
network and provides an accurate map for creating and updating routes. Link-state routing protocols use cost
instead of hop count to choose routes. Cost is assigned automatically or manually; depending on the link-state
protocol, it may reflect the number of hops a packet must pass, the link bandwidth, or the current load of the
link, and the administrator can additionally weight it to better reflect the state of the link.
1) When a link-state layer3 switch joins a link-state interconnected network, it sends a HELLO packet to get
to know its neighbors and establish neighbor relationships.
2) The neighbors respond with information about the links they are connected to and the related costs.
3) The originating layer3 switch uses this information to build its own routing table.
4) Then, as part of the regular update, the layer3 switch sends link-state advertisement (LSA) packets to its
neighboring layer3 switches. The LSA contains the links of that layer3 switch and their related costs.
5) Each neighboring layer3 switch copies the LSA packet and passes it to its next neighbor (i.e. flooding).
6) Since the routing database is not recalculated before a layer3 switch forwards a flooded LSA, the
convergence time is greatly reduced.
One major advantage of link-state routing protocols is that the count-to-infinity problem of distance-vector
protocols cannot occur, because of the way link-state protocols build their routing tables. The second advantage
is that convergence in a link-state interconnected network is very fast: once the routing topology changes,
updates are flooded throughout the network almost immediately. These advantages free up layer3 switch
resources, as little processing capacity and bandwidth are wasted on bad route information.
The features of the OSPF protocol include the following. OSPF supports networks of various scales; several
hundred layer3 switches can be supported in an OSPF network. Routing topology changes are detected quickly
and updating LSAs are sent immediately, so routes converge quickly. Link-state information is used by the
shortest path algorithm for route calculation, eliminating routing loops. OSPF divides the autonomous system
into areas, reducing database size, bandwidth usage and calculation load (according to their position in the
autonomous system, layer3 switches are grouped as internal area switches, area border switches, AS border
switches and backbone switches). OSPF supports load balancing over multiple equal-cost routes to the same
destination. OSPF supports a four-level route preference (routes are processed in the order intra-area path,
inter-area path, type 1 external path and type 2 external path). OSPF supports IP subnets, redistribution of
routes from other routing protocols, and interface-based packet authentication. OSPF sends its packets as
multicast.
Each OSPF layer3 switch maintains a database describing the topology of the whole autonomous system. Each
layer3 switch gathers its local status information, such as available interfaces and reachable neighbors, and
sends link-state advertisements to exchange link-state information with other OSPF layer3 switches, forming a
link-state database that describes the whole autonomous system. Each layer3 switch builds a shortest path tree
rooted at itself from the link-state database; this tree provides the routes to all nodes in the autonomous
system. Where two or more layer3 switches share a segment (i.e. a multi-access network), a "designated layer3
switch" and a "backup designated layer3 switch" are elected. The designated layer3 switch is responsible for
spreading the link-state of the network; this reduces the traffic among the Layer3 switches in a multi-access
network.
The OSPF protocol requires the autonomous system to be divided into areas: area 0 (the backbone area) and
non-0 areas. Routing information between areas is further abstracted and summarized to reduce the bandwidth
required in the network. OSPF uses four different kinds of routes: intra-area routes, inter-area routes, type 1
external routes and type 2 external routes, in order from highest to lowest preference. Intra-area and inter-area
routes describe the internal network structure of an autonomous system, while external routes describe how to
reach destinations outside the autonomous system. Type 1 external routes correspond to information introduced
into OSPF from other interior routing protocols; their costs are comparable with the costs of OSPF routes. Type 2
external routes correspond to information introduced into OSPF from exterior routing protocols; their costs are
far greater than those of OSPF routes, so the internal OSPF cost is ignored when comparing them.
OSPF areas are centered on the backbone area, identified as Area 0. All other areas must be logically connected
to Area 0, and Area 0 must be contiguous. For this reason the concept of the virtual link is introduced: areas that
are physically separated from the backbone can still have logical connectivity to it. All layer3 switches in the
same area must be configured with consistent area parameters.
In summary, LSAs are only transferred between neighboring Layer3 switches. The OSPF protocol includes five
types of LSA: router LSA, network LSA, network summary LSA (to other areas), ASBR summary LSA and AS
external LSA, also called type 1, type 2, type 3, type 4 and type 5 LSA respectively. A router LSA is generated
by each layer3 switch inside an OSPF area and sent to all its neighboring layer3 switches in the same area. A
network LSA is generated by the designated layer3 switch of a multi-access network in the OSPF area and sent
to all other neighboring layer3 switches in that area (to reduce traffic on a multi-access network, a "designated
layer3 switch" and a "backup designated layer3 switch" are elected, and the network link-state is broadcast by
the designated layer3 switch). Network summary LSAs are generated by the border switches of an OSPF area
and transferred among area border layer3 switches. AS external LSAs are generated by layer3 switches on the
external border of the AS and flooded throughout the AS.
Where an autonomous system mainly advertises external link-state, OSPF allows some areas to be configured as
STUB areas to reduce the size of the topology database. Type 4 LSAs (ASBR summary LSAs) and type 5 LSAs
(AS external LSAs) are not flooded into or through STUB areas. STUB areas must rely on default routes: the
layer3 switches on the edge of a STUB area advertise a default route into the STUB area with a type 3 summary
LSA, and that default route floods only inside the STUB area and never leaves it. Each STUB area has its own
default route, and traffic from a STUB area to destinations outside the AS must follow the default route of that
area.
The following briefly outlines the route calculation process of the OSPF protocol:
1) Each OSPF-enabled layer3 switch maintains a database (the LS database) describing the link-state of the
topology of the whole autonomous system. Each layer3 switch generates a link-state advertisement (router
LSA) describing its surrounding network topology and sends it to the other layer3 switches in link-state update
(LSU) packets. Each layer3 switch thereby receives the LSAs of the other layer3 switches, and all LSAs are
combined into the link-state database.
2) Since an LSA describes the network topology around one layer3 switch, the LS database describes the
network topology of the whole network. From the LS database the layer3 switches can easily build a weighted
directed graph, and all layer3 switches in the same autonomous system end up with the same network topology
map.
3) Each layer3 switch uses the shortest path first (SPF) algorithm to calculate a shortest path tree rooted at
itself. The tree provides the route to every node in the autonomous system; its leaf nodes carry the external
route information. An external route can be marked by the layer3 switch that advertises it, so that additional
information about the autonomous system is recorded. As each tree is rooted at a different switch, the route
table of each layer3 switch is different.
The OSPF protocol is developed by the IETF; the OSPFv2 widely used today is specified in RFC 2328.
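The calculation just outlined, as an added example that is not code from this manual or from the switch firmware: a small link-state database is constructed by hand (router IDs 1.1.1.1 to 5.5.5.5 and their link costs are assumed values) and the SPF tree is computed from it with Dijkstra's algorithm, keeping every equal-cost next hop and ignoring links that only one endpoint advertises, as RFC 2328 section 16.1 requires.

```python
"""OSPF route calculation (LSDB -> shortest-path tree), worked example.

Added example; this is not code from the PLANET manual or the switch firmware.
The link-state database below is constructed by hand: every router LSA lists
(neighbor router-id, cost) pairs as advertised by the originating router, so a
cost is directional, exactly like the per-interface `ip ospf cost` value.
"""
import heapq

# Constructed LSDB: router-id -> links advertised in that router's router LSA.
LSDB = {
    "1.1.1.1": [("2.2.2.2", 10), ("3.3.3.3", 10)],
    "2.2.2.2": [("1.1.1.1", 10), ("4.4.4.4", 10)],
    "3.3.3.3": [("1.1.1.1", 10), ("4.4.4.4", 10)],
    "4.4.4.4": [("2.2.2.2", 10), ("3.3.3.3", 10), ("5.5.5.5", 5)],
    "5.5.5.5": [("4.4.4.4", 5)],
}


def advertises_link(lsdb, a, b):
    """True if router a's LSA contains a link to router b."""
    return any(nbr == b for nbr, _ in lsdb.get(a, []))


def spf(lsdb, root):
    """Dijkstra rooted at `root`, as each OSPF router runs it over the shared LSDB.

    Returns {router-id: (cost, set of next-hop router-ids)}. Equal-cost paths
    keep every next hop, which is what OSPF equal-cost multipath is built on.
    A link is only used when both endpoints advertise it (RFC 2328 16.1
    bidirectional check); a one-way link, e.g. after one side's LSA has aged
    out, is ignored.
    """
    dist = {root: 0}
    next_hops = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            if not advertises_link(lsdb, nbr, node):
                continue
            new_cost = cost + link_cost
            # next hop from the root is the neighbor itself; deeper nodes inherit
            hops = {nbr} if node == root else next_hops[node]
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                next_hops[nbr] = set(hops)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == dist[nbr] and nbr not in done:
                next_hops[nbr] |= hops  # equal-cost path: add the extra next hop
    return {n: (dist[n], next_hops[n]) for n in dist}


def routing_table(lsdb, root):
    """Human-readable view of the SPF result, sorted by cost then router-id."""
    lines = []
    ordered = sorted(spf(lsdb, root).items(), key=lambda kv: (kv[1][0], kv[0]))
    for dest, (cost, hops) in ordered:
        if dest != root:
            lines.append("%s cost %d via %s" % (dest, cost, ", ".join(sorted(hops))))
    return lines


if __name__ == "__main__":
    print("\n".join(routing_table(LSDB, "1.1.1.1")))
```

Run from 1.1.1.1, the tree reaches 4.4.4.4 at cost 20 over two equal-cost next hops (2.2.2.2 and 3.3.3.3), and 5.5.5.5 inherits both; removing the 4.4.4.4 to 5.5.5.5 link from only one side's LSA makes 5.5.5.5 unreachable, which is the behaviour an operator sees while a neighbor's stale LSA is still in the database.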
37.2 OSPF Configuration Task List
The OSPF configuration for XGS3 series switches may differ from the configuration procedure on switches from
other manufacturers. It is a two-step process: 1. enable OSPF in Global Mode; 2. configure the OSPF area for
the interfaces. The configuration task list is as follows:
1. Enable OSPF protocol (required)
  (1) Enable/disable OSPF protocol (required)
  (2) Configure the ID number of the layer3 switch running OSPF (optional)
  (3) Configure the network scope for running OSPF (optional)
  (4) Configure the area for the interface (required)
2. Configure OSPF protocol parameters (optional)
  (1) Configure OSPF packet sending mechanism parameters
    1) Configure OSPF packet verification
    2) Set the OSPF interface to receive only
    3) Configure the cost for sending packets from the interface
    4) Configure OSPF packet sending timer parameters (timer for sending HELLO packets on a broadcast
       interface, timer after which a neighboring layer3 switch is declared invalid, LSA transmission delay
       timer and LSA retransmission timer)
  (2) Configure OSPF route introduction parameters
    1) Configure default parameters (default type, default tag value, default cost)
    2) Configure the routes of other protocols to be introduced into OSPF
  (3) Configure OSPF importing the routes of other OSPF processes
    1) Enable the function of OSPF importing the routes of other OSPF processes
    2) Display relative information
    3) Debug
  (4) Configure other OSPF protocol parameters
    1) Configure OSPF routing protocol priority
    2) Configure cost for OSPF STUB area and default route
    3) Configure OSPF virtual link
    4) Configure the priority of the interface when electing the designated layer3 switch (DR)
    5) Configure whether to keep a log of OSPF adjacency changes
3. Disable OSPF protocol
1. Enable OSPF protocol
Basic configuration of OSPF routing protocol on switch is quite simple, usually only enabling OSPF and
configuration of the OSPF area for the interface are required. The OSPF protocol parameters can use the
default settings. If OSPF protocol parameters need to be modified, please refer to “2. Configure OSPF
protocol parameters”.
Command / Explanation
Global Mode
  router ospf [process <id>]
  no router ospf [process <id>]
    Enables OSPF protocol; the "no router ospf" command disables OSPF protocol. (required)
OSPF Protocol Configuration Mode
  router-id <router_id>
  no router-id
    Configures the ID number for the layer3 switch running OSPF; the "no router-id" command cancels the ID
    number. When no ID number is configured, the IP address of an interface is selected as the layer3 switch ID.
    (optional)
  network {<network> <mask> | <network>/<prefix>} area <area_id>
  no network {<network> <mask> | <network>/<prefix>} area <area_id>
    Assigns the given network segment to the given area; the "no network ... area <area_id>" command cancels
    this configuration. (required)
2. Configure OSPF protocol parameters
(1) Configure OSPF packet sending mechanism parameters
1) Configure OSPF packet verification
2) Set the OSPF interface to receive only
3) Configure the cost for sending packets from the interface
Command / Explanation
Interface Configuration Mode
  ip ospf authentication {message-digest | null}
  no ip ospf authentication
    Configures the authentication method the interface uses to accept OSPF packets; the "no ip ospf
    authentication" command restores the default setting. Without the message-digest or null keyword, simple
    (password) authentication is used, in which the key is carried in cleartext in the 64-bit authentication field
    of every OSPF packet, so anyone who can capture traffic on the segment can read it. message-digest sends a
    keyed MD5 digest and a sequence number instead, so the key never appears on the wire; prefer it whenever
    all neighbors on the segment support it, and do not use a dictionary word as the key.
  ip ospf authentication-key LINE
  no ip ospf authentication-key
    Configures the key used to authenticate the OSPF packets received on the interface; the no form of this
    command restores the default setting.
  passive-interface {IFNAME | ethernet IFNAME | Vlan <ID>}
  no passive-interface {IFNAME | ethernet IFNAME | Vlan <ID>}
    Sets an interface to receive only; the "no passive-interface ..." command cancels this configuration.
  ip ospf cost <cost>
  no ip ospf cost
    Sets the cost for running OSPF on the interface; the "no ip ospf cost" command restores the default setting.
4) Configure OSPF packet sending timer parameters (timer for sending HELLO packets on a broadcast interface,
timer after which a neighboring layer3 switch is declared invalid, LSA transmission delay timer and LSA
retransmission timer)
Command / Explanation
Interface Configuration Mode
  ip ospf hello-interval <time>
  no ip ospf hello-interval
    Sets the interval for sending HELLO packets; the "no ip ospf hello-interval" command restores the default
    setting.
  ip ospf dead-interval <time>
  no ip ospf dead-interval
    Sets the interval after which a neighboring layer3 switch is regarded as invalid; the "no ip ospf
    dead-interval" command restores the default setting. The hello and dead intervals must match on all
    neighbors of a segment, otherwise no adjacency forms.
  ip ospf transit-delay <time>
  no ip ospf transit-delay
    Sets the delay time before sending link-state broadcasts; the "no ip ospf transit-delay" command restores
    the default setting.
  ip ospf retransmit <time>
  no ip ospf retransmit
    Sets the interval for retransmission of link-state advertisements between neighboring layer3 switches; the
    "no ip ospf retransmit" command restores the default setting.
(2) Configure OSPF route introduction parameters
Configure the routes of other protocols to be introduced into OSPF.
Command / Explanation
OSPF Protocol Configuration Mode
  redistribute {bgp | connected | static | rip | kernel} [metric-type {1 | 2}] [tag <tag>]
  [metric <cost_value>] [route-map <WORD>]
  no redistribute {bgp | connected | static | rip | kernel}
    Redistributes the routes learned by other protocols and static routes into OSPF as external routing
    information; the "no redistribute ..." command cancels the redistribution.
(3) Configure OSPF importing the routes of other OSPF processes
1) Enable the function of OSPF importing the routes of other OSPF processes
Command / Explanation
Router OSPF Mode
  redistribute ospf [<process-id>] [metric <value>] [metric-type {1|2}] [route-map <word>]
  no redistribute ospf [<process-id>] [metric <value>] [metric-type {1|2}] [route-map <word>]
    Enables or disables the function of OSPF importing the routes of other OSPF processes.
2) Display relative information
Command / Explanation
Admin Mode or Configure Mode
  show ip ospf [<process-id>]
    Displays the configuration information of the OSPF redistribute process that imports outside routes.
3) Debug
Command / Explanation
Admin Mode
  debug ospf redistribute message send
  no debug ospf redistribute message send
    Enables or disables debugging of the messages sent from the OSPF process to the other OSPF process it
    redistributes routes to.
  debug ospf redistribute route receive
  no debug ospf redistribute route receive
    Enables or disables debugging of the routing messages received from the NSM process.
(4) Configure other OSPF protocol parameters
1) Configure how the OSPF SPF algorithm timer is calculated
2) Configure the LSA limit in the OSPF link state database
3) Configure various OSPF area parameters
Command / Explanation
OSPF Protocol Configuration Mode
  timers spf <interval>
  no timers spf
    Configures the SPF timer of OSPF; the "no timers spf" command restores the default setting.
  overflow database {<max-LSA> [hard | soft] | external <max-LSA> <recover time>}
  no overflow database [external <max-LSA> <recover time>]
    Configures the LSA limit of the current OSPF process database; the "no overflow database ..." command
    restores the default setting.
  area <id> {authentication [message-digest] | default-cost <cost> | filter-list {access | prefix} <WORD>
  {in | out} | nssa [default-information-originate | no-redistribution | no-summary | translator-role] |
  range <range> | stub [no-summary] | virtual-link <neighbor>}
  no area <id> {authentication | default-cost | filter-list {access | prefix} <WORD> {in | out} | nssa
  [default-information-originate | no-redistribution | no-summary | translator-role] | range <range> |
  stub [no-summary] | virtual-link <neighbor>}
    Configures the parameters of an OSPF area (STUB area, NSSA area and virtual links); the "no area ..."
    command restores the default settings.
4) Configure the priority of the interface when electing the designated layer3 switch (DR)
Command / Explanation
Interface Configuration Mode
  ip ospf priority <priority>
  no ip ospf priority
    Sets the priority of the interface in the "designated layer3 switch" election; the "no ip ospf priority"
    command restores the default setting.
5) Configure whether to keep a log of OSPF adjacency changes
Command / Explanation
OSPF Protocol Configuration Mode
  log-adjacency-changes detail
  no log-adjacency-changes detail
    Configures whether to keep a log of OSPF adjacency changes.
3. Disable OSPF protocol
Command / Explanation
Global Mode
  no router ospf [process <id>]
    Disables the OSPF routing protocol.
37.3 OSPF Examples
37.3.1 Configuration Example of OSPF
Scenario 1: OSPF autonomous system.
This scenario takes an OSPF autonomous system consisting of five switches as an example.
[Figure 37-3-1 Network topology of OSPF autonomous system: five layer3 switches, labelled SwitchA to SwitchE in
the figure and Switch1 to Switch5 in the configuration below. Links in Area 0: 10.1.1.0/24 (10.1.1.1, 10.1.1.2),
100.1.1.0/24 (100.1.1.1, 100.1.1.2) and 30.1.1.0/24 (30.1.1.1, 30.1.1.2); link in Area 1: 20.1.1.0/24 (20.1.1.1,
20.1.1.2).]
The configurations for layer3 Switch1 to Switch5 are shown below:
Layer 3 Switch1:
Configure the IP address for interface vlan1
Switch1#config
Switch1(config)# interface vlan 1
Switch1(config-if-vlan1)# ip address 10.1.1.1 255.255.255.0
Switch1(config-if-vlan1)#exit
Configure the IP address for interface vlan2
Switch1(config)# interface vlan 2
Switch1(config-if-vlan2)# ip address 100.1.1.1 255.255.255.0
Switch1(config-if-vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan1 and vlan2.
Switch1(config)#router ospf
Switch1(config-router)#network 10.1.1.0/24 area 0
Switch1(config-router)#network 100.1.1.0/24 area 0
Switch1(config-router)#exit
Switch1(config)#exit
Switch1#
Layer 3 Switch2:
Configure the IP address for interface vlan1 and vlan3.
Switch2#config
Switch2(config)# interface vlan 1
Switch2(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0
Switch2(config-if-vlan1)#no shutdown
Switch2(config-if-vlan1)#exit
Switch2(config)# interface vlan 3
Switch2(config-if-vlan3)# ip address 20.1.1.1 255.255.255.0
Switch2(config-if-vlan3)#no shutdown
Switch2(config-if-vlan3)#exit
Enable OSPF protocol, configure the OSPF areas that interfaces vlan1 and vlan3 reside in.
Switch2(config)#router ospf
Switch2(config-router)# network 10.1.1.0/24 area 0
Switch2(config-router)# network 20.1.1.0/24 area 1
Switch2(config-router)#exit
Switch2(config)#exit
Switch2#
Layer 3 Switch3:
Configure the IP address for interface vlan3.
Switch3#config
Switch3(config)# interface vlan 3
Switch3(config-if-vlan3)# ip address 20.1.1.2 255.255.255.0
Switch3(config-if-vlan3)#no shutdown
Switch3(config-if-vlan3)#exit
Enable OSPF protocol, configure the OSPF area to which interface vlan3 belongs.
Switch3(config)#router ospf
Switch3(config-router)# network 20.1.1.0/24 area 1
Switch3(config-router)#exit
Switch3(config)#exit
Switch3#
Layer 3 Switch4:
Configure the IP address for interface vlan3
Switch4#config
Switch4(config)# interface vlan 3
Switch4(config-if-vlan3)# ip address 30.1.1.2 255.255.255.0
Switch4(config-if-vlan3)#no shutdown
Switch4(config-if-vlan3)#exit
Enable OSPF protocol, configure the OSPF area that interface vlan3 resides in.
Switch4(config)#router ospf
Switch4(config-router)# network 30.1.1.0/24 area 0
Switch4(config-router)#exit
Switch4(config)#exit
Switch4#
Layer 3 Switch5:
Configure the IP address for interface vlan2
Switch5#config
Switch5(config)# interface vlan 2
Switch5(config-if-vlan2)# ip address 100.1.1.2 255.255.255.0
Switch5(config-if-vlan2)#no shutdown
Switch5(config-if-vlan2)#exit
Configure the IP address for interface vlan3
Switch5(config)# interface vlan 3
Switch5(config-if-vlan3)# ip address 30.1.1.1 255.255.255.0
Switch5(config-if-vlan3)#no shutdown
Switch5(config-if-vlan3)#exit
Enable OSPF protocol, configure the area number that interfaces vlan2 and vlan3 reside in.
Switch5(config)#router ospf
Switch5(config-router)# network 30.1.1.0/24 area 0
Switch5(config-router)# network 100.1.1.0/24 area 0
Switch5(config-router)#exit
Switch5(config)#exit
Switch5#
Scenario 2: Typical OSPF protocol complex topology.
[Figure 37-3-2 Typical complex OSPF autonomous system: networks N1 to N15, layer3 switches SwitchA to
SwitchL, areas Area0 to Area3.]
This scenario is a typical complex OSPF autonomous system network topology. Area 1 includes networks N1-N4
and layer3 switches SwitchA-SwitchD; area 2 includes networks N8-N10, host H1 and layer3 SwitchH; area 3
includes N5-N7 and layer3 SwitchF, SwitchG, SwitchJ and SwitchK. Networks N8-N10 share a summary route
with host H1 (i.e. area 3 is defined as a STUB area). Layer3 SwitchA, SwitchB, SwitchD, SwitchE, SwitchG,
SwitchH and SwitchL are in-area layer3 switches; SwitchC, SwitchD, SwitchF, SwitchJ and SwitchK are area
border layer3 switches; SwitchD and SwitchF are AS border layer3 switches.
In area 1, layer3 switches SwitchA and SwitchB are in-area switches. The area border switches SwitchC and
SwitchD are responsible for advertising the distance (cost) to all destinations outside the area, and also for
advertising the location of the AS border layer3 switches SwitchD and SwitchF. AS external link-state
advertisements from SwitchD and SwitchF are flooded throughout the whole autonomous system; when these
ASE LSAs flood into area 1 they are included in the area 1 database and used to compute the routes to
networks N11 and N15.
In addition, layer3 SwitchC and SwitchD must summarize the topology of area 1 to the backbone area (area 0;
all non-0 areas must be connected via area 0, direct connections between them are not allowed), advertising
the networks in area 1 (N1-N4) and the costs from SwitchC and SwitchD to those networks. As the backbone
area must remain connected, there must be a virtual link between backbone layer3 SwitchJ and SwitchK. The
area border layer3 switches exchange summary information via the backbone, and each area border layer3
switch listens to the summary information from the other border layer3 switches.
A virtual link can not only maintain the connectivity of the backbone area but also strengthen it. For example, if
the connection between backbone layer3 SwitchG and SwitchJ is cut, the backbone area becomes
discontiguous. The backbone area can be made more robust by establishing a virtual link between backbone
layer3 switches SwitchF and SwitchJ; in addition, that virtual link provides a short path from area 3 to layer3
SwitchF.
Take area 1 as an example. Assume the IP address of layer3 SwitchA interface VLAN2 is 10.1.1.1, the IP address
of layer3 SwitchB interface VLAN2 is 10.1.1.2, the IP address of layer3 SwitchC interface VLAN2 is 10.1.1.3 and
the IP address of layer3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA connects to network N1 through Ethernet
interface VLAN1 (IP address 20.1.1.1); SwitchB connects to network N2 through Ethernet interface VLAN1 (IP
address 20.1.2.1); SwitchC connects to network N4 through Ethernet interface VLAN3 (IP address 20.1.3.1). All
three addresses belong to area 1. SwitchC connects to layer3 SwitchE through Ethernet interface VLAN1 (IP
address 10.1.5.1); SwitchD connects to the backbone through Ethernet interface VLAN1 (IP address 10.1.6.1);
these two addresses belong to area 0. Simple authentication is used among the layer3 switches in area 1, and
the area border switches of area 1 authenticate with the area 0 backbone layer3 switches using MD5
authentication.
The following are only the configurations of the layer3 switches in area 1; the configurations of the layer3
switches in the other areas are omitted. The configurations of SwitchA, SwitchB, SwitchC and SwitchD are:
1) SwitchA:
Configure IP address for interface vlan2
SwitchA#config
SwitchA(config)# interface vlan 2
SwitchA(config-If-Vlan2)# ip address 10.1.1.1 255.255.255.0
SwitchA(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2.
SwitchA(config)#router ospf
SwitchA(config-router)#network 10.1.1.0/24 area 1
SwitchA(config-router)#exit
Configure simple key authentication.
SwitchA(config)#interface vlan 2
SwitchA(config-If-Vlan2)#ip ospf authentication
SwitchA(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchA(config-If-Vlan2)#exit
Configure IP address and area number for interface vlan1.
SwitchA(config)# interface vlan 1
SwitchA(config-If-Vlan1)#ip address 20.1.1.1 255.255.255.0
SwitchA(config-If-Vlan1)#exit
SwitchA(config)#router ospf
SwitchA(config-router)#network 20.1.1.0/24 area 1
SwitchA(config-router)#exit
2) SwitchB:
Configure IP address for interface vlan2
SwitchB#config
SwitchB(config)# interface vlan 2
SwitchB(config-If-Vlan2)# ip address 10.1.1.2 255.255.255.0
SwitchB(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2.
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 1
SwitchB(config-router)#exit
Configure simple key authentication.
SwitchB(config)#interface vlan 2
SwitchB(config-If-Vlan2)#ip ospf authentication
SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchB(config-If-Vlan2)#exit
Configure IP address and area number for interface vlan1.
SwitchB(config)# interface vlan 1
SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0
SwitchB(config-If-Vlan1)#exit
SwitchB(config)#router ospf
SwitchB(config-router)#network 20.1.2.0/24 area 1
SwitchB(config-router)#exit
SwitchB(config)#exit
3) SwitchC:
Configure IP address for interface vlan2
SwitchC#config
SwitchC(config)# interface vlan 2
SwitchC(config-If-Vlan2)# ip address 10.1.1.3 255.255.255.0
SwitchC(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2
SwitchC(config)#router ospf
SwitchC(config-router)#network 10.1.1.0/24 area 1
SwitchC(config-router)#exit
Configure simple key authentication
SwitchC(config)#interface vlan 2
SwitchC(config-If-Vlan2)#ip ospf authentication
SwitchC(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchC(config-If-Vlan2)#exit
Configure IP address and area number for interface vlan3
SwitchC(config)# interface vlan 3
SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0
SwitchC(config-If-Vlan3)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.3.0/24 area 1
SwitchC(config-router)#exit
Configure IP address and area number for interface vlan1
SwitchC(config)# interface vlan 1
SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.0
SwitchC(config-If-Vlan1)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 10.1.5.0/24 area 0
SwitchC(config-router)#exit
Configure MD5 key authentication.
SwitchC(config)#interface vlan 1
SwitchC(config-If-Vlan1)#ip ospf authentication message-digest
SwitchC(config-If-Vlan1)#ip ospf authentication-key DCS
SwitchC(config-If-Vlan1)#exit
SwitchC(config)#exit
SwitchC#
4) SwitchD:
Configure IP address for interface vlan2
SwitchD#config
SwitchD(config)# interface vlan 2
SwitchD(config-If-Vlan2)# ip address 10.1.1.4 255.255.255.0
SwitchD(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2.
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.1.0/24 area 1
SwitchD(config-router)#exit
Configure simple key authentication.
SwitchD(config)#interface vlan 2
SwitchD(config-If-Vlan2)#ip ospf authentication
SwitchD(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchD(config-If-Vlan2)#exit
Configure the IP address and the area number for interface vlan1
SwitchD(config)# interface vlan 1
SwitchD(config-If-Vlan1)# ip address 10.1.6.1 255.255.255.0
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.6.0/24 area 0
SwitchD(config-router)#exit
Configure MD5 key authentication
SwitchD(config)#interface vlan 1
SwitchD(config-If-Vlan1)#ip ospf authentication message-digest
SwitchD(config-If-Vlan1)#ip ospf authentication-key DCS
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#exit
SwitchD#
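The two authentication modes configured above (simple key on VLAN 2 inside area 1, message-digest toward area 0), shown as they appear on the wire. This is an added Python example, not code from this manual or from the switch; it follows RFC 2328 Appendix D and reuses the key DCS and the router addresses of this scenario, while the Key ID, the sequence numbers and the Hello contents are assumed values. It demonstrates why the simple-key configuration inside area 1 hands the key to anyone who can capture traffic on that segment, and how a message-digest receiver rejects tampered, wrongly keyed and replayed packets.

```python
"""OSPFv2 packet authentication on the wire (RFC 2328 Appendix D), worked example.

Added example; not code from the PLANET manual or the switch firmware. It builds
a minimal OSPF Hello under the two modes the `ip ospf authentication` command
selects: simple password (AuType 1) and message-digest (AuType 2). The key "DCS"
and router addresses come from Scenario 2; Key ID 1, the sequence numbers and
the Hello timers (RFC 2328 defaults 10 s / 40 s) are assumed values.
"""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION, HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN, DIGEST_LEN = 24, 16


def ip(addr):
    return socket.inet_aton(addr)


def ospf_checksum(data):
    """16-bit one's-complement checksum used for AuType 0 and 1 (not for AuType 2)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask, hello=10, dead=40, prio=1, dr="0.0.0.0", bdr="0.0.0.0"):
    """Hello payload: mask, HelloInterval, Options (E bit), Rtr Pri, DeadInterval, DR, BDR."""
    return ip(mask) + struct.pack("!HBBI", hello, 0x02, prio, dead) + ip(dr) + ip(bdr)


def header(ptype, body_len, router_id, area_id, autype, auth, checksum=0):
    """24-byte OSPFv2 header; Length covers header + body but never the MD5 digest."""
    return (struct.pack("!BBH", OSPF_VERSION, ptype, HEADER_LEN + body_len)
            + ip(router_id) + ip(area_id) + struct.pack("!HH", checksum, autype) + auth)


def build_simple(router_id, area_id, body, password):
    """AuType 1: the password itself sits in the 64-bit Authentication field."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    pkt = header(HELLO, len(body), router_id, area_id, AUTH_SIMPLE, auth) + body
    csum = ospf_checksum(pkt[:16] + pkt[24:])      # checksum skips the auth field
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def sniffed_password(pkt):
    """What a passive listener on the VLAN recovers from an AuType 1 packet."""
    return pkt[16:24].rstrip(b"\x00").decode()


def _pad_key(key):
    return key.encode()[:16].ljust(16, b"\x00")


def build_md5(router_id, area_id, body, key, key_id, seq):
    """AuType 2: auth field = (0, Key ID, Auth Data Len, sequence); digest appended to the packet."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = header(HELLO, len(body), router_id, area_id, AUTH_CRYPTO, auth) + body
    digest = hashlib.md5(pkt + _pad_key(key)).digest()  # header checksum stays 0
    return pkt + digest


def verify_md5(pkt, keys, last_seq, peer):
    """Receiver side: select key by Key ID, recompute digest, enforce non-decreasing sequence."""
    length = struct.unpack("!H", pkt[2:4])[0]
    autype = struct.unpack("!H", pkt[14:16])[0]
    if autype != AUTH_CRYPTO or len(pkt) != length + DIGEST_LEN:
        return False
    _, key_id, au_len, seq = struct.unpack("!HBBI", pkt[16:24])
    key = keys.get(key_id)
    if key is None or au_len != DIGEST_LEN:
        return False
    expected = hashlib.md5(pkt[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return False
    if seq < last_seq.get(peer, 0):        # RFC 2328 D.4.3: older sequence = replay
        return False
    last_seq[peer] = seq
    return True


def demo():
    body = hello_body("255.255.255.0")
    simple = build_simple("10.1.1.1", "0.0.0.1", body, "DCS")        # SwitchA, area 1
    signed = build_md5("10.1.5.1", "0.0.0.0", body, "DCS", 1, 100)    # SwitchC, area 0
    keys, seen = {1: "DCS"}, {}
    tampered = signed[:24] + bytes([signed[24] ^ 0x01]) + signed[25:]  # flip a body bit
    older = build_md5("10.1.5.1", "0.0.0.0", body, "DCS", 1, 99)
    return {
        "leaked_key": sniffed_password(simple),
        "valid": verify_md5(signed, keys, seen, "10.1.5.1"),
        "tampered": verify_md5(tampered, keys, seen, "10.1.5.1"),
        "wrong_key": verify_md5(signed, {1: "XYZ"}, {}, "10.1.5.1"),
        "replayed_older": verify_md5(older, keys, seen, "10.1.5.1"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the digest is a plain MD5 over packet and key, not an HMAC, and MD5 is no longer considered strong; it still keeps the key off the wire and stops casual tampering and replay, which the simple mode cannot do, so on a platform that offers only these two modes message-digest is the one to use.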
Scenario 3: The function of OSPF importing the routes of other OSPF processes
As shown in the following figure, a switch running the OSPF routing protocol connects two networks, network A
and network B. For some reason it is required that network A can learn the routes of network B, but network B
must not learn the routes of network A. To achieve this, two OSPF processes are started, one on interface vlan 1
and one on interface vlan 2. The OSPF process that interface vlan 1 belongs to is configured to import the routes
of the OSPF process that interface vlan 2 belongs to, while the OSPF process that interface vlan 2 belongs to is
not configured to import the routes of the OSPF process that interface vlan 1 belongs to.
[Figure 37-3-3 Function of OSPF importing the routes of other OSPF processes: Network A - Vlan1 (1.1.1.1) -
switch - Vlan2 (2.2.2.2) - Network B.]
We can configure as follows:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#router ospf 10
XGS3-42000R(config-router)#network 2.2.2.0/24 area 1
XGS3-42000R(config-router)#exit
XGS3-42000R(config)#router ospf 20
XGS3-42000R(config-router)#network 1.1.1.0/24 area 1
XGS3-42000R(config-router)#redistribute ospf 10
XGS3-42000R(config-router)#exit
37.3.2 Configuration Examples of OSPF VPN
Figure 37-3-4 OSPF VPN Example (SwitchA: interface vlan1 10.1.1.1/24, interface vlan2 20.1.1.1/24; SwitchB: interface vlan1 10.1.1.2/24; SwitchC: interface vlan1 20.1.1.2/24)
The above figure shows a network consisting of three Layer 3 switches, in which SwitchA acts as the PE and SwitchB and SwitchC act as CE1 and CE2. The PE is connected to CE1 and CE2 through vlan1 and vlan2. Routing messages are exchanged between the PE and the CEs through the OSPF protocol.
a) SwitchA, the Layer 3 switch acting as PE
Configure the VPN routing/forwarding instances (VRFs) vpnb and vpnc
SwitchA#config
SwitchA(config)#ip vrf vpnb
SwitchA(config-vrf)#exit
SwitchA(config)#ip vrf vpnc
SwitchA(config-vrf)#exit
Associate vlan 1 and vlan 2 with vpnb and vpnc respectively while configuring the IP addresses
SwitchA(config)#interface vlan 1
SwitchA(config-if-Vlan1)#ip vrf forwarding vpnb
SwitchA(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#exit
SwitchA(config)#interface vlan 2
SwitchA(config-if-Vlan2)#ip vrf forwarding vpnc
SwitchA(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
SwitchA(config-if-Vlan2)#exit
Configure the OSPF instances associated with vpnb and vpnc respectively
SwitchA(config)#router ospf 100 vpnb
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
SwitchA(config-router)#exit
SwitchA(config)#router ospf 200 vpnc
SwitchA(config-router)#network 20.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
b) The Layer 3 switch SwitchB, acting as CE1:
Configure the IP address of Ethernet E1/2
SwitchB#config
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
SwitchB(config-if-vlan1)#exit
Enable the OSPF protocol and configure the OSPF segments
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 0
SwitchB(config-router)#exit
c) The Layer 3 switch SwitchC, acting as CE2:
Configure the IP address of Ethernet E1/2
SwitchC#config
SwitchC(config)#interface vlan 1
SwitchC(config-if-vlan1)#ip address 20.1.1.2 255.255.255.0
SwitchC(config-if-vlan1)#exit
Start the OSPF protocol and configure the OSPF segments
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.1.0/24 area 0
SwitchC(config-router)#exit
37.4 OSPF Troubleshooting
The OSPF protocol may not work properly because of errors such as a faulty physical connection or a configuration error made when configuring and using the OSPF protocol. Users should therefore pay attention to the following:
• First, ensure the physical connection is correct.
• Second, ensure the interface and link protocol are UP (use the show interface command).
• Configure IP addresses from different segments on each interface.
• Then start the OSPF protocol (use the router ospf command) and configure the OSPF area on the corresponding interface.
• After that, an OSPF protocol feature should be checked: the OSPF backbone area must be continuous, and if it is not, a virtual link must be applied to make it continuous. All non-0 areas may only be connected to other non-0 areas through area 0; a border Layer 3 switch is one in which part of the interfaces belong to area 0 and the other part belong to non-0 areas; a DR Layer 3 switch should be specified for multi-access networks such as broadcast networks.
Chapter 38 OSPFv3
38.1 Introduction to OSPFv3
OSPFv3 (Open Shortest Path First version 3) is the third version of Open Shortest Path First, and it is the IPv6 version of the OSPF protocol. It is an interior dynamic routing protocol for autonomous systems based on link-state. The protocol creates a link-state database by exchanging link-states among layer3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database.
An autonomous system (AS) is a self-managed interconnected network. In large networks, such as the Internet, a giant interconnected network is broken down into autonomous systems. Big enterprise networks connecting to the Internet are independent ASes, since the other hosts on the Internet are not managed by those ASes and they don't share interior routing information with the layer3 switches on the Internet.
Each link-state layer3 switch can provide information about the topology to its neighboring layer3 switches:
• The network segment (link) connecting to the layer3 switch
• State of the connecting link
Link-state information is flooded throughout the network so that all layer3 switches can get first-hand information. Link-state layer3 switches will not broadcast all information contained in their route tables; instead, they only send changed link-state information. Link-state layer3 switches establish neighborhood by sending "HELLO" to their neighbors, then link-state advertisements (LSA) are sent among neighboring layer3 switches. Neighboring layer3 switches copy the LSA to their routing table and transfer the information to the rest of the network. This process is referred to as "flooding". In this way, first-hand information is sent throughout the network to provide an accurate map for creating and updating routes in the network. Link-state routing protocols use cost instead of hops to decide the route. Cost is assigned automatically or manually. According to the algorithm in the link-state protocol, cost can be used to calculate the hop number for packets to pass, link bandwidth, and current load of the link; the administrator can even add weight for better assessment of the link-state.
1) When a link-state layer3 switch enters a link-state interconnected network, it sends a HELLO packet to get to know its neighbors and establish neighborhood.
2) The neighbors respond with information about the links they are connecting and the related costs.
3) The originating layer3 switch uses this information to build its own routing table.
4) Then, as part of the regular update, the layer3 switch sends link-state advertisement (LSA) packets to its neighboring layer3 switches. The LSA includes the links and related costs of that layer3 switch.
5) Each neighboring layer3 switch copies the LSA packet and passes it to the next neighbor (i.e. flooding).
6) Since the routing database is not recalculated before the layer3 switch forwards the LSA flooding, the converging time is greatly reduced.
One major advantage of link-state routing protocols is the fact that counting to infinity is impossible, because of the way link-state routing protocols build up their routing tables. The second advantage is that convergence in a link-state interconnected network is very fast: once the routing topology changes, updates are flooded throughout the network very soon. These advantages release some layer3 switch resources, as the processing ability and bandwidth used by bad route information are minor.
The features of the OSPFv3 protocol include the following: OSPFv3 supports networks of various scales; several hundred layer3 switches can be supported in an OSPFv3 network. Routing topology changes can be quickly found and updating LSAs can be sent immediately, so that routes converge quickly. Link-state information is used in the shortest path algorithm for route calculation, eliminating route loops. OSPFv3 divides the autonomous system into areas, reducing database size, bandwidth occupation and calculation load. (According to the position of layer3 switches in the autonomous system, they can be grouped as internal area switches, area edge switches, AS edge switches and backbone switches.) OSPFv3 supports load balancing and multiple routes to the same destination of equal cost. OSPFv3 supports a 4-level routing mechanism (routes are processed in the order: route inside an area, route between areas, type 1 external route and type 2 external route). OSPFv3 supports IP subnets and redistribution of routes from other routing protocols, and interface-based packet verification. OSPFv3 supports sending packets in multicast.
Each OSPFv3 layer3 switch maintains a database describing the topology of the whole autonomous system. Each layer3 switch gathers the local status information, such as available interfaces and reachable neighbors, and sends link-state advertisements (sending out link-state information) to exchange link-state information with other OSPFv3 layer3 switches to form a link-state database describing the whole autonomous system. Each layer3 switch builds a shortest path tree rooted at itself according to the link-state database; this tree provides the routes to all nodes in the autonomous system. If two or more layer3 switches exist on a link (i.e. a multi-access network), a "designated layer3 switch" and a "backup designated layer3 switch" will be selected. The designated layer3 switch is responsible for spreading the link-state of the network. This concept helps reduce the traffic among the Layer3 switches in a multi-access network.
The OSPFv3 protocol requires the autonomous system to be divided into areas, that is, to divide the autonomous system into area 0 (the backbone area) and non-0 areas. Routing information between areas is further abstracted and summarized to reduce the bandwidth required in the network. OSPFv3 uses four different kinds of routes: the route inside the area, the route between areas, the type 1 external route and the type 2 external route, in the order of highest priority to lowest. The routes inside an area and between areas describe the internal network structure of an autonomous system, while external routes describe how to select the routing information to destinations outside the autonomous system. The first type of exterior route corresponds to the information introduced by OSPFv3 from the other interior routing protocols; the costs of those routes are comparable with the costs of OSPFv3 routes. The second type of exterior route corresponds to the information introduced by OSPFv3 from the other exterior routing protocols, but the costs of those routes are far greater than that of OSPFv3 routes, so the OSPFv3 route cost is ignored when calculating route costs.
OSPFv3 areas are centered on the backbone area, identified as Area 0; all the other areas must be connected to Area 0 logically, and Area 0 must be continuous. For this reason, the concept of a virtual link is introduced to the backbone area, so that physically separated areas still have logical connectivity to the backbone area. The configurations of all the layer3 switches in the same area must be the same.
In one word, LSAs can only be transferred between neighboring Layer3 switches, and the OSPFv3 protocol includes seven kinds of LSA: link LSA, internal-area prefix LSA, router LSA, network LSA, inter-area prefix LSA, inter-area router LSA and autonomous system exterior LSA. The router LSA is generated by each Layer 3 switch in an OSPF area, and is sent to all other neighboring Layer 3 switches in this area; the network LSA is generated by the designated Layer 3 switch in the OSPF area of a multi-access network and is sent to all other neighboring layer3 switches in this area. (To reduce data traffic among the Layer 3 switches in the multi-access network, a "designated layer3 switch" and a "backup designated layer3 switch" should be selected in the multi-access network, and the network link-state is broadcast by the designated Layer 3 switch.) The inter-area prefix LSA and inter-area router LSA are generated by OSPF area border Layer 3 switches and transferred among those switches. The autonomous system exterior LSA is generated by autonomous system exterior border Layer 3 switches and transferred in the whole autonomous system. The link LSA is generated by a Layer 3 switch on the link and sent to the other Layer 3 switches on the link. The internal-area prefix LSA is generated by the designated layer3 switch of each link in this area, and flooded to the whole area.
For autonomous systems focused on exterior link-state announcements, OSPFv3 allows some areas to be configured as STUB areas in order to reduce the size of the topological database. Router LSAs, network LSAs, inter-area prefix LSAs, link LSAs and internal-area prefix LSAs are permitted to be advertised into a STUB area. A default route must be used in a STUB area; Layer 3 switches on the area border of a STUB area announce the default routes of the STUB area by inter-area prefix LSA; these default routes only flood in the STUB area, not outside of it. Each STUB area has a corresponding default route; the route from a STUB area to an AS exterior destination depends only on the default route of this area.
The following simply outlines the route calculation process of the OSPFv3 protocol:
1. Each OSPF-enabled layer3 switch maintains a database (LS database) describing the link-state of the topology structure of the whole autonomous system. Each layer3 switch generates a link-state advertisement according to its surrounding network topology structure (router LSA), and sends the LSA to other layer3 switches through link-state update (LSU) packets. Thus, each layer3 switch receives LSAs from other layer3 switches, and all LSAs are combined into the link-state database.
2. Since an LSA is the description of the network topology structure around a layer3 switch, the LS database is the description of the network topology structure of the whole network. The layer3 switches can easily create a weighted vector map according to the LS database. Obviously, all layer3 switches in the same autonomous system will have the same network topology map.
3. Each layer3 switch uses the shortest path first (SPF) algorithm to calculate a tree of shortest paths rooted at itself. The tree provides the route to all the nodes in the autonomous system; leaf nodes consist of the exterior route information. The exterior route can be marked by the layer3 switch that broadcast it, so that additional information about the autonomous system can be recorded. As a result, the route table of each layer3 switch is different.
The OSPFv3 protocol is developed by the IETF; the OSPFv3 used now is implemented according to the content described in RFC2328 and RFC2740.
As a result of the continuous development of IPv6 networks, there are sometimes network environments that do not support IPv6, so IPv6 operation needs to be done through a tunnel. Therefore, our OSPFv3 supports configuration on a configured tunnel, and passes through networks that do not support IPv6 by unicast packets with IPv4 encapsulation.
38.2 OSPFv3 Configuration Task List
OSPFv3 Configuration Task List:
1. Enable OSPFv3 (required)
   (1) Enable/disable OSPFv3 (required)
   (2) Configure the router-id number of the layer3 switch running OSPFv3 (optional)
   (3) Configure the network scope for running OSPFv3 (optional)
   (4) Enable OSPFv3 on the interface (required)
2. Configure OSPFv3 auxiliary parameters (optional)
   (1) Configure OSPFv3 packet sending mechanism parameters
       1) Set the OSPFv3 interface to receive only
       2) Configure the cost for sending packets from the interface
       3) Configure OSPFv3 packet sending timer parameters (timer of broadcast interface sending HELLO packet to poll, timer of neighboring layer3 switch invalid timeout, timer of LSA transmission delay and timer of LSA retransmission)
   (2) Configure OSPFv3 route introduction parameters
       1) Configure default parameters (default type, default tag value, default cost)
       2) Configure the routes of the other protocols to introduce to OSPFv3
   (3) Configure OSPFv3 importing the routes of other OSPFv3 processes
       1) Enable the function of OSPFv3 importing the routes of other OSPFv3 processes
       2) Display relative information
       3) Debug
   (4) Configure other OSPFv3 protocol parameters
       1) Configure OSPFv3 routing protocol priority
       2) Configure cost for OSPFv3 STUB area and default route
       3) Configure OSPFv3 virtual link
       4) Configure the priority of the interface when electing the designated layer3 switch
3. Close OSPFv3 Protocol
1. Enable OSPFv3 Protocol
It is very simple to run the basic configuration of the OSPFv3 routing protocol on the Layer 3 switches of the XGS3 series: normally only enabling OSPFv3 and enabling it on the OSPFv3 interface are needed, and the default values are used for the OSPFv3 protocol parameters. Refer to 2. Configure OSPFv3 parameters if the OSPFv3 protocol parameters need to be modified.
Commands / Explanation
Global Mode
  Command: [no] router IPv6 ospf <tag>
  Explanation: Initializes the OSPFv3 routing process and enters OSPFv3 mode to configure the OSPFv3 routing process. The no router IPv6 ospf <tag> command stops the relative process. (required)
OSPFv3 Protocol Configure Mode
  Command: router-id <router_id> / no router-id
  Explanation: Configure the router ID for the OSPFv3 process. The no router-id command returns the ID to 0.0.0.0. (required)
  Command: [no] passive-interface <ifname>
  Explanation: Configure an interface that receives without sending. The no passive-interface <ifname> command cancels the configuration.
Interface Configuration Mode
  Command: [no] IPv6 router ospf {area <area-id> [instance-id <instance-id> | tag <tag> [instance-id <instance-id>]] | tag <tag> area <area-id> [instance-id <instance-id>]}
  Explanation: Implement OSPFv3 routing on the interface. The no IPv6 router ospf {area <area-id> [instance-id <instance-id> | tag <tag> [instance-id <instance-id>]] | tag <tag> area <area-id> [instance-id <instance-id>]} command cancels the configuration.
2. Configure OSPFv3 parameters
(1) Configure OSPFv3 packet sending mechanism parameters
1) Set the OSPF interface to receive only
2) Configure the cost for sending packets from the interface
Commands / Explanation
Interface Configuration Mode
  Command: IPv6 ospf cost <cost> [instance-id <id>] / no IPv6 ospf cost [instance-id <id>]
  Explanation: Appoint the interface to implement the required cost of the OSPFv3 protocol. The no IPv6 ospf cost [instance-id <id>] command restores the default setting.
3) Configure OSPFv3 packet sending timer parameters (timer of broadcast interface sending HELLO packet to poll, timer of neighboring layer3 switch invalid timeout, timer of LSA transmission delay and timer of LSA retransmission)
Commands / Explanation
Interface Configuration Mode
  Command: IPv6 ospf hello-interval <time> [instance-id <id>] / no IPv6 ospf hello-interval [instance-id <id>]
  Explanation: Sets the interval for sending HELLO packets; the no IPv6 ospf hello-interval [instance-id <id>] command restores the default setting.
  Command: IPv6 ospf dead-interval <time> [instance-id <id>] / no IPv6 ospf dead-interval [instance-id <id>]
  Explanation: Sets the interval before regarding a neighbor layer3 switch as invalid; the no IPv6 ospf dead-interval [instance-id <id>] command restores the default setting.
  Command: IPv6 ospf transit-delay <time> [instance-id <id>] / no IPv6 ospf transit-delay [instance-id <id>]
  Explanation: Sets the delay time before sending a link-state broadcast; the no IPv6 ospf transit-delay [instance-id <id>] command restores the default setting.
  Command: IPv6 ospf retransmit <time> [instance-id <id>] / no IPv6 ospf retransmit [instance-id <id>]
  Explanation: Sets the interval for retransmission of link-state advertisements among neighbor layer3 switches; the no IPv6 ospf retransmit [instance-id <id>] command restores the default setting.
(2) Configure OSPFv3 route introduction parameters
Commands / Explanation
OSPF Protocol Mode
  Command: [no] redistribute {kernel | connected | static | rip | isis | bgp} [metric <value>] [metric-type {1|2}] [route-map <word>]
  Explanation: Introduces routes discovered by other protocols and static routes, regarded as external routing messages. The no redistribute {kernel | connected | static | rip | isis | bgp} [metric <value>] [metric-type {1|2}] [route-map <word>] command cancels the imported external routing messages.
(3) Configure OSPFv3 importing the routes of other OSPFv3 processes
1) Enable the function of OSPFv3 importing the routes of other OSPFv3 processes
Command / Explanation
Router IPv6 OSPF Mode
  Command: redistribute ospf [<process-id>] [metric <value>] [metric-type {1|2}] [route-map <word>] / no redistribute ospf [<process-id>] [metric <value>] [metric-type {1|2}] [route-map <word>]
  Explanation: Enable or disable the function of OSPFv3 importing the routes of other OSPFv3 processes.
2) Display relative information
Command / Explanation
Admin Mode or Configure Mode
  Command: show ipv6 ospf [<process-id>] redistribute
  Explanation: Display the configuration information of the OSPFv3 process importing other outside routes.
3) Debug
Command / Explanation
Admin Mode
  Command: debug ipv6 ospf redistribute message send / no debug ipv6 ospf redistribute message send
  Explanation: Enable or disable debugging of the sending of routes redistributed from this OSPFv3 process to other OSPFv3 processes.
  Command: debug ipv6 ospf redistribute route receive / no debug ipv6 ospf redistribute route receive
  Explanation: Enable or disable debugging of routing messages received from NSM for the OSPFv3 process.
(4) Configure Other Parameters of OSPFv3 Protocol
1) Configure OSPFv3 STUB Area & Default Routing Cost
2) Configure OSPFv3 Virtual Link
Commands / Explanation
OSPFv3 Protocol Configuration Mode
  Command: timers spf <spf-delay> <spf-holdtime> / no timers spf
  Explanation: Configure the OSPFv3 SPF timer. The no timers spf command recovers the default value.
  Command: area <id> stub [no-summary] / no area <id> stub [no-summary]
  Command: area <id> default-cost <cost> / no area <id> default-cost
  Command: area <id> virtual-link A.B.C.D [instance-id <instance-id> INTERVAL] / no area <id> virtual-link A.B.C.D [INTERVAL]
  Explanation: Configure parameters in the OSPFv3 area (STUB area, virtual link). The no command restores the default value.
4) Configure the priority of the interface when electing the designated layer3 switch (DR).
Commands / Explanation
Interface Configuration Mode
  Command: IPv6 ospf priority <priority> [instance-id <id>] / no IPv6 ospf priority [instance-id <id>]
  Explanation: Sets the priority of the interface in the "designated layer3 switch" election; the no IPv6 ospf priority [instance-id <id>] command restores the default setting.
3. Disable OSPFv3 Protocol
Commands / Explanation
Global Mode
  Command: no router IPv6 ospf [<tag>]
  Explanation: Disable the OSPFv3 routing protocol.
38.3 OSPFv3 Examples
Example 1: OSPF autonomous system.
This scenario takes an OSPF autonomous system consisting of five switches as an example, where layer3 SwitchA and SwitchD make up OSPF area 0, layer3 Switch2 and Switch3 form OSPF area 1 (assume the vlan1 interface of layer3 SwitchA belongs to area 0), and layer3 SwitchD forms OSPF area 2 (assume the vlan2 interface of layer3 SwitchD belongs to area 0). Switch1 and SwitchD are backbone layer3 switches, Switch2 and SwitchD are area edge layer3 switches, and Switch3 is the in-area layer3 switch.
Figure 38-3-1 Network topology of OSPF autonomous system (SwitchA, SwitchB, SwitchC, SwitchD and SwitchE in Area 0, Area 1 and Area 2; link addresses 2010:1:1::1/64 and ::2/64, 2100:1:1::1/64 and ::2/64, 2020:1:1::1/64 and ::2/64, 2030:1:1::1/64 and ::2/64, as assigned in the configurations below)
The configuration for layer3 SwitchA to SwitchE is shown below:
Layer3 SwitchA:
Enable OSPFv3 protocol, configure router ID
SwitchA(config)#router IPv6 ospf
SwitchA(config-router)#router-id 192.168.2.1
Configure interface vlan1 IPv6 address and affiliated OSPFv3 area
SwitchA#config
SwitchA(config)#interface vlan 1
SwitchA(config-if-vlan1)#IPv6 address 2010:1:1::1/64
SwitchA(config-if-vlan1)#IPv6 router ospf area 0
SwitchA(config-if-vlan1)#exit
Configure interface vlan2 IPv6 address and affiliated OSPFv3 area
SwitchA(config)#interface vlan 2
SwitchA(config-if-vlan2)#IPv6 address 2100:1:1::1/64
SwitchA(config-if-vlan2)#IPv6 router ospf area 0
SwitchA(config-if-vlan2)#exit
SwitchA(config)#exit
SwitchA#
Layer 3 SwitchB:
Enable OSPFv3 protocol, configure router ID
SwitchB(config)#router IPv6 ospf
SwitchB(config-router)#router-id 192.168.2.2
Configure interface vlan1 and vlan3 IPv6 addresses and affiliated OSPFv3 areas
SwitchB#config
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#IPv6 address 2010:1:1::2/64
SwitchB(config-if-vlan1)#IPv6 router ospf area 0
SwitchB(config-if-vlan1)#exit
SwitchB(config)#interface vlan 3
SwitchB(config-if-vlan3)#IPv6 address 2020:1:1::1/64
SwitchB(config-if-vlan3)#IPv6 router ospf area 1
SwitchB(config-if-vlan3)#exit
SwitchB(config)#exit
SwitchB#
Layer 3 SwitchC:
Enable OSPFv3 protocol, configure router ID
SwitchC(config)#router IPv6 ospf
SwitchC(config-router)#router-id 192.168.2.3
Configure interface vlan3 IPv6 address and affiliated OSPFv3 area
SwitchC#config
SwitchC(config)#interface vlan 3
SwitchC(config-if-vlan3)#IPv6 address 2020:1:1::2/64
SwitchC(config-if-vlan3)#IPv6 router ospf area 1
SwitchC(config-if-vlan3)#exit
SwitchC(config)#exit
SwitchC#
Layer 3 SwitchD:
Enable OSPFv3 protocol, configure router ID
SwitchD(config)#router IPv6 ospf
SwitchD(config-router)#router-id 192.168.2.4
Configure interface vlan3 IPv6 address and affiliated OSPFv3 area
SwitchD#config
SwitchD(config)#interface vlan 3
SwitchD(config-if-vlan3)#IPv6 address 2030:1:1::2/64
SwitchD(config-if-vlan3)#IPv6 router ospf area 0
SwitchD(config-if-vlan3)#exit
SwitchD(config)#exit
SwitchD#
Layer 3 SwitchE:
Start OSPFv3 protocol, configure router ID
SwitchE(config)#router IPv6 ospf
SwitchE(config-router)#router-id 192.168.2.5
Configure interface vlan2 IPv6 address and affiliated OSPFv3 area
SwitchE#config
SwitchE(config)#interface vlan 2
SwitchE(config-if-vlan2)#IPv6 address 2100:1:1::2/64
SwitchE(config-if-vlan2)#IPv6 router ospf area 0
SwitchE(config-if-vlan2)#exit
Configure interface vlan3 IPv6 address and affiliated area
SwitchE(config)#interface vlan 3
SwitchE(config-if-vlan3)#IPv6 address 2030:1:1::1/64
SwitchE(config-if-vlan3)#IPv6 router ospf area 0
SwitchE(config-if-vlan3)#exit
SwitchE(config)#exit
SwitchE#
38.4 OSPFv3 Troubleshooting
In the process of configuring and implementing OSPFv3, a faulty physical connection or a configuration error may cause the OSPFv3 protocol not to work. Therefore, customers should give their attention to the following:
• First of all, ensure the physical connection is correct;
• Secondly, ensure the interface and link protocol are UP (execute the show interface instruction);
• Configure IPv6 addresses of different net segments on every interface;
• Start the OSPFv3 protocol (execute the router IPv6 ospf instruction), and configure the affiliated OSPFv3 area on the relative interface;
• Then consider the OSPFv3 protocol characteristics: the OSPFv3 backbone area (area 0) must be continuous, and if it is not, a virtual link must be implemented to make it continuous; all non-area-0 areas can only be connected to other non-area-0 areas through area 0, never directly; a border Layer 3 switch is one in which part of the interfaces belong to area 0 and another part belong to a non-area-0 area; for multi-access networks such as broadcast networks, a DR Layer 3 switch needs to be elected and appointed; and no OSPFv3 process may be configured with a router ID of 0.0.0.0.
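The checklist above can be applied mechanically to a set of switch configurations. The following is an added example (Python; not part of this manual or of PLANET's software) that parses configurations written in this manual's CLI syntax and reports a router ID of 0.0.0.0, two interfaces of one switch in the same subnet, a link placed in different areas at its two ends, a non-backbone area with no border switch, and a discontinuous area 0. The five-switch topologies, the cfg() helper and all addresses are constructed for illustration.

```python
"""Check OSPFv3 configurations against the 37.4 / 38.4 troubleshooting checklist.

Added example, not the manual's or PLANET's code. Parses configs written in this
manual's CLI syntax (prompts are tolerated) and reports: router ID 0.0.0.0 or
missing, two interfaces on one switch in the same subnet, a link placed in
different areas at its two ends, a non-backbone area with no border switch, and
a discontinuous area 0. Sample topologies and addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

RID_RE = re.compile(r"^router-id\s+(\S+)", re.I)
IF_RE = re.compile(r"^interface\s+vlan\s*(\d+)", re.I)
ADDR_RE = re.compile(r"^ipv6\s+address\s+(\S+)", re.I)
AREA_RE = re.compile(r"^ipv6\s+router\s+ospf\s+area\s+(\d+)", re.I)

def parse_switch(text):
    """Return (router_id, [{"name", "addr", "area"}, ...]) for one switch's config."""
    router_id, ifaces, cur = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop a "SwitchA(config-if-vlan1)#" prompt
        if m := RID_RE.match(line):
            router_id = m.group(1)
        elif m := IF_RE.match(line):
            cur = {"name": "vlan" + m.group(1), "addr": None, "area": None}
            ifaces.append(cur)
        elif cur and (m := ADDR_RE.match(line)):
            cur["addr"] = ipaddress.IPv6Interface(m.group(1))
        elif cur and (m := AREA_RE.match(line)):
            cur["area"] = int(m.group(1))
    # only interfaces that actually run OSPFv3 (address and area both set) count
    return router_id, [i for i in ifaces if i["addr"] and i["area"] is not None]

def check_ospfv3(configs):
    """configs: {switch name: config text}. Returns a list of findings; [] means OK."""
    findings = []
    net_areas = defaultdict(set)      # prefix -> areas it was assigned to
    net_switches = defaultdict(set)   # prefix -> switches with an interface on it
    area_switches = defaultdict(set)  # area -> switches with an interface in it
    for sw, text in configs.items():
        router_id, ifaces = parse_switch(text)
        if router_id in (None, "0.0.0.0"):
            findings.append(f"{sw}: router ID missing or 0.0.0.0")
        seen = set()
        for i in ifaces:
            net = i["addr"].network
            if net in seen:
                findings.append(f"{sw}: {i['name']} reuses subnet {net}")
            seen.add(net)
            net_areas[net].add(i["area"])
            net_switches[net].add(sw)
            area_switches[i["area"]].add(sw)
    for net in sorted(net_areas, key=str):
        if len(net_areas[net]) > 1:
            findings.append(f"{net}: link configured in areas {sorted(net_areas[net])}")
    backbone = area_switches.get(0, set())
    if not backbone:
        findings.append("no interface belongs to area 0")
    else:
        # Area 0 must be continuous: every backbone switch must be reachable from
        # every other one over links whose both ends are in area 0.
        adj = defaultdict(set)
        for net, areas in net_areas.items():
            if areas == {0}:
                for sw in net_switches[net]:
                    adj[sw] |= net_switches[net] - {sw}
        reached, stack = set(), [min(backbone)]
        while stack:
            sw = stack.pop()
            if sw not in reached:
                reached.add(sw)
                stack.extend(adj[sw] - reached)
        if reached != backbone:
            findings.append(f"area 0 not continuous: {sorted(backbone - reached)} "
                            "unreachable from the rest of the backbone (virtual link needed)")
    for area in sorted(area_switches):
        if area != 0 and not (area_switches[area] & backbone):
            findings.append(f"area {area}: no border switch with an interface in area 0")
    return findings

def cfg(router_id, *ifaces):
    """Build a config text with manual-style prompts from (vlan, address, area) tuples."""
    lines = [f"Switch(config-router)#router-id {router_id}"]
    for vlan, addr, area in ifaces:
        lines += [f"Switch(config)#interface vlan {vlan}",
                  f"Switch(config-if-vlan{vlan})#IPv6 address {addr}",
                  f"Switch(config-if-vlan{vlan})#IPv6 router ospf area {area}"]
    return "\n".join(lines)

# Constructed five-switch topology: areas 0, 1 and 2, each non-zero area attached
# to the backbone through a border switch (SwitchB for area 1, SwitchE for area 2).
GOOD = {
    "SwitchA": cfg("192.168.2.1", (1, "2010:1:1::1/64", 0), (2, "2100:1:1::1/64", 0)),
    "SwitchB": cfg("192.168.2.2", (1, "2010:1:1::2/64", 0), (3, "2020:1:1::1/64", 1)),
    "SwitchC": cfg("192.168.2.3", (3, "2020:1:1::2/64", 1)),
    "SwitchD": cfg("192.168.2.4", (3, "2030:1:1::2/64", 2)),
    "SwitchE": cfg("192.168.2.5", (2, "2100:1:1::2/64", 0), (3, "2030:1:1::1/64", 2)),
}
# Same topology with two checklist mistakes: a zero router ID on SwitchD, and the
# SwitchD-SwitchE link put in area 0 on one end only, which also strands area 2.
BAD = dict(GOOD)
BAD["SwitchD"] = cfg("0.0.0.0", (3, "2030:1:1::2/64", 2))
BAD["SwitchE"] = cfg("192.168.2.5", (2, "2100:1:1::2/64", 0), (3, "2030:1:1::1/64", 0))

if __name__ == "__main__":
    for name, topo in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ospfv3(topo) or ["no problems found"])
```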
Chapter 39 BGP
39.1 Introduction to BGP
BGP stands for Border Gateway Protocol. It is a dynamic inter-autonomous-system routing protocol. Its basic function is to exchange routing information automatically without loops. By exchanging routing reachability information carrying AS sequence attributes made of autonomous system numbers, BGP can create an autonomous-system topology map to eliminate routing loops and implement the policies configured by users. Generally, the switches in an AS may use several IGPs (Interior Gateway Protocols), such as RIP and OSPF, in order to exchange routing information in the AS, and exchange information among ASes with an EGP (Exterior Gateway Protocol); BGP is one kind of EGP. An AS is usually established by a single administrative department. BGP is often used on the switches among ISPs or the departments of a multinational corporation.
BGP has been used since 1989; its earliest three versions are RFC1105 (BGP-1), RFC1163 (BGP-2) and RFC1267 (BGP-3). Currently, the most popular one is RFC1771 (BGP-4). The switch supports BGP-4.
1. Characteristics of BGP-4
BGP-4 is suitable for distributed structures and supports Classless Inter-Domain Routing (CIDR). BGP-4 is becoming the de facto exterior routing protocol standard used for the global Internet. The features of BGP-4 are as follows.
• BGP is an exterior routing protocol; unlike interior routing protocols such as OSPF and RIP, BGP can't discover and calculate routes, but it can control the transmission of routes and select the best route.
• By carrying AS routing information in the route updates, the problem of routing loops can be resolved.
• BGP uses TCP on port 179 as its transport protocol, which enhances the reliability of the protocol.
• BGP-4 supports CIDR (Classless Inter-Domain Routing), which is an important improvement over BGP-3. CIDR has a brand new way to look at IP addresses; it doesn't distinguish class A, class B and class C networks. For instance, an illegal class C address 192.213.0.0 255.255.0.0 can be represented as 192.213.0.0/16 by CIDR, which is a legal supernet. /16 represents that the network number is formed by the 16 leftmost bits of the address. The introduction of CIDR simplifies route aggregation. Route aggregation is the process of combining several different routes, so advertising several routes can be changed to advertising only one route, which decreases the route table.
• When updating routes, BGP sends only incremental routes. The bandwidth occupied by BGP transmission is reduced greatly, and it is suitable for the mass of routing information transmitted on the Internet.
• For political and economic reasons, each AS expects to filter and control routes; BGP-4 provides abundant route policies, which make BGP-4 more extensible to encourage Internet development.
2. The Overview of BGP-4 operation
Unlike the RIP and OSPF protocols, the BGP protocol is connection oriented. BGP switches must establish a connection to exchange routing information. The operation of the BGP protocol is driven by messages, and the messages can be divided into four kinds:
Open message: it is the first message sent after a TCP connection is established. It is used to create the BGP connection relationship among BGP peers. Some parameters in the Open message are used to negotiate whether a connection can be established among BGP peers.
Keepalive message: it is the message used to check connection availability. It is usually sent periodically to keep the BGP connection. If this message or an Update message is not received within the hold time, the BGP connection is closed.
Update message: it is the most important message in the BGP system. It is used to exchange routing information among peers. The switches exchange not only updated routing information, but also unavailable or withdrawn routing information. It consists of three parts: unreachable routes, NLRI (Network Layer Reachability Information) and path attributes.
Notification message: it is the error notification message. When a BGP speaker receives this message, it shuts down the BGP connection with its neighbor.
BGP-4 is connection oriented. BGP acts as a higher-layer protocol and runs on particular equipment. When a neighbor is detected, a TCP session is established and maintained. Then the exchange and synchronization of the route table are carried out. The routing information is exchanged by sending the whole BGP route table only when the system initiates. After that, routing information is exchanged only when updated routing information is available; only incremental update messages are exchanged. BGP-4 maintains links and sessions periodically through keepalive messages, that is, sending and receiving keepalive messages periodically to check whether the connections are normal.
The switches that participate in a BGP session are called BGP speakers. A BGP speaker continuously receives or generates new routing information and advertises it to other BGP speakers. When a BGP speaker receives a new routing notification from another AS, if this route is better than the presently known route or there is no acceptable route, it sends this route to all the other BGP speakers of the AS. A BGP speaker calls the other speakers that exchange route information with it neighbors or peers. Several relevant neighbors can constitute a peer group. BGP operates on the switches in the following two manners:
• IBGP: Internal BGP
• EBGP: External BGP
When BGP runs in the same AS, it is called IBGP. When it runs between different ASes, it is called EBGP. Generally, the outer neighbors are connected physically and the inner neighbors can be in any place of the AS. The difference is finally shown in the way BGP deals with routing information. The equipment may check the AS number in the Open message from a neighbor to decide whether to treat the neighbor switch as an exterior neighbor or as an interior neighbor.
IBGP is used within an AS. It sends messages to all the BGP neighbors in the AS, and is how AS routing information
is exchanged inside a large organization. Note that the switches in the AS need not be connected physically: as
long as they are in the same AS, they can be neighbors of each other. Because BGP itself does not discover the
path to a neighbor, the routing table of another routing protocol (such as static routes, directly connected
routes, OSPF or RIP) must contain a route to each neighbor's IP address; these routes carry the BGP session
traffic. To avoid routing loops, when a BGP speaker receives a route from an internal neighbor, it does not
advertise this route to other internal neighbors.
EBGP is used between ASes, and it transmits routing information to the BGP neighbors in other ASes. EBGP
neighbors normally need a physical connection and share the same medium, so the border equipment between two
ASes is usually what runs EBGP. When a BGP speaker receives routing information from an external neighbor, it
advertises these routes to its internal neighbors.
3. Route attribute
BGP-4 can share and query the IP routing table of the IGP through the relevant mechanisms, but it has its own
routing table. In the BGP routing table, each route has a network number, a list of the ASes it has passed through
(the AS path) and some routing attributes (such as origin). The set of routing attributes that BGP-4 uses is quite
complex; these attributes serve as the metrics for selecting a path.
4. Route-selecting policy of BGP
When BGP advertisements for the same route are received from several neighbors, the best route has to be
selected after route filtering. This process is called the BGP route selection process. It runs only for routes
that fulfil the following conditions:
- The route's next hop must be reachable, that is, the routing table contains a route to the next hop.
- BGP must be synchronized with the IGP (unless synchronization is disabled; this applies to IBGP only).
BGP route selection is based on the BGP attributes. When several routes lead to the same destination, BGP
selects the best one. The decision-making process is as follows:
1. Select the route with the highest weight first;
2. If the weights are the same, select the route with the highest local preference;
3. If the local preferences are the same, select the route originated by the local switch;
4. If no route was originated locally, select the route with the shortest AS path;
5. If the AS paths are the same length, select the route with the lowest "origin" type (IGP < EGP < INCOMPLETE);
6. If the "origin" types are the same, select the route with the lowest MED attribute. Unless the command "bgp
always-compare-med" is configured, this comparison is only made among routes from the same neighbor AS;
7. If the MED attributes are the same, an EBGP route is preferred over a confederation EBGP route, which is
preferred over an IBGP route;
8. If the routes are still equal, the BGP router ID is used to break the tie. The best route is the one from the
neighbor with the lowest router ID.
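The decision list above is easier to check as code. The following Python is an added example written for this guide, not part of the manual or of the switch firmware: it implements the eight steps as a comparator and selects the best of several routes, including the rule from step 6 that MED is compared only among routes from the same neighbor AS unless "bgp always-compare-med" is configured (the behaviour discussed again in Example 6, section 39.3.6). The route data is constructed to match Example 6; the manual gives no router IDs, so the peers' interface addresses are assumed as their router IDs.

```python
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import IPv4Address
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}               # step 5: IGP < EGP < INCOMPLETE
PEER_RANK = {"local": 0, "ebgp": 0, "confed-ebgp": 1, "ibgp": 2}  # step 7: EBGP < confed EBGP < IBGP


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str          # name of the advertising switch (for readability only)
    neighbor_as: int       # AS of the peer the route was learned from (0 for local routes)
    peer_type: str         # "ebgp", "confed-ebgp", "ibgp" or "local"
    router_id: str         # router ID of the advertising peer (step 8 tie-break); assumed values
    as_path: Tuple[int, ...] = ()
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0


def compare(a: Route, b: Route, always_compare_med: bool = False) -> int:
    """Negative if a is better, positive if b is better, 0 if equal.
    Each numbered step only runs when every earlier step tied."""
    if a.weight != b.weight:                                 # 1. highest weight
        return b.weight - a.weight
    if a.local_pref != b.local_pref:                         # 2. highest local preference
        return b.local_pref - a.local_pref
    a_local, b_local = a.peer_type == "local", b.peer_type == "local"
    if a_local != b_local:                                   # 3. locally originated route
        return -1 if a_local else 1
    if len(a.as_path) != len(b.as_path):                     # 4. shortest AS path
        return len(a.as_path) - len(b.as_path)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:       # 5. lowest origin type
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    # 6. lowest MED, but only between routes from the same neighbor AS unless
    #    "bgp always-compare-med" is configured
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return a.med - b.med
    if PEER_RANK[a.peer_type] != PEER_RANK[b.peer_type]:     # 7. EBGP < confed EBGP < IBGP
        return PEER_RANK[a.peer_type] - PEER_RANK[b.peer_type]
    ra, rb = IPv4Address(a.router_id), IPv4Address(b.router_id)
    return (ra > rb) - (ra < rb)                             # 8. lowest router ID


def best_path(routes: List[Route], always_compare_med: bool = False) -> Route:
    """Pick the best route for one prefix.

    Because step 6 is conditional, a single pass over the routes in arrival order can
    give different answers for different orders.  Selecting per neighbor AS first
    (where MED always applies) and then among the per-AS winners (where it applies
    only with always-compare-med) makes the result order-independent."""
    if always_compare_med:
        return min(routes, key=cmp_to_key(lambda a, b: compare(a, b, True)))
    winners = []
    for asn in sorted({r.neighbor_as for r in routes}):
        group = [r for r in routes if r.neighbor_as == asn]
        winners.append(min(group, key=cmp_to_key(compare)))
    return min(winners, key=cmp_to_key(compare))


# Constructed input modelled on Example 6 (section 39.3.6): three EBGP routes to
# 12.0.0.0 as received by SwitchA.  Router IDs are assumed to be the peers'
# interface addresses; the manual does not state them.
EXAMPLE_6 = [
    Route("12.0.0.0", "SwitchB", 400, "ebgp", "4.4.4.3", as_path=(400,), med=50),
    Route("12.0.0.0", "SwitchC", 300, "ebgp", "2.2.2.1", as_path=(300,), med=120),
    Route("12.0.0.0", "SwitchD", 300, "ebgp", "3.3.3.2", as_path=(300,), med=200),
]

if __name__ == "__main__":
    print("default:           ", best_path(EXAMPLE_6).neighbor)                          # SwitchC
    print("always-compare-med:", best_path(EXAMPLE_6, always_compare_med=True).neighbor)  # SwitchB
```

Without always-compare-med the MED of 50 announced by AS400 never competes with the AS300 routes; the choice between the AS300 winner (SwitchC) and SwitchB falls through to the router ID tie-break. With always-compare-med the lowest MED wins outright.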
39.2 BGP Configuration Task List
The BGP configuration tasks include basic and advanced tasks. Basic BGP configuration tasks include the
following:
1. Enable BGP Routing (required)
2. Configure BGP Neighbors (required)
3. Manage routing policy changes (reset BGP sessions)
4. Configure BGP Weights
5. Configure BGP Route Filtering Policy Based on Neighbors
6. Configure Next-Hop of BGP
7. Configure EBGP Multi-Hop
8. Configure BGP Session Identifier (router ID)
9. Configure BGP Version
Advanced BGP configuration tasks include the following:
1. Use Route Maps to Modify Routes
2. Configure Route Aggregation
3. Configure BGP Community Filtering
4. Configure BGP Confederation
5. Configure a Route Reflector
6. Configure Peer Groups
7. Configure Neighbor and Peer Group Parameters
8. Adjust BGP Timers
9. Adjust BGP Announcement Interval
10. Configure the Default Local Preference
11. Allow Sending the Default Route
12. Configure BGP's MED Value
13. Configure BGP Routing Redistribution
14. Configure BGP Route Dampening
15. Configure BGP Capability Negotiation
16. Configure Route Server
17. Configure Path Selection Rules
18. Configure Redistribution of OSPF Routing to BGP
(1) Enable redistribution of OSPF routing to BGP
(2) Display and debug the configuration of redistribution of OSPF routing to BGP
Ⅰ. Basic BGP configuration tasks
1. Enable BGP Routing
Command / Explanation
Global mode:
  router bgp <as-id>
  no router bgp <as-id>
    Enable BGP with the given AS number; the no form disables the BGP process.
Router configuration mode:
  network <ip-address/M>
  no network <ip-address/M>
    Set a network that BGP will announce; the no form cancels the announcement of that network.
2. Configure BGP Neighbors
Command / Explanation
Router configuration mode:
  neighbor {<ip-address> | <TAG>} remote-as <as-id>
  no neighbor {<ip-address> | <TAG>} [remote-as <as-id>]
    Specify a BGP neighbor (by IP address or peer-group tag) and its AS number; the no form deletes the
    neighbor.
3. Manage routing policy changes
A changed inbound or outbound policy only takes effect on routes that are exchanged again, so the session has to
be reset: either hard (the TCP session is torn down and all routes are re-learned) or soft (routes are re-sent or
re-evaluated without dropping the session).
(1) Configure hard reconfiguration.
Command / Explanation
Admin Mode:
  clear ip bgp {<*> | <as-id> | external | peer-group <NAME> | <ip-address>}
    Hard reset: drop and re-establish the matching BGP sessions.
(2) Configure outbound soft reconfiguration.
Command / Explanation
Admin Mode:
  clear ip bgp {<*> | <as-id> | external | peer-group <NAME> | <ip-address>} soft out
    Outbound soft reset: re-send the routes to the matching neighbors without dropping the sessions.
(3) Configure inbound soft reconfiguration.
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} soft-reconfiguration inbound
  no neighbor {<ip-address> | <TAG>} soft-reconfiguration inbound
    Store the unmodified routing information received from the neighbor or peer group so that it can be
    re-evaluated later; the no form cancels the storage.
Admin Mode:
  clear ip bgp {<*> | <as-id> | external | peer-group <NAME> | <ip-address>} soft in
    Inbound soft reset: re-apply the inbound policy to the stored routes from the matching neighbors.
4. Configure BGP Weights
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} weight <weight>
  no neighbor {<ip-address> | <TAG>} weight
    Configure the weight assigned to routes learned from the neighbor; the no form restores the default weight.
5. Configure BGP Route Filtering Policy Based on Neighbors
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} distribute-list {<1-199> | <1300-2699> | <WORD>} {in | out}
  no neighbor {<ip-address> | <TAG>} distribute-list {<1-199> | <1300-2699> | <WORD>} {in | out}
    Filter the routing updates received from (in) or sent to (out) the neighbor with the given access list
    (by number or name); the no form cancels the route filter.
6. Configure Next-Hop
1) Set Next-Hop as the switch's address
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} next-hop-self
  no neighbor {<ip-address> | <TAG>} next-hop-self
    When sending routes to this neighbor, set the Next-Hop attribute to the switch's own address; the no form
    cancels the setting.
2) Override the default Next-Hop through a route map
Command / Explanation
Route map configuration mode:
  set ip next-hop <ip-address>
  no set ip next-hop
    Set the Next-Hop attribute of the routes matched by the route map; the no form cancels this setting.
7. Configure EBGP Multi-Hop
If an external neighbor is not directly connected, the following command allows the EBGP session to span several
hops. Note that this also relaxes the default one-hop TTL limit on the session, so an EBGP multihop neighbor
should be combined with route filtering towards that neighbor.
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} ebgp-multihop [<1-255>]
  no neighbor {<ip-address> | <TAG>} ebgp-multihop [<1-255>]
    Allow an EBGP connection to a neighbor in a network that is not directly connected, optionally limiting the
    number of hops (TTL); the no form cancels the setting.
8. Configure BGP Session Identifier
Command / Explanation
BGP configuration mode:
  bgp router-id <ip-address>
  no bgp router-id
    Configure the router ID that identifies this BGP speaker; the no form restores the default value.
9. Configure the BGP Version
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} version <value>
  no neighbor {<ip-address> | <TAG>} version
    Set the BGP version used with the neighbor; the no form restores the default setting. Only version 4 is
    currently supported.
Ⅱ. Advanced BGP configuration tasks
1. Use Route Maps to Modify Routes
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} route-map <map-name> {in | out}
  no neighbor {<ip-address> | <TAG>} route-map <map-name> {in | out}
    Apply a route map to the routes received from (in) or sent to (out) the neighbor; the no form removes the
    route map from the neighbor.
2. Configure Route Aggregation
Command / Explanation
BGP configuration mode:
  aggregate-address <ip-address/M> [summary-only] [as-set]
  no aggregate-address <ip-address/M> [summary-only] [as-set]
    Create an aggregate entry in the BGP routing table; summary-only suppresses the more specific routes covered
    by the aggregate, and as-set keeps the AS numbers of the aggregated routes in an AS_SET. The no form deletes
    the aggregate entry.
3. Configure BGP Community Filtering
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} send-community
  no neighbor {<ip-address> | <TAG>} send-community
    Allow the community attribute to be sent with routing updates to the BGP neighbor; the no form sends the
    routes without community attributes.
4. Configure BGP Confederation
Command / Explanation
BGP configuration mode:
  bgp confederation identifier <as-id>
  no bgp confederation identifier <as-id>
    Configure the BGP AS confederation identifier (the AS number the confederation presents to external
    neighbors); the no form deletes it.
  bgp confederation peers <as-id> [<as-id>..]
  no bgp confederation peers <as-id> [<as-id>..]
    Configure the member ASes that belong to the AS confederation; the no form removes the ASes from the
    confederation.
5. Configure a Route Reflector
(1) The following commands configure a route reflector and its clients.
Command / Explanation
BGP configuration mode:
  neighbor <ip-address> route-reflector-client
  no neighbor <ip-address> route-reflector-client
    Configure the current switch as a route reflector and specify the neighbor as a client; the no form deletes
    the client.
(2) If there is more than one route reflector in the cluster, the following commands configure the cluster ID.
Command / Explanation
BGP configuration mode:
  bgp cluster-id <cluster-id>
  no bgp cluster-id
    Configure the cluster ID; the no form cancels the cluster ID configuration.
(3) If reflection from clients to clients is needed, the following commands can be used.
Command / Explanation
BGP configuration mode:
  bgp client-to-client reflection
  no bgp client-to-client reflection
    Allow the route reflector to reflect routes from one client to the other clients; the no form forbids it.
6. Configure Peer Groups
(1) Create peer groups
Command / Explanation
BGP configuration mode:
  neighbor <TAG> peer-group
  no neighbor <TAG> peer-group
    Create a peer group; the no form deletes the peer group.
(2) Add neighbors to peer groups
Command / Explanation
BGP configuration mode:
  neighbor <ip-address> peer-group <TAG>
  no neighbor <ip-address> peer-group <TAG>
    Make a neighbor a member of the peer group; the no form removes the specified member.
7. Configure Neighbor and Peer Group Parameters
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} remote-as <as-id>
  no neighbor {<ip-address> | <TAG>} remote-as <as-id>
    Specify a BGP neighbor; the no form deletes the neighbor.
  neighbor {<ip-address> | <TAG>} description <.LINE>
  no neighbor {<ip-address> | <TAG>} description
    Associate a description with a neighbor; the no form deletes the description.
  neighbor {<ip-address> | <TAG>} default-originate [route-map <NAME>]
  no neighbor {<ip-address> | <TAG>} default-originate [route-map <NAME>]
    Permit sending the default route 0.0.0.0 to the neighbor, optionally conditioned on a route map; the no form
    cancels sending the default route.
  neighbor {<ip-address> | <TAG>} send-community
  no neighbor {<ip-address> | <TAG>} send-community
    Send the community attribute to the neighbor; the no form stops sending it.
  neighbor {<ip-address> | <TAG>} timers <keepalive> <holdtime>
  no neighbor {<ip-address> | <TAG>} timers
    Configure the keepalive and hold-time timers of a particular neighbor; the no form restores the default
    values.
  neighbor {<ip-address> | <TAG>} advertisement-interval <seconds>
  no neighbor {<ip-address> | <TAG>} advertisement-interval
    Configure the minimum interval between BGP routing updates sent to the neighbor; the no form restores the
    default value.
  neighbor {<ip-address> | <TAG>} ebgp-multihop [<1-255>]
  no neighbor {<ip-address> | <TAG>} ebgp-multihop
    Allow EBGP connections to neighbors in networks that are not directly connected; the no form cancels this
    setting.
  neighbor {<ip-address> | <TAG>} weight <weight>
  no neighbor {<ip-address> | <TAG>} weight
    Configure the BGP neighbor weight; the no form restores the default weight.
  neighbor {<ip-address> | <TAG>} distribute-list {<access-list-number> | <name>} {in | out}
  no neighbor {<ip-address> | <TAG>} distribute-list {<access-list-number> | <name>} {in | out}
    Filter the neighbor's route updates with an access list; the no form cancels route filtering.
  neighbor {<ip-address> | <TAG>} route-reflector-client
  no neighbor {<ip-address> | <TAG>} route-reflector-client
    Configure the current switch as a route reflector and the neighbor as a client; the no form deletes the
    client.
  neighbor {<ip-address> | <TAG>} next-hop-self
  no neighbor {<ip-address> | <TAG>} next-hop-self
    When sending routes, set the Next-Hop to the switch's own address; the no form cancels the setting.
  neighbor {<ip-address> | <TAG>} version <value>
  no neighbor {<ip-address> | <TAG>} version
    Specify the BGP version used to communicate with the neighbor; the no form restores the default setting.
  neighbor {<ip-address> | <TAG>} route-map <map-name> {in | out}
  no neighbor {<ip-address> | <TAG>} route-map <map-name> {in | out}
    Apply a route map to incoming or outgoing routes; the no form removes the route map.
  neighbor {<ip-address> | <TAG>} soft-reconfiguration inbound
  no neighbor {<ip-address> | <TAG>} soft-reconfiguration inbound
    Store the routing information received from the neighbor or peer group; the no form cancels the storage.
  neighbor {<ip-address> | <TAG>} shutdown
  no neighbor {<ip-address> | <TAG>} shutdown
    Shut down the BGP neighbor or peer group; the no form re-activates the shut-down neighbor or peer group.
8. Adjust BGP Timers
(1) Configure the BGP timers of all neighbors
Command / Explanation
BGP configuration mode:
  timers bgp <keepalive> <holdtime>
  no timers bgp
    Configure the keepalive and hold-time timers for all neighbors; the no form restores the default values.
(2) Configure the timer values of a particular neighbor
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} timers <keepalive> <holdtime>
  no neighbor {<ip-address> | <TAG>} timers
    Configure the keepalive and hold-time timers of a particular neighbor; the no form restores the default
    values.
9. Adjust BGP Announcement Interval
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} advertisement-interval <seconds>
  no neighbor {<ip-address> | <TAG>} advertisement-interval
    Configure the minimum interval between BGP routing updates sent to the neighbor; the no form restores the
    default setting.
10. Configure the Local Preference Value
Command / Explanation
BGP configuration mode:
  bgp default local-preference <value>
  no bgp default local-preference
    Change the default local preference; the no form restores the default value.
11. Enable sending the default route
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} default-originate
  no neighbor {<ip-address> | <TAG>} default-originate
    Permit sending the default route 0.0.0.0 to the neighbor; the no form cancels sending the default route.
12. Configure BGP's MED Value
(1) Configure the MED value
Command / Explanation
Route map configuration mode:
  set metric <metric-value>
  no set metric
    Set the metric (MED) of the routes matched by the route map; the no form restores the default value.
(2) Apply MED-based route selection to paths from different ASes
Command / Explanation
BGP configuration mode:
  bgp always-compare-med
  no bgp always-compare-med
    Permit MED comparison between routes from different ASes; the no form forbids the comparison (MED is then
    compared only among routes from the same neighbor AS).
13. Configure BGP routing redistribution
Command / Explanation
BGP configuration mode:
  redistribute {connected | static | rip | ospf} [metric <metric>] [route-map <NAME>]
  no redistribute {connected | static | rip | ospf}
    Redistribute IGP routes into BGP, optionally specifying the metric and a route map that filters or modifies
    the redistributed routes; the no form cancels the redistribution. Without a route map every route of the
    source protocol is redistributed, so a route map is advisable when internal prefixes must not leak to EBGP
    neighbors.
14. Configure Route Dampening
Command / Explanation
BGP configuration mode:
  bgp dampening [<1-45>] [<1-20000> <1-20000> <1-255>] [<1-45>]
  no bgp dampening
    Enable BGP route dampening and apply the specified dampening parameters (in the conventional order: half-life
    in minutes, reuse threshold, suppress threshold, maximum suppress time in minutes); the no form stops route
    dampening.
15. Configure BGP Capability Negotiation
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} capability {dynamic | route-refresh}
  no neighbor {<ip-address> | <TAG>} capability {dynamic | route-refresh}
  neighbor {<ip-address> | <TAG>} capability orf prefix-list {both | send | receive}
  no neighbor {<ip-address> | <TAG>} capability orf prefix-list {both | send | receive}
  neighbor {<ip-address> | <TAG>} dont-capability-negotiate
  no neighbor {<ip-address> | <TAG>} dont-capability-negotiate
  neighbor {<ip-address> | <TAG>} override-capability
  no neighbor {<ip-address> | <TAG>} override-capability
  neighbor {<ip-address> | <TAG>} strict-capability-match
  no neighbor {<ip-address> | <TAG>} strict-capability-match
    BGP provides capability negotiation and matches capabilities while establishing the connection. The
    currently supported capabilities include route refresh, dynamic capability, outbound route filtering (ORF)
    and the address family capability. Use the capability commands to enable a capability; the no form disables
    it. The remaining commands make the neighbor skip capability negotiation (dont-capability-negotiate),
    require a strict capability match (strict-capability-match) or ignore the negotiation result
    (override-capability).
16. Configure Route Server
Command / Explanation
BGP configuration mode:
  neighbor {<ip-address> | <TAG>} route-server-client
  no neighbor {<ip-address> | <TAG>} route-server-client
    A route server is used in an EBGP environment to reduce the number of peers that each client has to
    configure. This command configures this router as a route server and specifies the neighbor as one of the
    clients it serves; the no form deletes the client.
17. Configure Path Selection Rules
Command / Explanation
BGP configuration mode:
  bgp always-compare-med
  no bgp always-compare-med
  bgp bestpath as-path ignore
  no bgp bestpath as-path ignore
  bgp bestpath compare-confed-aspath
  no bgp bestpath compare-confed-aspath
  bgp bestpath compare-routerid
  no bgp bestpath compare-routerid
  bgp bestpath med {[confed] [missing-is-worst]}
  no bgp bestpath med {[confed] [missing-is-worst]}
    Some of the path selection rules can be changed by configuration to alter the best path choice: compare MED
    between routes from different ASes, ignore the AS path length, compare the AS path length within a
    confederation, compare the router ID, and compare MED within a confederation or treat a missing MED as the
    worst value. The no form restores the default path selection rules.
18. Configure redistribution of OSPF routing to BGP
(1) Enable redistribution of OSPF routing to BGP
Command / Explanation
Router BGP configuration mode:
  redistribute ospf [<process-id>] [route-map <word>]
  no redistribute ospf [<process-id>]
    Enable or disable the redistribution of OSPF routes into BGP.
(2) Display and debug the configuration of redistribution of OSPF routing to BGP
Command / Explanation
Admin Mode and Configuration Mode:
  show ip bgp redistribute
    Display the configuration of the redistribution of OSPF routing into BGP.
Admin Mode:
  debug bgp redistribute message send
  no debug bgp redistribute message send
    Enable or disable debugging of the messages sent by BGP for redistributing OSPF routes.
  debug bgp redistribute route receive
  no debug bgp redistribute route receive
    Enable or disable debugging of the routes received from NSM for redistributing OSPF routes.
39.3 Configuration Examples of BGP
39.3.1 Example 1: configure BGP neighbors
SwitchB, SwitchC and SwitchD are in AS200, SwitchA is in AS100. SwitchA and SwitchB share the same network
segment. SwitchB and SwitchD are not connected physically.
[Figure 39-3-1 BGP Network Topological Map]
  AS100: SwitchA  Vlan1 11.1.1.1
  AS200: SwitchB  Vlan1 11.1.1.2, Vlan2 12.1.1.2
         SwitchC  Vlan1 12.1.1.3, Vlan2 13.1.1.3
         SwitchD  Vlan1 13.1.1.4
The configurations of SwitchA are as following:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 11.1.1.2 remote-as 200
SwitchA(config-router-bgp)#exit
The configurations of SwitchB are as following:
SwitchB(config)#router bgp 200
SwitchB(config-router-bgp)#network 11.0.0.0
SwitchB(config-router-bgp)#network 12.0.0.0
SwitchB(config-router-bgp)#network 13.0.0.0
SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100
SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 200
SwitchB(config-router-bgp)#neighbor 13.1.1.4 remote-as 200
SwitchB(config-router-bgp)#exit
The configurations of SwitchC are as following:
SwitchC(config)#router bgp 200
SwitchC(config-router-bgp)#network 12.0.0.0
SwitchC(config-router-bgp)#network 13.0.0.0
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 200
SwitchC(config-router-bgp)#neighbor 13.1.1.4 remote-as 200
SwitchC(config-router-bgp)#exit
The configurations of SwitchD are as following:
SwitchD(config)#router bgp 200
SwitchD(config-router-bgp)#network 13.0.0.0
SwitchD(config-router-bgp)#neighbor 12.1.1.2 remote-as 200
SwitchD(config-router-bgp)#neighbor 13.1.1.3 remote-as 200
SwitchD(config-router-bgp)#exit
With this configuration, the session between SwitchB and SwitchA is EBGP, and the sessions with SwitchC and
SwitchD are IBGP. SwitchB and SwitchD can have a BGP session without a physical connection, provided that the
two switches have a reachable route to each other. This route can be supplied by a static route or by the IGP.
39.3.2 Example 2: configure BGP aggregation
In this example, route aggregation is configured. First, use the redistribute command to redistribute the static
route into the BGP routing table:
SwitchB(config)#ip route 193.0.0.0/24 11.1.1
SwitchB(config)#router bgp 100
SwitchB(config-router-bgp)#redistribute static
When at least one route falls within the specified range, the following configuration creates an aggregate route
in the BGP routing table. The aggregate route is originated by the local AS itself. The more specific routes
within 193.0.0.0/16 are still announced as well.
SwitchB(config)#router bgp 100
SwitchB(config-router-bgp)#aggregate-address 193.0.0.0/16
Alternatively, the aggregation command above can be modified as follows; the switch then announces only the
aggregate route 193.0.0.0/16 and suppresses the more specific routes towards all neighbors.
SwitchB(config-router-bgp)#aggregate-address 193.0.0.0/16 summary-only
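The following Python is an added example for this guide, not code from the manual or from the switch. It models what the aggregate-address command of task 2 above does to the set of advertised routes, using the redistributed static route of this example plus a second, constructed route learned from a neighbor in AS200: the aggregate appears only while at least one more specific route exists, summary-only suppresses those more specific routes, and as-set preserves their AS numbers. The route table and the AS numbers are constructed; the prefixes are those of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: Tuple[int, ...] = ()             # AS_SEQUENCE; empty for locally originated routes
    as_set: FrozenSet[int] = frozenset()      # AS_SET; only present on aggregates built with as-set
    atomic_aggregate: bool = False            # set when path information was lost by aggregation


def contributors(table: List[BgpRoute], aggregate: str) -> List[BgpRoute]:
    """More specific routes covered by the aggregate prefix (the aggregate itself excluded)."""
    agg = ip_network(aggregate)
    return [r for r in table
            if ip_network(r.prefix) != agg and ip_network(r.prefix).subnet_of(agg)]


def advertised(table: List[BgpRoute], aggregate: str,
               summary_only: bool = False, as_set: bool = False) -> List[BgpRoute]:
    """Routes advertised after 'aggregate-address <aggregate> [summary-only] [as-set]'.

    The aggregate entry exists only while at least one more specific route exists;
    summary-only suppresses those more specific routes; as-set preserves their AS
    numbers in an AS_SET so that loop detection across ASes still works."""
    inside = contributors(table, aggregate)
    if not inside:
        return list(table)                    # nothing to aggregate: table is unchanged
    if as_set:
        agg_route = BgpRoute(str(ip_network(aggregate)),
                             as_set=frozenset(a for r in inside for a in r.as_path))
    else:
        agg_route = BgpRoute(str(ip_network(aggregate)), atomic_aggregate=True)
    # The aggregate is originated by the local AS: as for any locally originated
    # route, the local AS number is prepended when it is sent to an EBGP neighbor.
    out = [agg_route]
    if not summary_only:
        out.extend(inside)
    out.extend(r for r in table if r not in inside)   # routes outside the aggregate are untouched
    return out


def prefixes(routes: List[BgpRoute]) -> set:
    return {r.prefix for r in routes}


# Constructed BGP table for SwitchB: the redistributed static route of this example
# plus one route learned from a (constructed) neighbor in AS200.
TABLE = [
    BgpRoute("193.0.0.0/24"),                 # redistribute static
    BgpRoute("10.5.0.0/16", as_path=(200,)),  # learned from AS200, not covered by the aggregate
]

if __name__ == "__main__":
    for opts in ({}, {"summary_only": True}):
        print(opts, sorted(prefixes(advertised(TABLE, "193.0.0.0/16", **opts))))
```

Because the aggregate without as-set carries no information about the ASes the more specific routes came from, it is marked ATOMIC_AGGREGATE; when prefixes learned from other ASes are summarised, as-set is the safer choice.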
39.3.3 Example 3: configure BGP community attributes
In the following example, the route map "set-community" is applied to the outgoing updates to neighbor 16.1.1.6.
Routes that match access-list 1 are given the community value "1111"; all other routes (matched by access-list 2)
are announced unchanged. Note that the community attribute only reaches the neighbor if "neighbor 16.1.1.6
send-community" is configured as well (see task 3 above).
XGS3-42000R(config)#router bgp 100
XGS3-42000R(config-router-bgp)#neighbor 16.1.1.6 remote-as 200
XGS3-42000R(config-router-bgp)#neighbor 16.1.1.6 route-map set-community out
XGS3-42000R(config-router-bgp)#exit
XGS3-42000R(config)#route-map set-community permit 10
XGS3-42000R(config-route-map)#match address 1
XGS3-42000R(config-route-map)#set community 1111
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#route-map set-community permit 20
XGS3-42000R(config-route-map)#match address 2
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#access-list 1 permit 11.1.0.0 0.0.255.255
XGS3-42000R(config)#access-list 2 permit 0.0.0.0 255.255.255.255
XGS3-42000R(config)#exit
XGS3-42000R#clear ip bgp 16.1.1.6 soft out
In the following example, the MED and local preference of the routes received from neighbor 16.1.1.6 are set
selectively according to the routes' community values. All routes that match community list com1 get a MED of
2000; com1 permits routes whose community attribute contains "100 200 300" or "900 901" (the route may carry
other community values as well). All routes that pass community list com2 get a local preference of 500. Routes
that pass neither com1 nor com2 are rejected by the implicit deny at the end of the route map.
XGS3-42000R(config)#router bgp 100
XGS3-42000R(config-router-bgp)#neighbor 16.1.1.6 remote-as 200
XGS3-42000R(config-router-bgp)#neighbor 16.1.1.6 route-map match-community in
XGS3-42000R(config-router-bgp)#exit
XGS3-42000R(config)#route-map match-community permit 10
XGS3-42000R(config-route-map)#match community com1
XGS3-42000R(config-route-map)#set metric 2000
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#route-map match-community permit 20
XGS3-42000R(config-route-map)#match community com2
XGS3-42000R(config-route-map)#set local-preference 500
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#ip community-list com1 permit 100 200 300
XGS3-42000R(config)#ip community-list com1 permit 900 901
XGS3-42000R(config)#ip community-list com2 permit 88
XGS3-42000R(config)#ip community-list com2 permit 90
XGS3-42000R(config)#exit
XGS3-42000R#clear ip bgp 16.1.1.6 soft in
Because this route map is applied inbound, an inbound soft reset is what re-applies the new policy to the routes
already received from 16.1.1.6 (this requires soft-reconfiguration inbound or the route refresh capability for
that neighbor).
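The following Python is an added example, not code from the manual or from the switch firmware. It evaluates the inbound policy of this example against constructed routes and makes three things explicit: the community-list semantics (a route passes an entry when it carries every community of that entry, extra communities are ignored), the first-match evaluation of the route-map sequences, and the implicit deny for routes that match neither list. It also covers a case the text does not spell out: a route that matches both com1 and com2 only gets the MED change, because sequence 10 matches first. The received routes and their community values are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# ip community-list com1 permit 100 200 300 / ip community-list com1 permit 900 901
# ip community-list com2 permit 88          / ip community-list com2 permit 90
COMMUNITY_LISTS: Dict[str, List[FrozenSet[int]]] = {
    "com1": [frozenset({100, 200, 300}), frozenset({900, 901})],
    "com2": [frozenset({88}), frozenset({90})],
}

# route-map match-community: (action, sequence, community list to match, attributes to set)
ROUTE_MAP: List[Tuple[str, int, str, Dict[str, int]]] = [
    ("permit", 10, "com1", {"med": 2000}),         # set metric 2000
    ("permit", 20, "com2", {"local_pref": 500}),   # set local-preference 500
]


@dataclass(frozen=True)
class InboundRoute:
    prefix: str
    communities: FrozenSet[int]
    med: int = 0
    local_pref: int = 100


def community_list_permits(name: str, communities: FrozenSet[int]) -> bool:
    """A standard community list permits a route if the route carries every community
    of at least one permit entry; communities not named in the entry are ignored."""
    return any(entry <= communities for entry in COMMUNITY_LISTS[name])


def apply_route_map(route_map, route: InboundRoute) -> Optional[InboundRoute]:
    """Evaluate the sequences in order; the first matching sequence decides.
    A route that matches no sequence hits the implicit deny and is dropped (None)."""
    for action, _seq, clist, sets in route_map:
        if community_list_permits(clist, route.communities):
            return replace(route, **sets) if action == "permit" else None
    return None


def accept_from_neighbor(routes: List[InboundRoute]) -> List[InboundRoute]:
    """Inbound policy of 'neighbor 16.1.1.6 route-map match-community in'."""
    return [r for r in (apply_route_map(ROUTE_MAP, r) for r in routes) if r is not None]


# Constructed updates as received from neighbor 16.1.1.6.
RECEIVED = [
    InboundRoute("20.1.0.0/16", frozenset({100, 200, 300, 555})),  # com1 plus an extra community
    InboundRoute("20.2.0.0/16", frozenset({900, 901})),            # second com1 entry
    InboundRoute("20.3.0.0/16", frozenset({90})),                  # com2
    InboundRoute("20.4.0.0/16", frozenset({100, 200})),            # incomplete com1 entry: denied
    InboundRoute("20.5.0.0/16", frozenset({88, 100, 200, 300})),   # matches both; sequence 10 wins
    InboundRoute("20.6.0.0/16", frozenset()),                      # no communities: denied
]

if __name__ == "__main__":
    for r in accept_from_neighbor(RECEIVED):
        print(r.prefix, "med", r.med, "local-pref", r.local_pref)
```

A route map used as an inbound filter in this way is also a whitelist: anything the neighbor sends without an expected community is discarded, which is the behaviour the last sentence of the example describes.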
39.3.4 Example 4: configure BGP confederation
The following is the configuration of an AS confederation. As the figure illustrates, SwitchB and SwitchC are in
AS10 and establish an IBGP session. SwitchD belongs to AS20; SwitchB and SwitchD establish a confederation EBGP
session (EBGP inside the confederation). AS10 and AS20 form the AS confederation with confederation identifier
AS200. SwitchA belongs to AS100 and establishes an EBGP session with SwitchB, which presents itself as AS200.
[Figure 39-3-2 Confederation configuring topology]
  AS100: SwitchA  vlan1 11.1.1.1
  AS200 (confederation):
    AS10: SwitchB  vlan1 11.1.1.2, vlan3 12.1.1.2, vlan2 13.1.1.2
          SwitchC  vlan1 12.1.1.3
    AS20: SwitchD  vlan1 13.1.1.4
The configurations are as following:
SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 11.1.1.2 remote-as 200
SwitchB:
SwitchB(config)#router bgp 10
SwitchB(config-router-bgp)#bgp confederation identifier 200
SwitchB(config-router-bgp)#bgp confederation peers 20
SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 10
SwitchB(config-router-bgp)#neighbor 13.1.1.4 remote-as 20
SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100
SwitchC:
SwitchC(config)#router bgp 10
SwitchC(config-router-bgp)#bgp confederation identifier 200
SwitchC(config-router-bgp)#bgp confederation peers 20
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 10
SwitchD:
SwitchD(config)#router bgp 20
SwitchD(config-router-bgp)#bgp confederation identifier 200
SwitchD(config-router-bgp)#bgp confederation peers 10
SwitchD(config-router-bgp)#neighbor 13.1.1.2 remote-as 10
39.3.5 Example 5: configure BGP route reflector
The following is the configuration of a route reflector. As the figure illustrates, SwitchA, SwitchB, SwitchC,
SwitchD, SwitchE, SwitchF and SwitchG all belong to AS100 and are connected by IBGP sessions. SwitchC has an
EBGP session with AS200 and SwitchA has an EBGP session with AS300. SwitchC, SwitchD and SwitchG act as route
reflectors.
[Figure 39-3-3 Topological Map of Route Reflector]
  AS100: SwitchC (RR)  vlan1 3.3.3.3   clients: SwitchA 1.1.1.1, SwitchB 2.2.2.2
         SwitchD (RR)  vlan1 3.3.3.4   clients: SwitchE and SwitchF, 5.5.5.5 and 6.6.6.6
         SwitchG (RR)  vlan1 7.7.7.7
  AS200: SwitchH  vlan1 8.8.8.8
  AS300: SwitchI  vlan1 9.9.9.9
The configurations are as following:
The configurations of SwitchC:
SwitchC(config)#router bgp 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 route-reflector-client
SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100
SwitchC(config-router-bgp)#neighbor 2.2.2.2 route-reflector-client
SwitchC(config-router-bgp)#neighbor 7.7.7.7 remote-as 100
SwitchC(config-router-bgp)#neighbor 3.3.3.4 remote-as 100
SwitchC(config-router-bgp)#neighbor 8.8.8.8 remote-as 200
The configurations of SwitchD:
SwitchD(config)#router bgp 100
SwitchD(config-router-bgp)#neighbor 5.5.5.5 remote-as 100
SwitchD(config-router-bgp)#neighbor 5.5.5.5 route-reflector-client
SwitchD(config-router-bgp)#neighbor 6.6.6.6 remote-as 100
SwitchD(config-router-bgp)#neighbor 6.6.6.6 route-reflector-client
SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100
SwitchD(config-router-bgp)#neighbor 7.7.7.7 remote-as 100
The configurations of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 1.1.1.2 remote-as 100
SwitchA(config-router-bgp)#neighbor 9.9.9.9 remote-as 300
SwitchA therefore does not need IBGP sessions with all the switches in AS100 and still receives the BGP routes of
the other switches in the AS through its route reflector.
39.3.6 Example 6: configure MED of BGP
The following is a MED configuration. As illustrated, SwitchA belongs to AS100, SwitchB belongs to AS400, and
SwitchC and SwitchD belong to AS300.
[Figure 39-3-4 MED Configuring Topological Map]
  AS100: SwitchA  vlan2 2.2.2.2, vlan3 3.3.3.3, vlan1 4.4.4.4
  AS400: SwitchB  vlan1 4.4.4.3                 (set metric 50 towards SwitchA)
  AS300: SwitchC  vlan1 2.2.2.1, vlan2 1.1.1.1  (set metric 120 towards SwitchA)
         SwitchD  vlan1 3.3.3.2, vlan2 1.1.1.2  (set metric 200 towards SwitchA)
The configurations of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300
SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300
SwitchA(config-router-bgp)#neighbor 4.4.4.3 remote-as 400
The configurations of SwitchC:
SwitchC(config)#router bgp 300
SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100
SwitchC(config-router-bgp)#neighbor 2.2.2.2 route-map set-metric out
SwitchC(config-router-bgp)#neighbor 1.1.1.2 remote-as 300
SwitchC(config-router-bgp)#exit
SwitchC(config)#route-map set-metric permit 10
SwitchC(Config-Router-RouteMap)#set metric 120
The configurations of SwitchD:
SwitchD(config)#router bgp 300
SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100
SwitchD(config-router-bgp)#neighbor 3.3.3.3 route-map set-metric out
SwitchD(config-router-bgp)#neighbor 1.1.1.1 remote-as 300
SwitchD(config-router-bgp)#exit
SwitchD(config)#route-map set-metric permit 10
SwitchD(Config-Router-RouteMap)#set metric 200
The configurations of SwitchB:
SwitchB(config)#router bgp 400
SwitchB(config-router-bgp)#neighbor 4.4.4.4 remote-as 100
SwitchB(config-router-bgp)#neighbor 4.4.4.4 route-map set-metric out
SwitchB(config-router-bgp)#exit
SwitchB(config)#route-map set-metric permit 10
SwitchB(Config-Router-RouteMap)#set metric 50
After the configuration above, assume that SwitchB, SwitchC and SwitchD each advertise the route 12.0.0.0 to
SwitchA. Under the BGP route selection policy, assume further that the routes sent by the three switches have
identical attribute values up to the point where the metric (MED) attribute is compared. At that step the route
with the lower metric is the better route, but the metric comparison is only made between routes received
from the same AS. For SwitchA, the route via SwitchC is therefore preferred to the route via SwitchD. Because
SwitchC and SwitchB are not located in the same AS, SwitchA does not compare metrics between those two.
If a metric comparison across different ASes is needed, the command "bgp always-compare-med" is used;
once it is configured, the route via SwitchB is the best route for SwitchA. To do so, the following command
may be added on SwitchA:
SwitchA(config-router-bgp)#bgp always-compare-med
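The selection rule described above, as an added example in Python (not code from the manual or from PLANET): the three routes to 12.0.0.0 advertised to SwitchA are modelled with the metrics the route-maps set, and the MED step is applied once with the default behaviour and once as if bgp always-compare-med were configured. The /8 prefix length, the neighbour addresses used as the final tie-break and all names are assumptions of the example; the earlier tie-breakers (local preference, AS_PATH length, origin) are taken as equal, as the text assumes.

```python
"""BGP MED comparison with and without bgp always-compare-med.

Added example, not PLANET's code: a model of the MED step of BGP best-path
selection for the three routes to 12.0.0.0 that SwitchB (AS400, metric 50),
SwitchC (AS300, metric 120) and SwitchD (AS300, metric 200) send to SwitchA.
The /8 length, the neighbour addresses and the names are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    from_switch: str
    neighbor_as: int     # AS of the EBGP neighbour that advertised the route
    med: int             # MULTI_EXIT_DISC; lower is better
    neighbor_ip: str     # used here as the final tie-break (lowest wins)


# Constructed from the example: the metrics are the values the route-maps set.
ROUTES_TO_SWITCHA = [
    BgpRoute("12.0.0.0/8", "SwitchB", 400, 50, "4.4.4.3"),
    BgpRoute("12.0.0.0/8", "SwitchC", 300, 120, "2.2.2.1"),
    BgpRoute("12.0.0.0/8", "SwitchD", 300, 200, "3.3.3.2"),
]


def _tie_break(route):
    return ipaddress.ip_address(route.neighbor_ip)


def select_best(routes, always_compare_med=False):
    """Return the best of `routes` (all for one prefix), or None if empty.

    Earlier tie-breakers (local preference, AS_PATH length, origin) are
    assumed equal, so the decision starts at the MED step.
    """
    if not routes:
        return None
    # Step 1: by default MED is only comparable between routes learned from
    # the same neighbouring AS, so keep the lowest-MED route of each AS.
    best_per_as = {}
    for route in routes:
        current = best_per_as.get(route.neighbor_as)
        if current is None or (route.med, _tie_break(route)) < (current.med, _tie_break(current)):
            best_per_as[route.neighbor_as] = route
    candidates = list(best_per_as.values())
    # Step 2: decide between the per-AS winners.  With always-compare-med the
    # metrics are compared across ASes; without it they are ignored here and
    # the final tie-break (lowest neighbour address) decides.
    if always_compare_med:
        return min(candidates, key=lambda r: (r.med, _tie_break(r)))
    return min(candidates, key=_tie_break)


def winner(always_compare_med=False):
    """Name of the switch whose route SwitchA installs for 12.0.0.0/8."""
    return select_best(ROUTES_TO_SWITCHA, always_compare_med).from_switch


if __name__ == "__main__":
    print("default:            ", winner())        # SwitchC
    print("always-compare-med: ", winner(True))    # SwitchB
```

Without always-compare-med the AS300 routes are compared with each other (SwitchC beats SwitchD on metric) but never with the AS400 route, so the outcome between SwitchB and SwitchC falls through to later tie-breakers; with the command configured the lowest metric wins across all three.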
39.3.7 Example 7: Example of BGP VPN
For the configuration of MPLS VPN, BGP is part of the core routing system and is also an important utility for
supporting the ILM and FTN entries on the edge devices. In this OS, the BGP protocol together with the LDP
protocol forms the foundation of the MPLS VPN application. The LDP protocol works on the WLAN side, and on
routers that are not at the edge of the network the BGP protocol does not function.
Figure 39-3-5 Example of MPLS VPN
As the figure shows, in a typical MPLS VPN application the public network region consists of PE1, P and
PE2, where MPLS is applied for packet transmission. VPN-A consists of CE-A1 and CE-A2, and VPN-B
consists of CE-B1 and CE-B2; the two VPNs are isolated from each other. PE1 and PE2 are edge routers
provided by the operator. CE-A1, CE-A2, CE-B1 and CE-B2 are the access switches on the user side, and
PC1-PC4 are the network users. BGP runs in both the public and the private network regions. In the public
network region VPN routing must be supported, and the loopback interface should be used for the BGP
connections.
The sample configurations are listed as below.
Configurations on CE-A1:
CE-A1#config
CE-A1(config)#interface vlan 2
CE-A1(config-if-Vlan2)#ip address 192.168.101.2 255.255.255.0
CE-A1(config-if-Vlan2)#exit
CE-A1(config)#interface vlan 1
CE-A1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
CE-A1(config-if-Vlan1)#exit
CE-A1(config)#router bgp 60101
CE-A1(config-router)#neighbor 192.168.101.1 remote-as 100
CE-A1(config-router)#exit
Configurations on CE-A2:
CE-A2#config
CE-A2(config)#interface vlan 2
CE-A2(config-if-Vlan2)#ip address 192.168.102.2 255.255.255.0
CE-A2(config-if-Vlan2)#exit
CE-A2(config)#interface vlan 1
CE-A2(config-if-Vlan1)#ip address 10.1.2.1 255.255.255.0
CE-A2(config-if-Vlan1)#exit
CE-A2(config)#router bgp 60102
CE-A2(config-router)#neighbor 192.168.102.1 remote-as 100
CE-A2(config-router)#exit
Configurations on CE-B1:
CE-B1#config
CE-B1(config)#interface vlan 2
CE-B1(config-if-Vlan2)#ip address 192.168.201.2 255.255.255.0
CE-B1(config-if-Vlan2)#exit
CE-B1(config)#interface vlan 1
CE-B1(config-if-Vlan1)#ip address 20.1.1.1 255.255.255.0
CE-B1(config-if-Vlan1)#exit
CE-B1(config)#router bgp 60201
CE-B1(config-router)#neighbor 192.168.201.1 remote-as 100
CE-B1(config-router)#exit
Configurations on CE-B2:
CE-B2#config
CE-B2(config)#interface vlan 2
CE-B2(config-if-Vlan2)#ip address 192.168.202.2 255.255.255.0
CE-B2(config-if-Vlan2)#exit
CE-B2(config)#interface vlan 1
CE-B2(config-if-Vlan1)#ip address 20.1.2.1 255.255.255.0
CE-B2(config-if-Vlan1)#exit
CE-B2(config)#router bgp 60202
CE-B2(config-router)#neighbor 192.168.202.1 remote-as 100
CE-B2(config-router)#exit
Configurations on PE1:
PE1#config
PE1(config)#ip vrf VRF-A
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target both 100:10
PE1(config-vrf)#exit
PE1(config)#ip vrf VRF-B
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target both 100:20
PE1(config-vrf)#exit
PE1(config)#interface vlan 1
PE1(config-if-Vlan1)#ip vrf forwarding VRF-A
PE1(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.0
PE1(config-if-Vlan1)#exit
PE1(config)#interface vlan 2
PE1(config-if-Vlan2)#ip vrf forwarding VRF-B
PE1(config-if-Vlan2)#ip address 192.168.201.1 255.255.255.0
PE1(config-if-Vlan2)#exit
PE1(config)#interface vlan 3
PE1(config-if-Vlan3)#ip address 202.200.1.2 255.255.255.0
PE1(config-if-Vlan3)#label-switching
PE1(config-if-Vlan3)#exit
PE1(config)#interface loopback 1
PE1(Config-if-Loopback1)#ip address 200.200.1.1 255.255.255.255
PE1(Config-if-Loopback1)#exit
PE1(config)#router bgp 100
PE1(config-router)#neighbor 200.200.1.2 remote-as 100
PE1(config-router)#neighbor 200.200.1.2 update-source 200.200.1.1
PE1(config-router)#address-family vpnv4 unicast
PE1(config-router-af)#neighbor 200.200.1.2 activate
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf VRF-A
PE1(config-router-af)#neighbor 192.168.101.2 remote-as 60101
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf VRF-B
PE1(config-router-af)#neighbor 192.168.201.2 remote-as 60201
PE1(config-router-af)#exit-address-family
Configurations on PE2 (the IBGP session is sourced from the loopback on both ends, so PE2 also needs update-source):
PE2#config
PE2(config)#ip vrf VRF-A
PE2(config-vrf)#rd 100:10
PE2(config-vrf)#route-target both 100:10
PE2(config-vrf)#exit
PE2(config)#ip vrf VRF-B
PE2(config-vrf)#rd 100:20
PE2(config-vrf)#route-target both 100:20
PE2(config-vrf)#exit
PE2(config)#interface vlan 1
PE2(config-if-Vlan1)#ip vrf forwarding VRF-A
PE2(config-if-Vlan1)#ip address 192.168.102.1 255.255.255.0
PE2(config-if-Vlan1)#exit
PE2(config)#interface vlan 2
PE2(config-if-Vlan2)#ip vrf forwarding VRF-B
PE2(config-if-Vlan2)#ip address 192.168.202.1 255.255.255.0
PE2(config-if-Vlan2)#exit
PE2(config)#interface vlan 3
PE2(config-if-Vlan3)#ip address 202.200.2.2 255.255.255.0
PE2(config-if-Vlan3)#label-switching
PE2(config-if-Vlan3)#exit
PE2(config)#interface loopback 1
PE2(Config-if-Loopback1)#ip address 200.200.1.2 255.255.255.255
PE2(Config-if-Loopback1)#exit
PE2(config)#router bgp 100
PE2(config-router)#neighbor 200.200.1.1 remote-as 100
PE2(config-router)#neighbor 200.200.1.1 update-source 200.200.1.2
PE2(config-router)#address-family vpnv4 unicast
PE2(config-router-af)#neighbor 200.200.1.1 activate
PE2(config-router-af)#exit-address-family
PE2(config-router)#address-family ipv4 vrf VRF-A
PE2(config-router-af)#neighbor 192.168.102.2 remote-as 60102
PE2(config-router-af)#exit-address-family
PE2(config-router)#address-family ipv4 vrf VRF-B
PE2(config-router-af)#neighbor 192.168.202.2 remote-as 60202
PE2(config-router-af)#exit-address-family
The sample configuration listed above is the most typical one. To enable communication between VRFs, the
route-target should be modified. If the BGP AS number is the same at both ends, the "neighbor <ip-addr>
as-override" command should be configured to avoid the duplicated AS number being rejected.
Only BGP-related configuration is listed above; to run LDP in the public network region, please refer to
the LDP configuration sample.
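The VRF isolation and the two adjustments mentioned above (changing route-targets so that VRFs can communicate, and as-override for duplicate AS numbers), as an added example in Python that is not part of the manual: a model of how PE2 imports the VPNv4 routes that PE1 exports from VRF-A and VRF-B. The RDs, route-targets and CE prefixes are the ones from the configuration above; the data structures, the extra import target 100:10 added to VRF-B, the AS_PATH values and the hypothetical case of both VPN-A sites using AS 60101 are this example's own assumptions.

```python
"""VPNv4 route-target import between the PE1 and PE2 VRFs of Example 7.

Added example, not PLANET's code.  A PE tags each VRF route with the VRF's
RD and export route-targets; the receiving PE installs a VPNv4 route into
every VRF whose import list shares a target with it.  RDs, RTs and CE
prefixes are the example's; the structures and helper names are ours.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: set = field(default_factory=set)   # IPv4 prefixes learned from the CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    route_targets: frozenset   # carried as extended communities


def export_vpnv4(vrfs):
    """PE side: prepend the RD and attach the VRF's export route-targets."""
    return [Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rt))
            for vrf in vrfs for prefix in sorted(vrf.routes)]


def import_vpnv4(vrfs, advertised):
    """Receiving PE side: a route enters a VRF only if an RT matches its import list."""
    table = {vrf.name: set() for vrf in vrfs}
    for route in advertised:
        for vrf in vrfs:
            if route.route_targets & vrf.import_rt:
                table[vrf.name].add(route.prefix)
    return table


def pe1_vrfs():
    # 'route-target both 100:10' means export 100:10 and import 100:10.
    return [Vrf("VRF-A", "100:10", {"100:10"}, {"100:10"}, {"10.1.1.0/24"}),
            Vrf("VRF-B", "100:20", {"100:20"}, {"100:20"}, {"20.1.1.0/24"})]


def pe2_vrfs(extra_import_for_vrf_b=()):
    """PE2's VRFs.  extra_import_for_vrf_b models adding import targets to
    VRF-B, the route-target change the text mentions for inter-VRF reach."""
    return [Vrf("VRF-A", "100:10", {"100:10"}, {"100:10"}, {"10.1.2.0/24"}),
            Vrf("VRF-B", "100:20", {"100:20"}, {"100:20"} | set(extra_import_for_vrf_b),
                {"20.1.2.0/24"})]


def pe2_learned_routes(extra_import_for_vrf_b=()):
    """Prefixes PE2 installs per VRF from PE1's VPNv4 advertisements."""
    return import_vpnv4(pe2_vrfs(extra_import_for_vrf_b), export_vpnv4(pe1_vrfs()))


def ce_accepts(as_path, ce_as):
    """A CE drops any route whose AS_PATH already contains its own AS (loop check)."""
    return ce_as not in as_path


def as_override(as_path, ce_as, pe_as):
    """'neighbor <ip-addr> as-override': before the PE sends a route to a CE in
    AS ce_as, every occurrence of ce_as in the AS_PATH is replaced by the PE's
    own AS, so a CE site that reuses the AS number of the other site still
    accepts the route.  (Hypothetical case: both VPN-A sites using AS 60101.)"""
    return [pe_as if asn == ce_as else asn for asn in as_path]
```

With the configuration as given, VRF-A on PE2 only ever sees 10.1.1.0/24 and VRF-B only 20.1.1.0/24, which is the isolation property an operator relies on; adding 100:10 to VRF-B's import list is exactly the route-target change that deliberately opens VRF-B to VPN-A's routes, so such changes deserve the same review as a firewall rule.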
39.4 BGP Troubleshooting
While configuring and running the BGP protocol, a faulty physical connection or a configuration error may
prevent BGP from working. Therefore, customers should pay attention to the following points:
- First, make sure the physical connection is correct.
- Second, make sure the interface and the link protocol are UP (execute the show interface command).
- Start the BGP protocol (use the router bgp command) and configure the IBGP and EBGP neighbors (use the
neighbor remote-as command).
- Note that the BGP protocol itself does not discover routes; other routes must be imported to create BGP
routes, and only by importing them are these routes announced to IBGP and EBGP neighbors. Directly
connected routes, static routes and IGP routes (RIP and OSPF) can all be imported, using the network and
redistribute (BGP) commands.
- For BGP, pay attention to the difference between the behaviours of IBGP and EBGP.
- After the configuration is finished, use the show ip bgp summary command to observe the neighbor
connections and confirm that every neighbor keeps its BGP connection, and use the show ip bgp command
to observe the BGP routing table.
- If the BGP routing problem still cannot be solved, use debug commands such as debug ip bgp
packet/events, copy the DEBUG information collected over 3 minutes, and send it to our Technology
Service Center.
Chapter 40 MBGP4+
40.1 Introduction to MBGP4+
MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension to IPv6; refer to the
BGP protocol chapter of this manual for an introduction to the BGP protocol.
Different from RIPng and OSPFv3, BGP has no corresponding independent protocol for IPv6; instead, it adds
address-family extensions to the original BGP. The extensions MBGP4+ makes to BGP are mainly:
a. the configured neighbor address can be an IPv6 address;
b. an IPv6 unicast address family configuration is added.
40.2 MBGP4+ Configuration Task List
MBGP4+ Configuration Task List:
1. Configure IPv6 neighbor
2. Configure and enable IPv6 address family
3. Configure redistribution of OSPFv3 routing to MBGP4+
   1) Enable redistribution of OSPFv3 routing to MBGP4+
   2) Display and debug the information about configuration of redistribution of OSPFv3 routing to MBGP4+
1. Configure IPv6 neighbor
Command                                                 Explanation
BGP Protocol Configuration Mode
neighbor <X:X::X:X> remote-as <as-id>                   Configure IPv6 neighbor.
2. Configure and activate IPv6 address family
Command                                                 Explanation
BGP Protocol Configuration Mode
address-family IPv6 unicast                             Enter IPv6 unicast address family.
BGP Protocol Address Family Configuration Mode
neighbor <X:X::X:X> activate                            Activate or deactivate the IPv6 neighbor in the address family.
no neighbor <X:X::X:X> activate
exit-address-family                                     Exit address family configuration mode.
3. Configure redistribution of OSPFv3 routing to MBGP4+
(1) Enable redistribution of OSPFv3 routing to MBGP4+
Command                                                 Explanation
Router IPv6 BGP Configuration Mode
redistribute ospf [<process-tag>] [route-map <word>]    Enable or disable redistribution of OSPFv3 routing to MBGP4+.
no redistribute ospf [<process-tag>]
(2) Display and debug the information about configuration of redistribution of OSPFv3 routing to MBGP4+
Command                                                 Explanation
Admin Mode and Configuration Mode
show ipv6 bgp redistribute                              Display configuration information about MBGP4+ routing redistributed from other routing protocols.
Admin Mode
debug ipv6 bgp redistribute message send                Enable or disable debugging of messages sent by MBGP4+ for redistribution of OSPFv3 routing.
no debug ipv6 bgp redistribute message send
debug ipv6 bgp redistribute route receive               Enable or disable debugging of messages received from NSM.
no debug ipv6 bgp redistribute route receive
40.3 MBGP4+ Examples
SwitchB, SwitchC and SwitchD are in AS200, SwitchA is in AS100. SwitchA and SwitchB share the same
network segment. SwitchB and SwitchD are not connected physically.
Figure 40-3-1 BGP Network Topological Map
(Topology recovered from the figure: SwitchA in AS100, vlan1 2001::1; SwitchB in AS200, vlan1 2001::2 and vlan2 2002::2; SwitchC in AS200, vlan1 2002::3 and vlan2 2003::3; SwitchD in AS200, vlan1 2003::4.)
Accordingly, the SwitchA configuration is as follows:
SwitchA(config)#router bgp 100
SwitchA(config-router)#bgp router-id 1.1.1.1
SwitchA(config-router)#neighbor 2001::2 remote-as 200
SwitchA(config-router)#address-family IPv6 unicast
SwitchA(config-router-af)#neighbor 2001::2 activate
SwitchA(config-router-af)#exit-address-family
SwitchA(config-router)#exit
SwitchA(config)#
SwitchB configuration as follows:
SwitchB(config)#router bgp 200
SwitchB(config-router)#bgp router-id 2.2.2.2
SwitchB(config-router)#neighbor 2001::1 remote-as 100
SwitchB(config-router)#neighbor 2002::3 remote-as 200
SwitchB(config-router)#neighbor 2003::4 remote-as 200
SwitchB(config-router)#address-family IPv6 unicast
SwitchB(config-router-af)#neighbor 2001::1 activate
SwitchB(config-router-af)#neighbor 2002::3 activate
SwitchB(config-router-af)#neighbor 2003::4 activate
SwitchB(config-router-af)#exit-address-family
SwitchB(config-router)#exit
SwitchB(config)#
SwitchC configuration as follows (each switch must use its own BGP router-id; 3.3.3.3 is used here):
SwitchC(config)#router bgp 200
SwitchC(config-router)#bgp router-id 3.3.3.3
SwitchC(config-router)#neighbor 2002::2 remote-as 200
SwitchC(config-router)#neighbor 2003::4 remote-as 200
SwitchC(config-router)#address-family IPv6 unicast
SwitchC(config-router-af)#neighbor 2002::2 activate
SwitchC(config-router-af)#neighbor 2003::4 activate
SwitchC(config-router-af)#exit-address-family
SwitchC(config-router)#exit
SwitchD configuration as follows (router-id 4.4.4.4 is used here):
SwitchD(config)#router bgp 200
SwitchD(config-router)#bgp router-id 4.4.4.4
SwitchD(config-router)#neighbor 2003::3 remote-as 200
SwitchD(config-router)#neighbor 2002::2 remote-as 200
SwitchD(config-router)#address-family IPv6 unicast
SwitchD(config-router-af)#neighbor 2002::2 activate
SwitchD(config-router-af)#neighbor 2003::3 activate
SwitchD(config-router-af)#exit-address-family
SwitchD(config-router)#exit
Here the connection between SwitchB and SwitchA is EBGP, and the connection between SwitchC and
SwitchD is IBGP. A BGP connection can be set up between SwitchB and SwitchD without a physical link,
provided that each switch has a route reaching the other; the route can be obtained through static routing
or an IGP.
40.4 MBGP4+ Troubleshooting
It is the same as corresponding section of BGP.
Chapter 41 Black Hole Routing Manual
41.1 Introduction to Black Hole Routing
Black Hole Routing is a special kind of static routing which drops all the datagrams that match the routing rule.
41.2 IPv4 Black Hole Routing Configuration Task
1. Configure IPv4 Black Hole Routing
Command                                                                     Explanation
Global Configuration Mode
ip route {<ip-prefix> <mask>|<ip-prefix>/<prefix-length>} null0 [<distance>]    Configure the static Black Hole Routing.
no ip route {<ip-prefix> <mask>|<ip-prefix>/<prefix-length>} null0              The no form of this command removes the specified Black Hole Routing configuration.
41.3 IPv6 Black Hole Routing Configuration Task
1. Enable the IPv6 function
2. Configure the IPv6 Black Hole Routing
1. Enable the IPv6 function
Command                                                     Explanation
Global Configuration Mode
ipv6 enable                                                 Enable the IPv6 function on the switch.
2. Configure IPv6 Black Hole Routing
Command                                                     Explanation
Global Configuration Mode
ipv6 route <ipv6-prefix/prefix-length> null0 [<precedence>]    Configure static IPv6 Black Hole Routing.
no ipv6 route <ipv6-prefix/prefix-length> null0                The no form of this command removes the specified configuration.
41.4 Black Hole Routing Configuration Examples
Example 1: IPv4 Black Hole Routing function.
Figure 41-4-1 IPv4 Black Hole Routing Configuration Example
(Topology recovered from the figure: SWITCH1 192.168.0.1/21 connected to SWITCH2 192.168.0.2/21; SWITCH2 access networks 192.168.1.0/24 ... 192.168.7.0/24.)
As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces for
access; the network addresses are 192.168.1.0/24 ~ 192.168.7.0/24. A default route is configured on Switch 2
pointing to Switch 1, and a reverse default route is configured on Switch 1 pointing to Switch 2, whose
network address is 192.168.0.0/21. Normally this configuration works well. However, if one of the Layer 3
interfaces on Switch 2 goes down, for example the interface belonging to 192.168.1.0/24, then when datagrams
for that network arrive at VLAN1 on Switch 2 there is no longer any routing rule for them. The switch forwards
them according to the default route, back to Switch 1. When Switch 1 receives these datagrams, it forwards
them back to Switch 2, and a routing loop results. To solve this problem, Black Hole Routing can be introduced
on Switch 2:
ip route 192.168.0.0/21 null0 50
Switch 2 then drops the datagrams from interface VLAN1 that match the Black Hole Routing rule, and the
routing loop is prevented.
Configuration steps are listed as below:
XGS3-42000R#config
XGS3-42000R(config)#ip route 192.168.0.0/21 null0 50
Example 2: IPv6 Black Hole Routing function.
Figure 41-4-2 IPv6 Black Hole Routing Configuration Example
(Topology recovered from the figure: SWITCH1 2004:1:2:3::1/64 connected to SWITCH2 2004:1:2:3::2/64; SWITCH2 access networks 2004:1:2:3:1::/80 ... 2004:1:2:3:7::/80.)
As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces for
access; the network addresses are 2004:1:2:3:1::/80 ~ 2004:1:2:3:7::/80. A default route is configured on
Switch 2 pointing to Switch 1, and a reverse default route is configured on Switch 1 pointing to Switch 2,
whose network address is 2004:1:2:3::/64. Normally this configuration works well. However, if one of the
Layer 3 interfaces on Switch 2 goes down, for example the interface belonging to 2004:1:2:3:1::/80, then when
datagrams for that network arrive at VLAN1 on Switch 2 there is no longer any routing rule for them. The
switch forwards them according to the default route, back to Switch 1. When Switch 1 receives these
datagrams, it forwards them back to Switch 2, and a routing loop results. To solve this problem, Black Hole
Routing can be introduced on Switch 2:
ipv6 route 2004:1:2:3::/64 null0 50
Switch 2 then drops the datagrams from interface VLAN1 that match the Black Hole Routing rule, and the
routing loop is prevented.
Configuration steps are listed as below:
XGS3-42000R#config
XGS3-42000R(config)#ipv6 route 2004:1:2:3::/64 null0 50
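Why the null0 route breaks the loop in both examples above, as an added example in Python (not from the manual): a longest-prefix-match model of Switch 1 and Switch 2 that forwards a probe packet hop by hop with the failed access interface removed, with and without the black hole route. The prefixes are those of the two examples; the Switch objects, the probe addresses 192.168.1.10 and 2004:1:2:3:1::10 and the hop budget are assumptions of the example. Because it also runs with the access interface up, it shows that the /21 (or /64) black hole route never overrides the more specific connected routes and wins over the default route only because its mask is longer than /0.

```python
"""Why a null0 route stops the Switch 1 / Switch 2 routing loop.

Added example, not PLANET's code: a longest-prefix-match forwarding model
of the two black hole examples.  Prefixes are the examples'; the Switch
objects, probe addresses and hop budget are assumptions.
"""
import ipaddress

NULL0 = "null0"    # next hop of a black hole route: the packet is discarded
LOCAL = "local"    # directly connected Layer 3 VLAN interface: delivered

TOPOLOGIES = {
    "ipv4": {"default": "0.0.0.0/0", "aggregate": "192.168.0.0/21",
             "access": [f"192.168.{i}.0/24" for i in range(1, 8)],
             "probe": "192.168.1.10"},
    "ipv6": {"default": "::/0", "aggregate": "2004:1:2:3::/64",
             "access": [f"2004:1:2:3:{i}::/80" for i in range(1, 8)],
             "probe": "2004:1:2:3:1::10"},
}


class Switch:
    def __init__(self, name):
        self.name = name
        self.routes = []          # (network, next hop, administrative distance)

    def add_route(self, prefix, next_hop, distance=1):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, distance))

    def remove_route(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst):
        """Longest prefix match; between equal masks the lower distance wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def forward(switches, start, dst, max_hops=8):
    """Hand a packet for dst from switch to switch.

    Returns (outcome, path) where outcome is "delivered", "dropped",
    "no-route" or "loop" (hop budget exhausted)."""
    here, path = start, [start]
    for _ in range(max_hops):
        route = switches[here].lookup(dst)
        if route is None:
            return "no-route", path
        next_hop = route[1]
        if next_hop == NULL0:
            return "dropped", path
        if next_hop == LOCAL:
            return "delivered", path
        here = next_hop
        path.append(here)
    return "loop", path


def build_topology(family):
    t = TOPOLOGIES[family]
    s1, s2 = Switch("Switch1"), Switch("Switch2")
    s1.add_route(t["aggregate"], "Switch2")     # Switch 1: route for Switch 2's block
    s2.add_route(t["default"], "Switch1")       # Switch 2: default route toward Switch 1
    for net in t["access"]:                     # Switch 2: connected access VLANs
        s2.add_route(net, LOCAL)
    return {"Switch1": s1, "Switch2": s2}


def simulate(family, interface_down=True, black_hole=False):
    """Send a probe from Switch 1 to the first access network of Switch 2."""
    t = TOPOLOGIES[family]
    switches = build_topology(family)
    if interface_down:
        switches["Switch2"].remove_route(t["access"][0])   # that VLAN interface goes down
    if black_hole:
        # ip route 192.168.0.0/21 null0 50  /  ipv6 route 2004:1:2:3::/64 null0 50
        switches["Switch2"].add_route(t["aggregate"], NULL0, distance=50)
    return forward(switches, "Switch1", t["probe"])
```

With the interface down and no black hole route the probe bounces between the two switches until the hop budget runs out, which is the loop the text describes; with the null0 route installed the same probe is dropped at Switch 2 on its first visit, and traffic to the interfaces that are still up is unaffected.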
41.5 Black Hole Routing Troubleshooting
When configuring the Black Hole Routing function, the configuration may not work for reasons such as an
incorrect network address mask or an incorrect administrative distance. Attention should be paid to the
following items:
- IPv6 must be enabled before IPv6 Black Hole Routing can work.
- It is suggested that the network address mask of the Black Hole route be longer than that of the normal
routing configuration, so that the Black Hole route does not interfere with other routing configuration.
- When the network address mask of the Black Hole route is the same as that of some other configuration,
it is suggested that the distance of the Black Hole route be set lower.
For problems that cannot be fixed by the above methods, please issue the commands show ip route distance,
show ip route fib and show l3, then copy and paste the output of the commands and send it to the technical
service center of our company.
Chapter 42 ECMP Configuration
42.1 Introduction to ECMP
ECMP (Equal-cost Multi-path Routing) applies in network environments where there are several different links
to the same destination address. With the traditional routing technique only one link is used to send data
packets to the destination; the other links stay in a backup or invalid state, and under static routing it takes
some time to switch between them. ECMP, however, can use multiple links in such an environment: it not only
implements load balancing and increases the transport bandwidth, but also backs up the data transport of a
failed link completely, without delay or packet loss.
Figure 42-1-1 The application environment of ECMP
As shown in the figure, two paths can be selected from R1 to R4, R1-R2-R4 and R1-R3-R4. If the route type
and the cost are the same, two routes from R1 to R4 are formed, differing only in the next hop. If both are
selected as best routes, they form an equal-cost route.
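Equal-cost next-hop selection, as an added example in Python that is not part of the manual: a route entry that keeps up to maximum-paths equal-cost next hops and chooses one per flow by hashing the packet's 5-tuple, so that every packet of a flow follows the same path while different flows are spread over all paths, and a failed next hop is simply removed from the set. The next-hop addresses are R1's from the typical example in 42.3; the class, the SHA-256 based hash and the sample flows are assumptions of the example.

```python
"""Equal-cost multipath next-hop selection with a maximum-paths cap.

Added example, not PLANET's code.  Next hops are R1's from section 42.3;
the class, the SHA-256 flow hash and the sample flows are assumptions.
"""
import hashlib


class EcmpRoute:
    def __init__(self, prefix, maximum_paths=32):
        if not 1 <= maximum_paths <= 32:          # maximum-paths <1-32>
            raise ValueError("maximum-paths must be between 1 and 32")
        self.prefix = prefix
        self.maximum_paths = maximum_paths
        self.next_hops = []                       # [(next hop, cost)], all equal cost

    def add_next_hop(self, next_hop, cost):
        """Install next_hop if its cost equals the installed cost.

        A strictly cheaper path replaces the whole set; a dearer one is not
        installed (it would only be a backup); duplicates and anything beyond
        maximum-paths are refused.  Returns True when installed."""
        if any(nh == next_hop for nh, _ in self.next_hops):
            return False
        if self.next_hops and cost < self.next_hops[0][1]:
            self.next_hops = []
        if self.next_hops and cost > self.next_hops[0][1]:
            return False
        if len(self.next_hops) >= self.maximum_paths:
            return False
        self.next_hops.append((next_hop, cost))
        return True

    def remove_next_hop(self, next_hop):
        """A failed link: its next hop leaves the set, the others keep carrying traffic."""
        self.next_hops = [h for h in self.next_hops if h[0] != next_hop]

    def select(self, flow):
        """Pick a next hop for flow = (src, dst, proto, sport, dport).

        Hashing the 5-tuple keeps every packet of a flow on one path (no
        reordering) while different flows spread over all equal-cost paths."""
        if not self.next_hops:
            return None
        digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.next_hops)
        return self.next_hops[index][0]


def sample_flows(count):
    """Constructed flows from hosts behind R1 to R4's loopback 5.5.5.5."""
    return [(f"10.0.0.{i % 250 + 1}", "5.5.5.5", 6, 40000 + i, 443) for i in range(count)]


def distribution(route, flows):
    """How many flows each next hop receives."""
    counts = {}
    for flow in flows:
        next_hop = route.select(flow)
        counts[next_hop] = counts.get(next_hop, 0) + 1
    return counts


def r1_route_to_r4():
    """R1's equal-cost route to 5.5.5.5/32 via R2 and R3, as in 42.3.1."""
    route = EcmpRoute("5.5.5.5/32")
    route.add_next_hop("100.1.1.2", 1)
    route.add_next_hop("100.1.2.2", 1)
    return route
```

Per-flow hashing is what lets ECMP add bandwidth without reordering a TCP connection's segments; when one next hop is removed, the remaining flows are rehashed onto the surviving path instead of being dropped, which is the failover behaviour the text describes.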
42.2 ECMP Configuration Task List
1. Configure the max number of equal-cost routes
Command                   Explanation
Global mode
maximum-paths <1-32>      Configure the max number of equal-cost routes.
no maximum-paths
42.3 ECMP Typical Example
Figure 42-3-1 The application environment of ECMP
As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and
100.1.2.1/24. R2 and R3 connect to R1 with the interface addresses 100.1.1.2/24 and 100.1.2.2/24. R4
connects to R2 and R3 with the interface addresses 100.2.1.1/24 and 100.2.2.1/24. R2 and R3 connect to R4
with the interface addresses 100.2.1.2/24 and 100.2.2.2/24. The loopback address of R4 is 5.5.5.5/32.
42.3.1 Static Route Implements ECMP
R1(config)#ip route 5.5.5.5/32 100.1.1.2
R1(config)#ip route 5.5.5.5/32 100.1.2.2
On R1, show ip route displays the following:
R1(config)#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
C    1.1.1.1/32 is directly connected, Loopback1 tag:0
S    5.5.5.5/32 [1/0] via 100.1.1.2, Vlan100 tag:0
                [1/0] via 100.1.2.2, Vlan200 tag:0
C    100.1.1.0/24 is directly connected, Vlan100 tag:0
C    100.1.2.0/24 is directly connected, Vlan200 tag:0
C    127.0.0.0/8 is directly connected, Loopback tag:0
Total routes are : 6 item(s)
42.3.2 OSPF Implements ECMP
R1 configuration:
R1(config)#interface Vlan100
R1(Config-if-Vlan100)#ip address 100.1.1.1 255.255.255.0
R1(config)#interface Vlan200
R1(Config-if-Vlan200)#ip address 100.1.2.1 255.255.255.0
R1(config)#interface loopback 1
R1(Config-if-loopback1)#ip address 1.1.1.1 255.255.255.255
R1(config)#router ospf 1
R1(config-router)#ospf router-id 1.1.1.1
R1(config-router)#network 100.1.1.0/24 area 0
R1(config-router)#network 100.1.2.0/24 area 0
R2 configuration:
R2(config)#interface Vlan100
R2(Config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0
R2(config)#interface Vlan200
R2(Config-if-Vlan200)#ip address 100.2.1.2 255.255.255.0
R2(config)#interface loopback 1
R2(Config-if-loopback1)#ip address 2.2.2.2 255.255.255.255
R2(config)#router ospf 1
R2(config-router)#ospf router-id 2.2.2.2
R2(config-router)#network 100.1.1.0/24 area 0
R2(config-router)#network 100.2.1.0/24 area 0
R3 configuration:
R3(config)#interface Vlan100
R3(Config-if-Vlan100)#ip address 100.1.2.2 255.255.255.0
R3(config)#interface Vlan200
R3(Config-if-Vlan200)#ip address 100.2.2.2 255.255.255.0
R3(config)#interface loopback 1
R3(Config-if-loopback1)#ip address 3.3.3.3 255.255.255.255
R3(config)#router ospf 1
R3(config-router)#ospf router-id 3.3.3.3
R3(config-router)#network 100.1.2.0/24 area 0
R3(config-router)#network 100.2.2.0/24 area 0
R4 configuration:
R4(config)#interface Vlan100
R4(Config-if-Vlan100)#ip address 100.2.1.1 255.255.255.0
R4(config)#interface Vlan200
R4(Config-if-Vlan200)#ip address 100.2.2.1 255.255.255.0
R4(config)#interface loopback 1
R4(Config-if-loopback1)#ip address 5.5.5.5 255.255.255.255
R4(config)#router ospf 1
R4(config-router)#ospf router-id 4.4.4.4
R4(config-router)#network 100.2.1.0/24 area 0
R4(config-router)#network 100.2.2.0/24 area 0
On R1, show ip route displays the following:
R1(config)#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
C    1.1.1.1/32 is directly connected, Loopback1 tag:0
O    5.5.5.5/32 [110/3] via 100.1.1.2, Vlan100, 00:00:05 tag:0
                [110/3] via 100.1.2.2, Vlan200, 00:00:05 tag:0
C    100.1.1.0/24 is directly connected, Vlan100 tag:0
C    100.1.2.0/24 is directly connected, Vlan200 tag:0
O    100.2.1.0/24 [110/2] via 100.1.1.2, Vlan100, 00:02:25 tag:0
O    100.2.2.0/24 [110/2] via 100.1.2.2, Vlan200, 00:02:25 tag:0
C    127.0.0.0/8 is directly connected, Loopback tag:0
Total routes are : 8 item(s)
Chapter 43 IPv4 Multicast Protocol
43.1 IPv4 Multicast Protocol Overview
This chapter gives an introduction to the configuration of the IPv4 Multicast Protocol. All IPs in this chapter are
IPv4.
43.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet (carrying data, sound or video)
is a minority of the users in the network. One way is Unicast mode, i.e. setting up a separate data
transmission path for each user; another is Broadcast mode, which sends messages to all users in the
network, who receive the broadcast messages whether they need them or not. For example, if 200 users in a
network want to receive the same packet, the traditional solution is either to send the packet 200 times
separately via Unicast, so that every user who needs the data receives all of it, or to send the data across the
entire domain via Broadcast, transferring it over the whole network so that the users who need it can take it
directly. Both modes waste a great deal of valuable bandwidth, and Broadcast mode furthermore works
against security and secrecy.
The emergence of IP Multicast technology solved this problem. The Multicast source sends out the message
only once; the Multicast Routing Protocol sets up a tree route for the Multicast data packet, and the transferred
packet is duplicated and distributed only at the branching points, as late as possible. Thus the packet can be
sent accurately and efficiently to every user who needs it.
Note that the Multicast source does not need to join the Multicast group: it sends data to some Multicast
groups, but it is not necessarily a receiver of the group itself. More than one source can send packets to a
Multicast group simultaneously. There may be routers in the network that do not support Multicast, but a
Multicast router can encapsulate the Multicast packets into Unicast IP packets in tunnel mode and send them
to the next Multicast router, which strips the Unicast IP header and continues the Multicast transmission
process; thus a major alteration of the network structure is avoided. The primary advantages of Multicast are:
1. Enhanced efficiency: reduces network traffic and lightens the load on the server and CPU
2. Optimized performance: reduces redundant traffic
3. Distributed application: enables multipoint applications
43.1.2 Multicast Address
The destination address of a Multicast message uses a class D IP address, in the range 224.0.0.0 to
239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In
Unicast data transmission the path of a data packet runs from the source address to the destination address
and forwarding is performed hop by hop. In an IP Multicast environment, however, the destination is a group
rather than a single address; the receivers form a group address. All message receivers join the group, and
once they do, the data flowing to the group address is sent to the receivers immediately and every member of
the group receives the data packets. The members of a Multicast group are dynamic; hosts can join and leave
the Multicast group at any time.
A Multicast group can be permanent or temporary. Some Multicast group addresses are assigned officially;
these are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed, but its
membership can vary. The number of members of a Permanent Multicast Group can be arbitrary, even zero.
The IP Multicast addresses that are not reserved for Permanent Multicast Groups can be used by temporary
Multicast groups.
224.0.0.0 ~ 224.0.0.255 are reserved Multicast addresses (Permanent Group Addresses): 224.0.0.0 is
reserved but not assigned, and the other addresses are used by routing protocols; 224.0.1.0 ~
238.255.255.255 are Multicast addresses available to users (Temporary Group Addresses) and are valid in
the entire network domain; 239.0.0.0 ~ 239.255.255.255 are locally administered Multic ast addresses, valid
only within a specific local domain. Frequently used reserved multicast addresses are listed below:
Benchmark address (reserved)
224.0.0.1    Address of all hosts
224.0.0.2    Address of all Multicast Routers
224.0.0.3    Unassigned
224.0.0.4    DVMRP Router
224.0.0.5    OSPF Router
224.0.0.6    OSPF DR
224.0.0.7    ST Router
224.0.0.8    ST host
224.0.0.9    RIP-2 Router
224.0.0.10   IGRP Router
224.0.0.11   Active Agent
224.0.0.12   DHCP Server/Relay Agent
224.0.0.13   All PIM Routers
224.0.0.14   RSVP Encapsulation
224.0.0.15   All CBT Routers
224.0.0.16   Specified SBM
224.0.0.17   All SBMS
224.0.0.18   VRRP
224.0.0.22   IGMP
When Ethernet transmits Unicast IP messages, the destination MAC address used is the receiver's MAC
address. When transmitting Multicast packets the destination is no longer a specific receiver but a group with
uncertain membership, so a Multicast MAC address is used. The Multicast MAC address corresponds to the
Multicast IP address: IANA (Internet Assigned Numbers Authority) prescribes that the upper 25 bits of a
Multicast MAC address are fixed (0x01005e followed by a 0 bit) and that the lower 23 bits of the MAC address
are the lower 23 bits of the Multicast IP address.
Since only 23 of the lower 28 bits of an IP Multicast address are mapped into the MAC address, 32 different
IP Multicast addresses map to the same MAC address.
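The 23-bit mapping and the resulting 32-to-1 collision, as an added example in Python (not from the manual): multicast_mac computes the 01:00:5e MAC for a class D address, and groups_sharing_mac enumerates the 32 group addresses that share it. The function names are this example's own. The collision is why filtering on the multicast MAC alone (as a NIC or a switch that snoops on Layer 2 does in hardware) cannot tell those groups apart, and IP-level membership checks are still needed.

```python
"""IPv4 multicast address to Ethernet MAC mapping (RFC 1112 section 6.4).

Added example, not PLANET's code.  Computes the 01:00:5e multicast MAC of a
class D address and lists the 32 group addresses that share that MAC.
"""
import ipaddress

# Upper 25 bits of every IPv4 multicast MAC: 0x01005e followed by a 0 bit.
MCAST_MAC_PREFIX = 0x01005E << 24
LOW23 = 0x7FFFFF                   # the 23 IP address bits that are copied


def multicast_mac(ip):
    """Map a class D IPv4 address to its multicast MAC (lower 23 bits copied)."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a class D address")
    mac_int = MCAST_MAC_PREFIX | (int(addr) & LOW23)
    return ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip):
    """All 32 class D addresses whose MAC equals multicast_mac(ip).

    The first octet is always 1110xxxx (224..239), so its low 4 bits are not
    carried in the MAC, and neither is bit 23 (the high bit of the second
    octet).  Those 5 free bits give 2^5 = 32 colliding group addresses.
    """
    low23 = int(ipaddress.IPv4Address(ip)) & LOW23
    groups = []
    for first_octet in range(224, 240):
        for bit23 in (0, 1):
            value = (first_octet << 24) | (bit23 << 23) | low23
            groups.append(str(ipaddress.IPv4Address(value)))
    return groups


def collision_report(ip):
    """(mac, sorted colliding groups) for a quick look at one address."""
    return multicast_mac(ip), sorted(groups_sharing_mac(ip), key=ipaddress.IPv4Address)
```

Two consequences follow for a switch administrator: a host that joins 224.1.1.1 will also receive frames sent to 225.1.1.1 or 239.129.1.1 unless something above Layer 2 filters them, and a group chosen to avoid a well-known reserved address (224.0.0.x) should also avoid the 31 other addresses that share its MAC.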
43.1.3 IP Multicast Packet Transmission
In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address
in the destination address field of the IP data packet. Unlike Unicast mode, a Multicast data packet must be
forwarded out of a number of interfaces to reach all receiver sites, so the Multicast transmission procedure is
more complicated than the Unicast one.
To guarantee that all Multicast packets reach the router via the shortest path, the interface on which a
Multicast packet is received must be checked in a defined way against the Unicast routing table; this checking
mechanism, on which most Multicast Routing Protocols base their forwarding, is the RPF (Reverse Path
Forwarding) check. The Multicast router uses the source address of the received packet to query the Unicast
routing table or an independent Multicast routing table and determine whether the packet's ingress interface
is on the shortest path from the receiving site to the source address. If a Shortest Path Tree is used, the
source address is the address of the source host that sends the Multicast data packets; if a Shared Tree is
used, the source address is the address of the root of the Shared Tree. When a Multicast data packet reaches
the router and the RPF check passes, the packet is forwarded according to the Multicast forwarding entry;
otherwise the packet is discarded.
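The RPF check described above, as an added example in Python that is not part of the manual: the router looks up the packet's source (or, for a Shared Tree, the tree root) in a unicast table and accepts the packet only if it arrived on the interface that the unicast route would use to reach that address. The routing table, interface names, the RP address 192.168.100.1 and the sample packets are constructed for this example.

```python
"""RPF (Reverse Path Forwarding) check against a unicast routing table.

Added example, not PLANET's code.  The multicast router looks up a packet's
source address (or the shared-tree root) in its unicast table and forwards
the packet only if it arrived on the interface that leads back to that
address.  Table, interface names and packets are constructed.
"""
import ipaddress


class UnicastRib:
    def __init__(self):
        self.entries = []    # (network, outgoing interface, next hop)

    def add(self, prefix, interface, next_hop=None):
        self.entries.append((ipaddress.ip_network(prefix), interface, next_hop))

    def lookup(self, address):
        """Longest prefix match, as the unicast forwarding plane does it."""
        addr = ipaddress.ip_address(address)
        matches = [e for e in self.entries if addr in e[0]]
        return max(matches, key=lambda e: e[0].prefixlen) if matches else None


def rpf_check(rib, source, ingress_interface, rpf_root=None):
    """Return (passed, rpf_interface).

    For a Shortest Path Tree the lookup key is the multicast source itself;
    for a Shared Tree it is the tree root (the RP), given as rpf_root.  A
    packet whose lookup finds no route fails, as does one that arrived on any
    interface other than the RPF interface.
    """
    entry = rib.lookup(rpf_root if rpf_root else source)
    if entry is None:
        return False, None
    rpf_interface = entry[1]
    return rpf_interface == ingress_interface, rpf_interface


def build_rib():
    rib = UnicastRib()
    rib.add("10.1.0.0/16", "Vlan10", "10.1.0.254")    # toward the source networks
    rib.add("10.1.5.0/24", "Vlan20", "10.1.5.254")    # a more specific path to one subnet
    rib.add("192.168.100.0/24", "Vlan30")              # where the RP lives (shared tree)
    return rib


# Constructed packets: (source, group, ingress interface, rpf_root or None)
SAMPLE_PACKETS = [
    ("10.1.1.1", "239.1.1.1", "Vlan10", None),     # arrives on the RPF interface
    ("10.1.1.1", "239.1.1.1", "Vlan20", None),     # same source, wrong interface
    ("10.1.5.7", "239.1.1.1", "Vlan20", None),     # the /24 route decides: Vlan20 is right
    ("172.16.0.1", "239.1.1.1", "Vlan10", None),   # no unicast route to the source
]


def filter_packets(rib, packets):
    """Split packets into (forwarded, dropped) lists by the RPF check."""
    forwarded, dropped = [], []
    for source, group, interface, root in packets:
        passed, _ = rpf_check(rib, source, interface, root)
        (forwarded if passed else dropped).append((source, group, interface))
    return forwarded, dropped
```

The second packet is the case the check exists for: a copy of a multicast stream (or a packet with a forged source) arriving from the wrong direction is dropped rather than flooded, so the RPF check both prevents forwarding loops and limits what a host on the wrong side of the tree can inject.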
43.1.4 IP Multicast Application
IP Multicast technology has effectively solved the problem of sending from a single point and receiving at
multiple points. It achieves efficient data transmission from one point to multiple points, saving a great deal of
network bandwidth and reducing network load. Using the Multicast property of the network, new value-added
services can be supplied conveniently. In information service areas such as live broadcasting, network TV,
remote education, remote medicine and real-time video/audio conferencing, the following applications can be
supplied:
1) Multimedia and streaming media applications
2) Data repositories, financial applications (stock) etc.
3) Any "one point to multiple points" data distribution application
With more and more multimedia services on IP networks, Multicast has tremendous market potential and
Multicast services will become generalized and popular.
43.2 PIM-DM
43.2.1 Introduction to PIM-DM
PIM-DM (Protocol Independent Multicast, Dense Mode) is a dense-mode multicast routing protocol intended
for small networks in which the members of a multicast group are relatively densely distributed.
The working process of PIM-DM can be summarized as: Neighbor Discovery, Flooding & Prune, and Graft.
1. Neighbor Discovery
Once PIM-DM is enabled on a router, it sends Hello messages to discover neighbors. Network nodes running
PIM-DM use Hello messages to keep in contact with each other; PIM-DM Hello messages are sent periodically.
2. Flooding & Prune
PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source S
begins sending to a multicast group G, each router that receives the multicast packet first performs an RPF
check against the unicast routing table. If the check passes, the router creates an (S, G) entry and forwards the
packet to all downstream PIM-DM nodes (Flooding). If the RPF check fails, i.e. the packet arrived on the wrong
interface, the packet is discarded.
After this procedure every node in the PIM-DM multicast domain holds an (S, G) entry. A node with no
multicast group members downstream sends a Prune message upstream to tell the upstream node to stop
forwarding data for this group. On receiving the Prune message, the upstream node removes the
corresponding interface from the outgoing interface list of its (S, G) forwarding entry. The result is an SPT
(Shortest Path Tree) rooted at source S. The Prune process is initiated by the leaf routers.
The process above is called Flooding & Prune. Each pruned state also carries a time-out: when the Prune
times out, the router restarts the Flooding & Prune process. PIM-DM Flooding & Prune therefore repeats
periodically.
3. RPF Check
Using the RPF check, PIM-DM builds a multicast distribution tree rooted at the data source out of the existing
unicast routing table. When a multicast packet arrives, the router first determines whether it came over the
correct path: if the arrival interface is the one that unicast routing uses to reach the multicast source, the
packet is considered to be from the correct path; otherwise it is discarded as a redundant copy. The unicast
routes used for this judgment can come from any unicast routing protocol, such as RIP or OSPF; PIM-DM does
not rely on any specific unicast routing protocol.
4. Assert Mechanism
If two multicast routers A and B on the same LAN segment each have a route back to the source and both
forward the multicast packet from source S onto the LAN, the downstream multicast router C receives two
identical copies of each packet. When a router detects this, it uses the Assert mechanism to choose a single
forwarder: Assert packets are exchanged and the optimal path is selected. If the priority and cost of two or
more paths are the same, the node with the larger IP address becomes the upstream neighbor of the (S, G)
entry and is responsible for forwarding the (S, G) multicast packets.
5. Graft
When a pruned downstream node needs to resume receiving, it sends a Graft packet to notify the upstream
node to restore multicast data forwarding.
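The Flooding & Prune and Graft steps above, as an added example in Python (not code from the PLANET manual) that tracks the (S, G) state of one router: the outgoing interface list, per-interface prune timers, and the condition under which the router itself must prune upstream. The RPF interface per source is taken as already computed from the unicast table, the prune time-out and the topology are constructed values, and the state-refresh and Assert mechanisms are left out.

```python
from dataclasses import dataclass, field

# Added example (not from the PLANET manual): the (S, G) state one PIM-DM router
# keeps during Flooding & Prune and Graft (43.2.1, steps 2 and 5).  The RPF
# interface per source is taken as already computed from the unicast RIB; the
# prune time-out and topology are constructed values.  State-refresh messages
# and the Assert mechanism are not modelled.

PRUNE_TIMEOUT = 210   # seconds a pruned interface stays out of the OIL (constructed)


@dataclass
class SGEntry:
    source: str
    group: str
    iif: str                                            # RPF (incoming) interface
    oil: set = field(default_factory=set)               # outgoing interface list
    prune_expiry: dict = field(default_factory=dict)    # pruned iface -> expiry time


class DenseModeRouter:
    def __init__(self, name: str, interfaces, rpf_iface: dict):
        self.name = name
        self.interfaces = set(interfaces)
        self.rpf_iface = rpf_iface     # source -> RPF interface (from unicast routing)
        self.table = {}                # (S, G) -> SGEntry

    def receive_data(self, source, group, in_iface, now) -> list:
        """Flooding: on RPF pass, create/refresh the (S, G) entry and return the
        interfaces the packet is forwarded on; on RPF failure drop it ([])."""
        if self.rpf_iface.get(source) != in_iface:
            return []
        e = self.table.get((source, group))
        if e is None:
            e = SGEntry(source, group, in_iface, self.interfaces - {in_iface})
            self.table[(source, group)] = e
        for iface, expiry in list(e.prune_expiry.items()):   # expired prunes re-flood
            if now >= expiry:
                del e.prune_expiry[iface]
                e.oil.add(iface)
        return sorted(e.oil)

    def receive_prune(self, source, group, from_iface, now) -> bool:
        """Remove the pruned interface from the OIL.  Returns True when the OIL
        is now empty, i.e. this router must itself send a Prune upstream."""
        e = self.table.get((source, group))
        if e is not None and from_iface in e.oil:
            e.oil.discard(from_iface)
            e.prune_expiry[from_iface] = now + PRUNE_TIMEOUT
        return e is not None and not e.oil

    def receive_graft(self, source, group, from_iface) -> bool:
        """A downstream Graft puts the interface back into the OIL immediately."""
        e = self.table.get((source, group))
        if e is None or from_iface == e.iif:
            return False
        e.oil.add(from_iface)
        e.prune_expiry.pop(from_iface, None)
        return True
```

The periodic re-flood when a prune expires is the dense-mode cost the chapter warns about for larger networks: every (S, G) is pushed again to every PIM-DM neighbour, including segments with no receivers, until they prune once more.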
43.2.2 PIM-DM Configuration Task List
1. Enable PIM-DM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional PIM-DM parameters (Optional)
   a) Configure the interval for PIM-DM hello messages
   b) Configure the interval for state-refresh messages
   c) Configure the boundary interfaces
   d) Configure the management boundary
4. Disable PIM-DM protocol
1. Enable the PIM-DM protocol
When configuring PIM-DM on XGS3 series Layer 3 switches, PIM multicast routing must first be enabled
globally; PIM-DM can then be enabled on specific interfaces.
Global Configuration Mode
Command:
  ip pim multicast-routing
  no ip pim multicast-routing
Explanation:
  Enables PIM multicast routing globally for all interfaces. (To make PIM-DM work on specific interfaces, the
  following interface command must also be issued.) The no form disables it.
Then enable PIM-DM on the interface:
Interface Configuration Mode
Command:
  ip pim dense-mode
Explanation:
  Enables the PIM-DM protocol on the specified interface. (Required)
2. Configure static multicast routing entries
Global Configuration Mode
Command:
  ip mroute <A.B.C.D> <A.B.C.D> <ifname> <.ifname>
  no ip mroute <A.B.C.D> <A.B.C.D> [<ifname> <.ifname>]
Explanation:
  Configures a static multicast routing entry. The no form of this command removes the specified entry.
3. Configure additional PIM-DM parameters
a) Configure the interval for PIM-DM hello messages
Interface Configuration Mode
Command:
  ip pim hello-interval <interval>
  no ip pim hello-interval
Explanation:
  Configures the interval for PIM-DM hello messages. The no form of this command restores the default
  interval.
b) Configure the interval for state-refresh messages
Interface Configuration Mode
Command:
  ip pim state-refresh origination-interval
  no ip pim state-refresh origination-interval
Explanation:
  Configures the interval for sending PIM-DM state-refresh packets. The no form of this command restores
  the default value.
c) Configure the boundary interfaces
Interface Configuration Mode
Command:
  ip pim bsr-border
  no ip pim bsr-border
Explanation:
  Configures the interface as a boundary of the PIM-DM protocol. On a boundary interface, BSR messages are
  neither sent nor received, and the network connected to the interface is treated as a directly connected
  network. The no form of this command removes the configuration.
d) Configure the management boundary
Interface Configuration Mode
Command:
  ip pim scope-border <1-99> | <acl_name>
  no ip pim scope-border
Explanation:
  Configures a PIM-DM management (administrative) boundary on the interface and applies an ACL to it. By
  default 239.0.0.0/8 is treated as the scope of the administratively scoped groups. If an ACL is configured, the
  range permitted by the ACL is the scope instead. The no form of this command removes the configuration.
4. Disable PIM-DM protocol
Interface Configuration Mode
Command:
  no ip pim dense-mode
Explanation:
  Disables the PIM-DM protocol on the interface.
Global Configuration Mode
Command:
  no ip pim multicast-routing
Explanation:
  Disables PIM multicast routing globally.
43.2.3 PIM-DM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA and SwitchB to the corresponding
VLANs and enable PIM-DM on each VLAN interface.
[Figure 43-2-1 PIM-DM Typical Environment: SwitchA (Vlan 1, Vlan 2) connected to SwitchB (Vlan 1, Vlan 2)]
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 12.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim dense-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim dense-mode
At the same time, pay attention to the unicast routing protocol configuration: make sure every device can
reach every other device at the network layer and that routes are updated dynamically by the unicast routing
protocol, since the PIM-DM RPF check depends on those routes.
43.2.4 PIM-DM Troubleshooting
When configuring and using PIM-DM, the protocol may fail to operate normally because of a physical
connection problem or an incorrect configuration. Check the following:
 Make sure the physical connections are correct.
 Make sure the interface and link protocol are UP (use the show interface command).
 Make sure PIM is enabled in global configuration mode (use ip pim multicast-routing).
 Make sure PIM-DM is enabled on the interface (use ip pim dense-mode).
 Multicast protocols perform the RPF check using unicast routes, so the correctness of unicast routing must
be assured first.
If all these checks have been made and the PIM-DM problem still cannot be solved, use debug commands
such as debug pim, capture about 3 minutes of debug output and send it to the Technology Service Center.
43.3 PIM-SM
43.3.1 Introduction to PIM-SM
PIM-SM (Protocol Independent Multicast, Sparse Mode) is a sparse-mode multicast routing protocol, mainly
used in large networks whose group members are sparsely and widely distributed. Unlike the Flooding & Prune
of dense mode, PIM-SM assumes that no host wants to receive multicast data: a PIM-SM router forwards
multicast data to a host only if the host has explicitly requested it.
By configuring an RP (Rendezvous Point) and a BSR (Bootstrap Router), PIM-SM announces multicast
information to all PIM-SM routers and builds an RPT (RP-rooted shared tree) using the routers' Join/Prune
messages. This cuts down the bandwidth taken by data packets and control messages and reduces the
processing cost on the routers. Multicast data flows along the shared tree to the network segments where the
group members are located. When the data rate reaches a certain threshold, the multicast stream can be
switched to a source-based shortest path tree (SPT) to reduce network delay. PIM-SM does not rely on any
specific unicast routing protocol; it performs the RPF check using the existing unicast routing table.
1. PIM-SM Working Principle
The central working processes of PIM-SM are Neighbor Discovery, generation of the RP shared tree (RPT),
multicast source registration and SPT switchover. Neighbor Discovery is not described here since it is the
same as in PIM-DM.
(1) Generation of the RP Shared Tree (RPT)
When a host joins multicast group G, the leaf router directly connected to it learns through IGMP that there is
a receiver for group G, works out the Rendezvous Point (RP) for group G, and sends a Join message towards
the RP. Every router on the path from the leaf router to the RP creates a (*, G) entry, which applies to traffic
from any source to group G. When the RP receives traffic for group G, the traffic follows the established path
down to the leaf router and reaches the host. In this way the RPT, rooted at the RP, is generated.
(2) Multicast Source Registration
When a multicast source S sends a packet to group G, the PIM-SM router directly connected to the source
encapsulates the multicast packet in a Register message and unicasts it to the corresponding RP. If there are
several PIM-SM routers on the source's network segment, the DR (Designated Router) is responsible for
sending the Register messages.
(3) SPT Switchover
When a multicast router finds that the rate of multicast traffic arriving from the RP for group G exceeds the
threshold, it sends a Join message towards the source, which results in the switch from the RPT to the SPT.
2. Preparation before PIM-SM configuration
(1) Configure candidate RPs
More than one RP (candidate RP) can exist in a PIM-SM network, and each C-RP (Candidate RP) is
responsible for forwarding multicast packets for a certain range of destination addresses. Configuring several
candidate RPs implements RP load sharing. There is no master/slave relationship among RPs: after receiving
the candidate RP information announced by the BSR, all multicast routers compute the RP for a given
multicast group with the same algorithm, so they all arrive at the same mapping. Note that one RP can serve
several multicast groups, or all multicast groups, but each multicast group corresponds to exactly one RP at any
moment; it cannot map to more than one RP at the same time.
(2) Configure the BSR
The BSR is the management center of the PIM-SM network. It collects the messages sent by the candidate
RPs and advertises them.
Only one BSR can exist within a network, but more than one C-BSR (Candidate BSR) can be configured, so
that if the BSR fails another can take over. The C-BSRs elect the BSR automatically.
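The "same algorithm" that every router applies to the RP-Set, and the C-BSR election, as an added example in Python (not code from the PLANET manual). The hash is Value(G, M, C(i)) from RFC 4601 section 4.7.2 and the tie-break order (longest group range, then lowest C-RP priority value, then highest hash, then highest address; for the BSR, highest priority then highest address) follows RFC 4601/5059. The candidate addresses, priorities and group ranges are constructed, and the data-class names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the PLANET manual): the group-to-RP mapping every
# PIM-SM router computes from the same RP-Set (RFC 4601 section 4.7.2 hash) and
# the BSR election among candidate BSRs (RFC 5059).  Candidate addresses,
# priorities and group ranges below are constructed; the priority conventions
# (lower value preferred for C-RPs, higher value preferred for C-BSRs) follow
# those RFCs.


@dataclass(frozen=True)
class CandidateRP:
    address: str        # C-RP address (a VLAN or loopback interface address)
    group_range: str    # group prefix the C-RP is advertised for
    priority: int       # lower value is preferred


@dataclass(frozen=True)
class CandidateBSR:
    address: str
    priority: int       # higher value is preferred


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def rp_hash_value(group: str, hash_mask_len: int, crp_address: str) -> int:
    """Value(G, M, C(i)) from RFC 4601 4.7.2.  Groups that agree in their first
    hash_mask_len bits hash identically, so they land on the same RP."""
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    g = _ip(group) & mask
    return (1103515245 * ((1103515245 * g + 12345) ^ _ip(crp_address)) + 12345) % (1 << 31)


def elect_bsr(candidates):
    """Highest BSR priority wins; ties go to the highest IP address."""
    return max(candidates, key=lambda b: (b.priority, _ip(b.address)))


def select_rp(group: str, candidates, hash_mask_len: int = 30):
    """RP for `group`: longest matching group range, then lowest priority value,
    then highest hash value, then highest C-RP address.  None if no range matches."""
    g = ipaddress.IPv4Address(group)
    matching = [c for c in candidates if g in ipaddress.IPv4Network(c.group_range)]
    if not matching:
        return None
    longest = max(ipaddress.IPv4Network(c.group_range).prefixlen for c in matching)
    matching = [c for c in matching
                if ipaddress.IPv4Network(c.group_range).prefixlen == longest]
    best = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best]
    return max(matching, key=lambda c: (rp_hash_value(group, hash_mask_len, c.address),
                                        _ip(c.address)))
```

The hash mask length is the first optional argument of ip pim bsr-candidate (30 in the example in 43.3.3), and the result of select_rp for a group is what show ip pim rp-hash reports. Because any router that learns the RP-Set performs this computation, a rogue C-RP with a lower priority value, or a rogue C-BSR with a higher priority, takes over the mapping; the bsr-border and neighbor-filter commands in the task list below are the controls that keep such candidates out.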
43.3.2 PIM-SM Configuration Task List
1. Enable PIM-SM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional parameters for PIM-SM (Optional)
   (1) Configure parameters for PIM-SM interfaces
       1) Configure the interval for PIM-SM hello messages
       2) Configure the hold time for PIM-SM hello messages
       3) Configure ACL for PIM-SM neighbors
       4) Configure the interface as the boundary interface of the PIM-SM protocol
       5) Configure the interface as the management boundary of the PIM-SM protocol
   (2) Configure global PIM-SM parameters
       1) Configure the switch as a candidate BSR
       2) Configure the switch as a candidate RP
       3) Configure static RP
4. Disable PIM-SM Protocol
1. Enable PIM-SM Protocol
PIM-SM is enabled on XGS3 series Layer 3 switches by enabling PIM in global configuration mode and then
enabling PIM-SM on specific interfaces in interface configuration mode.
Global Configuration Mode
Command:
  ip pim multicast-routing
Explanation:
  Enables PIM multicast routing for all interfaces. (To make PIM-SM work on specific interfaces, the following
  interface command must also be issued.) (Required)
Then enable PIM-SM on the interface:
Interface Configuration Mode
Command:
  ip pim sparse-mode
Explanation:
  Enables the PIM-SM protocol on the interface. (Required)
2. Configure static multicast routing entries
Global Configuration Mode
Command:
  ip mroute <A.B.C.D> <A.B.C.D> <ifname> <.ifname>
  no ip mroute <A.B.C.D> <A.B.C.D> [<ifname> <.ifname>]
Explanation:
  Configures a static multicast routing entry. The no form of this command removes the specified static
  multicast routing entry.
3. Configure additional parameters for PIM-SM
(1) Configure parameters for PIM-SM interfaces
1) Configure the interval for PIM-SM hello messages
Interface Configuration Mode
Command:
  ip pim hello-interval <interval>
  no ip pim hello-interval
Explanation:
  Configures the interval for PIM-SM hello messages. The no form of this command restores the default
  interval.
2) Configure the hold time for PIM-SM hello messages
Interface Configuration Mode
Command:
  ip pim hello-holdtime <value>
  no ip pim hello-holdtime
Explanation:
  Configures the value of the holdtime field in PIM-SM hello messages. The no form of this command restores
  the default hold time.
3) Configure ACL for PIM-SM neighbors
Interface Configuration Mode
Command:
  ip pim neighbor-filter {<access-list-number>}
  no ip pim neighbor-filter {<access-list-number>}
Explanation:
  Applies an ACL to filter PIM-SM neighbors. If a neighbor is denied by the ACL, any session already
  established with it is torn down immediately and no new session is set up with it. The no form of this
  command removes the filter.
4) Configure the interface as the boundary interface of the PIM-SM protocol
Interface Configuration Mode
Command:
  ip pim bsr-border
  no ip pim bsr-border
Explanation:
  Configures the interface as a boundary of the PIM-SM protocol. On a boundary interface, BSR messages are
  neither sent nor received, and the network connected to the interface is treated as a directly connected
  network. The no form of this command removes the configuration.
5) Configure the interface as the management boundary of the PIM-SM protocol
Interface Configuration Mode
Command:
  ip pim scope-border <1-99> | <acl_name>
  no ip pim scope-border
Explanation:
  Configures a PIM-SM management (administrative) boundary on the interface and applies an ACL to it. By
  default 239.0.0.0/8 is treated as the scope of the administratively scoped groups. If an ACL is configured, the
  range permitted by the ACL is the scope instead. acl_name must be the name of a standard IPv4 ACL. The
  no form of this command removes the configuration.
(2) Configure global PIM-SM parameters
1) Configure the switch as a candidate BSR
Global Configuration Mode
Command:
  ip pim bsr-candidate {vlan <vlan-id> | <ifname>} [<mask-length>] [<priority>]
  no ip pim bsr-candidate
Explanation:
  Global candidate BSR configuration command. It configures the PIM-SM candidate BSR information so that
  this switch can compete with the other candidate BSRs to become the BSR. The command "no ip pim
  bsr-candidate" cancels the BSR configuration.
2) Configure the switch as a candidate RP
Global Configuration Mode
Command:
  ip pim rp-candidate {vlan <vlan-id> | loopback <index> | <ifname>} [<A.B.C.D>] [<priority>]
  no ip pim rp-candidate
Explanation:
  Global candidate RP configuration command. It configures the PIM-SM candidate RP information so that
  this switch can compete with the other candidate RPs to become the RP. The command "no ip pim
  rp-candidate" cancels the RP configuration.
3) Configure static RP
Global Configuration Mode
Command:
  ip pim rp-address <A.B.C.D> [<A.B.C.D/M>]
  no ip pim rp-address <A.B.C.D> {<all> | <A.B.C.D/M>}
Explanation:
  Configures a static RP, either globally (for all groups) or for the given multicast address range. The no form
  of this command removes the static RP configuration.
4. Disable PIM-SM Protocol
Interface Configuration Mode
Command:
  no ip pim sparse-mode
Explanation:
  Disables the PIM-SM protocol on the interface.
Global Configuration Mode
Command:
  no ip pim multicast-routing
Explanation:
  Disables PIM multicast routing globally.
43.3.3 PIM-SM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the
corresponding VLANs and enable PIM-SM on each VLAN interface.
[Figure 43-3-1 PIM-SM Typical Environment: SwitchA (Vlan 1, Vlan 2), SwitchB (Vlan 1, Vlan 2 = RP),
SwitchC (Vlan 1, Vlan 2 = BSR, Vlan 3), SwitchD (Vlan 1, Vlan 2, Vlan 3)]
The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as follows:
(1) Configure SwitchA:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 13.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 24.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#ip pim rp-candidate vlan2
(3) Configure SwitchC:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 34.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 13.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan3)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#ip pim bsr-candidate vlan2 30 10
(4) Configure SwitchD:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 34.1.1.4 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 24.1.1.4 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 40.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan3)#ip pim sparse-mode
At the same time, pay attention to the unicast routing protocol configuration: make sure every device can
reach every other device at the network layer and that routes are updated dynamically by the unicast routing
protocol, since the PIM-SM RPF check depends on those routes.
43.3.4 PIM-SM Troubleshooting
When configuring and using PIM-SM, the protocol may fail to operate normally because of a physical
connection problem or an incorrect configuration. Check the following:
 Make sure the physical connections are correct;
 Make sure the interface and link protocol are UP (use the show interface command);
 Make sure PIM is enabled in global configuration mode (use ip pim multicast-routing);
 Make sure PIM-SM is configured on the interface (use ip pim sparse-mode);
 Multicast protocols perform the RPF check using unicast routes, so the correctness of unicast routing must
be assured first;
 PIM-SM depends on the RP and the BSR, so first use show ip pim bsr-router to see whether BSR
information is present. If it is not, check whether there is a unicast route to the BSR.
 Use show ip pim rp-hash to check whether the RP information is correct; if there is no RP information, check
unicast routing again.
If all these checks have been made and the PIM-SM problem still cannot be solved, use debug commands
such as debug pim / debug pim BSR, capture about 3 minutes of debug output and send it to the Technology
Service Center.
43.4 MSDP Configuration
43.4.1 Introduction to MSDP
MSDP (Multicast Source Discovery Protocol) is a protocol for learning about multicast sources in other PIM-SM
domains. An RP on which MSDP is configured advertises the multicast sources in its own domain to all its
MSDP peers through SA (Source-Active) messages, so knowledge of the sources in one PIM-SM domain is
spread to the others. In MSDP an inter-domain source information tree is used instead of the shared tree. The
multicast routing protocol used for routing inside each domain must be PIM-SM.
 The work flow for the RP in the PIM-SM protocol
[Figure: RP work flow in PIM-SM. 1) Traffic from the multicast application server reaches the RP in a PIM
Register packet; 2) the subscriber joins the group; 3) the multicast data is delivered through the shared tree;
4) delivery switches to the shortest path tree.]
43.4.2 Brief Introduction to MSDP Configuration Tasks
1. Configuration of MSDP basic function
   1) Enabling MSDP (Required)
   2) Configuring MSDP entities (Required)
   3) Configuring the Connect-Source interface
   4) Configuring static RPF entities
   5) Configuring Originator RP
   6) Configuring TTL value
2. Configuration of MSDP entities
   1) Configuring the Connect-Source interface
   2) Configuring the descriptive information for MSDP entities
   3) Configuring the AS number
   4) Configuring the specified mesh group of MSDP
   5) Configuring the maximum size for the cache
3. Configurations on delivery of SA packets
   1) Configuring filter policies for creation of SA packets
   2) Configuring filter rules on how to receive and forward SA packets
   3) Configuring SA request packets
   4) Configuring filter policies for SA-Request packets
4. Configuration of parameters of SA-cache
   1) Configuring SA packets cache
   2) Configuring the aging time for entries in SA packets cache
   3) Configuring the maximum size for the cache
43.4.3 Configuration of MSDP Basic Function
All the commands in this section are configured on the RPs of the PIM-SM domains. These RPs act as the
MSDP peers of each other.
43.4.3.1 Prerequisites of MSDP Configuration
Before the MSDP basic functions can be configured, the following tasks should be done:
 Configure at least one unicast routing protocol, so that the networks inside and outside the domain are
connected
 Configure PIM-SM to implement multicast inside the domain
When configuring the MSDP basic function, the following information should be ready:
 The IP addresses of the MSDP entities (peers)
 The filter policy table
Note: MSDP cannot be used together with Anycast RP at the same time; instead, configure Anycast RP based
on the MSDP protocol.
43.4.3.2 Enabling MSDP
MSDP must be enabled before the other MSDP functions can be configured.
1. Enable the MSDP function
2. Configure MSDP parameters
1. Enabling MSDP
Global Configuration Mode
Command:
  router msdp
  no router msdp
Explanation:
  Enables MSDP and enters MSDP configuration mode. The no form of this command disables MSDP globally.
2. Configuration of MSDP parameters
MSDP Configuration Mode
Command:
  connect-source <interface-type> <interface-number>
  no connect-source
Explanation:
  Configures the Connect-Source interface for MSDP peers. The no form of this command removes the
  configured Connect-Source interface.
Command:
  default-rpf-peer <peer-address> [rp-policy <acl-list-number> | <word>]
  no default-rpf-peer
Explanation:
  Configures a static RPF peer. The no form of this command removes the configured RPF peer.
Command:
  originating-rp <interface-type> <interface-number>
  no originating-rp
Explanation:
  Configures the Originator-RP. The no form of this command removes the configured Originator-RP.
Command:
  ttl-threshold <ttl>
  no ttl-threshold
Explanation:
  Configures the TTL threshold. The no form of this command removes the configured TTL value.
43.4.4 Configuration of MSDP Entities
43.4.4.1 Creation of MSDP Peer
MSDP Configuration Mode
Command:
  peer <peer-address>
  no peer <peer-address>
Explanation:
  Creates an MSDP peer and enters MSDP peer configuration mode. The no form of this command removes
  the configured MSDP peer.
43.4.4.2 Configuration of MSDP parameters
MSDP Peer Configuration Mode
Command:
  connect-source <interface-type> <interface-number>
  no connect-source
Explanation:
  Configures the Connect-Source interface for the MSDP peer. The no form of this command removes the
  configured Connect-Source interface.
Command:
  description <text>
  no description
Explanation:
  Configures descriptive information about the MSDP peer. The no form of this command removes the
  configured description.
Command:
  remote-as <as-num>
  no remote-as <as-num>
Explanation:
  Configures the AS number of the MSDP peer. The no form of this command removes the configured AS
  number.
Command:
  mesh-group <name>
  no mesh-group <name>
Explanation:
  Adds the MSDP peer to the specified mesh group. The no form of this command removes the MSDP peer
  from the specified mesh group.
43.4.5 Configuration of Delivery of MSDP Packets
MSDP Configuration Mode
Command:
  redistribute [list <acl-list-number | acl-name>]
  no redistribute
Explanation:
  Configures the filter rules for creation of SA packets. The no form of this command removes the configured
  rules.
MSDP Configuration Mode or MSDP Peer Configuration Mode
Command:
  sa-filter (in | out) [list <acl-number | acl-name> | rp-list <rp-acl-number | rp-acl-name>]
  no sa-filter (in | out) [list <acl-number | acl-name> | rp-list <rp-acl-number | rp-acl-name>]
Explanation:
  Configures the filter rules for receiving (in) and forwarding (out) SA packets. The no form of this command
  removes the configured rules.
MSDP Peer Configuration Mode
Command:
  sa-request
  no sa-request
Explanation:
  Enables sending of SA request packets to the peer. The no form of this command disables sending of SA
  request packets.
MSDP Configuration Mode
Command:
  sa-request-filter [list <access-list-number | access-list-name>]
  no sa-request-filter [list <access-list-number | access-list-name>]
Explanation:
  Configures filter rules for received SA request packets. The no form of this command removes the configured
  filter rules for SA request packets.
43.4.6 Configuration of Parameters of SA-cache
MSDP Configuration Mode
Command:
  cache-sa-state
  no cache-sa-state
Explanation:
  Enables the SA packet cache. The no form of this command disables the SA packet cache.
Command:
  cache-sa-holdtime <150-3600>
  no cache-sa-holdtime
Explanation:
  Configures the aging time for entries in the SA cache. The no form of this command restores the default
  aging time.
MSDP Configuration Mode or MSDP Peer Configuration Mode
Command:
  cache-sa-maximum <sa-limit>
  no cache-sa-maximum
Explanation:
  Configures the maximum size of the SA cache. The no form of this command restores the size of the SA
  cache to the default value.
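What an MSDP speaker does with an incoming SA message under the controls configured in 43.4.3 to 43.4.6 (peer-RPF acceptance as with default-rpf-peer, inbound sa-filter with list and rp-list, cache-sa-holdtime aging and the cache-sa-maximum limit), as an added example in Python (not code from the PLANET manual). The filter representation, peer addresses and SA messages are constructed for the example; it reuses the addresses of the configuration example that follows, with RP1 (10.1.1.1) originating and 40.1.1.2 as the expected peer.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the PLANET manual): what an MSDP speaker does with an
# incoming SA message under the controls this section configures: peer-RPF
# acceptance (default-rpf-peer), inbound SA filtering (sa-filter in ... list /
# rp-list), cache aging (cache-sa-holdtime) and a cache limit (cache-sa-maximum).
# The filter representation, peers and SA messages are constructed for the example.


@dataclass(frozen=True)
class SA:
    source: str       # active multicast source S
    group: str        # group G
    origin_rp: str    # RP that originated the SA


class SAFilter:
    """Inbound filter: optional (source-prefix, group-prefix) permit list and an
    optional list of originating-RP prefixes to deny (stands in for the ACLs of
    'sa-filter in list <acl>' and 'sa-filter in rp-list <acl>')."""

    def __init__(self, sg_permit=None, rp_deny=()):
        self.sg_permit = None if sg_permit is None else [
            (ipaddress.IPv4Network(s), ipaddress.IPv4Network(g)) for s, g in sg_permit]
        self.rp_deny = [ipaddress.IPv4Network(n) for n in rp_deny]

    def permits(self, sa: SA) -> bool:
        rp = ipaddress.IPv4Address(sa.origin_rp)
        if any(rp in n for n in self.rp_deny):
            return False
        if self.sg_permit is None:
            return True
        s, g = ipaddress.IPv4Address(sa.source), ipaddress.IPv4Address(sa.group)
        return any(s in sn and g in gn for sn, gn in self.sg_permit)


class MsdpSaCache:
    def __init__(self, holdtime=150, maximum=None, rpf_peer_for_rp=None, in_filters=None):
        if not 150 <= holdtime <= 3600:                      # range of cache-sa-holdtime
            raise ValueError("holdtime must be within 150-3600")
        self.holdtime = holdtime
        self.maximum = maximum                               # None = no cache-sa-maximum
        self.rpf_peer_for_rp = dict(rpf_peer_for_rp or {})  # origin RP -> accepted peer
        self.in_filters = dict(in_filters or {})             # peer -> SAFilter
        self.cache = {}                                      # SA -> expiry time
        self.dropped = []                                    # (reason, SA) audit trail

    def expire(self, now) -> None:
        for sa, expiry in list(self.cache.items()):
            if now >= expiry:
                del self.cache[sa]

    def receive(self, sa: SA, from_peer: str, now) -> bool:
        """Accept an SA into the cache, or drop it and record why."""
        self.expire(now)
        expected = self.rpf_peer_for_rp.get(sa.origin_rp)
        if expected is not None and expected != from_peer:
            self.dropped.append(("peer-rpf", sa))      # SA from a non-RPF peer: loop/forgery guard
            return False
        f = self.in_filters.get(from_peer)
        if f is not None and not f.permits(sa):
            self.dropped.append(("sa-filter-in", sa))
            return False
        if sa not in self.cache and self.maximum is not None and len(self.cache) >= self.maximum:
            self.dropped.append(("cache-full", sa))    # flood protection
            return False
        self.cache[sa] = now + self.holdtime           # new entry or refreshed hold time
        return True

    def active_sources(self, group: str, now) -> list:
        self.expire(now)
        return sorted(sa.source for sa in self.cache if sa.group == group)
```

The order of the checks matters: an SA that fails peer-RPF or the inbound filter never consumes a cache slot, so a burst of bogus SAs from one peer cannot evict legitimate state; only SAs that pass both are subject to the cache limit.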
43.4.7 MSDP Configuration Examples
Example 1: MSDP basic function.
Multicast operation:
1. Suppose the multicast server is sending multicast datagrams to 224.1.1.1.
2. The designated router (DR) connected to the multicast server encapsulates the multicast datagrams in
Register packets and sends them to the RP (RP1) of the local domain.
3. The RP decapsulates the packets and sends them to all members in the domain through the shared tree.
Members in the domain may or may not be on the shared tree.
4. At the same time, the source-side RP generates an SA (Source-Active) message and sends it to its MSDP
peer, RP2.
5. If there are members in the domain of the MSDP peer RP3, RP3 distributes the multicast datagram
encapsulated in the SA message to the members of its shared tree and sends Join messages towards the
multicast source. That is, the RP creates an (S, G) entry and sends (S, G) Join messages hop by hop, so that
the join reaches the SPT rooted at the multicast source across the PIM-SM domains.
If there are no members in the domain of the MSDP peer RP2, RP2 neither creates the (S, G) entry nor joins
the SPT rooted at the multicast source.
6. Once the reverse path has been set up, multicast datagrams from the source are delivered directly to RP3,
and the RP forwards them onto the shared tree. At this point the router closest to the domain members can
decide for itself whether to switch to the SPT.
[Figure 43-4-1 Network Topology for MSDP Entry: Domain A (Source, RP1, RouterA), Domain B (RouterB,
RP2), Domain C (RP3, Receiver)]
Configuration tasks are listed below:
Prerequisites:
Enable a unicast routing protocol and PIM on every router, and make sure that inter-domain routing and
multicasting inside each domain work correctly.
Suppose the multicast server S in Domain A offers multicast programs at 224.1.1.1, and a host R in Domain C
subscribes to this program. Before MSDP is configured, R cannot receive the program. With the following
configuration, R is able to receive the programs offered by S.
RP1 in Domain A:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 10.1.1.2
Router A in Domain A:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 10.1.1.1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 20.1.1.1
Router B in Domain B:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 20.1.1.2
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 30.1.1.2
RP2 in Domain B:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#interface vlan 4
XGS3-42000R(config-if-Vlan4)#ip address 40.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan4)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 30.1.1.1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 40.1.1.1
RP3 in Domain C:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 4
XGS3-42000R(config-if-Vlan4)#ip address 40.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan4)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 40.1.1.2
Example 2: Application of MSDP Mesh-Group.
A Mesh-Group can be used to reduce the flooding of SA messages. Peers which are fully meshed in the same domain can be configured as a Mesh-Group. All the members of the same mesh group use a unique group name.
As shown in Figure 43-4-2 and Figure 43-4-3, when a Mesh-Group is configured for the four meshed Peers in the same domain, the flooding of SA messages is reduced remarkably.
Figure 43-4-2 Flooding of SA messages (peers in PIM SM 1 without a mesh group)
Figure 43-4-3 Flooding of SA messages with mesh group configuration (peers RA, RB, RC and RD in PIM SM 1 forming one Mesh Group)
Configuration steps are listed as below:
Router A:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 10.1.1.2
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 20.1.1.4
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 30.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
Router B:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 4
XGS3-42000R(config-if-Vlan4)#ip address 40.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan4)#exit
XGS3-42000R(config)#interface vlan 6
XGS3-42000R(config-if-Vlan6)#ip address 60.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan6)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 10.1.1.1
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 40.1.1.4
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 60.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
Router C:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#interface vlan 5
XGS3-42000R(config-if-Vlan5)#ip address 50.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan5)#exit
XGS3-42000R(config)#interface vlan 6
XGS3-42000R(config-if-Vlan6)#ip address 60.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan6)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 30.1.1.1
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 50.1.1.4
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 60.1.1.2
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
Router D:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.4 255.255.255.0
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 4
XGS3-42000R(config-if-Vlan4)#ip address 40.1.1.4 255.255.255.0
XGS3-42000R(config-if-Vlan4)#exit
XGS3-42000R(config)#interface vlan 5
XGS3-42000R(config-if-Vlan5)#ip address 50.1.1.4 255.255.255.0
XGS3-42000R(config-if-Vlan5)#exit
XGS3-42000R(config)#router msdp
XGS3-42000R(router-msdp)#peer 20.1.1.1
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 40.1.1.2
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 50.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
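The following Python script is an added example, not part of the manual or the switch firmware: it reads CLI transcripts in the style of Example 1 and Example 2 for several routers at once and reports peerings that cannot come up, so a multi-router MSDP configuration can be checked before it is pushed to the switches. The router names, the three-router sample transcript and the two slips planted in RouterC are constructed for the example.

```python
"""Offline consistency audit of MSDP peer and mesh-group configuration: parses
XGS3-42000R style CLI transcripts for several routers and reports peerings that
cannot come up (self-peer, unknown peer address, one-sided peer, group mismatch)."""
import re
from dataclasses import dataclass, field

# matches e.g. "XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0"
PROMPT_RE = re.compile(r"^\S+?\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")


@dataclass
class Router:
    name: str
    addresses: set = field(default_factory=set)  # IPs of its layer 3 interfaces
    peers: dict = field(default_factory=dict)    # peer IP -> mesh-group name or None


def parse_router(name, transcript):
    """Extract interface addresses and MSDP peers from one CLI transcript."""
    router = Router(name)
    current_peer = None
    for raw in transcript.strip().splitlines():
        match = PROMPT_RE.match(raw.strip())
        if not match:
            continue  # lines without a mode prompt, e.g. "XGS3-42000R#config"
        cmd = match.group("cmd").split()
        if cmd[:2] == ["ip", "address"] and len(cmd) >= 3:
            router.addresses.add(cmd[2])
        elif cmd[:1] == ["peer"] and len(cmd) == 2:
            current_peer = cmd[1]
            router.peers.setdefault(current_peer, None)
        elif cmd[:1] == ["mesh-group"] and len(cmd) == 2 and current_peer:
            router.peers[current_peer] = cmd[1]  # applies to the peer just entered
        elif cmd == ["exit"] and match.group("mode") == "msdp-peer":
            current_peer = None
    return router


def audit(routers):
    """Return sorted findings for a set of routers; an empty list means consistent."""
    owner = {}  # IP -> router name, to resolve peer addresses and spot duplicates
    findings = []
    for router in routers:
        for ip in router.addresses:
            if ip in owner:
                findings.append(f"{ip} is configured on both {owner[ip]} and {router.name}")
            owner.setdefault(ip, router.name)
    by_name = {router.name: router for router in routers}
    for router in routers:
        for ip, group in router.peers.items():
            if ip in router.addresses:
                findings.append(f"{router.name}: peer {ip} is its own address")
                continue
            if ip not in owner:
                findings.append(f"{router.name}: peer {ip} is not an address of any known router")
                continue
            other = by_name[owner[ip]]
            # the far end must point back at one of this router's addresses
            back = [g for peer_ip, g in other.peers.items() if peer_ip in router.addresses]
            if not back:
                findings.append(f"{router.name} -> {other.name}: one-sided, {other.name} has no peer to {router.name}")
            elif back[0] != group and router.name < other.name:  # report each pair once
                findings.append(f"{router.name} <-> {other.name}: mesh-group {group!r} vs {back[0]!r}")
    return sorted(findings)


# Constructed sample (not from the manual): three routers meant to form mesh group
# XGS3-1. Interface and exit lines are left out since the parser needs only address
# and peer lines. RouterC carries two typical slips: it peers with its own VLAN 3
# address instead of RouterA's, and it misspells the group name toward RouterB.
SAMPLE = {
    "RouterA": """
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
XGS3-42000R(router-msdp)#peer 10.1.1.2
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 30.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
""",
    "RouterB": """
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan6)#ip address 60.1.1.2 255.255.255.0
XGS3-42000R(router-msdp)#peer 10.1.1.1
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 60.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
""",
    "RouterC": """
XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.3 255.255.255.0
XGS3-42000R(config-if-Vlan6)#ip address 60.1.1.3 255.255.255.0
XGS3-42000R(router-msdp)#peer 30.1.1.3
XGS3-42000R(msdp-peer)#mesh-group XGS3-1
XGS3-42000R(msdp-peer)#exit
XGS3-42000R(router-msdp)#peer 60.1.1.2
XGS3-42000R(msdp-peer)#mesh-group xgs3-1
""",
}


def audit_sample():
    return audit([parse_router(name, text) for name, text in SAMPLE.items()])
```

Running the audit over the sample reports the one-sided RouterA to RouterC peering, the mesh-group spelling mismatch between RouterB and RouterC, and RouterC's self-peer; a consistent mesh produces an empty list.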
43.4.8 MSDP Troubleshooting
When MSDP is being configured, it may not function because the physical link is not working or because of configuration mistakes. Attention should be paid to the following items in order to make MSDP work:
 Make sure the physical link works well
 Make sure inner-domain and inter-domain routing works
 Make sure PIM-SM is applied in every domain as the inner-domain routing protocol, and the configuration for PIM-SM works well
 Make sure MSDP is enabled, and the link status of the MSDP-enabled Peer is UP
 Use the command show msdp global to check whether the MSDP configuration is correct
If the MSDP problems cannot be solved through all the methods provided above, please issue the command debug msdp to get the debugging messages within three minutes, and send them to the technical service center of our company.
43.5 ANYCAST RP Configuration
43.5.1 Introduction to ANYCAST RP
Anycast RP is a technology based on the PIM protocol, which provides redundancy in order to recover as soon as possible once an RP becomes unusable.
The kernel concept of Anycast RP is that the RP address configured all over the whole network exists on multiple multicast servers (the most common situation is that every device providing ANYCAST RP uses a LOOPBACK interface and configures the RP address on this interface with the longest mask), while the unicast routing algorithm makes sure that PIM routers can always find the nearest RP, thus providing a shorter and faster way to find the RP in a larger network. Once an RP being used becomes unusable, the unicast routing algorithm will ensure that the PIM router can find a new RP path fast enough to recover the multicast server in time. Multiple RPs cause a new problem: if the multicast source and the receivers are registered to different RPs, some receivers will not be able to receive data of the multicast source (obviously, the register messages only prefer the nearest RP). So, in order to keep the communication between all RPs, Anycast RP defines that the nearest RP to the multicast source should forward the source register messages to all the other RPs, to guarantee that all joiners of every RP can find the multicast source.
The method to realize the PIM-protocol-based Anycast RP is to maintain an ANYCAST RP list on every switch configured with Anycast RP, and to use another address as the label by which the RPs identify each other. When one Anycast RP device receives a register message, it sends the register message to the other Anycast RP devices while using its own address as the source address, to notify all the other devices of the original destination.
43.5.2 ANYCAST RP Configuration Task
1. Enable ANYCAST RP v4 function
2. Configure ANYCAST RP v4
1. Enable ANYCAST RP v4 function
Global Configuration Mode
Command: ip pim anycast-rp
         no ip pim anycast-rp
Explanation: Enable the ANYCAST RP function (necessary). The no operation globally disables the ANYCAST RP function.
2. Configure ANYCAST RP v4
(1) Configure the RP candidate
Global Configuration Mode
Command: ip pim rp-candidate {vlan<vlan-id> |loopback<index> |<ifname>} [<A.B.C.D>] [<priority>]
         no ip pim rp-candidate
Explanation: PIM-SM now allows the Loopback interface to be an RP candidate (necessary). Please pay attention that the ANYCAST RP protocol can configure either the Loopback interface or a regular layer 3 VLAN interface to be the RP candidate. To make sure that PIM routers in the network can find where the RP is located, the RP candidate interface should be added into the router. The no operation cancels the RP candidate configuration on this router.
(2) Configure self-rp-address (the RP address of this router)
Global Configuration Mode
Command: ip pim anycast-rp self-rp-address A.B.C.D
         no ip pim anycast-rp self-rp-address
Explanation: Configure the self-rp-address of this router (as an RP). This address is used to exclusively identify this router when communicating with other RPs. The effect of self-rp-address refers to two respects:
1. Once this router (as an RP) receives a register message from a DR by unicast, it needs to forward the register message to all the other RPs in the network, notifying them of the state of the source (S, G). While forwarding the register message, this router changes its source address into the self-rp-address.
2. Once this router (as an RP) receives a register message from another RP by unicast, that is, a register message whose destination is the self-rp-address of this router, it creates (S, G) state and sends back a register-stop message whose destination address is the source address of the register message.
Pay attention: self-rp-address has to be the address of a layer 3 interface on this router, but the configuration is allowed to be done in the absence of the interface. The self-rp-address should be unique.
The no operation cancels the self-rp-address which is used by this router (as an RP) to communicate with other RPs.
(3) Configure other-rp-address (other RP communication addresses)
Global Configuration Mode
Command: ip pim anycast-rp <anycast-rp-addr> <other-rp-addr>
         no ip pim anycast-rp <anycast-rp-addr> <other-rp-addr>
Explanation: Configure anycast-rp-addr on this router (as an RP). This unicast address is actually the RP address configured on multiple RPs in the network, in accordance with the address of the RP candidate interface (or Loopback interface). The effect of anycast-rp-addr includes:
1. Although more than one anycast-rp-addr is allowed to be configured, only the one having the same address as the currently configured RP candidate address will take effect. Only after that can the other-rp-addresses in accordance with this anycast-rp-addr take effect.
2. The configuration is allowed to be done in the absence of the interface in accordance with the anycast-rp-addr.
Configure on this router (as an RP) the other-rp-addresses of the other RPs communicating with it. This unicast address identifies another RP and is used in the communication with the local router. The effect of other-rp-address refers to two respects:
1. Once this router (as an RP) receives a register message from a DR by unicast, it should forward it to the other RPs in the network to notify all the RPs in the network of the source (S, G) state. While forwarding, the router changes the destination address of the register message into the other-rp-address.
2. Multiple other-rp-addresses can be configured in accordance with one anycast-rp-addr. Once the register message from a DR is received, it should be forwarded to all of these other RPs one by one.
The no operation cancels an other-rp-address communicating with this router.
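The following Python model is an added example, not part of the manual or the switch software: it plays through the register exchange described in the self-rp-address and other-rp-address tables above, with both RPs' behaviour and every message on the wire visible, using the DR, RP1 and RP2 addresses of Figure 43-5-1. The multicast source 10.1.1.1 is taken from the figure; the group 224.1.1.1, the message field names and the class names are constructed for the example.

```python
"""Register forwarding between Anycast RPs, following the self-rp-address and
other-rp-address behaviour described above (model, not the switch software)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    kind: str  # "register" or "register-stop"
    src: str   # unicast source address of the message
    dst: str   # unicast destination address of the message
    s: str     # multicast source S
    g: str     # multicast group G


@dataclass
class AnycastRP:
    name: str
    anycast_rp_addr: str       # shared RP address (loopback with /32 mask)
    self_rp_address: str       # unique label of this RP toward the other RPs
    other_rp_addresses: list   # self-rp-addresses of the other RPs
    sg_state: set = field(default_factory=set)

    def receive(self, msg):
        """Handle one unicast message and return the messages this RP emits."""
        out = []
        if msg.kind == "register" and msg.dst == self.anycast_rp_addr:
            # Register from a DR: build (S,G) state, then relay it to every other
            # RP one by one, source = self-rp-address, destination = other-rp-address.
            self.sg_state.add((msg.s, msg.g))
            for other in self.other_rp_addresses:
                out.append(Msg("register", self.self_rp_address, other, msg.s, msg.g))
        elif msg.kind == "register" and msg.dst == self.self_rp_address:
            # Register relayed by another RP: build (S,G) state and answer with a
            # register-stop addressed to the source address of that register.
            self.sg_state.add((msg.s, msg.g))
            out.append(Msg("register-stop", self.self_rp_address, msg.src, msg.s, msg.g))
        # a register-stop needs no reply
        return out


def run_registration(rps, nearest_rp, dr_addr, s, g):
    """Deliver the DR's register to the nearest RP and run the exchange to the end.
    Returns every message seen on the wire, in order."""
    by_self = {rp.self_rp_address: rp for rp in rps}  # self-rp-addresses are unique
    queue = [Msg("register", dr_addr, nearest_rp.anycast_rp_addr, s, g)]
    trace = []
    while queue:
        msg = queue.pop(0)
        trace.append(msg)
        if msg.dst == nearest_rp.anycast_rp_addr:
            target = nearest_rp               # unicast routing picks the closest RP
        else:
            target = by_self.get(msg.dst)
        if target is None:
            raise ValueError(f"no RP owns {msg.dst}")
        queue.extend(target.receive(msg))
    return trace


def demo():
    """Topology of Figure 43-5-1; the group 224.1.1.1 is a constructed value."""
    rp1 = AnycastRP("RP1", "1.1.1.1", "192.168.2.1", ["192.168.3.2"])
    rp2 = AnycastRP("RP2", "1.1.1.1", "192.168.3.2", ["192.168.2.1"])
    trace = run_registration([rp1, rp2], rp1, "192.168.2.5", "10.1.1.1", "224.1.1.1")
    return rp1, rp2, trace


if __name__ == "__main__":
    for m in demo()[2]:
        print(f"{m.kind:13} {m.src} -> {m.dst}  ({m.s}, {m.g})")
```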
43.5.3 ANYCAST RP Configuration Examples
Figure 43-5-1 The ANYCAST RP v4 function of the router (Multicast Server VLAN1:10.1.1.1; DR VLAN2:192.168.2.5; RP1 and RP2 with interface addresses 192.168.2.1, 192.168.1.4, 192.168.3.2 and 2.2.2.2; receivers)
As shown in the Figure, the overall network environment is PIM-SM, which provides two routers supporting ANYCAST RP, RP1 and RP2. Once multicast data from the multicast source server reaches the DR, the DR will send a multicast source register message by unicast to the nearest RP according to the unicast routing algorithm, which is RP1 in this example. When RP1 receives the register message from the DR, besides redistributing it to the shared tree according to the subscribers who have already joined it, it will forward the multicast register message to RP2 to guarantee that all subscribers that have already joined RP2 can find the multicast source. Since there is an ANYCAST list maintained on router RP1, which has been configured with ANYCAST RP, and since this list contains the unicast addresses of all the other RPs in the network, when RP1 receives the register message it can use the self-rp-address, which identifies itself, as the source address to forward the register message to RP2. The cloud in the Figure represents the PIM-SM network operating between RP1 and RP2.
The following are the configuration steps:
RP1 Configuration:
XGS3-42000R#config
XGS3-42000R(config)#interface loopback 1
XGS3-42000R(config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255
XGS3-42000R(config-if-Loopback1)#exit
XGS3-42000R(config)#ip pim rp-candidate loopback1
XGS3-42000R(config)#ip pim bsr-candidate vlan 1
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#ip pim anycast-rp
XGS3-42000R(config)#ip pim anycast-rp self-rp-address 192.168.2.1
XGS3-42000R(config)#ip pim anycast-rp 1.1.1.1 192.168.3.2
RP2 Configuration:
XGS3-42000R#config
XGS3-42000R(config)#interface loopback 1
XGS3-42000R(config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255
XGS3-42000R(config-if-Loopback1)#exit
XGS3-42000R(config)#ip pim rp-candidate loopback1
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#ip pim anycast-rp
XGS3-42000R(config)#ip pim anycast-rp self-rp-address 192.168.3.2
XGS3-42000R(config)#ip pim anycast-rp 1.1.1.1 192.168.2.1
43.5.4 ANYCAST RP Troubleshooting
When configuring and using the ANYCAST RP function, ANYCAST RP might work abnormally because of faults in physical connections, configurations or other causes. So, users should pay attention to the following points:
 The physical connections should be guaranteed to be correct
 The PIM-SM protocol should be guaranteed to operate normally
 ANYCAST RP should be guaranteed to be enabled in Global configuration mode
 The self-rp-address should be guaranteed to be configured correctly in Global configuration mode
 The other-rp-address should be guaranteed to be configured correctly in Global configuration mode
 All the router interfaces should be guaranteed to be correctly added, including the loopback interface used as the RP
 Use the “show ip pim anycast rp status” command to check whether the configuration information of ANYCAST RP is correct
If the ANYCAST RP problems still cannot be solved after checking, please use debug commands like “debug pim anycast-rp”, then copy the DEBUG information within three minutes and send it to the technical service center of our company.
43.6 PIM-SSM
43.6.1 Introduction to PIM-SSM
Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol. With PIM-SSM, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM, hosts can be added into the multicast group manually and efficiently like in traditional PIM-SM, but the shared tree and RP management of PIM-SM are left out. In SSM, the SPT is constructed with (S, G): G is the multicast group address and S is the source address of the multicast which sends datagrams to G. An (S, G) pair is named a channel of SSM. SSM serves best for multicast services which go from one station to many, for example a network sports video channel or a news channel. By default, the multicast group address range of SSM is limited to 232.0.0.0 through 232.255.255.255. However, this address range can be extended according to actual situations.
43.6.2 PIM-SSM Configuration Task List
Global Configuration Mode
Command: ip multicast ssm {default|range <access-list-number>}
         no ip multicast ssm
Explanation: Configure the address range for PIM-SSM. The no form of the command disables the configuration.
43.6.3 PIM-SSM Configuration Examples
As the figure shows, the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD are configured to be in separate VLANs, and PIM-SSM is enabled globally by enabling the PIM-SM or PIM-DM protocol on the VLAN interfaces. PIM-SM is taken as the example.
Figure 46-3-1 PIM-SSM typical environment
The configurations of SwitchA, SwitchB, SwitchC and SwitchD are shown below.
(1) Configuration of Switch A
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.0.255
XGS3-42000R(config)#ip multicast ssm range 1
(2) Configuration of Switch B
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#ip pim rp-candidate vlan2
XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.0.255
XGS3-42000R(config)#ip multicast ssm range 1
(3) Configuration of Switch C
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#ip pim bsr-candidate vlan2 30 10
XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.0.255
XGS3-42000R(config)#ip multicast ssm range 1
(4) Configuration of Switch D
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.0.255
XGS3-42000R(config)#ip multicast ssm range 1
43.6.4 PIM-SSM Troubleshooting
In configuring and using the PIM-SSM protocol, PIM-SSM might not operate normally because of physical connection or incorrect configuration. Therefore, the user should pay attention to the following issues:
 Assure that the physical connection is correct;
 Assure that the protocol of the interface and the link are UP (use the show interface command);
 Assure that the PIM protocol is enabled in Global Mode (use ip pim multicast-routing);
 Assure that PIM-SSM is configured on the interface (use ip pim sparse-mode);
 Assure that SSM is configured in Global Mode;
 The multicast protocol requires RPF checks using unicast routing, therefore the correctness of unicast routing must be assured beforehand.
If all attempts including these checks are made but the problems on PIM-SSM still cannot be solved, then please use debug commands such as debug pim event / debug pim packet, then copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
43.7 DVMRP
43.7.1 Introduction to DVMRP
DVMRP stands for “Distance Vector Multicast Routing Protocol”. It is a multicast routing protocol in dense mode, which sets up a Forward Broadcast Tree for each source in a manner similar to RIP, and sets up a Truncation Broadcast Tree, i.e. the Shortest Path Tree to the source, for each source through dynamic Prune/Graft.
Some of the important features of DVMRP are:
1. The routing exchange used to determine reverse path checking information is based on distance vector (in a manner similar to RIP)
2. Routing exchange updates occur periodically (the default is 60 seconds)
3. TTL upper limit = 32 hops (that of RIP is 16)
4. Routing updates include the net mask and support CIDR
In comparison with unicast routing, multicast routing is a kind of reverse routing (that is, what you are interested in is where the packets come from, not where they go), thus the information in the DVMRP routing table is used to determine whether an incoming multicast packet was received on the correct interface. Otherwise, the packet is discarded to prevent multicast loops.
The check which determines whether the packet arrived on the correct interface is called the RPF check. When a multicast data packet arrives on an interface, the switch determines the reverse path to the source network by looking up the DVMRP routing table. If the interface the packet arrived on is the one which is used to send unicast messages to the source, then the reverse path check succeeds, and the data packet is forwarded out of all downstream interfaces. If not, then there is probably a failure, and the multicast packet is discarded.
Since not all switches support multicast, DVMRP supports tunnel multicast communication. A tunnel is a method to send multicast data among DVMRP switches separated by switches which do not support multicast routing. Multicast data packets are encapsulated in unicast data packets and sent directly to the next switch which supports multicast. The DVMRP protocol treats tunnel interfaces and general physical interfaces equally.
If two or more switches are connected to a multi-access network, more than one copy of a data packet is likely to be transmitted to the sub-network. Thus a designated transmitter must be appointed. DVMRP achieves this goal by making use of the routing exchange mechanism: when two switches on the multi-access network exchange routing information, they become aware of the routing distance from each other to the source network, and the switch with the shortest distance to the source network becomes the designated transmitter of the sub-network. If some have the same distance, then the one with the lowest IP prevails.
After an interface of the switch is configured to run the DVMRP protocol, the switch multicasts Probe messages to the other DVMRP switches on this interface, which are used to find neighbors and detect each other's capabilities. If no Probe message from a neighbor is received before the neighbor times out, then this neighbor is considered missing.
In DVMRP, source network routing selection messages are exchanged in basically the same manner as in RIP. That is, routing report messages are transmitted among DVMRP neighbors periodically (the default is 60 seconds). The routing information in the DVMRP routing selection table is used to set up the source distribution tree, i.e. to determine which neighbor a packet passes through to reach the source transmitting the multicast packets; the interface to this neighbor is called the upstream interface. The routing report includes the source network address (with net mask) and the hop count for the routing scale.
In order to finish transmission correctly, every DVMRP switch needs to know which downstream switches need to receive multicast packets from a specific source network through it. After receiving packets from a specific source, the DVMRP switch first broadcasts these multicast packets out of all downstream interfaces, i.e. the interfaces on which there are other DVMRP switches which depend on it for the specific source. After receiving a Prune message from a downstream switch on an interface, it prunes this switch. The DVMRP switch makes use of poison reverse to notify the upstream switch for a specific source: “I am your downstream.” By adding infinity (32) to the routing distance of the specific source it broadcasts, the DVMRP switch responds to the upstream switch for the source to fulfill poison reverse. This means the valid range of the distance value is 1 to 2*infinity(32)-1, i.e. 1 to 63: 1 to 31 means the source network can be reached, 32 means the source network is unreachable, and 33 to 63 means the switch which generates the report message receives multicast packets from the specific source depending on the upstream router.
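The following Python functions are an added example, not part of the manual or the switch software: they implement the metric rules just described (1 to 31 reachable, 32 unreachable, 33 to 63 poison reverse), the upstream selection with the lowest-IP tie break, the designated transmitter election on a multi-access network and the RPF check, so the effect of one round of route reports on a source network can be worked through by hand. The neighbor addresses, interface names and metrics in the sample are constructed.

```python
"""DVMRP report metrics, poison reverse, designated transmitter and RPF check,
as described in the DVMRP introduction above (model, not the switch software)."""

INFINITY = 32  # DVMRP unreachable metric; RIP uses 16


def classify_metric(metric):
    """Interpret a metric received in a DVMRP route report."""
    if 1 <= metric < INFINITY:
        return "reachable", metric
    if metric == INFINITY:
        return "unreachable", None
    if INFINITY < metric <= 2 * INFINITY - 1:
        # poison reverse: the sender depends on us for this source network
        return "downstream-dependent", metric - INFINITY
    raise ValueError(f"metric {metric} outside 1..{2 * INFINITY - 1}")


def ip_key(addr):
    """Numeric sort key so that 10.1.1.9 sorts before 10.1.1.10."""
    return tuple(int(octet) for octet in addr.split("."))


def report_metric(own_metric, neighbor_is_upstream):
    """Metric we put in our report toward one neighbor: poison reverse toward the
    upstream neighbor we receive the source through, the plain metric elsewhere."""
    if own_metric >= INFINITY:
        return INFINITY
    return own_metric + INFINITY if neighbor_is_upstream else own_metric


def route_for_source(reports, iface_metric):
    """Process the reports heard for one source network.

    reports: {neighbor_ip: (interface, metric)}; iface_metric: {interface: metric}
    configured with 'ip dvmrp metric'. Returns the upstream neighbor and interface,
    our own metric, the metric to report to each neighbor, and the neighbors whose
    poison-reverse report says they depend on us (interfaces that must stay unpruned).
    """
    best = None
    for nbr, (ifc, metric) in reports.items():
        kind, dist = classify_metric(metric)
        if kind == "reachable":
            # shortest distance wins, lowest IP breaks ties
            cand = (min(dist + iface_metric[ifc], INFINITY), ip_key(nbr), nbr, ifc)
            if best is None or cand < best:
                best = cand
    own, upstream, up_ifc = (INFINITY, None, None) if best is None else (best[0], best[2], best[3])
    return {
        "upstream": upstream,
        "upstream_interface": up_ifc,
        "metric": own,
        "outgoing_reports": {nbr: report_metric(own, nbr == upstream) for nbr in reports},
        "dependents": sorted(nbr for nbr, (_, m) in reports.items()
                             if classify_metric(m)[0] == "downstream-dependent"),
    }


def designated_forwarder(candidates):
    """Designated transmitter on a multi-access network. candidates:
    {router_ip: metric it reports for the source}, our own entry included.
    Shortest distance wins, lowest IP breaks ties; unreachable entries do not compete."""
    eligible = [(m, ip_key(ip), ip) for ip, m in candidates.items()
                if classify_metric(m)[0] == "reachable"]
    return min(eligible)[2] if eligible else None


def rpf_check(arrival_interface, route):
    """Accept a multicast packet only if it arrived on the upstream interface."""
    return route["upstream_interface"] is not None and arrival_interface == route["upstream_interface"]


# Constructed sample: reports for one source network heard from four neighbors.
SAMPLE_REPORTS = {
    "10.1.1.2": ("Vlan1", 2),   # best path to the source
    "20.1.1.3": ("Vlan2", 4),   # longer alternative
    "20.1.1.4": ("Vlan2", 36),  # poison reverse: depends on us (real distance 4)
    "30.1.1.5": ("Vlan3", 32),  # cannot reach the source at all
}
SAMPLE_IFACE_METRIC = {"Vlan1": 1, "Vlan2": 1, "Vlan3": 1}
```

With the sample, the switch picks 10.1.1.2 on Vlan1 as upstream with its own metric 3, reports 35 back to that neighbor and 3 to everyone else, keeps Vlan2 unpruned for 20.1.1.4, and the RPF check accepts packets only on Vlan1.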
43.7.2 DVMRP Configuration Task List
1. Globally enable and disable DVMRP (Required)
2. Enable and disable the DVMRP protocol at the interface (Required)
3. Configure DVMRP sub-parameters (Optional)
Configure DVMRP interface parameters
1) Configure the delay of transmitting report messages on the DVMRP interface and the number of messages transmitted each time
2) Configure the metric value of the DVMRP interface
3) Configure whether DVMRP is able to set up neighbors with DVMRP routers which cannot Prune/Graft
4. Configure DVMRP tunnel
1. Globally enable DVMRP Protocol
The basic configuration to run the DVMRP routing protocol on the XGS3 series Layer 3 switch is very simple. Firstly, it is required to turn on the DVMRP switch globally.
Global Mode
Command: [no] ip dvmrp multicast-routing
Explanation: Globally enable the DVMRP protocol; the “no ip dvmrp multicast-routing” command disables the DVMRP protocol globally. (Required)
2. Enable DVMRP Protocol on the interface
After globally enabling the DVMRP protocol, it is required to turn on the DVMRP switch under the corresponding interface.
Interface Configuration Mode
Command: ip dvmrp
         no ip dvmrp
Explanation: Enable the DVMRP protocol on the interface; the “no ip dvmrp” command disables the DVMRP protocol on the interface.
3. Configure DVMRP Sub-parameters
(1) Configure DVMRP Interface Parameters
1) Configure the delay of transmitting report messages on the DVMRP interface and the number of messages transmitted each time
2) Configure the metric value of the DVMRP interface
3) Configure whether DVMRP is able to set up neighbors with DVMRP routers which cannot Prune/Graft
Interface Configuration Mode
Command: ip dvmrp output-report-delay <delay_val> [<burst_size>]
         no ip dvmrp output-report-delay
Explanation: Configure the delay of transmitting DVMRP report messages on the interface and the number of messages transmitted each time; the “no ip dvmrp output-report-delay” command restores the default value.
Command: ip dvmrp metric <metric_val>
         no ip dvmrp metric
Explanation: Configure the metric value of the DVMRP report messages of the interface; the “no ip dvmrp metric” command restores the default value.
Command: ip dvmrp reject-non-pruners
         no ip dvmrp reject-non-pruners
Explanation: Configure the interface to reject setting up a neighbor relationship with non-pruning/grafting DVMRP routers. The “no ip dvmrp reject-non-pruners” command restores the ability to set up such neighborships.
4. Configure DVMRP Tunnel
Interface Configuration Mode
Command: ip dvmrp tunnel <index> <src-ip> <dst-ip>
         no ip dvmrp tunnel {<index> |<src-ip> <dst-ip>}
Explanation: This command configures a DVMRP tunnel; the “no ip dvmrp tunnel {<index> |<src-ip> <dst-ip>}” command deletes a DVMRP tunnel.
43.7.3 DVMRP Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA and SwitchB to the corresponding VLANs, and enable DVMRP on each VLAN interface.
Figure 43-7-1 DVMRP Network Topology Diagram (SwitchA: Vlan 1; SwitchB: Vlan 1, Vlan 2)
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
XGS3-42000R(config)#ip dvmrp multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip dvmrp
(2) Configure SwitchB:
XGS3-42000R(config)#ip dvmrp multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip dvmrp
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip dvmrp
Since DVMRP itself does not rely on a unicast routing protocol, it is not necessary to configure a unicast routing protocol. This is the difference from PIM-DM and PIM-SM.
43.7.4 DVMRP Troubleshooting
In configuring and using the DVMRP protocol, DVMRP might not operate normally because of physical connection or incorrect configuration. Therefore, the user should pay attention to the following issues:
 Firstly, assure that the physical connection is correct;
 Next, assure that the protocol of the interface and the link are UP (use the show interface command);
 Check whether the correct IP address is configured on the interface (use the ip address command);
 Afterwards, enable the DVMRP protocol on the interface (use the ip dvmrp command and the ip dvmrp multicast-routing command);
 The multicast protocol requires RPF checks using unicast routing; therefore the correctness of unicast routing must be assured beforehand (DVMRP uses its own unicast table; please use the show ip dvmrp route command to look it up).
If all attempts including these checks are made but the problems on DVMRP still cannot be solved, then please use commands such as debug DVMRP, then copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
43.8 DCSCM
43.8.1 Introduction to DCSCM
DCS CM (Destination control and source control multicast) technology mainly includes three aspects, i.e.
Multicast Packet Source Cont rollable, Multicast User Controllable and Service-Oriented Priority Strategy
Multicast.
Multicast packet source control is handled in the following ways:
1. On the edge switch, if source control is configured, only multicast data from the specified sources to
the specified groups can pass.
2. On the RP switch in the core of a PIM-SM domain, a REGISTER message for a source or group outside the
specified set is answered directly with REGISTER-STOP and no table entry is set up. (This is implemented
in the PIM-SM module.)
Multicast user control is based on controlling the IGMP Report messages sent by users, so the modules being
controlled are IGMP snooping and IGMP. The control logic has three forms: control by the VLAN + MAC address
of the sending host, control by the IP address of the sending host, and control by the port on which the
messages enter. IGMP snooping can apply all three methods at the same time, while the IGMP module, which
sits at layer 3, can only control by the sending IP address.
The service-oriented priority strategy for multicast works as follows: for multicast data within a specified
range, the priority specified by the user is set at the joining end, so that the data is sent with a higher
priority on TRUNK ports and is therefore handled at the user-specified priority across the whole network.
43.8.2 DCSCM Configuration Task List
1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration
1. Source Control Configuration
Source control configuration has three parts. The first is to enable source control. The command is as follows:
Global Configuration Mode
  [no] ip multicast source-control (Required)
    Enables source control globally; the "no ip multicast source-control" command disables it globally.
    Note that after source control is enabled globally, all multicast packets are discarded by default. No
    source control configuration can be processed until it is enabled globally, and source control cannot be
    disabled until all configured rules have been removed.
The next part is to configure the source control rules. They are configured in the same manner as ACLs and
use ACL numbers 5000-5099; each ACL number can hold 10 rules. Note that these rules are ordered: the one
configured earliest is checked first, and once a rule matches, the following rules are not evaluated, so a rule
that permits everything must be placed at the end. The command is as follows:
Global Configuration Mode
  [no] access-list <5000-5099> {deny|permit} ip {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source}
  {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
    The rule used for source control. The rule does not take effect until it is applied to a port. The no
    form deletes the specified rule.
The last part is to apply the configured rule to a port.
Note: the rules occupy hardware table entries, so configuring too many rules may fail because the hardware
table is full; use the simplest rules possible. The command is as follows:
Port Configuration Mode
  [no] ip multicast source-control access-group <5000-5099>
    Applies the source control rules to the port; the no form cancels the configuration.
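The ordering rule above matters in practice. The following Python example, added here and not part of this manual or the switch firmware, models DCSCM-style access-list rules (the same syntax serves the source control ACLs 5000-5099 and the destination control ACLs 6000-7999) with wildcard masks, evaluates them first-match with a deny default, as the manual states happens once control is enabled, and flags rules that an earlier, broader rule shadows. The ACL contents are the ones used in the configuration examples later in this section; the function names and the host addresses fed to them are the example's own.

```python
# Added example, not the switch's own code: first-match evaluation of
# DCSCM-style access-list rules (ACL 5000-5099 / 6000-7999 syntax) and a
# check for rules shadowed by an earlier, broader rule.
import ipaddress
from dataclasses import dataclass

ANY = "any"  # stands for any-source / any-destination


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # dotted address or ANY
    src_wild: str      # wildcard mask: 1 bits are "don't care" (host-source -> 0.0.0.0)
    dst: str           # multicast group address or ANY
    dst_wild: str


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _field_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    if rule_addr == ANY:
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(rule_addr)) & care == 0


def evaluate(rules, src: str, group: str, default: str = "deny") -> str:
    """Action of the first rule matching (src, group); `default` if none does.
    The manual's semantics: rules are ordered by configuration time, the
    first hit ends the search, and with control enabled unmatched traffic
    is discarded, so a blanket permit must come last."""
    for r in rules:
        if _field_matches(src, r.src, r.src_wild) and \
                _field_matches(group, r.dst, r.dst_wild):
            return r.action
    return default


def _field_covers(e_addr, e_wild, l_addr, l_wild) -> bool:
    """True if every address matched by the later field (l_*) is also
    matched by the earlier field (e_*)."""
    if e_addr == ANY:
        return True
    if l_addr == ANY:
        return False
    e_care = ~_ip(e_wild) & 0xFFFFFFFF
    if _ip(l_wild) & e_care:          # later rule is wildcard where earlier is fixed
        return False
    return (_ip(e_addr) ^ _ip(l_addr)) & e_care == 0


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule
    covers their whole (source, group) match set."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _field_covers(earlier.src, earlier.src_wild, later.src, later.src_wild) and \
                    _field_covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild):
                out.append(i)
                break
    return out


# access-list 5000 permit ip any host 225.1.2.3   (source control, Ethernet1/5)
ACL_5000 = [Rule("permit", ANY, "0.0.0.0", "225.1.2.3", "0.0.0.0")]
# access-list 6000 deny ip any 238.0.0.0 0.255.255.255, then permit ip any any
ACL_6000 = [Rule("deny", ANY, "0.0.0.0", "238.0.0.0", "0.255.255.255"),
            Rule("permit", ANY, "0.0.0.0", ANY, "0.0.0.0")]
# The same two rules entered in the wrong order: the permit hides the deny.
ACL_6000_WRONG_ORDER = list(reversed(ACL_6000))

if __name__ == "__main__":
    print(evaluate(ACL_5000, "10.1.1.1", "225.1.2.3"))              # permit
    print(evaluate(ACL_5000, "10.1.1.1", "225.1.2.4"))              # deny (implicit)
    print(evaluate(ACL_6000, "10.5.5.5", "238.1.1.1"))              # deny
    print(evaluate(ACL_6000_WRONG_ORDER, "10.5.5.5", "238.1.1.1"))  # permit
    print(shadowed_rules(ACL_6000_WRONG_ORDER))                      # [1]
```

Running `shadowed_rules` over an ACL before applying it catches the classic mistake of typing the "permit any any" first; the switch itself gives no warning, the later deny simply never fires.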
2. Destination Control Configuration
Like source control, destination control configuration has three steps.
First, enable destination control globally. Because destination control must prevent unauthorized users from
receiving multicast data, the switch no longer floods the multicast data it receives once global destination
control is configured. Therefore, avoid connecting two or more other Layer 3 switches in the same VLAN to a
switch on which destination control is enabled. The command is as follows:
Global Configuration Mode
  [no] multicast destination-control (Required)
    Globally enables IPv4 and IPv6 destination control. The no form globally disables destination control.
    All other destination control configuration takes effect only after it is enabled globally.
Next, configure the destination control rules. They are similar to source control rules, except that they use
ACL numbers 6000-7999.
Global Configuration Mode
  [no] access-list <6000-7999> {deny|permit} ip {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source}
  {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
    The rule used for destination control. The rule does not take effect until it is applied to a source IP
    address, a VLAN-MAC address or a port. The no form deletes the specified rule.
Last, apply the rule to a specified source IP address, source VLAN-MAC address or port. Note that, for the
reasons given above, the VLAN-MAC and port rules can only be used when IGMP snooping is enabled; if IGMP
snooping is not enabled, only the source IP rule can be used, under the IGMP protocol. The commands are as
follows:
Port Configuration Mode
  [no] ip multicast destination-control access-group <6000-7999>
    Applies the destination control rules to the port; the no form cancels the configuration.
Global Configuration Mode
  [no] ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
    Applies the destination control rules to the specified VLAN-MAC address; the no form cancels the
    configuration.
  [no] ip multicast destination-control <IPADDRESS/M> access-group <6000-7999>
    Applies the destination control rules to the specified IP address/mask; the no form cancels the
    configuration.
3. Multicast Strategy Configuration
Multicast strategy assigns a priority to specified multicast data so that it is handled the way the user requires.
Note that multicast data receives this special treatment only when it is transmitted on a TRUNK port. The
configuration is simple and has only one command, which sets the priority for the specified multicast. The
command is as follows:
Global Configuration Mode
  [no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>
    Configures the multicast strategy: specifies the priority for the sources and groups in the given ranges.
    The priority range is <0-7>.
43.8.3 DCSCM Configuration Examples
1. Source Control
To prevent an edge switch from sending out multicast data at will, we configure the edge switch so that only
the device on port Ethernet1/5 is allowed to send multicast, and only to group 225.1.2.3, while the device
connected to port Ethernet1/10 can send multicast data without restriction. The configuration is as follows:
EC(config)#access-list 5000 permit ip any host 225.1.2.3
EC(config)#access-list 5001 permit ip any any
EC(config)#ip multicast source-control
EC(config)#interface ethernet1/5
EC(Config-If-Ethernet1/5)#ip multicast source-control access-group 5000
EC(Config-If-Ethernet1/5)#exit
EC(config)#interface ethernet1/10
EC(Config-If-Ethernet1/10)#ip multicast source-control access-group 5001
2. Destination Control
We want to prevent users in the 10.0.0.0/8 network segment from joining groups in 238.0.0.0/8, so we make the
following configuration:
First, enable IGMP snooping in the VLAN the users are located in (assumed here to be VLAN 2):
XGS3-42000R(config)#ip igmp snooping
XGS3-42000R(config)#ip igmp snooping vlan 2
Then configure the destination control access-list and apply it to the specified IP address range:
XGS3-42000R(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
XGS3-42000R(config)#access-list 6000 permit ip any any
XGS3-42000R(config)#multicast destination-control
XGS3-42000R(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000
In this way, users in this network segment can only join groups outside 238.0.0.0/8.
3. Multicast Strategy
Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure the switch it
joins through as follows:
XGS3-42000R(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4
In this way, the multicast stream has priority 4 when it reaches other switches through this switch. Note that
4 is already a fairly high priority; the highest priorities are used for protocol data, and if multicast data is
given a higher priority it may crowd out protocol traffic under heavy multicast load and cause the switch
protocols to behave abnormally.
43.8.4 DCSCM Troubleshooting
The DCSCM module itself behaves like an ACL, and the problems that occur are usually caused by improper
configuration. Please read the descriptions above carefully. If you still cannot determine the cause of the
problem, send your configuration and the behaviour you expect to our after-sales service staff.
43.9 IGMP
43.9.1 Introduction to IGMP
IGMP (Internet Group Management Protocol) is the protocol in the TCP/IP family responsible for IP multicast
membership management. It is used to set up and maintain multicast group membership between IP hosts and
their neighbouring multicast switches. IGMP does not propagate or maintain group membership information
among multicast switches; that work is done by the multicast routing protocols. All hosts participating in
multicast must implement IGMP.
Hosts participating in IP multicast can join and leave multicast groups at any location, at any time and without
any limit on the number of members. A multicast switch neither needs nor is able to record the membership of
every host. It only needs to know whether there are receivers (group members) of a given multicast group on
the network segment attached to each interface, and the host only needs to remember which groups it has
joined.
IGMP is asymmetric between host and router: the host responds to the IGMP Query messages of the multicast
switch with Membership Report messages; the switch sends Membership Query messages periodically,
determines from the responses whether hosts of a specific group exist on the attached sub-network, and (in
IGMP version 2) sends a group-specific query when it receives a Leave Group message, to find out whether any
member of that group remains.
To date there are three versions of IGMP: IGMP version 1 (RFC 1112), IGMP version 2 (RFC 2236) and IGMP
version 3 (RFC 3376).
The main improvements of IGMP version 2 over version 1 are:
1. Querier election on a shared network segment
A shared network segment is one with more than one multicast switch. In this situation every IGMP switch on
the segment receives the Membership Report messages from the hosts, so only one switch needs to send
Membership Query messages, and an election mechanism is required to choose that switch as the querier. In
IGMP version 1 the querier was chosen by the multicast routing protocol; IGMP version 2 improved on this by
specifying that, when there is more than one multicast switch on the same segment, the switch with the lowest
IP address is elected querier.
2. Leave Group mechanism
In IGMP version 1 a host leaves a multicast group silently, without notifying any multicast switch, so the switch
can only detect the departure of a member when the group's response timer expires. In version 2, when a host
decides to leave a group, it sends a Leave Group message if it was the host that responded to the most recent
Membership Query.
3. Group-specific query
In IGMP version 1 a query from the multicast switch covers all multicast groups on the segment; this is the
General Query. IGMP version 2 adds the Group-Specific Query. The destination IP address of this message is
the address of the multicast group, and the Group Address field of the message also carries the group
address, which prevents hosts that are members of other groups from responding.
4. Max Response Time field
IGMP version 2 adds the Max Response Time field, which dynamically adjusts the time within which hosts
respond to a group query.
The main feature of version 3 is that it allows a host to choose to receive from, or reject, particular sources,
which is the basis of SSM (Source-Specific Multicast). For example, when a host sends a report of
INCLUDE{10.1.1.1, 10.1.1.2} for some group G, it asks the router to forward only the traffic from 10.1.1.1 and
10.1.1.2; when a host sends a report of EXCLUDE{192.168.1.1} for group G, it asks for the traffic from all
sources of group G except 192.168.1.1. This is a major difference from the earlier IGMP versions.
The main improvements of IGMP version 3 over versions 1 and 2 are:
1. The state maintained is a group and source list, not only the groups of IGMP v2.
2. Interoperation with IGMP v1 and IGMP v2 is defined in the IGMP v3 state.
3. The IP service interface is modified to allow a specific source list.
4. The querier includes its Robustness Variable and Query Interval in the query so that non-queriers can
synchronize these variables.
5. The Max Response Time in the Query message has an exponential range, raising the maximum from 25.5
seconds in v2 to about 53 minutes, which is useful on links with large numbers of hosts.
6. For robustness, the host retransmits State-Change reports.
7. Additional data is defined to accommodate future extensions.
8. Reports are sent to 224.0.0.22 to help the IGMP snooping of layer 2 switches.
9. A report can include more than one group record, allowing the complete current state to be reported in
a few messages.
10. The host no longer performs report suppression, which simplifies the implementation and allows explicit
membership tracking.
11. In Query messages, a new router-side suppression flag (the S flag) modifies the robustness behaviour of
IGMP v2.
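The message formats described above can be exercised directly. The following Python example, added here and not part of this manual or the switch firmware, builds and parses IGMPv1/v2 messages and IGMPv3 Membership Reports with the standard Internet checksum, decodes the IGMPv3 Max Resp Code (the encoding that takes v3 from 25.5 seconds to about 53 minutes, item 5 above), and implements the v2 querier election (lowest IP address wins). The source addresses are those of the INCLUDE example in the text; the group 239.1.2.3 standing in for G, the router addresses and the function names are the example's own.

```python
# Added example, not the switch's own code: build, checksum and parse the
# IGMP messages described above (RFC 2236 / RFC 3376 formats).
import ipaddress
import struct

IGMP_TYPES = {0x11: "membership_query", 0x12: "v1_membership_report",
              0x16: "v2_membership_report", 0x17: "v2_leave_group",
              0x22: "v3_membership_report"}
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                3: "CHANGE_TO_INCLUDE_MODE", 4: "CHANGE_TO_EXCLUDE_MODE",
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
V3_REPORT_DST = "224.0.0.22"   # all IGMPv3-capable routers (item 8 above)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a message
    whose checksum field already holds the correct value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_max_resp_code(code: int) -> int:
    """IGMPv3 Max Resp Code -> Max Resp Time in tenths of a second.
    Below 128 the value is linear (v2 semantics, 25.5 s max); from 128 up
    it is a 4-bit mantissa / 3-bit exponent float, so 0xFF -> 31744 tenths,
    about 53 minutes."""
    if code < 128:
        return code
    exp = (code >> 4) & 0x7
    mant = code & 0xF
    return (mant | 0x10) << (exp + 3)


def _with_checksum(msg: bytes) -> bytes:
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_v2(msg_type: int, max_resp_code: int, group: str) -> bytes:
    """8-byte IGMPv1/v2 message: Query (0x11), Report (0x12/0x16), Leave (0x17)."""
    raw = struct.pack("!BBH4s", msg_type, max_resp_code, 0,
                      ipaddress.IPv4Address(group).packed)
    return _with_checksum(raw)


def build_v3_report(records) -> bytes:
    """IGMPv3 Membership Report; records = [(record_type, group, [sources])]."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources),
                            ipaddress.IPv4Address(group).packed)
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    raw = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)) + body
    return _with_checksum(raw)


def parse(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg_type, code = data[0], data[1]
    out = {"type": IGMP_TYPES.get(msg_type, "unknown"),
           "checksum_ok": inet_checksum(data) == 0}
    if msg_type == 0x22:
        n_records = struct.unpack("!H", data[6:8])[0]
        pos, records = 8, []
        for _ in range(n_records):
            rtype, aux_len, n_src = struct.unpack("!BBH", data[pos:pos + 4])
            group = str(ipaddress.IPv4Address(data[pos + 4:pos + 8]))
            pos += 8
            sources = [str(ipaddress.IPv4Address(data[pos + 4 * i:pos + 4 * i + 4]))
                       for i in range(n_src)]
            pos += 4 * n_src + 4 * aux_len   # Aux Data Len is in 32-bit words
            records.append({"mode": RECORD_TYPES.get(rtype, "unknown"),
                            "group": group, "sources": sources})
        out["records"] = records
        return out
    out["group"] = str(ipaddress.IPv4Address(data[4:8]))
    if msg_type == 0x11:
        # v3 queries carry S/QRV, QQIC and a source list past byte 8; a v1
        # query has Max Resp Code 0; anything else is a v2 query.
        out["version"] = 3 if len(data) >= 12 else (1 if code == 0 else 2)
        out["max_resp_tenths"] = decode_max_resp_code(code) if out["version"] == 3 else code
        out["general"] = out["group"] == "0.0.0.0"
    return out


def elect_querier(router_addrs):
    """IGMPv2 querier election on a shared segment: lowest IP address wins."""
    return str(min(ipaddress.IPv4Address(a) for a in router_addrs))
```

The checksum check is the first thing a snooping implementation should do with a report before touching its forwarding table, since a corrupted or forged report would otherwise add or remove receiver ports.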
43.9.2 IGMP Configuration Task List
1. Enable IGMP (Required)
2. Configure IGMP sub-parameters (Optional)
  (1) Configure IGMP group parameters
    1) Configure IGMP group filtering conditions
    2) Configure IGMP to join a group
    3) Configure IGMP to join a static group
  (2) Configure IGMP query parameters
    1) Configure the interval at which IGMP sends Query messages
    2) Configure the maximum response time of IGMP queries
    3) Configure the IGMP query time-out
  (3) Configure the IGMP version
3. Disable IGMP
1. Enable IGMP
There is no specific command for enabling IGMP on the Layer 3 switch. Enabling any multicast routing
protocol on an interface automatically enables IGMP on it.
Global Mode
  ip dvmrp multicast-routing | ip pim multicast-routing (Required)
    Enabling a multicast protocol globally is the prerequisite for enabling IGMP; the "no ip dvmrp
    multicast-routing" and "no ip pim multicast-routing" commands disable the multicast protocol and IGMP.
Interface Configuration Mode
  ip dvmrp enable | ip pim dense-mode | ip pim sparse-mode (Required)
    Enables IGMP on the interface; the corresponding "no ip dvmrp enable", "no ip pim dense-mode" and
    "no ip pim sparse-mode" commands disable IGMP.
2. Configure IGMP Sub-parameters
(1) Configure IGMP group parameters
  1) Configure IGMP group filtering conditions
  2) Configure IGMP to join a group
  3) Configure IGMP to join a static group
Interface Configuration Mode
  ip igmp access-group {<acl_num | acl_name>}
  no ip igmp access-group
    Configures the filtering conditions of the interface for IGMP groups; the "no ip igmp access-group"
    command cancels the filtering condition.
  ip igmp join-group <A.B.C.D>
  no ip igmp join-group <A.B.C.D>
    Configures the interface to join an IGMP group; the "no ip igmp join-group <A.B.C.D>" command cancels
    the join.
  ip igmp static-group <A.B.C.D>
  no ip igmp static-group <A.B.C.D>
    Configures the interface to join an IGMP static group; the "no ip igmp static-group <A.B.C.D>" command
    cancels the join.
(2) Configure IGMP query parameters
  1) Configure the interval at which IGMP sends Query messages
  2) Configure the maximum response time of IGMP queries
  3) Configure the IGMP query time-out
Interface Configuration Mode
  ip igmp query-interval <time_val>
  no ip igmp query-interval
    Configures the interval of the periodically sent IGMP Query messages; the "no ip igmp query-interval"
    command restores the default value.
  ip igmp query-max-response-time <time_val>
  no ip igmp query-max-response-time
    Configures the maximum response time of the interface for IGMP queries; the "no ip igmp
    query-max-response-time" command restores the default value.
  ip igmp query-timeout <time_val>
  no ip igmp query-timeout
    Configures the query time-out of the interface; the "no ip igmp query-timeout" command restores the
    default value.
(3) Configure the IGMP version
Interface Configuration Mode
  ip igmp version <version>
  no ip igmp version
    Configures the IGMP version on the interface; the "no ip igmp version" command restores the default
    value.
3. Disable IGMP
Interface Configuration Mode
  no ip dvmrp enable | no ip pim dense-mode | no ip pim sparse-mode
    Disables IGMP on the interface.
Global Mode
  no ip dvmrp multicast-routing | no ip pim multicast-routing
    Disables the multicast protocol, and with it IGMP, globally.
43.9.3 IGMP Configuration Examples
As shown in the following figure, add the Ethernet ports of Switch A and Switch B to the corresponding VLANs
and start PIM-DM on each VLAN interface.
Figure 43-9-1 IGMP Network Topology Diagram (SwitchA Ethernet1/1 in vlan1 connects to SwitchB Ethernet1/1
in vlan1; SwitchB Ethernet1/2 is in vlan2)
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim dense-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#ip pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan2)#ip pim dense-mode
XGS3-42000R(config-if-Vlan2)#ip igmp version 3
43.9.4 IGMP Troubleshooting
When configuring and using IGMP, the protocol may fail to operate normally because of physical connection
problems or incorrect configuration. Users should therefore check the following:
- First, make sure the physical connection is correct.
- Next, make sure the interface protocol and link protocol are UP (use the show interface command).
- Then, make sure a multicast protocol is started on the interface.
- Multicast protocols require an RPF check against unicast routing, so the correctness of unicast routing
  must be assured beforehand.
43.10 IGMP Snooping
43.10.1 Introduction to IGMP Snooping
IGMP (Internet Group Management Protocol) is a protocol used in IP multicast. It is used by multicast-enabled
network devices (such as routers) to query host membership, and by hosts joining a multicast group to ask the
router to deliver packets for a certain multicast address. All of this is done through IGMP message exchange.
The router sends an IGMP Host Membership Query to the all-hosts multicast address 224.0.0.1. If a host
wants to join a multicast group, it replies with an IGMP Host Membership Report addressed to that group's
multicast address.
IGMP Snooping is also referred to as IGMP listening. Through IGMP Snooping the switch prevents multicast
traffic from flooding: multicast traffic is forwarded only to the ports associated with multicast receivers. The
switch listens to the IGMP messages exchanged between the multicast router and the hosts, maintains a
multicast group forwarding table based on what it hears, and then forwards multicast packets according to
that table.
The switch provides IGMP Snooping and can also send queries itself, so that IP multicast can be used with
the switch alone.
43.10.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping
1. Enable IGMP Snooping
Global Mode
  ip igmp snooping
  no ip igmp snooping
    Enables IGMP Snooping. The no operation disables IGMP Snooping.
2. Configure IGMP Snooping
Global Mode
  ip igmp snooping vlan <vlan-id>
  no ip igmp snooping vlan <vlan-id>
    Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the VLAN.
  ip igmp snooping vlan <vlan-id> limit {group <g_limit> | source <s_limit>}
  no ip igmp snooping vlan <vlan-id> limit
    Configures the maximum group count of the VLAN and the maximum source count of every group. The
    "no ip igmp snooping vlan <vlan-id> limit" command cancels this configuration.
  ip igmp snooping vlan <vlan-id> l2-general-querier
  no ip igmp snooping vlan <vlan-id> l2-general-querier
    Sets this VLAN as layer 2 general querier. It is recommended to configure a layer 2 general querier on
    each segment. The "no ip igmp snooping vlan <vlan-id> l2-general-querier" command cancels this
    configuration.
  ip igmp snooping vlan <vlan-id> l2-general-querier-version <version>
    Configures the version number of the General Query sent by the layer 2 general querier.
  ip igmp snooping vlan <vlan-id> l2-general-querier-source <source>
    Configures the source address of the General Query sent by the layer 2 general querier.
  ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>
  no ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>
    Configures a static mrouter port of the VLAN. The no form of the command cancels this configuration.
  ip igmp snooping vlan <vlan-id> mrpt <value>
  no ip igmp snooping vlan <vlan-id> mrpt
    Configures the survival time of mrouter ports. The "no ip igmp snooping vlan <vlan-id> mrpt" command
    restores the default value.
  ip igmp snooping vlan <vlan-id> query-interval <value>
  no ip igmp snooping vlan <vlan-id> query-interval
    Configures the query interval. The "no ip igmp snooping vlan <vlan-id> query-interval" command
    restores the default value.
  ip igmp snooping vlan <vlan-id> immediately-leave
  no ip igmp snooping vlan <vlan-id> immediately-leave
    Enables the IGMP fast leave function for the specified VLAN; the "no ip igmp snooping vlan <vlan-id>
    immediately-leave" command disables it.
  ip igmp snooping vlan <vlan-id> query-mrsp <value>
  no ip igmp snooping vlan <vlan-id> query-mrsp
    Configures the maximum query response period. The "no ip igmp snooping vlan <vlan-id> query-mrsp"
    command restores the default value.
  ip igmp snooping vlan <vlan-id> query-robustness <value>
  no ip igmp snooping vlan <vlan-id> query-robustness
    Configures the query robustness. The "no ip igmp snooping vlan <vlan-id> query-robustness" command
    restores the default value.
  ip igmp snooping vlan <vlan-id> suppression-query-time <value>
  no ip igmp snooping vlan <vlan-id> suppression-query-time
    Configures the suppression query time. The "no ip igmp snooping vlan <vlan-id> suppression-query-time"
    command restores the default value.
  ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>
  no ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>
    Configures a static group on the specified port of the VLAN. The no form of the command cancels this
    configuration.
  ip igmp snooping vlan <vlan-id> report source-address <A.B.C.D>
  no ip igmp snooping vlan <vlan-id> report source-address
    Configures the source address used for forwarded IGMP packets; the no operation cancels it.
43.10.3 IGMP Snooping Examples
Scenario 1: IGMP Snooping function
Figure 43-10-1 Enabling IGMP Snooping function (a multicast router and Multicast Server 1 and 2, serving
Group 1 and Group 2, reach the switch through its multicast port; with IGMP Snooping the switch delivers
Group 1 to three hosts and Group 2 to one host)
Example: As shown in the figure above, VLAN 100 is configured on the switch and includes ports 1, 2, 6, 10 and
12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to
port 1. IGMP Snooping is disabled by default both on the switch and in the VLANs, so to enable IGMP
Snooping in VLAN 100 it must first be enabled for the switch in Global Mode, then in VLAN 100, and port 1 of
VLAN 100 must be set as the mrouter port.
The configuration steps are listed below:
XGS3-42000R(config)#ip igmp snooping
XGS3-42000R(config)#ip igmp snooping vlan 100
XGS3-42000R(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast Configuration
Suppose two programs are provided by the multicast server, using multicast groups Group1 and Group2. Three
of the four hosts, connected to ports 2, 6 and 10, play program 1, while the host connected to port 12 plays
program 2.
IGMP Snooping listening result:
The multicast table built by IGMP Snooping in VLAN 100 contains ports 1, 2, 6 and 10 for Group1 and ports 1
and 12 for Group2.
All four hosts receive the program of their choice: ports 2, 6 and 10 do not receive the traffic of program 2,
and port 12 does not receive the traffic of program 1.
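The listening result above can be reproduced with a small model of the snooping table. The following Python example, added here and not part of this manual or the switch firmware, keeps a per-VLAN table of receiver ports and mrouter ports, updates it from reports, leaves and queries, enforces a per-VLAN group limit like the one the limit command configures, and computes the egress set for data frames and for relayed IGMP messages. The port numbers and mrouter port are those of Scenario 1; the group addresses 239.1.1.1 and 239.1.1.2 standing in for Group1 and Group2, the flooding behaviour for unregistered groups and the class and method names are the example's own.

```python
# Added example, not the switch's own code: a minimal IGMP snooping
# forwarding table for one VLAN, driven by the reports, leaves and queries
# the switch would see, with the per-VLAN group limit the manual exposes.
from collections import defaultdict


class SnoopingVlan:
    def __init__(self, vlan_id, ports, mrouter_ports=(), group_limit=None):
        self.vlan_id = vlan_id
        self.ports = set(ports)
        self.mrouter_ports = set(mrouter_ports)   # static (configured) plus learned
        self.group_limit = group_limit            # "ip igmp snooping vlan N limit group"
        self.groups = defaultdict(set)            # group -> receiver ports

    def on_report(self, port, group) -> bool:
        """Membership report seen on `port`; False if the group limit would
        be exceeded (the report is then ignored)."""
        if port not in self.ports:
            raise ValueError(f"port {port} not in VLAN {self.vlan_id}")
        if group not in self.groups and self.group_limit is not None \
                and len(self.groups) >= self.group_limit:
            return False
        self.groups[group].add(port)
        return True

    def on_leave(self, port, group):
        """Leave with fast leave (immediately-leave) semantics: prune the
        port at once instead of sending a group-specific query first."""
        if group in self.groups:
            self.groups[group].discard(port)
            if not self.groups[group]:
                del self.groups[group]

    def on_query(self, port):
        """A query arriving on a port means a router (or L2 general querier)
        lives there, so it becomes a dynamically learned mrouter port."""
        self.mrouter_ports.add(port)

    def report_egress(self, ingress):
        """IGMP reports and leaves are relayed only toward multicast routers."""
        return sorted(self.mrouter_ports - {ingress})

    def data_egress(self, ingress, group):
        """Egress ports for a multicast data frame. Registered groups go to
        their receivers plus the mrouter ports; unregistered groups flood
        the VLAN, which is what would happen with snooping disabled."""
        if group in self.groups:
            egress = self.groups[group] | self.mrouter_ports
        else:
            egress = self.ports
        return sorted(egress - {ingress})


def scenario_1():
    """The manual's Scenario 1: VLAN 100, ports 1, 2, 6, 10 and 12, router on
    port 1. The group addresses are constructed for the example."""
    v = SnoopingVlan(100, [1, 2, 6, 10, 12], mrouter_ports=[1])
    for p in (2, 6, 10):
        v.on_report(p, "239.1.1.1")       # program 1 (Group1)
    v.on_report(12, "239.1.1.2")          # program 2 (Group2)
    return v


if __name__ == "__main__":
    v = scenario_1()
    print(v.data_egress(1, "239.1.1.1"))   # [2, 6, 10]
    print(v.data_egress(1, "239.1.1.2"))   # [12]
    print(v.data_egress(1, "239.9.9.9"))   # [2, 6, 10, 12]  (unregistered: flood)
```

Note what happens when the last receiver of a group leaves: the group becomes unregistered and, in this model, its traffic floods the VLAN again until a new report arrives. Whether a real switch floods or drops unregistered multicast is a platform setting worth checking when the goal is to keep a multicast stream away from ports that never asked for it.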
Scenario 2: L2-general-querier
Figure 43-10-1 The switches as IGMP queriers (a multicast server serving Group 1 and Group 2 is attached to
the multicast port of Switch A, which runs IGMP Snooping as L2 general querier; Switch B runs IGMP Snooping
and delivers Group 1 and Group 2 to its hosts)
The configuration of Switch B is the same as that of the switch in Scenario 1; Switch A takes the place of the
multicast router in Scenario 1. Let us assume VLAN 60 is configured on Switch A, including ports 1, 2, 6, 10
and 12. Port 1 connects to the multicast server and port 2 connects to Switch B. To send Queries at regular
intervals, IGMP Snooping must be enabled in Global Mode and in VLAN 60, and VLAN 60 must be set as L2
general querier.
The configuration steps are listed below:
SwitchA#config
SwitchA(config)#ip igmp snooping
SwitchA(config)#ip igmp snooping vlan 60
SwitchA(config)#ip igmp snooping vlan 60 l2-general-querier
SwitchB#config
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast Configuration
The same as Scenario 1.
IGMP Snooping listening result:
Similar to Scenario 1.
Scenario 3: Running in cooperation with layer 3 multicast protocols
The SWITCH used in Scenario 1 is replaced with a ROUTER whose configuration otherwise remains the same,
and the multicast and IGMP snooping configuration is the same as in Scenario 1. Configure PIM-SM on the
ROUTER and enable PIM-SM on VLAN 100 (use the same PIM mode as the connected multicast router).
The configuration is listed below:
XGS3-42000R#config
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 100
XGS3-42000R(config-if-vlan100)#ip pim sparse-mode
IGMP snooping does not install entries when a layer 3 multicast protocol is enabled. It only does the following:
- Removes the layer 2 multicast entries.
- Provides query functions to layer 3 with VLAN, S and G as the parameters.
- When layer 3 IGMP is disabled, resumes installing layer 2 multicast entries.
By looking up the layer 3 IPMC entries it can be seen that the ports are indicated by the layer 3 multicast
entries. This ensures that IGMP snooping works in cooperation with the layer 3 multicast protocols.
43.10.4 IGMP Snooping Troubleshooting
When configuring and using IGMP Snooping, it may not run properly because of physical connection problems
or configuration mistakes. Users should therefore check the following:
- Make sure the physical connection is correct.
- Activate IGMP Snooping in Global Mode (use ip igmp snooping).
- Configure IGMP Snooping for the VLAN in Global Mode (use ip igmp snooping vlan <vlan-id>).
- Make sure one VLAN on the segment is configured as L2 general querier, or that a static mrouter port is
  configured.
- Use the show ip igmp snooping vlan <vid> command to check the IGMP Snooping information.
43.11 IGMP Proxy Configuration
43.11.1 Introduction to IGMP Proxy
IGMP/MLD proxy, introduced in RFC 4605, is a simplified multicast protocol that runs on edge devices. An edge
device running IGMP/MLD proxy does not need to run complicated multicast routing protocols such as PIM or
DVMRP, yet it works with a multicast-enabled network through the proxy. This simplifies the implementation
of multicasting on edge devices.
The IGMP/MLD proxy sits between the multicast router and the clients and acts as both a multicast host and a
router. Upstream and downstream ports must be specified in the IGMP/MLD proxy configuration: the host
protocol runs on the upstream ports, while the router protocol runs on the downstream ports. The switch
collects the join and leave messages received on the downstream ports and forwards them to the multicast
router through the upstream ports.
The IGMP proxy configuration is mutually exclusive with the PIM and DVMRP configuration.
43.11.2 IGMP Proxy Configuration Task List
1. Enable the IGMP Proxy function
2. Configure the downstream and upstream ports of the IGMP Proxy on different interfaces
3. Configure IGMP Proxy assistant parameters
1. Enable the IGMP Proxy function
Global Mode
  ip igmp proxy
  no ip igmp proxy
    Enables the IGMP Proxy function. The "no ip igmp proxy" command disables it.
2. Configure the downstream and upstream ports of the IGMP Proxy on different interfaces
Interface Configuration Mode
  ip igmp proxy upstream
  no ip igmp proxy upstream
    Enables the IGMP Proxy upstream function on the interface. The "no ip igmp proxy upstream" command
    disables it.
  ip igmp proxy downstream
  no ip igmp proxy downstream
    Enables the IGMP Proxy downstream function on the interface. The "no ip igmp proxy downstream"
    command disables it.
3. Configure IGMP Proxy assistant parameters
Global Mode
  ip igmp proxy limit {group <1-500> | source <1-500>}
  no ip igmp proxy limit
    Configures the maximum number of groups the upstream ports can join and the maximum number of
    sources in a single group. The no form of this command restores the default value.
  ip igmp proxy unsolicited-report interval <1-5>
  no ip igmp proxy unsolicited-report interval
    Configures how often the upstream ports send unsolicited reports. The no form of this command restores
    the default configuration.
  ip igmp proxy unsolicited-report robustness <2-10>
  no ip igmp proxy unsolicited-report robustness
    Configures the number of times the upstream ports retransmit unsolicited reports. The no form of this
    command restores the default value.
  ip igmp proxy aggregate
  no ip igmp proxy aggregate
    Configures non-querier downstream ports to aggregate IGMP operations. The no form of this command
    restores the default configuration.
  ip multicast ssm range <1-99>
  ip multicast ssm default
  no ip multicast ssm
    Configures the address range of the IGMP proxy SSM multicast groups; the no form of this command
    removes the configuration.
Interface Configuration Mode
  ip igmp proxy multicast-source
  no ip igmp proxy multicast-source
    Configures the port as a downstream port that is also a source of multicast datagrams; the no form of
    this command disables the configuration.
43.11.3 IGMP Proxy Examples
Example 1: IGMP Proxy function.
Multicast
Rout er
Multicast
Multicast
Server
Rout er
IGMP PROXY
Switch 1
IGMP PROXY
Switch 2
IGMP PROXY
Switch 3
Figure 43-11-1 IGMP Proxy Topology Diagram
As it is show in the figure above, the switch functions as IGMP Proxy in a net work of topology of tree, the
switch aggregates the multicast dataflow from upstream port and redistributes them to the downstream ports,
while the IGMP membership reports flow from downstream ports to upstream ports. Three IGMP Proxy
enabled switches which are connected in tree topology, respectively have one port connected to multicast
routers, and no less than one ports connected to hosts or upstream ports from other IGMP Proxy enabled
43-54
switches.
43-55
The configuration steps are listed below:
XGS3-42000R#config
XGS3-42000R(config)#ip igmp proxy
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip igmp proxy upstream
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip igmp proxy downstream
Multicast Configuration:
Suppose the multicast server offers a program through 224.1.1.1 and some hosts at the edge of the network subscribe to that program. The IGMP multicast members report themselves to the downstream ports of the IGMP Proxy enabled Switch 2 and Switch 3. Switch 2 and Switch 3 then aggregate the group membership information and send it through their upstream ports. Switch 1 finally forwards this membership information to the multicast router when it receives the group membership information through its upstream port, and delivers the multicast dataflow through its downstream ports.
Example 2: IGMP Proxy for multicast sources from downstream ports.
Figure 43-11-2 IGMP Proxy for multicast sources from downstream ports (Multicast Server, two Multicast Routers, IGMP PROXY Switch 1, Switch 2 and Switch 3)
As shown in the figure above, the IGMP Proxy enabled switches are connected to the network in a tree topology. The multicast source server connects to the downstream port of Switch 1, and the multicast dataflow is distributed through the upstream port and the other downstream ports. The three IGMP Proxy enabled switches connected in a tree topology each have one port connected to a multicast router and at least one port connected to hosts or to the upstream ports of other IGMP Proxy enabled switches.
The configuration steps are listed below:
IGMP PROXY Switch 1 configuration:
XGS3-42000R#config
XGS3-42000R(config)#ip igmp proxy
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip igmp proxy upstream
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip igmp proxy downstream
XGS3-42000R(config-if-Vlan2)#ip igmp proxy multicast-source
Router 1 configuration:
XGS3-42000R#config
XGS3-42000R(config)#ip pim multicast
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-if-Vlan1)#ip pim bsr-border
Multicast Configuration:
Suppose the server provides a program through the multicast address 224.1.1.1, and some hosts at the edge of the network subscribe to that program. The hosts report their IGMP multicast group membership to Switch 2 and Switch 3 through the downstream ports. Switch 2 and Switch 3 then aggregate the membership and forward it to Switch 1, which in turn forwards the information to the multicast router. When the multicast dataflow arrives, the IGMP Proxy enabled switches redistribute it according to the group membership through the upstream and downstream ports. When the multicast router receives the multicast dataflow from the IGMP proxy, it considers the multicast data source to be directly connected to the router, and determines the identity of the DR and ORIGINATOR. The multicast dataflow is then redistributed according to the PIM protocol.
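The aggregation and forwarding behaviour of Examples 1 and 2 above, as an added Python model that is not part of the manual or of the switch firmware; the port names, the group 224.1.1.1 and the host actions are constructed inputs.

```python
# Added example (not from the manual): a minimal model of the IGMP Proxy
# behaviour described in Examples 1 and 2. One upstream port and several
# downstream ports; membership reports from downstream ports are aggregated
# into a single upstream report, and multicast data is redistributed to the
# downstream ports that have members. Port names are constructed.
from __future__ import annotations

from ipaddress import IPv4Address


class IgmpProxySwitch:
    def __init__(self, upstream_port: str, downstream_ports: list[str]):
        self.upstream = upstream_port
        self.downstream = set(downstream_ports)
        # Downstream ports configured with "ip igmp proxy multicast-source"
        # (Example 2): a source attached there may inject multicast data.
        self.source_ports: set[str] = set()
        # group -> downstream ports that currently have at least one member
        self.members: dict[IPv4Address, set[str]] = {}
        # Aggregated messages that would leave through the upstream port.
        self.upstream_messages: list[tuple[str, IPv4Address]] = []

    def enable_multicast_source(self, port: str) -> None:
        if port not in self.downstream:
            raise ValueError(f"{port} is not a downstream port")
        self.source_ports.add(port)

    def report(self, port: str, group: IPv4Address) -> bool:
        """A host on a downstream port reports membership of `group`.

        Returns True only when this is the first member of the group on the
        whole switch, i.e. when one aggregated report is sent upstream.
        """
        if port not in self.downstream:
            raise ValueError(f"{port} is not a downstream port")
        ports = self.members.setdefault(group, set())
        first_member = not ports
        ports.add(port)
        if first_member:
            self.upstream_messages.append(("report", group))
        return first_member

    def leave(self, port: str, group: IPv4Address) -> bool:
        """The last member on a downstream port leaves `group`.

        Returns True only when no downstream port has a member left, i.e.
        when an aggregated leave is sent upstream.
        """
        ports = self.members.get(group)
        if not ports or port not in ports:
            return False
        ports.discard(port)
        if ports:
            return False
        del self.members[group]
        self.upstream_messages.append(("leave", group))
        return True

    def forward(self, ingress: str, group: IPv4Address) -> set[str]:
        """Egress ports for a datagram to `group` arriving on `ingress`."""
        receivers = set(self.members.get(group, set()))
        if ingress == self.upstream:
            # Example 1: data from the multicast router goes only to the
            # downstream ports with members, never back upstream.
            return receivers
        if ingress in self.source_ports:
            # Example 2: a source behind a downstream port; the data leaves
            # through the upstream port and the other downstream ports
            # that have members.
            return (receivers - {ingress}) | {self.upstream}
        # Data arriving on a plain downstream port is not proxied.
        return set()
```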
43.11.4 IGMP Proxy Troubleshooting
When configuring and using the IGMP Proxy function, IGMP Proxy may fail to run properly because of physical connection or configuration mistakes. So users should note that:
- Make sure the physical connection is correct;
- Activate IGMP Proxy in Global mode (use ip igmp proxy);
- Make sure one upstream port and at least one downstream port are configured in interface configuration mode (use ip igmp proxy upstream, ip igmp proxy downstream);
- Use the show ip igmp proxy command to check whether the IGMP Proxy information is correct.
If the IGMP Proxy problem remains unsolved, please use debug IGMP Proxy and other debugging commands, copy the DEBUG messages within three minutes, and send the recorded messages to the technical service center of our company.
Chapter 44 IPv6 Multicast Protocol
44.1 PIM-DM6
44.1.1 Introduction to PIM-DM6
PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a dense-mode multicast routing protocol suited to small networks, in which the members of a multicast group are relatively densely distributed. There is no difference from the IPv4 version of PIM-DM except that the addresses it uses are IPv6 addresses. Thus we don't differentiate between PIM-DM and PIM-DM6 in this chapter. All PIM-DM in the text without specific explanation refers to the IPv6 version of PIM-DM.
As IPv6 networks are still developing, a network sometimes does not support IPv6 multicast, so IPv6 multicast has to be carried through a tunnel. Therefore, our PIM-DM6 supports configuration on a configured tunnel and crosses networks without IPv6 multicast support using IPv4-encapsulated unicast packets.
The working process of PIM-DM can be summarized as: Neighbor Discovery, Flooding-Prune, and Graft.
1. Neighbor Discovery
When a PIM-DM router starts, it uses Hello messages to discover neighbors. The network nodes running PIM-DM use Hello messages to contact each other. PIM-DM Hello messages are sent periodically.
2. Flooding-Prune
PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source S begins to send data to a multicast group G, the router that receives the multicast packet first performs an RPF examination according to the unicast routing table. If the check passes, the router creates an (S, G) entry and forwards the multicast packet to all downstream PIM-DM nodes (Flooding). If the RPF examination fails, i.e. the multicast packet arrived on the wrong interface, the packet is discarded. After this procedure, every node in the PIM-DM multicast domain has created an (S, G) entry. If there is no multicast group member among the downstream nodes, a Prune message is sent to the upstream nodes, notifying them not to forward data for this multicast group any more. After receiving the Prune message, the corresponding interfaces are deleted from the output interface list of the (S, G) multicast-forwarding entry. Through this process, an SPT (Shortest Path Tree) rooted at source S is established. The Prune process is started by a downstream router.
The process above is called the Flooding-Prune process. Each pruned node also maintains a timeout: when the prune times out, the router restarts the flooding-prune process. Flooding-prune in PIM-DM is therefore conducted periodically.
3. RPF examination
Using RPF examination, PIM-DM establishes a multicast forwarding tree starting from the data source, based on the existing unicast routing table. When a multicast packet arrives, the router first determines whether it arrived by the correct path. If the arrival interface is the interface toward the multicast source indicated by unicast routing, the multicast packet is considered to have come by the correct path; otherwise the multicast packet is discarded as a redundant message. The unicast routing information used for this path judgment can come from any unicast routing protocol, such as routes learned by RIP, OSPF, etc. PIM-DM doesn't rely on any specific unicast routing protocol.
4. Assert Mechanism
If two multicast routers A and B on the same LAN segment each have their own receiving path to multicast source S, both will forward the multicast data packet onto the LAN after receiving it from source S. The downstream multicast router C then receives two identical multicast packets. Once a router detects this situation, a unique forwarder is selected through the "assert" mechanism: the optimal forwarding path is selected by means of "assert" packets. If the priority and cost of two or more paths are the same, the node with the larger IP address is selected as the upstream neighbor of the (S, G) entry, and it is responsible for forwarding the (S, G) multicast packets.
5. Graft
When a pruned downstream node needs to return to the forwarding state, it uses a Graft message to notify the upstream nodes to resume multicast data forwarding.
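The RPF examination, the Flooding-Prune and Graft handling of an (S, G) entry, and the Assert tie-break described in items 2 to 5 above, as an added Python model that is not the switch's implementation; the unicast routing table, interface names and addresses are constructed inputs.

```python
# Added example (not from the manual): a small model of the PIM-DM mechanisms
# described above. Routes, interface names and addresses are constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class UnicastRoute:
    prefix: IPv6Network
    interface: str      # interface towards the next hop
    preference: int     # protocol preference of the route (lower is better)
    metric: int         # cost of the route (lower is better)


def rpf_interface(routes: list[UnicastRoute], source: IPv6Address) -> UnicastRoute | None:
    """Longest-prefix lookup of the source address: the RPF interface is the
    one the unicast table would use to reach the source (RIP, OSPF, ... do
    not matter, only the resulting table does)."""
    matches = [r for r in routes if source in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass
class SGEntry:
    source: IPv6Address
    group: IPv6Address
    incoming: str                                  # RPF interface
    outgoing: set[str] = field(default_factory=set)  # output interface list


class PimDmRouter:
    def __init__(self, routes: list[UnicastRoute], pim_interfaces: set[str]):
        self.routes = routes
        self.pim_interfaces = pim_interfaces
        self.mroutes: dict[tuple[IPv6Address, IPv6Address], SGEntry] = {}

    def receive(self, source: IPv6Address, group: IPv6Address, arrival: str) -> set[str] | None:
        """RPF examination. On success create the (S, G) entry if needed and
        return the output interface list (flooding); on failure return None,
        i.e. the packet is discarded as redundant."""
        route = rpf_interface(self.routes, source)
        if route is None or route.interface != arrival:
            return None
        entry = self.mroutes.get((source, group))
        if entry is None:
            # Flooding: every PIM-DM interface except the one the packet came in on.
            entry = SGEntry(source, group, arrival, self.pim_interfaces - {arrival})
            self.mroutes[(source, group)] = entry
        return set(entry.outgoing)

    def prune(self, source: IPv6Address, group: IPv6Address, from_iface: str) -> None:
        """Prune received on from_iface: drop it from the output interface list."""
        entry = self.mroutes.get((source, group))
        if entry is not None:
            entry.outgoing.discard(from_iface)

    def graft(self, source: IPv6Address, group: IPv6Address, from_iface: str) -> None:
        """Graft received on from_iface: resume forwarding on that interface."""
        entry = self.mroutes.get((source, group))
        if entry is not None and from_iface in self.pim_interfaces and from_iface != entry.incoming:
            entry.outgoing.add(from_iface)


def assert_winner(candidates: list[tuple[IPv6Address, int, int]]) -> IPv6Address:
    """candidates: (router address, preference, metric) of each router that put
    the same (S, G) packet on the LAN. Best preference wins, then best metric,
    and on a full tie the larger IP address, as described for the assert."""
    return max(candidates, key=lambda c: (-c[1], -c[2], int(c[0])))[0]
```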
44.1.2 PIM-DM6 Configuration Task List
1. Enable PIM-DM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional PIM-DM parameters (Optional)
(1) Configure parameters for PIM-DM interfaces
1) Configure the interval for PIM-DM hello messages
2) Configure the interval for PIM-DM state-refresh messages
3) Configure the boundary interfaces
4) Configure the management boundary
4. Disable PIM-DM protocol
1. Enable the PIM-DM protocol
On XGS3 series switches, PIM-DM is enabled in two steps. First, PIM multicast routing is enabled in global configuration mode; then PIM-DM is configured for the specific interfaces.
Global configuration mode
Command: ipv6 pim multicast-routing
Explanation: To enable PIM-DM multicast routing globally. However, in order to enable PIM-DM for specific interfaces, the following command must be issued.
Enable PIM-DM for the specific interface:
Interface configuration mode
Command: ipv6 pim dense-mode
Explanation: To enable PIM-DM for the specified interface (required).
2. Configure static multicast routing entries
Global configuration mode
Command: ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname>
no ipv6 mroute <X:X::X:X> <X:X::X:X> [<ifname> <.ifname>]
Explanation: To configure IPv6 static multicast routing entries. The no form of this command will remove the specified routing entry.
3. Configure additional PIM-DM parameters
(1) Configure parameters for PIM-DM interfaces
1) Configure the interval for PIM-DM hello messages
Interface Configuration Mode
Command: ipv6 pim hello-interval <interval>
no ipv6 pim hello-interval
Explanation: To configure the interval for PIM-DM hello messages. The no form of this command will restore the default value.
2) Configure the interval for PIM-DM state-refresh messages
Interface Configuration Mode
Command: ipv6 pim state-refresh origination-interval
no ipv6 pim state-refresh origination-interval
Explanation: To configure the interval for sending PIM-DM state-refresh packets. The no form of this command will restore the default value.
3) Configure the boundary interfaces
Interface Configuration Mode
Command: ipv6 pim bsr-border
no ipv6 pim bsr-border
Explanation: To configure the interface as the boundary of the PIM-DM6 protocol. On the boundary interface, STATE REFRESH messages will not be sent or received. The network connected to the interface is considered a directly connected network. The no form of this command will remove the configuration.
4) Configure the management boundary
Interface Configuration Mode
Command: ipv6 pim scope-border <500-599>|<acl_name>
no ipv6 pim scope-border
Explanation: To configure the PIM-DM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group. acl_name should be a standard IPv6 ACL name. The no form of this command will remove the configuration.
4. Disable PIM-DM protocol
Interface Configuration Mode
Command: no ipv6 pim dense-mode
Explanation: To disable PIM-DM for the specified interface.
Global Configuration Mode
Command: no ipv6 pim multicast-routing
Explanation: To disable PIM-DM globally.
44.1.3 PIM-DM6 Typical Application
As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLANs, and start the PIM-DM protocol on each VLAN interface.
Figure 44-1-1 PIM-DM Typical Environment
The configuration procedure for SwitchA and SwitchB is as below:
(1) Configure SwitchA:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:10:1:1::1/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:20:1:1::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode
44.1.4 PIM-DM6 Troubleshooting
When configuring and using the PIM-DM protocol, it may fail to work normally due to physical connections, incorrect configuration and so on. So, users shall note the following points:
- Assure the physical connection is correct.
- Assure the protocol of the interface and link is UP (use the show interface command);
- Assure the PIM protocol is turned on in Global Mode (use the ipv6 pim multicast-routing command);
- Start the PIM-DM protocol on the interface (use the ipv6 pim dense-mode command).
Unicast routes are used to carry out the RPF examination for the multicast protocol, so the correctness of unicast routing shall be guaranteed above all. If all attempts fail to solve the problems on PIM-DM, then use debug commands such as debug ipv6 pim, copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
44.2 PIM-SM6
44.2.1 Introduction to PIM-SM6
PIM-SM6 (Protocol Independent Multicast, Sparse Mode) is the IPv6 version of Protocol Independent Multicast Sparse Mode. It is a sparse-mode multicast routing protocol mainly used in large networks whose group members are distributed relatively sparsely and widely. It is no different from the IPv4 version of PIM-SM except that the addresses it uses are IPv6 addresses. Thus we don't differentiate between PIM-SM and PIM-SM6 in this chapter. All PIM-SM in the text without specific explanation is the IPv6 version of PIM-SM. Unlike the Flooding-Prune of Dense Mode, the PIM-SM protocol assumes that no host needs to receive multicast data packets. A PIM-SM router forwards multicast data packets to a host only on explicit request.
By setting the RP (Rendezvous Point) and BSR (Bootstrap Router), PIM-SM announces multicast packets to all PIM-SM routers and establishes, using the Join/Prune messages of the routers, an RPT (RP-rooted shared tree) based on the RP. Consequently the network bandwidth occupied by data packets and control messages is cut down and the processing cost of the routers is reduced. Multicast data reaches the network segments where the multicast group members are located along the shared tree. When the data traffic reaches a certain amount, the multicast data stream can be switched to a source-based SPT (Shortest Path Tree) to shorten network delay. PIM-SM doesn't rely on any specific unicast routing protocol but performs the RPF examination using the existing unicast routing table.
1. PIM-SM Working Principle
The working process of PIM-SM mainly includes neighbor discovery, creation of the RPT, registration of the multicast source, SPT switch and so on. The neighbor discovery mechanism is the same as that of PIM-DM and is not described again here.
(1) Creation of RP Shared Tree (RPT)
When a host joins a multicast group G, the leaf router directly connected to the host learns through IGMP messages that there is a receiver for multicast group G, works out the corresponding Rendezvous Point RP for multicast group G, and sends a Join message to the upper level nodes in the direction of the RP. Every router on the way from the leaf router to the RP creates a (*, G) entry, indicating that a message from any source to multicast group G matches this entry. When the RP receives a message sent to multicast group G, the message reaches the leaf router along the established path and then the host. In this way, the RPT with the RP as root is created.
(2) Multicast Source Registration
When multicast source S sends a multicast packet to multicast group G, the PIM-SM multicast router directly connected to it takes charge of encapsulating the multicast packet into a Register message and unicasting it to the corresponding RP. If there is more than one PIM-SM multicast router on a network segment, the DR (Designated Router) takes charge of forwarding the multicast packet.
(3) SPT Switch
Once the multicast router finds that the rate of multicast packets from the RP with destination address G exceeds the threshold, it sends a Join message to the upper level nodes in the direction of the source, which results in the switch from the RPT to the SPT.
2. Preparation before PIM-SM configuration
(1) Configuration of Candidate RPs
More than one RP (candidate RP) is permitted in a PIM-SM network, and each C-RP (Candidate RP) takes charge of forwarding multicast packets with destination addresses in a certain range. Configuring more than one candidate RP can achieve RP load balancing. There is no master or slave difference among RPs. All multicast routers work out the RP corresponding to a certain multicast group based on the same algorithm after receiving the candidate RP message announced by the BSR.
Note that one RP can serve more than one multicast group, even all multicast groups. But each multicast group can only correspond with one unique RP at any moment; it can't correspond with more RPs at the same time.
(2) BSR Configuration
As the management core of the PIM-SM network, the BSR is in charge of collecting the messages sent by candidate RPs and broadcasting them.
There may be only one BSR within a network. However, several candidate BSRs may be configured. With such an arrangement, once a BSR fails, another can take over. The C-BSRs determine the BSR through automatic election.
44.2.2 PIM-SM6 Configuration Task List
1. Enable PIM-SM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional parameters for PIM-SM (Optional)
(1) Configure parameters for PIM-SM interfaces
1) Configure the interval for PIM-SM hello messages
2) Configure the holdtime for PIM-SM hello messages
3) Configure ACL for PIM-SM6 neighbors
4) Configure the interface as the boundary interface of the PIM-SM6 protocol
5) Configure the interface as the management boundary of the PIM-SM6 protocol
(2) Configure global PIM-SM parameters
1) Configure the switch as a candidate BSR
2) Configure the switch as a candidate RP
3) Configure static RP
4. Disable the PIM-SM protocol
1. Enable PIM-SM protocol
The PIM-SM protocol can be enabled on XGS3 series Layer 3 switches by enabling PIM6 in global configuration mode and then enabling PIM-SM for specific interfaces in interface configuration mode.
Global Configuration Mode
Command: [no] ipv6 pim multicast-routing
Explanation: To enable the PIM-SM6 protocol for all the interfaces (however, in order to make PIM-SM work for specific interfaces, the following command should be issued). (required)
Make the PIM-SM protocol work for specific interfaces
Interface Configuration Mode
Command: [no] ipv6 pim sparse-mode [passive]
Explanation: To enable PIM-SM for the specified interface. The no form of this command will disable the PIM-SM protocol (required).
2. Configure static multicast routing entries
Global Configuration Mode
Command: ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname>
no ipv6 mroute <X:X::X:X> <X:X::X:X> [<ifname> <.ifname>]
Explanation: To configure a static multicast routing entry. The no form of this command will remove the specified static multicast routing entry.
3. Configure the additional parameters for PIM-SM
(1) Configure parameters for PIM-SM interfaces
1) Configure the interval for PIM-SM hello messages
Interface Configuration Mode
Command: ipv6 pim hello-interval <interval>
no ipv6 pim hello-interval
Explanation: To configure the interval for PIM-SM hello messages. The no form of this command restores the interval to the default value.
2) Configure the hold time for PIM-SM6 hello messages
Interface Configuration Mode
Command: ipv6 pim hello-holdtime <value>
no ipv6 pim hello-holdtime
Explanation: To configure the value of the holdtime field in PIM-SM hello messages. The no form of this command will restore the hold time to the default value.
3) Configure ACL for PIM-SM6 neighbors
Interface Configuration Mode
Command: ipv6 pim neighbor-filter <access-list-name>
no ipv6 pim neighbor-filter <access-list-name>
Explanation: To configure an ACL to filter PIM-SM6 neighbors. If the session to a neighbor is denied by the ACL, the sessions that have already been set up will be discarded immediately and new sessions will not be set up.
4) Configure the interface as the boundary interface of the PIM-SM6 protocol
Interface Configuration Mode
Command: ipv6 pim bsr-border
no ipv6 pim bsr-border
Explanation: To configure the interface as the boundary of the PIM-SM6 protocol. On the boundary interface, BSR messages will not be sent or received. The network connected to the interface is considered a directly connected network. The no form of this command will remove the configuration.
5) Configure the interface as the management boundary of the PIM-SM6 protocol
Interface Configuration Mode
Command: ipv6 pim scope-border <500-599>|<acl_name>
no ipv6 pim scope-border
Explanation: To configure the PIM-SM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group. acl_name should be a standard IPv6 ACL name. The no form of this command will remove the configuration.
(2) Configure global PIM-SM6 parameters
1) Configure the switch as a candidate BSR
Global Configuration Mode
Command: ipv6 pim bsr-candidate {vlan <vlan_id>|<ifname> | tunnel <1-50>} [hash-mask-length] [priority]
no ipv6 pim bsr-candidate {vlan <vlan_id>|<ifname> | tunnel <1-50>} [hash-mask-length] [priority]
Explanation: This is the global candidate BSR configuration command, which is used to configure the information of the PIM-SM candidate BSR so that it can compete for the BSR role with the other candidate BSRs. The no operation cancels the candidate BSR configuration.
2) Configure the switch as a candidate RP
Global Configuration Mode
Command: ipv6 pim rp-candidate {vlan<vlan-id>|loopback<index>|<ifname>} [<group range>] [<priority>]
no ipv6 pim rp-candidate
Explanation: This is the global candidate RP configuration command, which is used to configure the information of the PIM-SM candidate RP so that it can compete for the RP role with the other candidate RPs. The no operation cancels the candidate RP configuration.
3) Configure static RP
Global Configuration Mode
Command: ipv6 pim rp-address <rp-address> [<group-range>]
no ipv6 pim rp-address <rp-address> {all|<group-range>}
Explanation: To configure the address of the candidate RP. The no form of this command will remove the configuration for the candidate RP.
4. Disable PIM-SM protocol
Interface Configuration Mode
Command: no ipv6 pim sparse-mode
Explanation: To disable the PIM-SM6 protocol on the interface.
Global Configuration Mode
Command: no ipv6 pim multicast-routing
Explanation: To disable PIM-SM globally.
44.2.3 PIM-SM6 Typical Application
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLANs, and start the PIM-SM protocol on each VLAN interface.
Figure 44-2-1 PIM-SM Typical Environment (SwitchA, SwitchB, SwitchC and SwitchD connected through Vlan 1, Vlan 2 and Vlan 3; Vlan 2 of SwitchB is the RP and Vlan 2 of SwitchC is the BSR)
The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as below:
(1) Configure SwitchA:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::1/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:13:1:1::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim sparse-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:24:1:1::2/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#ipv6 pim rp-candidate vlan2
(3) Configure SwitchC:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:34:1:1::3/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:13:1:1::3/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ipv6 address 2000:30:1:1::1/64
XGS3-42000R(config-if-Vlan3)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan3)#exit
XGS3-42000R(config)#ipv6 pim bsr-candidate vlan2 30 10
(4) Configure SwitchD:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:34:1:1::4/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:24:1:1::4/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-if-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-if-Vlan3)#ipv6 address 2000:40:1:1::1/64
XGS3-42000R(config-if-Vlan3)#ipv6 pim sparse-mode
44.2.4 PIM-SM6 Troubleshooting
When configuring and using the PIM-SM protocol, it may fail to work normally due to physical connections, incorrect configuration and so on. So, users shall note the following points:
- Assure the physical connection is correct.
- Assure the protocol of the interface and link is UP (use the show interface command);
- Unicast routes are used to carry out the RPF examination for the multicast protocol, so the correctness of unicast routing shall be guaranteed above all.
- The PIM-SM protocol requires the support of an RP and a BSR, therefore you should use show ipv6 pim bsr-router first to see whether there is BSR information. If not, you need to check whether there is a unicast route leading to the BSR.
- Use the show ipv6 pim rp-hash command to check whether the RP information is correct; if there is no RP information, you still need to check unicast routing.
If all attempts fail to solve the problems on PIM-SM, then use debug commands such as debug ipv6 pim / debug ipv6 pim bsr, copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
44.3 ANYCAST RP v6 Configuration
44.3.1 Introduction to ANYCAST RP v6
Anycast RP v6 is a technology based on the PIM protocol, which provides redundancy in order to recover as soon as possible once an RP becomes unusable.
The core concept of Anycast RP v6 is that the RP address configured across the whole network exists on multiple multicast servers (the most common arrangement is that every device providing ANYCAST RP uses a LOOPBACK interface and configures the RP address on this interface with the longest mask), while the unicast routing algorithm makes sure that PIM routers can always find the nearest RP, thus providing a shorter and faster way to find the RP in a larger network. Once an RP being used becomes unusable, the unicast routing algorithm ensures that PIM routers can find a path to a new RP fast enough to recover the multicast service in time. Multiple RPs cause a new problem: if the multicast source and the receivers are registered to different RPs, some receivers will not be able to receive the data of the multicast source (obviously, the register messages only go to the nearest RP). So, in order to keep communication between all RPs, Anycast RP defines that the RP nearest to the multicast source should forward the source register messages to all the other RPs, to guarantee that the joiners of every RP can find the multicast source.
The method to realize PIM-protocol-based Anycast RP is to maintain an ANYCAST RP list on every switch configured with Anycast RP and to use another address as the label by which the RPs identify each other. When one Anycast RP device receives a register message, it sends the register message to the other Anycast RP devices using its own address as the source address, to notify all the other devices of the original destination.
44.3.2 ANYCAST RP v6 Configuration Task
1. Enable ANYCAST RP v6 function
2. Configure ANYCAST RP v6
1. Enable ANYCAST RP v6 function
Global Configuration Mode
Command: ipv6 pim anycast-rp
no ipv6 pim anycast-rp
Explanation: Enable the ANYCAST RP function. (necessary) The no operation will globally disable the ANYCAST RP function.
2. Configure ANYCAST RP v6
(1) Configure RP candidate
Global Configuration Mode
Command: ipv6 pim rp-candidate {vlan<vlan-id>|loopback<index>|<ifname>} [<A:B::C:D>] [<priority>]
no ipv6 pim rp-candidate
Explanation: PIM-SM now allows the Loopback interface to be an RP candidate. (necessary) Please note that the ANYCAST RP protocol can configure either the Loopback interface or a regular Layer 3 VLAN interface to be the RP candidate. To make sure that the PIM routers in the network can find where the RP is located, the RP candidate interface should be added into the router. The no operation will cancel the RP candidate configured on this router.
(2) Configure self-rp-address (the RP communication address of this router)
Global Configuration Mode
Command: ipv6 pim anycast-rp self-rp-address A:B::C:D
no ipv6 pim anycast-rp self-rp-address
Explanation: Configure the self-rp-address of this router (as an RP). This address can be used to exclusively identify this router when communicating with the other RPs. (necessary)
The effect of self-rp-address refers to two respects:
1 Once this router (as an RP) receives a unicast register message from a DR, it needs to forward the register message to all the other RPs in the network, notifying them of the state of source (S,G). While forwarding the register message, this router will change its source address into self-rp-address.
2 Once this router (as an RP) receives a unicast register message from another RP, i.e. a register message whose destination is the self-rp-address of this router, it will create (S,G) state and send back a register-terminating message whose destination address is the source address of the register message.
Pay attention: self-rp-address has to be the address of a Layer 3 interface on this router, but the configuration is allowed to be done in the absence of the interface. The self-rp-address should be unique.
The no operation will cancel the self-rp-address used by this router to communicate with the other RPs.
(3) Configure other-rp-address (other RP communication addresses)
Global Configuration Mode
Command: ipv6 pim anycast-rp <anycast-rp-addr> <other-rp-addr>
no ipv6 pim anycast-rp <anycast-rp-addr> <other-rp-addr>
Explanation: Configure anycast-rp-addr on this router (as an RP). This unicast address is actually the RP address configured on multiple RPs in the network, in accordance with the address of the RP candidate interface (or Loopback interface). The effect of anycast-rp-addr includes:
1 Although more than one anycast-rp-addr is allowed to be configured, only the one having the same address as the currently configured RP candidate address will take effect. Only after that can the other-rp-addresses in accordance with this anycast-rp-addr take effect.
2 The configuration is allowed to be done in the absence of the interface in accordance with the anycast-rp-addr.
Configure on this router (as an RP) the other-rp-addresses of the other RPs communicating with it. This unicast address identifies another RP and is used in the communication with local routers. The effect of other-rp-address refers to two respects:
1 Once this router (as an RP) receives a unicast register message from a DR, it should forward it to the other RPs in the network to notify all the RPs in the network of the source (S,G) state. While forwarding, the router will change the destination address of the register message into other-rp-address.
2 Multiple other-rp-addresses can be configured in accordance with one anycast-rp-addr. Once the register message from a DR is received, it should be forwarded to all of these RPs one by one.
The no operation will cancel the other-rp-address communicating with this router.
44.3.3 ANYCAST RP v6 Configuration Examples
Figure 44-3-1 The ANYCAST RP v6 function of a router (figure labels: Multicast Server, DR, RP1, RP2, receivers; addresses shown: VLAN1:2000::100, VLAN2:2001::1, VLAN2:2001::2, VLAN1:2003::1, VLAN2:2004::2, VLAN1:2005::2)
The following are the configuration steps:
RP1 Configuration:
XGS3-42000R#config
XGS3-42000R(config)#interface loopback 1
XGS3-42000R(config-if-Loopback1)#ipv6 address 2006::1/128
XGS3-42000R(config-if-Loopback1)#exit
XGS3-42000R(config)#ipv6 pim rp-candidate loopback1
XGS3-42000R(config)#ipv6 pim bsr-candidate vlan 1
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#ipv6 pim anycast-rp
XGS3-42000R(config)#ipv6 pim anycast-rp self-rp-address 2003::1
XGS3-42000R(config)#ipv6 pim anycast-rp 2006::1 2004::2
RP2 Configuration:
XGS3-42000R#config
XGS3-42000R(config)#interface loopback 1
XGS3-42000R(config-if-Loopback1)#ipv6 address 2006::1/128
XGS3-42000R(config-if-Loopback1)#exit
XGS3-42000R(config)#ipv6 pim rp-candidate loopback1
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#ipv6 pim anycast-rp
XGS3-42000R(config)#ipv6 pim anycast-rp self-rp-address 2004::2
XGS3-42000R(config)#ipv6 pim anycast-rp 2006::1 2003::1
Please pay attention: to advertise the route to the loopback interface, use the network command if the MBGP4+ protocol is in use, or the route command if the RIPng protocol is in use.
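As an added illustration (not code from the manual or the switch firmware), the following Python model replays the register-message exchange between RP1 and RP2 exactly as the self-rp-address and other-rp-address commands above describe it. The anycast address 2006::1 and the self-rp-addresses 2003::1 and 2004::2 come from the configuration; the DR address 2001::1 is taken from Figure 44-3-1; the multicast source 2000::100 and group ff1e::1 are constructed sample values.

```python
"""Register-message flow between Anycast RPs, replaying the RP1/RP2 example.
Added example (not switch firmware): anycast RP address 2006::1 and the
self-rp-addresses 2003::1 / 2004::2 come from the configuration above; the DR
address 2001::1 is taken from Figure 44-3-1; source 2000::100 and group
ff1e::1 are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Register:
    src: str      # IPv6 source of the unicast Register message
    dst: str      # IPv6 destination of the unicast Register message
    source: str   # multicast source S
    group: str    # multicast group G


@dataclass
class RegisterStop:
    src: str
    dst: str
    source: str
    group: str


@dataclass
class AnycastRp:
    name: str
    anycast_rp_addr: str      # ipv6 pim anycast-rp <anycast-rp-addr> ...
    self_rp_address: str      # ipv6 pim anycast-rp self-rp-address ...
    other_rp_addresses: list  # <other-rp-addr> entries for anycast_rp_addr
    sg_state: set = field(default_factory=set)

    def receive(self, msg: Register) -> list:
        """Process one unicast Register; return the messages this RP sends."""
        out = []
        key = (msg.source, msg.group)
        if msg.dst == self.self_rp_address:
            # Respect 2: the Register was forwarded by another RP. Create
            # (S,G) state and answer with a Register-Stop addressed to the
            # Register's source, i.e. that RP's self-rp-address. It is not
            # forwarded again, so Registers cannot loop between RPs.
            self.sg_state.add(key)
            out.append(RegisterStop(self.self_rp_address, msg.src,
                                    msg.source, msg.group))
        elif msg.dst == self.anycast_rp_addr:
            # Respect 1: the Register came from a DR. Create state and forward
            # one copy to each other-rp-address, with the source rewritten to
            # self-rp-address. The source must be this RP's unique address:
            # if it stayed the anycast address, the peer's Register-Stop would
            # be routed to the nearest RP, not necessarily back to this one.
            self.sg_state.add(key)
            for other in self.other_rp_addresses:
                out.append(Register(self.self_rp_address, other,
                                    msg.source, msg.group))
        # Any other destination is not for this RP and is ignored.
        return out


def validate(rps: list) -> list:
    """Configuration checks implied by the text: every self-rp-address must
    be unique and must differ from the shared anycast address."""
    problems = []
    seen = set()
    for rp in rps:
        if rp.self_rp_address == rp.anycast_rp_addr:
            problems.append(f"{rp.name}: self-rp-address equals anycast address")
        if rp.self_rp_address in seen:
            problems.append(f"{rp.name}: duplicate self-rp-address")
        seen.add(rp.self_rp_address)
    return problems


def run_example():
    rp1 = AnycastRp("RP1", "2006::1", "2003::1", ["2004::2"])
    rp2 = AnycastRp("RP2", "2006::1", "2004::2", ["2003::1"])
    by_addr = {rp.self_rp_address: rp for rp in (rp1, rp2)}
    # The DR unicasts its Register to the anycast RP address; unicast routing
    # delivers it to the nearest RP, assumed here to be RP1.
    dr_register = Register("2001::1", "2006::1", "2000::100", "ff1e::1")
    forwarded = rp1.receive(dr_register)
    replies = []
    for msg in forwarded:
        replies.extend(by_addr[msg.dst].receive(msg))
    return rp1, rp2, forwarded, replies


if __name__ == "__main__":
    rp1, rp2, forwarded, replies = run_example()
    for m in forwarded + replies:
        print(type(m).__name__, m.src, "->", m.dst, (m.source, m.group))
    print("config problems:", validate([rp1, rp2]))
```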
44.3.4 ANYCAST RP v6 Troubleshooting
When configuring and using the ANYCAST RP v6 function, ANYCAST RP might work abnormally because of faults in physical connections, configurations or other causes. So, users should pay attention to the following points:
- The physical connections should be guaranteed to be correct.
- The PIM-SM6 protocol should be guaranteed to operate normally.
- ANYCAST RP should be guaranteed to be enabled in Global Configuration Mode.
- The self-rp-address should be guaranteed to be configured correctly in Global Configuration Mode.
- The other-rp-address should be guaranteed to be configured correctly in Global Configuration Mode.
- The routes to all the interfaces should be guaranteed to be correctly added, including the loopback interface used as the RP.
- Use the "show ipv6 pim anycast rp status" command to check whether the configuration information of ANYCAST RP is correct.
If the ANYCAST RP problems still cannot be solved after these checks, please use debug commands like "debug ipv6 pim anycast-rp", then copy the DEBUG information within three minutes and send it to the technical service center of our company.
44.4 PIM-SSM6
44.4.1 Introduction to PIM-SSM6
Source Specific Multicast (PIM-SSM6) is a new kind of multicast service protocol. With PIM-SSM6, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM6, hosts can be added to a multicast group manually and efficiently as in traditional PIM-SM6, but the shared tree and RP management of PIM-SM6 are left out. In SSM6, the SPT tree is constructed with (S,G): G is the multicast group address and S is the address of the multicast source which sends datagrams to G. An (S,G) pair is called a channel of SSM6. SSM6 serves best for multicast services that go from one station to many, for example a network sports video channel or a news channel. By default, the multicast group address range of SSM6 is limited to ff3x::/32. However, this address range can be extended according to the actual situation.
PIM-SSM6 can be supported in the PIM-DM6 environment.
44.4.2 PIM-SSM6 Configuration Task List
Command
Explanation
Global configuration mode
ipv6 pim ssm {default|range <access-list-number>}
no ipv6 pim ssm
Configure the address range for PIM-SSM multicast groups. The no prefix disables this command.
44.4.3 PIM-SSM6 Configuration Example
As shown in the figure below, the Ethernet interfaces of switchA, switchB, switchC and switchD are separated into different VLANs, and PIM-SM6 or PIM-DM6 is enabled on all the VLAN interfaces. Take the configuration of PIM-SM6 as an example.
Figure 44-4-1 PIM-SSM typical environment
The configurations of switchA, switchB, switchC and switchD are listed below:
(1) Configuration of switchA:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#ipv6 address 2000:12:1:1::1/64
XGS3-42000R(config-If-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#ipv6 address 2000:13:1:1::1/64
XGS3-42000R(config-If-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan2)#exit
XGS3-42000R(config)#ipv6 access-list 500 permit ff1e::1/64
XGS3-42000R(config)#ipv6 pim ssm range 500
(2) Configuration of switchB:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#ipv6 address 2000:12:1:1::2/64
XGS3-42000R(config-If-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#ipv6 address 2000:24:1:1::2/64
XGS3-42000R(config-If-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan2)#exit
XGS3-42000R(config)#ipv6 pim rp-candidate vlan2
XGS3-42000R(config)#ipv6 access-list 500 permit ff1e::1/64
XGS3-42000R(config)#ipv6 pim ssm range 500
(3) Configuration of switchC:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#ipv6 address 2000:34:1:1::3/64
XGS3-42000R(config-If-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#ipv6 address 2000:13:1:1::3/64
XGS3-42000R(config-If-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-If-Vlan3)#ipv6 address 2000:30:1:1::1/64
XGS3-42000R(config-If-Vlan3)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan3)#exit
XGS3-42000R(config)#ipv6 pim bsr-candidate vlan2 30 10
XGS3-42000R(config)#ipv6 access-list 500 permit ff1e::1/64
XGS3-42000R(config)#ipv6 pim ssm range 500
(4) Configuration of switchD:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#ipv6 address 2000:34:1:1::4/64
XGS3-42000R(config-If-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#ipv6 address 2000:24:1:1::4/64
XGS3-42000R(config-If-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan2)#exit
XGS3-42000R(config)#interface vlan 3
XGS3-42000R(config-If-Vlan3)#ipv6 address 2000:40:1:1::1/64
XGS3-42000R(config-If-Vlan3)#ipv6 pim sparse-mode
XGS3-42000R(config-If-Vlan3)#exit
XGS3-42000R(config)#ipv6 access-list 500 permit ff1e::1/64
XGS3-42000R(config)#ipv6 pim ssm range 500
44.4.4 PIM-SSM6 Troubleshooting
When configuring the PIM-SSM6 protocol, it may fail to work because of a failure of the physical connection or a misconfiguration. To debug these errors, attention should be paid to the following list:
- Make sure the physical links are connected correctly.
- Make sure the state of the data link layer has become UP (use the show interface command).
- Make sure PIM6 is enabled in global configuration mode (refer to the command ipv6 pim multicast-routing).
- Make sure PIM-SM6 is configured on the interface (refer to the command ipv6 pim sparse-mode).
- Make sure SSM6 is configured in global configuration mode.
- The multicast protocol uses the unicast routing table for the RPF check. Hence, unicast routing should be verified first.
If the problems cannot be fixed with the above checklist, please enable the commands debug ipv6 pim event and debug ipv6 pim packet, save the debug information for 3 minutes, and send it to the Technology Service Center.
44.5 IPv6 DCSCM
44.5.1 Introduction to IPv6 DCSCM
The IPv6 DCSCM (Destination Control and Source Control Multicast) technology includes three aspects: multicast source control, multicast user control and service-priority-oriented policy multicast.
IPv6 DCSCM controllable multicast proceeds in the following way:
1. If source-controlled multicast is configured on the edge switches, only the multicast data of the specified group from the specified source can pass.
2. The RP switches, which are the core of PIM-SM, directly send REGISTER_STOP in response to REGISTER messages that are not from the specified source and specified group, and no entry is allowed to be created. (This task is implemented in the PIM-SM module.)
Multicast user control in IPv6 DCSCM is implemented by controlling the MLD messages sent by users, so the control modules are MLD snooping and the MLD module. The control logic includes three methods: controlling according to the VLAN+MAC that sends the message, controlling according to the IP address that sends the message, and controlling according to the input port of the message. MLD snooping can adopt all three methods at the same time, while the MLD module, at Layer 3, can only control by the IP address that sends the message.
The service-priority-oriented policy multicast of IPv6 DCSCM adopts the following method: for the confined multicast data, the user-specified priority is set at the access point, so that the data can be sent at a higher priority through the TRUNK, guaranteeing that the data is sent through the whole network at the user-specified priority.
44.5.2 IPv6 DCSCM Configuration Task Sequence
1. The source control configuration
2. The destination control configuration
3. The multicast policy configuration
1. The source control configuration
The source control configuration has three steps. The first is globally enabling source control; the following is the command for globally enabling source control:
Command
Explanation
Global Configuration Mode
ipv6 multicast source-control (necessary)
no ipv6 multicast source-control
Globally enable source control; the no operation of this command globally disables source control. Note that once source control is globally enabled, all multicast messages are dropped by default. All source control configuration can only be done after it is globally enabled, and source control can only be globally disabled once all the configured rules have been disabled.
The next step is configuring the source control rules, which uses the same method as configuring an ACL, with ACL numbers from 8000 to 8099; each rule number can hold 10 rules. Note that these rules are ordered: the earliest configured rule is at the front. Once a rule is matched, the following ones do not take effect, so the general catch-all rules should be configured last. The following is the command:
Command
Explanation
Global Configuration Mode
[no] ipv6 access-list <8000-8099> {deny|permit} {{<source/M>}|{host-source <source-host-ip>}|any-source} {{<destination/M>}|{host-destination <destination-host-ip>}|any-destination}
Used to configure the source control rules; the rules only take effect when applied to the specified port. The no operation of this command deletes the specified rule.
The last step is to apply the rules to the specified port.
Pay attention: since the configured rules take up hardware entries, configuring too many rules might fail if the underlying entries are full, so it is recommended that users keep the rules as simple as possible. The following is the configuration command:
Command
Explanation
Port Configuration Mode
[no] ipv6 multicast source-control access-group <8000-8099>
Used to apply a source control rule to a port; the no operation cancels this configuration.
2. The configuration of destination control
The configuration of destination control is similar to that of source control, and also has three steps.
First, globally enable destination control. Since destination control needs to prevent unauthorized users from receiving multicast data, once it is enabled globally the switch stops broadcasting received multicast data; so if a switch has destination control enabled, users should not connect two or more other Layer 3 switches within the same VLAN where it is located. The following is the configuration command:
Command
Explanation
Global Configuration Mode
multicast destination-control (necessary)
Globally enable IPv4 and IPv6 destination control; the no operation of this command globally disables destination control. All other configuration can only take effect after it is globally enabled.
The next step is configuring destination control rules, which are similar to those of source control but use ACL numbers from 9000 to 10099 instead.
Command
Explanation
Global Configuration Mode
[no] ipv6 access-list <9000-10099> {deny|permit} {{<source/M>}|{host-source <source-host-ip>}|any-source} {{<destination/M>}|{host-destination <destination-host-ip>}|any-destination}
Used to configure destination control rules; these rules only take effect when applied to a specified source IP, VLAN-MAC or port. The no operation of this command deletes the specified rule.
The last step is to apply the rules to the specified source IP, source VLAN-MAC or the specified port. Note that only when MLD Snooping is enabled can these rules be used in all three ways; otherwise only the rules bound to a source IP can be used, in the MLD protocol. The following are the configuration commands:
Command
Explanation
Port Mode
[no] ipv6 multicast destination-control access-group <9000-10099>
Used to apply the destination control rule to a port; the no operation of this command cancels the configuration.
Global Configuration Mode
[no] ipv6 multicast destination-control <1-4094> <macaddr> access-group <9000-10099>
Used to apply the destination control rules to the specified VLAN-MAC; the no operation of this command cancels the configuration.
[no] ipv6 multicast destination-control <IPADDRESS/M> access-group <9000-10099>
Used to apply the destination control rules to the specified source IPv6 address/MASK; the no operation of this command cancels the configuration.
3. The configuration of multicast policy
The multicast policy adopts the method of specifying a priority for the specified multicast data to meet the user's particular demand. Note that only when multicast data is transmitted over a TRUNK can it be given this special treatment. The configuration is quite simple, for only one command is needed, which sets the priority for the specified multicast. The following is the command:
Command
Explanation
Global Configuration Mode
[no] ipv6 multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>
Configure a multicast policy: set the priority for sources and groups in a specified range; the valid priority range is 0 to 7.
44-22
44.5.3 IPv6 DCSCM Typical Examples
1. Source control
In order to prevent an edge switch from sending multicast data at will, we configure on the edge switch that only the switch whose port is Ethernet1/5 can send multicast data, and the group of the data should be ff1e::1. The uplink port Ethernet1/25 can forward multicast data without restriction, so we can configure as follows:
XGS3-42000R(config)#ipv6 access-list 8000 permit any-source ff1e::1
XGS3-42000R(config)#ipv6 access-list 8001 permit any any
XGS3-42000R(config)#ipv6 multicast source-control
XGS3-42000R(config)#interface Ethernet1/5
XGS3-42000R(config-If-Ethernet1/5)#ipv6 multicast source-control access-group 8000
XGS3-42000R(config-If-Ethernet1/5)#exit
XGS3-42000R(config)#interface Ethernet1/25
XGS3-42000R(config-If-Ethernet1/25)#ipv6 multicast source-control access-group 8001
2. Destination control
We want to restrict the users of the segment fe80::203:fff:fe01:228a/64 so that they cannot join the ff1e::1/64 group, so we can configure as follows:
First, enable MLD Snooping in the VLAN where the segment is located (in this example, VLAN 2).
XGS3-42000R(config)#ipv6 mld snooping
XGS3-42000R(config)#ipv6 mld snooping vlan 2
Then configure the corresponding destination control access list and configure the specified IPv6 address range to use this access list.
XGS3-42000R(config)#ipv6 access-list 9000 deny any ff1e::1/64
XGS3-42000R(config)#ipv6 access-list 9000 permit any any
XGS3-42000R(config)#multicast destination-control
XGS3-42000R(config)#ipv6 multicast destination-control fe80::203:fff:fe01:228a/64 access-group 9000
Thus, the users of this segment can only join groups other than ff1e::1/64.
3. Multicast policy
Server 2008::1 is sending important multicast data in group ff1e::1; we can configure on its access switch as follows:
XGS3-42000R(config)#ipv6 multicast policy 2008::1/128 ff1e::1/128 cos 4
Thus this multicast flow has a priority of 4 when it passes the TRUNK port of this switch to another XGS3-42000R (generally speaking, it is a relatively high priority; data with a higher priority might be protocol data, and if a higher priority is set and there is too much multicast data, the switch protocols might operate abnormally).
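As an added illustration (not the switch's implementation), the following Python model evaluates source-control and destination-control rules with the first-match semantics described in 44.5.2, replaying the ACL 8000/8001 and ACL 9000 examples above. The port names, the segment fe80::203:fff:fe01:228a/64 and the source 2008::1 are the page's values; every other host address is constructed, and treating hosts outside any bound segment as unrestricted is an assumption.

```python
"""First-match evaluation of the IPv6 DCSCM source-control and
destination-control rules. Added example (not the switch implementation);
it replays the typical examples: ACL 8000/8001 bound to Ethernet1/5 and
Ethernet1/25, and ACL 9000 bound to the fe80::203:fff:fe01:228a/64 segment.
Port names and the source 2008::1 are the page's values; other addresses
are constructed."""
from ipaddress import IPv6Address, IPv6Network

ANY = IPv6Network("::/0")


def to_net(spec: str) -> IPv6Network:
    """'any', 'any-source' and 'any-destination' match everything; a bare
    address (the host-source/host-destination forms) is a /128."""
    if spec in ("any", "any-source", "any-destination"):
        return ANY
    return IPv6Network(spec, strict=False)


class Acl:
    """A numbered rule list (8000-8099 for source control, 9000-10099 for
    destination control). Rules stay in configuration order and the first
    match wins, so a broad 'permit any any' must be configured last."""
    MAX_RULES = 10   # the text allows 10 rules per ACL number

    def __init__(self, number: int):
        self.number = number
        self.rules = []

    def add(self, action: str, source: str, destination: str):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if len(self.rules) >= self.MAX_RULES:
            raise ValueError(f"ACL {self.number}: at most {self.MAX_RULES} rules")
        self.rules.append((action, to_net(source), to_net(destination)))

    def match(self, src: str, group: str):
        s, g = IPv6Address(src), IPv6Address(group)
        for action, s_net, g_net in self.rules:
            if s in s_net and g in g_net:
                return action
        return None   # nothing matched


class SourceControl:
    """'ipv6 multicast source-control' plus per-port 'access-group'."""
    def __init__(self):
        self.enabled = False
        self.port_acl = {}

    def allow_data(self, port: str, src: str, group: str) -> bool:
        """Is multicast data (src -> group) arriving on `port` forwarded?"""
        if not self.enabled:
            return True
        acl = self.port_acl.get(port)
        if acl is None:
            return False   # globally enabled: drop by default on unbound ports
        return acl.match(src, group) == "permit"


class DestinationControl:
    """'multicast destination-control' with rules bound to a source prefix."""
    def __init__(self):
        self.enabled = False
        self.segments = []   # (IPv6Network, Acl)

    def allow_join(self, host: str, group: str) -> bool:
        """May an MLD report from `host` for `group` be honoured?"""
        if not self.enabled:
            return True
        h = IPv6Address(host)
        for net, acl in self.segments:
            if h in net:
                return acl.match(host, group) == "permit"
        return True   # assumption: hosts outside any bound segment are unrestricted


def build_examples():
    acl8000, acl8001 = Acl(8000), Acl(8001)
    acl8000.add("permit", "any-source", "ff1e::1")
    acl8001.add("permit", "any", "any")
    sc = SourceControl()
    sc.enabled = True
    sc.port_acl = {"Ethernet1/5": acl8000, "Ethernet1/25": acl8001}

    acl9000 = Acl(9000)
    acl9000.add("deny", "any", "ff1e::1/64")
    acl9000.add("permit", "any", "any")
    dc = DestinationControl()
    dc.enabled = True
    dc.segments = [(IPv6Network("fe80::203:fff:fe01:228a/64", strict=False), acl9000)]
    return sc, dc


if __name__ == "__main__":
    sc, dc = build_examples()
    print(sc.allow_data("Ethernet1/5", "2008::1", "ff1e::1"))   # True
    print(sc.allow_data("Ethernet1/5", "2008::1", "ff1e::2"))   # False
    print(dc.allow_join("fe80::203:fff:fe01:1", "ff1e::1"))     # False
```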
44-23
44.5.4 IPv6 DCSCM Troubleshooting
The IPv6 DCSCM module acts like an ACL, so most problems are caused by improper configuration. Please read the instructions above carefully.
44.6 MLD
44.6.1 Introduction to MLD
MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast. It is similar to the IGMP protocol in IPv4 multicast applications. Correspondingly, MLD version 1 is similar to IGMP version 2, and MLD version 2 is similar to IGMP version 3. The current firmware supports MLDv1/MLDv2.
IPv6 multicast hosts can join or leave a multicast group at any location and at any time, regardless of the total number of group members. It is unnecessary and impossible for a multicast switch to store the relationships among all host members. The multicast switch simply finds out via the MLD protocol whether there are receivers of a certain multicast group on the network segment connected to each port. The only thing a host needs to do is to keep a record of which multicast groups it has joined.
MLD is asymmetric between host and switch: the host responds to the MLD query message of the multicast switch with a membership report message; the switch periodically sends membership query messages and determines from the responses received whether a host in its subnetwork has joined a specific group, and after it receives the report of a host quitting a group, it sends out a query for that group to confirm whether any member is left in it.
There are three types of MLD protocol messages: Query, Report and Done (which corresponds to Leave in IGMPv2). As in IGMPv2, Query messages include the General Query and the Specific Group Query. The General Query uses the all-hosts multicast address FF02::1 as its destination address with a group address of 0; the Specific Group Query uses its group address as the destination address. MLD messages use 130, 131 and 132 as the (ICMPv6) type values denoting the three kinds of messages mentioned above. The other logic is basically the same as IGMPv2.
MLD version 2 uses FF02::16 as the destination address of the membership report, with type value 143. The other logic of MLD version 2 is similar to IGMP version 3.
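As an added illustration (not code from the manual or the switch firmware), the following Python decoder parses the MLD message types just listed (130, 131, 132 and the MLDv2 report 143) and checks the destination-address rules the text gives; the sample messages are constructed inline with a zero checksum, and the record-type names for MLDv2 come from RFC 3810.

```python
"""Decoder for the MLD messages described above: MLDv1 Query (130), Report
(131) and Done (132), and the MLDv2 Report (143). Added example, not the
switch firmware; the sample messages are constructed inline with a zero
checksum, since the ICMPv6 checksum needs the IPv6 pseudo-header, which is
not modelled here."""
import struct
from ipaddress import IPv6Address

MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
UNSPECIFIED = IPv6Address("::")
ALL_NODES = IPv6Address("ff02::1")           # destination of a General Query
ALL_ROUTERS = IPv6Address("ff02::2")         # destination of an MLDv1 Done
ALL_MLDV2_ROUTERS = IPv6Address("ff02::16")  # destination of an MLDv2 Report

# MLDv2 multicast address record types (RFC 3810)
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}


def parse_mld(payload: bytes, dst: str) -> dict:
    """Decode one ICMPv6 body. `dst` is the packet's IPv6 destination, so the
    address rules from the text can be checked (valid_dst)."""
    if len(payload) < 8:
        raise ValueError("too short for an ICMPv6 header")
    mtype, _code, _checksum = struct.unpack("!BBH", payload[:4])
    dst_addr = IPv6Address(dst)
    if mtype in (MLD_QUERY, MLD_REPORT, MLD_DONE):
        if len(payload) < 24:
            raise ValueError("an MLDv1 message needs 24 bytes")
        max_delay, _reserved = struct.unpack("!HH", payload[4:8])
        group = IPv6Address(payload[8:24])
        msg = {"type": mtype, "group": group, "max_resp_delay_ms": max_delay}
        if mtype == MLD_QUERY:
            if group == UNSPECIFIED:
                # General Query: group field 0, sent to all nodes ff02::1
                msg["kind"] = "general-query"
                msg["valid_dst"] = dst_addr == ALL_NODES
            else:
                # Specific Group Query: sent to the group address itself
                msg["kind"] = "group-specific-query"
                msg["valid_dst"] = dst_addr == group
        elif mtype == MLD_REPORT:
            msg["kind"] = "report"
            msg["valid_dst"] = dst_addr == group
        else:
            msg["kind"] = "done"
            msg["valid_dst"] = dst_addr == ALL_ROUTERS
        return msg
    if mtype == MLDV2_REPORT:
        (nrecords,) = struct.unpack("!H", payload[6:8])
        records, off = [], 8
        for _ in range(nrecords):
            rtype, aux_len, nsrc = struct.unpack("!BBH", payload[off:off + 4])
            group = IPv6Address(payload[off + 4:off + 20])
            off += 20
            sources = [IPv6Address(payload[off + 16 * i:off + 16 * (i + 1)])
                       for i in range(nsrc)]
            off += 16 * nsrc + 4 * aux_len   # aux data length is in 32-bit words
            records.append({"record_type": RECORD_TYPES.get(rtype, rtype),
                            "group": group, "sources": sources})
        return {"type": mtype, "kind": "v2-report", "records": records,
                "valid_dst": dst_addr == ALL_MLDV2_ROUTERS}
    raise ValueError(f"ICMPv6 type {mtype} is not an MLD message")


def build_mldv1(mtype: int, group: str, max_delay_ms: int = 0) -> bytes:
    """Constructed MLDv1 message: type, code 0, checksum 0, delay, reserved, group."""
    return struct.pack("!BBHHH", mtype, 0, 0, max_delay_ms, 0) + IPv6Address(group).packed


def build_mldv2_report(records) -> bytes:
    """Constructed MLDv2 Report from (record_type, group, [sources]) tuples."""
    body = struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(records))
    for rtype, group, sources in records:
        body += struct.pack("!BBH", rtype, 0, len(sources)) + IPv6Address(group).packed
        for src in sources:
            body += IPv6Address(src).packed
    return body


if __name__ == "__main__":
    print(parse_mld(build_mldv1(MLD_QUERY, "::", 10000), "ff02::1"))
    print(parse_mld(build_mldv2_report([(4, "ff3e::1", ["2008::1"])]), "ff02::16"))
```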
44.6.2 MLD Configuration Task List
1. Start MLD (Required)
2. Configure MLD auxiliary parameters (Required)
(1) Configure MLD group parameters
1) Configure MLD group filter conditions
(2) Configure MLD query parameters
1) Configure the interval of MLD query messages
2) Configure the maximum response time of MLD query
3) Configure the timeout of MLD query
3. Shut down MLD Protocol
1. Start MLD Protocol
There is no special command for starting MLD Protocol on EDGECORE series Layer 3 switches. MLD Protocol will automatically start up as long as any IPv6 multicast protocol is started on the corresponding interface.
Command
Explanation
Global Mode
ipv6 pim multicast-routing
Start the global IPv6 multicast protocol, the precondition of starting MLD Protocol. The NO operation of the corresponding command shuts down the IPv6 multicast protocol and MLD Protocol. (Required)
Command
Explanation
Port Configuration Mode
ipv6 pim dense-mode | ipv6 pim sparse-mode
Start MLD Protocol. The NO operation of the corresponding command shuts down MLD Protocol. (Required)
2. Configure MLD auxiliary parameters
(1) Configure MLD group parameters
1) Configure MLD group filter conditions
Command
Explanation
Port Configuration Mode
ipv6 mld access-group <acl_name>
no ipv6 mld access-group
Configure the filter conditions of the interface for MLD groups; the NO operation of this command cancels the filter conditions.
(2) Configure MLD Query parameters
1) Configure the interval for MLD to send query messages
2) Configure the maximum response time of MLD query
3) Configure the timeout of MLD query
Command
Explanation
Port Configuration Mode
ipv6 mld query-interval <time_val>
no ipv6 mld query-interval
Configure the interval of the periodically sent MLD query messages; the NO operation of this command restores the default value.
ipv6 mld query-max-response-time <time_val>
no ipv6 mld query-max-response-time
Configure the maximum response time of the interface for MLD query; the NO operation of this command restores the default value.
ipv6 mld query-timeout <time_val>
no ipv6 mld query-timeout
Configure the timeout of the interface for MLD query; the NO operation of this command restores the default value.
3. Shut down MLD Protocol
Command
Explanation
Port Configuration Mode
no ipv6 pim dense-mode | no ipv6 pim sparse-mode | no ipv6 pim multicast-routing (Global Mode)
Shut down MLD Protocol.
44.6.3 MLD Typical Application
As shown in the following figure, add the Ethernet interfaces of SwitchA and SwitchB to the corresponding VLANs, and start PIM6 on each VLAN interface.
Figure 44-6-1 Network Topology Diagram (figure labels: SwitchA, SwitchB, Vlan 1, Vlan 1, Vlan 2)
The configuration procedure for SwitchA and SwitchB is as below:
(1) Configure SwitchA:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#ipv6 pim rp-address 3FFE::1
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(Config-if-Vlan1)#ipv6 address 3FFE::1/64
XGS3-42000R(Config-if-Vlan1)#ipv6 pim sparse-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#ipv6 pim rp-address 3FFE::1
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(Config-if-Vlan1)#ipv6 address 3FFE::2/64
XGS3-42000R(Config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(Config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(Config-if-Vlan2)#ipv6 address 3FFA::1/64
XGS3-42000R(Config-if-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(Config-if-Vlan2)#ipv6 mld query-timeout 150
44.6.4 MLD Troubleshooting Help
When configuring and using the MLD protocol, MLD may fail to work normally due to physical connections, incorrect configuration and so on. So, users should note the following points:
- Make sure the physical connection is correct.
- Make sure the protocol of the interface and the link are UP (use the show interface command).
- Make sure one kind of multicast protocol is started on the interface.
- Make sure the timer values of each router on the same network segment are consistent; usually we recommend the default settings.
- Unicast routes are used to carry out the RPF check for the multicast protocol, so the correctness of unicast routing must be guaranteed above all.
If all attempts fail to solve the problems on MLD, please use debug commands such as debug ipv6 MLD event/packet, copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
44.7 MLD Snooping
44.7.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery Protocol, is used to realize multicasting in IPv6. MLD is used by network equipment such as routers which support multicast for multicast listener discovery, and is also used by listeners wishing to join a certain multicast group to inform the router that they want to receive data packets sent to a certain multicast address; all of this is done through MLD message exchange. First the router sends an MLD Multicast Listener Query message to a multicast address which addresses all the listeners (namely ff02::1). Once there is a listener who wishes to join the multicast address, it sends an MLD Multicast Listener Report back through the multicast address.
MLD Snooping means listening to MLD. Through MLD Snooping the switch restricts multicast traffic from flooding, and forwards the multicast traffic only to ports associated with multicast devices. The switch listens to the MLD messages between multicast routers and listeners, and maintains the multicast group forwarding list based on the listening result. The switch forwards multicast packets according to the multicast forwarding list.
The switch realizes the MLD Snooping function while supporting MLDv2. This way, the user can acquire IPv6 multicast with the switch.
44.7.2 MLD Snooping Configuration Task
1. Enable the MLD Snooping function
2. Configure the MLD Snooping
1. Enable the MLD Snooping function
Command
Explanation
Global Mode
ipv6 mld snooping
no ipv6 mld snooping
Enable global MLD Snooping; the "no ipv6 mld snooping" command disables global MLD Snooping.
2. Configure MLD Snooping
Command
Explanation
Global Mode
ipv6 mld snooping vlan <vlan-id>
no ipv6 mld snooping vlan <vlan-id>
Enable MLD Snooping on the specific VLAN. The "no" form of this command disables MLD Snooping on the specific VLAN.
ipv6 mld snooping vlan <vlan-id> limit {group <g_limit> | source <s_limit>}
no ipv6 mld snooping vlan <vlan-id> limit
Configure the number of groups which MLD Snooping can join, and the maximum number of sources in each group. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> l2-general-querier
no ipv6 mld snooping vlan <vlan-id> l2-general-querier
Set the VLAN level 2 general querier, which is recommended on each segment. The "no" form of this command cancels the level 2 general querier configuration.
ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface-name>
no ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface-name>
Configure the static mrouter port in the specific VLAN. The "no" form of this command cancels the mrouter port configuration.
ipv6 mld snooping vlan <vlan-id> mrpt <value>
no ipv6 mld snooping vlan <vlan-id> mrpt
Configure the keep-alive time of the mrouter port. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> query-interval <value>
no ipv6 mld snooping vlan <vlan-id> query-interval
Configure the query interval. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> immediate-leave
no ipv6 mld snooping vlan <vlan-id> immediate-leave
Configure the immediate-leave multicast group function for MLD Snooping on the specific VLAN. The "no" form of this command cancels the immediate leave configuration.
ipv6 mld snooping vlan <v lan-id> query-mrsp <value>
no ipv6 mld snooping vlan <vlan-id> query-mrsp
Configure the query maximum response period. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> query-robustness <value>
no ipv6 mld snooping vlan <vlan-id> query-robustness
Configure the query robustness. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> suppression-query-time <value>
no ipv6 mld snooping vlan <vlan-id> suppression-query-time
Configure the suppression query time. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>
no ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>
Configure a static group on the specified port of the VLAN. The "no" form of the command cancels this configuration.
44.7.3 MLD Snooping Examples
Scenario 1: MLD Snooping Function
Figure 44-7-1 Open the switch MLD Snooping Function figure (figure labels: Multicast Router, Mrouter Port, MLD Snooping Switch, Group1, Group1, Group1, Group2)
As shown above, VLAN 100 configured on the switch consists of ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, while the multicast router is on port 1. Suppose we need MLD Snooping on VLAN 100; however, by default both global MLD Snooping and MLD Snooping on each VLAN are disabled, therefore we first have to enable global MLD Snooping and at the same time enable MLD Snooping on VLAN 100; furthermore we need to set port 1 of VLAN 100 as an mrouter port.
The configuration procedure is as follows:
XGS3-42000R#config
XGS3-42000R(config)#ipv6 mld snooping
XGS3-42000R(config)#ipv6 mld snooping vlan 100
XGS3-42000R(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration:
Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied by Multicast Server 1 while program 3 is supplied by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively. Concurrently a multicast application is running on the four hosts. The two hosts connected to ports 2 and 6 are playing program 1, the host connected to port 10 is playing program 2, and the one on port 12 is playing program 3.
MLD Snooping interception results:
The multicast table on VLAN 100 shows: ports 1, 2 and 6 are in (Multicast Server 1, Group1), ports 1 and 10 are in (Multicast Server 1, Group2), and ports 1 and 12 are in (Multicast Server 2, Group3).
All four hosts successfully receive the programs they are interested in. Ports 2 and 6 receive no traffic from programs 2 and 3; port 10 receives no traffic from programs 1 and 3; and port 12 receives no traffic from programs 1 and 2.
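As an added illustration (not the switch firmware), the following Python model builds the VLAN 100 forwarding table of Scenario 1 and applies the immediate-leave and "limit group" options from the table in 44.7.2, which is why it serves both passages; "Server1" and "Group1" are the scenario's labels used as constructed identifiers, and sending unknown groups only toward the mrouter ports (no flooding) is an assumption.

```python
"""Model of the MLD Snooping forwarding table from Scenario 1 (VLAN 100,
ports 1, 2, 6, 10 and 12, mrouter port 1), plus the immediate-leave and
'limit group' behaviour from the configuration table. Added example, not the
switch firmware; "Server1", "Group1" etc. are the scenario's labels used as
constructed addresses."""
from dataclasses import dataclass, field


@dataclass
class VlanSnooping:
    vlan_id: int
    ports: set
    mrouter_ports: set = field(default_factory=set)  # static mrouter ports
    immediate_leave: bool = False                     # 'immediate-leave'
    group_limit: int = 0                              # 'limit group <g_limit>', 0 = none
    # (source, group) -> ports on which a listener reported interest
    table: dict = field(default_factory=dict)

    def report(self, port: int, group: str, source: str) -> bool:
        """An MLD report for (source, group) was snooped on `port`."""
        if port not in self.ports:
            raise ValueError(f"port {port} is not in VLAN {self.vlan_id}")
        key = (source, group)
        if key not in self.table and self.group_limit and len(self.table) >= self.group_limit:
            return False   # over the configured group limit: not learned
        self.table.setdefault(key, set()).add(port)
        return True

    def done(self, port: int, group: str, source: str, report_received: bool = False):
        """An MLD Done was snooped on `port`. With immediate-leave the port is
        pruned at once; otherwise the switch queries the group and prunes the
        port only if no report comes back (`report_received` models that)."""
        key = (source, group)
        if key not in self.table:
            return
        if self.immediate_leave or not report_received:
            self.table[key].discard(port)
            if not self.table[key]:
                del self.table[key]

    def members(self, group: str, source: str) -> set:
        """Entry as the scenario prints it: listener ports plus mrouter ports."""
        if (source, group) not in self.table:
            return set()
        return self.table[(source, group)] | self.mrouter_ports

    def egress(self, in_port: int, group: str, source: str) -> set:
        """Ports a multicast frame (source -> group) arriving on `in_port` is
        sent to. A registered group goes to its members only; an unknown one
        is sent toward the mrouter ports only (assumption: no flooding)."""
        if (source, group) in self.table:
            out = self.members(group, source)
        else:
            out = set(self.mrouter_ports)
        return out - {in_port}


def scenario_1() -> VlanSnooping:
    vlan = VlanSnooping(100, {1, 2, 6, 10, 12}, mrouter_ports={1})
    vlan.report(2, "Group1", "Server1")     # hosts on ports 2 and 6 play program 1
    vlan.report(6, "Group1", "Server1")
    vlan.report(10, "Group2", "Server1")    # program 2
    vlan.report(12, "Group3", "Server2")    # program 3
    return vlan


if __name__ == "__main__":
    v = scenario_1()
    for (source, group), _ports in sorted(v.table.items()):
        print((source, group), sorted(v.members(group, source)))
    print("program 1 from the router reaches", sorted(v.egress(1, "Group1", "Server1")))
```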
Scenario 2: MLD L2-general-querier
Figure 44-7-2 Switch as MLD Querier Function figure (figure labels: SwitchA, SwitchB)
The configuration of SwitchB is the same as the switch in Scenario 1, and here SwitchA replaces the Multicast Router of Scenario 1. Assume VLAN 60 configured on it contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to SwitchB. To send Queries periodically, global MLD Snooping has to be enabled while executing ipv6 mld snooping vlan 60 l2-general-querier, setting VLAN 60 as a Level 2 General Querier.
The configuration procedure is as follows:
SwitchA#config
SwitchA(config)#ipv6 mld snooping
SwitchA(config)#ipv6 mld snooping vlan 60
SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration:
Same as Scenario 1.
MLD Snooping interception results:
Same as Scenario 1.
Scenario 3: Running in cooperation with layer 3 multicast protocols
The SWITCH used in Scenario 1 is replaced with a ROUTER; the other configurations remain the same, and the multicast and MLD Snooping configurations are the same as in Scenario 1. Configure PIM-SM6 on the ROUTER and enable PIM-SM6 on VLAN 100 (use the same PIM mode as the connected multicast router). The configuration is as follows:
XGS3-42000R#config
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#interface vlan 100
XGS3-42000R(config-if-vlan100)#ipv6 pim sparse-mode
MLD Snooping does not distribute layer 2 multicast entries while a layer 3 multicast protocol is enabled. It only performs the following tasks:
- Removes the layer 2 multicast entries.
- Provides query functions to layer 3, with VLAN, S and G as the parameters.
- When layer 3 MLD is disabled, resumes distributing layer 2 multicast entries.
By looking up the layer 3 IP6MC entries, it can be seen that the ports are indicated by the layer 3 multicast entries. This is how MLD Snooping cooperates with the layer 3 multicast protocols.
44.7.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, it may fail to run properly because of a physical connection failure, a wrong configuration, etc. The user should ensure the following:
- The physical connection is correct.
- MLD Snooping is enabled in global mode (using ipv6 mld snooping).
- MLD Snooping is configured on the VLAN in global mode (using ipv6 mld snooping vlan <vlan-id>).
- There is a VLAN configured as an L2 general querier, or a static mrouter port is configured in the segment. Without a querier no General Queries are sent, hosts are not prompted to re-report, and the learned group entries age out.
- Use the show commands to check that the MLD Snooping information is correct.
Chapter 45 Multicast VLAN
45.1 Introduction to Multicast VLAN
With the conventional multicast-on-demand method, when users in different VLANs order the same multicast stream, a copy of the multicast traffic is replicated into each VLAN, which wastes bandwidth. By configuring a multicast VLAN, adding the switch ports to it and enabling IGMP Snooping/MLD Snooping, users in different VLANs share the same multicast VLAN. The multicast traffic exists only within the multicast VLAN, so bandwidth is saved. Because the multicast VLAN is completely separated from the user VLANs, the security and bandwidth requirements are met at the same time; once the multicast VLAN is configured, the multicast traffic is delivered to the users continuously.
45.2 Multicast VLAN Configuration Task List
1. Enable the multicast VLAN function
2. Configure IGMP Snooping
3. Configure MLD Snooping
1. Enable the multicast VLAN function
Command
Explanation
VLAN configuration mode
multicast-vlan
no multicast-vlan
  Configures the VLAN as a multicast VLAN and enables the multicast VLAN function on it. The "no multicast-vlan" command disables the multicast VLAN function on the VLAN.
multicast-vlan association <vlan-list>
no multicast-vlan association <vlan-list>
  Associates the multicast VLAN with several user VLANs. The "no" form of this command removes the association between the listed VLANs and the multicast VLAN.
2. Configure IGMP Snooping
Command
Explanation
Global Mode
ip igmp snooping vlan <vlan-id>
no ip igmp snooping vlan <vlan-id>
  Enables the IGMP Snooping function on the multicast VLAN. The "no" form of this command disables IGMP Snooping on the multicast VLAN.
ip igmp snooping
no ip igmp snooping
  Enables the IGMP Snooping function globally. The "no" form of this command disables the IGMP Snooping function.
3. Configure MLD Snooping
Command
Explanation
Global Mode
ipv6 mld snooping vlan <vlan-id>
no ipv6 mld snooping vlan <vlan-id>
  Enables MLD Snooping on the multicast VLAN. The "no" form of this command disables MLD Snooping on the multicast VLAN.
ipv6 mld snooping
no ipv6 mld snooping
  Enables the MLD Snooping function globally. The "no" form of this command disables the MLD Snooping function.
45.3 Multicast VLAN Examples
Figure 45-3-1 Function configuration of the Multicast VLAN
As shown in the figure, the multicast server is connected to the layer 3 switch SwitchA through port 1/1, which belongs to VLAN 10 of that switch. SwitchA is connected to the layer 2 switch SwitchB through port 1/10, which is configured as a trunk port. On SwitchB, VLAN 100 is configured to contain port 1/15 and VLAN 101 to contain port 1/20; PC1 and PC2 are connected to ports 1/15 and 1/20 respectively. SwitchB is connected to SwitchA through its own port 1/10, which is also configured as a trunk port. VLAN 20 is the multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 receive the multicast data from the multicast VLAN although they sit in VLAN 100 and VLAN 101.
The following configuration assumes that the IP addresses of the switches have already been configured and that all the equipment is connected correctly.
Configuration procedure
SwitchA#config
SwitchA(config)#vlan 10
SwitchA(config-vlan10)#switchport access ethernet 1/1
SwitchA(config-vlan10)#exit
SwitchA(config)#interface vlan 10
SwitchA(config-if-Vlan10)#ip pim dense-mode
SwitchA(config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-Vlan20)#ip pim dense-mode
SwitchA(config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast-routing
SwitchA(config)#interface ethernet 1/10
SwitchA(config-if-Ethernet1/10)#switchport mode trunk
SwitchB#config
SwitchB(config)#vlan 100
SwitchB(config-vlan100)#switchport access ethernet 1/15
SwitchB(config-vlan100)#exit
SwitchB(config)#vlan 101
SwitchB(config-vlan101)#switchport access ethernet 1/20
SwitchB(config-vlan101)#exit
SwitchB(config)#interface ethernet 1/10
SwitchB(config-if-Ethernet1/10)#switchport mode trunk
SwitchB(config-if-Ethernet1/10)#exit
SwitchB(config)#vlan 20
SwitchB(config-vlan20)#multicast-vlan
SwitchB(config-vlan20)#multicast-vlan association 100,101
SwitchB(config-vlan20)#exit
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20
When the multicast VLAN carries IPv6 multicast, the usage is the same as for IPv4 except that MLD Snooping is used in place of IGMP Snooping, so no separate example is given.
Chapter 46 ACL Configuration
46.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic by permitting or denying packets through the switch, which effectively safeguards the security of the network. The user lays down a set of rules based on information carried in the packets; each rule describes the action, "permit" or "deny", for a packet that matches certain information. The user applies these rules to the incoming direction of switch ports, so that the data streams entering the specified ports must comply with the assigned ACL rules.
46.1.1 Access-list
An access-list is a sequential collection of conditions, each corresponding to a specific rule. Each rule consists of filter information and the action to take when the rule is matched. The information in a rule is an effective combination of conditions such as source IP, destination IP, IP protocol number, TCP port and UDP port. Access-lists can be categorized by the following criteria:
- Filter information: IP access-list (layer 3 or higher information), MAC access-list (layer 2 information), and MAC-IP access-list (layer 2 together with layer 3 or higher information).
- Configuration complexity: standard and extended; the extended mode allows more specific filtering.
- Nomenclature: numbered and named.
A description of an ACL should cover all three aspects.
46.1.2 Access-group
Once access-lists are created, they can be applied to incoming traffic on any port. An access-group is the binding of an access-list to the incoming direction of a specific port. When an access-group is created, every packet arriving on that port is compared against the access-list rules to decide whether it is permitted or denied.
The current firmware only supports ingress ACL configuration.
46.1.3 Access-list Action and Global Default Action
Both the access-list actions and the global default action are either "permit" or "deny". The following rules apply:
- An access-list can consist of several rules. A packet is compared against the rules in order, from the first rule to the first rule that matches; the remaining rules are not processed. Rule order therefore matters: a broad "permit" placed before a more specific "deny" makes the deny unreachable.
- The global default action applies only to IP packets in the incoming direction on the ports.
- The global default action applies only when packet filtering is enabled on a port and either no ACL is bound to that port or no rule of the bound ACL matches.
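As an added example, not code from the manual or the switch firmware, the following Python models the three rules above: rules are parsed from the numbered IP access-list syntax used later in this chapter, kept in configuration order, and matched first-match-wins; a packet that matches no rule of the bound ACL, or that enters a port with no ACL bound, falls through to the global default action, and nothing is filtered at all while packet filtering is disabled. Assumptions: <sMask>/<dMask> are wildcard masks in which 0 bits must match; the port names, addresses and sample rules are constructed; precedence, tos, TCP flags and time-range clauses are not modelled and are rejected by the parser rather than silently ignored.

```python
"""First-match ACL with a global default action (added example, not firmware code).
Assumes <sMask>/<dMask> are wildcard masks (0 bits must match); precedence, tos,
TCP flags and time-range clauses are not modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTO_NUM = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "igrp": 9, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    sport: int = 0
    dport: int = 0


def _addr_match(spec, addr):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    base, wildcard = spec
    return (int(IPv4Address(addr)) | wildcard) == (base | wildcard)


def _parse_addr(tokens, any_kw, host_kw):
    """Consume one {<ip> <wildcard> | any-* | host-* <ip>} clause -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == any_kw:
        return (0, 0xFFFFFFFF)
    if t == host_kw:
        return (int(IPv4Address(tokens.pop(0))), 0)
    return (int(IPv4Address(t)), int(IPv4Address(tokens.pop(0))))


def _parse_port(tokens, kw):
    """Consume an optional 's-port'/'d-port' clause -> (lo, hi) or None."""
    if not tokens or tokens[0] != kw:
        return None
    tokens.pop(0)
    if tokens[0] != "range":
        p = int(tokens.pop(0))
        return (p, p)
    tokens.pop(0)
    return (int(tokens.pop(0)), int(tokens.pop(0)))


@dataclass
class Rule:
    action: str
    src: tuple
    dst: Optional[tuple] = None    # None: standard rule (source only)
    proto: Optional[int] = None    # None: any IP protocol ("ip")
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None

    def matches(self, pkt):
        return (_addr_match(self.src, pkt.src)
                and (self.dst is None or _addr_match(self.dst, pkt.dst))
                and (self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport[0] <= pkt.sport <= self.sport[1])
                and (self.dport is None or self.dport[0] <= pkt.dport <= self.dport[1]))


def parse_rule(line):
    """Parse one 'access-list <num> {deny | permit} ...' line into (num, Rule)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("deny", "permit"):
        raise ValueError(f"not a recognised access-list command: {line!r}")
    num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    head = rest[0]
    if head == "ip" or head.isdigit() or head in PROTO_NUM:   # extended form
        rest.pop(0)
        proto = None if head == "ip" else (int(head) if head.isdigit() else PROTO_NUM[head])
        src = _parse_addr(rest, "any-source", "host-source")
        sport = _parse_port(rest, "s-port")
        dst = _parse_addr(rest, "any-destination", "host-destination")
        rule = Rule(action, src, dst, proto, sport, _parse_port(rest, "d-port"))
    else:                                                      # standard form
        rule = Rule(action, _parse_addr(rest, "any-source", "host-source"))
    if rest:  # leftover clauses are refused rather than silently ignored
        raise ValueError(f"unsupported trailing tokens {rest!r} in {line!r}")
    return num, rule


class IngressFilter:
    """Per-port ingress filter: bound ACL, first match wins, else the global default action."""

    def __init__(self, default_action="permit", packet_filter_enabled=True):
        self.acls, self.bindings = {}, {}          # num -> [Rule]; port -> num
        self.default_action, self.packet_filter_enabled = default_action, packet_filter_enabled

    def configure(self, line):
        num, rule = parse_rule(line)
        self.acls.setdefault(num, []).append(rule)   # rules keep configuration order

    def decide(self, port, pkt):
        if not self.packet_filter_enabled:
            return "permit", "packet filtering disabled"
        num = self.bindings.get(port)
        for i, rule in enumerate(self.acls.get(num, [])):
            if rule.matches(pkt):
                return rule.action, f"access-list {num} rule {i + 1}"
        return self.default_action, "global default action"


def demo():
    # Constructed policy: no telnet from anywhere; office net to the web server and DNS; ping allowed.
    f = IngressFilter(default_action="deny")
    f.configure("access-list 110 deny tcp any-source any-destination d-port 23")
    f.configure("access-list 110 permit tcp 10.0.0.0 0.0.0.255 host-destination 10.1.1.10 d-port range 80 443")
    f.configure("access-list 110 permit udp 10.0.0.0 0.0.0.255 any-destination d-port 53")
    f.configure("access-list 110 permit icmp any-source any-destination")
    f.bindings["ethernet1/5"] = 110
    return f
```

With demo(), a telnet packet from the office network to the web server is denied by rule 1 even though rule 2 would permit it, while a packet to port 8080 matches nothing and is denied by the global default; a port with no ACL bound also falls to the default, so a "permit" default silently opens every unbound port.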
46.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1. Configuring access-lists
(1) Configuring a numbered standard IP access-list
(2) Configuring a numbered extended IP access-list
(3) Configuring a standard IP access-list based on nomenclature
a) Create a standard IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL configuration mode
(4) Configuring an extended IP access-list based on nomenclature
a) Create an extended IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL configuration mode
(5) Configuring a numbered standard MAC access-list
(6) Configuring a numbered extended MAC access-list
(7) Configuring an extended MAC access-list based on nomenclature
a) Create an extended MAC access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL configuration mode
(8) Configuring a numbered extended MAC-IP access-list
(9) Configuring an extended MAC-IP access-list based on nomenclature
a) Create an extended MAC-IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit MAC-IP configuration mode
(10) Configuring a numbered standard IPv6 access-list
(11) Configuring a numbered extended IPv6 access-list
(12) Configuring a standard IPv6 access-list based on nomenclature
a) Create a standard IPv6 access-list based on nomenclature
b) Specify multiple permit or deny rule entries
c) Exit ACL configuration mode
(13) Configuring an extended IPv6 access-list based on nomenclature
a) Create an extended IPv6 access-list based on nomenclature
b) Specify multiple permit or deny rule entries
c) Exit ACL configuration mode
2. Configuring the packet filtering function
(1) Enable the global packet filtering function
(2) Configure the default action
3. Configuring the time range function
(1) Create the name of the time range
(2) Configure a periodic time range
(3) Configure an absolute time range
4. Bind an access-list to the incoming direction of the specified port
5. Clear the filtering information of the specified port
1. Configuring access-lists
(1) Configuring a numbered standard IP access-list
Command
Explanation
Global Mode
access-list <num> {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
no access-list <num>
  Creates a numbered standard IP access-list; if the access-list already exists, the rule is added to the current access-list. The "no access-list <num>" command deletes the numbered standard IP access-list.
(2) Configuring a numbered extended IP access-list
Command
Explanation
Global Mode
access-list <num> {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered ICMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} igmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered IGMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered TCP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered UDP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered extended IP access rule for another specific IP protocol, or for all IP protocols ("ip"); if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
no access-list <num>
  Deletes the numbered extended IP access-list.
(3) Configuring a standard IP access-list based on nomenclature
a. Create a name-based standard IP access-list
Command
Explanation
Global Mode
ip access-list standard <name>
no ip access-list standard <name>
  Creates a name-based standard IP access-list; the "no ip access-list standard <name>" command deletes the name-based standard IP access-list.
b. Specify multiple "permit" or "deny" rules
Command
Explanation
Standard IP ACL Mode
[no] {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
  Creates a name-based standard IP access rule; the "no" form of the command deletes the name-based standard IP access rule.
c. Exit name-based standard IP ACL configuration mode
Command
Explanation
Standard IP ACL Mode
exit
  Exits name-based standard IP ACL configuration mode.
(4) Configuring a name-based extended IP access-list
a. Create an extended IP access-list based on nomenclature
Command
Explanation
Global Mode
ip access-list extended <name>
no ip access-list extended <name>
  Creates a name-based extended IP access-list; the "no ip access-list extended <name>" command deletes the name-based extended IP access-list.
b. Specify multiple "permit" or "deny" rules
Command
Explanation
Extended IP ACL Mode
[no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a name-based extended ICMP IP access rule; the "no" form of the command deletes this name-based extended IP access rule.
[no] {deny | permit} igmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a name-based extended IGMP IP access rule; the "no" form of the command deletes this name-based extended IP access rule.
[no] {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a name-based extended TCP IP access rule; the "no" form of the command deletes this name-based extended IP access rule.
[no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a name-based extended UDP IP access rule; the "no" form of the command deletes this name-based extended IP access rule.
[no] {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  Creates a name-based extended IP access rule for other IP protocols; the "no" form of the command deletes this name-based extended IP access rule.
c. Exit extended IP ACL configuration mode
Command
Explanation
Extended IP ACL Mode
exit
  Exits name-based extended IP ACL configuration mode.
(5) Configuring a numbered standard MAC access-list
Command
Explanation
Global Mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}}
no access-list <num>
  Creates a numbered standard MAC access-list; if the access-list already exists, the rule is added to the current access-list. The "no access-list <num>" command deletes the numbered standard MAC access-list.
(6) Configuring a numbered extended MAC access-list
Command
Explanation
Global Mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [<offset1> <length1> <value1> [<offset2> <length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>]]]]]
no access-list <num>
  Creates a numbered extended MAC access-list; if the access-list already exists, the rule is added to the current access-list. The "no access-list <num>" command deletes the numbered extended MAC access-list.
(7) Configuring an extended MAC access-list based on nomenclature
a. Create an extended MAC access-list based on nomenclature
Command
Explanation
Global Mode
mac-access-list extended <name>
no mac-access-list extended <name>
  Creates a name-based extended MAC access-list; the "no" form of the command deletes this name-based extended MAC access-list.
b. Specify multiple "permit" or "deny" rule entries
Command
Explanation
Extended name-based MAC access rule Mode
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>] [vlanId <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]]
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [ethertype <protocol> [<protocol-mask>]]
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [vlanId <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]
  Creates an extended name-based MAC access rule matching a MAC frame on its addresses and, optionally, its CoS, VLAN ID and ethertype; the "no" form of the command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [untagged-eth2 [ethertype <protocol> [<protocol-mask>]]]
  Creates an extended name-based MAC access rule matching an untagged Ethernet II frame; the "no" form of the command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [untagged-802-3]
  Creates a MAC access rule matching an untagged 802.3 frame; the "no" form of the command deletes this MAC access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]]
  Creates a MAC access rule matching a tagged Ethernet II frame; the "no" form of the command deletes this MAC access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]]]
  Creates a MAC access rule matching a tagged 802.3 frame; the "no" form of the command deletes this MAC access rule.
c. Exit ACL configuration mode
Command
Explanation
Extended name-based MAC access configuration mode
exit
  Quits the name-based extended MAC access configuration mode.
(8) Configuring a numbered extended MAC-IP access-list
Command
Explanation
Global Mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered MAC-ICMP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered MAC-IGMP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered MAC-TCP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered MAC-UDP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates a numbered extended MAC-IP access rule for another specific IP protocol, or for all IP protocols ("ip"); if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
no access-list <num>
  Deletes this numbered extended MAC-IP access-list.
(9) Configuring an extended MAC-IP access-list based on nomenclature
a. Create an extended MAC-IP access-list based on nomenclature
Command
Explanation
Global Mode
mac-ip-access-list extended <name>
no mac-ip-access-list extended <name>
  Creates a name-based extended MAC-IP access-list; the "no" form of the command deletes this name-based extended MAC-IP access-list.
b. Specify multiple "permit" or "deny" rule entries
Command
Explanation
Extended name-based MAC-IP access Mode
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates an extended name-based MAC-ICMP access rule; the "no" form of the command deletes this name-based extended MAC-ICMP access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates an extended name-based MAC-IGMP access rule; the "no" form of the command deletes this name-based extended MAC-IGMP access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates an extended name-based MAC-TCP access rule; the "no" form of the command deletes this name-based extended MAC-TCP access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates an extended name-based MAC-UDP access rule; the "no" form of the command deletes this name-based extended MAC-UDP access rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
  Creates an extended name-based MAC-IP access rule for the other IP protocols; the "no" form of the command deletes this name-based extended access rule.
c. Exit MAC-IP configuration mode
Command
Explanation
Extended name-based MAC-IP access Mode
exit
  Quits the extended name-based MAC-IP access mode.
(10) Configuring a numbered standard IPv6 access-list
Command
Explanation
Global Mode
ipv6 access-list <num> {deny | permit} {{<sIPv6Addr> <sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}
no ipv6 access-list <num>
  Creates a numbered standard IPv6 access-list; if the access-list already exists, the rule is added to the current access-list. The "no ipv6 access-list <num>" command deletes the numbered standard IPv6 access-list.
(11) Configuring a numbered extended IPv6 access-list
Command
Explanation
Global Mode
ipv6 access-list <num-ext> {deny | permit} icmp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
  Creates a numbered extended IPv6 access-list with an ICMP rule; if the access-list already exists, the rule is added to the current access-list.
ipv6 access-list <num-ext> {deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [syn | ack | urg | rst | fin | psh] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
  Creates a numbered extended IPv6 access-list with a TCP rule; if the access-list already exists, the rule is added to the current access-list.
ipv6 access-list <num-ext> {deny | permit} udp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
  Creates a numbered extended IPv6 access-list with a UDP rule; if the access-list already exists, the rule is added to the current access-list.
ipv6 access-list <num-ext> {deny | permit} <next-header> {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
  Creates a numbered extended IPv6 access-list with a rule for the given next header; if the access-list already exists, the rule is added to the current access-list.
no ipv6 access-list <num>
  Deletes the numbered extended IPv6 access-list.
(12) Configuring a standard IPv6 access-list based on nomenclature
a. Create a standard IPv6 access-list based on nomenclature
Command
Explanation
Global Mode
ipv6 access-list standard <name>
no ipv6 access-list standard <name>
  Creates a name-based standard IPv6 access-list; the "no" form of the command deletes the name-based standard IPv6 access-list.
b. Specify multiple permit or deny rules
Command
Explanation
Standard IPv6 ACL Mode
[no] {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}}
  Creates a name-based standard IPv6 access rule; the "no" form of the command deletes the name-based standard IPv6 access rule.
c. Exit name-based standard IPv6 ACL configuration mode
Command
Explanation
Standard IPv6 ACL Mode
exit
  Exits name-based standard IPv6 ACL configuration mode.
(13) Configuring a name-based extended IPv6 access-list
a. Create an extended IPv6 access-list based on nomenclature
Command
Explanation
Global Mode
ipv6 access-list extended <name>
no ipv6 access-list extended <name>
  Creates a name-based extended IPv6 access-list; the "no" form of the command deletes the name-based extended IPv6 access-list.
b. Specify multiple permit or deny rules
Command (Extended IPv6 ACL Mode):
  [no] {deny | permit} icmp {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Explanation:
  Creates an extended name-based ICMP IPv6 access rule; the no form command deletes this name-based extended IPv6 access rule.
Command (Extended IPv6 ACL Mode):
  [no] {deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port { <sPort> | range <sPortMin> <sPortMax> }] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port { <dPort> | range <sPortMin> <sPortMax> }] [syn | ack | urg | rst | fin | psh] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Explanation:
  Creates an extended name-based TCP IPv6 access rule; the no form command deletes this name-based extended IPv6 access rule.
Command (Extended IPv6 ACL Mode):
  [no] {deny | permit} udp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port { <sPort> | range <sPortMin> <sPortMax> }] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [d-port { <dPort> | range <sPortMin> <sPortMax> }] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Explanation:
  Creates an extended name-based UDP IPv6 access rule; the no form command deletes this name-based extended IPv6 access rule.
Command (Extended IPv6 ACL Mode):
  [no] {deny | permit} <proto> {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Explanation:
  Creates an extended name-based IPv6 access rule for other IPv6 protocols; the no form command deletes this name-based extended IPv6 access rule.
Command (Extended IPv6 ACL Mode):
  [no] {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Explanation:
  Creates an extended name-based IPv6 access rule; the no form command deletes this name-based extended IPv6 access rule.
c. Exit extended IPv6 ACL configuration mode
Command (Extended IPv6 ACL Mode):
  exit
Explanation:
  Exits name-based extended IPv6 ACL configuration mode.
2. Configuring packet filtering function
(1) Enable global packet filtering function
Command (Global Mode):
  firewall enable
Explanation:
  Enables the global packet filtering function.
Command (Global Mode):
  firewall disable
Explanation:
  Disables the global packet filtering function.
(2) Configure default action
Command (Global Mode):
  firewall default {permit | deny} [ipv4 | ipv6 | all]
Explanation:
  Sets the default action of the firewall.
3. Configuring time range function
(1) Create the name of the time range
Command (Global Mode):
  time-range <time_range_name>
Explanation:
  Create a time range named time_range_name.
Command (Global Mode):
  no time-range <time_range_name>
Explanation:
  Stop the time range function named time_range_name.
(2) Configure periodic time range
Command (Time range Mode):
  absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
  periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
Explanation:
  Configure the time range for the requested days of the week; the time range repeats every week.
Command (Time range Mode):
  [no] absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
  [no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
Explanation:
  Stop the function of the time range in the week.
(3) Configure absolute time range
Command (Global Mode):
  absolute start <start_time> <start_data> [end <end_time> <end_data>]
Explanation:
  Configure absolute time range.
Command (Global Mode):
  [no] absolute start <start_time> <start_data> [end <end_time> <end_data>]
Explanation:
  Stop the function of the time range.
4. Bind access-list to a specific direction of the specified port.
Command (Physical Port Mode, VLAN Port Mode):
  {ip|ipv6|mac|mac-ip} access-group <acl-name> {in} [traffic-statistic]
  no {ip|ipv6|mac|mac-ip} access-group <acl-name> {in}
Explanation:
  Physical interface mode: applies an access-list to the specified direction on the port; the no command deletes the access-list bound to the port.
  VLAN interface mode: applies an access-list to the specified direction on the ports of the VLAN; the no command deletes the access-list bound to the ports of the VLAN.
5. Clear the filtering information of the specified port
Command (Admin Mode):
  clear access-group statistic interface { <interface-name> | ethernet <interface-name> }
Explanation:
  Clear the filtering information of the specified port.
46.3 ACL Example
Scenario 1:
The user has the following configuration requirement: port 1/10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not desired for the user.
Configuration description:
1. Create a proper ACL
2. Configure packet filtering function
3. Bind the ACL to the port
The configuration steps are listed below:
XGS3-42000R(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
XGS3-42000R(config)#firewall enable
XGS3-42000R(config)#firewall default permit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#ip access-group 110 in
XGS3-42000R(config-If-Ethernet1/10)#exit
XGS3-42000R(config)#exit
Configuration result:
XGS3-42000R#show firewall
Firewall status: enable.
Firewall default rule: permit.
XGS3-42000R#show access-lists
access-list 110(used 1 time(s))
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
XGS3-42000R#show access-group interface ethernet 1/10
interface name:Ethernet1/10
the ingress acl use in firewall is 110, traffic-statistics Disable.
Scenario 2:
The configuration requirement is stated as below: The switch should drop all the 802.3 datagrams with 00-12-11-23-xx-xx as the source MAC address coming from interface 10.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
XGS3-42000R(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
XGS3-42000R(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any tagged-802
XGS3-42000R(config)#firewall enable
XGS3-42000R(config)#firewall default permit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#mac access-group 1100 in
XGS3-42000R(config-If-Ethernet1/10)#exit
XGS3-42000R(config)#exit
Configuration result:
XGS3-42000R#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
Switch#show access-lists
access-list 1100(used 1 time(s))
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC Ingress access-list used is 1100,traffic-statistics Disable.
Scenario 3:
The configuration requirement is stated as below: The MAC address range of the network connected to interface 10 of the switch is 00-12-11-23-xx-xx, and the IP network is 10.0.0.0/24. FTP should be disabled, and ping requests from the outside network should be disabled.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
XGS3-42000R(config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
XGS3-42000R(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
XGS3-42000R(config)#firewall enable
XGS3-42000R(config)#firewall default permit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#mac-ip access-group 3110 in
XGS3-42000R(config-If-Ethernet1/10)#exit
XGS3-42000R(config)#exit
Configuration result:
XGS3-42000R#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
XGS3-42000R#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
Scenario 4:
The configuration requirement is stated as below: The IPv6 protocol runs on interface 600 of the switch, and the IPv6 network address is 2003:1:1:1::0/64. Users in the 2003:1:1:1:66::0/80 subnet should be disabled from accessing the outside network.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
XGS3-42000R(config)#ipv6 enable
XGS3-42000R(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination
XGS3-42000R(config)#ipv6 access-list 600 deny 2003:1:1:1::0/64 any-destination
XGS3-42000R(config)#firewall enable
XGS3-42000R(config)#firewall default permit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#ipv6 access-group 600 in
XGS3-42000R(config-If-Ethernet1/10)#exit
XGS3-42000R(config)#exit
Configuration result:
XGS3-42000R#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
XGS3-42000R#show ipv6 access-lists
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Scenario 5:
The configuration requirement is stated as below: Interfaces 1, 2, 5 and 7 belong to vlan100. Hosts with 192.168.0.1 as their IP address should be disabled from accessing the listed interfaces.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
XGS3-42000R(config)#firewall enable
XGS3-42000R(config)#vlan 100
XGS3-42000R(Config-Vlan100)#switchport interface ethernet 1/1;2;5;7
XGS3-42000R(Config-Vlan100)#exit
XGS3-42000R(config)#access-list 1 deny host-source 192.168.0.1
XGS3-42000R(config)#interface vlan 100
XGS3-42000R(Config-if-Vlan100)#ip access-group 1 in
XGS3-42000R(Config-if-Vlan100)#exit
Configuration result:
XGS3-42000R(config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/1:
IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/2:
IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/5:
IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/7:
IP Ingress access-list used is 1, traffic-statistics Disable.
46.4 ACL Troubleshooting
• Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.
• The default rule is used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched.
• Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via the physical interface mode or VLAN interface mode).
• When four ACLs are bound and a packet matches several ACLs at the same time, the priority relations are as follows in a top-down order. If the priority is the same, the ACL configured first has the higher priority.
  • Ingress IPv6 ACL
  • Ingress MAC-IP ACL
  • Ingress IP ACL
  • Ingress MAC ACL
• The number of ACLs that can be successfully bound depends on the content of the ACLs bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to hardware resource limitation.
• If an access-list contains the same filtering information but conflicting action rules, binding to the port will fail with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” at the same time is not permitted.
• Viruses such as “worm.blaster” can be blocked by configuring an ACL to block specific ICMP packets or specific TCP or UDP port packets.
• If the physical mode of an interface is TRUNK, an ACL can only be configured through physical interface mode.
• An ACL configured in the physical mode can only be disabled in the physical mode. Those configured in the VLAN interface configuration mode can only be disabled in the VLAN interface mode.
• When a physical interface is added into or removed from a VLAN (with the trunk interfaces as exceptions), the ACL configured in the corresponding VLAN will be bound or unbound respectively. If the ACL configured in the target VLAN (configured in VLAN interface mode) conflicts with the existing ACL configuration on the interface (configured in physical interface mode), the configuration will fail to take effect.
• When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be removed, and it cannot be recovered if new interfaces are added to the VLAN.
• When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode which is bound to the physical interface will be removed. When the interface mode is changed from trunk mode to access mode, the ACL configured in VLAN1 interface mode will be bound to the physical interface. If binding fails, the mode change will fail as well.
• When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL will be removed from all the physical interfaces belonging to the VLAN, and the VLAN 1 ACL will be bound instead (if an ACL is configured in VLAN1). If the VLAN 1 ACL binding fails, the VLAN removal operation will fail.
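The evaluation rules above, modelled in Python as an added example (not vendor code and not the switch's firmware logic): first-match top-down search, the firewall default action, the per-port priority IPv6 > MAC-IP > IP > MAC, and the conflicting-entry check that makes a binding fail. The packet dictionary fields, class names and sample addresses are assumptions made for this example; the rules reuse the wildcard and prefix forms from scenarios 1, 2 and 4.

```python
"""Model of the ACL evaluation rules listed in 46.4 (added example, not vendor
code): entries are checked top-down and the first match ends the search; the
firewall default action applies only when no bound ACL entry matches; one ACL
of each kind (IPv6, MAC-IP, IP, MAC) can be bound per ingress port, and when
several match, the priority order IPv6 > MAC-IP > IP > MAC decides.  Packet
dicts, helper names and addresses are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

PRIORITY = ("ipv6", "mac-ip", "ip", "mac")        # highest priority first


def ip_matches(addr: Optional[str], spec) -> bool:
    """spec: "any", a prefix string, or (net, wildcard) for the IPv4
    'net wildcard-mask' form used in scenario 1 (10.0.0.0 0.0.0.255)."""
    if spec == "any":
        return True
    if addr is None:
        return False
    a = ipaddress.ip_address(addr)
    if isinstance(spec, tuple):
        net, wild = (ipaddress.ip_address(x) for x in spec)
        if a.version != net.version:
            return False
        keep = ~int(wild) & ((1 << a.max_prefixlen) - 1)   # wildcard 1 = don't care
        return (int(a) & keep) == (int(net) & keep)
    return a in ipaddress.ip_network(spec, strict=False)


def mac_matches(mac: Optional[str], spec) -> bool:
    """spec: "any" or (base, wildcard), e.g. scenario 2's
    ("00-12-11-23-00-00", "00-00-00-00-ff-ff")."""
    if spec == "any":
        return True
    if mac is None:
        return False
    base, wild = (int(m.replace("-", ""), 16) for m in spec)
    keep = ~wild & 0xFFFFFFFFFFFF
    return (int(mac.replace("-", ""), 16) & keep) == (base & keep)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    src: object = "any"
    dst: object = "any"
    d_port: Optional[int] = None
    src_mac: object = "any"
    dst_mac: object = "any"

    def key(self) -> tuple:
        """The filtering information without the action (conflict check)."""
        return (self.proto, self.src, self.dst, self.d_port, self.src_mac, self.dst_mac)

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt.get("proto"))
                and (self.d_port is None or pkt.get("d_port") == self.d_port)
                and ip_matches(pkt.get("src"), self.src)
                and ip_matches(pkt.get("dst"), self.dst)
                and mac_matches(pkt.get("src_mac"), self.src_mac)
                and mac_matches(pkt.get("dst_mac"), self.dst_mac))


@dataclass
class Acl:
    kind: str                        # "ip", "ipv6", "mac" or "mac-ip"
    rules: list = field(default_factory=list)

    def first_match(self, pkt: dict) -> Optional[str]:
        """Top-down search that stops at the first matching entry."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return None


def bindable(acl: Acl) -> bool:
    """False when two entries share filtering information but differ in
    action, the case 46.4 says makes the binding fail with an error."""
    seen = {}
    for rule in acl.rules:
        if seen.setdefault(rule.key(), rule.action) != rule.action:
            return False
    return True


class IngressPort:
    def __init__(self, default: str = "permit"):
        self.default = default       # firewall default {permit | deny}
        self.bound = {}              # at most one ACL of each kind

    def bind(self, acl: Acl) -> None:
        if not bindable(acl):
            raise ValueError(f"{acl.kind} access-list has conflicting entries")
        self.bound[acl.kind] = acl

    def decide(self, pkt: dict) -> str:
        for kind in PRIORITY:        # a higher-priority ACL's match wins
            acl = self.bound.get(kind)
            action = acl.first_match(pkt) if acl else None
            if action is not None:
                return action
        return self.default          # nothing bound or no entry matched
```

Note that with scenario 4's list the order of the two entries decides the outcome for 2003:1:1:1:66::/80 sources, because the search stops at the first match.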
Chapter 47 802.1x Configuration
47.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution for authenticating users when they access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can access a LAN controlling device (such as a LAN switch), they will be able to reach all the devices or resources in the LAN. There was no looming danger in the LAN environment of those early enterprise networks.
However, along with the boom of applications like mobile office and service operating networks, service providers need to control and configure access by users. The prevailing use of WLAN and LAN access in telecommunication networks, in particular, makes it necessary to control ports in order to implement user-level access control. As a result, the IEEE LAN/WAN committee defined a standard, 802.1x, for Port-Based Network Access Control. This standard has been widely used in wireless LANs and Ethernet.
“Port-Based Network Access Control” means authenticating and controlling user devices at the level of the ports of LAN access devices. Only when the user devices connected to the ports pass the authentication can they access the resources in the LAN; otherwise, the resources in the LAN won’t be available.
47.1.1 The Authentication Structure of 802.1x
The system using 802.1x has a typical Client/Server structure, which contains three entities (as illustrated in the next figure): the supplicant system, the authenticator system, and the authentication server system.
Figure 47-1-1 The Authentication Structure of 802.1x
• The supplicant system is an entity on one end of the LAN segment that should be authenticated by the access controlling unit on the other end of the link. A supplicant system usually is a user terminal device. Users start 802.1x authentication by starting supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
• The authenticator system is another entity on one end of the LAN segment that authenticates the supplicant systems connected to it. An authenticator system usually is a network device supporting the 802.1x protocol, providing ports through which supplicant systems access the LAN. The ports provided can be either physical or logical.
• The authentication server system is an entity that provides authentication service for authenticator systems. The authentication server system is used to authenticate and authorize users, as well as to do fee-counting, and usually is a RADIUS (Remote Authentication Dial-In User Service) server, which can store the relevant user information, including username, password and other parameters such as the VLAN and ports to which the user belongs.
The three entities above involve the following basic concepts: the PAE of the port, the controlled ports and the controlled direction.
1. PAE
PAE (Port Access Entity) is the entity that implements the operation of the algorithms and protocols.
• The PAE of the supplicant system is supposed to respond to the authentication request from the authenticator system and submit the user’s authentication information to the authenticator system. It can also send authentication requests and off-line requests to the authenticator.
• The PAE of the authenticator system authenticates the supplicant systems needing to access the LAN via the authentication server system, and sets the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access the network resources; the unauthenticated state means only EAPOL messages are allowed to be received and sent while the user is forbidden to access network resources.
2. Controlled/uncontrolled ports
The authenticator system provides ports through which supplicant systems access the LAN. These ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports.
• The uncontrolled port is always in bi-directionally connected status, and is mainly used to transmit EAPOL protocol frames, to guarantee that the supplicant systems can always send or receive authentication messages.
• The controlled port is in connected status only when authenticated, to transmit service messages. When unauthenticated, no message from supplicant systems is allowed to be received.
• The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.
3. Controlled direction
In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.
• When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.
• When the port is unidirectionally controlled, no frames can be received from the supplicant systems while sending frames to the supplicant systems is allowed.
Notes: At present, this kind of switch only supports unidirectional control.
47.1.2 The Work Mechanism of 802.1x
The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to implement the exchange of authentication information between the supplicant system, the authenticator system and the authentication server system.
Figure 47-1-2 the Work Mechanism of 802.1x
• EAP messages adopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the LAN environment.
• Between the PAE of the authenticator system and the RADIUS server, there are two methods to exchange information: one method is that EAP messages adopt the EAPOR (EAP over RADIUS) encapsulation format in the RADIUS protocol; the other is that EAP messages terminate at the PAE of the authenticator system, which then uses messages containing PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) attributes to do the authentication interaction with the RADIUS server.
• When the user passes the authentication, the authentication server system will send the relevant information of the user to the authenticator system, and the PAE of the authenticator system will decide the authenticated/unauthenticated status of the controlled port according to the authentication result of the RADIUS server.
47.1.3 The Encapsulation of EAPOL Messages
1. The Format of EAPOL Data Packets
EAPOL is a message encapsulation format defined in the 802.1x protocol, and is mainly used to transmit EAP messages between the supplicant system and the authenticator system in order to allow the transmission of EAP messages through the LAN. In the IEEE 802/Ethernet LAN environment, the format of the EAPOL packet is illustrated in the next figure. The beginning of the EAPOL packet is the Type/Length domain in MAC frames.
Figure 47-1-3 the Format of EAPOL Data Packet
PAE Ethernet Type: represents the type of the protocol, whose value is 0x888E.
Protocol Version: represents the version of the protocol supported by the sender of the EAPOL data packet.
Type: represents the type of the EAPOL data packet, including:
• EAP-Packet (whose value is 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system.
• EAPOL-Start (whose value is 0x01): the frame to start authentication.
• EAPOL-Logoff (whose value is 0x02): the frame requesting to quit.
• EAPOL-Key (whose value is 0x03): the key information frame.
• EAPOL-Encapsulated-ASF-Alert (whose value is 0x04): used to support the alerting messages of ASF (Alert Standard Forum). This kind of frame is used to encapsulate network management information such as all kinds of alerting information, and is terminated by terminal devices.
Length: represents the length of the data, that is, the length of the “Packet Body”, in bytes. There will be no following data domain when its value is 0.
Packet Body: represents the content of the data, which will be in different formats according to the different types.
2. The Format of EAP Data Packets
When the value of the Type domain in the EAPOL packet is EAP-Packet, the Packet Body is in EAP format (illustrated in the next figure).
Figure 47-1-4 the Format of EAP Data Packets
Code: specifies the type of the EAP packet. There are four of them in total: Request (1), Response (2), Success (3), Failure (4).
• There is no Data domain in the packets whose type is Success or Failure, and the value of the Length domain in such packets is 4.
• The format of the Data domain in packets whose type is Request or Response is illustrated in the next figure. Type is the authentication type of EAP, and the content of the Type data depends on the type. For example, when the value of the type is 1, it means Identity, and is used to query the identity of the other side. When the type is 4, it means MD5-Challenge, which, like the PPP CHAP protocol, contains challenge messages.
Figure 47-1-5 the Format of Data Domain in Request and Response Packets
Identifier: assists in matching the Request and Response messages.
Length: the length of the EAP packet, covering the domains of Code, Identifier, Length and Data, in bytes.
Data: the content of the EAP packet, depending on the Code type.
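The EAPOL and EAP layouts described in 47.1.3, as an added parser example (not code from this manual or the switch): it checks the 0x888E ethertype, the EAPOL Type and Length, the EAP Code and Length, the no-Data rule for Success and Failure, and decodes the Identity and MD5-Challenge types. The MD5-Challenge value-size layout is taken from RFC 3748 rather than from this manual, and the sample frames are constructed.

```python
"""Parser for the EAPOL and EAP formats of 47.1.3 (added example, not vendor
code).  Input starts at the Type/Length field of the MAC frame, as the text
states: Ethertype 0x888E, Protocol Version, Type, Length, Packet Body.  The
MD5-Challenge layout (value-size byte, then the challenge value, then a name)
is taken from RFC 3748, not from this manual.  Sample frames are constructed."""
import struct

PAE_ETHERTYPE = 0x888E
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eap(body: bytes) -> dict:
    """Code, Identifier, Length (covers the 4-byte header too), then Data."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES[code], "id": ident, "length": length}
    data = body[4:length]
    if code in (3, 4):                       # Success/Failure carry no Data
        if length != 4:
            raise ValueError(f"{eap['code']} packet must have length 4")
        return eap
    if not data:                             # Request/Response need a Type
        raise ValueError("Request/Response without Type")
    eap["type"] = EAP_TYPES.get(data[0], data[0])
    if data[0] == 1:                         # Identity: the peer's identity
        eap["identity"] = data[1:].decode("utf-8", "replace")
    elif data[0] == 4:                       # MD5-Challenge (RFC 3748 layout)
        size = data[1]
        eap["challenge"] = data[2:2 + size]
        eap["name"] = data[2 + size:].decode("utf-8", "replace")
    else:
        eap["type_data"] = data[1:]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Validate the EAPOL header and decode the body of EAP-Packet frames."""
    if len(frame) < 6:
        raise ValueError("EAPOL header truncated")
    ethertype, version, etype, length = struct.unpack("!HBBH", frame[:6])
    if ethertype != PAE_ETHERTYPE:
        raise ValueError(f"not a PAE frame: ethertype 0x{ethertype:04X}")
    if etype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {etype}")
    if len(frame) - 6 < length:              # Length = size of the Packet Body
        raise ValueError("EAPOL length exceeds frame")
    pkt = {"version": version, "type": EAPOL_TYPES[etype], "length": length}
    body = frame[6:6 + length]
    if etype == 0x00:
        pkt["eap"] = parse_eap(body)
    elif length:
        pkt["body"] = body                   # Key / ASF-Alert payloads kept raw
    return pkt


def _hx(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Constructed sample frames (ethertype onward), written as on-the-wire hex.
SAMPLES = {
    "start": _hx("888E 01 01 0000"),
    "identity": _hx("888E 01 00 0009 02 05 0009 01 75736572"),   # Response "user"
    "success": _hx("888E 01 00 0004 03 05 0004"),
    "bad_success": _hx("888E 01 00 0005 03 05 0005 00"),          # Success with Data
}


def classify_samples() -> dict:
    """Parse every sample, recording the error text for malformed frames."""
    out = {}
    for name, frame in SAMPLES.items():
        try:
            out[name] = parse_eapol(frame)
        except ValueError as exc:
            out[name] = {"error": str(exc)}
    return out
```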
47.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please refer to the introduction of the RADIUS protocol in “AAA-RADIUS-HWTACACS operation” to check the format of RADIUS messages.
1. EAP-Message
As illustrated in the next figure, this attribute is used to encapsulate an EAP packet. Its type code is 79, and the String domain should be no longer than 253 bytes. If the data length of an EAP packet is larger than 253 bytes, the packet can be divided into fragments, which are then encapsulated in several EAP-Message attributes in their original order.
Figure 47-1-6 the Encapsulation of EAP-Message Attribute
2. Message-Authenticator
As illustrated in the next figure, this attribute is used in the process of using authentication methods like EAP and CHAP to prevent the access request packets from being eavesdropped. Message-Authenticator should be included in packets containing the EAP-Message attribute, or the packet will be dropped as an invalid one.
Figure 47-1-7 Message-Authenticator Attribute
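Added example (not from this manual) covering both attributes above: an EAP packet longer than 253 bytes is split across several EAP-Message attributes in order and reassembled, and a RADIUS attribute set that carries EAP-Message without Message-Authenticator is rejected. The Type/Length/Value attribute layout and the Message-Authenticator type code 80 come from RFC 2865 and RFC 2869, not from this page; the Message-Authenticator value itself is a 16-byte placeholder here, since its computation is not described in this section.

```python
"""Carrying an EAP packet inside RADIUS as described in 47.1.4 (added example,
not vendor code): EAP-Message (type 79) holds at most 253 bytes of String, a
longer EAP packet is split across several EAP-Message attributes in order,
and a packet that carries EAP-Message without Message-Authenticator is
dropped.  The attribute layout Type(1) Length(1) Value and the type code 80
for Message-Authenticator come from RFC 2865/2869, not from this manual; the
16-byte Message-Authenticator value is a placeholder (constructed)."""

EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80          # RFC 2869 type code, not stated on the page
MAX_STRING = 253                    # one-byte Length: 2 + 253 = 255 at most


def encode_attribute(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_STRING:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes((atype, 2 + len(value))) + value


def eap_to_attributes(eap_packet: bytes) -> list:
    """Fragment an EAP packet into EAP-Message attributes, order preserved."""
    chunks = [eap_packet[i:i + MAX_STRING]
              for i in range(0, len(eap_packet), MAX_STRING)]
    return [encode_attribute(EAP_MESSAGE, c) for c in chunks]


def parse_attributes(blob: bytes) -> list:
    """Walk the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def extract_eap(blob: bytes) -> bytes:
    """Reassemble the EAP packet; drop the RADIUS packet if the
    Message-Authenticator attribute is missing, as 47.1.4 requires."""
    attrs = parse_attributes(blob)
    fragments = [v for t, v in attrs if t == EAP_MESSAGE]
    if not fragments:
        raise ValueError("no EAP-Message attribute")
    if not any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        raise ValueError("EAP-Message without Message-Authenticator: drop")
    eap = b"".join(fragments)
    declared = int.from_bytes(eap[2:4], "big")   # EAP Length covers the whole packet
    if declared != len(eap):
        raise ValueError(f"reassembled {len(eap)} bytes, EAP Length says {declared}")
    return eap


def build_eap_request(ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Constructed EAP Request: Code 1, Identifier, Length, Type, type data."""
    length = 4 + 1 + len(type_data)
    return bytes((1, ident)) + length.to_bytes(2, "big") + bytes((eap_type,)) + type_data


def demo() -> tuple:
    """A 600-byte EAP Request lands in three EAP-Message attributes and
    round-trips; the same attributes without Message-Authenticator are dropped."""
    eap = build_eap_request(7, 4, bytes(595))          # constructed payload
    attrs = eap_to_attributes(eap)
    placeholder_auth = encode_attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    good = b"".join(attrs) + placeholder_auth
    bad = b"".join(attrs)
    try:
        extract_eap(bad)
        dropped = False
    except ValueError:
        dropped = True
    return len(attrs), extract_eap(good) == eap, dropped
```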
47.1.5 Web Authentication Proxy based on 802.1x
The prior 802.1x authentication system followed the IEEE 802.1x authentication system in architecture, working mechanism and business processes.
The client authentication pattern of the prior authentication system privately. The devices are layer 2 switches and the authentication server is a RADIUS server. The EAP protocol is used as the authentication message pattern. EAPOL encapsulation is used between the client and the authentication proxy switch, that is to say, the EAP message is encapsulated in the Ethernet frame for authentication and communication, whereas EAPOR encapsulation is used between the authentication proxy switch and the authentication server, that is to say, the EAP message is carried in the RADIUS protocol for authentication and communication. The device can also forward it, transmitting PAP protocol messages or CHAP protocol messages over the RADIUS protocol between the device and the RADIUS server.
In the 802.1x authentication system, in order to implement identity authentication and network permission, the user should install the authentication client software, pass the client login authentication process and then achieve authenticated communication with the DCBI server. But some customers do not want to install client software, and they hope to authenticate simply through Internet Explorer. So in order to satisfy this new demand from users and realize platform independence of the authentication client, the Web authentication function based on 802.1x is designed for authentication.
The Web authentication is still based on the IEEE 802.1x authentication system: the Java Applet in Internet Explorer replaces the prior client software, the device is a layer 3 switch, the authentication server is a standard RADIUS server, and the authentication message is carried in the EAP message for communication. Ethernet frames can’t be sent by the Java Applet used in the client, so the EAP message can’t be encapsulated in an Ethernet frame; instead the EAP message is carried over the UDP protocol (EAPOU) rather than EAPOL, in order to achieve authentication and communication between the web client and the web authentication proxy switch. The standard EAPOR protocol is still used between the authentication proxy switch and the authentication server.
47.1.6 The Authentication Methods of 802.1x
The authentication can be started either by the supplicant system on its own initiative or by the device. When the device detects unauthenticated users accessing the network, it will send the supplicant system EAP-Request/Identity messages to start authentication. On the other hand, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.
802.1x systems support the EAP relay method and the EAP termination method to implement authentication with the remote RADIUS server. The following is the description of the process of these two authentication methods, both started by the supplicant system.
47.1.6.1 EAP Relay Mode
EAP relay is specified in the IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator.
EAP is a widely-used authentication framework to transmit the actual authentication protocol rather than a specific authentication mechanism. EAP provides some common functions and allows the authentication mechanisms expected in the negotiation, which are called EAP Methods. The advantage of EAP lies in that the EAP mechanism working as a base needs no adjustment when a new authentication protocol appears. The following figure illustrates the protocol stack of the EAP authentication method.
Figure 47-1-8 the Protocol Stack of EAP Authentication Method
By now, more than 50 EAP authentication methods have been developed, the differences among which lie in the authentication mechanism and the management of keys. The 4 most common EAP authentication methods are listed as follows:
• EAP-MD5
• EAP-TLS (Transport Layer Security)
• EAP-TTLS (Tunneled Transport Layer Security)
• PEAP (Protected Extensible Authentication Protocol)
They will be described in detail in the following part.
Attention:
• The switch, as the pass-through access controlling unit, will not check the content of a particular EAP method, so it can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
• In EAP relay, if any authentication method among EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the authentication methods of the supplicant system and the RADIUS server should be the same.
1. EAP-MD5 Authentication Method
EAP-MD5 is an IETF open standard which provides the least security, since the MD5 hash function is vulnerable to dictionary attacks.
The following figure illustrates the basic operation flow of the EAP-MD5 authentication method.
Figure 47-1-9 the Authentication Flow of 802.1x EAP-MD5
2. EAP -TLS Authenti cation Method
EAP-TLS is brought up by Mic rosoft based on EAP and TLS protocols. It uses PKI t o protect the id
authentication bet ween the supplicant system and the RADIUS server and the dynamically generated session
keys, requiring both the supplicant system and t he Radius authentication server t o possess digital certificate
to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LAN.
Since every user should have a digital certificat e, this method is rarely used practically considering the difficult
maintenance. However it is still one of the safest EAP standards, and enjoys prevailing supports from the
vendors of wireless LAN hardware and soft ware.
47-8
The following figure illustrates the basic operation flow of the EAP-TLS authentication method.
Figure 47-1-10 the Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificates. The only requirement is that the RADIUS server should have a digital certificate. The authentication of users’ identity is implemented with passwords transmitted in a securely encrypted tunnel established via the certificate of the authentication server. Any kind of authentication request including EAP, PAP and MS-CHAPv2 can be transmitted within TTLS tunnels.
4. PEAP Authentication Method
EAP-PEAP was brought up by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security. Its design of protocol and security is similar to that of EAP-TTLS, using a server’s PKI certificate to establish a secure TLS tunnel in order to protect user authentication.
The following figure illustrates the basic operation flow of the PEAP authentication method.
Figure 47-1-11 the Authentication Flow of 802.1x PEAP
47.1.6.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit (the switch) and mapped into RADIUS
messages, which are then used for authentication, authorization and accounting. The basic operation flow is
illustrated in the next figure.
In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP
authentication method. Because the switch unpacks the credential itself, termination only works with simple
methods such as EAP-MD5; the certificate-based methods described above require EAP relay mode. With PAP
the user password crosses the switch-to-server link protected only by the RADIUS shared secret. The following
figure demonstrates the basic operation flow using the CHAP authentication method.
Figure 47-1-12 the Authentication Flow of 802.1x EAP Termination Mode
47.1.7 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also
extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
- Supports applications in which one physical port carries more than one user.
- There are three access control methods (the methods to authenticate users): port-based, MAC-based
and user-based (IP address + MAC address + port).
- When the port-based method is used, as long as the first user of the port passes the authentication,
all the other users can access the network resources without being authenticated. However, once
the first user goes offline, the network becomes unavailable to all the other users. Port-based control
therefore authenticates the link rather than the user: a hub or unmanaged switch behind the port lets
any device ride on the first authenticated session.
- When the MAC-based method is used, every user accessing a port is authenticated separately; only
those who pass the authentication can access the network, the others cannot. When one user goes
offline, the other users are not affected.
- When the user-based (IP address + MAC address + port) method is used, all users can access
limited resources before being authenticated. There are two kinds of control in this method: standard
control and advanced control. The user-based standard control does not restrict the access to limited
resources, which means all users of the port can access limited resources before being
authenticated. The user-based advanced control restricts the access to limited resources: only
particular users of the port can access limited resources before being authenticated. Once those
users pass the authentication, they can access all resources.
Attention: when using private supplicant systems, user-based advanced control is recommended to effectively
prevent ARP spoofing.
The maximum number of authenticated users is 4000, but fewer than 2000 is preferred.
47.1.8 The Features of VLAN Allocation
1. Auto VLAN
The Auto VLAN feature enables the RADIUS server to change the VLAN to which the access port belongs,
based on the user information and the user access device information. When an 802.1x user passes
authentication on the server, the RADIUS server sends the authorization information to the device; if the
RADIUS server has enabled the VLAN-assigning function, the following attributes must be included in the
Access-Accept message:
- Tunnel-Type = VLAN (13)
- Tunnel-Medium-Type = 802 (6)
- Tunnel-Private-Group-ID = VLANID
The VLANID here means the VID of the VLAN, ranging from 1 to 4094. For example, Tunnel-Private-Group-ID =
30 means VLAN 30.
When the switch receives the assigned Auto VLAN information, the current access port leaves the VLAN set by
the user and joins the Auto VLAN.
Auto VLAN does not change or affect the port's configuration, but its priority is higher than that of the user-set
VLAN: the Auto VLAN is the one that takes effect when the authentication is finished, and the user-set VLAN
does not take effect again until the user goes offline. Because the VLAN comes from the Access-Accept, the
integrity of that reply (the shared secret and its authenticators) is what prevents anyone on the path to the
server from placing a port into an arbitrary VLAN.
Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose
link type is Access.
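The three attributes above, encoded and decoded as an authenticator would do it, as an added Python example (this is not code from the manual, from PLANET or from any RADIUS server). The attribute numbers 64, 65 and 81 and the tag layout follow RFC 2868; the function names and the decision to omit the tag byte on an untagged Tunnel-Private-Group-ID are this example's own assumptions, and the parser accepts both forms.

```python
# Added example: encode and validate the RFC 2868 tunnel attributes that carry an
# Auto VLAN assignment in a RADIUS Access-Accept.  Not vendor code.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN (13)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = 802 (6)


def radius_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_assignment_attrs(vlan_id, tag=0):
    """Server side: the three attributes the switch expects for VLAN `vlan_id`.

    Integer tunnel attributes are a 1-byte Tag plus a 3-byte value.  For the string
    attribute the tag byte is omitted when tag is 0 (assumption: mirrors common
    servers), so a parser has to accept both layouts.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")
    tag_byte = bytes([tag])
    group = (tag_byte if tag else b"") + str(vlan_id).encode("ascii")
    return (radius_attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + radius_attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + radius_attr(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attrs(data):
    """Yield (type, value) pairs, rejecting any Length that runs past the buffer."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def assigned_vlan(attrs):
    """Switch side: the VID an Access-Accept assigns, or None if it assigns none.

    All three attributes must be present with the same tag, Tunnel-Type must be VLAN,
    Tunnel-Medium-Type must be IEEE 802, and the group ID must be a decimal VID in
    1..4094.  Anything else is ignored rather than trusted.
    """
    found = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag + 3-byte value")
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # a first byte of 0x00..0x1F is a tag, anything larger is already text
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[attr_type] = (tag, text.decode("ascii", "replace"))
    if len(found) != 3:
        return None
    if len({tag for tag, _ in found.values()}) != 1:
        return None                      # attributes belong to different tunnel groups
    if (found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN
            or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)
```

A server that sends a VLAN name instead of a VID, or a VID outside 1..4094, yields None here, which is the safe answer for a switch that only understands numeric VIDs.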
2. Guest VLAN
The Guest VLAN feature allows an unauthenticated user to access some specified resources.
Before passing 802.1x authentication, the user's port belongs to a default VLAN (the Guest VLAN) and may
access the resources within this VLAN without authentication, while resources in other networks are out of
reach. Once authenticated, the port leaves the Guest VLAN and the user can access the resources of other
networks.
In the Guest VLAN, users can obtain 802.1x supplicant software, update the supplicant, or update other
applications (such as anti-virus software or operating system patches). The access device adds the port to
the Guest VLAN when no supplicant is authenticated successfully within a certain time, for instance because
the host has no supplicant or its supplicant version is too old.
Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port is added to the Guest
VLAN if no response arrives from the supplicant after the device has sent more authentication-triggering
messages (EAP-Request/Identity) than the configured upper limit.
- If the authentication server then assigns an Auto VLAN, the port leaves the Guest VLAN and joins the
assigned Auto VLAN. When the user goes offline, the port is allocated to the Guest VLAN again.
- If the authentication succeeds without an Auto VLAN being assigned, the port leaves the Guest VLAN and
joins the VLAN specified in the port configuration. When the user goes offline, the port is allocated to the
Guest VLAN again.
47.2 802.1x Configuration Task List
802.1x Configuration Task List:
1. Enable IEEE 802.1x function
2. Configure Web authentication agent function
3. Access management unit property configuration
1) Configure port authentication status
2) Configure access management method for the port: MAC-based or port-based
3) Configure expanded 802.1x function
4) Configure IPv6 passthrough function of the port
4. User access devices related property configuration (optional)
1. Enable 802.1x function
Global Mode
  dot1x enable / no dot1x enable
      Enables the 802.1x function on the switch and its ports; the no command disables it.
  dot1x privateclient enable / no dot1x privateclient enable
      Forces client software to use the private 802.1x authentication packet format; the no command
      disables this.
  dot1x user free-resource <prefix> <mask> / no dot1x user free-resource
      Sets the network resources that unauthenticated dot1x users may access freely; the no command
      removes them.
2. Configure Web authentication agent function
Global Mode
  dot1x web authentication enable / no dot1x web authentication enable
      Enables the Web authentication agent; the no command disables it.
  dot1x web redirect <URL> / no dot1x web redirect
      Sets the HTTP server address for Web redirection; the no command clears the address.
3. Access management unit property configuration
1) Configure port authentication status
Port Mode
  dot1x port-control {auto|force-authorized|force-unauthorized} / no dot1x port-control
      Sets the 802.1x authentication mode of the port; the no command restores the default setting.
2) Configure port access management method
Port Mode
  dot1x port-method {macbased | portbased | webbased | userbased advanced} / no dot1x port-method
      Sets the port access management method; the no command restores MAC-based access management.
  dot1x max-user macbased <number> / no dot1x max-user macbased
      Sets the maximum number of access users for the specified port; the no command restores the default
      of 1 user.
  dot1x max-user userbased <number> / no dot1x max-user userbased
      Sets the upper limit of users allowed to access the specified port, only used when the access control
      mode of the port is userbased; the no command resets the limit to the default of 10.
  dot1x guest-vlan <vlanID> / no dot1x guest-vlan
      Sets the Guest VLAN of the specified port; the no command deletes it.
3) Configure expanded 802.1x function
Global Mode
  dot1x macfilter enable / no dot1x macfilter enable
      Enables the 802.1x address filter function on the switch; the no command disables it.
  dot1x accept-mac <mac-address> [interface <interface-name>] /
  no dot1x accept-mac <mac-address> [interface <interface-name>]
      Adds an 802.1x address filter table entry; the no command deletes the entry.
  dot1x eapor enable / no dot1x eapor enable
      Enables EAP relay authentication on the switch; the no command selects EAP termination (local-end)
      authentication.
4) Configure IPv6 passthrough function of the port
Global Mode
  dot1x ipv6 passthrough / no dot1x ipv6 passthrough
      Enables the IPv6 passthrough function globally on the switch, only applicable when the access control
      mode is userbased; the no command disables the function.
4. Supplicant related property configuration
Global Mode
  dot1x max-req <count> / no dot1x max-req
      Sets the number of EAP Request/MD5 frames sent before the switch re-initiates authentication when the
      supplicant does not respond; the no command restores the default setting.
  dot1x re-authentication / no dot1x re-authentication
      Enables periodic supplicant re-authentication; the no command disables it.
  dot1x timeout quiet-period <seconds> / no dot1x timeout quiet-period
      Sets the time the port stays quiet after an authentication failure; the no command restores the default
      value.
  dot1x timeout re-authperiod <seconds> / no dot1x timeout re-authperiod
      Sets the supplicant re-authentication interval; the no command restores the default setting.
  dot1x timeout tx-period <seconds> / no dot1x timeout tx-period
      Sets the interval at which the switch re-transmits the EAP-Request/Identity frame to the supplicant; the
      no command restores the default setting.
  dot1x re-authenticate [interface <interface-name>]
      Triggers IEEE 802.1x re-authentication immediately (without waiting for the timeout) on all ports or on
      the specified port.
47.3 802.1x Application Example
47.3.1 Examples of Guest VLAN Applications
[Figure 47-3-1 The Network Topology of Guest VLAN: the user connects to E2 (VLAN100), the update server
to E3 (VLAN10), the authentication server is in VLAN2, and E6 (VLAN5) leads to the Internet]
Notes: in the figures in this section, E2 means Ethernet 1/2, E3 means Ethernet 1/3 and E6 means Ethernet
1/6.
As shown in the figure above, a switch provides network access using 802.1x authentication, with a RADIUS
server as its authentication server. Ethernet1/2, the port through which the user accesses the switch, belongs
to VLAN100; the authentication server is in VLAN2; the Update Server, in VLAN10, is where the user
downloads and updates the supplicant software; Ethernet1/6, the port used by the switch to reach the
Internet, is in VLAN5.
[Figure 2-14 User Joining Guest VLAN: E2 has moved into VLAN10, the VLAN of the update server]
As illustrated in the figure above, the 802.1x feature is enabled on switch port Ethernet1/2, and VLAN10 is
set as the port's Guest VLAN. Before the user is authenticated, or when authentication fails, port Ethernet1/2
is added to VLAN10, allowing the user to reach the Update Server.
[Figure 47-3-2 User Being Online, VLAN Being Offline: after authentication E2 is in VLAN5 together with E6]
As illustrated in the figure above, when the user comes online after a successful authentication, the
authentication server assigns VLAN5, which places the user and Ethernet1/6 in the same VLAN5, allowing the
user to access the Internet.
The configuration steps are as follows:
# Configure the RADIUS server. The key "test" is a placeholder: in production use a long random secret that is
# unique to this switch, since the secret is all that authenticates the server's replies.
XGS3-42000R(config)#radius-server authentication host 10.1.1.3
XGS3-42000R(config)#radius-server accounting host 10.1.1.3
XGS3-42000R(config)#radius-server key test
XGS3-42000R(config)#aaa enable
XGS3-42000R(config)#aaa-accounting enable
# Create the port's VLAN 100 and the Guest VLAN 10.
XGS3-42000R(config)#vlan 100
XGS3-42000R(config)#vlan 10
# Enable the global 802.1x function.
XGS3-42000R(config)#dot1x enable
# Enable the 802.1x function on port Ethernet1/2.
XGS3-42000R(config)#interface ethernet1/2
XGS3-42000R(config-If-Ethernet1/2)#dot1x enable
# Set the link type of the port to access mode.
XGS3-42000R(config-If-Ethernet1/2)#switchport mode access
# Set the access control method of the port to portbased.
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-method portbased
# Set the authentication mode of the port to auto.
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-control auto
# Set the port's Guest VLAN to 10.
XGS3-42000R(config-If-Ethernet1/2)#dot1x guest-vlan 10
XGS3-42000R(config-If-Ethernet1/2)#exit
Use show running-config or show interface ethernet 1/2 to check the Guest VLAN configuration. When no
user is online on the port (no user has authenticated, failed authentication or gone offline) and more
authentication-triggering messages (EAP-Request/Identity) have been sent than the configured upper limit,
show vlan id 10 shows whether the Guest VLAN configured on the port has taken effect.
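The Guest VLAN and Auto VLAN behaviour configured above, as a small Python model added here (it is not code from the manual or from PLANET): an authenticator port starts in its user-set VLAN, drops into the Guest VLAN after more unanswered EAP-Request/Identity frames than dot1x max-req allows, takes the RADIUS-assigned VLAN on success and returns to the Guest VLAN when the user goes offline. Class and method names (Dot1xPort, tx_request_identity and so on) and the default max_req of 2 are this example's own assumptions; the walkthrough replays the Ethernet1/2 scenario with VLAN 100, Guest VLAN 10 and an assigned VLAN 5.

```python
# Added example: VLAN state of an 802.1x authenticator port with Guest VLAN and
# Auto VLAN.  Model only; names are this example's own, not switch CLI.
from dataclasses import dataclass, field
from typing import Optional

AUTO, FORCE_AUTHORIZED, FORCE_UNAUTHORIZED = "auto", "force-authorized", "force-unauthorized"


@dataclass
class Dot1xPort:
    native_vlan: int                   # VLAN set by the administrator on the access port
    guest_vlan: Optional[int] = None   # dot1x guest-vlan <vlanID>, None if not configured
    port_control: str = AUTO           # dot1x port-control {auto|force-authorized|force-unauthorized}
    max_req: int = 2                   # dot1x max-req <count> (assumed default for this model)
    authorized: bool = False
    identity_requests_sent: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.vlan = self.native_vlan
        if self.port_control == FORCE_AUTHORIZED:
            self.authorized = True     # no EAP exchange at all; the port always forwards

    def tx_request_identity(self) -> int:
        """One EAP-Request/Identity sent with no supplicant answer.  Once more than
        max_req have gone unanswered the port is moved into the Guest VLAN."""
        if self.port_control != AUTO or self.authorized:
            return self.vlan
        self.identity_requests_sent += 1
        if self.identity_requests_sent > self.max_req and self.guest_vlan is not None:
            self._join(self.guest_vlan, "no supplicant response, joining Guest VLAN")
        return self.vlan

    def auth_success(self, assigned_vlan: Optional[int] = None) -> int:
        """Access-Accept received.  An Auto VLAN in the reply beats the user-set VLAN;
        without one the port returns to its native VLAN.  The Guest VLAN is left either way."""
        if self.port_control != AUTO:
            return self.vlan
        self.authorized = True
        self.identity_requests_sent = 0
        self._join(assigned_vlan if assigned_vlan is not None else self.native_vlan, "authenticated")
        return self.vlan

    def auth_failure(self) -> int:
        """Access-Reject: the port stays unauthorized and, with a Guest VLAN, goes there."""
        if self.port_control != AUTO:
            return self.vlan
        self.authorized = False
        if self.guest_vlan is not None:
            self._join(self.guest_vlan, "authentication failed, joining Guest VLAN")
        return self.vlan

    def logoff(self) -> int:
        """EAPOL-Logoff or link down: the Auto VLAN is withdrawn and the port goes back
        to the Guest VLAN if one is configured, otherwise to the user-set VLAN."""
        if self.port_control != AUTO:
            return self.vlan
        self.authorized = False
        self.identity_requests_sent = 0
        self._join(self.guest_vlan if self.guest_vlan is not None else self.native_vlan, "user offline")
        return self.vlan

    def _join(self, vlan: int, why: str) -> None:
        if vlan != self.vlan:
            self.log.append(f"VLAN {self.vlan} -> {vlan}: {why}")
        self.vlan = vlan


def guest_vlan_walkthrough() -> list:
    """Replay the Ethernet1/2 scenario: native VLAN 100, Guest VLAN 10, RADIUS assigns
    VLAN 5 on success.  Returns the port's VLAN after each step."""
    port = Dot1xPort(native_vlan=100, guest_vlan=10, max_req=2)
    steps = []
    for _ in range(3):                                  # three unanswered EAP-Request/Identity frames
        steps.append(port.tx_request_identity())
    steps.append(port.auth_success(assigned_vlan=5))    # Access-Accept carrying Auto VLAN 5
    steps.append(port.logoff())                         # user goes offline
    return steps                                        # [100, 100, 10, 5, 10]
```

The model makes the security property visible: a port in force-authorized mode never leaves its VLAN and never asks for an identity, and a port without a Guest VLAN stays in its user-set VLAN however many requests go unanswered, so unauthenticated hosts only ever reach the Guest VLAN when one has been deliberately configured.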
47.3.2 Examples of IPv4 Radius Applications
[Figure 47-3-3 IEEE 802.1x Configuration Example Topology: switch 10.1.1.2, host 10.1.1.1, RADIUS server
10.1.1.3]
The PC is connected to port 1/2 of the switch; IEEE 802.1x authentication is enabled on port 1/2 with the
default MAC-based access mode. The switch IP address is 10.1.1.2. Any port other than port 1/2 is used to
connect to the RADIUS authentication server, which has the IP address 10.1.1.3 and uses the default port
1812 for authentication and 1813 for accounting. IEEE 802.1x supplicant software is installed on the PC and
used for the IEEE 802.1x authentication.
The configuration procedure is listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-vlan1)#exit
XGS3-42000R(config)#radius-server authentication host 10.1.1.3
XGS3-42000R(config)#radius-server accounting host 10.1.1.3
XGS3-42000R(config)#radius-server key test
XGS3-42000R(config)#aaa enable
XGS3-42000R(config)#aaa-accounting enable
XGS3-42000R(config)#dot1x enable
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#dot1x enable
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-control auto
XGS3-42000R(config-If-Ethernet1/2)#exit
47.3.3 Examples of IPv6 Radius Application
[Figure 47-3-4 IPv6 Radius: switch 2004:1:2:3::2, host 2004:1:2:3::1, RADIUS server 2004:1:2:3::3]
Connect the computer to interface 1/2 of the switch and enable IEEE 802.1x on interface 1/2, using
MAC-based authentication. Configure the IP address of the switch as 2004:1:2:3::2, and connect the switch
through any interface except interface 1/2 to the RADIUS authentication server, whose IP address is
2004:1:2:3::3. Use the default ports 1812 and 1813 for authentication and accounting respectively. Install the
IEEE 802.1x supplicant software on the computer and use it for the IEEE 802.1x authentication.
The detailed configuration is listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
XGS3-42000R(config-if-vlan1)#exit
XGS3-42000R(config)#radius-server authentication host 2004:1:2:3::3
XGS3-42000R(config)#radius-server accounting host 2004:1:2:3::3
XGS3-42000R(config)#radius-server key test
XGS3-42000R(config)#aaa enable
XGS3-42000R(config)#aaa-accounting enable
XGS3-42000R(config)#dot1x enable
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#dot1x enable
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-control auto
XGS3-42000R(config-If-Ethernet1/2)#exit
47.3.4 802.1x Web Proxy Authentication Sample Application
[Figure 47-3-5 802.1x Web Proxy Authentication: Web server 192.168.20.20/24 on eth1/1, RADIUS server
192.168.20.88/24 on eth1/2, PC on eth1/16 of SWITCH1]
In the network topology above, Ethernet 1/1 on SWITCH1 is connected to the Web server whose IP address
is 192.168.20.20/24; Ethernet 1/2 on SWITCH1 is connected to the RADIUS server whose IP address is
192.168.20.88/24 and whose authentication port is 1812. The PC is connected to Ethernet 1/16 on SWITCH1
through an unknown network. The Web server and the authentication server are in VLAN 1, while the PC is in
VLAN 2. 802.1x Web authentication is enabled with the following configuration. The re-authentication function
is disabled by default; to enable it, the corresponding 802.1x configuration must be issued first. Since the
redirect URL below is plain HTTP, the login page and any password typed into it cross the unknown network
unencrypted; prefer an HTTPS URL if the Web server supports it.
Configuration task list on SWITCH1
XGS3-42000R(config)#dot1x enable
XGS3-42000R(config)#dot1x web authentication enable
XGS3-42000R(config)#dot1x web redirect http://192.168.20.20/WebSupplicant/
XGS3-42000R(config)#interface ethernet 1/16
XGS3-42000R(config-If-Ethernet1/16)#dot1x enable
XGS3-42000R(config-If-Ethernet1/16)#dot1x port-method webbased
47.4 802.1x Troubleshooting
- It is possible that 802.1x is configured on a port with authentication set to auto, yet the port does not
reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible
causes and solutions:
- If 802.1x cannot be enabled on a port, make sure the port is not using MAC binding and is not configured
as a member of a port aggregation. To enable 802.1x authentication, those functions must be disabled
first.
- If the switch is configured properly but authentication still fails, verify connectivity between the switch and
the RADIUS server and between the switch and the 802.1x client, and check the port and VLAN
configuration of the switch as well.
- Check the event log on the RADIUS server for possible causes. The event log records not only
unsuccessful logins but also the reasons for them. If the event log indicates a wrong authenticator
password, the radius-server key parameter must be corrected; if it indicates no such authenticator, the
switch must be added to the RADIUS server as a client; if it indicates no such login user, the user login
ID and password may be wrong and should be verified and entered again.
- The Web Authentication Proxy based on 802.1x is disabled by default. Turn on the debug dot1x switch to
see debugging information once the Web Authentication Proxy based on 802.1x is enabled.
- If show dot1x does not display the port state as disabled, the Web Authentication Proxy function based on
802.1x has not been turned off.
- The Web Authentication Proxy based on 802.1x supports fewer than 1024 simultaneously authenticated
online users. If this limit is exceeded, a prompt is returned.
- When Web authentication fails, check whether the dot1x privateclient enable command is active; if it is,
the private authentication function must be disabled.
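What the switch has to check on an Access-Accept with the key set by radius-server key, as an added Python example (it is not the switch's code nor any RADIUS server's): the RFC 2865 Response Authenticator, whose failure is what the server-side log above reports as a wrong authenticator password, and the RFC 3579 Message-Authenticator that must accompany every reply to an EAP-Message. The packet contents, the identifier 7, the user name and the keys are constructed; the function names are this example's own.

```python
# Added example: the two integrity checks an 802.1x authenticator applies to a RADIUS
# Access-Accept, shown with the right key, the wrong key and a reply lacking the
# Message-Authenticator.  Not vendor code; all packet contents are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def radius_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def build_access_accept(ident, request_auth, attrs, secret, with_message_authenticator=True):
    """Server side.  Message-Authenticator = HMAC-MD5(secret, header|RequestAuth|attrs) with its
    own 16 bytes zeroed (RFC 3579), appended last; then Response Authenticator =
    MD5(header|RequestAuth|attrs|secret) (RFC 2865) goes into the authenticator slot."""
    if with_message_authenticator:
        zeroed = attrs + radius_attr(MESSAGE_AUTHENTICATOR, bytes(16))
        ma = hmac.new(secret, radius_header(ACCESS_ACCEPT, ident, zeroed) + request_auth + zeroed,
                      hashlib.md5).digest()
        attrs = attrs + radius_attr(MESSAGE_AUTHENTICATOR, ma)
    header = radius_header(ACCESS_ACCEPT, ident, attrs)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_access_accept(packet, request_auth, secret):
    """Switch side.  Returns "ok" or the reason the reply must be discarded.  `request_auth`
    is the random Request Authenticator the switch put into its own Access-Request."""
    if len(packet) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return "bad code or length"
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    # 1. Response Authenticator: binds the reply to our request and to the shared key.
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        return "response authenticator mismatch (wrong shared key?)"
    # 2. Message-Authenticator: mandatory in replies to EAP, so 802.1x replies always need it.
    zeroed, ma, i = bytearray(attrs), None, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            return "truncated attribute"
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return "bad attribute length"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or ma is not None:
                return "malformed Message-Authenticator"
            ma = attrs[i + 2:i + 18]
            zeroed[i + 2:i + 18] = bytes(16)
        i += alen
    if ma is None:
        return "Message-Authenticator missing"
    expected_ma = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(ma, expected_ma):
        return "message authenticator mismatch"
    return "ok"


def demo(secret=b"test", wrong_secret=b"Test"):
    """One constructed exchange: the reply is built with `secret` and checked three ways."""
    request_auth = os.urandom(16)                       # the switch's Request Authenticator
    attrs = radius_attr(USER_NAME, b"alice") + radius_attr(EAP_MESSAGE, bytes([3, 7, 0, 4]))  # EAP-Success
    good = build_access_accept(7, request_auth, attrs, secret)
    no_ma = build_access_accept(7, request_auth, attrs, secret, with_message_authenticator=False)
    return {
        "right_key": verify_access_accept(good, request_auth, secret),
        "wrong_key": verify_access_accept(good, request_auth, wrong_secret),
        "no_message_authenticator": verify_access_accept(no_ma, request_auth, secret),
    }
```

The Response Authenticator is plain MD5 over the reply and the secret, so a short secret such as test can be recovered offline from one captured exchange, and a reply that carries no Message-Authenticator is forgeable by an attacker on the switch-to-server path (the 2024 Blast-RADIUS attack, CVE-2024-3596, targets exactly that case). A switch should therefore reject such replies outright, as the verifier above does, rather than only log them.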
Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration
48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP
The MAC address table records the mapping between destination MAC addresses and the ports of the switch.
There are two kinds of entries: static MAC addresses and dynamic MAC addresses. A static MAC address is
set by the user, has the highest priority (it is never overwritten by a dynamic entry) and is always effective; a
dynamic MAC address is learnt by the switch from the frames it forwards and is only effective for a limited time.
When the switch receives a frame to be forwarded, it learns the frame's source MAC address, records its
mapping to the receiving port, and then looks up the destination MAC address in the table. If a matching entry
is found, the frame is forwarded out of the corresponding port; otherwise it is flooded within the VLAN it
belongs to. If a dynamically learnt MAC address matches no forwarded traffic for a long time, the switch
deletes it from the table.
Usually a switch supports both static configuration and dynamic learning of MAC addresses, which means each
port can have several statically set and dynamically learnt MAC addresses, and can thus forward traffic
between the port and the known MAC addresses. When a MAC address ages out, traffic to it is flooded. Our
current switches put no limit on the number of MAC addresses per port; every port can hold as many
addresses, configured or learnt, as the hardware table allows, until its entries are exhausted. To avoid a port
accumulating too many MAC addresses, the number of MAC addresses a port can have should be limited.
For each interface VLAN there is no limit on the number of IP addresses either: the upper limit of IP addresses
is the upper limit of users on the interface, which is at the same time the upper limit of ARP and ND entries,
and no configuration command controls how many of these entries are accepted.
To enhance the security and controllability of the product, the number of MAC addresses on each port and the
number of ARP and ND entries on each interface VLAN need to be controlled: the number of static or
dynamic MAC addresses on a port should not exceed the configured value, and neither should the number of
users on each VLAN.
Limiting the number of MAC and ARP entries mitigates DoS attacks to a certain extent. A malicious user who
repeatedly spoofs MAC or ARP entries can easily fill the switch's MAC and ARP tables, causing a successful
DoS attack; a full MAC table also makes the switch flood unicast traffic, which exposes other users' frames to
the attacker.
To sum up, the number limitation function of port, MAC in VLAN and IP is very useful. The switch can control
the number of MAC addresses per port and the number of ARP and ND entries per port and per VLAN through
configuration commands.
Limiting the number of dynamic MAC and IP entries of ports:
1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses dynamically learnt on a
port is already greater than or equal to the configured maximum, MAC learning is shut down on this port;
otherwise the port continues learning.
2. Limiting the number of dynamic IP entries. If the number of ARP and ND entries dynamically learnt on a
port is already greater than or equal to the configured maximum, ARP and ND learning is shut down on this
port; otherwise the port continues learning.
Limiting the number of MAC, ARP and ND entries of interfaces:
1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses dynamically learnt in a
VLAN is already greater than or equal to the configured maximum, MAC learning is shut down on all ports
in this VLAN (except special ports); otherwise all ports in the VLAN continue learning.
2. Limiting the number of dynamic IP entries. If the number of ARP and ND entries dynamically learnt on the
interface VLAN is already greater than or equal to the configured maximum, the VLAN learns no new ARP
or ND entries; otherwise learning continues.
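The learning limits just described, as an added Python model (this is not the switch's code): one dynamic table with a per-port and a per-VLAN maximum, fed with a constructed MAC-flooding burst, so that the two cut-offs and their interaction can be seen. Class and function names (DynamicTableLimiter, flood_attack) are this example's own; the values replay the example in 48.3, port 1/1 limited to 20 entries and VLAN 1 to 30.

```python
# Added example: per-port and per-VLAN limits on dynamically learnt entries (MAC, ARP
# or ND), driven by a constructed flood of distinct source addresses.  Model only.
from collections import defaultdict


class DynamicTableLimiter:
    """Learning stops on a port once its count reaches the port maximum, and on every
    port of a VLAN once the VLAN count reaches the VLAN maximum.  Entries already in the
    table keep forwarding; only new sources are refused."""

    def __init__(self):
        self.port_max = {}              # port -> maximum (None or absent = unlimited)
        self.vlan_max = {}              # vlan -> maximum (None or absent = unlimited)
        self.entries = {}               # key (e.g. MAC) -> (port, vlan)
        self.per_port = defaultdict(int)
        self.per_vlan = defaultdict(int)

    def set_port_maximum(self, port, value):        # switchport ... dynamic maximum <value>
        self.port_max[port] = value

    def set_vlan_maximum(self, vlan, value):        # vlan/ip/ipv6 ... dynamic maximum <value>
        self.vlan_max[vlan] = value

    def learning_allowed(self, port, vlan):
        port_max, vlan_max = self.port_max.get(port), self.vlan_max.get(vlan)
        if port_max is not None and self.per_port[port] >= port_max:
            return False                # port reached its maximum: learning shut down
        if vlan_max is not None and self.per_vlan[vlan] >= vlan_max:
            return False                # VLAN reached its maximum: all its ports stop learning
        return True

    def learn(self, key, port, vlan):
        """True if the entry is (already) in the table, False if learning it was refused."""
        if key in self.entries:
            return True                 # refresh of a known source is never blocked
        if not self.learning_allowed(port, vlan):
            return False
        self.entries[key] = (port, vlan)
        self.per_port[port] += 1
        self.per_vlan[vlan] += 1
        return True

    def count(self, port=None, vlan=None):
        """Like show ... dynamic count {vlan <id> | interface ethernet <port>}."""
        if port is not None:
            return self.per_port[port]
        if vlan is not None:
            return self.per_vlan[vlan]
        return len(self.entries)


def flood_attack(limiter, port, vlan, frames, tag=0):
    """Constructed flooding burst: `frames` frames, each with a distinct locally
    administered source MAC.  `tag` keeps bursts on different ports distinct.  Returns how
    many sources were accepted into the table; the rest are simply not learnt."""
    accepted = 0
    for i in range(frames):
        mac = "02:%02x:00:%02x:%02x:%02x" % (tag, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if limiter.learn(mac, port, vlan):
            accepted += 1
    return accepted
```

With port 1/1 capped at 20 and VLAN 1 at 30, a burst of 100 sources on 1/1 leaves 20 entries, a second burst on an uncapped port 1/2 in the same VLAN gets only the 10 remaining VLAN slots, and a port in an unlimited VLAN still learns everything, which is the table-exhaustion case the limits exist to prevent.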
48.2 The Number Limitation Function of Port, MAC in VLAN and IP Configuration Task Sequence
1. Enable the number limitation function of MAC and IP on ports
2. Enable the number limitation function of MAC and IP in VLAN
3. Configure the timeout value of querying dynamic MAC
4. Display and debug the relative information of number limitation of MAC and IP on ports
1. Enable the number limitation function of MAC and IP on ports
Port configuration mode
  switchport mac-address dynamic maximum <value> / no switchport mac-address dynamic maximum
      Enable or disable the limit on the number of dynamic MAC addresses on the port.
  switchport arp dynamic maximum <value> / no switchport arp dynamic maximum
      Enable or disable the limit on the number of dynamic ARP entries on the port.
  switchport nd dynamic maximum <value> / no switchport nd dynamic maximum
      Enable or disable the limit on the number of dynamic ND entries on the port.
2. Enable the number limitation function of MAC and IP in VLAN
VLAN configuration mode
  vlan mac-address dynamic maximum <value> / no vlan mac-address dynamic maximum
      Enable or disable the limit on the number of dynamic MAC addresses in the VLAN.
Interface configuration mode
  ip arp dynamic maximum <value> / no ip arp dynamic maximum
      Enable or disable the limit on the number of dynamic ARP entries in the VLAN.
  ipv6 nd dynamic maximum <value> / no ipv6 nd dynamic maximum
      Enable or disable the limit on the number of dynamic ND (neighbor) entries in the VLAN.
3. Configure the timeout value of querying dynamic MAC
Global configuration mode
  mac-address query timeout <seconds>
      Configure the timeout value for querying dynamic MAC addresses.
4. Display and debug the relative information of number limitation of MAC and IP on ports
Admin mode
  show mac-address dynamic count {vlan <vlan-id> | interface ethernet <portName>}
      Display the number of dynamic MAC addresses in the corresponding port or VLAN.
  show arp-dynamic count {vlan <vlan-id> | interface ethernet <portName>}
      Display the number of dynamic ARP entries in the corresponding port or VLAN.
  show nd-dynamic count {vlan <vlan-id> | interface ethernet <portName>}
      Display the number of dynamic ND (neighbor) entries in the corresponding port or VLAN.
  debug switchport mac count / no debug switchport mac count
      Debug information when limiting the number of MAC addresses on ports.
  debug switchport arp count / no debug switchport arp count
      Debug information when limiting the number of ARP entries on ports.
  debug switchport nd count / no debug switchport nd count
      Debug information when limiting the number of ND (neighbor) entries on ports.
  debug vlan mac count / no debug vlan mac count
      Debug information when limiting the number of MAC addresses in a VLAN.
  debug ip arp count / no debug ip arp count
      Debug information when limiting the number of ARP entries in a VLAN.
  debug ipv6 nd count / no debug ipv6 nd count
      Debug information when limiting the number of ND entries in a VLAN.
48.3 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples
[Figure 48-3-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example: SWITCH A
connected to SWITCH B, which connects to many PCs]
In the network topology above, SWITCH B connects to many PC users. Before the number limitation function of
port, MAC in VLAN and IP is enabled, and if the system hardware imposes no other limit, SWITCH A and
SWITCH B learn the MAC, ARP and ND entries of all the PCs. Limiting the MAC and ARP entries mitigates
DoS attacks to a certain extent: a malicious user who repeatedly spoofs MAC or ARP entries can easily fill the
MAC and ARP tables of the switch, causing a successful DoS attack, and limiting the MAC, ARP and ND
entries prevents this.
On port 1/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learnt to 20, of
dynamic ARP entries to 20 and of ND (neighbor) entries to 10. In VLAN 1, set the maximum number of
dynamic MAC addresses to 30, of dynamic ARP entries to 30 and of ND entries to 20.
SWITCH A configuration task sequence:
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(Config-If-Ethernet1/1)#switchport mac-address dynamic maximum 20
XGS3-42000R(Config-If-Ethernet1/1)#switchport arp dynamic maximum 20
XGS3-42000R(Config-If-Ethernet1/1)#switchport nd dynamic maximum 10
XGS3-42000R(Config-If-Ethernet1/1)#exit
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(Config-if-Vlan1)#vlan mac-address dynamic maximum 30
XGS3-42000R(Config-if-Vlan1)#ip arp dynamic maximum 30
XGS3-42000R(Config-if-Vlan1)#ipv6 nd dynamic maximum 20
48.4 The Number Limitation Function of Port, MAC in VLAN and IP Troubleshooting Help
The number limitation function of port, MAC in VLAN and IP is disabled by default; users who need to limit the
number of users accessing the network can enable it. If the MAC address number limitation cannot be
configured, check whether Spanning Tree, dot1x or TRUNK is running on the port and whether the port is
configured as a MAC-binding port. The MAC address number limitation is mutually exclusive with these
configurations, so before enabling it on a port, make sure the functions mentioned above are disabled on that
port.
If the configuration is correct, after enabling the number limitation function of port, MAC in VLAN and IP, users
can use the debug commands to trace each limitation, check the details of the counts and judge whether the
function behaves correctly. If there is any problem, please send the result to the technical service center.
Chapter 49 Operational Configuration of AM Function
49.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP packet, it compares the
information extracted from the packet (the source IP address, or the source MAC-IP pair) with the configured
hardware address pool. If an entry in the address pool matches the information (source IP address or source
MAC-IP pair), the packet is forwarded; otherwise it is dropped. Source-IP-based AM is supplemented by
source-MAC-IP-based AM because the IP address of a host can be changed: with only IP addresses bound, a
user could change the host's IP address to one of the forwarding IPs and have the host's packets forwarded by
the switch. Since a MAC-IP pair can be bound exclusively to one host, binding MAC-IP pairs prevents users
from maliciously changing a host's IP address to get its packets forwarded via the switch.
With the interface-bound attribute of AM, network managers can bind the IP (MAC-IP) address of a legal user
to a specified interface. After that, only packets sent by users with the specified IP (MAC-IP) addresses are
forwarded via the interface, which strengthens the control over network security.
49.2 AM Function Configuration Task List
1. Enable AM function
2. Enable AM function on an interface
3. Configure the forwarding IP
4. Configure the forwarding MAC-IP
5. Delete all of the configured IP or MAC-IP or both
6. Display relative configuration information of AM
1. Enable AM function
Global Mode
  am enable / no am enable
      Globally enable or disable the AM function.
2. Enable AM function on an interface
Port Mode
  am port / no am port
      Enable or disable the AM function on the port. When AM is enabled on a port, no IP or ARP packet is
      forwarded by default until a matching entry is configured.
3. Configure the forwarding IP
Port Mode
  am ip-pool <ip-address> <num> / no am ip-pool <ip-address> <num>
      Configure the forwarding IP addresses of the port (<num> addresses starting at <ip-address>, as used
      in the example of 49.3).
4. Configure the forwarding MAC-IP
Port Mode
  am mac-ip-pool <mac-address> <ip-address> / no am mac-ip-pool <mac-address> <ip-address>
      Configure a forwarding MAC-IP binding of the port.
5. Delete all of the configured IP or MAC-IP or both
Global Mode
  no am all [ip-pool|mac-ip-pool]
      Delete the IP address pool, the MAC-IP address pool, or both pools configured by all users.
6. Display relative configuration information of AM
Global Configuration Mode
  show am [interface <interface-name>]
      Display the AM configuration information of one port or of all ports.
49.3 AM Function Example
[Figure 49-3-1 a typical configuration example of AM function: PC1 to PC30 on HUB1 connect to Port1 of the
switch, HUB2 connects to Port2, and the switch connects to the Internet]
In the topology above, 30 PCs, after converged by HUB1, connect with interface1 on the switch. The IP
addresses of these 30 PCs range from 100. 10.10. 1 to 100.10.10.30. Considering security, the system
manager will only take user with an IP address within that range as legal ones. And the switch will only
forward data packets from legal users while dumping packets from other users.
According to the requirements mentioned above, the switch can be configured as follows:
XGS3-42000R(config)#am enable
XGS3-42000R(config)#interface ethernet1/1
XGS3-42000R(config-If-Ethernet1/1)#am port
XGS3-42000R(config-If-Ethernet1/1)#am ip-pool 10.10.10.1 10
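The forwarding decision that the commands above set up, as an added example in Python (not PLANET's code or the switch firmware). It models the manual's rules: AM applies only when both the global "am enable" and the per-port "am port" are active, an AM port forwards nothing unless a pool entry matches, and a MAC-IP binding admits exactly that pair. The reading of "am ip-pool <ip-address> <num>" as <num> consecutive addresses starting at <ip-address> is an assumption, as are the sample MAC/IP pairs.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AmPort:
    """AM state of one switch port (constructed model of the manual's commands)."""
    am_port: bool = False                           # 'am port' configured on this port
    ip_pools: list = field(default_factory=list)    # (<ip-address>, <num>) from 'am ip-pool'
    mac_ip_pools: set = field(default_factory=set)  # (mac, ip) from 'am mac-ip-pool'

    def ip_in_pool(self, ip: str) -> bool:
        # Assumption: 'am ip-pool <ip-address> <num>' admits <num> consecutive
        # addresses starting at <ip-address>.
        addr = ipaddress.IPv4Address(ip)
        return any(ipaddress.IPv4Address(first) <= addr < ipaddress.IPv4Address(first) + count
                   for first, count in self.ip_pools)


def am_forward(am_enable: bool, port: AmPort, src_mac: str, src_ip: str) -> bool:
    """True when an IP/ARP frame with this source MAC and IP is forwarded on 'port'.

    Both the global 'am enable' and the per-port 'am port' must be active for AM to
    apply; an AM port with no matching pool entry forwards nothing (the manual's default).
    """
    if not (am_enable and port.am_port):
        return True                                  # AM not active here: normal forwarding
    if (src_mac.lower(), src_ip) in port.mac_ip_pools:
        return True                                  # MAC-IP binding matched
    return port.ip_in_pool(src_ip)                   # IP pool matched, else dropped


def manual_example() -> dict:
    """Section 49.3: 'am enable', then 'am port' and 'am ip-pool 10.10.10.1 10' on
    ethernet1/1, applied to four constructed source MAC/IP pairs seen on that port."""
    eth1 = AmPort(am_port=True, ip_pools=[("10.10.10.1", 10)])
    frames = [("00:00:00:00:00:01", "10.10.10.1"),
              ("00:00:00:00:00:0a", "10.10.10.10"),
              ("00:00:00:00:00:0b", "10.10.10.11"),
              ("00:00:00:00:00:63", "10.10.10.99")]
    return {ip: am_forward(True, eth1, mac, ip) for mac, ip in frames}


def binding_example() -> tuple:
    """A MAC-IP binding admits exactly that pair; the same IP from another MAC is dropped,
    and nothing is filtered when AM is globally disabled."""
    eth2 = AmPort(am_port=True, mac_ip_pools={("00:11:22:33:44:55", "10.10.20.7")})
    return (am_forward(True, eth2, "00:11:22:33:44:55", "10.10.20.7"),
            am_forward(True, eth2, "00:11:22:33:44:66", "10.10.20.7"),
            am_forward(False, eth2, "00:11:22:33:44:66", "10.10.20.7"))
```

Note that only the first 10 addresses pass in manual_example(); a pool sized for the 30 PCs of the scenario would need <num> set accordingly.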
49.4 AM Function Troubleshooting
The AM function is disabled by default; once it is enabled, the related AM configuration can be made.
Users can view the current AM configuration with the “show am” command, which shows whether AM is enabled and the AM information on each interface; they can also use the “show am [interface <interface-name>]” command to check the AM configuration of a specific interface.
If any operational error happens, the system displays a detailed corresponding prompt.
Chapter 50 Security Feature Configuration
50.1 Introduction to Security Feature
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user data packets because it is kept busy processing the attacker's packets, leading to denial of service and, worse, possibly to leakage of the server's sensitive data.
Security features refer to applications such as protocol checks that protect the server from attacks such as DoS. A protocol check allows the user to drop matched packets based on specified conditions. The security features provide several simple and effective protections against DoS attacks without affecting the line-rate forwarding performance of the switch.
50.2 Security Feature Configuration
50.2.1 Prevent IP Spoofing Function Configuration Task Sequence
1. Enable the IP spoofing check function.
Command (Global Mode): [no] dosattack-check srcip-equal-dstip enable
Explanation: Enable/disable the function that checks whether the IP source address is the same as the destination address.
50.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
1. Enable the anti TCP unauthorized label attack function
2. Enable the IPv4 fragment checking function
Command (Global Mode): [no] dosattack-check tcp-flags enable
Explanation: Enable/disable the TCP label (flags) checking function.
Command (Global Mode): [no] dosattack-check ipv4-first-fragment enable
Explanation: Enable/disable checking of IPv4 fragments. This command has no effect when used on its own, but if this function is not enabled the switch will not drop IPv4 fragment packets that contain unauthorized TCP labels.
50.2.3 Anti Port Cheat Function Configuration Task Sequence
1. Enable the anti port cheat function
Command (Global Mode): [no] dosattack-check srcport-equal-dstport enable
Explanation: Enable/disable the prevent-port-cheat function.
Command (Global Mode): dosattack-check ipv4-first-fragment enable
Explanation: Enable/disable checking of IPv4 fragments. This command has no effect when used on its own, but if this function is not enabled the switch will not drop IPv4 fragment packets whose source port is equal to the destination port.
50.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence
1. Enable the prevent TCP fragment attack function
2. Configure the minimum permitted TCP header length of the packet
Command (Global Mode): [no] dosattack-check tcp-fragment enable
Explanation: Enable/disable the prevent TCP fragment attack function.
Command (Global Mode): dosattack-check tcp-header <size>
Explanation: Configure the minimum permitted TCP header length of the packet. This command has no effect when used on its own; the user should also enable dosattack-check tcp-fragment enable.
50.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence
1. Enable the prevent ICMP fragment attack function
2. Configure the maximum permitted ICMPv4 payload (net load) length
3. Configure the maximum permitted ICMPv6 payload (net load) length
Command (Global Mode): [no] dosattack-check icmp-attacking enable
Explanation: Enable/disable the prevent ICMP fragment attack function.
Command (Global Mode): dosattack-check icmpv4-size <size>
Explanation: Configure the maximum permitted ICMPv4 payload length. This command has no effect when used on its own; the user has to enable dosattack-check icmp-attacking enable as well.
Command (Global Mode): dosattack-check icmpv6-size <size>
Explanation: Configure the maximum permitted ICMPv6 payload length. This command has no effect when used on its own; the user has to enable dosattack-check icmp-attacking enable as well.
50.3 Security Feature Example
Scenario:
The user has the following configuration requirements: the switch must not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port. Only the ping command with default options is allowed within the IPv4 network, namely the ICMP request packet cannot be fragmented and its payload length is normally smaller than 100.
Configuration procedure:
XGS3-42000R(config)# dosattack-check srcip-equal-dstip enable
XGS3-42000R(config)# dosattack-check srcport-equal-dstport enable
XGS3-42000R(config)# dosattack-check ipv4-first-fragment enable
XGS3-42000R(config)# dosattack-check icmp-attacking enable
XGS3-42000R(config)# dosattack-check icmpv4-size 100
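The dosattack-check rules of sections 50.2.1 to 50.2.5, run over constructed packets, as an added example in Python (not PLANET's code or the switch firmware). It shows the one dependency the tables stress: without ipv4-first-fragment, the port-equality and TCP checks let IPv4 fragments through. The tcp-flags check is not modelled because the manual does not say which flag combinations it rejects; the default values for tcp-header, icmpv4-size and icmpv6-size, and the "payload larger than <size> is dropped" reading, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DosCheckConfig:
    """The 'dosattack-check' switches of section 50.2 (constructed model, not switch firmware)."""
    srcip_equal_dstip: bool = False      # dosattack-check srcip-equal-dstip enable
    srcport_equal_dstport: bool = False  # dosattack-check srcport-equal-dstport enable
    ipv4_first_fragment: bool = False    # dosattack-check ipv4-first-fragment enable
    tcp_fragment: bool = False           # dosattack-check tcp-fragment enable
    tcp_header_min: int = 20             # dosattack-check tcp-header <size> (assumed default)
    icmp_attacking: bool = False         # dosattack-check icmp-attacking enable
    icmpv4_size: int = 64                # dosattack-check icmpv4-size <size> (assumed default)
    icmpv6_size: int = 64                # dosattack-check icmpv6-size <size> (assumed default)


@dataclass
class Packet:
    """Only the header fields the checks look at."""
    src_ip: str
    dst_ip: str
    proto: str                           # "tcp", "udp" or "icmp"
    ipv6: bool = False
    is_fragment: bool = False
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_header_len: Optional[int] = None
    icmp_payload_len: Optional[int] = None


def dos_check(cfg: DosCheckConfig, pkt: Packet) -> Optional[str]:
    """Return the name of the check that drops the packet, or None when it is forwarded."""
    if cfg.srcip_equal_dstip and pkt.src_ip == pkt.dst_ip:
        return "srcip-equal-dstip"
    # Manual: without ipv4-first-fragment the port and TCP checks do not drop IPv4 fragments.
    l4_checked = pkt.ipv6 or not pkt.is_fragment or cfg.ipv4_first_fragment
    if l4_checked and cfg.srcport_equal_dstport and pkt.src_port is not None \
            and pkt.src_port == pkt.dst_port:
        return "srcport-equal-dstport"
    if l4_checked and cfg.tcp_fragment and pkt.proto == "tcp" \
            and pkt.tcp_header_len is not None and pkt.tcp_header_len < cfg.tcp_header_min:
        return "tcp-fragment"
    if cfg.icmp_attacking and pkt.proto == "icmp":
        if pkt.is_fragment:
            return "icmp-attacking (fragmented)"
        limit = cfg.icmpv6_size if pkt.ipv6 else cfg.icmpv4_size
        if pkt.icmp_payload_len is not None and pkt.icmp_payload_len > limit:
            return "icmp-attacking (oversize)"
    return None


def scenario_50_3(first_fragment_check: bool = True) -> dict:
    """The section 50.3 configuration applied to constructed packets; the flag lets the
    ipv4-first-fragment dependency be switched off to see the fragment case slip through."""
    cfg = DosCheckConfig(srcip_equal_dstip=True, srcport_equal_dstport=True,
                         ipv4_first_fragment=first_fragment_check,
                         icmp_attacking=True, icmpv4_size=100)
    samples = {
        "same-ip":   Packet("10.0.0.5", "10.0.0.5", "tcp", src_port=80, dst_port=80),
        "same-port": Packet("10.0.0.1", "10.0.0.5", "udp", src_port=53, dst_port=53),
        "frag-port": Packet("10.0.0.1", "10.0.0.5", "udp", is_fragment=True,
                            src_port=53, dst_port=53),
        "ping":      Packet("10.0.0.1", "10.0.0.5", "icmp", icmp_payload_len=56),
        "big-ping":  Packet("10.0.0.1", "10.0.0.5", "icmp", icmp_payload_len=1400),
        "frag-ping": Packet("10.0.0.1", "10.0.0.5", "icmp", is_fragment=True,
                            icmp_payload_len=1400),
        "https":     Packet("10.0.0.1", "10.0.0.5", "tcp", src_port=40000, dst_port=443,
                            tcp_header_len=20),
    }
    return {name: dos_check(cfg, p) for name, p in samples.items()}
```

Calling scenario_50_3(first_fragment_check=False) leaves "frag-port" unfiltered, which is the gap the ipv4-first-fragment command closes.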
Chapter 51 TACACS+ Configuration
51.1 Introduction to TACACS+
TACACS+ (terminal access controller access control protocol) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, TACACS+ uses TCP at the transport layer and, in addition, encrypts the packet (except for the standard packet header), so this protocol offers more reliable transmission and encryption characteristics and is better suited to security control.
According to the characteristics of TACACS+ (Version 1.78), we provide the TACACS+ authentication function on the switch: when a user logs in, for example via telnet, the user name and password can be authenticated with TACACS+.
51.2 TACACS+ Configuration Task List
1. Configure the TACACS+ authentication key
2. Configure the TACACS+ server
3. Configure the TACACS+ authentication timeout time
4. Configure the IP address of the TACACS+ NAS
1. Configure the TACACS+ authentication key
Command (Global Mode): tacacs-server key <string> / no tacacs-server key
Explanation: Configure the TACACS+ server key; the “no tacacs-server key” command deletes the key.
2. Configure the TACACS+ server
Command (Global Mode): tacacs-server authentication host <IPaddress> [[port {<portNum>}] [timeout <seconds>] [key <string>] [primary]] / no tacacs-server authentication host <IPaddress>
Explanation: Configure the IP address, listening port number, timeout value and key string of the TACACS+ server; the no form of this command deletes the TACACS+ authentication server.
3. Configure the TACACS+ authentication timeout time
Command (Global Mode): tacacs-server timeout <seconds> / no tacacs-server timeout
Explanation: Configure the authentication timeout for the TACACS+ server; the “no tacacs-server timeout” command restores the default configuration.
4. Configure the IP address of the TACACS+ NAS
Command (Global Mode): tacacs-server nas-ipv4 <ip-address> / no tacacs-server nas-ipv4
Explanation: Configure the source IP address used by the switch for TACACS+ packets.
51.3 TACACS+ Scenarios Typical Examples
Figure 51-3-1 TACACS Configuration (PC 10.1.1.1; switch 10.1.1.2; TACACS server 10.1.1.3)
A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a TACACS+ authentication server whose IP address is 10.1.1.3 and whose authentication port is the default, 49. Set the telnet login authentication of the switch to “tacacs local”, so that telnet users are authenticated via the TACACS+ authentication server.
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-vlan1)#exit
XGS3-42000R(config)#tacacs-server authentication host 10.1.1.3
XGS3-42000R(config)#tacacs-server key test
XGS3-42000R(config)#authentication login vty tacacs local
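What the "tacacs-server key" actually protects, as an added example in Python (not PLANET's code). Section 51.1 says the TACACS+ packet is encrypted except for its standard header; the mechanism, from RFC 8907 section 4.5, is an XOR of the body with a pad of chained MD5 digests over the session id, the shared key, the version and the sequence number, so the 12-octet header travels in the clear and a receiver with a different key recovers garbage rather than an error, which is why the troubleshooting step in 51.4 insists the keys match. The packet body used here is a constructed string, not the real authentication START layout. RFC 8907 calls this obfuscation rather than encryption and recommends carrying TACACS+ over a protected transport.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length (12 octets)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id|key|version|seq_no) and
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; applying it twice restores the body, so one function serves both ends."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 version: int = 0xC0, pkt_type: int = 1) -> bytes:
    """Header in the clear, body obfuscated (version 0xC0 = 12.0, type 1 = authentication)."""
    header = HEADER.pack(version, pkt_type, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """What the receiver does: read the clear header, un-XOR the body with its own key.
    A wrong key yields garbage rather than an error; the peer then rejects the exchange."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)


def key_mismatch_demo() -> tuple:
    """Constructed body (not a real TACACS+ START body layout) sent with the key 'test'
    from section 51.3, then decoded with the right key and with a wrong one."""
    body = b"user=operator action=login"
    pkt = build_packet(body, session_id=0x1234ABCD, key=b"test", seq_no=1)
    return (decode_packet(pkt, b"test") == body, decode_packet(pkt, b"wrong") == body)
```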
51.4 TACACS+ Troubleshooting
In configuring and using TACACS+, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, the TACACS+ server physical connection is in good condition.
- Second, all interfaces and link protocols are in the UP state (use the “show interface” command).
- Then ensure the TACACS+ key configured on the switch matches the one configured on the TACACS+ server.
- Finally, ensure the switch connects to the correct TACACS+ server.
Chapter 52 RADIUS Configuration
52.1 Introduction to RADIUS
52.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who can access the network device, which access level the user has, and accounting for the network resources used.
RADIUS (Remote Authentication Dial In User Service) is a distributed client/server protocol for information exchange. The RADIUS client usually runs on a network appliance to implement AAA in cooperation with the 802.1x protocol. The RADIUS server maintains the database for AAA and communicates with the RADIUS client through the RADIUS protocol. RADIUS is the most commonly used protocol in the AAA framework.
52.1.2 Message structure for RADIUS
The RADIUS protocol uses UDP to deliver protocol packets. The packet format is shown below.
Figure 52-1-1 Message structure for RADIUS
Code field (1 octet): the type of the RADIUS packet. The available packet types are listed below:
1. Access-Request
2. Access-Accept
3. Access-Reject
4. Accounting-Request
5. Accounting-Response
6. Access-Challenge
Identifier field (1 octet): identifier used to match request and answer packets.
Length field (2 octets): the length of the overall RADIUS packet, including the Code, Identifier, Length, Authenticator and Attribute fields.
Authenticator field (16 octets): used to validate packets received from the RADIUS server, or to carry encrypted passwords. This field falls into two kinds: the Request Authenticator and the Response Authenticator.
Attribute field: used to carry detailed information about AAA. An attribute is formed by Type, Length and Value fields:
- Type field (1 octet): the type of the attribute value, as shown below:
Type  Attribute name           Type   Attribute name
1     User-Name                23     Framed-IPX-Network
2     User-Password            24     State
3     CHAP-Password            25     Class
4     NAS-IP-Address           26     Vendor-Specific
5     NAS-Port                 27     Session-Timeout
6     Service-Type             28     Idle-Timeout
7     Framed-Protocol          29     Termination-Action
8     Framed-IP-Address        30     Called-Station-Id
9     Framed-IP-Netmask        31     Calling-Station-Id
10    Framed-Routing           32     NAS-Identifier
11    Filter-Id                33     Proxy-State
12    Framed-MTU               34     Login-LAT-Service
13    Framed-Compression       35     Login-LAT-Node
14    Login-IP-Host            36     Login-LAT-Group
15    Login-Service            37     Framed-AppleTalk-Link
16    Login-TCP-Port           38     Framed-AppleTalk-Network
17    (unassigned)             39     Framed-AppleTalk-Zone
18    Reply-Message            40-59  (reserved for accounting)
19    Callback-Number          60     CHAP-Challenge
20    Callback-Id              61     NAS-Port-Type
21    (unassigned)             62     Port-Limit
22    Framed-Route             63     Login-LAT-Port
- Length field (1 octet): the length in octets of the attribute, including the Type, Length and Value fields.
- Value field: the value of the attribute, whose content and format are determined by the type and length of the attribute.
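The message structure just described, parsed and exercised in an added Python example (not PLANET's code or the switch firmware). It splits a packet into the Code, Identifier, Length, Authenticator and Type/Length/Value attributes, hides a User-Password the way RFC 2865 section 5.2 does (MD5 of the shared secret and the Request Authenticator, XORed block by block), and performs the check the NAS makes on every reply: the Response Authenticator must equal MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret). Code values follow RFC 2865 (Access-Challenge is code 11). The user name, password, reply text and the fixed Request Authenticator are constructed; a real NAS draws the Request Authenticator from a cryptographic random source.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 11: "Access-Challenge"}   # RFC 2865/2866 code values
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; the 16-octet Authenticator follows


def parse_radius(packet: bytes) -> dict:
    """Split a packet into Code, Identifier, Length, Authenticator and (Type, Value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet fixed header")
    code, ident, length = HEADER.unpack(packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:     # attribute Length counts its Type and Length octets
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def encode_attrs(attrs) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def _password_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block);
    the first block uses MD5(secret + Request Authenticator)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)      # pad to a multiple of 16 octets
    return _password_xor(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, pw: bytes,
                         request_auth: bytes) -> bytes:
    body = encode_attrs([(1, user), (2, hide_password(pw, secret, request_auth))])
    return HEADER.pack(1, ident, 20 + len(body)) + request_auth + body


def build_access_accept(ident: int, secret: bytes, request_auth: bytes, attrs) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = HEADER.pack(2, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the switch (NAS) performs with its 'radius-server key' on every reply."""
    parsed = parse_radius(response)
    body = response[20:parsed["length"]]
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def demo() -> dict:
    """Constructed exchange with the key 'test' from section 52.3 and a fixed Request
    Authenticator so the result is reproducible (a real NAS uses 16 random octets)."""
    secret, req_auth = b"test", bytes(range(16))
    req = build_access_request(7, secret, b"alice", b"s3cret", req_auth)
    resp = build_access_accept(7, secret, req_auth, [(18, b"Welcome")])
    hidden = parse_radius(req)["attributes"][1][1]
    return {"request": parse_radius(req)["code"], "user": parse_radius(req)["attributes"][0][1],
            "password": reveal_password(hidden, secret, req_auth),
            "valid_reply": verify_response(resp, req_auth, secret),
            "wrong_key_reply": verify_response(resp, req_auth, b"wrong"),
            "reply_message": parse_radius(resp)["attributes"][0][1]}
```

A reply that fails verify_response() is silently discarded by a NAS, which is why a key mismatch (section 52.4) looks like a server that never answers rather than an explicit reject.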
52.2 RADIUS Configuration Task List
1. Enable the authentication and accounting function.
2. Configure the RADIUS authentication key.
3. Configure the RADIUS server.
4. Configure the parameters of the RADIUS service.
5. Configure the IP address of the RADIUS NAS.
1. Enable the authentication and accounting function.
Command (Global Mode): aaa enable / no aaa enable
Explanation: Enable the AAA authentication function. The no form of this command disables the AAA authentication function.
Command (Global Mode): aaa-accounting enable / no aaa-accounting enable
Explanation: Enable AAA accounting. The no form of this command disables AAA accounting.
Command (Global Mode): aaa-accounting update {enable|disable}
Explanation: Enable or disable the update accounting function.
2. Configure the RADIUS authentication key.
Command (Global Mode): radius-server key <string> / no radius-server key
Explanation: Configure the encryption key for the RADIUS server. The no form of this command removes the configured key.
3. Configure the RADIUS server.
Command (Global Mode): radius-server authentication host {<IPaddress> | <IPv6address>} [[port {<portNum>}] [key <string>] [primary] [access-mode {dot1x|telnet}]] / no radius-server authentication host <IPaddress>
Explanation: Specify the IP address, listening port number, cipher key, whether it is the primary server, and the access mode of the RADIUS authentication server; the no command deletes the RADIUS authentication server.
Command (Global Mode): radius-server accounting host {<IPaddress> | <IPv6address>} [[port {<portNum>}] [primary]] / no radius-server accounting host <IPaddress>
Explanation: Configure the IP/IPv6 address and the port number of the RADIUS accounting server. The no form of this command removes the RADIUS server configuration.
4. Configure the parameters of the RADIUS service
Command (Global Mode): radius-server dead-time <minutes> / no radius-server dead-time
Explanation: Configure the interval after which a RADIUS server that went down becomes available again. The no form of this command restores the default configuration.
Command (Global Mode): radius-server retransmit <retries> / no radius-server retransmit
Explanation: Configure the retry count for RADIUS packets. The no form of this command restores the default configuration.
Command (Global Mode): radius-server timeout <seconds> / no radius-server timeout
Explanation: Configure the timeout value for the RADIUS server. The no form of this command restores the default configuration.
Command (Global Mode): radius-server accounting-interim-update timeout <seconds> / no radius-server accounting-interim-update timeout
Explanation: Configure the update interval for accounting. The no form of this command restores the default configuration.
5. Configure the IP address of the RADIUS NAS
Command (Global Mode): radius nas-ipv4 <ip-address> / no radius nas-ipv4
Explanation: Configure the source IP address used by the switch for RADIUS packets.
Command (Global Mode): radius nas-ipv6 <ipv6-address> / no radius nas-ipv6
Explanation: Configure the source IPv6 address used by the switch for RADIUS packets.
52.3 RADIUS Typical Examples
52.3.1 IPv4 Radius Example
Figure 52-3-1 The topology of the IEEE 802.1x configuration (PC 10.1.1.1; switch 10.1.1.2; RADIUS server 10.1.1.3)
A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a RADIUS authentication server via Ethernet 1/2. The IP address of the server is 10.1.1.3; the authentication port is the default, 1812, and the accounting port is the default, 1813.
Configuration steps:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-vlan1)#exit
XGS3-42000R(config)#radius-server authentication host 10.1.1.3
XGS3-42000R(config)#radius-server accounting host 10.1.1.3
XGS3-42000R(config)#radius-server key test
XGS3-42000R(config)#aaa enable
XGS3-42000R(config)#aaa-accounting enable
52.3.2 IPv6 RADIUS Example
Figure 52-3-2 The topology of the IPv6 RADIUS configuration (PC 2004:1:2:3::1; switch 2004:1:2:3::2; RADIUS server 2004:1:2:3::3)
A computer connects to a switch whose IP address is 2004:1:2:3::2; the switch is connected to a RADIUS authentication server via Ethernet1/2. The IP address of the server is 2004:1:2:3::3; the authentication port is the default, 1812, and the accounting port is the default, 1813.
Configuration steps:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
XGS3-42000R(config-if-vlan1)#exit
XGS3-42000R(config)#radius-server authentication host 2004:1:2:3::3
XGS3-42000R(config)#radius-server accounting host 2004:1:2:3::3
XGS3-42000R(config)#radius-server key test
XGS3-42000R(config)#aaa enable
XGS3-42000R(config)#aaa-accounting enable
52.4 RADIUS Troubleshooting
In configuring and using RADIUS, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, make sure the RADIUS server physical connection is in good condition;
- Second, all interfaces and link protocols are in the UP state (use the “show interface” command);
- Then ensure the RADIUS key configured on the switch matches the one configured on the RADIUS server;
- Finally, ensure the switch connects to the correct RADIUS server.
If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to our technical service center.
Chapter 53 SSL Configuration
53.1 Introduction to SSL
As computer networking technology spreads, network security has an ever greater impact on the availability and usability of networking applications, and has become one of the greatest barriers to modern networking applications.
To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. To date, SSL 2.0 and 3.0 have been released. SSL 2.0 is obsolete because of security problems and is not supported on the switch. The SSL protocol uses public-key encryption and has become the industry standard for secure Web browsing on the Internet. The Web browser integrates HTTP and SSL to realize secure communication.
SSL is a security protocol that protects private data in transit on the Internet. SSL is designed for secure transmission between the client and the server, with authentication of the server and, optionally, of the client. SSL must be built on a reliable transport layer (such as TCP). SSL is independent of the application layer: protocols such as HTTP, FTP and TELNET can run on top of SSL transparently. SSL negotiates the encryption algorithm, the encryption key and the server authentication before data is transmitted; once the negotiation is done, all the data being transferred is encrypted.
From the introduction above, the secure channel provided by SSL has the following three characteristics:
- Privacy. The cipher suite is first agreed through negotiation, after which all messages are encrypted.
- Authentication. Although client authentication in the session is optional, the server is always authenticated.
- Reliability. A message integrity check (a MAC) is included in every message sent.
53.1.1 Basic Element of SSL
The basic strategy of SSL is to provide a secure channel for arbitrary application data between two communicating programs. In theory, an SSL connection is similar to an encrypted TCP connection. SSL sits below the application layer and on top of TCP. If the data transfer mechanism of the lower layer is reliable, the data written to the network is delivered to the other program in sequence, without packet loss or retransmission. Many transport protocols could provide such a service in theory, but in practice SSL almost always runs on TCP, and not directly on UDP or IP.
When the Web function is running on the switch and a client accesses its web site through an Internet browser, the SSL function can be used. Communication between the client and the switch over an SSL connection improves security.
First, SSL must be enabled on the switch. When the client accesses the switch via https, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all data transmission in the application layer is encrypted.
The SSL handshake is performed while the SSL session is being set up. The switch must be able to provide certificate keys. Currently the keys provided by the switch are not formal certificate keys issued by an official certificate authority, but private certificate keys generated by SSL software under Linux, which may not be recognized by the web browser. For the switch application it is not necessary to apply for a formal SSL certificate; a private certificate key is enough to secure the communication between the users and the switch. Currently the client is not required to be able to check the validity of the certificate. The encryption key and the encryption method that are later used for data encryption are negotiated during the handshake phase of the session.
SSL session handshake process:
53.2 SSL Configuration Task List
1. Enable/disable the SSL function
2. Configure/delete the port number used by SSL
3. Configure/delete the secure cipher suite used by SSL
4. Maintenance and diagnosis of the SSL function
1. Enable/disable the SSL function
Command (Global Mode): ip http secure-server / no ip http secure-server
Explanation: Enable/disable the SSL function.
2. Configure/delete the port number used by SSL
Command (Global Mode): ip http secure-port <port-number> / no ip http secure-port
Explanation: Configure the port number used by SSL; the “no ip http secure-port” command deletes the port number.
3. Configure/delete the secure cipher suite used by SSL
Command (Global Mode): ip http secure-ciphersuite {des-cbc3-sha|rc4-128-sha|des-cbc-sha} / no ip http secure-ciphersuite
Explanation: Configure/delete the secure cipher suite used by SSL.
4. Maintenance and diagnosis of the SSL function
Command (Admin Mode or Configuration Mode): show ip http secure-server status
Explanation: Show the configured SSL information.
Command (Admin Mode or Configuration Mode): debug ssl / no debug ssl
Explanation: Open/close the DEBUG output of the SSL function.
53.3 SSL Typical Example
When the Web function is enabled on the switch, SSL can be configured so that users access the web interface of the switch over SSL. Once SSL has been configured, communication between the client and the switch is encrypted by SSL for safety.
First, SSL must be enabled on the switch. When the client accesses the switch via https, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all data transmission in the application layer is encrypted.
Figure (SSL typical example): Web Server; Malicious Users (data acquisition fails); PC Users (Web Browser https, SSL session connected)
Configuration on the switch:
XGS3-42000R(config)# ip http secure-server
XGS3-42000R(config)# ip http secure-port 1025
XGS3-42000R(config)# ip http secure-ciphersuite rc4-128-sha
53.4 SSL Troubleshooting
In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, the physical connection is in good condition;
- Second, all interfaces and link protocols are in the UP state (use the “show interface” command);
- Then, make sure the SSL function is enabled (use the ip http secure-server command);
- If a port number has been configured, do not use the default port number; pay attention to the port number when entering the web address;
- If SSL is enabled, SSL should be restarted after changes to the port configuration or the encryption configuration;
- IE 7.0 or above should be used with des-cbc-sha;
- If the SSL problems remain unsolved after the above attempts, please use debug ssl and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to our technical service center.
Chapter 54 IPv6 Security RA Configuration
54.1 Introduction to IPv6 Security RA
In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RAs (router advertisements) carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the default router to the sender of the RA in order to communicate on the IPv6 network. If a malicious IPv6 host sends RAs that cause normal IPv6 users to set the default router to the malicious host, the malicious user is able to capture the traffic of the other users, which threatens network security. At the same time, the normal users obtain incorrect addresses and are unable to connect to the network. So, in order to implement the security RA function, the switch ports must be configured to reject malicious RA messages, which prevents the forwarding of malicious RAs to a certain extent and avoids disrupting the normal operation of the network.
54.2 IPv6 Security RA Configuration Task Sequence
1. Globally enable IPv6 security RA
2. Enable IPv6 security RA on a port
3. Display and debug the IPv6 security RA information
1. Globally enable IPv6 security RA
Command (Global Configuration Mode): ipv6 security-ra enable / no ipv6 security-ra enable
Explanation: Globally enable and disable IPv6 security RA.
2. Enable IPv6 security RA on a port
Command (Port Configuration Mode): ipv6 security-ra enable / no ipv6 security-ra enable
Explanation: Enable and disable IPv6 security RA in port configuration mode.
3. Display and debug the IPv6 security RA information
Command (Admin Mode): debug ipv6 security-ra / no debug ipv6 security-ra
Explanation: Enable the debug output of the IPv6 security RA module; the no form of this command disables the debug output of IPv6 security RA.
Command (Admin Mode): show ipv6 security-ra [interface <interface-list>]
Explanation: Display the distrusted ports and whether security RA is enabled globally.
54.3 IPv6 Security RA Typical Examples
Figure (IPv6 security RA typical example): other IPv6 network sends RA to the switch on Ethernet1/3; PC user on Ethernet1/1; illegal user on Ethernet1/2 sends RA, which is blocked (X)
Instructions: if the illegal user in the figure advertises RA, the normal user receives the RA, sets the default router to the malicious IPv6 host and changes its own address. This prevents the normal user from connecting to the network. We want to set security RA on port 1/2 of the switch, so that the RA from the illegal user does not affect the normal user.
Switch configuration task sequence:
XGS3-42000R#config
XGS3-42000R(config)#ipv6 security-ra enable
XGS3-42000R(config)#interface ethernet1/2
XGS3-42000R(config-If-Ethernet1/2)# ipv6 security-ra enable
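The filtering decision that the configuration above asks of the switch, as an added example in Python (not PLANET's code or the switch firmware). It recognizes an ICMPv6 Router Advertisement (type 134) inside an Ethernet frame and drops it only on ports where security RA is enabled while the global switch is on, so the genuine router on Ethernet1/3 keeps working and non-RA IPv6 traffic on Ethernet1/2 is untouched. The frames are constructed inline with a zero ICMPv6 checksum (the filter never verifies it), the MAC and link-local addresses are made up, and IPv6 extension headers between the IPv6 header and ICMPv6 are not walked in this simplified parser.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ETH_LEN, IP6_LEN = 14, 40


def is_router_advertisement(frame: bytes) -> bool:
    """True when the Ethernet frame carries an ICMPv6 Router Advertisement (type 134)."""
    if len(frame) < ETH_LEN + IP6_LEN + 4:
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return False
    ip6 = frame[ETH_LEN:ETH_LEN + IP6_LEN]
    # Simplification: extension headers before ICMPv6 are not walked here.
    if ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:
        return False
    return frame[ETH_LEN + IP6_LEN] == ND_ROUTER_ADVERT


class SecurityRa:
    """Model of the manual's IPv6 security RA: RA is dropped on the distrusted ports."""

    def __init__(self, global_enable: bool, distrusted_ports):
        self.global_enable = global_enable                # 'ipv6 security-ra enable' (global)
        self.distrusted_ports = set(distrusted_ports)     # ports with the port-mode command

    def action(self, ingress_port: str, frame: bytes) -> str:
        if (self.global_enable and ingress_port in self.distrusted_ports
                and is_router_advertisement(frame)):
            return "drop"
        return "forward"


def build_ra(src_mac: bytes, src_ip: str, lifetime: int = 1800) -> bytes:
    """Constructed RA frame to ff02::1 (ICMPv6 checksum left zero; the filter ignores it)."""
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def build_ipv6_udp(src_mac: bytes) -> bytes:
    """Constructed non-RA IPv6 frame (UDP with an empty payload) to show it is never dropped."""
    udp = struct.pack("!HHHH", 5353, 5353, 8, 0)
    ip6 = (struct.pack("!IHBB", 0x60000000, len(udp), 17, 64)
           + ipaddress.IPv6Address("fe80::5").packed + ipaddress.IPv6Address("fe80::1").packed)
    eth = bytes.fromhex("0000000000aa") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + udp


def manual_example() -> dict:
    """Section 54.3: security RA enabled globally and on Ethernet1/2; the real router
    is reached via Ethernet1/3, which is left trusted."""
    sec = SecurityRa(True, ["Ethernet1/2"])
    rogue = build_ra(bytes.fromhex("020000000002"), "fe80::2")
    genuine = build_ra(bytes.fromhex("020000000003"), "fe80::3")
    return {
        "rogue RA on Ethernet1/2": sec.action("Ethernet1/2", rogue),
        "RA from router on Ethernet1/3": sec.action("Ethernet1/3", genuine),
        "UDP on Ethernet1/2": sec.action("Ethernet1/2",
                                         build_ipv6_udp(bytes.fromhex("020000000002"))),
    }
```

Leaving the global command off, as the troubleshooting note in 54.4 warns, makes every port forward RAs regardless of the per-port setting.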
54.4 IPv6 Security RA Troubleshooting Help
The IPv6 security RA function is quite simple. If the function does not behave as expected after configuring IPv6 security RA:
- Check that the switch is correctly configured.
- Check whether rules conflicting with the security RA function are configured on the switch; such rules cause RA messages to be forwarded.
Chapter 55 VLAN-ACL Configuration
55.1 Introduction to VLAN-ACL
The user can configure an ACL policy on a VLAN to implement access control for all ports in the VLAN; VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN, and the corresponding ACL action takes effect on all member ports of the VLAN without configuring each member port separately.
When a VLAN ACL and a Port ACL are configured at the same time, the deny-first principle is used: when a packet matches both the VLAN ACL and the Port ACL, as long as one rule is drop, the final action is drop.
ACLs can filter packets in both the egress and ingress directions; packets matching the specified rules can be permitted or denied. ACLs support IP ACL, MAC ACL, MAC-IP ACL and IPv6 ACL. The ingress direction of a VLAN can bind all four kinds of ACL at the same time. There are four resources on the egress direction of a VLAN: an IP ACL and a MAC ACL each use one resource, and a MAC-IP ACL and an IPv6 ACL each use two resources, so the egress direction of a VLAN cannot bind all four kinds of ACL at the same time. When binding three kinds of ACL at the same time, the types must be IP, MAC and MAC-IP, or IP, MAC and IPv6. When binding two kinds of ACL at the same time, any combination of ACL types is valid. Each type can only be applied once on a VLAN.
55.2 VLAN-ACL Configuration Task List
1. Configure VLAN-ACL of IP type
2. Configure VLAN-ACL of MAC type
3. Configure VLAN-ACL of MAC-IP type
4. Configure VLAN-ACL of IPv6 type
5. Show configuration and statistic information of VLAN-ACL
6. Clear statistic information of VLAN-ACL
1. Configure VLAN-ACL of IP type
Command (Global mode): vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl ip access-group {<1-299> | WORD} {in | out} vlan WORD
Explanation: Configure or delete an IP VLAN-ACL.
2. Configure VLAN-ACL of MAC type
Command (Global mode): vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC VLAN-ACL.
3. Configure VLAN-ACL of MAC-IP type
Command (Global mode): vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac-ip access-group {<3100-3299> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC-IP VLAN-ACL.
4. Configure VLAN-ACL of IPv6 type
Command (Global mode): vacl ipv6 access-group {<500-699> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl ipv6 access-group {<500-699> | WORD} {in | out} vlan WORD
Explanation: Configure or delete an IPv6 VLAN-ACL.
5. Show configuration and statistic information of VLAN-ACL
Command (Admin mode): show vacl [in | out] vlan [<vlan-id>]
Explanation: Show the configuration and the statistic information of the VACL.
6. Clear statistic information of VLAN-ACL
Command (Admin mode): clear vacl [in | out] statistic vlan [<vlan-id>]
Explanation: Clear the statistic information of the VACL.
55.3 VLAN-ACL Configuration Example
A company's network is configured as follows: the departments are separated by different VLANs, the technique department is Vlan1 and the finance department is Vlan2. It is required that the technique department can access the outside network during the configured time range, but the finance department is not allowed to access the outside network at any time, for security. The following policies are therefore configured:
- Set the policy VACL_A for the technique department: within the time range they can access the outside network (the rule is permit), but at other times the rule is deny; the policy is applied to Vlan1.
- Set the policy VACL_B for the finance department: at any time they cannot access the outside network, but they can access the inside network without limitation; the policy is applied to Vlan2.
The network environment is shown below:
Figure 55-3-1 VLAN-ACL configuration example
Configuration example:
1) First, configure a time range; the valid time is the working hours of working days:
XGS3-42000R(config)#time-range t1
XGS3-42000R(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
XGS3-42000R(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended IP ACL vacl_a; during working hours it only allows access to resources within the internal network (such as 192.168.0.255).
XGS3-42000R(config)# ip access-list extended vacl_a
XGS3-42000R(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
XGS3-42000R(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended IP ACL vacl_b; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
XGS3-42000R(config)#ip access-list extended vacl_b
XGS3-42000R(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255
XGS3-42000R(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination
4) Apply the configuration to the VLANs:
XGS3-42000R(config)#vacl ip access-group vacl_a in vlan 1
XGS3-42000R(config)#vacl ip access-group vacl_b in vlan 2
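The rules of section 55.1 and the two lists above, evaluated in an added Python example (not PLANET's code or the switch firmware). It checks an egress binding against the four-resource budget, applies the deny-first combination of a VLAN ACL and a Port ACL, and walks vacl_a and vacl_b over constructed destinations and timestamps with the wildcard-mask and time-range semantics the commands use. The timestamps and the outside address 8.8.8.8 are constructed, and the action taken when no rule matches is a parameter because the example does not state the switch default.

```python
import ipaddress
from datetime import datetime, time

EGRESS_COST = {"ip": 1, "mac": 1, "mac-ip": 2, "ipv6": 2}   # resources used per ACL type (55.1)
EGRESS_BUDGET = 4                                            # resources on the egress side of a VLAN


def egress_binding_ok(acl_types) -> bool:
    """Section 55.1: each type at most once per VLAN, and the bound types fit in four resources."""
    types = list(acl_types)
    if len(set(types)) != len(types) or any(t not in EGRESS_COST for t in types):
        return False
    return sum(EGRESS_COST[t] for t in types) <= EGRESS_BUDGET


def combine(vlan_acl: str, port_acl: str) -> str:
    """Deny-first: a packet matched by both a VLAN ACL and a Port ACL is dropped if either drops it."""
    return "deny" if "deny" in (vlan_acl, port_acl) else "permit"


WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday, as 'periodic weekdays' selects
T1 = [(WEEKDAYS, time(9, 0), time(12, 0)), (WEEKDAYS, time(13, 0), time(18, 0))]   # time-range t1


def in_time_range(periods, when: datetime) -> bool:
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in periods)


def wildcard_match(rule_ip: str, wildcard: str, ip: str) -> bool:
    """'192.168.0.0 0.0.0.255' style match: bits set in the wildcard are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(rule_ip)) & care == int(ipaddress.IPv4Address(ip)) & care


def evaluate(acl, dst_ip: str, when: datetime, default: str = "permit") -> str:
    """First matching active rule wins; 'default' applies when no rule matches (assumption:
    the manual's example does not state the switch default)."""
    for action, rule_ip, wildcard, periods in acl:
        if periods is not None and not in_time_range(periods, when):
            continue                               # rule only exists inside its time-range
        if rule_ip == "any" or wildcard_match(rule_ip, wildcard, dst_ip):
            return action
    return default


# The two lists of section 55.3 as (action, destination, wildcard, time-range) rules.
VACL_A = [("permit", "192.168.0.0", "0.0.0.255", T1), ("deny", "any", None, T1)]
VACL_B = [("permit", "192.168.1.0", "0.0.0.255", None), ("deny", "any", None, None)]


def example_55_3() -> dict:
    """Constructed timestamps: a working-hour slot and an evening slot on Wednesday 2010-06-16."""
    work, evening = datetime(2010, 6, 16, 10, 0), datetime(2010, 6, 16, 20, 0)
    return {
        "vlan1 internal at work": evaluate(VACL_A, "192.168.0.7", work),
        "vlan1 internet at work": evaluate(VACL_A, "8.8.8.8", work),
        "vlan1 internet evening": evaluate(VACL_A, "8.8.8.8", evening),   # t1 rules inactive
        "vlan2 internal": evaluate(VACL_B, "192.168.1.9", evening),
        "vlan2 internet": evaluate(VACL_B, "8.8.8.8", work),
        "vlan acl permit, port acl deny": combine("permit", "deny"),
    }
```

Note that vacl_a has no rule outside t1, so "vlan1 internet evening" falls through to the default; whether that is permit or deny on the switch is worth verifying with show vacl before relying on it.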
55.4 VLAN-ACL Troubleshooting
• When a VLAN ACL and a port ACL are configured at the same time, the deny-first principle is used: when a packet matches both the VLAN ACL and the port ACL, the final action is drop as long as either rule is drop.
• Only one ACL of each type can be applied to a VLAN; for example, each VLAN can have only one basic IP ACL applied.
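The following is an added example, not code from the PLANET manual: a small model of the VLAN-ACL policy in 55.3 and the deny-first rule above, so that the effect of the time-range on the configured rules can be checked before the policy is applied. The rule syntax, the time-range periods and the wildcard masks are transcribed from the manual; the action taken when no active rule matches is not stated by the manual and is therefore an assumption passed in as a parameter, and the dates used are constructed.

```python
# Added example (not from the PLANET manual): model of the 55.3 VLAN-ACL policy.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class TimeRange:
    """A time-range built from 'periodic weekdays HH:MM:SS to HH:MM:SS' lines."""
    name: str
    periods: List[Tuple[time, time]] = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        if at.weekday() > 4:                      # weekdays = Monday .. Friday
            return False
        return any(start <= at.time() <= end for start, end in self.periods)


@dataclass
class Rule:
    """One 'permit|deny ip any-source <dst> <wildcard> [time-range <name>]' entry."""
    action: str                                   # "permit" or "deny"
    dst: str                                      # destination address
    wildcard: str                                 # 0 bits must match, 1 bits are ignored
    time_range: Optional[TimeRange] = None

    def matches(self, dst: IPv4Address, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False                          # a time-ranged rule is inactive outside its periods
        care = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return int(dst) & care == int(IPv4Address(self.dst)) & care


def evaluate(rules: List[Rule], dst: str, at: datetime, default_action: str) -> str:
    """First active matching rule wins; default_action is the ASSUMED fallback."""
    addr = IPv4Address(dst)
    for rule in rules:
        if rule.matches(addr, at):
            return rule.action
    return default_action


def final_action(vlan_acl_action: str, port_acl_action: str) -> str:
    """Deny-first (55.4): if either the VLAN ACL or the port ACL drops, the packet is dropped."""
    return "deny" if "deny" in (vlan_acl_action, port_acl_action) else "permit"


# The manual's configuration, transcribed: time-range t1 and the two VACLs.
T1 = TimeRange("t1", [(time(9, 0, 0), time(12, 0, 0)), (time(13, 0, 0), time(18, 0, 0))])
VACL_A = [Rule("permit", "192.168.0.0", "0.0.0.255", T1),
          Rule("deny", "0.0.0.0", "255.255.255.255", T1)]       # any-destination
VACL_B = [Rule("permit", "192.168.1.0", "0.0.0.255"),
          Rule("deny", "0.0.0.0", "255.255.255.255")]


def policy_table(default_action: str = "permit") -> dict:
    """Evaluate both VACLs at constructed moments: a weekday in working hours,
    the same weekday at lunch, and a Saturday (dates are constructed)."""
    moments = {"tue_10h": datetime(2024, 3, 5, 10, 0), "tue_12h30": datetime(2024, 3, 5, 12, 30),
               "sat_10h": datetime(2024, 3, 9, 10, 0)}
    table = {}
    for label, at in moments.items():
        table[label] = {
            "vlan1_internal": evaluate(VACL_A, "192.168.0.10", at, default_action),
            "vlan1_outside": evaluate(VACL_A, "203.0.113.7", at, default_action),
            "vlan2_internal": evaluate(VACL_B, "192.168.1.10", at, default_action),
            "vlan2_outside": evaluate(VACL_B, "203.0.113.7", at, default_action),
        }
    return table


if __name__ == "__main__":
    for label, row in policy_table().items():
        print(label, row)
```

Because both vacl_a entries carry the time-range, nothing in vacl_a is active outside working hours; the table makes that dependence on the fallback action visible before the ACL is applied.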
55.5 Introduction to Mirror
Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function.
Port mirror refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. A protocol analyzer (such as Sniffer) or an RMON monitor is connected to the mirror destination port to monitor and manage the network and diagnose problems in it.
The CPU mirror function means that the switch copies the data frames received or sent by the CPU exactly to a port. The flow mirror function means that the switch copies the data frames received on a port and matched by the specified rule exactly to another port. Flow mirror takes effect only when the specified rule is permit.
A chassis switch supports at most 4 mirror destination ports; each board card allows a source or destination port of a mirror session. At present each box switch can set many mirror sessions. For the 5950 series box switches, multiple mirror sessions are not supported by XGS3-24040-52T/XGS3-24040-52T-L. There is no limitation on mirror source ports: one port or several ports are allowed. When there is more than one source port, they can be in the same VLAN or in different VLANs. The source port and destination port can be in different VLANs.
A box switch cannot use the CPU's rx mirror and a port's tx mirror at the same time.
55.6 Mirror Configuration Task List
1. Specify mirror destination port
2. Specify mirror source port (CPU)
3. Specify flow mirror source

1. Specify mirror destination port
Global mode
Command: monitor session <session> destination interface <interface-number>
         no monitor session <session> destination interface <interface-number>
Explanation: Specifies the mirror destination port; the no command deletes the mirror destination port.

2. Specify mirror source port (CPU)
Global mode
Command: monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]} {rx | tx | both}
         no monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]}
Explanation: Specifies the mirror source port; the no command deletes the mirror source port.

3. Specify flow mirror source
Global mode
Command: monitor session <session> source {interface <interface-list>} access-group <num> {rx | tx | both}
         no monitor session <session> source {interface <interface-list>} access-group <num>
Explanation: Specifies the flow mirror source port and applies the rule; the no command deletes the flow mirror source port.
55.7 Mirror Examples
Example:
The requirement of the configuration is as follows: monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, the data frames sent and received by the CPU, and the data frames received by interface 15 and matched by rule 120 (the source IP address is 1.2.3.4 and the destination IP address is 5.6.7.8).
Configuration guidelines:
1. Configure interface 1 to be the mirror destination interface.
2. Configure interface 7 ingress and interface 9 egress to be mirror sources.
3. Configure the CPU as one of the sources.
4. Configure access list 120.
5. Bind access list 120 to interface 15 ingress.
The configuration procedure is as follows:
XGS3-42000R(config)#monitor session 4 destination interface ethernet 1/1
XGS3-42000R(config)#monitor session 4 source interface ethernet 1/7 rx
XGS3-42000R(config)#monitor session 4 source interface ethernet 1/9 tx
XGS3-42000R(config)#monitor session 4 source cpu
XGS3-42000R(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
XGS3-42000R(config)#monitor session 4 source interface ethernet 1/15 access-list 120 rx
55.8 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, please check the following first for causes:
• Whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
• If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic; please decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port.
• The mirror destination port cannot be placed in an isolated VLAN, or mirroring between VLANs will be affected.
Chapter 56 RSPAN Configuration
56.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. Once mirroring is in place it is more convenient for the network administrator to monitor, manage and diagnose the network. But it can only be used when the mirror source port and the mirror destination port are located on the same switch.
RSPAN (Remote Switched Port Analyzer) refers to remote port mirroring. It eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network, and helps the network administrator manage remote switches. Traffic flows cannot be forwarded on the remote mirror VLAN.
There are three types of switches with RSPAN enabled:
1. Source switch: The switch to which the monitored port belongs. The source switch copies the mirrored traffic flows to the Remote VLAN, and then, through Layer 2 forwarding, the mirrored flows are sent to an intermediate switch or the destination switch.
2. Intermediate switch: Switches between the source switch and the destination switch on the network. An intermediate switch forwards mirrored flows to the next intermediate switch or to the destination switch. There may be no intermediate switch at all, if a direct connection exists between the source and destination switches.
3. Destination switch: The switch to which the destination port for remote mirroring belongs. It forwards the mirrored flows it receives from the Remote VLAN to the monitoring device through the destination port.
When configuring RSPAN mirroring on the source switch, either reflector port mode or destination mirror port mode can be selected. The destination switch will redirect all the data frames in the RSPAN VLAN to the RSPAN destination port. For RSPAN mirroring, normal mode or advanced mode can be chosen; normal mode is the default and suits the normal user, while advanced mode suits the advanced user.
1. Advanced mode: To redirect data frames in the RSPAN VLAN to the RSPAN destination port, the intermediate and destination devices must support flow redirection.
2. Normal mode: The RSPAN destination port is configured in the RSPAN VLAN, so datagrams in the RSPAN VLAN are broadcast to the destination port. In this mode the destination port must be in the RSPAN VLAN, and the source port must not be configured for broadcast storm control. TRUNK ports should be configured carefully so as not to forward RSPAN datagrams to external networks. Normal mode has the benefit of easy configuration and reduced use of system resources.
To be noticed: Normal mode is the default. When using normal mode, datagrams with reserved MAC addresses cannot be broadcast.
For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more. Multiple source ports are not restricted to the same VLAN. The destination port and the source ports can be in different VLANs.
To configure RSPAN, a dedicated RSPAN VLAN must first be configured to carry the RSPAN datagrams. The default VLAN, dynamic VLANs, private VLANs, multicast VLANs and VLANs with a Layer 3 interface enabled cannot be configured as the RSPAN VLAN. The reflector port must belong to the RSPAN VLAN. The destination port should be connected to the monitor and configured as an access port or a TRUNK port. The RSPAN reflector port works exclusively for mirroring: when a port is configured as a reflector port, it discards all existing connections to the remote peer, disables configurations related to loopback interfaces, and stops forwarding datagrams. Connectivity between the source and destination switches over the Remote VLAN must be ensured by configuration.
To be noticed:
1. Layer 3 interfaces related to the RSPAN VLAN should not be configured on the source, intermediate or destination switches, or the mirrored datagrams may be discarded.
2. For the source and intermediate switches in the RSPAN path, the native VLAN of a TRUNK port cannot be configured as the RSPAN VLAN; otherwise the RSPAN tag will be stripped before reaching the destination switch.
3. The source port, in access or trunk mode, should not be added to the RSPAN VLAN if advanced RSPAN mode is chosen. When the reflector port is used for inter-card mirroring of CPU TX data, it must be configured as a TRUNK port that allows the RSPAN VLAN data to pass, and its native VLAN should not be configured as the RSPAN VLAN.
4. When configuring the remote mirroring function, the network bandwidth should be considered so that it can carry both the network flow and the mirrored flow.
Keywords:
RSPAN: Remote Switched Port Analyzer
RSPAN VLAN: Dedicated VLAN for RSPAN
RSPAN Tag: The VLAN tag which is attached to the MTP of the RSPAN datagrams.
Reflector Port: The local mirroring port between the RSPAN source and destination ports, which is not directly connected to the intermediate switches.
56.2 RSPAN Configuration Task List
1. Configure RSPAN VLAN
2. Configure mirror source port (CPU)
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group

1. Configure RSPAN VLAN
VLAN Configuration Mode
Command: remote-span
         no remote-span
Explanation: Configures the specified VLAN as the RSPAN VLAN. The no command removes the RSPAN VLAN configuration.

2. Configure mirror source port (CPU)
Global Mode
Command: monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]} {rx | tx | both}
         no monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]}
Explanation: Configures the mirror source port; the no command deletes the mirror source port.

3. Configure mirror destination port
Global Mode
Command: monitor session <session> destination interface <interface-number>
         no monitor session <session> destination interface <interface-number>
Explanation: Configures the mirror destination interface; the no command deletes the mirror destination port.

4. Configure reflector port
Global Mode
Command: monitor session <session> reflector-port <interface-number>
         no monitor session <session> reflector-port
Explanation: Configures the interface as the reflector port; the no command deletes the reflector port.

5. Configure remote VLAN of mirror group
Global Mode
Command: monitor session <session> remote vlan <vid>
         no monitor session <session> remote vlan
Explanation: Configures the remote VLAN of the mirror group; the no command deletes the remote VLAN of the mirror group.
56.3 Typical Examples of RSPAN
Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network.
However, with the help of RSPAN, network administrators can configure and supervise the switches remotely, which brings more efficiency. The figure below shows a sample application of RSPAN.
Figure 56-3-1 RSPAN Application Sample (Source Switch E1/E2, Intermediate Switch E6/E7, Destination Switch E9/E10, PC1, Monitor)
Two configuration solutions can be chosen for RSPAN: the first is without a reflector port and the other is with a reflector port. In the first one, only one fixed port can be connected to the intermediate switch, but no reflector port has to be configured, which maximizes the use of switch ports. In the latter one, the port connected to the intermediate switch is not fixed: datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more flexible.
The normal mode configuration is shown below:
Solution 1:
Source switch:
Interface ethernet 1/1 is the source port for mirroring.
Interface ethernet 1/2 is the destination port, which is connected to the intermediate switch.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/2)#exit
XGS3-42000R(config)#monitor session 1 source interface ethernet 1/1 rx
XGS3-42000R(config)#monitor session 1 destination interface ethernet 1/2
XGS3-42000R(config)#monitor session 1 remote vlan 5
Intermediate switch:
Interface ethernet 1/6 is the source port, which is connected to the source switch.
Interface ethernet 1/7 is the destination port, which is connected to the destination switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/6-7
XGS3-42000R(config-If-Port-Range)#switchport mode trunk
XGS3-42000R(config-If-Port-Range)#exit
Destination switch:
Interface ethernet 1/9 is the source port, which is connected to the source switch.
Interface ethernet 1/10 is the destination port, which is connected to the monitor. This port is required to be configured as an access port and to belong to the RSPAN VLAN.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/9
XGS3-42000R(config-If-Ethernet1/9)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/9)#exit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#switchport access vlan 5
XGS3-42000R(config-If-Ethernet1/10)#exit
Solution 2:
Source switch:
Interface ethernet 1/1 is the source port.
Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch. Its native VLAN should not be the RSPAN VLAN.
Interface ethernet 1/3 is the reflector port. The reflector port belongs to the RSPAN VLAN; it is an access port or a TRUNK port of the RSPAN VLAN.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/2)#exit
XGS3-42000R(config)#interface ethernet 1/3
XGS3-42000R(config-If-Ethernet1/3)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/3)#exit
XGS3-42000R(config)#monitor session 1 source interface ethernet 1/1 rx
XGS3-42000R(config)#monitor session 1 reflector-port ethernet 1/3
XGS3-42000R(config)#monitor session 1 remote vlan 5
Intermediate switch:
Interface ethernet 1/6 is the source port, which is connected to the source switch.
Interface ethernet 1/7 is the destination port, which is connected to the destination switch. The native VLAN of the port should not be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/6-7
XGS3-42000R(config-If-Port-Range)#switchport mode trunk
XGS3-42000R(config-If-Port-Range)#exit
Destination switch:
Interface ethernet 1/9 is the source port, which is connected to the source switch.
Interface ethernet 1/10 is the destination port, which is connected to the monitor. This port is required to be configured as an access port and to belong to the RSPAN VLAN.
RSPAN VLAN is 5.
XGS3-42000R(config)#vlan 5
XGS3-42000R(config-Vlan5)#remote-span
XGS3-42000R(config-Vlan5)#exit
XGS3-42000R(config)#interface ethernet 1/9
XGS3-42000R(config-If-Ethernet1/9)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/9)#exit
XGS3-42000R(config)#interface ethernet 1/10
XGS3-42000R(config-If-Ethernet1/10)#switchport access vlan 5
XGS3-42000R(config-If-Ethernet1/10)#exit
56.4 RSPAN Troubleshooting
RSPAN may not function for the following reasons:
• The destination mirror port is a member of a port-channel group. If so, please change the port-channel group configuration.
• The throughput of the destination port is less than the total throughput of the source mirror ports. If so, the destination cannot capture all the datagrams from every source port. To solve the problem, please reduce the number of source ports, mirror only a single direction of the data flow, or choose some other port with higher capacity as the destination port.
• Between the source switch and the intermediate switch, the native VLAN of the TRUNK ports is configured as the RSPAN VLAN. If so, please change the native VLAN of the TRUNK ports.
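The following is an added example and not code from the PLANET manual: a consistency check over a simplified description of each switch's RSPAN-related configuration, encoding the rules from the "To be noticed" list in 56.1 and the troubleshooting items above (default VLAN not usable as RSPAN VLAN, trunk native VLAN not equal to the RSPAN VLAN on source and intermediate switches, destination and reflector ports in the RSPAN VLAN and not in a port-channel, destination throughput at least the mirrored load). The Port and Switch classes, the link speeds and the assumption that VLAN 1 is the default VLAN are made for this example; the sample switches reproduce Solution 2's source switch and the destination switch from the examples.

```python
# Added example (not the manual's code): RSPAN configuration consistency check.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_VLAN = 1                                  # assumed: VLAN 1 is the default VLAN


@dataclass
class Port:
    mode: str                                     # "access" or "trunk"
    access_vlan: int = DEFAULT_VLAN
    native_vlan: int = DEFAULT_VLAN               # meaningful for trunk ports only
    speed_mbps: int = 1000                        # constructed link speed
    in_port_channel: bool = False

    def carries(self, vlan: int) -> bool:
        """Whether frames of 'vlan' can pass this port at all."""
        return self.mode == "trunk" or self.access_vlan == vlan


@dataclass
class Switch:
    name: str
    role: str                                     # "source", "intermediate" or "destination"
    rspan_vlan: int
    ports: Dict[str, Port]
    sources: Dict[str, str] = field(default_factory=dict)   # port -> "rx" | "tx" | "both"
    destination: Optional[str] = None             # mirror destination port (normal mode)
    reflector: Optional[str] = None               # reflector port (source switch, Solution 2)


def check_switch(sw: Switch) -> List[str]:
    """Findings in plain words; an empty list means none of the manual's rules is violated."""
    findings = []
    if sw.rspan_vlan == DEFAULT_VLAN:
        findings.append(f"{sw.name}: the default VLAN cannot be configured as the RSPAN VLAN")
    if sw.role in ("source", "intermediate"):
        for name, port in sw.ports.items():
            if port.mode == "trunk" and port.native_vlan == sw.rspan_vlan:
                findings.append(f"{sw.name}: native VLAN of trunk {name} is the RSPAN VLAN, so the "
                                "RSPAN tag would be stripped before the destination switch")
    for kind, pname in (("destination", sw.destination), ("reflector", sw.reflector)):
        if pname is None:
            continue
        port = sw.ports[pname]
        if port.in_port_channel:
            findings.append(f"{sw.name}: {kind} port {pname} is a port-channel member")
        if not port.carries(sw.rspan_vlan):
            findings.append(f"{sw.name}: {kind} port {pname} does not belong to the RSPAN VLAN")
    sink = sw.destination or sw.reflector        # the local port that must absorb the mirrored traffic
    if sink is not None and sw.sources:
        # mirroring both directions of a source port can produce up to twice its line rate
        load = sum(sw.ports[p].speed_mbps * (2 if d == "both" else 1) for p, d in sw.sources.items())
        cap = sw.ports[sink].speed_mbps
        if load > cap:
            findings.append(f"{sw.name}: mirrored load {load} Mb/s exceeds {sink} ({cap} Mb/s); reduce "
                            "source ports, mirror one direction only, or use a faster destination")
    return findings


def solution2_source(native_on_trunk: int = DEFAULT_VLAN, direction: str = "rx") -> Switch:
    """The manual's Solution 2 source switch: 1/1 source, 1/2 trunk uplink, 1/3 reflector, RSPAN VLAN 5."""
    return Switch("source switch", "source", rspan_vlan=5,
                  ports={"ethernet 1/1": Port("access"),
                         "ethernet 1/2": Port("trunk", native_vlan=native_on_trunk),
                         "ethernet 1/3": Port("trunk")},
                  sources={"ethernet 1/1": direction}, reflector="ethernet 1/3")


def destination_switch(access_vlan: int = 5) -> Switch:
    """The manual's destination switch: 1/9 trunk from the RSPAN path, 1/10 access port to the monitor."""
    return Switch("destination switch", "destination", rspan_vlan=5,
                  ports={"ethernet 1/9": Port("trunk"),
                         "ethernet 1/10": Port("access", access_vlan=access_vlan)},
                  destination="ethernet 1/10")


if __name__ == "__main__":
    for sw in (solution2_source(), solution2_source(native_on_trunk=5), destination_switch(access_vlan=1)):
        print(sw.name, check_switch(sw) or ["ok"])
```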
Chapter 57 sFlow Configuration
57.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based traffic export protocol used to monitor network traffic information, developed by the InMon Company. The monitored switch or router sends data to the client analyzer through its main operations, sampling and statistics; the analyzer then analyzes the data according to the user's requirements in order to monitor the network.
An sFlow monitoring system includes the sFlow proxy (agent), the central data collector and the sFlow analyzer. The sFlow proxy collects data from the switch using sampling technology. The sFlow collector formats the sampled data and statistics, which are forwarded to the sFlow analyzer; the analyzer analyzes the sampled data and takes the corresponding measures according to the result. Our switch here acts as the proxy and central data collector in the sFlow system. Data sampling and statistics are implemented per physical port.
Our data samples include IPv4 and IPv6 packets. Extensions of other types are not supported so far. For non-IPv4 and non-IPv6 packets, the unified HEADER mode is adopted, following the requirements of RFC 3176, copying the packet's header information based on an analysis of its protocol type.
The latest sFlow protocol presented by the InMon Company is version 5. Since it is version 4 that is realized in RFC 3176, version conflicts may exist in some cases, such as in the structure and the packet format. Because version 5 has not become the official protocol, in order to be compatible with current applications we will continue to follow RFC 3176.
57.2 sFlow Configuration Task List
1. Configure sFlow Collector address
Global mode and Port Mode
Command: sflow destination <collector-address> [<collector-port>]
         no sflow destination
Explanation: Configures the IP address and port number of the host on which the sFlow analysis software is installed. For ports, if an IP address is configured on the port, the port configuration is applied; otherwise the global configuration is applied. The "no sflow destination" command restores the default port value and deletes the IP address.

2. Configure the sFlow proxy address
Global Mode
Command: sflow agent-address <collector-address>
         no sflow agent-address
Explanation: Configures the source IP address used by the sFlow proxy; the "no" form of the command deletes this address.

3. Configure the sFlow proxy priority
Global Mode
Command: sflow priority <priority-value>
         no sflow priority
Explanation: Configures the priority with which sFlow receives packets from the hardware; the "no sflow priority" command restores the default.

4. Configure the packet header length copied by sFlow
Port Mode
Command: sflow header-len <length-value>
         no sflow header-len
Explanation: Configures the length of the packet header copied in sFlow data sampling; the "no" form of this command restores the default value.

5. Configure the max data header length of the sFlow packet
Port Mode
Command: sflow data-len <length-value>
         no sflow data-len
Explanation: Configures the max length of the data packet in sFlow; the "no" form of this command restores the default.

6. Configure the sampling rate value
Port Mode
Command: sflow rate {input <input-rate> | output <output-rate>}
         no sflow rate [input | output]
Explanation: Configures the sampling rate used when sFlow performs hardware sampling. The "no" command deletes the rate value.

7. Configure the sFlow statistic sampling interval
Port Mode
Command: sflow counter-interval <interval-value>
         no sflow counter-interval
Explanation: Configures the max interval when sFlow performs statistic sampling. The "no" form of this command deletes
57.3 sFlow Examples
Figure 57-3-1 sFlow configuration topology (SWITCH, PC)
As shown in the figure, sFlow sampling is enabled on ports 1/1 and 1/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The address of the Layer 3 interface on SwitchA connected to the PC is 192.168.1.100. A loopback interface with the address 10.1.144.2 is configured on SwitchA. The sFlow configuration is as follows:
XGS3-42000R#config
XGS3-42000R(config)#sflow agent-address 10.1.144.2
XGS3-42000R(config)#sflow destination 192.168.1.200
XGS3-42000R(config)#sflow priority 1
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(Config-If-Ethernet1/1)#sflow rate input 10000
XGS3-42000R(Config-If-Ethernet1/1)#sflow rate output 10000
XGS3-42000R(Config-If-Ethernet1/1)#sflow counter-interval 20
XGS3-42000R(Config-If-Ethernet1/1)#exit
XGS3-42000R(config)#interface ethernet 1/2
XGS3-42000R(Config-If-Ethernet1/2)#sflow rate input 20000
XGS3-42000R(Config-If-Ethernet1/2)#sflow rate output 20000
XGS3-42000R(Config-If-Ethernet1/2)#sflow counter-interval 40
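The following is an added example, not code from the PLANET manual or from InMon: a decoder for the RFC 3176 (sFlow version 4) datagrams that the switch exports in HEADER mode, as described in 57.1, run on a datagram constructed here with the agent address and the sampling rates of the example above. The field layout follows RFC 3176; the sampled frame bytes, the counters, the uptime, the ifIndex values and the 128-byte header length are constructed values, and the encoder exists only to build that test datagram.

```python
# Added example: RFC 3176 sFlow v4 decoder; constructed values are marked as such.
import struct
from ipaddress import IPv4Address

VERSION4, ADDR_IPV4 = 4, 1            # datagram_version, address_type (IP_V4)
FLOW_SAMPLE = 1                       # sample_types: 1 = flow sample, 2 = counters sample
PACKET_DATA_HEADER = 1                # packet_data_type: 1 = raw header, 2 = IPv4, 3 = IPv6
PROTO_ETHERNET = 1                    # header_protocol: ETHERNET-ISO88023

def xdr_opaque(data: bytes) -> bytes:
    """XDR opaque<>: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    return struct.pack("!I", len(data)) + data + b"\0" * (-len(data) % 4)

def encode_flow_sample(seq, ifindex_in, ifindex_out, rate, pool, drops, frame, header_len):
    """flow_sample whose packet_data is a sampled_header holding at most header_len bytes
    (the 'sflow header-len' value) of the sampled frame."""
    source_id = (0 << 24) | ifindex_in          # sFlowDataSource type 0 = ifIndex, index below
    fixed = struct.pack("!IIIIIIII", FLOW_SAMPLE, seq, source_id, rate, pool, drops,
                        ifindex_in, ifindex_out)
    pkt = struct.pack("!III", PACKET_DATA_HEADER, PROTO_ETHERNET, len(frame))
    return fixed + pkt + xdr_opaque(frame[:header_len]) + struct.pack("!I", 0)  # no extended_data

def encode_datagram(agent: str, seq: int, uptime_ms: int, samples: list) -> bytes:
    """sample_datagram_v4: version, agent address, sequence, uptime, sample array."""
    head = struct.pack("!IIIIII", VERSION4, ADDR_IPV4, int(IPv4Address(agent)),
                       seq, uptime_ms, len(samples))
    return head + b"".join(samples)

class Reader:
    """Cursor over XDR bytes; every scalar is a 4-byte big-endian unsigned int."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated datagram")
        (v,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self) -> bytes:
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated opaque field")
        v = self.data[self.pos:self.pos + n]
        self.pos += (n + 3) & ~3                # skip the XDR padding too
        return v

def parse_flow_sample(r: Reader) -> dict:
    # v4 samples carry no length field, so an unknown sample type cannot be skipped over
    if r.u32() != FLOW_SAMPLE:
        raise ValueError("only flow samples are decoded here")
    seq, source_id, rate, pool, drops, inp, out = (r.u32() for _ in range(7))
    if r.u32() != PACKET_DATA_HEADER:
        raise ValueError("only HEADER packet data is decoded here")
    proto, frame_len = r.u32(), r.u32()
    header = r.opaque()
    if r.u32() != 0:
        raise ValueError("extended_data records are not decoded here")
    sample = {"seq": seq, "source_type": source_id >> 24, "source_index": source_id & 0xFFFFFF,
              "sampling_rate": rate, "sample_pool": pool, "drops": drops, "ifindex_in": inp,
              "ifindex_out": out, "frame_length": frame_len, "header_len": len(header)}
    if proto == PROTO_ETHERNET and len(header) >= 34 and header[12:14] == b"\x08\x00":
        sample["src_ip"] = str(IPv4Address(header[26:30]))   # IPv4 addresses inside the copied header
        sample["dst_ip"] = str(IPv4Address(header[30:34]))
    return sample

def parse_datagram(data: bytes) -> dict:
    r = Reader(data)
    if r.u32() != VERSION4:
        raise ValueError("not an sFlow version 4 datagram")
    if r.u32() != ADDR_IPV4:
        raise ValueError("only IPv4 agent addresses are decoded here")
    agent = str(IPv4Address(r.u32()))
    seq, uptime_ms, count = r.u32(), r.u32(), r.u32()
    return {"agent": agent, "sequence": seq, "uptime_ms": uptime_ms,
            "samples": [parse_flow_sample(r) for _ in range(count)]}

def estimate_traffic(datagram: dict) -> dict:
    """Each sample stands, on average, for sampling_rate frames of its size."""
    frames = sum(s["sampling_rate"] for s in datagram["samples"])
    octets = sum(s["sampling_rate"] * s["frame_length"] for s in datagram["samples"])
    return {"frames": frames, "octets": octets}

# Constructed sampled frame: Ethernet II + minimal IPv4 header, padded to 1500 bytes.
FRAME = (bytes.fromhex("001122334455 66778899aabb 0800")
         + bytes.fromhex("450005dc 00004000 40060000") + bytes([192, 168, 1, 10])
         + bytes([203, 0, 113, 7]) + bytes(1500 - 34))

def sample_datagram() -> bytes:
    """Constructed datagram from agent 10.1.144.2: one sample from port 1/1 (rate 10000)
    and one 64-byte frame from port 1/2 (rate 20000), header-len 128 on both."""
    s1 = encode_flow_sample(1, 1, 9, 10000, 10000, 0, FRAME, 128)
    s2 = encode_flow_sample(1, 2, 9, 20000, 20000, 0, FRAME[:64], 128)
    return encode_datagram("10.1.144.2", 7, 123456, [s1, s2])
```

The decoder refuses anything other than a flow sample with HEADER data because, unlike version 5, version 4 samples carry no length field and an unknown sample type cannot be skipped safely.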
57.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following:
• Ensure the physical connection is correct.
• Guarantee that the address of the sFlow analyzer configured under global or port mode is reachable.
• If traffic sampling is required, the sampling rate of the interface must be configured.
• If statistic sampling is required, the statistic sampling interval of the interface must be configured.
If the problem remains unsolved, please contact the technical service center of our company.
Chapter 58 VRRP Configuration
58.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LANs) with multicast/broadcast capability (Ethernet, for example) and is widely used.
All hosts in a LAN generally have a default route configured to a specified default gateway; any packet destined to an address outside the local segment is sent to the default gateway via this default route, and so the hosts in the LAN can communicate with external networks. However, if the communication link connecting the router serving as the default gateway to the external networks fails, all hosts using that gateway as their default next hop will be unable to communicate with the external networks.
VRRP emerged to resolve this problem. VRRP runs on multiple routers in a LAN, simulating a "virtual" router (also referred to as a "Standby cluster") with the multiple routers. There is an active router (the "Master") and one or more backup routers (the "Backup") in the Standby cluster. The workload of the virtual router is actually carried by the active router, while the Backup routers serve as backups for it.
The virtual router has its own "virtual" IP address (which can be identical to the IP address of some router in the Standby cluster), and the routers in the Standby cluster also have their own IP addresses. Since VRRP runs on routers or Ethernet switches only, the Standby cluster is transparent to the hosts in the segment. To them, only the IP address of the Virtual Router exists, not the actual IP addresses of the Master and Backup(s), and the default gateway setting of all the hosts uses the IP address of the Virtual Router. Therefore hosts within the LAN communicate with other networks via this Virtual Router; in practice they are communicating with the other networks via the Master. When the Master of the Standby cluster fails, a Backup takes over its task and becomes the Master to serve all the hosts in the LAN, so that uninterrupted communication between LAN hosts and external networks is achieved.
To sum up, in a VRRP Standby cluster there is always one router/Ethernet switch serving as the active router (Master), while the rest of the Standby cluster members act as the backup router(s) (Backup, possibly several) and monitor the activity of the Master all the time. Should the Master fail, a new Master is elected by all the Backups to take over the work and continue serving the hosts within the segment. Since the election and take-over are brief and smooth, hosts within the segment can use the Virtual Router as normal and uninterrupted communication is achieved.
58.2 VRRP Configuration Task List
Configuration Task List:
1. Create/Remove the Virtual Router (required)
2. Configure VRRP dummy IP and interface (required)
3. Activate/Deactivate Virtual Router (required)
4. Configure VRRP sub-parameters (optional)
(1) Configure the preemptive mode for VRRP
(2) Configure VRRP priority
(3) Configure VRRP Timer intervals
(4) Configure VRRP interface monitor

1. Create/Remove the Virtual Router
Global Mode
Command: router vrrp <vrid>
         no router vrrp <vrid>
Explanation: Creates/Removes the Virtual Router.

2. Configure VRRP Dummy IP Address and Interface
VRRP protocol configuration mode
Command: virtual-ip <ip>
         no virtual-ip
Explanation: Configures the VRRP Dummy IP address; the "no virtual-ip" command removes the virtual IP address.
Command: interface {IFNAME | ethernet IFNAME | Vlan <ID>}
         no interface
Explanation: Configures the VRRP interface; the "no interface" command removes the interface.

3. Activate/Deactivate Virtual Router
VRRP protocol configuration mode
Command: enable
Explanation: Activates the Virtual Router.
Command: disable
Explanation: Deactivates the Virtual Router.

4. Configure VRRP Sub-parameters
(1) Configure the preemptive mode for VRRP
VRRP protocol configuration mode
Command: preempt-mode {true | false}
Explanation: Configures the preemptive mode for VRRP.
(2) Configure VRRP priority
VRRP protocol configuration mode
Command: priority <priority>
Explanation: Configures the VRRP priority.
(3) Configure VRRP Timer intervals
VRRP protocol configuration mode
Command: advertisement-interval <time>
Explanation: Configures the VRRP timer value (in seconds).
(4) Configure VRRP interface monitor
VRRP protocol configuration mode
Command: circuit-failover {IFNAME | ethernet IFNAME | Vlan <ID>} <value_reduced>
         no circuit-failover
Explanation: Configures the VRRP interface monitor; the "no circuit-failover" command removes the monitor from the interface.
58.3 VRRP Typical Examples
As shown in the figure below, SwitchA and SwitchB are Layer 3 Ethernet switches in the same group and provide redundancy for each other.
Figure 58-3-1 VRRP Network Topology (SWITCHA Interface vlan1, SWITCHB Interface vlan1)
Configuration of SwitchA:
SwitchA(config)#interface vlan 1
SwitchA(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(config)#router vrrp 1
SwitchA(Config-Router-Vrrp)#virtual-ip 10.1.1.5
SwitchA(Config-Router-Vrrp)#interface vlan 1
SwitchA(Config-Router-Vrrp)#enable
Configuration of SwitchB:
SwitchB(config)#interface vlan 1
SwitchB(Config-if-Vlan1)#ip address 10.1.1.7 255.255.255.0
SwitchB(config)#router vrrp 1
SwitchB(Config-Router-Vrrp)#virtual-ip 10.1.1.5
SwitchB(Config-Router-Vrrp)#interface vlan 1
SwitchB(Config-Router-Vrrp)#enable
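The following is an added example, not code from the PLANET manual: a model of how the sub-parameters of 58.2 decide which member of the standby cluster above is the Master, stepped through a few constructed events for SwitchA (10.1.1.1) and SwitchB (10.1.1.7). The priority, preempt-mode and circuit-failover commands are the manual's; the default priority of 100, the tie-break on the higher interface address and the reading of circuit-failover as "subtract value_reduced while the monitored interface is down" are RFC 3768 behaviour and standard tracking semantics assumed here, and the monitored interface name is constructed.

```python
# Added example (not from the PLANET manual): VRRP Master election model.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    ip: str                                   # the interface's real IP address
    priority: int = 100                       # 'priority <priority>'; 100 is the RFC default (assumed)
    preempt: bool = True                      # 'preempt-mode {true|false}'
    circuit_failover: Dict[str, int] = field(default_factory=dict)   # iface -> value_reduced
    link_up: Dict[str, bool] = field(default_factory=dict)           # iface -> link state
    alive: bool = True                        # False once its advertisements stop arriving

    def effective_priority(self) -> int:
        """Configured priority minus value_reduced for every monitored interface that is down."""
        reduced = sum(v for iface, v in self.circuit_failover.items()
                      if not self.link_up.get(iface, True))
        return max(1, self.priority - reduced)


def rank(router: VrrpRouter):
    """Higher effective priority wins; equal priorities are broken by the higher IP address."""
    return (router.effective_priority(), int(IPv4Address(router.ip)))


def elect_master(routers: List[VrrpRouter], current: Optional[str]) -> str:
    alive = [r for r in routers if r.alive]
    best = max(alive, key=rank)
    master = next((r for r in alive if r.name == current), None)
    if master is None:
        return best.name                      # no Master (or it failed): the Backups elect one
    if best is not master and best.preempt and rank(best) > rank(master):
        return best.name                      # a higher-priority router with preempt-mode true takes over
    return master.name                        # otherwise the current Master keeps serving


def scenario() -> List[str]:
    """SwitchA and SwitchB from the example above, stepped through four constructed
    events; returns the Master after each step."""
    a = VrrpRouter("SwitchA", "10.1.1.1", circuit_failover={"ethernet 1/24": 30},
                   link_up={"ethernet 1/24": True})          # constructed uplink name
    b = VrrpRouter("SwitchB", "10.1.1.7")
    cluster, history = [a, b], []
    master = elect_master(cluster, None)      # 1. both at priority 100: higher IP, SwitchB, wins
    history.append(master)
    a.priority = 120                          # 2. 'priority 120' on SwitchA, preempt true: takes over
    master = elect_master(cluster, master)
    history.append(master)
    a.link_up["ethernet 1/24"] = False        # 3. monitored uplink down: 120 - 30 = 90 < 100
    master = elect_master(cluster, master)
    history.append(master)
    b.alive = False                           # 4. SwitchB stops advertising: SwitchA serves again
    master = elect_master(cluster, master)
    history.append(master)
    return history


if __name__ == "__main__":
    print(scenario())
```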
58.4 VRRP Troubleshooting
When configuring and using VRRP, the protocol may fail to run properly due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
• Good condition of the physical connection.
• All interface and link protocols are in the UP state (use the "show interface" command).
• Ensure VRRP is enabled on the interface. Verify that the authentication mode of the different routers (or L3 Ethernet switches) in the same standby cluster is the same.
• Verify that the timer values of the different routers (or L3 Ethernet switches) in the same standby cluster are the same.
• Verify that the dummy IP address is in the same network segment as the interface's actual IP address.
• If the problem remains unsolved, please use "debug vrrp" and other debugging commands, copy the DEBUG messages within 3 minutes and send the recorded messages to the technical service center of our company.
Chapter 59 IPv6 VRRPv3 Configuration
59.1 Introduction to VRRPv3
VRRP v3 is a virtual router redundancy protocol for IP v6. It is designed based on VRRP (V RRP v2) in IP v4
environment. The following is a brief introduction to it.
In a network based on the TCP/IP protocol, routers must be specified in order to guarantee communication between devices which are not physically connected. At present there are two commonly used methods of specifying routers: one is to learn them dynamically via routing protocols (such as the interior routing protocols RIP and OSPF); the other is to configure them statically. Running a dynamic routing protocol on each terminal is unrealistic, since most client operating systems do not support dynamic routing protocols, and even where they do, they are limited by the overheads of management, convergence, security and many other problems. So the common method is to adopt static routing configuration on terminal IP devices, which usually means specifying one or more default gateways for the terminal devices. Static routing simplifies the management of the network and reduces the communication overheads of terminal devices, but it still has a disadvantage: if the router acting as the default gateway breaks, communication is interrupted for all the hosts which use this gateway as their next hop. Even if there is more than one default gateway, the terminal devices cannot switch to the new gateway before being rebooted. Adopting the Virtual Router Redundancy Protocol (VRRP) can effectively avoid the flaws of statically specifying gateways.
In the VRRP protocol there are two groups of important concepts: VRRP routers and virtual routers, master routers and backup routers. VRRP routers are routers running VRRP, which are physical entities; virtual routers are the ones created by VRRP, which are logical concepts. A group of VRRP routers cooperate to comprise a virtual router, which acts outwardly as a logical router with a unique fixed IP address and MAC address. The routers belonging to the same VRRP group play two mutually exclusive roles: master router and backup router. One VRRP group can have only one master router but one or more backup routers. The VRRPv3 protocol uses a selection policy to select a master router from the router group, which takes charge of responding to ND (Neighbor Discovery) neighbor solicitation messages (ARP in IPv4) and forwarding IP data packets, while the other routers in the group wait as backups. When the master router has a problem for some reason, a backup router is promoted to master router after a delay of a few seconds. Since this switch-over is very fast and does not require changing the IP address or MAC address, it is transparent to terminal user systems.
In an IPv6 environment, the hosts in a LAN usually learn the default gateway via the Neighbor Discovery Protocol (NDP), which relies on regularly receiving advertisement messages from routers. The NDP of IPv6 has a mechanism called Neighbor Unreachability Detection, which checks whether a neighbor node has failed by sending unicast neighbor solicitation messages to it. In order to reduce the overhead of sending neighbor solicitation messages, these messages are only sent to those neighbor nodes to which traffic is being sent, and are only sent if there has been no indication that the router is UP within a period of time. With the default parameters, Neighbor Unreachability Detection takes about 38 seconds to detect an unreachable router, which is a delay that users cannot ignore and that might cause a time-out in some transport protocols. Compared with NDP, VRRP provides a fast default gateway switch-over. In VRRP, backup routers can take over from the unavailable master router in about 3 seconds (default parameter), and this process needs no interaction with hosts, which means it is transparent to hosts.
59.1.1 The Format of VRRPv3 Message
VRRPv3 has its own message format. VRRP messages are used to communicate the priority of routers and the state of the Master in the backup group; they are encapsulated in IPv6 packets and sent to a specified IPv6 multicast address. The format of the VRRPv3 message is shown in Figure 59-1-1. The source address of the IPv6 packet encapsulating the VRRPv3 message is the local address of the outbound interface, and its destination address is the IPv6 multicast address (the multicast address allocated to VRRPv3 is FF02:0:0:0:0:0:0:12). The hop limit must be 255, and the Next Header value is 112 (representing a VRRP message).
The meaning of each field in a VRRPv3 message is as follows:
Version: the version of VRRPv3, whose value is 3;
Type: the type of VRRP message. There is only one type, ADVERTISEMENT, whose value is 1;
Virtual Rtr ID: the ID of the virtual router;
Priority: the priority, ranging from 0 to 255;
Count IPv6 Addr: the number of IPv6 addresses in the VRRPv3 message, the minimum of which is 1;
Rsvd: reserved field, whose value is 0;
Adver Int: the advertisement interval of VRRPv3 messages, in seconds;
Checksum: the checksum, computed over the whole VRRPv3 message and an IPv6 pseudo-header (please refer to RFC2460 for details);
IPv6 Address(es): one or more IPv6 addresses related to the virtual router, the number of which is the same as "Count IPv6 Addr", and the first of which must be the virtual IPv6 address of the virtual router.
Figure 59-1-1 VRRPv3 message
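The field layout above can be exercised in code. The following Python script is an added example, not code from the manual or from the switch firmware: it builds a VRRPv3 ADVERTISEMENT with the field order listed above, computes the checksum over the IPv6 pseudo-header (Next Header 112) plus the VRRP payload, and validates a received message the way a passive monitor on the segment would, rejecting anything whose hop limit is not 255, whose destination is not ff02::12, or whose checksum or Count IPv6 Addr does not match the message. The function names and the sample addresses fe80::1 and fe80::2 are this example's assumptions; the 4-bit Rsvd / 12-bit Adver Int split with the interval in centiseconds follows RFC 5798, which the manual does not spell out.

```python
"""Build, checksum and validate a VRRPv3 ADVERTISEMENT (added example).

Assumptions not stated in the manual: the Rsvd/Adver Int halfword is split
4/12 bits with the interval in centiseconds (RFC 5798); names are ours.
"""
import ipaddress
import struct

VRRP_NEXT_HEADER = 112                                # IPv6 Next Header for VRRP
VRRP_MCAST = ipaddress.IPv6Address("ff02::12")        # VRRPv3 multicast group
VRRP_VERSION = 3
VRRP_TYPE_ADVERTISEMENT = 1


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (Internet checksum core)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def vrrp_checksum(src: str, dst: str, payload: bytes) -> int:
    """Checksum over the RFC2460 IPv6 pseudo-header and the VRRPv3 message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload))       # upper-layer packet length
              + b"\x00\x00\x00" + bytes([VRRP_NEXT_HEADER]))
    return (~ones_complement_sum(pseudo + payload)) & 0xFFFF


def build_advertisement(src, vrid, priority, adver_int_cs, addrs, dst=str(VRRP_MCAST)):
    """Return the VRRPv3 ADVERTISEMENT bytes; addrs[0] is the virtual IPv6 address."""
    if not 1 <= vrid <= 255 or not 0 <= priority <= 255 or not addrs:
        raise ValueError("invalid VRRPv3 field")
    if not 0 < adver_int_cs <= 0xFFF:
        raise ValueError("advertisement interval must fit in 12 bits")
    # Version/Type share one byte; Rsvd (upper 4 bits of the halfword) stays 0.
    header = struct.pack("!BBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(addrs), adver_int_cs & 0xFFF)
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    csum = vrrp_checksum(src, dst, header + b"\x00\x00" + body)  # checksum field zeroed
    return header + struct.pack("!H", csum) + body


def parse_advertisement(src, dst, hop_limit, payload) -> dict:
    """Parse a received message; raise ValueError on anything a receiver must drop."""
    if hop_limit != 255:
        raise ValueError("hop limit is not 255: sender is not on the local link")
    if ipaddress.IPv6Address(dst) != VRRP_MCAST:
        raise ValueError("destination is not ff02::12")
    if len(payload) < 8:
        raise ValueError("truncated VRRPv3 header")
    vt, vrid, prio, count, rsvd_int, csum = struct.unpack("!BBBBHH", payload[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0xF != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv3 ADVERTISEMENT")
    if count < 1 or len(payload) != 8 + 16 * count:
        raise ValueError("Count IPv6 Addr does not match the message length")
    zeroed = payload[:6] + b"\x00\x00" + payload[8:]
    if vrrp_checksum(src, dst, zeroed) != csum:
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv6Address(payload[8 + 16 * i:24 + 16 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int_cs": rsvd_int & 0xFFF,
            "rsvd": rsvd_int >> 12, "virtual_ip": addrs[0], "addresses": addrs}


def is_valid_advertisement(src, dst, hop_limit, payload) -> bool:
    """Convenience wrapper for monitors that only need an accept/drop decision."""
    try:
        parse_advertisement(src, dst, hop_limit, payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: VRID 1, priority 150, interval 100 cs, virtual IP fe80::2.
    msg = build_advertisement("fe80::1", 1, 150, 100, ["fe80::2"])
    print(msg.hex(), parse_advertisement("fe80::1", "ff02::12", 255, msg))
```

The hop-limit check is what lets a receiver assume the sender is on the local link; a monitor that logs advertisements carrying an unexpected VRID, priority or virtual address on a segment is a cheap way to catch a misconfigured or duplicate VRRP router before it starts answering neighbor solicitations for the gateway address.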
59.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2, and is mainly implemented via the exchange of VRRP advertisement messages. It is briefly described as follows:
Each VRRP virtual router has a unique ID, the VRID, ranging from 1 to 255. This virtual router has a unique virtual MAC address outwardly, whose format is 00-00-5E-00-02-{VRID} (the format of the virtual MAC address in VRRPv2 is 00-00-5E-00-01-{VRID}). The master router is in charge of using this MAC address to respond to ND neighbor solicitations (ARP requests in VRRPv2). Thus, no matter which switch-over takes place, the terminal devices always get the same IP and MAC address, reducing the effect the switch-over has on terminal devices.
There is only one kind of VRRP control message: the VRRP advertisement. It is encapsulated in IP multicast packets, and the format of the multicast address is FF02:0:0:0:0:0:XXXX:XXXX. To stay consistent with the multicast address in VRRPv2 (224.0.0.18), the multicast address used by VRRPv3 advertisement messages is FF02:0:0:0:0:0:0:12, and the advertisement is confined to the same LAN. Thus, the same VRID can safely be reused in different networks. In order to reduce network bandwidth overhead, only master routers send VRRP advertisement messages regularly. A backup router starts a new round of VRRP selection if it has not received a VRRP advertisement for 3 advertisement intervals in a row, or if it receives an advertisement with a priority of 0.
In a VRRP router group, the master router is selected according to priority. The range of priority in the VRRP protocol is 0-255. If the IP address of a VRRP router is the same as that of the virtual router interface, that VRRP router is called the IP address owner in the VRRP group; the IP address owner automatically has the highest priority, 255. The priority 0 is usually used when the IP address owner gives up the role of master. The configurable range of priority is 1-254. The priority can be set according to the speed and cost of the link, the performance and reliability of the router, and other management policies. In the selection of the master router, the router with the highest priority wins. So, if there is an IP address owner in the VRRP group, it will always be the master router. For candidate routers with the same priority, the selection is made according to the magnitude of their IP addresses (the bigger IP address takes precedence). VRRP also provides a preemptive priority policy. If this policy is configured, a backup router with a higher priority preempts the role of master router from the current master router with a lower priority.
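A worked model of the election rules just described, added here as an example (it is not code from the manual or from the switch). It applies the rules of this section to one VRRP group: the IP address owner gets priority 255, equal priorities are decided by the larger IPv6 address, a backup starts a new election after 3 advertisement intervals without an advertisement or on receiving priority 0, and a higher-priority backup takes over only when preempt mode is on. The router names, addresses and priorities are constructed for the scenario; the advertisement interval is taken in centiseconds because that is the unit the CLI command in 59.2 uses.

```python
"""VRRPv3 master election and failover timing (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class VrrpRouter:
    name: str
    ip: str                   # real interface address on the VRRP segment
    priority: int = 100       # configurable range is 1-254
    preempt: bool = True      # preempt-mode {true | false}


@dataclass
class VrrpGroup:
    vrid: int
    virtual_ip: str
    adver_int_cs: int = 100   # advertisement-interval, in centiseconds
    master: Optional[VrrpRouter] = None

    def effective_priority(self, r: VrrpRouter) -> int:
        # The IP address owner automatically has the highest priority, 255.
        if ipaddress.IPv6Address(r.ip) == ipaddress.IPv6Address(self.virtual_ip):
            return 255
        return r.priority

    def rank(self, r: VrrpRouter):
        # Highest priority wins; equal priorities are decided by the bigger IP address.
        return (self.effective_priority(r), int(ipaddress.IPv6Address(r.ip)))

    def elect(self, candidates):
        """Pick the master among the routers currently alive."""
        self.master = max(candidates, key=self.rank)
        return self.master

    def should_preempt(self, backup: VrrpRouter) -> bool:
        """A backup replaces a lower-priority master only with preempt-mode true."""
        return backup.preempt and self.rank(backup) > self.rank(self.master)

    def master_down_interval_s(self) -> float:
        # Three advertisement intervals in a row without an advertisement.
        return 3 * self.adver_int_cs / 100.0

    def backup_reelects(self, seconds_since_adv: float, last_adv_priority: int) -> bool:
        """True when a backup must start a new round of selection."""
        return last_adv_priority == 0 or seconds_since_adv >= self.master_down_interval_s()


def demo():
    """Scenario: owner C wins, then A/B tie on priority, then A is reconfigured higher."""
    c = VrrpRouter("C", "fe80::2", priority=100)     # owns the virtual IP -> priority 255
    a = VrrpRouter("A", "fe80::10", priority=150)
    b = VrrpRouter("B", "fe80::11", priority=150)
    g = VrrpGroup(vrid=1, virtual_ip="fe80::2", adver_int_cs=100)
    first = g.elect([c, a, b]).name        # "C": the IP address owner is always master
    second = g.elect([a, b]).name          # "B": same priority, larger IP address wins
    a.priority = 200
    with_preempt = g.should_preempt(a)     # True: higher priority and preempt-mode true
    a.preempt = False
    without_preempt = g.should_preempt(a)  # False: waits until the current master fails
    return first, second, with_preempt, without_preempt


if __name__ == "__main__":
    print(demo())
    g = VrrpGroup(vrid=1, virtual_ip="fe80::2", adver_int_cs=100)
    print("master down after", g.master_down_interval_s(), "s")
```

Keeping the advertisement interval identical on every router in the group matters for the same reason the troubleshooting list in 59.4 gives: a backup whose interval is shorter than the master's declares the master dead after three of its own intervals and starts an election the master never intended.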
In order to avoid the fault of returning a physical MAC address when pinging the virtual IP, it is stipulated that the virtual IP cannot be the real IP of the interface. Thus, all the interfaces participating in the backup group selection are backups by default.
59.2 VRRPv3 Configuration
59.2.1 Configuration Task Sequence
1. Create/delete the virtual router (necessary)
2. Configure the virtual IPv6 address and interface of VRRPv3 (necessary)
3. Enable/disable the virtual router (necessary)
4. Configure VRRPv3 assistant parameters (optional)
(1) Configure VRRPv3 preempt mode
(2) Configure VRRPv3 priority
(3) Configure the VRRPv3 advertisement interval
(4) Configure the monitor interface of VRRPv3

1. Create/delete the virtual router
Mode: Global Configuration Mode
Command: router ipv6 vrrp <vrid>
         no router ipv6 vrrp <vrid>
Explanation: Create/delete the virtual router.

2. Configure the virtual IPv6 address and interface of VRRPv3
Mode: VRRPv3 Protocol Mode
Command: virtual-ipv6 <ipv6-address> interface {vlan <ID> | IFNAME}
         no virtual-ipv6 interface
Explanation: Configure the virtual IPv6 address and interface of VRRPv3; the no operation of this command deletes the virtual address and interface.

3. Enable/disable the virtual router
Mode: VRRPv3 Protocol Mode
Command: enable
Explanation: Enable the virtual router.
Command: disable
Explanation: Disable the virtual router.

4. Configure VRRPv3 assistant parameters
(1) Configure VRRPv3 preempt mode
Mode: VRRPv3 Protocol Mode
Command: preempt-mode {true | false}
Explanation: Configure VRRPv3 preempt mode.

(2) Configure VRRPv3 priority
Mode: VRRPv3 Protocol Mode
Command: priority <priority>
Explanation: Configure VRRPv3 priority.
(3) Configure the VRRPv3 advertisement interval
Mode: VRRPv3 Protocol Mode
Command: advertisement-interval <time>
Explanation: Configure the VRRPv3 advertisement interval (in centiseconds).

(4) Configure the monitor interface of VRRPv3
Mode: VRRPv3 Protocol Mode
Command: circuit-failover {vlan <ID> | IFNAME} <value_reduced>
         no circuit-failover
Explanation: Configure the monitor interface of VRRPv3; the no operation of this command deletes the monitor interface.
59.3 VRRPv3 Typical Examples
Figure 59-3-1 VRRPv3 Typical Network Topology
As shown in the figure, Switch A and Switch B are backups of each other: Switch A is the master of backup group 1 and a backup of backup group 2, and Switch B is the master of backup group 2 and a backup of backup group 1. The IPv6 addresses of Switch A and Switch B are "IPv6_A" and "IPv6_B" respectively (it is recommended that IPv6_A and IPv6_B are in the same segment), the virtual IPv6 addresses of backup group 1 and backup group 2 are "V_IPv6_C" and "V_IPv6_D" respectively, and the default IPv6 gateway addresses of the hosts are configured as "V_IPv6_C" and "V_IPv6_D" respectively (in reality, the IPv6 gateway addresses of hosts are usually learnt automatically via router advertisements, so the IPv6 next hop of the hosts will have some randomness). Doing this not only implements router backup but also the traffic sharing function in the LAN.
The configuration of SwitchA:
SwitchA (config)#ipv6 enable
SwitchA (config)#interface vlan 1
SwitchA (config)#router ipv6 vrrp 1
SwitchA (config-router)#virtual-ipv6 fe80::2 interface vlan 1
SwitchA (config-router)#priority 150
SwitchA (config-router)#enable
SwitchA (config)#router ipv6 vrrp 2
SwitchA (config-router)#virtual-ipv6 fe80::3 interface vlan 1
SwitchA (config-router)#enable
The configuration of SwitchB:
SwitchB (config)#ipv6 enable
SwitchB (config)#interface vlan 1
SwitchB (config)#router ipv6 vrrp 2
SwitchB (config-router)#virtual-ipv6 fe80::3 interface vlan 1
SwitchB (config-router)#priority 150
SwitchB (config-router)#enable
SwitchB (config)#router ipv6 vrrp 1
SwitchB (config-router)#virtual-ipv6 fe80::2 interface vlan 1
SwitchB (config-router)#enable
59.4 VRRPv3 Troubleshooting
When configuring and using the VRRPv3 protocol, it might operate abnormally because of incorrect physical connections or configuration. So users should pay attention to the following points:
- First, the physical connections should be correct;
- Next, the interface and link protocol are UP (use the show ipv6 interface command);
- Then, make sure that the IPv6 forwarding function is enabled (use the ipv6 enable command);
- Besides, make sure that the VRRPv3 protocol is enabled on the interface;
- Check whether the timer values of the different routers (or layer-3 Ethernet switches) within the same backup group are the same;
- Check whether the virtual IPv6 addresses in the same backup group are the same.
Chapter 60 MRPP Configuration
60.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet ring protection. It can avoid the broadcast storm caused by a data loop on an Ethernet ring, and restore communication among every node on the ring network when the Ethernet ring has a broken link. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
MRPP is similar to STP in function; compared with STP, MRPP has the following characteristics:
<1> MRPP is used specifically for Ethernet ring topologies
<2> fast convergence, less than 1 s; ideally it can reach 50-100 ms.
60.1.1 Concept Introduction
[Figure 60-1-1 MRPP Sketch Map: two rings, Ring 1 and Ring 2, formed by Switches A to H; each ring has one Master Node whose two ring ports are labelled E1 and E2]
Figure 60-1-1 MRPP Sketch Map
1. Control VLAN
The control VLAN is a virtual VLAN used only to identify MRPP protocol packets transferred on the link. To avoid confusion with other configured VLANs, do not configure the control VLAN ID to be the same as another configured VLAN ID. Different MRPP rings should be configured with different control VLAN IDs.
2. Ethernet Ring (MRPP Ring)
A ring-linked Ethernet network topology.
Each MRPP ring has two states:
Health state: the whole physical link of the ring network is connected.
Break state: one or a few physical links in the ring network are broken.
3. Nodes
Each switch on the Ethernet ring is called a node. There are the following node types:
Primary node: each ring has one primary node; it is the main node that detects and defends against ring faults.
Transfer node: apart from the primary node, the other nodes on each ring are transfer nodes.
The node role is determined by user configuration. As shown above, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4. Primary port and secondary port
The primary node and each transfer node have two ports connecting to the Ethernet ring: one is the primary port and the other is the secondary port. The role of a port is determined by user configuration.
Primary port and secondary port of the primary node
The primary port of the primary node is used to send the ring health examination packet (Hello); the secondary port is used to receive the Hello packets sent from the primary node. When the Ethernet ring is in the health state, the secondary port of the primary node logically blocks other data and only MRPP packets can pass. When the Ethernet ring is in the break state, the secondary port of the primary node releases the blocked state and forwards data packets.
There is no difference in function between the primary port and the secondary port of a transfer node.
The role of a port is determined by user configuration. As shown above, Switch A E1 is the primary port and E2 is the secondary port.
5. Timer
Two timers are used when the primary node sends and receives MRPP protocol packets: the Hello timer and the Fail timer.
Hello timer: defines the interval at which the health examination packet is sent by the primary port of the primary node.
Fail timer: defines the timeout interval for the health examination packet to be received by the primary port of the primary node.
The value of the Fail timer must be greater than or equal to 3 times the value of the Hello timer.
60.1.2 MRPP Protocol Packet Types
Packet Type: Hello packet (health examination packet)
Explanation: Sent by the primary port of the primary node to detect the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the ring is normal.
Packet Type: LINK-DOWN (link down event packet)
Explanation: After a transfer node detects a Down event on a port, it immediately sends a LINK-DOWN packet to the primary node to inform the primary node that the ring has failed.
Packet Type: LINK-DOWN-FLUSH_FDB packet
Explanation: After the primary node detects a ring failure or receives a LINK-DOWN packet, it opens the blocked secondary port and then sends this packet from both ports, informing each transfer node to refresh its own MAC address table.
Packet Type: LINK-UP-FLUSH_FDB packet
Explanation: After the primary node detects that the ring has recovered from failure, it sends this packet from the primary port, informing each transfer node to refresh its own MAC address table.
60.1.3 MRPP Protocol Operation System
1. Link Down Alarm System
When a transfer node finds that one of its ports belonging to the MRPP ring is Down, it immediately sends a LINK-DOWN packet to the primary node. The primary node receives the LINK-DOWN packet, immediately releases the blocked state of the secondary port, and sends a LINK-DOWN-FLUSH_FDB packet to inform all transfer nodes to refresh their own MAC address forwarding tables.
2. Poll System
The primary port of the primary node sends Hello packets to its neighbors periodically according to the configured Hello timer.
If the ring is healthy, the secondary port of the primary node receives the health detection packet, and the primary node keeps the secondary port blocked.
If the ring is broken, the secondary port of the primary node cannot receive the health detection packet before the timer expires. The primary node releases the blocked state of the secondary port and sends a LINK-DOWN-FLUSH_FDB packet to inform all transfer nodes to refresh their own MAC address forwarding tables.
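The Link Down Alarm System and the Poll System can be shown together as one primary-node state machine. The Python below is an added example, not code from the manual or from the switch: Hello packets leave the primary port every Hello timer, the secondary port stays blocked for data while Hellos keep arriving on it, and the block is released (with a LINK-DOWN-FLUSH_FDB sent on both ports) either when the Fail timer expires or immediately on a LINK-DOWN packet from a transfer node. The event strings, the check that a LINK-DOWN is only honoured on the configured control VLAN, and the timer values (Hello 1 s, Fail 3 s, control VLAN 4000) are this example's own choices; the Fail >= 3 x Hello constraint is the manual's.

```python
"""MRPP primary-node poll and link-down handling (added example, constructed timers)."""


def timers_valid(hello_timer: float, fail_timer: float) -> bool:
    """Manual's constraint: Fail timer >= 3 times the Hello timer."""
    return fail_timer >= 3 * hello_timer


class MrppPrimaryNode:
    def __init__(self, hello_timer: float, fail_timer: float, control_vlan: int):
        if not timers_valid(hello_timer, fail_timer):
            raise ValueError("Fail timer must be >= 3 x Hello timer")
        self.hello_timer = hello_timer
        self.fail_timer = fail_timer
        self.control_vlan = control_vlan
        self.ring_healthy = True
        self.secondary_blocked = True    # healthy ring: only MRPP packets pass
        self.last_hello_rx = 0.0
        self.next_hello_tx = 0.0
        self.events = []                 # (time, description); log format is ours

    def tick(self, now: float) -> None:
        """Poll system: send the Hellos that are due, expire the Fail timer."""
        while self.next_hello_tx <= now:
            self.events.append((self.next_hello_tx, "TX Hello on primary port"))
            self.next_hello_tx += self.hello_timer
        if self.ring_healthy and now - self.last_hello_rx >= self.fail_timer:
            self._ring_failed(now, "Fail timer expired")

    def hello_received(self, now: float) -> None:
        """A Hello came back on the secondary port: the ring is intact."""
        self.last_hello_rx = now
        if not self.ring_healthy:
            self._ring_restored(now)

    def link_down_received(self, now: float, vlan: int) -> None:
        """Link Down alarm system: a transfer node reports one of its ring ports Down."""
        if vlan != self.control_vlan:    # MRPP packets are identified by the control VLAN
            self.events.append((now, f"ignored LINK-DOWN on VLAN {vlan}"))
            return
        if self.ring_healthy:
            self._ring_failed(now, "LINK-DOWN received")

    def _ring_failed(self, now, reason):
        self.ring_healthy = False
        self.secondary_blocked = False
        self.events.append((now, reason + ": unblock secondary port, "
                            "TX LINK-DOWN-FLUSH_FDB on both ports"))

    def _ring_restored(self, now):
        self.ring_healthy = True
        self.secondary_blocked = True
        self.events.append((now, "Hello seen again: block secondary port, "
                            "TX LINK-UP-FLUSH_FDB on primary port"))


def simulate_poll():
    """Healthy ring, then a silent break caught by the Fail timer, then restoration."""
    node = MrppPrimaryNode(hello_timer=1.0, fail_timer=3.0, control_vlan=4000)
    for t in (1.0, 2.0, 3.0):                 # Hellos return every second
        node.tick(t)
        node.hello_received(t)
    healthy_blocked = node.secondary_blocked  # True: data blocked while healthy
    node.tick(5.9)                            # silent for 2.9 s: within the Fail timer
    still_blocked = node.secondary_blocked    # True
    node.tick(6.0)                            # silent for 3.0 s: Fail timer expires
    unblocked = not node.secondary_blocked    # True: secondary port now forwards data
    node.hello_received(7.0)                  # ring repaired, Hello comes back
    reblocked = node.secondary_blocked        # True
    return healthy_blocked, still_blocked, unblocked, reblocked


def simulate_link_down_alarm():
    """A LINK-DOWN on the control VLAN fails over without waiting for the Fail timer."""
    node = MrppPrimaryNode(hello_timer=1.0, fail_timer=3.0, control_vlan=4000)
    node.tick(1.0)
    node.hello_received(1.0)
    node.link_down_received(1.2, vlan=10)     # a data VLAN: not an MRPP packet, ignored
    ignored = node.secondary_blocked          # True
    node.link_down_received(1.3, vlan=4000)   # control VLAN: immediate unblock
    return ignored, not node.secondary_blocked


if __name__ == "__main__":
    print(simulate_poll(), simulate_link_down_alarm())
```

The two paths give the operational difference between the mechanisms: a LINK-DOWN report converges as soon as the packet reaches the primary node, while a failure that nobody reports (a silent link, or a transfer node that cannot send) is only caught by the Fail timer, which is why the manual requires it to cover at least three Hello intervals.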
3. Ring Restore
After the primary node occur ring fail, if the secondary port receives Hello packet sendi