Manual 4500
32 CHAPTER 2: LOGGING IN THROUGH THE CONSOLE PORT

Configuration Procedure

Table 10 Configuration Procedure (continued)

To: Configure to authenticate users using the local password
Use the command: authentication-mode password
Remarks: Required. By default, users logging in through the Console port are not authenticated.

To: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required.

To: Configure the Console port: set the baud rate
Use the command: speed speed-value
Remarks: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.

To: Configure the Console port: set the check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To: Configure the Console port: set the stop bits
Use the command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To: Configure the Console port: set the data bits
Use the command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To: Define a shortcut key for starting terminal sessions
Use the command: activation-key character
Remarks: Optional. By default, pressing the Enter key starts the terminal session.

To: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To: Make terminal services available to the user interface
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the level of the commands available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Table 11 Determine the command level (B)

Authentication mode: Local authentication (authentication-mode password)
User type: Users logging into the AUX user interface
Command: The user privilege level level command not executed
Command level: Level 3
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:
- Authenticate users logging in through the Console port using the local password.
- Set the local password to 123456 (in plain text).
- The commands of level 2 are available to users logging into the AUX user interface.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Network diagram

Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being password)
[Figure labels: Console port, Console cable, RS-232]

Configuration procedure

1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify to authenticate users logging in through the Console port using the local password.
[3Com-ui-aux0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-aux0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
6 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
9 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 12 Configuration Procedure

To: Enter system view
Use the command: system-view

To: Configure the authentication mode: enter the default ISP domain view
Use the command: domain domain-name
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
- Perform AAA & RADIUS configuration on the switch. (Refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more.)
- Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)

To: Configure the authentication mode: specify the AAA scheme to be applied to the domain
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: See the remarks for the domain command above.

To: Configure the authentication mode: quit to system view
Use the command: quit

To: Create a local user (enter local user view)
Use the command: local-user user-name
Remarks: Required. No local user exists by default.

To: Set the authentication password for the local user
Use the command: password { simple | cipher } password
Remarks: Required.

To: Specify the service type for AUX users
Use the command: service-type terminal [ level level ]
Remarks: Required.

To: Quit to system view
Use the command: quit

To: Enter AUX user interface view
Use the command: user-interface aux 0

To: Configure to authenticate users locally or remotely
Use the command: authentication-mode scheme [ command-authorization ]
Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

To: Configure the Console port: set the baud rate
Use the command: speed speed-value
Remarks: Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.

To: Configure the Console port: set the check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To: Configure the Console port: set the stop bits
Use the command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To: Configure the Console port: set the data bits
Use the command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To: Define a shortcut key for starting terminal sessions
Use the command: activation-key character
Remarks: Optional. By default, pressing the Enter key starts the terminal session.

To: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To: Make terminal services available to the user interface
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the level of the commands available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 13.

Table 13 Determine the command level

Authentication mode: authentication-mode scheme [ command-authorization ]
User type: Users logging into the Console port and passing AAA&RADIUS or local authentication
Command: The user privilege level level command is not executed, and the service-type terminal [ level level ] command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is not executed, and the service-type terminal [ level level ] command specifies the available command level.
Command level: Determined by the service-type terminal [ level level ] command
Command: The user privilege level level command is executed, and the service-type terminal [ level level ] command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is executed, and the service-type terminal [ level level ] command specifies the available command level.
Command level: Determined by the service-type terminal [ level level ] command

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:
- Configure the name of the local user to be guest.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of the local user to Terminal.
- Configure to authenticate users logging in through the Console port in the scheme mode.
- The commands of level 2 are available to users logging into the AUX user interface.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Network diagram

Figure 8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
[Figure labels: Console port, Console cable, RS-232]

Configuration procedure

1 Enter system view.
<3Com> system-view
2 Create a local user named guest and enter local user view.
[3Com] local-user guest
3 Set the authentication password to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Terminal, and specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit
5 Enter AUX user interface view.
[3Com] user-interface aux 0
6 Configure to authenticate users logging in through the Console port in the scheme mode.
[3Com-ui-aux0] authentication-mode scheme
7 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
10 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
3 LOGGING IN THROUGH TELNET

Introduction

You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly.

Common Configuration

Table 15 lists the common Telnet configuration.

Table 14 Requirements for Telnet to a switch

Item: Switch
Requirement: The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available. (Refer to the VLAN module for more.) The authentication mode and other settings are configured. Refer to Table 15 and Table 16.

Item: Telnet terminal
Requirement: Telnet is running. The IP address of the management VLAN of the switch is available.

Table 15 Common Telnet configuration

VTY user interface configuration
Configuration: Configure the command level available to users logging into the VTY user interface
Description: Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
Configuration: Configure the protocols the user interface supports
Description: Optional. By default, the Telnet and SSH protocols are supported.
Configuration: Set the command that is automatically executed when a user logs into the user interface
Description: Optional. By default, no command is automatically executed when a user logs into a user interface.

VTY terminal configuration
Configuration: Define a shortcut key for aborting tasks
Description: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Configuration: Make terminal services available
Description: Optional. By default, terminal services are available in all user interfaces.
Configuration: Set the maximum number of lines the screen can contain
Description: Optional. By default, the screen can contain up to 24 lines.
Configuration: Set the history command buffer size
Description: Optional. By default, the history command buffer can contain up to 10 commands.
Configuration: Set the timeout time of a user interface
Description: Optional. The default timeout time is 10 minutes.

40 CHAPTER 3: LOGGING IN THROUGH TELNET

CAUTION:
The auto-execute command command may make you unable to perform common configuration in the user interface, so use it with caution.
Before executing the auto-execute command command and saving your configuration, make sure you can log into the switch in other modes and cancel the configuration.
Telnet Configurations for Different Authentication Modes

Table 16 lists Telnet configurations for different authentication modes.

Table 16 Telnet configurations for different authentication modes

Authentication mode: None
Telnet configuration: Perform common configuration (perform common Telnet configuration)
Description: Optional. Refer to Table 15.

Authentication mode: Password
Telnet configuration: Configure the password (configure the password for local authentication)
Description: Required.
Telnet configuration: Perform common configuration (perform common Telnet configuration)
Description: Optional. Refer to Table 15.

Authentication mode: Scheme
Telnet configuration: Specify to perform local authentication or RADIUS authentication (the AAA configuration specifies whether to perform local authentication or RADIUS authentication)
Description: Optional. Local authentication is performed by default. Refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more information.
Telnet configuration: Configure user name and password (configure user names and passwords for local/remote users)
Description: Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
Telnet configuration: Manage VTY users (set the service type for VTY users)
Description: Required.
Telnet configuration: Perform common configuration (perform common Telnet configuration)
Description: Optional. Refer to Table 15.
Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Table 17 Configuration Procedure

To: Enter system view
Use the command: system-view

To: Configure not to authenticate users logging into VTY user interfaces
Use the command: authentication-mode none
Remarks: Required. By default, VTY users are authenticated after logging in.

To: Configure the command level available to users logging into the VTY user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.

To: Configure the protocols to be supported by the VTY user interface
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.

To: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To: Set the timeout time of the VTY user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 18.

Table 18 Determine the command level when users logging into switches are not authenticated

Authentication mode: None (authentication-mode none)
User type: VTY users
Command: The user privilege level level command not executed
Command level: Level 0
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:
- Do not authenticate users logging into VTY 0.
- Commands of level 2 are available to users logging into VTY 0.
- The Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
Network diagram

Figure 9 Network diagram for Telnet configuration (with the authentication mode being none)
[Figure labels: User PC running Telnet, Ethernet, GigabitEthernet1/0/1]

Configuration procedure

1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure not to authenticate Telnet users logging into VTY 0.
[3Com-ui-vty0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
5 Configure the Telnet protocol to be supported.
[3Com-ui-vty0] protocol inbound telnet
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
8 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
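The procedure above deliberately leaves VTY 0 unauthenticated and Telnet-only, and the configuration tables in this chapter and in Chapter 2 spell out the related defaults: Console port logins are unauthenticated unless authentication-mode is set, both Telnet and SSH are accepted when protocol inbound is unset, idle-timeout 0 disables the timeout, set authentication password simple stores the password in plain text, and auto-execute command can lock you out (see the CAUTION). The Python script below is added here as an example and is not code from the 3Com manual: it parses a saved user-interface configuration and reports those settings. The "user-interface ... #" block layout is an assumption made for the demonstration, SAMPLE_CONFIG is constructed rather than captured from a switch, and the command names are the ones the tables document.

```python
"""Audit user-interface blocks for the login weaknesses described by the
manual's configuration tables. Added example; the block layout of the
configuration text is assumed and SAMPLE_CONFIG is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: four user interfaces, one of them (vty 2) hardened.
SAMPLE_CONFIG = """\
#
user-interface aux 0
 user privilege level 3
 idle-timeout 0
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
 screen-length 30
 history-command max-size 20
 idle-timeout 6
#
user-interface vty 1
 authentication-mode password
 set authentication password simple 123456
 protocol inbound all
 auto-execute command display current-configuration
#
user-interface vty 2
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 5 0
#
"""


@dataclass
class Finding:
    interface: str
    severity: str  # HIGH, MEDIUM or INFO
    message: str


def parse_user_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [commands]} for every user-interface block."""
    blocks: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "#" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def last_arg(commands: list[str], prefix: str) -> str | None:
    """Argument text of the last command starting with `prefix` (a later
    line overrides an earlier one, as it does when entered on the switch)."""
    value = None
    for cmd in commands:
        if cmd == prefix or cmd.startswith(prefix + " "):
            value = cmd[len(prefix):].strip()
    return value


def audit(config: str) -> list[Finding]:
    findings: list[Finding] = []
    for name, cmds in parse_user_interfaces(config).items():
        mode = last_arg(cmds, "authentication-mode")
        level = last_arg(cmds, "user privilege level")
        inbound = last_arg(cmds, "protocol inbound")
        timeout = last_arg(cmds, "idle-timeout")
        is_vty = name.startswith("vty")

        if mode == "none":
            findings.append(Finding(name, "HIGH",
                "authentication-mode none: logins are not authenticated"))
            if level is not None and int(level) >= 3:
                findings.append(Finding(name, "HIGH",
                    f"level {level} commands reachable without authentication"))
        elif mode is None and name.startswith("aux"):
            # Table 10: Console port users are not authenticated by default.
            findings.append(Finding(name, "MEDIUM",
                "no authentication-mode: Console port logins are unauthenticated by default"))

        for cmd in cmds:
            if cmd.startswith("set authentication password simple"):
                findings.append(Finding(name, "MEDIUM",
                    "login password stored in plain text (simple); use the cipher form"))
            if cmd.startswith("auto-execute command"):
                findings.append(Finding(name, "INFO",
                    "auto-execute command set: confirm another login path exists before saving"))

        # Tables 17/19/21: with no protocol inbound line, Telnet and SSH are both accepted.
        if is_vty and inbound in (None, "all", "telnet"):
            shown = inbound or "unset (default: Telnet and SSH)"
            findings.append(Finding(name, "MEDIUM",
                f"Telnet accepted (protocol inbound {shown}): clear-text session; use protocol inbound ssh"))

        if timeout is not None and timeout.split()[0] == "0":
            findings.append(Finding(name, "MEDIUM",
                "idle-timeout 0: idle sessions are never terminated"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.interface:8} {f.message}")
```

Run against the sample, vty 2 (scheme authentication, SSH only, 5-minute timeout) produces no findings, while the none-mode example from this section is reported twice: once for authentication-mode none and once for accepting Telnet.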
Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Table 19 Configuration Procedure

To: Enter system view
Use the command: system-view

To: Configure to authenticate users logging into VTY user interfaces using the local password
Use the command: authentication-mode password
Remarks: Required.

To: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required.

To: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.

To: Configure the protocol to be supported by the user interface
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.

To: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To: Set the timeout time of the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the password mode, the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 20.

Table 20 Determine the command level when users logging into switches are authenticated in the password mode

Authentication mode: Password (authentication-mode password)
User type: VTY users
Command: The user privilege level level command not executed
Command level: Level 0
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:
- Authenticate users logging into VTY 0 using the local password.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to users logging into VTY 0.
- The Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
Network diagram

Figure 10 Network diagram for Telnet configuration (with the authentication mode being password)
[Figure labels: User PC running Telnet, Ethernet, GigabitEthernet1/0/1]

Configuration procedure

1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure to authenticate users logging into VTY 0 using the local password.
[3Com-ui-vty0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-vty0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
6 Configure the Telnet protocol to be supported.
[3Com-ui-vty0] protocol inbound telnet
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
9 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 21 Configuration Procedure

To: Enter system view
Use the command: system-view

To: Configure the authentication scheme: enter the default ISP domain view
Use the command: domain domain-name
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
- Perform AAA & RADIUS configuration on the switch. (Refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more information.)
- Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)

To: Configure the authentication scheme: configure the AAA scheme to be applied to the domain
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: See the remarks for the domain command above.

To: Configure the authentication scheme: quit to system view
Use the command: quit

To: Create a local user and enter local user view
Use the command: local-user user-name
Remarks: The admin, manager, and monitor users exist by default.

To: Set the authentication password for the local user
Use the command: password { simple | cipher } password
Remarks: Required.

To: Specify the service type for VTY users
Use the command: service-type telnet [ level level ]
Remarks: Required.

To: Quit to system view
Use the command: quit

To: Configure to authenticate users locally or remotely
Use the command: authentication-mode scheme
Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

To: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into the VTY user interfaces.

To: Configure the supported protocol
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. Both the Telnet protocol and the SSH protocol are supported by default.

To: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To: Make terminal services available
Use the command: shell
Remarks: Optional. Terminal services are available in all user interfaces by default.

To: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 22.

Refer to the corresponding chapters in this guide for information about AAA, RADIUS, TACACS+, and SSH.

Table 22 Determine the command level when users logging into switches are authenticated in the scheme mode

Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])

User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
Command level: Determined by the service-type command
Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
Command level: Determined by the service-type command

User type: VTY users that are authenticated in the RSA mode of SSH
Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
Command level: Level 0
Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
Command level: Determined by the user privilege level level command

User type: VTY users that are authenticated in the password mode of SSH
Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
Command level: Determined by the service-type command
Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
Command level: Level 0
Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
Command level: Determined by the service-type command
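Tables 11, 13, 18, 20 and 22 describe one decision procedure from several angles: which of authentication-mode, user privilege level and the service-type level actually decides the command level a login receives. The Python function below is added here as an example and is not code from the 3Com manual; it encodes those five tables as a single function so a planned configuration can be checked against them. The function and argument names are assumptions chosen for the demonstration. Its manual_examples helper runs the chapter's own configuration examples through it and also shows the pitfall the tables imply: in scheme mode, user privilege level alone leaves Telnet, Console and SSH-password users at level 0, and only the service-type level raises it (SSH users authenticated in RSA mode are the one exception).

```python
"""Resolve the command level of a login from Tables 11, 13, 18, 20 and 22.
Added example, not code from the 3Com manual; names are assumptions."""
from __future__ import annotations


def command_level(user_interface: str, auth_mode: str,
                  privilege_level: int | None = None,
                  service_type_level: int | None = None,
                  ssh_auth: str | None = None) -> tuple[int, str]:
    """Return (level, source), where source names the setting that decided it.

    user_interface: "aux" (Console port) or "vty" (Telnet/SSH).
    auth_mode: "none", "password" or "scheme" (the authentication-mode command).
    privilege_level: argument of user privilege level, or None when that command
        was not executed on the user interface.
    service_type_level: level given with service-type terminal/telnet [ level ],
        or None when the local user's service-type does not specify one.
    ssh_auth: for scheme-mode VTY users logging in over SSH, "password" or "rsa";
        None for Telnet and Console logins.
    """
    if user_interface not in ("aux", "vty"):
        raise ValueError("user_interface must be 'aux' or 'vty'")
    by_privilege = ((0, "default") if privilege_level is None
                    else (privilege_level, "user privilege level"))

    if auth_mode == "none":
        # Table 18 covers VTY users only.
        if user_interface != "vty":
            raise ValueError("Table 18 covers only VTY users")
        return by_privilege
    if auth_mode == "password":
        # Table 11 (AUX, default level 3) and Table 20 (VTY, default level 0).
        if privilege_level is None:
            return (3 if user_interface == "aux" else 0, "default")
        return by_privilege
    if auth_mode == "scheme":
        if user_interface == "vty" and ssh_auth == "rsa":
            # Table 22, RSA mode of SSH: the service-type level is ignored.
            return by_privilege
        # Table 13 and the remaining Table 22 rows: user privilege level has no
        # effect; only a level given with service-type raises the level.
        if service_type_level is None:
            return (0, "default")
        return (service_type_level, "service-type")
    raise ValueError(f"unknown authentication mode {auth_mode!r}")


def manual_examples() -> dict[str, tuple[int, str]]:
    """The configuration examples of Chapters 2 and 3, run through the tables."""
    return {
        "console, password mode, user privilege level 2":
            command_level("aux", "password", privilege_level=2),
        "console, scheme mode, service-type terminal level 2":
            command_level("aux", "scheme", service_type_level=2),
        "vty 0, none mode, user privilege level 2":
            command_level("vty", "none", privilege_level=2),
        "vty 0, scheme mode, service-type telnet level 2":
            command_level("vty", "scheme", service_type_level=2),
        # Pitfall: in scheme mode this leaves the user at level 0 (Tables 13 and 22).
        "vty 0, scheme mode, user privilege level 3 only":
            command_level("vty", "scheme", privilege_level=3),
    }


if __name__ == "__main__":
    for case, (level, source) in manual_examples().items():
        print(f"{case}: level {level} (from {source})")
```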
Configuration
Example
Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
Configure the name of the local user to be guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of VTY users to Telnet.
Configure to authenticate users logging into VTY 0 in scheme mode.
The commands of level 2 are available to users logging into VTY 0.
Telnet protocol is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 11 Network diagram for Telnet configuration (with the authentication mode being
scheme)
Configuration procedure
1 Enter system view.
<3Com> syst em- vi ew
2 Create a local user named guest and enter local user view.
[ 3Com] l ocal - user guest
3 Set the authentication password of the local user to 123456 (in plain text).
[ 3Com- l user - guest ] passwor d si mpl e 123456
4 Set the service type to Telnet, Specify commands of level 2 are available to users logging
into VTY 0.
[ 3Com- l user - guest ] ser vi ce- t ype t el net l evel 2
5 Enter VTY 0 user interface view.
[ 3Com] user - i nt er f ace vt y 0
6 Configure to authenticate users logging into VTY 0 in the scheme mode.
[ 3Com- ui - vt y0] aut hent i cat i on- mode scheme
7 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
10 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Connection Establishment
Telneting to a Switch from a Terminal
In order to Telnet to the switch, you need to configure an IP address on a VLAN interface.
Use the following procedure to establish a Telnet connection to a switch through the
management VLAN:
1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
Connect to the Console port. Refer to the chapter Setting up the Connection to the
Console Port.
Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 202.38.160.92.
[3Com-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2 Configure the user name and password for Telnet on the switch. See the sections entitled Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for additional information.
3 Connect your PC to the Switch, as shown in Figure 12. Make sure the Ethernet port to
which your PC is connected belongs to the management VLAN of the switch and the
route between your PC and the switch is available.
Figure 12 Network diagram for Telnet connection establishment
4 Launch Telnet on your PC, with the IP address of the management VLAN interface of the
switch as the parameter, as shown in the following figure.
Figure 13 Launch Telnet
5 Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt (such as <3Com>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says All user interfaces are used, please try later!. A 3Com Switch 4500G Family Ethernet switch can accommodate up to five Telnet connections at the same time.
6 After successfully Telneting to a switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.
A Telnet connection will be terminated if you delete or modify the IP address of the
VLAN interface in the Telnet session.
By default, commands of level 0 are available to Telnet users authenticated by
password. Refer to the Basic System Configuration and Maintenance module for
information about command hierarchy.
Telneting to Another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are on the same network segment, or that the route between the two VLAN interfaces is available.
As shown in Figure 14, after Telneting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command, and then configure the latter.
Figure 14 Network diagram for Telneting to another switch from the current switch
1 Configure the user name and password for Telnet on the switch operating as the Telnet
server. Refer to the sections entitled Telnet Configuration with Authentication Mode
Being None, Telnet Configuration with Authentication Mode Being Password, and
Telnet Configuration with Authentication Mode Being Scheme for more information.
2 Telnet to the switch operating as the Telnet client.
3 Execute the following command on the switch operating as the Telnet client:
<3Com> telnet xxxx
Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
4 Enter the password. If the password is correct, the CLI prompt (such as <3Com>)
appears. If all VTY user interfaces of the switch are in use, you will fail to establish the
connection and receive the message that says All user interfaces are used, please try
later!.
5 After successfully Telneting to the switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.
4 LOGGING IN USING MODEM
Introduction
If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can log into its Console port through the PSTN using a modem, to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure these switches, to query logs and warning messages, and to locate problems.
To log into a switch in this way, you need to configure the terminal and the switch
properly, as listed in the following table.
Modem Configuration
Perform the following configuration on the modem directly connected to the switch:
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes
Table 23 Requirements for logging into a switch using a modem
Item: Administrator side
Requirement: The PC can communicate with the modem connected to it. The modem is properly connected to PSTN. The telephone number of the switch side is available.
Item: Switch side
Requirement: The modem is connected to the Console port of the switch properly. The modem is properly configured. The modem is properly connected to PSTN and a telephone set. The authentication mode and other related settings are configured on the switch. Refer to Table 7.
You can verify your configuration by executing the AT&V command.
The above configuration is unnecessary for the modem on the administrator side.
The configuration commands and the output of different modems may differ. Refer to
the user manual of the modem when performing the above configuration.
Switch Configuration
After logging into a switch through its Console port by using a modem, you will enter the AUX user interface. The corresponding configuration on the switch is the same as that for logging into the switch locally through its Console port, except that:
When you log in through the Console port using a modem, the baud rate of the
Console port is usually set to a value lower than the transmission speed of the
modem. Otherwise, packets may get lost.
Other settings of the Console port, such as the check mode, the stop bits, and the data
bits, remain the default.
The configuration on the switch depends on the authentication mode the user is in.
Refer to Table 7 for the information about authentication mode configuration.
Configuration on switch when the authentication mode is none
Refer to Console Port Login Configuration with Authentication Mode Being None.
Configuration on switch when the authentication mode is password
Refer to Console Port Login Configuration with Authentication Mode Being Password.
Configuration on switch when the authentication mode is scheme
Refer to Console Port Login Configuration with Authentication Mode Being Scheme.
Modem Connection Establishment
1 Configure the user name and password on the switch. Refer to Console Port Login
Configuration with Authentication Mode Being None, Console Port Login
Configuration with Authentication Mode Being Password, and Console Port Login
Configuration with Authentication Mode Being Scheme for more information.
2 Perform the following configuration on the modem directly connected to the switch.
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes
You can verify your configuration by executing the AT&V command.
The configuration commands and the output of different modems may differ. Refer
to the user manual of the modem when performing the above configuration.
Set the baud rate of the AUX port (also the Console port) to a value lower than the
transmission speed of the modem. Otherwise, packets may get lost.
3 Connect your PC, the modems, and the switch, as shown in the following figure.
Figure 15 Establish the connection by using modems
4 Launch a terminal emulation utility on the PC and set the telephone number to call the
modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that
you need to set the telephone number to that of the modem directly connected to the
switch.
Figure 16 Set the telephone number
(Figure 15 shows: PC, serial cable, modem, telephone line, PSTN, telephone line, modem, serial cable, Console port. The telephone number of the modem on the switch side is 82882285.)
Figure 17 Call the modem
5 Provide the password when prompted. If the password is correct, the prompt (such as <3Com>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapters for information about the configuration commands.
If you perform no AUX user-related configuration on the switch, the commands of level
3 are available to modem users. Refer to the Basic System Configuration and
Maintenance module for information about command level.
5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM
Introduction
A Switch 4500G Series switch has a Web server built in. You can log into a Switch 4500G series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
To log into a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
HTTP Connection Establishment
1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
Connect to the Console port. Refer to Setting up the Connection to the Console
Port.
Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 10.153.17.82.
[3Com-Vlan-interface1] ip address 10.153.17.82 255.255.255.0
Table 24 Requirements for logging into a switch through the Web-based network management system
Item: Switch
Requirement: The management VLAN of the switch is configured. The route between the switch and the network management terminal is available. (Refer to the VLAN module for more.) The user name and password for logging into the Web-based network management system are configured.
Item: PC operating as the network management terminal
Requirement: IE is available. The IP address of the management VLAN interface of the switch is available.
2 Configure the user name and the password for the Web-based network management
system.
a Configure the user name to be admin.
[3Com] local-user admin
b Set the user level to level 3.
[3Com-luser-admin] service-type telnet level 3
c Set the password to admin.
[3Com-luser-admin] password simple admin
3 Establish an HTTP connection between your PC and the switch, as shown in the
following figure.
Figure 18 Establish an HTTP connection between your PC and the switch
4 Log into the switch through IE. Launch IE on the Web-based network management
terminal (your PC) and enter the IP address of the management VLAN interface of the
switch (here it is http://10.153.17.82). (Make sure the route between the Web-based
network management terminal and the switch is available.)
5 When the login interface (shown in Figure 19) appears, enter the user name and the
password configured in step 2 and click <Login> to bring up the main page of the
Web-based network management system.
Figure 19 The login page of the Web-based network management system
Web Server Shutdown/Startup
You can shut down or start up the Web server.
The Web server is started by default.
Table 25 Web Server Shutdown/Startup
To: Shut down the Web server
Use the command: undo ip http enable
Remarks: Required. Execute this command in system view.
To: Start the Web server
Use the command: ip http enable
Remarks: Required. Execute this command in system view.
6 LOGGING IN THROUGH NMS
Introduction
You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
The agent here refers to the software running on network devices (switches) and acting as the server.
SNMP (simple network management protocol) is applied between the NMS and the agent.
To log into a switch through an NMS, you need to perform related configuration on both
the NMS and the switch.
Connection Establishment Using NMS
Figure 20 Network diagram for logging in through an NMS
Table 26 Requirements for logging into a switch through an NMS
Item: Switch
Requirement: The management VLAN of the switch is configured. The route between the NMS and the switch is available. (Refer to the VLAN module for more.) The basic SNMP functions are configured. (Refer to the SNMP-RMON module for more.)
Item: NMS
Requirement: The NMS is properly configured. (Refer to the user manual of your NMS for more.)
7 CONTROLLING LOGIN USERS
Introduction
A switch provides ways to control different types of login users, as listed in Table 27.
Controlling Telnet Users
Prerequisites
The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).
Table 27 Ways to control different types of login users
Login mode: Telnet
  Control method: By source IP addresses; Implementation: Through basic ACLs; Related section: Controlling Telnet Users by Source IP Addresses
  Control method: By source and destination IP addresses; Implementation: Through advanced ACLs; Related section: Controlling Telnet Users by Source and Destination IP Addresses
  Control method: By source MAC addresses; Implementation: Through Layer 2 ACLs; Related section: Controlling Telnet Users by Source MAC Addresses
Login mode: SNMP
  Control method: By source IP addresses; Implementation: Through basic ACLs; Related section: Controlling Network Management Users by Source IP Addresses
Login mode: WEB
  Control method: By source IP addresses; Implementation: Through basic ACLs; Related section: Controlling Web Users by Source IP Addresses
  Control method: Disconnect Web users by force; Implementation: By executing commands in CLI; Related section: Disconnecting a Web User by Force
Controlling Telnet Users by Source IP Addresses
Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.
Table 28 Controlling Telnet Users by Source IP Addresses
To: Enter system view
Use the command: system-view

To: Enter Ethernet port view or port group view
  Enter Ethernet port view: interface interface-type interface-number
  Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command. Configured in Ethernet port view, the following settings are effective on the current port only; configured in port group view, the following settings are effective on all ports in the port group.

To: Configure a port as a trunk port
Use the command: port link-type trunk
Remarks: Required

To: Add the current trunk port to specified VLANs
Use the command: port trunk permit vlan { vlan-id-list | all }
Remarks: Required. By default, all trunk ports only allow VLAN 1 to pass.

To: Set the default VLAN for the trunk port
Use the command: port trunk pvid vlan vlan-id
Remarks: Optional. By default, the default VLAN of the trunk port is VLAN 1.
Configuring a Hybrid Port-Based VLAN
A hybrid port allows multiple VLANs to pass, but you can only configure it in Ethernet port view/port group view.
A trunk port and a hybrid port cannot switch to each other directly but must be
configured as an access port first. For example, a trunk port cannot be configured to
be a hybrid port directly. You must specify it as an access port first, and then specify it
to a hybrid port.
The VLANs configured to be permitted to pass through a hybrid port must exist.
The default VLAN ID of the hybrid port on the local switch must be the same as that
of the hybrid on the opposite switch. Otherwise, the packets cannot be transmitted
correctly.
Displaying VLAN Configuration
After the above configuration, you can execute the display command in any view to view the running of the VLAN configuration, and to verify the effect of the configuration.
Table 81 Configure a hybrid port-based VLAN
To do: Enter system view
Use the command: system-view

To do: Enter Ethernet port view or port group view
  Enter Ethernet port view: interface interface-type interface-number
  Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command. Configured in Ethernet port view, the following settings are effective on the current port only; configured in port group view, the following settings are effective on all ports in the port group.

To do: Configure a port as a hybrid port
Use the command: port link-type hybrid
Remarks: Required

To do: Add the current hybrid port to specified VLANs
Use the command: port hybrid vlan vlan-id-list { tagged | untagged }
Remarks: Required. You can configure a hybrid port to add or not to add a tag to specified VLAN packets when it sends packets.

To do: Set the default VLAN for the hybrid port
Use the command: port hybrid pvid vlan vlan-id
Remarks: Optional. By default, the default VLAN of the hybrid port is VLAN 1.
Table 82 Display the information about specified VLANs
To do: Display the information about specified VLANs
Use the command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | static | dynamic | reserved ]
Remarks: Available in any view

To do: Display the information about a specified VLAN interface
Use the command: display interface vlan-interface [ vlan-interface-id ]
Remarks: Available in any view
CHAPTER 12: VLAN CONFIGURATION
VLAN Configuration Example
Network Requirements
Switch A connects with Switch B through the trunk port GigabitEthernet1/0/1.
The default VLAN ID of the port is 100.
The port permits the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.
Network Diagram
Figure 45 Configure packets to pass through the default VLAN
Configuration Procedure
1 Configure Switch A
a Create VLAN 2, VLAN 6 through VLAN 50 and VLAN 100.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.
b Enter Ethernet port view of GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
c Configure GigabitEthernet1/0/1 as a trunk port, and configure its default VLAN ID as VLAN 100.
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100
d Configure GigabitEthernet1/0/1 to permit the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
2 Configuration on Switch B is the same as that on Switch A.
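As an added example (not part of the 3Com manual), the following Python models the trunk configuration just shown: it parses the vlan-id-list syntax of port trunk permit vlan (single IDs, low to high ranges, all), replays the commands for Switch A and Switch B, and checks both ends against each other, since the example requires Switch B to be configured exactly like Switch A. The 1 to 4094 VLAN ID range and the accumulating behaviour of repeated port trunk permit vlan commands are assumptions, as are the function and class names.

```python
from __future__ import annotations

from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094   # 802.1Q VLAN ID range (assumption; not stated on this page)


def _vlan_id(token: str) -> int:
    """Parse one VLAN ID and enforce the valid range."""
    value = int(token)
    if not VLAN_MIN <= value <= VLAN_MAX:
        raise ValueError(f"VLAN ID {value} out of range {VLAN_MIN}-{VLAN_MAX}")
    return value


def parse_vlan_list(text: str) -> set[int]:
    """Parse a vlan-id-list such as '2 6 to 50 100' ('low to high' ranges) or 'all'."""
    tokens = text.split()
    if tokens == ["all"]:
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    vlans: set[int] = set()
    i = 0
    while i < len(tokens):
        low = _vlan_id(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high = _vlan_id(tokens[i + 2])
            if high < low:
                raise ValueError(f"descending range {low} to {high}")
            vlans.update(range(low, high + 1))
            i += 3
        else:
            vlans.add(low)
            i += 1
    return vlans


@dataclass
class TrunkPort:
    """State of one port plus the VLANs that exist on its switch."""
    name: str
    link_type: str = "access"                                   # ports start as access ports
    pvid: int = 1                                               # default VLAN is VLAN 1
    permitted: set[int] = field(default_factory=lambda: {1})    # trunk permits VLAN 1 only
    created: set[int] = field(default_factory=lambda: {1})      # VLAN 1 always exists


def apply_command(port: TrunkPort, line: str) -> None:
    """Apply one command from the procedure above (prompt stripped).

    Assumption: repeated `port trunk permit vlan` commands accumulate."""
    words = line.split()
    if words[:3] == ["port", "link-type", "trunk"]:
        port.link_type = "trunk"
    elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
        port.pvid = _vlan_id(words[4])
    elif words[:4] == ["port", "trunk", "permit", "vlan"]:
        port.permitted |= parse_vlan_list(" ".join(words[4:]))
    elif words[:1] == ["vlan"]:
        port.created |= parse_vlan_list(" ".join(words[1:]))
    else:
        raise ValueError(f"command not modelled here: {line!r}")


def check_trunk(port: TrunkPort) -> list[str]:
    """Trunk settings need a trunk port, a permitted default VLAN, and existing VLANs."""
    issues = []
    if port.link_type != "trunk":
        issues.append(f"{port.name}: port trunk settings applied to a {port.link_type} port")
    if port.pvid not in port.permitted:
        issues.append(f"{port.name}: default VLAN {port.pvid} is not in the permitted list")
    missing = sorted(port.permitted - port.created)
    if missing:
        issues.append(f"{port.name}: permitted VLANs that do not exist: {missing}")
    return issues


def check_trunk_pair(local: TrunkPort, peer: TrunkPort) -> list[str]:
    """Both ends must agree; the example configures Switch B exactly like Switch A."""
    issues = check_trunk(local) + check_trunk(peer)
    if local.pvid != peer.pvid:
        issues.append(f"default VLAN mismatch: {local.name} uses {local.pvid}, "
                      f"{peer.name} uses {peer.pvid}")
    if local.permitted != peer.permitted:
        issues.append(f"permitted VLAN lists differ between {local.name} and {peer.name}")
    return issues


def configure_as_in_example(switch: str) -> TrunkPort:
    """Replay the configuration procedure above for one switch."""
    port = TrunkPort(name=f"{switch} GigabitEthernet1/0/1")
    for line in ("vlan 2", "vlan 100", "vlan 6 to 50", "port link-type trunk",
                 "port trunk pvid vlan 100", "port trunk permit vlan 2 6 to 50 100"):
        apply_command(port, line)
    return port
```

Setting switch_b.pvid back to 1 after configure_as_in_example("Switch B") reproduces the effect of forgetting port trunk pvid vlan 100 on one end, and check_trunk_pair then reports the default VLAN mismatch.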
13 VOICE VLAN CONFIGURATION
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice data stream. By adding the ports
with voice devices attached to voice VLANs, you can perform QoS (quality of
service)-related configuration for voice data, ensuring the transmission priority of voice
data stream and voice quality.
The Switch 4500G determines whether a received packet is a voice packet by checking
its source MAC address. If the source MAC addresses of packets comply with the
organizationally unique identifier (OUI) addresses configured by the system, the packets
are determined as voice packets and transmitted in voice VLAN.
You can configure an OUI address for voice packets or specify to use the default OUI
address.
The following table shows the five default OUI addresses of a switch.
An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can
determine which vendor a device belongs to according to the OUI address which
forms the first 24 bits of a MAC address.
You can add or delete the default OUI address manually.
Automatic Mode and Manual Mode of Voice VLAN
A voice VLAN can operate in two modes: automatic mode and manual mode. You can
configure the operation mode for a voice VLAN according to data stream passing
through the ports of the voice VLAN.
In automatic mode, the system identifies the source MAC address contained in the
untagged packet sent when the IP phone is powered on and matches it against the
OUI addresses. If a match is found, the system will automatically add the port into the
Voice VLAN and send ACL rules to ensure the packet precedence. An aging time can
be configured on the device. The system will remove a port from the voice VLAN if no
voice packets are received from it within the aging time. The adding and deleting of
ports are automatically realized by the system.
Table 83 Default OUI addresses preset by the switch
Number OUI Address Vendor
1 0003-6b00-0000 Cisco phone
2 000f-e200-0000 3Com Aolynk phone
3 00d0-1e00-0000 Pingtel phone
4 00e0-7500-0000 Polycom phone
5 00e0-bb00-0000 3com phone
In manual mode, administrators add the IP phone access port directly to the voice
VLAN. It then identifies the source MAC address contained in the packet, matches it
against the OUI addresses, and decides whether to forward the packet in the voice
VLAN. The administrators send ACL rules while adding or deleting a port from the
voice VLAN. In this mode, the adding or deleting of ports is realized by the
administrators.
Both modes forward tagged packets in the same manner: forward them based on the
VLAN ID contained in the packets.
The above two working modes are only configured under Ethernet interface view. The
working modes for different voice VLAN vary and different ports can be configured to
work in different modes.
The following table lists the correlation between the working modes of a voice VLAN, the voice traffic type of an IP phone, and the interface modes of a VLAN interface.
Table 84 Port modes and voice stream types
Port voice VLAN mode: Automatic mode
  Voice stream type: Tagged voice stream
    Access: Not supported
    Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN. And the access port permits the packets of the default VLAN.
    Hybrid: Supported. Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose packets are permitted by the access port.
  Voice stream type: Untagged voice stream
    Access, Trunk, Hybrid: Not supported, because the default VLAN of the port must be a voice VLAN and the access port is in the voice VLAN. To do so, you can also add the port to the voice VLAN manually.
Port voice VLAN mode: Manual mode
  Voice stream type: Tagged voice stream
    Access: Not supported
    Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN. And the access port permits the packets of the default VLAN.
    Hybrid: Supported. Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose packets are permitted by the access port.
  Voice stream type: Untagged voice stream
    Access: Supported. Make sure the default VLAN of the port is a voice VLAN.
    Trunk: Supported. Make sure the default VLAN of the port is a voice VLAN and the port permits the packets of the VLAN.
    Hybrid: Supported. Make sure the default VLAN of the port is a voice VLAN and is in the list of untagged VLANs whose packets are permitted by the port.
CAUTION:
If the voice stream transmitted by your IP phone carries a VLAN tag and the port to which the IP phone is attached is enabled with 802.1x authentication and an 802.1x guest VLAN, assign different VLAN IDs to the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN so that the two functions operate properly.
If the voice stream transmitted by the IP phone carries no VLAN tag, the default VLAN of the port to which the IP phone is attached must be configured as a voice VLAN for the voice VLAN function to take effect. In this case, 802.1x authentication is unavailable.
The default VLAN of all ports is VLAN 1. You can use the corresponding command to specify a default VLAN for a port and to allow certain VLANs to pass through the port; see the related commands in Port-Based VLAN (section 1.4).
Use the display interface command to display the VLANs allowed to pass through a port and the default VLAN of the port.
Security Mode and Ordinary Mode of Voice VLAN
A voice VLAN works in security mode or ordinary mode according to the packet filtering rule of the port enabled with the voice VLAN function.
In security mode, the port with the voice VLAN function enabled allows only voice packets whose source MAC address is a recognizable OUI address. Other packets are discarded (including some authentication packets, such as 802.1x authentication packets).
In ordinary mode, the port with the voice VLAN function enabled allows both voice packets and other types of packets to pass. Voice packets comply with the filtering rule of the voice VLAN, and other types of packets comply with the filtering rule of the ordinary VLAN.
You are recommended not to transmit voice data and other service data in a voice VLAN simultaneously. If you need to do so, make sure you have disabled the security mode of the voice VLAN.
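As an added example (not code from the 3Com manual or the switch), the following Python reproduces the classification described in this section and in the automatic and manual mode text above: the default OUI table from Table 83 with an assumed ffff-ff00-0000 mask, the masked match behind voice vlan mac-address oui mask oui-mask, automatic-mode port joining and aging, and the security-mode versus ordinary-mode filtering rule. The Frame and VoicePort structures, the simulated clock in minutes, and all function names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# The five default OUI entries from Table 83. The page says an OUI is the
# first 24 bits of a MAC address, so a ffff-ff00-0000 mask is assumed here.
DEFAULT_OUIS = {
    "0003-6b00-0000": "Cisco phone",
    "000f-e200-0000": "3Com Aolynk phone",
    "00d0-1e00-0000": "Pingtel phone",
    "00e0-7500-0000": "Polycom phone",
    "00e0-bb00-0000": "3com phone",
}
DEFAULT_MASK = "ffff-ff00-0000"


def mac_to_int(mac: str) -> int:
    """Accept the switch's hhhh-hhhh-hhhh notation or aa:bb:cc:dd:ee:ff."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    """One `voice vlan mac-address oui mask oui-mask [ description text ]` entry."""
    oui: int
    mask: int
    description: str

    def matches(self, src_mac: int) -> bool:
        # Masked comparison: only the bits set in the mask must agree.
        return (src_mac & self.mask) == (self.oui & self.mask)


def default_oui_table() -> list[OuiEntry]:
    return [OuiEntry(mac_to_int(o), mac_to_int(DEFAULT_MASK), d) for o, d in DEFAULT_OUIS.items()]


def add_oui(table: list[OuiEntry], oui: str, mask: str, description: str) -> None:
    """Model adding an OUI entry; a shorter mask widens the set of matching MACs."""
    table.append(OuiEntry(mac_to_int(oui), mac_to_int(mask), description))


def is_voice_mac(src_mac: str, table: list[OuiEntry]) -> str | None:
    """Return the description of the first matching OUI entry, or None."""
    value = mac_to_int(src_mac)
    for entry in table:
        if entry.matches(value):
            return entry.description
    return None


@dataclass
class Frame:
    src_mac: str
    vlan_tag: int | None = None          # None means the frame is untagged


@dataclass
class VoicePort:
    voice_vlan: int
    pvid: int                            # default VLAN of the port
    mode: str = "automatic"              # "automatic" or "manual"
    security: bool = True                # security mode is the default (Table 85)
    aging_minutes: int = 1440            # default aging time (Table 85)
    in_voice_vlan: bool = False          # manual mode: set by the administrator
    last_voice_seen: int | None = None   # simulated clock, in minutes


def handle_frame(port: VoicePort, frame: Frame, now: int, table: list[OuiEntry]) -> str:
    """Classify one received frame and return the port's decision."""
    vendor = is_voice_mac(frame.src_mac, table)
    if vendor is None:
        if port.security:
            # Security mode: everything without a recognised OUI is discarded,
            # which on the page includes 802.1x authentication packets.
            return "drop (security mode, non-voice source MAC)"
        vlan = frame.vlan_tag if frame.vlan_tag is not None else port.pvid
        return f"forward in VLAN {vlan} (ordinary mode, non-voice)"
    port.last_voice_seen = now
    if port.mode == "automatic" and frame.vlan_tag is None and not port.in_voice_vlan:
        port.in_voice_vlan = True   # untagged voice frame at power-on joins the port
    # Tagged frames go by their tag in both modes; untagged ones use the default VLAN.
    vlan = frame.vlan_tag if frame.vlan_tag is not None else port.pvid
    return f"forward in VLAN {vlan} (voice, {vendor})"


def age_port(port: VoicePort, now: int) -> bool:
    """Automatic mode only: leave the voice VLAN after aging_minutes without voice frames."""
    if (port.mode == "automatic" and port.in_voice_vlan
            and port.last_voice_seen is not None
            and now - port.last_voice_seen >= port.aging_minutes):
        port.in_voice_vlan = False
    return port.in_voice_vlan
```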
Voice VLAN Configuration
Configuration Prerequisites
Create the corresponding VLAN before configuring a voice VLAN.
VLAN 1 is the default VLAN and does not need to be created. But VLAN 1 does not support the voice VLAN function.
Configuring a Voice VLAN to Operate in Automatic Mode
Execute the voice vlan security enable command and the undo voice vlan security enable command before you enable the voice VLAN function globally. Otherwise, the two commands will not take effect.
Configuring a Voice VLAN to Operate in Manual Mode
Table 85 Configure a voice VLAN to operate in automatic mode
To do: Enter system view
Use the command: system-view

To do: Set the aging time for the voice VLAN
Use the command: voice vlan aging minutes
Remarks: Optional. The default aging time is 1,440 minutes, and it is only effective for ports in automatic mode.

To do: Enable the voice VLAN security mode
Use the command: voice vlan security enable
Remarks: Optional. By default, the voice VLAN security mode is enabled.

To do: Set an OUI address that can be identified by the voice VLAN
Use the command: voice vlan mac-address oui mask oui-mask [ description text ]
Remarks: Optional. A voice VLAN has five default OUI addresses.

To do: Enable the voice VLAN function globally
Use the command: voice vlan vlan-id enable
Remarks: Required

To do: Enter port view
Use the command: interface interface-type interface-number

To do: Enter aggregation port group view
Use the command: port-group aggregation agg-id

GARP PDU fields:
Attribute Type: Defined by the concerned GARP application; 0x01 for GVRP, indicating the VLAN ID attribute
Attribute List: Consists of one or multiple attributes
Attribute: Consists of an Attribute Length, an Attribute Event, and an Attribute Value. If the Attribute Event is LeaveAll, Attribute Value is omitted
To do: Enter Ethernet interface view or port group view
  Enter Ethernet interface view: interface interface-type interface-number
  Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Remarks: At least one required. Configurations made under Ethernet interface view apply to the current port only, whereas configurations made under port group view apply to all ports in the group.

To do: Configure broadcast storm suppression ratio
Use the command: broadcast-suppression { ratio | pps pps }
Remarks: Optional. Defaults to 100%, that is, broadcast traffic is not suppressed by default.

To do: Configure multicast storm suppression ratio
Use the command: multicast-suppression { ratio | pps pps }
Remarks: Optional. Defaults to 100%, that is, multicast traffic is not suppressed by default.

To do: Configure unknown unicast storm suppression ratio
Use the command: unicast-suppression { ratio | pps pps }
Remarks: Optional. Defaults to 100%, that is, unknown unicast traffic is not suppressed by default.
CHAPTER 15: ETHERNET INTERFACE CONFIGURATION
Copying Configurations from a Specified Port to Other Ports
Using the copy configuration command you can easily copy configurations from a
specified Ethernet interface to other Ethernet interfaces provided that they all work in
Layer 2 mode.
Configurations that can be copied include VLAN, QoS, STP, and port configurations, as
illustrated below:
VLAN configurations: VLANs that are allowed to pass through the port, default VLAN
ID;
QoS configurations: rate limiting, port priority, default 802.1p priorities;
STP configuration: STP enabled/disabled, link types (point-to-point or not), STP
priority, route cost, rate limit, looping, root protection, edge ports or not.
Port configuration: link type, rate, duplex mode.
Follow the following steps to copy configurations from a specified port to other ports:
Enabling the
Forwarding of Jumbo
Frames
Due to tremendous amount of traffic occurred in Ethernet, it is likely that some frames
might have a frame size greater than the standard Ethernet frame size. By allowing such
frames (called jumbo frames) to pass through Ethernet interfaces, you can forward
frames with a size greater than the standard Ethernet frame size and yet still within the
specified size range.
Follow the following steps to enable the forwarding of jumbo frames
Configuring an
Ethernet Interface to
Perform Loopback
Detection
The purpose of loopback detection is to detect loopbacks on an interface.
When loopback detection is enabled on an Ethernet interface, the device will routinely
check whether the ports have any external loopback. If it detects a loopback on a port,
the device will turn that port under loopback detection mode.
Table 100 Copying Configurations from a Specified Port to Other Ports
To... Use the command... Remarks
Enter system view
system-view
Enable the
forwarding
of jumbo
frames
Enable the
forwarding on port
group ports
port-group { manual
port-group-name |
aggregation agg-id }
At least one required
jumboframe enable
Enable the
forwarding on a
specified port
interface interface-type
interface-number
jumboframe enable
General Ethernet Interface Configuration 157
If an Access port has been detected with loopbacks, it will be shut down. A Trap message will be sent to the terminal and the corresponding MAC address forwarding entries will be deleted.
If a Trunk port or Hybrid port has been detected with loopbacks, a Trap message will be sent to the terminal. If the loopback detection control feature is enabled on them, the port will also be shut down. In addition, a Trap message will be sent to the terminal and the corresponding MAC address forwarding entries will be deleted.
Follow these steps to configure loopback detection:
CAUTION:
Loopback detection on a given port is enabled only after the loopback-detection enable command has been issued in both system view and the interface view of the port.
Loopback detection on all ports will be disabled after the undo loopback-detection enable command is issued in system view.
Table 102 Configuring an Ethernet Interface to Perform Loopback Detection
To... -- Use the command... -- Remarks
Enter system view -- system-view
Enter Ethernet port view -- interface interface-type interface-number -- At least one required; configurations made under Ethernet interface view apply to the current port only, whereas configurations made under port group view apply to all ports in the group.
Enter port group view -- port-group { manual port-group-name | aggregation agg-id }

Add the Ethernet port to the isolation group -- port-isolate enable -- Required. By default, an isolation group contains no port.
Table 113 Display port isolation configuration
Operation -- Command -- Description
Display the information about the Ethernet ports added to the isolation group -- display port-isolate group -- You can execute the display command in any view
172 CHAPTER 17: PORT ISOLATION CONFIGURATION
Port Isolation Configuration Example
Network requirements
PC 2, PC 3 and PC 4 are connected to GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports.
The switch connects to the Internet through GigabitEthernet1/0/1 port.
It is desired that PC 2, PC 3 and PC 4 cannot communicate with each other.
Network diagram
Figure 51 Network diagram for port isolation configuration
Configuration procedure
1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port-isolate enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] port-isolate enable
[3Com-GigabitEthernet1/0/3] quit
[3Com] interface GigabitEthernet 1/0/4
[3Com-GigabitEthernet1/0/4] port-isolate enable
2 Display the information about the ports in the isolation group.
<3Com> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 1
GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4
18 MAC ADDRESS TABLE MANAGEMENT
Introduction to Managing MAC Address Table
An Ethernet switch needs to maintain a MAC address table to speed up packet forwarding. A table entry includes the MAC address of a device connected to the Ethernet switch, and the interface number and VLAN ID of the Ethernet switch interface connected to the device. A MAC address table includes both static and dynamic address entries. The static entries are manually configured by users, whereas the dynamic entries can be manually configured by users or dynamically learned by the Ethernet switch. The static entries will not be aged, whereas the dynamic entries can be aged (if the entry has its aging time configured as aging, it will be aged; if it is configured as no-aging, it will not be aged).
An Ethernet switch learns a MAC address in the following way: after receiving a data frame on a port (assumed to be port A), the Ethernet switch analyzes its source MAC address (assumed to be MAC-SOURCE) and concludes that packets destined for MAC-SOURCE can be forwarded through port A. If the table already contains MAC-SOURCE, the Ethernet switch updates the corresponding entry; otherwise, it adds the new MAC address and the related forwarding port as a new entry to the table.
During MAC address learning, static MAC addresses that are manually configured by users will not be overwritten by dynamic MAC addresses. However, the latter can be overwritten by the former.
The Ethernet switch forwards packets whose destination MAC addresses can be found in the MAC address table and broadcasts those whose destination MAC addresses are not in the table. Upon receipt of the broadcast packet, the destination network device sends back a response packet which contains the MAC address of the device. The Ethernet switch learns this new MAC address and adds it to the MAC address table. Subsequent packets destined for the same MAC address can then be forwarded directly.
174 CHAPTER 18: MAC ADDRESS TABLE MANAGEMENT
Figure 52 An Ethernet switch forwards packets according to the MAC address table
The Ethernet switch also provides the function of MAC address aging. If the Ethernet
switch does not receive a packet from a network device within a period of time, it will
delete the corresponding entry from the MAC address table.
You can configure (add or modify) the MAC address entries manually according to the
actual network environment. The entries can be static ones or dynamic ones.
Configuring the MAC Address Table
Configuring MAC Address Table Entries
Administrators can manually add, modify, or delete the entries in a MAC address table according to actual needs.
(Figure 52, diagram content: a MAC address table with MAC A and MAC B on Port 1, and MAC C and MAC D on Port 2.)
Table 114 Configure MAC Address Table Entries
To do -- Use the command -- Remarks
Enter system view -- system-view
Enter the interface view of a specified port -- interface interface-type interface-number -- At least one required. Subsequent configurations apply to the current interface only after entering its interface view, and to all ports in a port group after entering the port group view.
Enter the port group view of a specified port group -- port-group { manual port-group-name | aggregation agg-id }
Configure the maximum number of MAC addresses that can be learned by an Ethernet port, and whether to forward packets when the number of MAC addresses has reached count -- mac-address max-mac-count count -- Required. By default, the maximum number of MAC addresses that an Ethernet port or a port group can learn is not configured.
Displaying and Maintaining the MAC Address Table
Table 117 Display and maintain the MAC address table
To... -- Use the command -- Remarks
Display the information in the address table -- display mac-address [ mac-address [ vlan vlan-id ] | [ blackhole | dynamic | static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] -- Available in any view
Display the aging time of dynamic address table entries -- display mac-address aging-time -- Available in any view
MAC Address Table Management Configuration Example
Network requirements
The user logs in to the switch through the Console port. Configure the MAC address table management function. Configure the aging time for dynamic table entries to be 500 seconds. Add a static address table entry 00e0-fc35-dc71 to the interface GigabitEthernet 1/0/7 in VLAN 1.
Network diagram
Figure 53 Typical configuration of address table management
(Figure 53, diagram content: a switch with a Console Port towards the user and a Network Port towards the Internet.)
Configuration procedure
1 Enter the system view of the switch.
<3Com> system-view
2 Add a static MAC address (specify the native VLAN, port, and state).
[3Com] mac-address static 00e0-fc35-dc71 interface GigabitEthernet 1/0/7 vlan 1
3 Configure the aging time for dynamic MAC address table entries to be 500 seconds.
[3Com] mac-address timer aging 500
4 Display the MAC address configurations under any view.
[3Com] display mac-address interface gigabitEthernet 1/0/7
MAC ADDR          VLAN ID   STATE           PORT INDEX             AGING TIME(s)
00e0-fc35-dc71    1         Config static   GigabitEthernet1/0/7   NOAGED
--- 1 mac address(es) found ---
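The learning, static-versus-dynamic and aging behaviour described in the introduction of this chapter, together with the aging-time and max-mac-count settings of Table 114 and the configuration example above, as an added Python model that is not the manual's or the switch's own code; the port names, the forward_when_full flag and the 000f-e200-xxxx host addresses are assumptions made for the example.

```python
"""Model of the MAC address table behaviour described in this chapter: learning
from source addresses, flooding of unknown destinations, static entries that
learning never overwrites, aging of dynamic entries, and the per-port
max-mac-count limit. Added example, not the switch's own code. Port names use
the manual's GigabitEthernet1/0/N form; the forward_when_full flag stands in
for the table's "whether to forward packets when the count is reached" option;
the 000f-e200-xxxx hosts are constructed sample addresses."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Entry:
    port: str
    static: bool          # static entries are never aged or overwritten by learning
    refreshed_at: float   # time of the last frame that refreshed a dynamic entry


class MacTable:
    def __init__(self, ports: List[str], aging_time: float = 300.0):
        self.ports = list(ports)
        self.aging_time = aging_time                     # "mac-address timer aging"
        self.entries: Dict[Tuple[str, int], Entry] = {}  # (mac, vlan) -> entry
        self.max_mac_count: Dict[str, int] = {}          # port -> learning limit
        self.forward_when_full: Dict[str, bool] = {}     # port -> forward at limit?

    def set_max_mac_count(self, port: str, count: int, forward_when_full: bool = True) -> None:
        """Counterpart of 'mac-address max-mac-count count' in the port's view."""
        self.max_mac_count[port] = count
        self.forward_when_full[port] = forward_when_full

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """Counterpart of 'mac-address static <mac> interface <port> vlan <id>';
        a static entry replaces any dynamic entry for the same MAC and VLAN."""
        self.entries[(mac, vlan)] = Entry(port, True, 0.0)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> str:
        """Learn or refresh a dynamic entry and report what happened."""
        key = (mac, vlan)
        existing = self.entries.get(key)
        if existing is not None and existing.static:
            return "static"        # learning never overwrites a static entry
        if existing is None or existing.port != port:
            limit = self.max_mac_count.get(port)
            if limit is not None and self.dynamic_count(port) >= limit:
                return "limit"     # the port has reached its max-mac-count
        self.entries[key] = Entry(port, False, now)
        return "refreshed" if existing is not None else "learned"

    def age(self, now: float) -> List[str]:
        """Delete dynamic entries not refreshed within the aging time; return their MACs."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.refreshed_at >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return [mac for mac, _ in expired]

    def handle_frame(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> Set[str]:
        """Learn from the source address, then return the egress ports: the learned
        port for a known destination, every other port (flooding) for an unknown
        one, or an empty set if the frame is dropped or stays on the ingress port."""
        if self.learn(src, vlan, in_port, now) == "limit" and not self.forward_when_full[in_port]:
            return set()
        entry = self.entries.get((dst, vlan))
        if entry is None:
            return {p for p in self.ports if p != in_port}
        return set() if entry.port == in_port else {entry.port}


def example_scenario() -> Dict[str, object]:
    """Replay the chapter's example (static 00e0-fc35-dc71 on GigabitEthernet1/0/7
    in VLAN 1, aging time 500 s) against constructed traffic."""
    ports = [f"GigabitEthernet1/0/{i}" for i in range(1, 8)]
    table = MacTable(ports, aging_time=500)
    table.add_static("00e0-fc35-dc71", 1, ports[6])
    r: Dict[str, object] = {}
    # A host on port 2 sends to the static MAC: learned on port 2, sent to port 7 only.
    r["to_static"] = table.handle_frame("000f-e200-0001", "00e0-fc35-dc71", 1, ports[1], 0)
    # Unknown destination: flooded out of every port except the ingress port.
    r["flooded"] = table.handle_frame("000f-e200-0002", "000f-e200-ffff", 1, ports[2], 1)
    # The static MAC seen as a source on port 3 does not move the static entry.
    r["static_kept"] = table.learn("00e0-fc35-dc71", 1, ports[2], 2)
    r["static_port"] = table.entries[("00e0-fc35-dc71", 1)].port
    # Port 4 may learn one address; a second host there is not learned and is dropped.
    table.set_max_mac_count(ports[3], 1, forward_when_full=False)
    table.handle_frame("000f-e200-0003", "000f-e200-0001", 1, ports[3], 3)
    r["over_limit"] = table.handle_frame("000f-e200-0004", "000f-e200-0001", 1, ports[3], 4)
    # Aging: the entry learned at t=0 expires once 500 s pass; the static one never does.
    r["aged_at_499"] = table.age(499)
    r["aged_at_500"] = table.age(500)
    r["static_survives"] = ("00e0-fc35-dc71", 1) in table.entries
    return r
```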
19 MSTP CONFIGURATION
MSTP Overview
Introduction to STP
Functions of STP
The spanning tree protocol (STP) is a protocol used to eliminate loops in a local area network (LAN). Devices running this protocol detect loops in the network by exchanging information with one another and eliminate the loops by blocking certain ports until the looped network is pruned into a loop-free tree, thereby avoiding proliferation and endless cycling of packets in a looped network.
Basic concepts in STP
1 Root bridge
A tree network must have a root; hence the concept of root bridge has been
introduced in STP.
There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology. Therefore, the root bridge is not fixed.
Upon network convergence, the root bridge generates and sends out at a certain interval
a BPDU and other devices just forward this BPDU. This mechanism ensures the
topological stability.
2 Root port
On a non-root bridge device, the root port is the port with the lowest path cost to the
root bridge. The root port is responsible for forwarding data to the root bridge. A
non-root-bridge device has one and only one root port. The root bridge has no root port.
3 Designated bridge and designated port
Refer to the following table for the description of designated bridge and designated port.
Table 118 Description of designated bridge and designated port
Classification -- Designated bridge -- Designated port
For a device -- The device directly connected with this device and responsible for forwarding BPDUs -- The port through which the designated bridge forwards BPDUs to this device
For a LAN -- The device responsible for forwarding BPDUs to this LAN segment -- The port through which the designated bridge forwards BPDUs to this LAN segment
180 CHAPTER 19: MSTP CONFIGURATION
Figure 54 shows designated bridges and designated ports. In the figure, AP1 and AP2,
BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C
respectively.
If Switch A forwards BPDUs to Switch B through AP1, the designated bridge for
Switch B is Switch A, and the designated port is the port AP1 on Switch A.
Two devices are connected to the LAN: Switch B and Switch C. If Switch B forwards
BPDUs to the LAN, the designated bridge for the LAN is Switch B, and the designated
port is the port BP2 on Switch B.
Figure 54 A schematic diagram of designated bridges and designated ports
All the ports on the root bridge are designated ports.
How STP works
STP identifies the network topology by transmitting configuration BPDUs between
network devices. Configuration BPDUs contain sufficient information for network
devices to complete the spanning tree computing. Important fields in a configuration
BPDU include:
Root bridge ID: consisting of root bridge priority and MAC address.
Root path cost: the cost of the shortest path to the root bridge.
Designated bridge ID: designated bridge priority plus MAC address.
Designated port ID: designated port priority plus port name.
Message age: age of the configuration BPDU.
Max age: maximum age of the configuration BPDU.
Hello time: configuration BPDU interval.
Forward delay: forward delay of the port.
For the convenience of description, the description and examples below involve only four
parts of a configuration BPDU:
Root bridge ID (in the form of device priority)
Root path cost
Designated bridge ID (in the form of device priority)
Designated port ID (in the form of port name)
1 Specific computing process of the STP algorithm
Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root, in
which the root path cost is 0, designated bridge ID is the device ID, and the designated
port is the local port.
Selection of the optimum configuration BPDU
Each device sends out its configuration BPDU and receives configuration BPDUs from
other devices.
The process of selecting the optimum configuration BPDU is as follows:
Principle for configuration BPDU comparison:
The configuration BPDU that has the lowest root bridge ID has the highest priority.
If all the configuration BPDUs have the same root bridge ID, they will be compared for their root path costs. If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S, the configuration BPDU with the smallest S value has the highest priority.
If all configuration BPDUs have the same root path cost, they will be compared for their designated bridge IDs, then their designated port IDs, and then the IDs of the ports on which they are received. The smaller the ID, the higher the message priority.
Selection of the root bridge
At network initialization, each STP-compliant device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare one another's root bridge IDs. The device with the smallest root bridge ID is elected as the root bridge.
Table 119 Selection of the optimum configuration BPDU
Step 1: Upon receiving a configuration BPDU on a port, the device performs the following processing:
If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device will replace the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.
Step 2: The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU.
Selection of the root port and designated ports
The process of selecting the root port and designated ports is as follows:
When the network topology is stable, only the root port and designated ports forward traffic, while all other ports are in the blocked state: they only receive STP packets but do not forward user traffic.
Once the root bridge, the root port on each non-root bridge and the designated ports have been elected, the entire tree-shaped topology has been constructed.
The following is an example of how the STP algorithm works. The network diagram is shown in Figure 55. In the figure, the priority of Switch A is 0, the priority of Switch B is 1, the priority of Switch C is 2, and the path costs of the links are 5, 10 and 4 respectively.
Figure 55 Network diagram for STP algorithm
Table 120 Selection of the root port and designated ports
Step 1: The root port is the port on which the optimum configuration BPDU was received.
Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a design­ated port configuration BPDU for each of the remaining ports:
The root bridge ID is replaced with that of the configuration BPDU of the root port.
The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost corresponding to the root port.
The designated bridge ID is replaced with the ID of this device.
The designated port ID is replaced with the ID of this port.
Step 3: The device compares the computed configuration BPDU with the configuration BPDU on the corresponding port, and performs processing accordingly based on the comparison result:
If the configuration BPDU on the port is superior, the device will block this port without changing its configuration BPDU, so that the port will only receive BPDUs, but not send any, and will not forward data.
If the computed configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the computed configuration BPDU, which will be sent out periodically.
Initial state of each device
The following table shows the initial state of each device.
Table 121 Initial state of each device
Device -- Port name -- BPDU of port
Switch A -- AP1 -- {0, 0, 0, AP1}
Switch A -- AP2 -- {0, 0, 0, AP2}
Switch B -- BP1 -- {1, 0, 1, BP1}
Switch B -- BP2 -- {1, 0, 1, BP2}
Switch C -- CP1 -- {2, 0, 2, CP1}
Switch C -- CP2 -- {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 122 Comparison process and result on each device
Device -- Comparison process -- BPDU of port after comparison

Switch A
Port AP1 receives the configuration BPDU of Switch B {1, 0, 1, BP1}. Switch A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
Port AP2 receives the configuration BPDU of Switch C {2, 0, 2, CP1}. Switch A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
Switch A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are Switch A itself, so it assumes itself to be the root bridge. In this case, it does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.
BPDU of port after comparison: AP1: {0, 0, 0, AP1}; AP2: {0, 0, 0, AP2}

Switch B
Port BP1 receives the configuration BPDU of Switch A {0, 0, 0, AP1}. Switch B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
Port BP2 receives the configuration BPDU of Switch C {2, 0, 2, CP2}. Switch B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
BPDU of port after comparison: BP1: {0, 0, 0, AP1}; BP2: {1, 0, 1, BP2}
Switch B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDU of which will not be changed.
Based on the configuration BPDU of BP1 and the path cost of the root port (5), Switch B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
Switch B compares the computed configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the computed BPDU is superior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the computed configuration BPDU, which will be sent out periodically.
BPDU of port after comparison: Root port BP1: {0, 0, 0, AP1}; Designated port BP2: {0, 5, 1, BP2}

Switch C
Port CP1 receives the configuration BPDU of Switch A {0, 0, 0, AP2}. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
Port CP2 receives the configuration BPDU of port BP2 of Switch B {1, 0, 1, BP2} before the message was updated. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.
BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {1, 0, 1, BP2}
By comparison: the configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDU of which will not be changed.
Switch C compares the computed designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of this port will be replaced with the computed configuration BPDU.
BPDU of port after comparison: Root port CP1: {0, 0, 0, AP2}; Designated port CP2: {0, 10, 2, CP2}
Next, port CP2 receives the updated configuration BPDU of Switch B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old one, Switch C launches a BPDU update process.
At the same time, port CP1 receives configuration BPDUs periodically from Switch A. Switch C does not launch an update process after comparison.
BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {0, 5, 1, BP2}
By comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
After comparison between the configuration BPDU of CP1 and the computed designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port remaining unchanged, and the port will not receive data from Switch A until a spanning tree computing process is triggered by a new condition, for example, the link from Switch B to Switch C going down.
BPDU of port after comparison: Blocked port CP1: {0, 0, 0, AP2}; Root port CP2: {0, 5, 1, BP2}
After the comparison processes described in the table above, a spanning tree with Switch A as the root bridge is stabilized, as shown in Figure 56.
Figure 56 The final computed spanning tree
To facilitate description, the spanning tree computing process in this example is
simplified, while the actual process is more complicated.
2 The BPDU forwarding mechanism in STP
Upon network initiation, every switch regards itself as the root bridge, generates
configuration BPDUs with itself as the root, and sends the configuration BPDUs at a
regular interval of hello time.
If it is the root port that received the configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device will increase the message age carried in the configuration BPDU by a certain rule and start a timer to time the configuration BPDU while it sends out this configuration BPDU through the designated port.
If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port, the port will immediately send out its better configuration BPDU in response.
If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDU. This triggers a new spanning tree computing process so that a new path is established to restore the network connectivity.
However, the newly computed configuration BPDU will not be propagated throughout
the network immediately, so the old root ports and designated ports that have not
detected the topology change continue forwarding data through the old path. If the
new root port and designated port begin to forward data as soon as they are elected, a
temporary loop may occur. For this reason, STP uses a state transition mechanism.
Namely, a newly elected root port or designated port requires twice the forward delay
time before transitioning to the forwarding state, when the new configuration BPDU has
been propagated throughout the network.
Introduction to MSTP
Why MSTP
1 Disadvantages of STP and RSTP
STP does not support rapid state transition of ports. A newly elected root port or
designated port must wait twice the forward delay time before transitioning to the
forwarding state, even if it is a port on a point-to-point link or it is an edge port, which
directly connects to a user terminal rather than to another device or a shared LAN
segment.
The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a
newly elected root port or designated port to enter the forwarding state much quicker
under certain conditions than in STP. As a result, it takes a shorter time for the network
to reach the final topology stability.
In RSTP, a newly elected root port can enter the forwarding state rapidly if this
condition is met: The old root port on the device has stopped forwarding data and
the upstream designated port has started forwarding data.
In RSTP, a newly elected designated port can enter the forwarding state rapidly if this
condition is met: The designated port is an edge port or a port connected with a
point-to-point link. If the designated port is an edge port, it can enter the forwarding
state directly; if the designated port is connected with a point-to-point link, it can
enter the forwarding state immediately after the device undergoes handshake with
the downstream device and gets a response.
Although RSTP supports rapid network convergence, it has the same drawback as STP does: all bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLANs, and the packets of all VLANs are forwarded along the same spanning tree.
2 Features of MSTP
The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and
RSTP. In addition to support for rapid network convergence, it also allows data flows of
different VLANs to be forwarded along their own paths, thus providing a better load
sharing mechanism for redundant links.
MSTP features the following:
MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance
mapping table.
MSTP divides a switched network into multiple regions, each containing multiple
spanning trees that are independent of one another.
MSTP prunes loop networks into a loop-free tree, thus avoiding proliferation and
endless recycling of packets in a loop network. In addition, it provides multiple
redundant paths for data forwarding, thus supporting load balancing of VLAN data in
the data forwarding process.
MSTP is compatible with STP and RSTP.
Some concepts in MSTP
As shown in Figure 57, there are four multiple spanning tree (MST) regions, each made up of four switches running MSTP. With reference to the diagram, the following paragraphs present some concepts of MSTP.
Figure 57 Basic concepts in MSTP
1 MST region
An MST region is composed of multiple devices in a switched network and network
segments among them. These devices have the following characteristics:
All are MSTP-enabled,
They have the same region name,
They have the same VLAN-to-instance mapping configuration,
They have the same MSTP revision level configuration, and
They are physically linked with one another.
In region A0 in Figure 57, for example, all the devices have the same MST region configuration: the same region name, the same VLAN-to-instance mapping (VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the common and internal spanning tree (CIST); CIST refers to MST instance 0), and the same MSTP revision level (not shown in the figure).
Multiple MST regions can exist in a switched network. You can use an MSTP command to
group multiple devices to the same MST region.
2 VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MST instances. In Figure 57, for example, the VLAN-to-instance mapping table of region A0 describes that VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the CIST.
(Figure 57, diagram content: regions A0, B0, C0 and D0, each containing switches A, B, C and D, exchange BPDUs over the CST. In A0 and B0, VLAN 1 is mapped to instance 1, VLAN 2 to instance 2, and other VLANs to the CIST. In C0, VLAN 1 is mapped to instance 1, VLANs 2 and 3 to instance 2, and other VLANs to the CIST. In D0, VLAN 1 is mapped to instance 1 with B as the regional root bridge, VLAN 2 to instance 2 with C as the regional root bridge, and other VLANs to the CIST.)
3 IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region, with the instance number of 0. The ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region. In Figure 57, for example, the CIST has a section in each MST region, and this section is the IST of that MST region.
4 CST
The CST is a single spanning tree that connects all MST regions in a switched network. If
you regard each MST region as a device, the CST is a spanning tree computed by these
devices through MSTP. For example, the red lines in Figure 57 describe the CST.
5 CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all
devices in a switched network. In Figure 57, for example, the ISTs in all MST regions plus
the inter-region CST constitute the CIST of the entire network.
6 MSTI
Multiple spanning trees can be generated in an MST region through MSTP, each spanning tree being independent of the others. Each spanning tree is referred to as a multiple spanning tree instance (MSTI). In Figure 57, for example, multiple spanning trees can exist in each MST region, each spanning tree corresponding to a VLAN. These spanning trees are called MSTIs.
7 Regional root bridge
The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or that MSTI. Based on the topology, different spanning trees in an MST region may have different regional roots. For example, in region D0 in Figure 57, the regional root of instance 1 is device B, while that of instance 2 is device C.
8 Common root bridge
The root bridge of the CIST is the common root bridge. In Figure 57, for example, the
common root bridge is a device in region A0.
9 Boundary port
A boundary port is a port that connects an MST region to another MST region, or
to a single spanning-tree region running STP, or to a single spanning-tree region running
RSTP.
During MSTP computing, a boundary port assumes the same role on the CIST and on all
MST instances. Namely, if a boundary port is the master port on the CIST, it is also the master
port on all MST instances within this region. In Figure 57, for example, if a device in
region A0 is interconnected with the first port of a device in region D0 and the common
root bridge of the entire switched network is located in region A0, the first port of that
device in region D0 is the boundary port of region D0.
190 CHAPTER 19: MSTP CONFIGURATION
10 Roles of ports
In the MSTP computing process, port roles include designated port, root port, master
port, alternate port, backup port, and so on.
Root port: a port responsible for forwarding data to the root bridge.
Designated port: a port responsible for forwarding data to the downstream network
segment or device.
Master port: a port on the shortest path from the entire region to the common root
bridge; it connects the MST region to the common root bridge.
Alternate port: the standby port for a root port or master port. If a root port or
master port is blocked, the alternate port becomes the new root port or master port.
Backup port: if a loop occurs because two ports of the same device are interconnected,
the device blocks one of the two ports, and the backup port is the port that is
blocked.
A port can assume different roles in different MST instances.
Figure 58 Port roles
Figure 58 illustrates these concepts, where:
Devices A, B, C, and D constitute an MST region.
Port 1 and port 2 of device A connect to the common root bridge.
Port 5 and port 6 of device C form a loop.
Port 3 and port 4 of device D connect downstream to other MST regions.
How MSTP works
MSTP divides an entire Layer 2 network into multiple MST regions, which are
interconnected by a computed CST. Inside an MST region, multiple spanning trees are
generated through computing, each spanning tree called an MST instance. Among these
MST instances, instance 0 is the IST, while all the others are MSTIs. Similar to RSTP, MSTP
uses configuration BPDUs to compute spanning trees. The only difference between the
two protocols is that an MSTP BPDU carries the MSTP configuration of the device from
which the BPDU is sent.
1 CIST computing
By comparing configuration BPDUs, the device with the highest priority is elected
as the root bridge of the CIST. MSTP generates an IST within each MST region through
computing and, at the same time, regards each MST region as a single device and
generates a CST among these MST regions through computing. The CST and the ISTs
constitute the CIST of the entire network.
2 MSTI computing
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings.
MSTP performs a separate computing process, which is similar to spanning tree
computing in STP, for each spanning tree. For details, refer to How STP works.
In MSTP, a VLAN packet is forwarded along the following paths:
Within an MST region, the packet is forwarded along the corresponding MSTI.
Between two MST regions, the packet is forwarded along the CST.
Implementation of MSTP on devices
MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized
by devices running MSTP and used for spanning tree computing.
In addition to basic MSTP functions, many management-facilitating special functions
are provided, as follows:
Root bridge hold
Root bridge backup
Root guard
BPDU guard
Loop guard
Support for hot swapping of interface cards and active/standby changeover.
Configuring the Root Bridge
Configuration Tasks
Before configuring the root bridge, you need to know the position of each device in each
MST instance: root bridge or leaf node. In each instance, one and only one device acts
as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a
device that acts as the root bridge:
If both GVRP and MSTP are enabled on a device at the same time, GVRP packets will be
forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same
device and you wish to advertise a certain VLAN within the network through GVRP,
make sure that this VLAN is mapped to the CIST (instance 0) when configuring the
VLAN-to-instance mapping table.
Table 123 Configuration Tasks
Task Remarks
Configuring an MST Region Required
Specifying the Root Bridge or a Secondary Root Bridge Optional
Configuring the Work Mode of MSTP Optional
Configuring the Priority of the Current Device Optional
Configuring the Maximum Hops of an MST Region Optional
Configuring the Network Diameter of a Switched Network Optional
Configuring Timers of MSTP Optional
Configuring the Timeout Factor Optional
Configuring the Maximum Transmission Rate of Ports Optional
Configuring Ports as Edge Ports Optional
Configuring Whether Ports Connect to Point-to-Point Links Optional
Configuring the MSTP Packet Format for Ports Optional
Enabling the MSTP Feature Required
Configuring an MST Region
Configuration procedure
Follow these steps to configure an MST region:
CAUTION: Two devices belong to the same MST region only if they are configured to have
the same MST region name, the same VLAN-to-instance mapping entries in the MST
region and the same MST region revision level, and they are interconnected via a physical
link.
Your configuration of MST region-related parameters, especially the VLAN-to-instance
mapping table, will cause MSTP to launch a new spanning tree computing process,
which may result in network topology instability. To reduce the possibility of topology
instability caused by configuration, MSTP will not immediately launch a new spanning
tree computing process when processing MST region-related configurations; instead,
such configurations will take effect only if you:
activate the MST region-related parameters using the active
region-configuration command, or
enable MSTP using the stp enable command.
Configuration example
1 Configure the MST region name to be info, the MSTP revision level to be 1, and VLAN
2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to
instance 2.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name info
[3Com-mst-region] instance 1 vlan 2 to 10
[3Com-mst-region] instance 2 vlan 20 to 30
[3Com-mst-region] revision-level 1
[3Com-mst-region] active region-configuration
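The region-membership rule from the CAUTION above (same name, same VLAN-to-instance table, same revision level) and the GVRP note (advertised VLANs must sit in instance 0) can be checked offline. The following is an added example, not 3Com code; it parses the MST region view commands shown above and compares two constructed configurations.

```python
"""Added example (not the 3Com code): model the rule that two devices are in
the same MST region only if region name, VLAN-to-instance mapping table and
revision level all match. Commands are the MST region view commands from the
manual; any VLAN not mapped stays in instance 0 (the CIST), which is also
where a VLAN advertised by GVRP must be.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_region_config(commands):
    """Parse 'region-name', 'revision-level' and 'instance N vlan A [to B]'
    commands into (name, revision, mapping), mapping VLAN id -> instance."""
    name, revision = "", 0
    mapping = {v: 0 for v in range(VLAN_MIN, VLAN_MAX + 1)}
    for cmd in commands:
        cmd = " ".join(cmd.split())  # tolerate extra whitespace
        if m := re.fullmatch(r"region-name (\S+)", cmd):
            name = m.group(1)
        elif m := re.fullmatch(r"revision-level (\d+)", cmd):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (\d+)(?: to (\d+))?", cmd):
            inst, lo = int(m.group(1)), int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
                raise ValueError(f"bad VLAN range: {cmd}")
            for v in range(lo, hi + 1):
                mapping[v] = inst  # a later command overrides an earlier one
        else:
            raise ValueError(f"unsupported command: {cmd}")
    return name, revision, mapping


def same_region(cfg_a, cfg_b):
    """Region identity: name, revision and the full mapping must match exactly."""
    return cfg_a == cfg_b


def mapping_differences(cfg_a, cfg_b):
    """VLANs mapped to different instances, to explain an unexpected region split."""
    _, _, map_a = cfg_a
    _, _, map_b = cfg_b
    return [v for v in map_a if map_a[v] != map_b[v]]


def gvrp_conflicts(cfg, gvrp_vlans):
    """VLANs to be advertised by GVRP that are not in instance 0: GVRP packets
    are forwarded along the CIST, so these would not propagate as intended."""
    _, _, mapping = cfg
    return [v for v in gvrp_vlans if mapping[v] != 0]


if __name__ == "__main__":
    # Constructed input: the manual's example on one switch, a near miss on another
    switch_a = parse_region_config([
        "region-name info", "instance 1 vlan 2 to 10",
        "instance 2 vlan 20 to 30", "revision-level 1"])
    switch_b = parse_region_config([
        "region-name info", "instance 1 vlan 2 to 10",
        "instance 2 vlan 20 to 31", "revision-level 1"])
    print("same region:", same_region(switch_a, switch_b))                # False
    print("differs on VLANs:", mapping_differences(switch_a, switch_b))   # [31]
    print("GVRP conflicts:", gvrp_conflicts(switch_a, [5, 15]))           # [5]
```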
Table 124 Configuring an MST Region
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Configure the port(s) as edge port(s) | stp edged-port enable | Required. All Ethernet ports are non-edge ports by default
With BPDU guard disabled, when a port set as an edge port receives a BPDU from
another port, it will become a non-edge port again. In this case, you must reset the
port before you can configure it to be an edge port again.
If a port directly connects to a user terminal, configure it to be an edge port and
enable BPDU guard for it. This enables the port to transition to the forwarding state
while ensuring network security.
Configuration example
1 Configure GigabitEthernet 1/0/1 to be an edge port.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp edged-port enable
Configuring Whether Ports Connect to Point-to-Point Links
A point-to-point link is a link that directly connects two devices. If the two ports across
a point-to-point link are root ports or designated ports, the ports can rapidly transition to
the forwarding state by transmitting synchronization packets.
Configuration procedure
Follow these steps to configure whether a port or a group of ports connect to
point-to-point links:
As for aggregated ports, all ports can be configured as connecting to point-to-point
links. If a port works in auto-negotiation mode and the negotiation result is full
duplex, this port can be configured as connecting to a point-to-point link.
If a port is configured as connecting to a point-to-point link, the setting takes effect
for the port in all MST instances. If the physical link to which the port connects is not
a point-to-point link and you force it to be a point-to-point link by configuration, your
configuration may incur a temporary loop.
Configuration example
1 Configure port GigabitEthernet 1/0/1 as connecting to a point-to-point link.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp point-to-point force-true
Table 135 Configuring Whether Ports Connect to Point-to-Point Links
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Configure whether the port(s) connect to point-to-point links | stp point-to-point { force-true | force-false | auto } | Optional. The default setting is auto; namely, the device automatically detects whether an Ethernet port connects to a point-to-point link
Configuring the MSTP Packet Format for Ports
A port supports two types of MSTP packets:
802.1s-compliant standard format
Compatible format
The default packet format setting is auto, namely, a port recognizes the two MSTP
packet formats automatically. You can configure the MSTP packet format to be used by a
port from the command line. After your configuration, when working in MSTP mode, the
port sends and receives only MSTP packets of the format you have configured.
Configuration procedure
Follow these steps to configure the MSTP packet format for a port or a group of ports:
If the port is configured not to detect the packet format automatically while it works
in MSTP mode, and it receives a packet in a format other than the configured one,
that port will become a designated port, and the port will remain in the discarding
state to prevent the occurrence of a loop.
If a port receives MSTP packets of different formats frequently, this means that the
MSTP packet format configuration contains errors. In this case, if the port is
working in MSTP mode, it will be disabled for protection. Ports closed in this way
can be restored only by the network administrator.
Configuration example
1 Configure port GigabitEthernet 1/0/1 to receive and send standard-format MSTP
packets.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp compliance dot1s
Table 136 Configuring the MSTP Packet Format for Ports
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Configure the MSTP packet format for the port(s) | stp compliance { auto | dot1s | legacy } | Optional. auto by default
Enabling the MSTP Feature
Configuration procedure
Follow these steps to enable the MSTP feature:
You must enable MSTP for the device before any other MSTP-related configuration can
take effect.
Configuration example
1 Enable MSTP for the device and disable MSTP for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] stp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp disable
Table 137 Enabling the MSTP Feature
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Configure the path cost of the port(s) | stp [ instance instance-id ] cost cost | Required. By default, MSTP automatically calculates the path cost of each port
Configuring Leaf Nodes 207
On an MSTP-compliant device, a port can have different priorities in different MST
instances, and the same port can play different roles in different MST instances, so that
data of different VLANs can be propagated along different physical paths, thus
implementing per-VLAN load balancing. You can set port priority values based on the
actual networking requirements.
Configuration procedure
Follow these steps to configure the priority of a port or a group of ports:
When the priority of a port is changed, MSTP will re-compute the role of the port and
initiate a state transition.
Generally, a lower configured priority value indicates a higher priority of the port. If
you configure the same priority value for all the Ethernet ports on a device, the
specific priority of a port depends on the index number of that port. Changing the
priority of an Ethernet port triggers a new spanning tree computing process.
Configuration example
1 Set the priority of port GigabitEthernet 1/0/1 to 16 in MST instance 1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 port priority 16
Configuring Whether Ports Connect to Point-to-Point Links
Refer to Configuring Whether Ports Connect to Point-to-Point Links.
Configuring the MSTP Packet Format for Ports
Refer to Configuring the MSTP Packet Format for Ports.
Enabling the MSTP Feature
Refer to Enabling the MSTP Feature.
Table 142 Configuring Port Priority
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Configure port priority | stp [ instance instance-id ] port priority priority | Optional. 128 for all Ethernet ports by default
Performing mCheck
Ports on an MSTP-compliant device have three working modes: STP-compatible mode,
RSTP mode, and MSTP mode.
In a switched network, if a port on a device running MSTP (or RSTP) connects to a
device running STP, this port will automatically migrate to the STP-compatible mode.
However, if the device running STP is removed, this port will not be able to migrate
automatically to the MSTP (or RSTP) mode, but will remain working in the
STP-compatible mode. In this case, you can perform an mCheck operation to force the
port to migrate to the MSTP (or RSTP) mode.
You can perform mCheck on a port through two approaches, which lead to the same
result.
Configuration prerequisites
MSTP has been correctly configured on the device.
Performing mCheck globally
Follow these steps to perform mCheck:
Performing mCheck in Ethernet port view
Follow these steps to perform mCheck in Ethernet port view:
CAUTION: The stp mcheck command is meaningful only when the device works in
the MSTP (or RSTP) mode, not in the STP-compatible mode.
Configuration example
1 Perform mCheck on port GigabitEthernet 1/0/1.
a Method 1: Perform mCheck globally.
<3Com> system-view
[3Com] stp mcheck
b Method 2: Perform mCheck in Ethernet port view.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp mcheck
Table 143 Performing mCheck globally
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Enable the root guard function for the port(s) | stp root-protection | Required. Disabled by default
Table 147 Enabling Loop Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view or port group view: enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter Ethernet port view or port group view: enter port group view | port-group { manual port-group-name | aggregation agg-id } | (same as above)
Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default
Configuration example
1 Enable the loop guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp loop-protection
Enabling TC-BPDU Attack Guard
Configuration procedure
Follow these steps to enable TC-BPDU attack guard:
We recommend that this function not be disabled.
Configuration example
1 Enable the TC-BPDU attack guard function.
<3Com> system-view
[3Com] stp tc-protection enable
Displaying and Maintaining MSTP
MSTP Configuration Example
Network requirements
Configure MSTP so that packets of different VLANs are forwarded along different
spanning trees. The specific configuration requirements are as follows:
All devices on the network are in the same MST region.
Packets of VLAN 10 are forwarded along MST instance 1, those of VLAN 30 are
forwarded along MST instance 3, those of VLAN 40 are forwarded along MST
instance 4, and those of VLAN 20 are forwarded along MST instance 0.
Switch A and Switch B are convergence layer devices, while Switch C and Switch D
are access layer devices. VLAN 10 and VLAN 30 are terminated on the convergence
layer devices, and VLAN 40 is terminated on the access layer devices, so the root
bridges of MST instance 1 and MST instance 3 are Switch A and Switch B respectively,
while the root bridge of MST instance 4 is Switch C.
Table 148 Enabling TC-BPDU Attack Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Configure an IPv6 aggregatable global unicast address or site-local address: manually assign an IPv6 address | ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } | Alternative. By default, no site-local address or aggregatable global unicast address is configured for an interface. Note that the prefix length specified by the prefix-length argument cannot be greater than 64.
Configure an IPv6 aggregatable global unicast address or site-local address: adopt the EUI-64 format to form an IPv6 address | ipv6 address ipv6-address/prefix-length eui-64 | (same as above)
Configure an IPv6 link-local address: automatically generate a link-local address | ipv6 address auto link-local | Optional. By default, after an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address will be generated automatically.
Configure an IPv6 link-local address: manually assign a link-local address for an interface | ipv6 address ipv6-address link-local | (same as above)
Table 165 Configuring a static neighbor entry
To... | Use the command... | Remarks
Enter system view | system-view | -
Configure a static neighbor entry | ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } | Required
244 CHAPTER 23: CONFIGURING IPV6
Configuring the Maximum Number of Neighbors Dynamically Learned
The device can dynamically acquire the link-layer address of a neighbor node through NS
and NA messages. A neighbor table that grows too large through dynamically acquired
entries may degrade the forwarding performance of the device. Therefore, you can
restrict the size of the neighbor table by setting the maximum number of neighbors
that an interface can dynamically learn. When the number of dynamically learned
neighbors reaches the threshold, the interface will stop learning neighbor information.
Follow the steps in Table 166 to configure the maximum number of neighbors
dynamically learned.
Configuring Parameters Related to an RA Message
You can configure whether the interface sends an RA message, the interval for sending
RA messages, and parameters in RA messages. After receiving an RA message, a host can
use these parameters to perform corresponding operations. Table 167 lists the
configurable parameters in an RA message and their descriptions.
Table 166 Configuring the maximum number of neighbors dynamically learned
To | Use the command | Remarks
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Configure the maximum number of neighbors dynamically learned by an interface | ipv6 neighbors max-learning-num number | Optional. The default value is 1024
Table 167 Parameters in an RA message and their descriptions
Parameters | Description
Cur hop limit | When sending an IPv6 packet, a host uses the value of this parameter to fill the Hop Limit field in IPv6 headers. Meanwhile, the value of this parameter is equal to the value of the Cur Hop Limit field in response messages of the device.
Prefix information options | After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration operations.
M flag | This field determines whether hosts use stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use stateful autoconfiguration to acquire IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire IPv6 addresses, that is, hosts configure IPv6 addresses according to their own link-layer addresses and the prefix information issued by the router.
O flag | This field determines whether hosts use stateful autoconfiguration to acquire information other than IPv6 addresses. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, a DHCP server) to acquire information other than IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire information other than IPv6 addresses.
The values of the retrans timer field and the reachable time field configured for an
interface are sent to hosts via RA messages. Furthermore, the interface sends NS
messages at intervals of the value of the retrans timer field and considers a neighbor
reachable in the time of the value of the reachable time field.
Follow the steps in Table 168 to configure parameters related to an RA message:
Table 167 (continued) Parameters in an RA message and their descriptions
Router lifetime | This field is used to set the lifetime of the router that sends RA messages to serve as the default router of hosts. According to the router lifetime in the received RA messages, hosts determine whether the router sending RA messages can serve as their default router.
Retrans timer | If a node fails to receive a response message within the specified time after sending an NS message, the node will retransmit it.
Reachable time | After neighbor unreachability detection shows that a neighbor is reachable, a node considers the neighbor reachable within the reachable time. If the node needs to send a packet to the neighbor after the reachable time expires, the node will again confirm whether the neighbor is reachable.
Table 168 Configuring parameters related to an RA message
To | Use the command | Remarks
Enter system view | system-view | -
Configure the current hop limit | ipv6 nd hop-limit value | Optional. 64 by default.
Enter interface view | interface interface-type interface-number | -
Disable the RA message suppression | undo ipv6 nd ra halt | Optional. By default, RA messages are suppressed.
Configure the interval for sending RA messages | ipv6 nd ra interval max-interval-value min-interval-value | Optional. The device issues RA messages at intervals of a random value between the maximum interval and the minimum interval. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
Configure the prefix information options in RA messages | ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ]* | Optional. By default, no prefix information is configured in RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information.
Set the M flag to 1 | ipv6 nd autoconfig managed-address-flag | Optional. By default, the M flag bit is set to 0, that is, hosts acquire IPv6 addresses through stateless autoconfiguration.
Caution: The maximum interval for sending RA messages should be less than or equal to
the router lifetime in RA messages.
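The Table 167 parameters travel in the fixed part of an ICMPv6 Router Advertisement, and the Caution above is a consistency rule between two of the Table 168 settings. The following is an added example, not 3Com code: it packs and decodes that fixed header (layout per RFC 4861 section 4.2, which is an assumption beyond this manual), derives what a host does with the M flag, O flag and router lifetime, and checks the interval rule; defaults are the manual's (hop limit 64, lifetime 1,800 s, RA interval 600/200 s, M = O = 0).

```python
"""Added example (not the 3Com code): build and interpret the fixed part of an
ICMPv6 Router Advertisement using the Table 167 parameters, and check the
Caution that the maximum RA interval must not exceed the router lifetime.
Header layout follows RFC 4861 section 4.2 (assumed, not stated in the manual).
"""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
M_FLAG = 0x80  # Managed address configuration flag
O_FLAG = 0x40  # Other configuration flag
# type, code, checksum, cur hop limit, flags, router lifetime (s),
# reachable time (ms), retrans timer (ms)
RA_HEADER = struct.Struct("!BBHBBHII")


def build_ra(cur_hop_limit=64, managed=False, other=False, router_lifetime=1800,
             reachable_time_ms=0, retrans_timer_ms=0):
    """Return the 16-byte RA header; checksum is left 0 for the IPv6 stack to fill."""
    if not 0 <= cur_hop_limit <= 255 or not 0 <= router_lifetime <= 0xFFFF:
        raise ValueError("field out of range")
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, cur_hop_limit, flags,
                          router_lifetime, reachable_time_ms, retrans_timer_ms)


def parse_ra(data):
    """Decode the fixed RA header into the Table 167 parameters."""
    if len(data) < RA_HEADER.size:
        raise ValueError("truncated RA")
    typ, code, _cksum, hop, flags, lifetime, reach, retrans = RA_HEADER.unpack_from(data)
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "cur_hop_limit": hop,
        "m_flag": bool(flags & M_FLAG),
        "o_flag": bool(flags & O_FLAG),
        "router_lifetime": lifetime,
        "reachable_time_ms": reach,
        "retrans_timer_ms": retrans,
    }


def host_decisions(ra):
    """What a host does with the flags and lifetime, per Table 167."""
    return {
        "address_config": "stateful" if ra["m_flag"] else "stateless",
        "other_config": "stateful" if ra["o_flag"] else "stateless",
        # A lifetime of 0 means the sender does not serve as a default router
        "default_router": ra["router_lifetime"] > 0,
        "hop_limit_for_sent_packets": ra["cur_hop_limit"],
    }


def ra_interval_consistent(max_interval_s, min_interval_s, router_lifetime_s):
    """The Caution: max interval <= router lifetime, so a host's default-router
    entry cannot expire before the next RA is due; min <= max is assumed from
    the ipv6 nd ra interval command taking a maximum and a minimum."""
    return 0 < min_interval_s <= max_interval_s <= router_lifetime_s


if __name__ == "__main__":
    # Constructed RA with the M flag set, everything else at the manual's defaults
    ra = parse_ra(build_ra(managed=True))
    print(host_decisions(ra))                    # address_config: stateful
    print(ra_interval_consistent(600, 200, 1800))  # True (defaults are consistent)
```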
Configuring the Attempts to Send an NS Message for Duplicate Address Detection
The device sends a neighbor solicitation (NS) message for duplicate address detection. If
the device does not receive a response within a specified time (set by the ipv6 nd ns
retrans-timer value command), the device sends another NS message. If the device
still does not receive a response after the number of attempts to send an NS message
reaches the maximum, the device judges that the acquired address is available.
Follow the steps in Table 169 to configure the attempts to send an NS message for
duplicate address detection:
Configuring PMTU Discovery
Configuring a Static PMTU for a Specified IPv6 Address
You can configure a static PMTU for a specified IPv6 address. When forwarding packets,
an interface compares the MTU of the interface with the static PMTU of the specified
destination IPv6 address, and uses the smaller one to fragment packets.
Table 168 (continued) Configuring parameters related to an RA message
Set the O flag bit to 1 | ipv6 nd autoconfig other-flag | Optional. By default, the O flag bit is set to 0, that is, hosts acquire other information through stateless autoconfiguration.
Configure the router lifetime in RA messages | ipv6 nd ra router-lifetime value | Optional. 1,800 seconds by default.
Set the retrans timer | ipv6 nd ns retrans-timer value | Optional. By default, the local interface sends NS messages at intervals of 1,000 milliseconds and the Retrans Timer field in RA messages sent by the local interface is equal to 0.
Set the reachable time | ipv6 nd nud reachable-time value | Optional. By default, the neighbor reachable time on the local interface is 30,000 milliseconds and the Reachable Timer field in RA messages is 0.
Table 169 Configuring the attempts to send an NS message for duplicate address detection
To | Use the command | Remarks
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Configure the attempts to send an NS message for duplicate address detection | ipv6 nd dad attempts value | Optional. 1 by default. When the value argument is set to 0, duplicate address detection is disabled.
Follow the steps in Table 170 to configure a static PMTU for a specified address:
Configuring the Aging Time for PMTU
After the MTU of the path from the source host to the destination host is dynamically
determined, the source host uses this MTU to send subsequent packets to the
destination host. After the aging time expires, the dynamically determined PMTU is
deleted and the source host re-determines the MTU to send packets according to the
PMTU mechanism.
The aging time does not apply to a static PMTU.
Follow the steps in Table 171 to configure the aging time for PMTU:
Configuring IPv6 TCP Properties
The IPv6 TCP properties you can configure include:
synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no
response packet is received before the synwait timer expires, the IPv6 TCP connection
establishment fails.
finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer
is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP
connection is terminated. If FIN packets are received, the IPv6 TCP connection status
becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the
last packet and the connection is terminated after the finwait timer expires.
Size of the IPv6 TCP buffer.
Follow the steps in Table 172 to configure IPv6 TCP properties:
Table 170 Configuring a static PMTU for a specified address
To | Use the command | Remarks
Enter system view | system-view | -
Configure a static PMTU for a specified IPv6 address | ipv6 pathmtu ipv6-address [ value ] | Required. By default, no static PMTU is configured.
Table 171 Configuring the aging time for PMTU
To | Use the command | Remarks
Enter system view | system-view | -
Configure the aging time for PMTU | ipv6 pathmtu age age-time | Optional. 10 minutes by default.
Table 172 Configuring IPv6 TCP properties
To | Use the command | Remarks
Enter system view | system-view | -
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time
If too many IPv6 ICMP error packets are sent within a short time in a network, network
congestion may occur. To avoid network congestion, you can control the maximum
number of IPv6 ICMP error packets sent within a specified time. Currently, the token
bucket algorithm is adopted.
You can set the capacity of a token bucket, namely, the number of tokens in the bucket.
In addition, you can set the update period of the token bucket, namely, the interval for
resetting the number of tokens in the token bucket to the configured capacity. One
token allows one IPv6 ICMP error packet to be sent. Each time an IPv6 ICMP error packet
is sent, the number of tokens in the token bucket decreases by 1. If the number of IPv6
ICMP error packets sent in succession exceeds the capacity of the token bucket, the
subsequent IPv6 ICMP error packets cannot be sent until the number of tokens in the
token bucket is updated and new tokens are added to the bucket.
Follow the steps in Table 173 to configure the maximum number of IPv6 ICMP error
packets sent within a specified time period:
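The token-bucket behaviour described above can be simulated to see how many error packets a burst actually produces under a given bucket size and update period. The following is an added example, not 3Com code; the trigger timestamps are constructed, and the defaults (10 tokens, 100 ms) are the ones the manual states.

```python
"""Added example (not the 3Com code): simulate the token-bucket limiter the
manual describes for IPv6 ICMP error packets (ipv6 icmp-error { bucket
bucket-size | ratelimit interval }*). Each sent error packet consumes one
token; an empty bucket drops further error packets until the next update,
which sets the count back to the capacity. Time is passed in as milliseconds
so the simulation runs offline and deterministically.
"""


class Icmp6ErrorLimiter:
    def __init__(self, bucket_size=10, ratelimit_ms=100):
        if bucket_size < 1 or ratelimit_ms < 1:
            raise ValueError("bucket size and update period must be positive")
        self.bucket_size = bucket_size    # capacity of the bucket
        self.ratelimit_ms = ratelimit_ms  # update period
        self.tokens = bucket_size         # the bucket starts full
        self.last_update_ms = 0
        self.sent = 0
        self.dropped = 0

    def _update(self, now_ms):
        """Periodic update: at each period boundary the token count is set back
        to the capacity (reset, not incremented, so unused tokens do not bank)."""
        if now_ms < self.last_update_ms:
            raise ValueError("time must not go backwards")
        periods = (now_ms - self.last_update_ms) // self.ratelimit_ms
        if periods:
            self.tokens = self.bucket_size
            self.last_update_ms += periods * self.ratelimit_ms

    def try_send(self, now_ms):
        """Decide whether an IPv6 ICMP error packet may be sent at time now_ms."""
        self._update(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.dropped += 1
        return False


def count_sent(trigger_times_ms, bucket_size=10, ratelimit_ms=100):
    """Number of error packets actually emitted for triggers (for example one
    Destination Unreachable per dropped packet) at the given times."""
    lim = Icmp6ErrorLimiter(bucket_size, ratelimit_ms)
    return sum(1 for t in sorted(trigger_times_ms) if lim.try_send(t))


if __name__ == "__main__":
    # Constructed input: 50 triggers one millisecond apart, then 50 spread evenly
    burst = list(range(50))
    print("burst of 50 in 50 ms ->", count_sent(burst), "sent")       # 10
    trickle = list(range(0, 500, 10))
    print("50 spread over 500 ms ->", count_sent(trickle), "sent")    # 50
```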
Configuring IPv6 DNS
Configuring Static IPv6 DNS
You can establish the mapping between a host name and an IPv6 address through the
following configuration. You can directly use a host name in applications such as telnet,
and the system will resolve the host name into an IPv6 address. Each host name can
correspond to eight IPv6 addresses at most.
Table 172 (continued) Configuring IPv6 TCP properties
Set the finwait timer of IPv6 TCP packets | tcp ipv6 timer fin-timeout wait-time | Optional. 675 seconds by default
Set the synwait timer of IPv6 TCP packets | tcp ipv6 timer syn-timeout wait-time | Optional. 75 seconds by default
Set the size of the IPv6 TCP buffer | tcp ipv6 window size | Optional. 8 kB by default
Table 172 Configuring IPv6 TCP properties
To Use the command Remarks
Table 173 Configuring the maximum number of IPv6 ICMP error packets sent within a specified time period
To: Use the command (Remarks)
Enter system view: system-view
Configure the capacity of the token bucket controlling the number of IPv6 ICMP error packets sent within a specified time, as well as the update period: ipv6 icmp-error { bucket bucket-size | ratelimit interval }* (Optional; by default, the capacity of a token bucket is 10 and the update period is 100 milliseconds, that is, at most 10 IPv6 ICMP error packets can be sent within 100 milliseconds)
Follow the steps in Table 174 to configure a host name and the corresponding IPv6
address:
Configuring Dynamic IPv6 DNS
If you want to use the dynamic domain name function, you can use the following command to enable dynamic domain name resolution. In addition, you should configure a DNS server so that query requests are sent to the correct server for resolution. The system supports at most six DNS servers.
You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically appends the preset suffix for address resolution. The system supports at most 10 domain name suffixes.
Follow the steps in Table 175 to configure dynamic IPv6 DNS:
The dns resolve and dns domain commands are the same as those of IPv4 DNS.
Displaying and Maintaining IPv6
Use the commands in Table 176 to display and maintain IPv6 information.
Table 174 Configuring a host name and the corresponding IPv6 address
To: Use the command (Remarks)
Enter system view: system-view
Configure a host name and the corresponding IPv6 address: ipv6 host hostname ipv6-address (Required)
Table 175 Configuring dynamic IPv6 DNS
To: Use the command (Remarks)
Enter system view: system-view
Enable the dynamic domain name resolution function: dns resolve (Required; disabled by default)
Configure an IPv6 DNS server: dns server ipv6 ipv6-address [ interface-type interface-number ] (Required)
Configure the domain suffix: dns domain domain-name (Required; by default, no domain name suffix is configured, that is, the domain name is resolved according to the input information)
Table 176 Displaying and maintaining IPv6 information
To: Use the command (Remarks)
Display DNS domain name suffix information: display dns domain [ dynamic ] (Any view)
Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host (Any view)
Display DNS server information: display dns server [ dynamic ] (Any view)
Display the FIB entries: display ipv6 fib [ ipv6-address ] (Any view)
Display the mapping between host name and IPv6 address: display ipv6 host (Any view)
The display dns domain and display dns server commands are the same as those of IPv4 DNS. For details about the commands, refer to the DNS module.
IPv6 Configuration Example
Network requirements
Two switches are directly connected through two GigabitEthernet ports. The
GigabitEthernet ports belong to VLAN1. Different types of IPv6 addresses are configured
for the VLAN 1 interface to verify the connectivity between two switches. The
aggregatable global unicast address of Switch A is 3001::1/64, and the aggregatable
global unicast address of Switch B is 3001::2/64.
Table 176 Displaying and maintaining IPv6 information (continued)
To: Use the command (Remarks)
Display the brief IPv6 information of an interface: display ipv6 interface [ interface-type interface-number | brief ] (Any view)
Display neighbor information: display ipv6 neighbors [ ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id ] [ | { begin | exclude | include } text ] (Any view)
Display the total number of neighbor entries satisfying the specified conditions: display ipv6 neighbors { all | dynamic | static | interface interface-type interface-number | vlan vlan-id } count (Any view)
Display the PMTU information of an IPv6 address: display ipv6 pathmtu { ipv6-address | all | dynamic | static } (Any view)
Display information related to a specified socket: display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] (Any view)
Display the statistics of IPv6 packets and IPv6 ICMP packets: display ipv6 statistics (Any view)
Display the statistics of IPv6 TCP packets: display tcp ipv6 statistics (Any view)
Display the IPv6 TCP connection status: display tcp ipv6 status (Any view)
Display the statistics of IPv6 UDP packets: display udp ipv6 statistics (Any view)
Clear IPv6 dynamic domain name cache information: reset dns ipv6 dynamic-host (In user view)
Clear IPv6 neighbor information: reset ipv6 neighbors [ all | dynamic | interface interface-type interface-number | static ] (In user view)
Clear the corresponding PMTU: reset ipv6 pathmtu { all | static | dynamic } (In user view)
Clear the statistics of IPv6 packets: reset ipv6 statistics (In user view)
Clear the statistics of all IPv6 TCP packets: reset tcp ipv6 statistics (In user view)
Clear the statistics of all IPv6 UDP packets: reset udp ipv6 statistics (In user view)
Network diagram
Figure 70 Network diagram for IPv6 address configuration
Configuration procedure
1 Configure Switch A.
# Enable the IPv6 packet forwarding function on Switch A.
<SwitchA> system-view
[SwitchA] ipv6
# Configure an automatically generated link-local address for the VLAN 1 interface.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipv6 address auto link-local
# Configure an aggregatable global unicast address for the VLAN 1 interface.
[SwitchA-Vlan-interface1] ipv6 address 3001::1/64
2 Configure Switch B.
# Enable the IPv6 packet forwarding function.
<SwitchB> system-view
[SwitchB] ipv6
# Configure an automatically generated link-local address for the VLAN 1 interface.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipv6 address auto link-local
# Configure an aggregatable global unicast address for the VLAN 1 interface.
[SwitchB-Vlan-interface1] ipv6 address 3001::2/64
Verification
# Display the brief IPv6 information of an interface on Switch A.
<SwitchA> display ipv6 interface vlan-interface 1
Vlan-interface1 current state : UP
Line protocol current state : UP
IPv6 is enabled, link-local address is FE80::7D6C:0:5C0C:1
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF0C:1
    FF02::1:FF00:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
<SwitchB> display ipv6 interface vlan-interface 1
Vlan-interface1 current state : UP
Line protocol current state : UP
IPv6 is enabled, link-local address is FE80::E525:0:F01D:1
  Global unicast address(es):
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FF1D:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# On Switch A, ping the link-local address and the aggregatable global unicast address of Switch B. If the configurations are correct, both types of IPv6 addresses can be pinged.
Caution: When you ping a link-local address, you must use the -i parameter to specify the interface, because a link-local address is only meaningful on one link.
<SwitchA> ping ipv6 FE80::E525:0:F01D:1 -i vlan-interface 1
PING FE80::E525:0:F01D:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=1 hop limit=255 time = 80 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=2 hop limit=255 time = 60 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- FE80::E525:0:F01D:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/66/80 ms
<SwitchA> ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
bytes=56 Sequence=1 hop limit=255 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=2 hop limit=255 time = 60 ms
Reply from 3001::2
bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from 3001::2
bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from 3001::2
bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- 3001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/60/70 ms
24 CONFIGURING IPV6 APPLICATIONS
Introduction to IPv6 Application
IPv6 has become widely used as it has developed over time. Most IPv6 applications are the same as their IPv4 counterparts, including:
Ping
Traceroute
FTP
TFTP
Telnet
Ping IPv6
To ping IPv6, use the following command (which is available in any view):
ping ipv6 [ -a source-ipv6-address | -c echonum | -m interval | -s bytenum | -t timeout ]* { destination-ipv6-address | hostname } [ -i interface-type interface-number ]
Caution: You must specify the -i parameter when the destination address is a link-local address or a multicast address.
Traceroute IPv6
Traceroute IPv6 is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of trouble.
Figure 71 Traceroute process
As Figure 71 shows, the traceroute process is as follows:
The source sends an IP datagram with the TTL (Hop Limit in IPv6) set to 1. The UDP port number of the carried UDP packet is a port number that is not used by any application on the destination.
[Figure 71 labels: RTA sends probes toward RTD through RTB and RTC with Hop Limit = 1, Hop Limit = 2, ..., Hop Limit = n; RTB and RTC answer "TTL exceeded", and RTD answers "UDP port unreachable".]
If the first device receiving the datagram reads the TTL as 1, it discards the packet and returns an ICMP timeout error message. Thus, the source obtains the address of the first device on the route.
The source then sends a datagram with the TTL set to 2, and the second-hop device returns an ICMP timeout error message, so the source obtains the address of the second device on the route.
This process continues until the datagram reaches the destination host. As no application is using the UDP port, the destination returns a "port unreachable" ICMP error message.
When the source receives the "port unreachable" ICMP error message, it knows that the packet has reached the destination, and thus it has determined the route of the packet from source to destination.
To traceroute IPv6, issue the following command (which is available in any view):
tracert ipv6 [ -f first-hop-limit | -m max-hop-limit | -p port-number | -q probenum | -w wait-time ]* { ipv6-address | hostname }
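The exchange just described, as an added Python simulation that is not code from the manual or from the switch. It assumes a constructed two-router path to a destination and a constructed set of listening ports; it also shows the failure mode the troubleshooting section of this chapter raises, namely a probe port that an application on the destination happens to be listening on, in which case no ICMP error comes back and the trace stalls.

```python
"""Simulation of the hop-limit / ICMP exchange behind traceroute (added example).

Each probe is a UDP datagram with an increasing Hop Limit.  A router that
decrements the Hop Limit to zero answers "time exceeded"; the destination
answers "port unreachable" because nothing listens on the probe port.
"""

from dataclasses import dataclass

UNUSED_PORT = 33434  # assumption: a port no application on the destination uses


@dataclass
class Probe:
    hop_limit: int
    dst: str
    dport: int


# Constructed topology: routers on the path, in order, then the destination.
PATH = ["3003::1", "3002::1"]
DESTINATION = "3001::2"
# Constructed: the destination listens on Telnet only.
LISTENING_PORTS = {DESTINATION: {23}}


def forward(probe):
    """Forward one probe along PATH; return (responder, message)."""
    for router in PATH:
        probe.hop_limit -= 1
        if probe.hop_limit == 0:
            # Router discards the packet and reports back to the source.
            return router, "time exceeded"
    # The datagram reached the destination host.
    if probe.dport in LISTENING_PORTS.get(probe.dst, set()):
        # An application consumed the probe: no ICMP error is generated and
        # the source only sees a timeout (shown as "*" by traceroute tools).
        return "*", "no reply"
    return probe.dst, "port unreachable"


def traceroute(dst, max_hops=30, dport=UNUSED_PORT):
    """Return [(hop_limit, responder, message), ...] until the destination answers."""
    hops = []
    for hop_limit in range(1, max_hops + 1):
        responder, msg = forward(Probe(hop_limit, dst, dport))
        hops.append((hop_limit, responder, msg))
        if msg == "port unreachable":
            break  # the destination has been reached; the route is known
    return hops


if __name__ == "__main__":
    for hop in traceroute(DESTINATION):
        print(hop)
    # A probe port that is in use on the destination yields no ICMP error:
    for hop in traceroute(DESTINATION, max_hops=5, dport=23):
        print(hop)
```

The first run lists both routers and then the destination; the second never terminates early and fills the remaining hops with "*", which is exactly the symptom that makes the troubleshooting section suggest choosing an unreachable UDP port with the -p parameter of tracert ipv6.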
FTP Configuration
IPv6 supports File Transfer Protocol (FTP) applications. You can log in to the switch (serving as an FTP client) by running a terminal emulation program on your PC or by using Telnet. Then you can use the ftp command to connect the switch to a remote FTP server and access the files on that server.
Configuration Prerequisites
The FTP server is started, with the related parameters, such as username, password, and user rights, configured. Refer to the File System Management module for detailed procedures.
FTP Configuration
You can perform the following configuration task on an authorized directory when the device serves as an FTP client.
Caution: Make sure you use the -i keyword to specify the interface for a link-local address.
TFTP Configuration
IPv6 supports TFTP (Trivial File Transfer Protocol). As a client, the device can download files from or upload files to a TFTP server.
Configuration Preparation
Start the TFTP server and specify the route used to download or upload files. Refer to the TFTP server configuration specifications for specific instructions.
Table 177 Configure FTP
To: Use the command (Remarks)
Establish a control connection with a remote FTP server: ftp ipv6 [ [ { ipv6-address | hostname } [ port-number ] ] [ -a source-ipv6 ] [ -i interface-type interface-number ] ] (Required; use this command in user view)
TFTP Configuration
Manage users' access to TFTP servers
Follow the steps in Table 178 to configure the ACL for the TFTP application.
Download files
Follow the steps in Table 179 to download files from TFTP servers.
Caution: Make sure to specify the -i parameter when the destination address is a link-local address.
Upload files
Follow these steps to upload files to TFTP servers:
To do: Use the command (Remarks)
Upload files to TFTP servers: tftp ipv6 { tftp-server-ipv6-address | hostname } [ -i interface-type interface-number ] put source-filename [ destination-filename ] (Required; available in user view)
Caution: Make sure to specify the -i parameter when the destination address is a link-local address.
IPv6 Telnet
The Telnet protocol belongs to the application layer of the TCP/IP protocol suite and is used to provide remote login and virtual terminals. The device can be used either as a Telnet client or as a Telnet server.
As the following figure shows, the Host runs an IPv6 Telnet client application to set up an IPv6 Telnet connection with Device A, which serves as the Telnet server. If Device A in turn connects to Device B through Telnet, Device A is the Telnet client and Device B is the Telnet server.
Table 178 Configuring the ACL for the TFTP application
To: Use the command (Remarks)
Enter system view: system-view
Configure the ACL for the TFTP application to enable or disable access to a specific TFTP server: tftp-server ipv6 acl acl-number (Required; by default, no ACL is associated with the TFTP application)
Table 179 Downloading files from a TFTP server
To: Use the command (Remarks)
Download files from a TFTP server: tftp ipv6 { ipv6-address | hostname } [ -i interface-type interface-number ] get source-filename [ destination-filename ] (Required; available in user view)
Figure 72 Providing Telnet services
Configuration Prerequisites
Telnet has three kinds of authentication: none, password and scheme, with password as the default. Refer to the Login module for specific instructions.
Setting up IPv6 Telnet Connections
Follow these steps to set up IPv6 Telnet connections:
To do: Use the command (Remarks)
Run the telnet command at the Telnet client to log in to and manage other devices: telnet ipv6 { ipv6-address | hostname } [ -i interface-type interface-name ] [ port-number ] (Required; available in user view)
Caution: Make sure you specify the -i parameter when the destination address is a link-local address.
Displaying and Maintaining IPv6 Telnet
Follow these steps to display and debug IPv6 Telnet:
To do: Use the command (Remarks)
Display the usage information of the user interfaces: display users [ all ] (Available in any view)
Examples of Typical IPv6 Application Configurations
Network requirements
In Figure 73, SWA, SWB and SWC represent three switches in the public domain. In the same LAN, there are a Telnet server and a TFTP server, providing Telnet service and TFTP service to the switches respectively.
Network diagram
Figure 73 IPv6 application network diagram
Configuration procedure
Configure the IPv6 addresses on the interfaces of the switches and the servers, and make sure the route between the switch and the server is reachable, before performing the following configuration.
# Ping SWB's IPv6 address from SWA.
<SWA> ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1
bytes=56 Sequence=1 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=2 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=3 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=4 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=5 hop limit=255 time = 2 ms
--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
# Trace the IPv6 route from SWA to SWC.
<SWA> tracert ipv6 3002::1
traceroute to 3002::1 30 hops max, 60 bytes packet
1 3003::1 30 ms 0 ms 0 ms
2 3002::1 10 ms 10 ms 0 ms
# SWC downloads a file from TFTP server 3001::3.
<SWC> tftp ipv6 3001::3 get filetoget flash:/filegothere
Transfer file in binary mode.
[Figure 73 labels: Telnet_Server 3001::2, TFTP_Server 3001::3, SWA, SWB, SWC; interface addresses 3001::4/64, 3002::1/64, 3002::2/64, 3003::1/64, 3003::2/64.]
Now begin to download file from remote tftp server, please wait for a while...
TFTP: 11369 bytes received in 1 seconds.
File downloaded successfully.
# Connect to Telnet server 3001::2.
<SWA> telnet ipv6 3001::2
Trying 3001::2...
Press CTRL+K to abort
Connected to 3001::2 ...
Telnet Server>
# Set up a Telnet connection from SWA to SWC.
<SWA> telnet ipv6 3002::1
Trying 3002::1 ...
Press CTRL+K to abort
Connected to 3002::1 ...
*********************************************************************
* Copyright (c) 2007-2008 3Com Corporation.                         *
* Without the owner's prior written consent,                        *
* no decompiling or reverse-engineering shall be allowed.           *
*********************************************************************
<SWC>
Troubleshooting IPv6 Application
Unable to Ping a Remote Destination
Symptom
Unable to ping a remote destination; an error message is returned.
Solution
Use the display ipv6 interface command to determine whether the interfaces of the source and the destination, and the link-layer protocol between them, are in the up state.
Use the display current-configuration command to check whether the IPv6 forwarding function is enabled. If not, enable it with the ipv6 command.
Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
Use the debugging ipv6 icmpv6 command to enable ICMPv6 debugging and check the request and response packets.
Unable to Run Traceroute
Symptom
Unable to trace the route by performing Traceroute operations.
Solution
Determine whether you can ping the destination host.
If yes, check whether an application on the destination host is using the UDP port that Traceroute sends to. If so, specify a UDP port that is unreachable in the tracert ipv6 command.
Use the debugging udp ipv6 packet command to enable UDP packet debugging for sent and received UDP packets.
Use the debugging ipv6 icmpv6 command to check the ICMPv6 packets received from the different devices.
Unable to Run TFTP
Symptom
Unable to download or upload files by performing TFTP operations.
Solution
Determine that the ACL configured for the TFTP server does not block the connection to the TFTP server.
Determine that the file system of the device is usable. You can check it by running the dir command in user view.
Use the debugging udp ipv6 packet command in user view to enable UDP packet debugging for sent and received UDP packets.
Unable to Run Telnet
Symptom
Unable to log in to the Telnet server by performing Telnet operations.
Solution
Determine that the Telnet server application is running on the server. Check that the configuration allows the server to be reached.
Run the debugging telnet command in user view to debug Telnet.
Run the debugging tcp ipv6 packet command in user view to check the packet information.
25 STATIC ROUTING CONFIGURATION
A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. To improve readability, this will not be described in the present manual again.
Introduction
Static Routing
A static route is a special route that is manually configured by the network administrator. If a network is relatively simple, you only need to configure static routes for the network to work normally. The proper configuration and usage of static routes can improve a network's performance and ensure bandwidth for important network applications.
The disadvantage of static routing is that, if a fault or a topological change occurs in the network, the route becomes unreachable and the network breaks. In this case, the network administrator has to modify the configuration manually.
Default Routes
A default route is another special route, generated either from a static route or from a dynamic routing protocol such as OSPF or IS-IS.
Generally, a router selects the default route only when it cannot find any matching entry
in the routing table. In a routing table, the default route is in the form of the route to the
network 0.0.0.0 (with the mask 0.0.0.0). You can check whether a default route has
been configured by running the display ip routing-table command.
If the destination address of a packet fails to match any entry in the routing table, the
router selects the default route to forward the packet. If there is no default route and the
destination address of the packet is not in the routing table, the packet will be discarded
and an ICMP packet is sent to the source reporting that the destination or the network is
unreachable.
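The lookup behaviour described above (most specific match first, the all-zero default route as the fallback, and a drop with an ICMP unreachable report when neither exists), as an added Python example that is not the switch's own forwarding code. The routing table is constructed, modelled on the Switch A table in the static routing example later in this chapter, so the values are this chapter's, not data from a live device.

```python
"""Longest-prefix-match lookup with default-route fallback (added example).

Routes are (destination/mask, protocol, preference, next hop, interface).
The table below is constructed after the Switch A example in this chapter.
"""

import ipaddress

ROUTES = [
    ("0.0.0.0/0",  "Static", 60, "1.1.4.2",   "Vlan100"),  # default route
    ("1.1.1.0/24", "Direct",  0, "1.1.1.1",   "Vlan200"),
    ("1.1.1.1/32", "Direct",  0, "127.0.0.1", "InLoop0"),  # local address
    ("1.1.4.0/30", "Direct",  0, "1.1.4.1",   "Vlan100"),
    ("1.1.4.1/32", "Direct",  0, "127.0.0.1", "InLoop0"),  # local address
]


def build_table(routes):
    """Parse the textual prefixes once so lookups can use ipaddress membership tests."""
    return [(ipaddress.ip_network(dst), proto, pref, nh, ifc)
            for dst, proto, pref, nh, ifc in routes]


def lookup(table, dst_ip):
    """Return the best matching route tuple for dst_ip, or None.

    Most specific (longest) prefix wins; among equal prefix lengths the lower
    preference value wins, as on the switch.  The /0 default route matches
    everything, so it is chosen only when nothing more specific matches.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for route in table:
        net, _proto, pref, _nh, _ifc = route
        if addr not in net:
            continue
        if best is None:
            best = route
        elif net.prefixlen > best[0].prefixlen:
            best = route
        elif net.prefixlen == best[0].prefixlen and pref < best[2]:
            best = route
    return best


def forward_decision(table, dst_ip):
    """Describe what the forwarding plane does with a packet to dst_ip."""
    route = lookup(table, dst_ip)
    if route is None:
        # No entry and no default route: discard and report to the sender.
        return "drop: send ICMP destination unreachable to the source"
    _net, _proto, _pref, next_hop, iface = route
    return f"forward via {next_hop} on {iface}"


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("1.1.1.5", "1.1.4.1", "1.1.3.1"):
        print(dst, "->", forward_decision(table, dst))
    # Without the default route, 1.1.3.1 has no matching entry at all.
    no_default = build_table([r for r in ROUTES if r[0] != "0.0.0.0/0"])
    print("1.1.3.1 without default ->", forward_decision(no_default, "1.1.3.1"))
```

Note that 1.1.4.1 is matched by both 1.1.4.0/30 and 1.1.4.1/32; the /32 pointing at InLoop0 wins, which is how the switch delivers packets addressed to its own interface locally rather than forwarding them out of Vlan100.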
Application Environment of Static Routing
Switch 4500G Family supports general static routing.
You need to be familiar with the following contents while configuring static routes:
1 Destination address and masks
In the ip route-static command, the IPv4 address is in dotted decimal format and
the mask can be in either dotted decimal format or the mask length (the digits of
consecutive 1s in the mask).
2 Output interface and the next hop address
While configuring static routes, you can specify either the output interface or next hop
address. Whether you should specify the output interface or the next hop address
depends on the specific occasion.
In fact, all route entries must specify the next hop address. While forwarding a packet, the corresponding route is determined by searching the routing table for the packet's destination address. Only after the next hop address is specified can the corresponding link-layer address be found for the link layer to forward the packet.
3 Other attributes
You can configure different preferences for different static routes to simplify routing management policy. For example, while configuring multiple routes to the same destination, using identical preferences allows for load sharing, while using different preferences allows for routing backup.
While running the ip route-static command to configure a static route, configuring an all-zero destination address and mask specifies the default route.
Switch 4500G Family does not support load sharing.
Configuring Static Route
Configuration Prerequisites
Before configuring a static route, you need to finish the following tasks:
Configuring the physical parameters for relative interfaces
Configuring the link-layer attribute for relative interfaces
Configuring the IP address for relative interfaces
Configuring Static Routes
Follow these steps to configure a static route:
While configuring a static route, it will use the default preference if no value is
specified. After resetting the default preference, it is valid only for the newly created
static route.
The description text can describe the usage and function of some specific routes, thus
make it easy for you to classify and manage different static routes.
You can easily control the routes by using the tag set in the routing policy.
Table 180 Configuring Static Routes
Operation: Command (Description)
Enter system view: system-view
Configure a static route: ip route-static ip-address { mask | mask-length } { [ vlan-interface vlan-id ] nexthop-address | NULL interface-number } [ preference preference | description description-info | tag tag-value ]* (Required)
Configure the default preference for a static route: ip route-static default-preference default-preference-value (Optional; the preference is 60 by default)
Displaying and Maintaining Static Routes
After the configuration, you can run the display commands in any view to display the running status and the effect of the static route configuration.
You can use the delete command in system view to delete all the configured static routes.
Follow these steps to display and maintain a static route:
You can use the undo ip route-static command in system view to delete a static route, and the delete static-routes all command in system view to delete all the configured static routes (including manually configured default IPv4 routes) at once.
Example of Static Routes Configuration
Network requirements
The switches' interfaces and the hosts' IP addresses and masks are shown in the following figure. Static routes are required to connect the hosts for inter-communication.
Network diagram
Figure 74 Network diagram for static routes
Table 181 Displaying and Maintaining Static Routes
Operation: Command
Display the current configuration: display current-configuration
Display the summary of the IP routing table: display ip routing-table
Display the details of the IP routing table: display ip routing-table verbose
Display the information of a static route: display ip routing-table protocol static [ inactive | verbose ]
Delete all static routes: delete static-routes all
[Figure 74 labels: PC1 1.1.1.2/24; SwitchA Vlan-interface200 1.1.1.1/24 and Vlan-interface100 1.1.4.1/30; SwitchB Vlan-interface100 1.1.4.2/30, Vlan-interface102 1.1.2.1/24 and Vlan-interface101 1.1.4.5/30; SwitchC Vlan-interface101 1.1.4.6/30 and Vlan-interface300 1.1.3.1/24; PC2 1.1.2.2/24; PC3 1.1.3.2/24.]
Configuration procedure
1 Configuring the interfaces IP addresses
Omitted.
2 Configuring the static route
a Configure a default route on Switch A.
[Switch A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
b Configure two static routes on Switch B.
[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[Switch B] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
c Configure a default route on Switch C.
[Switch C] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
3 Configure the hosts
The default gateways for the three hosts PC1, PC2 and PC3 are configured as 1.1.1.1,
1.1.2.1 and 1.1.3.1 respectively.
4 Display the configuration result
a Display the IP routing table of Switch A.
[Switch A] display ip routing-table
Routing Tables: Public
        Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
0.0.0.0/0           Static  60   0      1.1.4.2     Vlan100
1.1.1.0/24          Direct  0    0      1.1.1.1     Vlan200
1.1.1.1/32          Direct  0    0      127.0.0.1   InLoop0
1.1.4.0/30          Direct  0    0      1.1.4.1     Vlan100
1.1.4.1/32          Direct  0    0      127.0.0.1   InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1   InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1   InLoop0
b Use the ping command to check the connectivity.
[Switch A] ping 1.1.3.1
PING 1.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms
--- 1.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms
c Use the tracert command to check the connectivity.
[Switch A] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1) 30 hops max, 40 bytes packet
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
26 RIP CONFIGURATION
The term "router" in this document refers to a router in a generic sense or a Layer 3
switch. To improve readability, this will not be described in the present manual again.
RIP Overview
RIP is a simple Interior Gateway Protocol (IGP), which is mainly used in small networks, such as academic networks and simply structured LANs.
RIP is still widely used in practical networking because of its simple implementation and its easier configuration and maintenance compared with OSPF and IS-IS.
RIP Mechanism
Basic concept of RIP
RIP is a distance-vector-based routing protocol, using UDP messages for exchanging
information on port 520.
RIP uses a routing metric (Hop Count) to measure the distance to the destination. The
Hop Count value of a router to its directly connected network is 0. Networks which are
reachable through one other router are one hop etc. To reduce the convergence time, RIP
limits the metric value from 0 to 15. It is considered infinity if the value is equal or larger
than 16, which means the destination network is unreachable. That is why RIP cannot be
used in large scale networks.
RIP prevents routing loops by implementing Split Horizon and Poison Reverse functions.
RIP routing table
Each RIP router has a routing table, containing routing entries of all reachable
destinations.
Destination address: the IP address of a host or a network.
Next hop: IP address of the adjacent router to the destination network.
Interface: The interface for forwarding
Metric: Cost from the local router to the destination
Routing time: The amount of time since the entry was last updated. The time is reset
to 0 when the routing entry is updated every time.
Route change tag: Indicates that the information about this route has changed.
RIP timers
RIP uses four timers to control its operation. They are Update, Timeout, Suppress, and
Garbage-Collect.
Update timer triggers sending new update messages periodically.
Timeout timer controls the validity of a route. A route is considered unreachable when the RIP router does not receive an update message for it from any neighbor within the timeout period.
Suppress timer. A route changes to the suppress status when no update messages are received within the timeout value or the metric value reaches 16. In the suppress status, the router only accepts update messages with a metric value less than 16 and from the same neighbor to replace the unreachable route.
Garbage-Collect timer. The period from when the metric value of a route reaches 16 until the route is purged from the table is defined as the garbage collection time in the RFC. During the garbage-collect time, RIP keeps advertising the route with a metric value of 16. Once the garbage-collect time expires and the route has not been updated, the route is deleted from the table.
RIP initialization and running procedure
The following procedure describes how RIP works.
1 After enabling RIP, the router sends Request messages to neighboring routers.
Neighboring routers return Response messages containing all the information in their
routing tables.
2 The router updates its local routing table and broadcasts the routing updates to its
neighbors with triggered update messages. All routers on the network do the same to
keep the latest routing table.
In RIP, the routing table on each router is updated upon receipt of RIP messages
periodically advertised by neighboring routers. The aged routes are deleted to make sure
routes are always valid. The procedure is as follows: RIP periodically advertises the local
routing table to neighboring routers, which update their local routes upon receipt of the
packets. This procedure repeats on all RIP-enabled routers.
Routing loops prevention
RIP is a distance-vector (D-V) based routing protocol. Each router calculates the distance
to a destination based on the routing information from its neighbors. When a connection
to a destination goes down, the router on that connection has no way to notify the
others about its metric change, so the other routers still use the old routing information
to calculate the distance to that destination. Routing loops can therefore occur.
RIP uses the following mechanisms to prevent routing loops.
Counting to infinity. The metric value of 16 is defined as infinity. When a routing loop
occurs, the route is considered unreachable once the metric value reaches 16.
Split Horizon. The router does not send routes back to neighboring routers through
the same interface on which it received them. Split Horizon can definitely prevent routing
loops and save bandwidth.
Poison Reverse. The router sends routes back through the interface from which they
were received, but with a metric value of 16 (infinite). This method can remove useless
information from the routing tables of neighboring routers.
Triggered Updates. Each router sends out its new routing table as soon as it receives
an update, rather than waiting until the usual update period expires. This can speed
up network convergence.
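The loop-prevention mechanisms above, worked through in an added simulation that is not part of the manual: two routers exchange updates after a connected network fails, and the exchange count needed to reach metric 16 is compared for no protection, Split Horizon and Poison Reverse. The routing-table structure and the interface names are assumptions of this example; the advertised metric is the local metric and the receiver adds one hop, as the page describes.

```python
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # RIP metric meaning "unreachable"

# Constructed routing table format (an assumption of this example, not the
# switch's own structure): destination -> (interface the route was learned on
# or is directly connected to, metric).
RoutingTable = Dict[str, Tuple[str, int]]


def build_update(table: RoutingTable, out_iface: str,
                 mode: str = "split-horizon") -> List[Tuple[str, int]]:
    """Routes to advertise out of one interface.

    none:           every route is sent everywhere (no loop protection)
    split-horizon:  a route learned on out_iface is not sent back through it
    poison-reverse: it is sent back, but with metric 16 so the neighbor drops it
    """
    update = []
    for dest, (learned_iface, metric) in table.items():
        if learned_iface == out_iface and mode != "none":
            if mode == "poison-reverse":
                update.append((dest, INFINITY))
            continue
        update.append((dest, metric))
    return update


def receive_update(table: RoutingTable, in_iface: str,
                   update: List[Tuple[str, int]]) -> RoutingTable:
    """Apply a neighbor's update: add one hop, cap at 16 (counting to infinity),
    take better metrics, and always believe the neighbor a route was learned from
    (even when its metric got worse)."""
    new_table = dict(table)
    for dest, metric in update:
        metric = min(metric + 1, INFINITY)
        current = new_table.get(dest)
        if current is None or metric < current[1] or current[0] == in_iface:
            new_table[dest] = (in_iface, metric)
    return new_table


def unreachable(table: RoutingTable) -> List[str]:
    return [dest for dest, (_, metric) in table.items() if metric >= INFINITY]


def exchanges_until_withdrawn(mode: str, rounds: int = 40) -> Optional[int]:
    """Router A's directly connected network 10.1.0.0/16 (on A's eth0) has just
    failed; B learned that network from A (B's eth0 faces A, A's eth1 faces B).
    Returns how many update exchanges pass before both routers hold metric 16."""
    a: RoutingTable = {"10.1.0.0/16": ("eth0", INFINITY)}
    b: RoutingTable = {"10.1.0.0/16": ("eth0", 1)}
    for n in range(1, rounds + 1):
        # B speaks first, still believing the stale metric 1; then A answers.
        a = receive_update(a, "eth1", build_update(b, "eth0", mode))
        b = receive_update(b, "eth0", build_update(a, "eth1", mode))
        if a["10.1.0.0/16"][1] >= INFINITY and b["10.1.0.0/16"][1] >= INFINITY:
            return n
    return None


# Constructed example router: one connected network and one route learned on eth1.
ROUTER_R: RoutingTable = {
    "10.1.0.0/16": ("eth0", 0),
    "10.2.0.0/16": ("eth1", 2),
}
```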
RIP Version
RIP has two versions: RIP-1 and RIP-2.
RIP-1, a classful routing protocol, broadcasts its protocol messages. RIP-1 protocol
messages do not carry mask information, so RIP-1 can only recognize routing information
for natural (classful) network addresses such as Class A, B, and C. That is why RIP-1 does
not support routing convergence and discontiguous subnets.
RIP-2 is a Classless Routing Protocol. Compared with RIP-1, RIP-2 has the following
advantages.
Supports Route Tag. The Route Tag is intended to differentiate the internal RIP routes
from the external RIP routes.
Supports masks, route summarization and CIDR (Classless Inter-Domain Routing).
Supports next hop, which must be directly reachable on the broadcast network.
Supports multicasting to reduce unnecessary load on hosts that do not need to listen
to RIP-2 messages.
Supports authentication to enhance security. Plain text authentication and MD5
(Message Digest 5) are two authentication methods.
RIP-2 has two types of message transmission: broadcasting and multicasting.
Multicasting is the default type, using 224.0.0.9 as the multicast address. Interfaces
running RIP-2 in broadcast mode can also receive RIP-1 messages.
RIP Message Format
RIP-1 message format
A RIP message consists of a header and up to 25 route entries.
The format of a RIP-1 message is shown in Figure 75.
Figure 75 RIP-1 Message Format
Command: The type of message. 1 indicates Request, 2 indicates Response.
Version: The version of RIP. RIP-1 is 0x01.
AFI (Address Family Identifier): The family of protocol. 2 is for IP.
IP Address: IP address of the destination. Only natural addresses are acceptable here.
Metric: The cost of the route.
[Figure 75 layout: header fields command, version, must be zero; route entry fields address family identifier, must be zero, IP address, must be zero, must be zero, metric; bit offsets 0, 7, 15, 31]
RIP-2 message format
The format of a RIP-2 message is similar to that of RIP-1, as shown in Figure 76.
Figure 76 RIP-2 Message Format
The differences from RIP-1 are as follows.
Version: The version of RIP. For RIP-2 the value is 0x02.
Route Tag: An attribute indicating where the routes are imported from.
IP Address: The destination IP address. It could be a natural address, subnet address or
host address.
Subnet Mask: Mask of the destination address.
Next Hop: The address of the best next hop. 0.0.0.0 indicates that the originator of
the route is the best next hop.
RIP-2 authentication
RIP-2 supports plain text authentication, which uses the first route entry for
authentication. An address family identifier of 0xFFFF indicates that the entry carries
authentication information rather than routing information. See Figure 77.
Figure 77 RIP-2 Authentication Message
Authentication Type: 2 represents plain text authentication, while 3 represents MD5.
Authentication: The actual authentication data. It includes the password information
when using plain text authentication.
RFC 1723 only defines plain text authentication. For information about MD5
authentication, see RFC 2082, RIP-2 MD5 Authentication.
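The RIP-1/RIP-2 message formats and the 0xFFFF authentication entry described above, as an added parser that is not part of the manual or of Comware. It splits a message into the 4-byte header and 20-byte entries, decodes route entries and the plain text, MD5 (RFC 2082) and MD5 trailer entries, and reports what a defender looks for in a capture: a password visible in clear on the segment, and routes withdrawn with metric 16. The sample message is constructed here; the builder helpers and field names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Field values from the RIP-1/RIP-2 message formats (RFC 1058, RFC 1723, RFC 2082).
RIP_PORT = 520
COMMANDS = {1: "Request", 2: "Response"}
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2        # plain text password
AUTH_MD5 = 3           # RFC 2082 keyed MD5
AUTH_MD5_TRAILER = 1   # RFC 2082 trailer entry carrying the digest
INFINITY = 16
ENTRY_LEN = 20
MAX_ENTRIES = 25


def parse_rip(packet: bytes) -> dict:
    """Split a RIP message into its 4-byte header and 20-byte entries."""
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP message length")
    command, version, _must_be_zero = struct.unpack("!BBH", packet[:4])
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command}")
    if version not in (1, 2):
        raise ValueError(f"unknown version {version}")
    body = packet[4:]
    if len(body) // ENTRY_LEN > MAX_ENTRIES:
        raise ValueError("a RIP message carries at most 25 entries")
    entries = [parse_entry(body[i:i + ENTRY_LEN], version)
               for i in range(0, len(body), ENTRY_LEN)]
    return {"command": COMMANDS[command], "version": version, "entries": entries}


def parse_entry(chunk: bytes, version: int) -> dict:
    afi, tag = struct.unpack("!HH", chunk[:4])
    if afi == AFI_AUTH:
        # Authentication entry: the route tag position holds the authentication type.
        if tag == AUTH_SIMPLE:
            password = chunk[4:].rstrip(b"\x00").decode("ascii", "replace")
            return {"kind": "auth", "type": "simple", "password": password}
        if tag == AUTH_MD5:
            _pkt_len, key_id, _auth_len, seq = struct.unpack("!HBBI", chunk[4:12])
            return {"kind": "auth", "type": "md5", "key_id": key_id, "sequence": seq}
        if tag == AUTH_MD5_TRAILER:
            return {"kind": "auth", "type": "md5-digest", "digest": chunk[4:].hex()}
        raise ValueError(f"unknown authentication type {tag}")
    if afi != AFI_IP:
        raise ValueError(f"unsupported address family {afi}")
    ip, mask, next_hop, metric = struct.unpack("!4s4s4sI", chunk[4:])
    if version == 1 and (tag or any(mask) or any(next_hop)):
        raise ValueError("RIP-1 entry has non-zero must-be-zero fields")
    entry = {"kind": "route", "ip": str(IPv4Address(ip)), "metric": metric,
             "unreachable": metric >= INFINITY}
    if version == 2:
        entry.update(tag=tag, mask=str(IPv4Address(mask)),
                     next_hop=str(IPv4Address(next_hop)))
    return entry


# Builders used only to construct the sample message below.
def build_header(command: int, version: int) -> bytes:
    return struct.pack("!BBH", command, version, 0)


def build_auth_simple(password: str) -> bytes:
    return struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode("ascii"))


def build_route(ip: str, mask: str, next_hop: str, metric: int, tag: int = 0) -> bytes:
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, IPv4Address(ip).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


# Constructed sample: a RIP-2 Response authenticated with a plain text password,
# advertising one live route and one route withdrawn with metric 16.
SAMPLE_RESPONSE = (build_header(2, 2)
                   + build_auth_simple("secret123")
                   + build_route("10.1.2.0", "255.255.255.0", "0.0.0.0", 1)
                   + build_route("172.16.0.0", "255.255.0.0", "0.0.0.0", 16, tag=100))


def audit(packet: bytes) -> list:
    """Findings from a captured RIP message: a cleartext password (readable by
    anyone on the segment) and routes being withdrawn."""
    findings = []
    for e in parse_rip(packet)["entries"]:
        if e["kind"] == "auth" and e["type"] == "simple":
            findings.append(f"cleartext RIP password on the wire: {e['password']}")
        elif e["kind"] == "route" and e["unreachable"]:
            findings.append(f"route {e['ip']} advertised as unreachable (metric 16)")
    return findings
```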
RIP Features Supported
Currently, Comware 5.0 supports the following RIP features:
RIP-1
RIP-2
[Figure 76 layout: header fields Command, Version, unused; route entry fields Address Family Identifier, Route Tag, IP Address, Subnet Mask, Next Hop, Metric; bit offsets 0, 7, 15, 31]
[Figure 77 layout: header fields command, version, unused; first entry fields 0xFFFF, Authentication Type, Authentication (16 octets); bit offsets 0, 7, 15, 31]
RIP Related RFCs
RFC 1058: Routing Information Protocol
RFC 1723: RIP Version 2 - Carrying Additional Information
RFC 1721: RIP Version 2 Protocol Analysis
RFC 1722: RIP Version 2 Protocol Applicability Statement
RFC 1724: RIP Version 2 MIB Extension
RFC 2082: RIP-2 MD5 Authentication
RIP Basic Configuration
This section presents the information needed to configure the basic RIP features.
Configuration Prerequisites
Before configuring RIP features, configure an IP address on each interface and make sure
all routers are reachable.
Configuring RIP Basic Function
Enabling RIP and specifying networks
Follow these steps to enable RIP:
If you perform some RIP configurations in interface view before enabling RIP, those
configurations take effect after RIP is enabled.
The router does not send, receive or forward any routing information if you do not
enable RIP on that network.
You can enable RIP on all interfaces of the network by using the network 0.0.0.0
command.
Table 182 Configuring RIP Basic Function
Operation: Enter system view
    Command: system-view
Operation: Configure an interface to receive routing updates
    Command: rip input
    Description: Optional. By default, the router receives and sends RIP messages.
Operation: Configure an interface to send routing updates
    Command: rip output
    Description: Optional. By default, the router receives and sends RIP messages.
Table 184 Configuring the RIP version
Operation: Enter system view
    Command: system-view
Operation: Configure RIP-2 authentication mode
    Command: rip authentication-mode { simple password | md5 { rfc2082 password key-id | rfc2453 password } }
    Description: If the authentication mode is MD5, you must specify the message type defined in either RFC 2453 or RFC 2082.
Table 196 Configuring RIP peer
Operation: Enter system view
    Command: system-view
Operation: Create an ISP domain or enter the created ISP domain view
    Command: domain isp-name
    Description: Required
Operation: Configure default authorization for all users
    Command: authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
    Description: Optional
Operation: Configure authorization for login users
    Command: authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
    Description: Optional
Operation: Configure authorization for lan-access users
    Command: authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
    Description: Optional
Operation: Configure authorization for CLI users
    Command: authorization command hwtacacs-scheme hwtacacs-scheme-name
    Description: Optional
332 CHAPTER 31: AAA, RADIUS, AND TACACS+ CONFIGURATION
If local or none is used as the first scheme for authorization, you can only use local
authorization or no authorization; you cannot use a RADIUS scheme at the same time.
Since the RADIUS server transmits the authorization information to the RADIUS client
together with the authentication response packet, if you specify RADIUS schemes for
both authentication and authorization, you must ensure that the RADIUS authorization
server and the RADIUS authentication server run on the same device; otherwise the
system will give an error prompt.
Configuring AAA Accounting of an ISP Domain
Accounting is an independent procedure at the same level as authentication and
authorization in AAA; it sends requests to start, update and end accounting to the
configured accounting server. Accounting is not required in the AAA configuration of an
ISP domain; without accounting, users accessing the domain do not need to go through
the accounting procedure. You can configure accounting according to the following three
steps:
1 To use a RADIUS or TACACS+ scheme for accounting, first configure the RADIUS
scheme or TACACS+ scheme to be referenced; to use the local or none scheme for
accounting, you do not need to configure a scheme.
2 Determine the access modes or service types to configure. You can configure accounting
based on different access modes and service types, and restrict the accounting protocols
available for access through configuration.
3 Determine whether to configure a default accounting scheme for all access modes or
service types.
Table 221 Configure AAA accounting of an ISP domain
Operation: Enter system view
    Command: system-view
Operation: Create an ISP domain or enter the created ISP domain view
    Command: domain isp-name
Operation: Open/close the accounting-optional switch
    Command: accounting-optional
    Remarks: Optional. By default, once an ISP domain is created, the accounting-optional switch is closed.
Operation: Configure accounting for all users
    Command: accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
    Remarks: Optional
Operation: Configure accounting for login users
    Command: accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
    Remarks: Optional
Operation: Configure accounting for lan-access users
    Command: accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
    Remarks: Optional
When accounting for a user, if the system does not find any available accounting server
or fails to communicate with any accounting server, it does not disconnect the user as
long as the accounting optional command has been executed.
The accounting configured by the accounting default command applies to all users.
That is, the configuration takes effect for every user, but its priority is lower than that
of the accounting configured for the specific access mode.
Local accounting is only used to manage the connections of local users. It has no real
statistics function. The management of local connections only affects local accounting,
not local authentication and authorization.
If the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local form of the command is configured, local accounting is
used as the alternative when the RADIUS server or TACACS server fails. That is, local
accounting is used only when the RADIUS server or TACACS server does not work.
If local or none is used as the first scheme for accounting, you can only use local
accounting or no accounting; you cannot use a RADIUS or TACACS+ scheme at the
same time.
FTP does not support accounting for login.
Configuring the Attributes of a Local User
When the local scheme is chosen as the AAA scheme, you should create local users on
the switch and configure the relevant attributes.
Local users are users configured on the switch, each uniquely identified by a user name.
For a user requesting network service to pass local authentication, you must add an entry
for the user to the local user database on the switch.
Table 222 Configure the attributes of a local user
Operation: Enter system view
    Command: system-view
Operation: Configure an interface to dynamically obtain an IP address through BOOTP
    Command: ip address bootp-alloc
    Description: Required. By default, an interface does not use BOOTP to obtain an IP address.
Table 295 Displaying BOOTP Client Configuration
To do: Display related information on a BOOTP client
    Use the command: display bootp client [ interface interface-type interface-number ]
    Remarks: Available in any view
41 ACL OVERVIEW
ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. To filter data
packets, a series of match rules must be configured on the network device to identify the
packets to be filtered. After the specific packets are identified, the network device can
permit or deny the corresponding packets based on the predefined policy.
ACLs classify packets based on a series of match conditions, which can be the source
addresses, destination addresses and port numbers carried in the packets.
The packet match rules defined by ACLs can be referenced by other functions that need
to differentiate traffic flows, such as the definition of traffic classification rules in QoS.
Time-Based ACL
A time range-based ACL lets you apply ACL control to packets differently in different
time ranges.
A time range can be specified in each rule in an ACL. If the time range specified in a rule
is not configured, the system gives a prompt message but still allows the rule to be
created. However, the rule does not take effect immediately; it takes effect only when the
specified time range is configured and the system time is within the time range. If you
remove the time range referenced by an ACL rule, the rule becomes invalid the next time
the ACL rule timer refreshes.
IPv4 ACL
This section covers these topics:
IPv4 ACL Classification
IPv4 ACL Match Order
IP Fragments Filtering with IPv4 ACL
IPv4 ACL Classification
IPv4 ACLs are numbered ACLs. Depending on the header fields used for filtering, they
fall into the following three types:
Basic ACL, based on source IP address.
Advanced ACL, based on source IP address, destination IP address, upper layer
protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.
Ethernet frame header ACL, based on Layer 2 protocol header fields such as source
MAC address, destination MAC address, 802.1p priority, and link layer protocol type.
IPv4 ACL Match Order
Each ACL is a sequential collection of rules defined with different matching criteria. The
order in which a packet is matched against the rules may thus affect how the packet is
handled.
412 CHAPTER 41: ACL OVERVIEW
At present, the following two match orders are available:
config: rules are compared in the order in which they are configured.
auto: depth-first match is performed.
In a basic or advanced IPv4 ACL, depth-first match works as follows:
1 Sort rules first by the wildcard length of the source IP address; the rule with the
shorter wildcard is compared first.
2 When two rules with the same source IP address wildcard are present, the one with the
shorter destination IP address wildcard is compared first.
3 If the lengths of their destination IP address wildcards are the same, the one configured
first is compared before the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to
the rule with the source IP address wildcard 0.0.255.255.
In an Ethernet frame header ACL, depth-first match works as follows:
1 Sort rules first by the mask length of the source MAC address; the rule with the
longer mask is compared first.
2 When two rules with the same source MAC address mask length are present, the one
with the shorter destination MAC address mask is compared before the other.
3 If the lengths of their destination MAC address masks are the same, the one configured
first is compared before the other.
For example, the rule with the source MAC address mask FFFF-FFFF-0000 is compared
before the rule with the source MAC address mask FFFF-0000-0000.
The display acl command displays ACL rules in their match order rather than the
configuration order.
The comparison of a packet against an ACL stops once a match is found. The packet is
then processed as per the rule.
IP Fragments Filtering with IPv4 ACL
Traditionally, ACLs check only first fragments, not all IP fragments. All non-first fragments
are handled the way the first fragments are handled. This poses a security risk, as
attackers may fabricate non-first fragments to attack your network.
Note that ACL rules configured with the fragment keyword only apply to non-first
fragments, and those configured without the keyword apply to all packets (including first
fragments) except non-first fragments.
Look at the following commands:
[3Com-basic-2000] rule 1 deny source 202.101.1.0 0.0.0.255 fragment
[3Com-basic-2000] rule 2 permit source 202.101.2.0 0.0.0.255
[3Com-adv-3001] rule 3 permit ip destination 171.16.23.1 0 fragment
[3Com-adv-3001] rule 4 deny ip destination 171.16.23.2 0
Among these rules, the first and the third rules only apply to non-first fragments while
the second and the fourth apply to all packets but non-first fragments.
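The match-order and fragment semantics described in this chapter, as an added evaluator that is not part of the manual or of Comware: rules are ordered by configuration order (config) or depth-first by wildcard length (auto), the fragment keyword restricts a rule to non-first fragments while its absence excludes them, the first match stops comparison, and automatic rule IDs follow the step rule. The Rule model and the OVERLAP pair are constructed for this example; the two ACLs from the text are reproduced from the commands above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address + wildcard meaning "any address"


@dataclass
class Rule:
    """One basic/advanced IPv4 ACL rule (a constructed model, not the switch's own)."""
    rule_id: int
    action: str                       # "permit" or "deny"
    src: Tuple[str, str] = ANY        # (address, wildcard); 1 bits in the wildcard are ignored
    dst: Tuple[str, str] = ANY
    fragment: bool = False            # rule carries the "fragment" keyword
    seq: int = 0                      # configuration order, used by the config match order


def _wild_len(wildcard: str) -> int:
    """Wildcard length = number of don't-care bits; shorter means more specific."""
    return bin(int(IPv4Address(wildcard))).count("1")


def _covers(spec: Tuple[str, str], ip: str) -> bool:
    addr, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(ip)) & care == int(IPv4Address(addr)) & care


def applies_to(rule: Rule, non_first_fragment: bool) -> bool:
    """Rules with the fragment keyword apply only to non-first fragments; rules
    without it apply to every packet except non-first fragments."""
    return rule.fragment == non_first_fragment


def ordered(rules: List[Rule], match_order: str) -> List[Rule]:
    if match_order == "config":
        return sorted(rules, key=lambda r: r.seq)
    # auto: depth-first, shorter source wildcard first, then shorter destination
    # wildcard, then configuration order.
    return sorted(rules, key=lambda r: (_wild_len(r.src[1]), _wild_len(r.dst[1]), r.seq))


def evaluate(rules: List[Rule], match_order: str, src_ip: str, dst_ip: str,
             non_first_fragment: bool = False) -> Tuple[Optional[str], Optional[int]]:
    """The first matching rule wins and comparison stops. (None, None) means no
    rule matched; what happens then is up to the feature that references the ACL."""
    for rule in ordered(rules, match_order):
        if (applies_to(rule, non_first_fragment) and _covers(rule.src, src_ip)
                and _covers(rule.dst, dst_ip)):
            return rule.action, rule.rule_id
    return None, None


def next_rule_id(existing_ids: List[int], step: int = 5) -> int:
    """Automatic ID: the smallest multiple of step greater than the largest existing ID."""
    largest = max(existing_ids, default=-1)
    return (largest // step + 1) * step


# The two ACLs from the fragment discussion above, as Rule objects.
BASIC_2000 = [
    Rule(1, "deny", src=("202.101.1.0", "0.0.0.255"), fragment=True, seq=0),
    Rule(2, "permit", src=("202.101.2.0", "0.0.0.255"), seq=1),
]
ADV_3001 = [
    Rule(3, "permit", dst=("171.16.23.1", "0.0.0.0"), fragment=True, seq=0),
    Rule(4, "deny", dst=("171.16.23.2", "0.0.0.0"), seq=1),
]
# Constructed pair showing why the match order matters: a broad permit configured
# before a narrow deny is hit first under config, but the deny wins under auto.
OVERLAP = [
    Rule(0, "permit", src=("10.0.0.0", "0.0.255.255"), seq=0),
    Rule(5, "deny", src=("10.0.1.0", "0.0.0.255"), seq=1),
]
```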
IPv4 ACL Creation
An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must first
create an IPv4 ACL.
When creating an IPv4 ACL:
You must specify an ACL number (numeric type), and
You can optionally specify the match order of the IPv4 ACL.
After an IPv4 ACL is created, the IPv4 ACL view is displayed.
42 IPV4 ACL CONFIGURATION
This chapter covers these topics:
Creating a Time Range
Configuring a Basic IPv4 ACL
Configuring an Advanced IPv4 ACL
Configuring an Ethernet Frame Header ACL
Configuring a User-Defined IPv4 ACL
Displaying and Maintaining IPv4 ACLs
IPv4 ACL Configuration Example
Creating a Time Range
Three types of time ranges are available:
Periodic time range, which recurs periodically on the day or days of the week.
Absolute time range, which takes effect only in a period of time and does not recur.
Compound time range, which recurs on the day or days of the week within a period.
CAUTION: On the Switch 4500G, the start time of an absolute time range cannot be
earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot be later
than 2100/12/31 24:00.
Configuration Procedure
Follow these steps to create a time range:
If only a periodic time section is defined in a time range, the time range is active only
within the defined periodic time section.
If only an absolute time section is defined in a time range, the time range is active only
within the defined absolute time section.
Table 296 Creating a Time Range
To do: Enter system view
    Use the command: system-view
To do: Create a time range
    Use the command: time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
    Remarks: Required
To do: Display the configuration and state of a specified or all time ranges
    Use the command: display time-range { all | time-name }
    Remarks: Optional. Available in any view
416 CHAPTER 42: IPV4 ACL CONFIGURATION
If both a periodic time section and an absolute time section are defined in a time range,
the time range is active only when both the periodic section and the absolute section
are matched. Assume that a time range defines an absolute time section from
00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from
12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00
every Wednesday in 2004.
If the start time is not specified, the time range starts on the current date and ends on
the end date.
If the end date is not specified, the time range lasts from the date of configuration until
the largest date available in the system.
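The activity rules above (periodic only, absolute only, both sections must match, and an open-ended absolute section), as an added evaluation routine that is not part of the manual or of Comware. Weekday handling, the "working-day" set and the time-stamp format follow the page's display output ("13:27:32 4/16/2005 Saturday"); treating a missing start or end as unbounded is an assumption of this example.

```python
from datetime import datetime, time
from typing import Optional, Set, Tuple

# Weekday numbers as datetime.weekday() returns them; working-day = Monday to Friday.
WORKING_DAY: Set[int] = {0, 1, 2, 3, 4}

Periodic = Tuple[time, time, Set[int]]                     # (start-time, end-time, days)
Absolute = Tuple[Optional[datetime], Optional[datetime]]   # (from, to), either may be None


def at(text: str) -> datetime:
    """Parse a time stamp in the format the display time-range output uses."""
    return datetime.strptime(text, "%H:%M:%S %m/%d/%Y")


def periodic_active(now: datetime, section: Periodic) -> bool:
    """Active on the listed weekdays from start-time up to (not including) end-time."""
    start, end, days = section
    return now.weekday() in days and start <= now.time() < end


def absolute_active(now: datetime, section: Absolute) -> bool:
    """A missing 'from' means the range starts on the configuration date and a
    missing 'to' means it lasts until the largest date the system supports; both
    are modelled here as unbounded (assumption of this example)."""
    begin, finish = section
    return (begin is None or begin <= now) and (finish is None or now <= finish)


def time_range_active(now: datetime, periodic: Optional[Periodic] = None,
                      absolute: Optional[Absolute] = None) -> bool:
    """A time range is active only when every section it defines matches, so a
    range with both a periodic and an absolute section needs both."""
    if periodic is not None and not periodic_active(now, periodic):
        return False
    if absolute is not None and not absolute_active(now, absolute):
        return False
    return True


# Constructed inputs mirroring the cases in the text.
OFFICE_HOURS: Periodic = (time(8, 0), time(18, 0), WORKING_DAY)          # 8:00 to 18:00 working-day
ABSOLUTE_2000_2004: Absolute = (at("15:00:00 1/28/2000"), at("15:00:00 1/28/2004"))
OPEN_ENDED: Absolute = (at("00:00:00 1/1/2004"), None)                  # end date not specified
WEDNESDAY_LUNCH_2004 = dict(
    periodic=(time(12, 0), time(14, 0), {2}),                           # Wednesday only
    absolute=(at("00:00:00 1/1/2004"), at("23:59:00 12/31/2004")),
)
```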
Configuration Example
1 Create a time range that spans from 8:00 to 18:00 every working day.
<3Com> system-view
[3Com] time-range test 8:00 to 18:00 working-day
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
2 Create an absolute time range that spans from 15:00 2000/1/28 to 15:00 2004/1/28.
<3Com> system-view
[3Com] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
from 15:00 1/28/2000 to 15:00 1/28/2004
Configuring a Basic IPv4 ACL
Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the
range 2000 to 2999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range
command first.
Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an
existing rule (an error is prompted if you try).
A newly defined rule cannot be identical with any existing rule; otherwise the rule
cannot be created (the system prompts that the rule already exists).
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
Table 297 Configuring a Basic IPv4 ACL
To do: Enter system view
    Use the command: system-view
To do: Create and enter a basic IPv4 ACL view
    Use the command: acl number acl-number [ match-order { config | auto } ]
    Remarks: Required. The default match order is config.
To do: Create or modify a rule
    Use the command: rule [ rule-id ] { permit | deny } [ rule-string ]
    Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
    Use the command: step step-value
    Remarks: Optional. The default step is 5.
To do: Create an ACL description
    Use the command: description text
    Remarks: Optional
To do: Create a rule description
    Use the command: rule rule-id comment text
    Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
    Use the command: display acl { all | acl-number }
    Remarks: Optional. Available in any view
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
The system will insert a newly created rule between existing rules in depth-first order,
without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create IPv4 ACL 2000 to deny the packets with the source address 1.1.1.1 to pass.
<3Com> system-view
[3Com] acl number 2000
[3Com-acl-basic-2000] rule deny source 1.1.1.1 0
2 Verify the configuration.
[3Com-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
Acl's step is 5
rule 0 deny source 1.1.1.1 0 (0 times matched)
Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address,
upper-layer protocol carried on IP, and other protocol header fields, such as the TCP/UDP
source port, TCP/UDP destination port, TCP flag, ICMP message type, and ICMP message
code.
In addition, advanced ACLs allow you to filter packets based on three priority criteria:
type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Advanced ACLs are numbered in the range 3000 to 3999. Compared to basic ACLs, they
allow more flexible and accurate filtering.
When you configure both IP priority and ToS priority for a rule, both priorities are
valid.
When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range
command first.
Configuration Procedure
Follow these steps to configure an advanced IPv4 ACL:
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an
existing rule (an error is prompted if you try).
A newly defined rule cannot be identical with any existing rule; otherwise the rule
cannot be created (the system prompts that the rule already exists).
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
Table 298 Configuring an Advanced IPv4 ACL
To do: Enter system view
    Use the command: system-view
To do: Create and enter an advanced IPv4 ACL view
    Use the command: acl number acl-number [ match-order { config | auto } ]
    Remarks: Required. The default match order is config.
To do: Create or modify a rule
    Use the command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
    Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
    Use the command: step step-value
    Remarks: Optional. The default step is 5.
To do: Create an ACL description
    Use the command: description text
    Remarks: Optional
To do: Create a rule description
    Use the command: rule rule-id comment text
    Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
    Use the command: display acl { all | acl-number }
    Remarks: Optional. Available in any view
The system will insert a newly created rule between existing rules in depth-first order,
without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create IPv4 ACL 3000 to permit TCP packets with port number 80 sent from 129.9.0.0
to 202.38.160.0.
<3Com> system-view
[3Com] acl number 3000
[3Com-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
2 Verify the configuration.
[3Com-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
Acl's step is 5
rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (0 times matched)
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields such
as source MAC address, destination MAC address, 802.1p priority, and link layer protocol
type. They are numbered in the range 4000 to 4999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range
command first.
Configuration Procedure
Follow these steps to configure an Ethernet frame header ACL:
Table 299 Configuring an Ethernet Frame Header ACL
To do: Enter system view
    Use the command: system-view
To do: Create and enter an Ethernet frame header ACL view
    Use the command: acl number acl-number [ match-order { config | auto } ]
    Remarks: Required. The default match order is config.
To do: Create or modify a rule
    Use the command: rule [ rule-id ] { permit | deny } [ rule-string ]
    Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
    Use the command: step step-value
    Remarks: Optional. The default step is 5.
To do: Create an ACL description
    Use the command: description text
    Remarks: Optional
To do: Create a rule description
    Use the command: rule rule-id comment text
    Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
    Use the command: display acl { all | acl-number }
    Remarks: Optional. Available in any view
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an
existing rule (an error is prompted if you try).
A newly defined rule cannot be identical with any existing rule; otherwise the rule
cannot be created (the system prompts that the rule already exists).
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
The system will insert a newly created rule between existing rules in depth-first order,
without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
Configuration
Example
1 Create Ethernet frame header ACL 4000 to deny frames with the 802.1p priority of 3.
<3Com> system-view
[3Com] acl number 4000
[3Com-acl-ethernetframe-4000] rule deny cos 3
2 Verify the configuration. Because no rule ID was specified, the rule was assigned ID 0; excellent-effort is the keyword the switch displays for 802.1p priority 3.
[3Com-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule,
Acl's step is 5
rule 0 deny cos excellent-effort (0 times matched)
Displaying and Maintaining IPv4 ACLs
IPv4 ACL Configuration Example
Network Requirements
Different departments of an enterprise are interconnected on the intranet through the
ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of the
R&D department are connected to the GigabitEthernet1/0/1 port of the switch. Apply an
ACL to deny requests sourced from the R&D department and destined for the wage
server during the working hours (8:00 to 18:00).
Network Diagram Figure 117 Network diagram for ACL configuration
Configuration
Procedure
1 Create a time range for office hours
a Create a periodic time range spanning 8:00 to 18:00 on working days.
<3Com> system-view
[3Com] time-range trname 8:00 to 18:00 working-day
2 Define an ACL to control access to the salary server
a Create and enter the view of advanced IPv4 ACL 3000.
[3Com] acl number 3000
b Create a rule to control access of the R&D Department to the salary server.
[3Com-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2 0.0.0.0 time-range trname
[3Com-acl-adv-3000] quit
Table 300 Displaying and Maintaining IPv4 ACLs

To... | Use the command | Remarks
Display information about a specified or all IPv4 ACLs | display acl { all | acl-number } | Available in any view
Display the configuration and state of a specified or all time ranges | display time-range { all | time-name } | Available in any view
Clear the statistics about the specified or all ACLs | reset acl counter { all | acl-number } | Available in user view
[Figure 117 diagram: the switch connects the R&D Department, the salary server (192.168.1.2) and a link to a router on ports labelled #1, #2 and #3.]
3 Apply the ACL
Apply IPv4 ACL 3000 to the inbound direction of interface GigabitEthernet1/0/1.
[3Com] traffic classifier test
[3Com-classifier-test] if-match acl 3000
[3Com-classifier-test] quit
[3Com] traffic behavior test
[3Com-behavior-test] filter deny
[3Com-behavior-test] quit
[3Com] qos policy test
[3Com-qospolicy-test] classifier test behavior test
[3Com-qospolicy-test] quit
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos apply policy test inbound
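The ACL behaviour described in the rule notes above (rule-ID assignment by step value, rejection of a rule identical to an existing one) and in this configuration example (a deny rule with a host wildcard mask of 0.0.0.0, active only during a periodic working-day time range), as an added Python model that is not part of the 3Com manual and does not talk to a switch. It models only the config match order; the TimeRange, Rule and Acl classes, the sample addresses and the dates are constructed for illustration.

```python
# Added example (not from the 3Com manual): a minimal model of advanced IPv4
# ACL behaviour: rule-ID assignment with a step value, the "identical rule"
# check, wildcard-mask matching (0.0.0.0 = exact host, as in
# "192.168.1.2 0.0.0.0") and a periodic working-day time range.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Optional


@dataclass(frozen=True)
class TimeRange:
    """Periodic range like 'time-range trname 8:00 to 18:00 working-day'."""
    name: str
    start: time
    end: time
    working_days_only: bool = True

    def active(self, now: datetime) -> bool:
        if self.working_days_only and now.weekday() > 4:  # Sat=5, Sun=6
            return False
        return self.start <= now.time() < self.end


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # "any" or "address wildcard-mask"
    dst: str
    time_range: Optional[str] = None

    @staticmethod
    def _addr_match(spec: str, ip: str) -> bool:
        if spec == "any":
            return True
        base, wildcard = spec.split()
        # Wildcard mask: 0 bits must match exactly, 1 bits are "don't care".
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wildcard))
        care = ~w & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (b & care)

    def matches(self, src_ip: str, dst_ip: str, now: datetime,
                ranges: Dict[str, TimeRange]) -> bool:
        if self.time_range is not None and not ranges[self.time_range].active(now):
            return False                 # outside its time range the rule is inactive
        return self._addr_match(self.src, src_ip) and self._addr_match(self.dst, dst_ip)


class Acl:
    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, rule: Rule, rule_id: Optional[int] = None) -> int:
        # A rule identical to an existing one is rejected ("rule already exists").
        if rule in self.rules.values():
            raise ValueError("rule already exists")
        if rule_id is None:
            # Smallest multiple of step greater than the largest existing ID;
            # an empty ACL yields 0. With step 5 and largest ID 28 -> 30.
            largest = max(self.rules) if self.rules else -1
            rule_id = (largest // self.step + 1) * self.step
        self.rules[rule_id] = rule
        return rule_id

    def check(self, src_ip: str, dst_ip: str, now: datetime,
              ranges: Dict[str, TimeRange]) -> str:
        # Match order "config": rules are tried in ascending rule-ID order.
        for rid in sorted(self.rules):
            if self.rules[rid].matches(src_ip, dst_ip, now, ranges):
                return self.rules[rid].action
        return "permit"   # no rule matched: the policy takes no action on the packet


if __name__ == "__main__":
    ranges = {"trname": TimeRange("trname", time(8, 0), time(18, 0))}
    acl = Acl(3000)
    acl.add_rule(Rule("deny", "any", "192.168.1.2 0.0.0.0", "trname"), 0)
    print(acl.check("10.1.1.5", "192.168.1.2", datetime(2024, 1, 9, 10, 0), ranges))
```

The wildcard mask is the inverse of a subnet mask, so a rule written with 0.0.0.255 would match the whole /24 while 0.0.0.0 pins a single host; a time-range name that is referenced but never defined leaves the rule inactive on the real switch, which the model mirrors by raising a KeyError rather than silently permitting.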
43 QOS OVERVIEW
Introduction Quality of Service (QoS) is a concept generally existing in occasions where service
supply-demand relations exist. QoS measures the ability to meet the service needs of
customers. Generally, the evaluation is not to give precise grading. The purpose of the
evaluation is to analyze the conditions where the services are good and the conditions
where the services still need to be improved, so that specific improvements can be
implemented.
In Internet, QoS measures the ability of the network to deliver packets. The evaluation on
QoS can be based on different aspects because the network provides diversified services.
Generally speaking, QoS is the evaluation on the service ability to support the critical
indexes such as delay, delay jitter and packet loss rate in packet delivery.
Traditional Packet
Delivery Service
The traditional IP network treats all packets equally. The switch processes packets first in, first out (FIFO) and assigns the resources needed for forwarding in order of packet arrival. All packets share the network and router resources, so the resources a packet gets depend entirely on when it happens to arrive.
This service policy is called Best-Effort. The switch makes its best effort to deliver the
packets to the destination but it cannot provide any guarantee for delay, delay jitter,
packet loss rate, and reliability in packet delivery.
The traditional Best-Effort service policy is only applicable to services such as WWW, FTP,
and E-mail, which are not sensitive to the bandwidth and the delay performance.
New Requirements
Brought forth by
New Services
With the fast development of computer networks, more and more networks are
connected into Internet. Internet extends very quickly in scale, coverage and the number
of users. More and more users use the Internet as a platform for data transmission and
develop various applications on it.
Besides traditional applications such as WWW, E-mail, and FTP, Internet users also try to
develop new services on Internet, such as tele-education, tele-medicine, video phones,
video conferencing, and video on demand (VOD). Enterprise users also hope to connect
their branch offices in different locations through the VPN technology to develop some
transaction applications, such as to access to the database of the company or to manage
remote switches through Telnet.
The new services have one thing in common: they all have special requirements for
delivery performances such as bandwidth, delay, and delay jitter. For example, video
conferencing and VOD require the guarantee of high bandwidth, low delay and low
delay jitter. Some key services such as the transaction handling and the Telnet do not
necessarily require high bandwidth but they are highly dependent on low delay and need
to be processed preferentially in case of congestion.
The emergence of new services brings forward higher requirements for the service
capability of the IP network. In the delivery process, users hope to get better services,
such as dedicated bandwidth for users, reduced packet loss rate, management and
avoidance of network congestion, control of network traffic, provision of packet priority,
and so on, instead of just having packets delivered to the destination. To meet these
requirements, the network service capability need to be further improved.
Occurrence and
Influence of
Congestion and the
Countermeasures
QoS issues on traditional networks are mainly caused by congestion. Congestion means a reduced service rate and extra delay introduced because the provisioned resources are insufficient relative to demand.
Occurrence of
Congestion
Congestion is very common in a complicated environment of packet switching on
Internet. The diagram below gives two examples:
Figure 118 Traffic congestion
1 Packets enter a router over a high-speed link and are forwarded out over a low-speed
link.
2 Packets enter a router through multiple interfaces of the same rate at the same time and
are forwarded out on an interface of the same rate.
If the traffic arrives at the wire speed, the traffic will encounter the bottleneck of
resources and congestion occurs.
Besides bandwidth bottleneck, any insufficiency of resources for packet forwarding, such
as insufficiency of assignable processor time, buffer size, and memory resources can
cause congestion. In addition, congestion will also occur if the traffic that arrives within a
certain period of time is improperly controlled and the traffic goes beyond the assignable
network resources.
[Figure 118 diagram: traffic congestion on interfaces of different rates (a 1000M inbound link feeding a 100M outbound link) and on interfaces of the same rate (several 100M inbound links feeding one 100M outbound link).]
Influence of
Congestion
Congestion may cause a series of negative influences:
Congestion increases delay and delay jitter in packet delivery.
Excessively high delay will cause retransmission of packets.
Congestion decreases the effective throughput of the network and the utilization of
the network resources.
Aggravated congestion will consume a large amount of network resources (especially
memory resources), and unreasonable resource assignment will even lead to system
resource deadlock and cause the system breakdown.
It is obvious that congestion is the root of service performance declination because
congestion makes traffic unable to get resources timely. However, congestion is common
in a complicated environment where packet switching and multi-user services coexist.
Therefore, congestion must be treated carefully.
Countermeasures Increasing network bandwidth is a direct way to solve the problem of resource
insufficiency, but it cannot solve all the problems that cause network congestion.
A more effective way to solve network congestion problems is to enhance the function
of the network layer in traffic control and resource assignment, to provide differentiated
services for different requirements, and to assign and utilize resources correctly. In the
process of resource assignment and traffic control, the direct or indirect factors that may
cause network congestion must be properly controlled so as to reduce the probability of
congestion. When congestion occurs, the resource assignment should be balanced
according to the features and requirements of all the services to minimize the influence
of congestion on QoS.
Major Traffic
Management
Techniques
Traffic classification, traffic policing (TP), traffic shaping (TS), congestion management,
and congestion avoidance are the foundation for providing differentiated services. Their
main functions are as follows:
Traffic classification: Identifies packets according to certain match rules. Traffic
classification is the prerequisite of providing differentiated services.
TP: Monitors and controls the specifications of specific traffic entering the device.
When the traffic exceeds the threshold, restrictive or punitive measures can be taken
to protect the business interests and network resources of the operator from being
damaged.
Congestion management: Congestion management is necessary for solving resource
competition. Congestion management is generally to cache packets in the queues
and arrange the forwarding sequence of the packets based on a certain scheduling
algorithm.
Congestion avoidance: Excessive congestion will impair the network resources.
Congestion avoidance is to supervise the network resource usage. When it is found
that congestion is likely to become worse, the congestion avoidance mechanism will
drop packets and regulate traffic to solve the overload of the network.
TS: TS is a traffic control measure to regulate the output rate of the traffic actively. TS
regulates the traffic to match the network resources that can be provided by the
downstream devices so as to avoid unnecessary packet loss and congestion.
Among the traffic management techniques, traffic classification is the basis because it
identifies packets according to certain match rules, which is the prerequisite of providing
differentiated services. TP, TS, congestion management, and congestion avoidance
control network traffic and assigned resources from different approaches, and are the
concrete ways of providing differentiated services.
Switch 4500G Switches support the following functions:
Traffic classification
Access control
TP
Congestion management
Traffic Classification Traffic classification identifies packets that conform to certain characteristics according to certain rules. It is the basis and prerequisite for providing differentiated services.
A traffic classification rule can use the precedence bits in the type of service (ToS) field of
the IP packet header to identify traffic with different precedence characteristics. A traffic
classification rule can also classify traffic according to the traffic classification policy set by
the network administrator, such as the combination of source addresses, destination
addresses, MAC addresses, IP protocol or the port numbers of the applications. Traffic
classification is generally based on the information in the packet header and rarely based
on the content of the packet. The classification result can be of any size: a narrow range specified by a quintuplet (source address, source port number, protocol number, destination address, and destination port number), or all the packets to a certain network segment.
Generally, the precedence of bits in the ToS field of the packet header is set when
packets are classified on the network border. Thus, IP precedence can be used directly as
the classification criterion inside the network. Queue techniques can also process packets
differently according to IP precedence. The downstream network can either accept the
classification results of the upstream network or re-classify the packets according to its
own criterion.
The purpose of traffic classification is to provide differentiated services, so traffic
classification is significant only when it is associated with a certain traffic control or
resource assignment action. The specific traffic control action to be adopted depends on
the phase and the current load status. For example, when the packets enter the network,
TP is performed on the packets according to CIR; before the packets flow out of the
node, TS is performed on the packets; when congestion occurs, queue scheduling is
performed on the packets; when congestion get worse, congestion avoidance is
performed on the packets.
Precedence The following describes several types of precedence:
1 IP precedence, ToS precedence and DSCP precedence
Figure 119 DS field and ToS byte
As shown in the figure above, the ToS field in the IP header contains 8 bits, which are
described as follows:
The first three bits indicate IP precedence, in the value range of 0 to 7.
Bit 3 to bit 6 indicate ToS precedence, in the value range of 0 to 15.
RFC 2474 redefines the ToS field in the IP packet header as the DS field. The first six bits of the DS field carry the DSCP precedence, in the value range of 0 to 63. The last two bits (bit 6 and bit 7) are reserved.
2 802.1p priority
802.1p priority lies in the layer 2 packet header. It is suitable for occasions where it is not
necessary to analyze the Layer 3 packet headers and QoS is needed in Layer 2.
Figure 120 The format of an Ethernet frame with an 802.1Q tag header
As shown in the figure above, each host supporting the 802.1Q protocol inserts a 4-byte 802.1Q tag header after the source address in the original Ethernet frame header when sending a packet.
The 4-byte 802.1Q tag header contains a 2-byte Tag Protocol Identifier (TPID) whose value is 0x8100 and a 2-byte Tag Control Information (TCI) field. TPID is a new type defined by IEEE to
indicate a packet with a 802.1Q tag. The following figure shows the detailed contents of
an 802.1Q tag header.
Figure 121 The format of an 802.1Q tag header
In the figure above, the 3-bit Priority field in the TCI is the 802.1p priority, in the value range of 0 to 7. These three bits represent the priority of the frame: eight priority levels that determine which packets are sent first when congestion occurs on the switch. They are called 802.1p priority because the use of these priority levels is defined in detail in the 802.1p specification.
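The two headers described above (the IP ToS/DS byte and the 4-byte 802.1Q tag), decoded from raw bytes as an added Python example that is not part of the 3Com manual. Bit positions follow the text (bit 0 is the most significant bit of the ToS byte); the sample ToS value and the constructed frame bytes are illustrative input, not captures from a device.

```python
# Added example (not from the 3Com manual): decode the priority fields from
# raw bytes. IP precedence = bits 0-2 of the ToS byte, ToS precedence =
# bits 3-6, DSCP = bits 0-5 of the same byte read as the DS field. The
# 802.1Q tag is 4 bytes: 2-byte TPID 0x8100 followed by a 2-byte TCI whose
# top 3 bits are the 802.1p priority (PCP).
import struct

TPID_8021Q = 0x8100


def decode_tos(tos: int) -> dict:
    """Split one IPv4 ToS/DS byte into the precedence views described above."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    return {
        "ip_precedence": tos >> 5,            # bits 0-2, range 0-7
        "tos_precedence": (tos >> 1) & 0xF,   # bits 3-6, range 0-15
        "dscp": tos >> 2,                     # bits 0-5 of the DS field, 0-63
        "reserved": tos & 0x3,                # bits 6-7 of the DS field
    }


def decode_frame(frame: bytes) -> dict:
    """Return the MACs, the tag fields if a tag is present, and the EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False}
    if ethertype == TPID_8021Q:
        # Only read a TCI after checking the TPID; an untagged frame has none.
        if len(frame) < 18:
            raise ValueError("tagged frame shorter than 18 bytes")
        (tci, inner_type) = struct.unpack("!HH", frame[14:18])
        info.update(
            tagged=True,
            pcp=tci >> 13,            # 802.1p priority, 3 bits
            cfi=(tci >> 12) & 1,      # canonical format indicator
            vid=tci & 0x0FFF,         # 12-bit VLAN ID
            ethertype=inner_type,
        )
    else:
        info["ethertype"] = ethertype
    return info


def build_tagged_frame(dst: bytes, src: bytes, pcp: int, vid: int,
                       ethertype: int, payload: bytes = b"") -> bytes:
    """Build a frame with a 4-byte 802.1Q tag inserted after the source MAC."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    # Constructed sample: broadcast destination, source 00:01:02:03:04:05,
    # PCP 3, VLAN 100, carrying IPv4 (0x0800).
    f = build_tagged_frame(b"\xff" * 6, bytes(range(6)), 3, 100, 0x0800)
    print(decode_frame(f))
    print(decode_tos(0xB8))   # DSCP 46 (EF), IP precedence 5
```

A parser that reads bytes 14-15 as a TCI without first checking that bytes 12-13 equal 0x8100 would interpret the first two payload bytes of an untagged frame as a VLAN tag, which is why the TPID check comes before the TCI read.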
Introduction to TP If the traffic from users is not limited, a large amount of continuous burst traffic makes network congestion worse. User traffic must be limited in order to make better use of the limited network resources and provide better service for more users. For example, if a traffic flow is allowed only the resources committed to it within a certain period of time, network congestion due to excessive bursts can be avoided.
TP is a set of traffic control policies that limit traffic and its resource usage by supervising the traffic specification. A regulation policy is applied according to the evaluation result, that is, according to whether the traffic exceeds the specification. Generally, the token bucket algorithm is used to evaluate the traffic specification.
Traffic Evaluation and
Token Bucket
The features of the token bucket
The token bucket can be considered as a container with a certain capacity to hold
tokens. The system puts tokens into the bucket at the set rate. When the token bucket is
full, the tokens in excess will overflow and the number of tokens in the bucket stops
increasing, as shown in Figure 122.
Figure 122 Evaluate the traffic with the token bucket
Evaluate the traffic with the token bucket
The evaluation of the traffic specification is based on whether the number of tokens in
the bucket can meet the need of packet forwarding. If the number of tokens in the
bucket is enough for forwarding the packets, the traffic is compliant with the
specification; otherwise the traffic is incompliant with, or in excess of, the specification.
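The token bucket evaluation described above, as an added Python example that is not from the 3Com manual. Tokens are added at a fixed rate and capped at the bucket capacity; a packet conforms when the bucket holds at least its size in tokens. The rate, capacity, and the timestamped packet burst are constructed values, and "exceed" stands for whatever restrictive action the policing configuration applies.

```python
# Added example (not from the 3Com manual): a single token bucket evaluating a
# constructed packet burst. `rate` is the committed rate in bytes per second,
# `capacity` the bucket size in bytes, which bounds the burst that conforms.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TokenBucket:
    rate: float                     # tokens (bytes) added per second
    capacity: float                 # maximum tokens the bucket can hold
    tokens: Optional[float] = None  # current fill; starts full
    last: float = 0.0               # time of the last refill

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = self.capacity

    def _refill(self, now: float) -> None:
        # Tokens are put in at the set rate; when the bucket is full, the
        # excess overflows and the count stops increasing.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def evaluate(self, now: float, size: int) -> str:
        """Return 'conform' if `size` bytes can be forwarded at time `now`."""
        self._refill(now)
        if self.tokens >= size:
            self.tokens -= size         # the packet consumes its tokens
            return "conform"
        return "exceed"                 # out of profile: subject to policing


def police(bucket: TokenBucket, packets: List[Tuple[float, int]]) -> List[str]:
    """packets: (timestamp in seconds, size in bytes), in arrival order."""
    return [bucket.evaluate(t, size) for t, size in packets]


if __name__ == "__main__":
    # Constructed burst: CIR 1000 B/s, CBS 1500 B.
    burst = [(0.0, 1000), (0.0, 1000), (0.5, 500), (2.0, 1500), (2.1, 200)]
    print(police(TokenBucket(rate=1000, capacity=1500), burst))
```

The second packet at t=0 exceeds because the 1500-byte bucket cannot hold two 1000-byte packets, while the 1500-byte packet at t=2.0 conforms because the bucket has had time to refill; a larger capacity admits larger bursts at the same average rate, and a burst that is refused is not queued here, it is simply marked out of profile.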
Table (continued) Configure SP queue scheduling

To do | Use the command | Remarks
Enter port view | interface interface-type interface-number | One of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, it takes effect on all the ports in the port group.
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | (see above)
Configure the SP queue-scheduling algorithm | qos sp | Required
Configuring WRR
Queue Scheduling
By default, all ports adopt the WRR queue-scheduling algorithm, and queues that are not explicitly configured on a port use the default WRR weights.
Configuration
Procedure
Configuration
Example
1 Network requirements
Configure queue 1, queue 3, queue 4 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with the weight value of 1, 5, and 10 respectively.
Configure queue 5 and queue 6 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with the weight value of 2 and 10 respectively.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Configure WRR queues on GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 1
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 5
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
[3Com-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 6 group 1 weight 10
Table 310 Configure WRR queue scheduling

To do | Use the command | Remarks
Enter system view | system-view |
Enter port view | interface interface-type interface-number | One of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, it takes effect on all the ports in the port group.
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | (see above)
Enable WRR queue scheduling on the port | qos wrr | Required
Configure WRR queue scheduling | qos wrr queue-id group 1 weight schedule-value | Required
Display the configuration of WRR queue scheduling | display qos wrr interface [ interface-type interface-number ] | Optional. You can execute the display command in any view.
Configuring
SP+WRR Queue
Scheduling
As required, you can configure some of the queues on a port to use the SP queue-scheduling algorithm and the others to use the WRR queue-scheduling algorithm. SP+WRR queue scheduling is implemented by adding the queues on a port to the SP scheduling group and to the WRR scheduling group (namely, group 1).
During scheduling, the queues in the SP scheduling group are served first. Only when no packet is waiting in any queue of the SP scheduling group are the queues in the WRR scheduling group served. The queues in the SP scheduling group are scheduled according to the strict priority of each queue, while the queues in the WRR scheduling group are scheduled according to the weight value of each queue.
Configuration Procedure
Configuration
Example
Network requirements
SP+WRR queue scheduling algorithm is adopted on GigabitEthernet1/0/1.
Queue 0 and queue 1 on GigabitEthernet1/0/1 belong to the SP scheduling group.
Queue 2, queue 3 and queue 4 on GigabitEthernet1/0/1 belong to the WRR
scheduling group, with the weight value of 2, 7 and 10 respectively. Other queues are
scheduled by the WRR queue-scheduling algorithm according to the default weight
values.
Table 311 Configure the SP+WRR queue scheduling

To do | Use the command | Remarks
Enter system view | system-view |
Enter port view | interface interface-type interface-number | One of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, it takes effect on all the ports in the port group.
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | (see above)
Enable WRR queue scheduling on the port | qos wrr | Required
Configure SP queue scheduling | qos wrr queue-id group sp | Required
Configure WRR queue scheduling | qos wrr queue-id group 1 weight schedule-value | Required
Display the configuration of WRR queue scheduling | display qos wrr interface [ interface-type interface-number ] | Optional. You can execute the display command in any view.
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure the queues on GigabitEthernet1/0/1 to adopt the SP+WRR queue-scheduling algorithm.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 0 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 1 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 7
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
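The SP+WRR scheduling described in this section and the WRR example before it, as an added Python simulation that is not from the 3Com manual. The queue contents are constructed; the group membership and weights follow the GigabitEthernet1/0/1 example (queues 0 and 1 in the SP group, queues 2, 3 and 4 in WRR group 1 with weights 2, 7 and 10). One detail the page does not state is assumed and marked in the code: within the SP group, the queue with the larger ID has the higher strict priority.

```python
# Added example (not from the 3Com manual): SP+WRR scheduling over constructed
# queue contents. SP queues are served first; WRR queues are served only when
# every SP queue is empty, each sending up to its weight per round.
from collections import deque
from typing import Dict, List, Set


def schedule(queues: Dict[int, List[str]], sp_queues: Set[int],
             wrr_weights: Dict[int, int]) -> List[str]:
    """
    queues: queue ID -> packet labels in arrival order
    sp_queues: queue IDs in the SP scheduling group
    wrr_weights: queue ID -> weight in the WRR scheduling group (group 1)
    Returns the order in which packets leave the port.
    """
    unassigned = [q for q, p in queues.items()
                  if p and q not in sp_queues and q not in wrr_weights]
    if unassigned:
        raise ValueError(f"queues {unassigned} belong to neither group")
    pending = {q: deque(p) for q, p in queues.items()}
    # Assumption (not on the page): larger queue ID = higher strict priority.
    sp_order = sorted(sp_queues, reverse=True)
    wrr_order = sorted(wrr_weights)
    sent: List[str] = []

    def sp_ready():
        return next((q for q in sp_order if pending.get(q)), None)

    while any(pending.values()):
        q = sp_ready()
        if q is not None:                      # SP group wins whenever non-empty
            sent.append(pending[q].popleft())
            continue
        for q in wrr_order:                    # one WRR round
            for _ in range(wrr_weights[q]):    # up to `weight` packets per queue
                if not pending.get(q):
                    break
                sent.append(pending[q].popleft())
    return sent


def example_order() -> List[str]:
    """The GigabitEthernet1/0/1 SP+WRR example with constructed queue contents."""
    queues = {
        0: [f"q0-{i}" for i in range(2)],
        1: [f"q1-{i}" for i in range(1)],
        2: [f"q2-{i}" for i in range(5)],
        3: [f"q3-{i}" for i in range(10)],
        4: [f"q4-{i}" for i in range(15)],
    }
    return schedule(queues, sp_queues={0, 1}, wrr_weights={2: 2, 3: 7, 4: 10})


if __name__ == "__main__":
    print(example_order())
```

With a constant backlog the WRR weights translate directly into a bandwidth share (2:7:10 here); a starving low-weight queue is expected behaviour, while an SP queue that never drains would starve the whole WRR group, which is the reason to keep the SP group for small, latency-sensitive traffic.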
46 PRIORITY MAPPING
Overview When a packet enters the switch, the switch assigns it a set of parameters (including 802.1p priority and local precedence) according to the precedence types the switch supports and the corresponding rules. The local precedence is the precedence the switch assigns to the packet locally; it corresponds to the outbound queue ID on the port.
The Switch 4500G switches always trust the packet priority rather than the port priority. For tagged packets, the switch performs dot1p-to-lp mapping according to the 802.1p priority carried in the tag. Untagged packets are tagged with an 802.1p priority after they enter the switch; this 802.1p priority is the port priority, and the dot1p-to-lp mapping is then performed according to it.
The switch provides the dot1p-to-lp mapping table, as shown in Table 312.
The 3Com Switch 4500G Switches do not support editing dot1p-to-lp (802.1p
priority-to-local priority) mapping table.
Table 312 The default dot1p-to-lp mapping
802.1p priority (dot1p) Local precedence (LP)
0 2
1 0
2 1
3 3
4 4
5 5
6 6
7 7
Configuring Port
Priority
An untagged packet is tagged after it enters the switch. Its 802.1p priority is port priority.
You can assign the packet to different outbound queues on the port according to the
port priority to be set. The port priority is in the range of 0 to 7.
The port priority takes effect only on untagged packets instead of tagged packets.
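The ingress decision described in this chapter, as an added Python example that is not from the 3Com manual: a tagged frame's 802.1p priority is mapped to a local precedence (the outbound queue ID) through the fixed dot1p-to-lp table, while an untagged frame is first given the port priority and then mapped through the same table. Because the table cannot be edited on this platform, the example also inverts it to find which port priority sends untagged traffic to a wanted queue. The frame list is constructed input.

```python
# Added example (not from the 3Com manual): priority mapping at ingress.
# DOT1P_TO_LP is Table 312; note it is not the identity (0 -> 2, 1 -> 0,
# 2 -> 1), so 802.1p priority 1 lands in the lowest queue.
from typing import List, Optional, Tuple

DOT1P_TO_LP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def local_precedence(tagged: bool, pcp: Optional[int], port_priority: int) -> int:
    """Local precedence (outbound queue ID) assigned to one incoming frame."""
    if not 0 <= port_priority <= 7:
        raise ValueError("port priority must be 0-7")
    # Port priority takes effect only on untagged frames; a tagged frame
    # keeps the 802.1p priority carried in its tag.
    dot1p = pcp if tagged else port_priority
    if dot1p is None or not 0 <= dot1p <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return DOT1P_TO_LP[dot1p]


def port_priority_for_queue(queue_id: int) -> int:
    """Inverse of Table 312: the port priority that sends untagged frames to queue_id."""
    inverse = {lp: dot1p for dot1p, lp in DOT1P_TO_LP.items()}
    if queue_id not in inverse:
        raise ValueError("no 802.1p priority maps to that queue")
    return inverse[queue_id]


def classify(frames: List[Tuple[bool, Optional[int]]], port_priority: int) -> List[int]:
    """frames: (tagged, pcp) pairs arriving on one port; returns queue IDs."""
    return [local_precedence(tagged, pcp, port_priority) for tagged, pcp in frames]


if __name__ == "__main__":
    # Constructed arrivals on a port with priority 0: two tagged, one untagged.
    print(classify([(True, 1), (True, 7), (False, None)], port_priority=0))
```

Because the switch trusts the tag, a host that sets PCP 7 on its own frames is queued ahead of everything else on the port regardless of the port priority; the port priority only helps with untagged traffic.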
Configuration
Prerequisites
The port priority of each port is specified.
Configuration
Procedure
Configuration
Example
Network requirements
Department 1 and department 2 of the company are interconnected through
Ethernet switches.
The switch generates different local precedence values for the packets from
department 1 and department 2 through mapping according to the priorities of the
access ports.
Network diagram
Figure 125 Network diagram for port priority
Table 313 Configure port priority

To do | Use the command | Remarks
Enter system view | system-view |
Enter the corresponding Ethernet port view | interface interface-type interface-number |
[Figure (cluster role transitions): roles shown are management device, member device and candidate device. Transition labels: "Joins the cluster", "Removed from the cluster", "Designated as management device", "Cancels designation as management device", "Designated as the new management device after the original one fails and the cluster is ungrouped", "Designates another device as the new management device after the cluster is regrouped".]
CHAPTER 50: GMP V2 CONFIGURATION
Cluster Principle and
Implementation
Procedure of building a cluster
Network neighbor discovery: It uses NDP to discover the information about the
directly connected neighbor devices.
Network topology discovery. It uses NTDP to collect the information about the
network topology, including device connections and candidate device information in
the network. The hop range for topology discovery can be adjusted manually.
Member recognition: The management device recognizes each member in the cluster
by locating each member and then distributes configuration and management
commands to the members.
Member management: The management device handles adding and removing members, member authentication on the management device, and the handshake interval.
Introduction to NDP
NDP is the protocol for discovering the information about the adjacent nodes. NDP
operates on the data link layer, so it supports different network layer protocols.
NDP is used to discover the information about directly connected neighbors, including
the device type, software/hardware version, and connecting port of the adjacent devices.
It can also provide the information concerning device ID, port simplex/duplex status,
product version, Bootrom version and so on.
An NDP-enabled device maintains an NDP information table. Each entry in an NDP table
ages with time. You can also clear the current NDP information manually to have
adjacent information collected again.
An NDP-enabled device broadcasts NDP packets regularly to all ports in up state. An NDP
packet carries the holdtime field, which indicates the period for the receiving devices to
keep the NDP data. Receiving devices only store the information carried in the received
NDP packets rather than forward them. The corresponding data entry in the NDP table is
updated when the received information is different from the existing one. Otherwise,
only the holdtime of the corresponding entry is updated.
Introduction to NTDP
NTDP is a protocol for network topology information collection. NTDP provides the
information about the devices that can be added to clusters and collects the topology
information within the specified hops for cluster management.
Based on the NDP information table created by NDP, NTDP transmits and forwards NTDP
topology collection request to collect the NDP information and neighboring connection
information of each device in a specific network range for the management device or the
network administrator to implement needed functions.
Upon detecting a change occurred on a neighbor, a member device informs the
management device of the change through handshake packets. The management device
then collects the specified topology information through NTDP. Such a mechanism
enables topology changes to be tracked in time.
Handshake packets
Handshake packets are used primarily to maintain the states of the members in a cluster.
Figure 130 Cluster state machine
After a cluster is built, a member device initiates the handshake process and sends handshake packets at the default interval of ten seconds. The management device also sends handshake packets to the member device at the default interval of ten seconds. Neither side responds to the handshake packets it receives; both simply switch to, or remain in, the Active state.
If the management device receives no handshake packet from a member device for three consecutive intervals, it changes the state of that member to Connect. Likewise, if a member device receives no handshake packet from the management device for three consecutive intervals, its state changes from Active to Connect.
If a member device in the Connect state receives, within the holdtime (60 seconds by default), no handshake packet or management packet that would switch it back to Active, the member device changes to the Disconnect state and the management device considers the member disconnected. A member device in the Active or Connect state is considered connected.
In addition, handshake packets are used to notify the management device of topology
changes of neighboring devices.
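The member-side state machine described above, as an added Python model that is not from the 3Com manual. It uses the defaults stated on the page (10-second handshake interval, three missed intervals to fall from Active to Connect, 60-second holdtime to fall to Disconnect). Two points the page leaves open are assumptions marked in the code: the holdtime is counted from the moment the member enters Connect, and a member in Disconnect stays there until it rejoins rather than being revived by a stray handshake. The event timeline is constructed.

```python
# Added example (not from the 3Com manual): member-side cluster state machine
# driven by a constructed timeline of received packets and timer checks.
from typing import List, Optional, Tuple

ACTIVE, CONNECT, DISCONNECT = "Active", "Connect", "Disconnect"


class MemberState:
    def __init__(self, interval: float = 10.0, holdtime: float = 60.0,
                 misses_allowed: int = 3):
        self.interval = interval              # handshake interval (10 s default)
        self.holdtime = holdtime              # Connect -> Disconnect holdtime (60 s)
        self.misses_allowed = misses_allowed  # consecutive silent intervals
        self.state = ACTIVE
        self.last_heard = 0.0                 # last packet from the management device
        self.connect_since: Optional[float] = None

    def receive(self, now: float) -> str:
        """A handshake or management packet arrived from the management device."""
        self.last_heard = now
        # Assumption: a Disconnect member is not revived by a packet; it rejoins.
        if self.state != DISCONNECT:
            self.state = ACTIVE
            self.connect_since = None
        return self.state

    def tick(self, now: float) -> str:
        """Evaluate the timers at time `now` and return the resulting state."""
        silent_for = now - self.last_heard
        if self.state == ACTIVE and silent_for >= self.misses_allowed * self.interval:
            self.state = CONNECT
            self.connect_since = now          # assumption: holdtime starts here
        if self.state == CONNECT and now - self.connect_since >= self.holdtime:
            self.state = DISCONNECT
        return self.state

    def connected(self) -> bool:
        # Active or Connect both count as connected; only Disconnect does not.
        return self.state in (ACTIVE, CONNECT)


def run(events: List[Tuple[float, str]]) -> List[str]:
    """events: (time in seconds, 'recv' or 'tick'); returns the state after each."""
    member = MemberState()
    states = []
    for t, kind in events:
        states.append(member.receive(t) if kind == "recv" else member.tick(t))
    return states


if __name__ == "__main__":
    timeline = [(0, "recv"), (10, "tick"), (29, "tick"), (30, "tick"),
                (89, "tick"), (90, "tick")]
    print(run(timeline))
```

The two thresholds behave differently: the 30-second window is measured from the last packet heard, so one late handshake resets it, whereas once in Connect the member only has the holdtime left to hear anything at all before the management device writes it off.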
Management VLAN No device connected to a port that does not belong to the management VLAN can join the cluster. Therefore, if the management device and the candidate devices belong to different management VLANs, the management VLAN of the candidate devices needs to be changed through auto-negotiation. In this case, the candidate devices must ensure that the management VLAN exists; if a new VLAN must be created, the device's limit on the number of VLANs must not be exceeded.
The ports in the management VLAN of a device must be configured to permit the
packets of the management VLAN to pass with tags (the packets from VLAN1 can pass
without tags); otherwise, the cluster will not work properly.
You can specify the management VLAN only before building a cluster. You cannot modify
the management VLAN after a device has joined the cluster. To modify the management
VLAN after the cluster is built, delete the cluster configuration on the current device
before designating the new management VLAN and finally building the cluster.
GMP V2
Configuration Task
Overview
Table 321 GMP V2 configuration task overview

Operation | Description | Related section
Configure the management device:
  Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
  Configure NDP-related parameters | Optional | Configuring NDP-related Parameters
  Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
  Configure NTDP-related parameters | Optional | Configuring NTDP-related Parameters
  Enable the cluster function | Required | Enabling the Cluster Function
  Build a cluster | Required | Building a Cluster
  Configure cluster management | Required | Configuring Cluster Management
  Configure cluster parameters | Optional | Configuring Cluster Parameters
  Configure interaction for the cluster | Optional | Configuring Interaction for the Cluster
Configure member devices:
  Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
  Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
  Enable the cluster function | Required | Enabling the Cluster Function
  Configure to add a member to the cluster | Optional | Configuring to Add a Candidate Device to the Cluster
Management Device Configuration
Enabling NDP Globally and for Specific Ports
CAUTION: NDP works only if it is enabled globally and on the ports.
Table 322 Enable NDP globally and for specific ports
Operation | Command | Description
Enter system view | system-view | -
Enable NDP globally | ndp enable | Required. By default, NDP is enabled globally.
Enable NDP for the Ethernet port (in system view) | ndp enable interface interface-list | Either is required. By default, NDP is enabled on all ports.
Enable NDP for the Ethernet port (in Ethernet port view) | interface interface-type interface-number, then ndp enable | Either is required. By default, NDP is enabled on all ports.
Configuring NDP-related Parameters
Table 323 Configure NDP-related parameters
Operation | Command | Description
Enter system view | system-view | -
Configure the holdtime of NDP information | ndp timer aging aging-time | Optional. By default, the aging time of NDP packets is 180 seconds.
Configure the interval to send NDP packets | ndp timer hello hello-time | Optional. By default, the interval of sending NDP packets is 60 seconds.
Enabling NTDP Globally and for Specific Ports
CAUTION: NTDP works only if it is enabled globally and on the ports.
Table 324 Enable NTDP globally and for specific ports
Operation | Command | Description
Enter system view | system-view | -
Enable NTDP globally | ntdp enable | Optional. By default, NTDP is enabled globally.
Enable NTDP for the Ethernet port (in system view) | ntdp enable interface interface-list | Optional. By default, NTDP is enabled on all ports.
Enable NTDP for the Ethernet port (in Ethernet port view) | interface interface-type interface-number, then ntdp enable | Optional. By default, NTDP is enabled on all ports.
Configuring NTDP-related Parameters
Enabling the Cluster Function
The ntdp enable command in cluster management is not compatible with the bpdu-tunnel enable command in BPDU TUNNEL. You cannot configure these two commands at the same time. For BPDU TUNNEL, refer to VLAN VPN Configuration.
Building a Cluster
Before building a cluster, you must configure a private IP address pool available for the member devices in the cluster. When a candidate device joins the cluster, the management device dynamically assigns the candidate device a private IP address for inner-cluster communication. This enables the management device to manage and maintain member devices.
Table 325 Configure NTDP parameters
Operation | Command | Description
Enter system view | system-view | -
Configure the hop range within which topology information is to be collected | ntdp hop hop-value | Optional. By default, the hop range for topology collection is 3 hops.
Configure the interval to collect topology information | ntdp timer interval-time | Optional. By default, the interval of topology collection is 1 minute.
Configure the hop delay to forward topology-collection request packets | ntdp timer hop-delay time | Optional. By default, the hop delay of the device is 200 ms.
Configure the port delay to forward topology-collection request packets | ntdp timer port-delay time | Optional. By default, the port delay is 20 ms.
Quit system view | quit | -
Start topology information collection | ntdp explore | Optional
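As an added illustration of the hop-range and delay parameters in Table 325 (example code written for this page, not software from the device or its vendor), the following Python model floods a topology-collection request through a constructed sample topology and stops forwarding once the configured hop count is exhausted, which is what limits how much of the network the management device can see. The sample topology, the root name Mgmt, and the timing rule (a device forwards after hop-delay on its first port and port-delay later on each further port) are assumptions; the page states only the defaults of 3 hops, 200 ms and 20 ms.

```python
"""Hop-limited NTDP topology collection (added example for this page, not
device software).  The management device floods a topology-collection
request; a device that receives it records itself and forwards it, and the
request is not forwarded beyond 'ntdp hop' hops.  Timing assumption: a
device forwards after hop-delay on its first port and port-delay later on
each further port (the page gives only the defaults: 3 hops, 200 ms, 20 ms)."""
from collections import deque

# Constructed sample topology: device -> neighbours, listed in port order.
TOPOLOGY = {
    "Mgmt": ["S1", "S2"],
    "S1": ["Mgmt", "S3"],
    "S2": ["Mgmt", "S4"],
    "S3": ["S1", "S5"],
    "S4": ["S2"],
    "S5": ["S3", "S6"],
    "S6": ["S5"],
}


def collect_topology(topology, root, hop_limit=3, hop_delay_ms=200, port_delay_ms=20):
    """Return {device: (hops, arrival_ms)} for every device the request
    reaches within hop_limit hops of root.  Breadth-first search records each
    device once, at its lowest hop count."""
    reached = {root: (0, 0)}
    queue = deque([root])
    while queue:
        dev = queue.popleft()
        hops, arrived = reached[dev]
        if hops >= hop_limit:
            continue                      # hop range exhausted: do not forward
        for port_index, neighbour in enumerate(topology[dev]):
            if neighbour in reached:
                continue                  # already collected (or the port we came in on)
            forward_at = arrived + hop_delay_ms + port_index * port_delay_ms
            reached[neighbour] = (hops + 1, forward_at)
            queue.append(neighbour)
    return reached


def devices_beyond_range(topology, root, hop_limit=3):
    """Devices the management device will not see with this hop setting."""
    return sorted(set(topology) - set(collect_topology(topology, root, hop_limit)))


if __name__ == "__main__":
    for dev, (hops, t) in sorted(collect_topology(TOPOLOGY, "Mgmt").items(), key=lambda kv: kv[1]):
        print(f"{dev}: {hops} hops, request reaches it at {t} ms")
    print("beyond range:", devices_beyond_range(TOPOLOGY, "Mgmt"))   # ['S6']
```

Raising ntdp hop widens the collected topology but also lengthens the collection (each extra hop costs at least one hop-delay), so the example reports both the hop count and the time at which the request reaches each device.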
Table 326 Enable the cluster function
Operation | Command | Description
Enter system view | system-view | -
Create a hostname to IP address mapping entry | ip host hostname ip-address | Required. No IP address is assigned to the host name by default.
Table 359 Configuring Dynamic Domain Name Resolution
To do | Use the command | Remarks
Enter the system view | system-view | -
Establish a connection with the remote SFTP server and enter SFTP client view | sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* | -
Create a certificate attribute access control policy and enter certificate attribute access control policy view | pki certificate access-control-policy policy-name | Required. By default, no certificate attribute access control policy is created.
Create a certificate attribute control rule | rule [ id ] { permit | deny } group-name | Optional. By default, no certificate attribute control rule is created.
614 CHAPTER 62: PKI CONFIGURATION
Displaying and Maintaining PKI
Follow these steps to display and maintain PKI:
Table 435 Displaying and Maintaining PKI
To do | Use the command | Remarks
Display certificates | display pki certificate { { ca | local } domain domain-name | request-status } | Available in any view
Display CRLs | display pki crl domain domain-name | Available in any view
Display a certificate attribute group | display pki certificate attribute-group { group-name | all } | Available in any view
Display a certificate attribute access control policy | display pki certificate access-control-policy { policy-name | all } | Available in any view
Certificate format and fields comply with the X.509 standard. All kinds of identifying information about the user and the CA are included, such as the user's email address, the public key of the certificate holder, and the issuer, serial number, and validity period of the certificate.
A CRL complies with the X.509 standard, covering version, signature (algorithm), issuer name, this update, next update, user public key, signature value, serial number, and revocation date.
Typical Configuration Examples
CAUTION:
When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol plug-in is required. In this case, you need to specify the entity to apply for the certificate from the RA by using the certificate request from ra command when configuring the PKI domain.
The Simple Certificate Enrollment Protocol plug-in is not needed when RSA Keon software is used. In this case, you need to specify the entity to apply for the certificate from the CA by using the certificate request from ca command when configuring the PKI domain.
This section assumes RSA Keon software is used on the CA server.
PKI Certificate Request to CA
Network requirements
The device is connected to the CA server through an IP network and is configured to request a certificate from the RSA CA.
Network diagram
Figure 172 Network diagram for PKI certificate request to CA
Configuration procedure
1 Configure entity name space.
<SysnameCA> system-view
[SysnameCA] pki entity torsa
[SysnameCA-pki-entity-torsa] common-name 1
[SysnameCA-pki-entity-torsa] quit
2 Configure parameters for the PKI domain. (The URLs of the registration organization servers for certificate requests vary depending on the CA servers used. The configuration shown here is an example only; configure according to actual conditions.)
[SysnameCA] pki domain torsa
[SysnameCA-pki-domain-torsa] ca identifier rsa
[SysnameCA-pki-domain-torsa] certificate request url http://4.4.4.133:446/6953bf7fb5b1cf514376243ce67ebed1209c292a
[SysnameCA-pki-domain-torsa] certificate request from ca
[SysnameCA-pki-domain-torsa] certificate request entity torsa
[SysnameCA-pki-domain-torsa] crl url http://4.4.4.133:447/security_rsa.crl
[SysnameCA-pki-domain-torsa] quit
3 Create a local key pair by using RSA.
[SysnameCA] rsa local-key-pair create
4 Request a certificate.
[SysnameCA] pki retrieval-certificate ca domain torsa
[SysnameCA] pki retrieval-crl domain torsa
[SysnameCA] pki request-certificate domain torsa challenge-word
ACL Policy Based on
Certificate Attribute
Network requirements
Clients accessing the device remotely with HTTP Security (HTTPS) protocol
Ensuring authorized clients login to HTTPS server securely with SSL protocol
Creating ACL policy based on certificate attribute for HTTPS server to restrict access of
the clients
Networking diagram
Figure 173 Networking diagram of ACL policy based on certificate attribute
[Figure 173 shows the Host (HTTPS client) reaching the Device (HTTPS server) across an IP network.]
Configuration procedure
For SSL configuration, refer to SSL Configuration.
For HTTPS configuration, refer to HTTPS Server Configuration.
1 Configure HTTPS server
a Configure the SSL policy used by the HTTPS server. The PKI domain to be referred must
be already created.
<SysnameCA> system-view
[SysnameCA] ssl server-policy myssl
[SysnameCA-ssl-server-policy-myssl] pki-domain 1
[SysnameCA-ssl-server-policy-myssl] close-mode wait
[SysnameCA-ssl-server-policy-myssl] client-verify enable
[SysnameCA-ssl-server-policy-myssl] quit
2 Configure the certificate attribute group
a Configure the certificate attribute group mygroup1 and create two attribute rules. The
first rule defines that the DN of the subject name includes the string aabbcc, and the
second rule defines that the IP address of the certificate issuer is 10.0.0.1.
[SysnameCA] pki certificate attribute-group mygroup1
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[SysnameCA-pki-cert-attribute-group-mygroup1] quit
b Configure the certificate attribute group mygroup2 and create two attribute rules. The
first rule defines that the FQDN of the subject name does not include the string apple,
and the second rule defines that the DN of the certificate issuer name includes the
string aabbcc.
[SysnameCA] pki certificate attribute-group mygroup2
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup2] quit
3 Configure the certificate ACL policy
Configure the certificate attribute access control policy myacp and create two ACL rules: rule 1 denies certificates matching mygroup1, rule 2 permits certificates matching mygroup2.
[SysnameCA] pki certificate access-control-policy myacp
[SysnameCA-pki-cert-acp-myacp] rule 1 deny mygroup1
[SysnameCA-pki-cert-acp-myacp] rule 2 permit mygroup2
[SysnameCA-pki-cert-acp-myacp] quit
4 Configure the HTTPS server to relate with corresponding policies, and start the HTTPS
server.
a Configure the SSL policy specifying HTTPS server as myssl.
[SysnameCA] ip https ssl-server-policy myssl
b Configure the certificate ACL specifying HTTPS as myacp.
[SysnameCA] ip https certificate access-control-policy myacp
c Start the HTTPS server.
[SysnameCA] ip https enable
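To see how the attribute groups and the access control policy configured above combine when a client presents its certificate, here is an added Python model of the evaluation (example code written for this page, not software from the device or its vendor). The Cert fields, the constructed sample certificates, and three semantics the page leaves implicit are assumptions: a certificate matches an attribute group only if every attribute rule in the group matches; policy rules are tried in ascending rule-id order and the first matching rule decides; and a certificate that matches no rule is denied. Under those assumptions a certificate whose subject DN contains aabbcc and whose issuer IP is 10.0.0.1 is rejected by rule 1, while one whose alternative-name FQDN does not contain apple and whose issuer DN contains aabbcc is admitted by rule 2.

```python
"""Evaluation model for the certificate attribute groups (mygroup1, mygroup2)
and the access control policy (myacp) configured above.  Added example for
this page, not device software.  Assumptions: every rule in a group must
match (AND), policy rules are tried in ascending id order with the first
match deciding, and a certificate matching no rule is denied."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Cert:
    """Certificate fields the policy can test (values are constructed samples)."""
    subject_dn: str
    issuer_dn: str
    subject_fqdn: str = ""   # subjectAltName dNSName
    subject_ip: str = ""     # subjectAltName iPAddress
    issuer_ip: str = ""      # issuerAltName iPAddress


@dataclass
class AttrRule:
    """One 'attribute <id> <name> <kind> <op> <value>' line of an attribute group."""
    name: str    # subject-name | issuer-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn | nctn | equ | nequ
    value: str

    def field_of(self, cert: Cert) -> str:
        return {
            ("subject-name", "dn"): cert.subject_dn,
            ("subject-name", "ip"): cert.subject_ip,
            ("issuer-name", "dn"): cert.issuer_dn,
            ("issuer-name", "ip"): cert.issuer_ip,
            ("alt-subject-name", "fqdn"): cert.subject_fqdn,
            ("alt-subject-name", "ip"): cert.subject_ip,
        }[(self.name, self.kind)]

    def matches(self, cert: Cert) -> bool:
        actual = self.field_of(cert)
        if self.kind == "ip":
            # Compare parsed addresses, not strings; an absent field never equals.
            same = actual != "" and ip_address(actual) == ip_address(self.value)
        else:
            same = actual == self.value
        contains = self.value in actual
        return {"ctn": contains, "nctn": not contains,
                "equ": same, "nequ": not same}[self.op]


@dataclass
class AttrGroup:
    name: str
    rules: list = field(default_factory=list)

    def matches(self, cert: Cert) -> bool:
        return all(r.matches(cert) for r in self.rules)   # assumption: AND


@dataclass
class AcpRule:
    """One 'rule <id> { permit | deny } <group-name>' line of the policy."""
    rule_id: int
    action: str
    group: AttrGroup


def evaluate_policy(rules, cert: Cert) -> str:
    """First matching rule decides; implicit deny otherwise (assumption)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.group.matches(cert):
            return r.action
    return "deny"


# The page's configuration, transcribed rule for rule.
mygroup1 = AttrGroup("mygroup1", [
    AttrRule("subject-name", "dn", "ctn", "aabbcc"),
    AttrRule("issuer-name", "ip", "equ", "10.0.0.1"),
])
mygroup2 = AttrGroup("mygroup2", [
    AttrRule("alt-subject-name", "fqdn", "nctn", "apple"),
    AttrRule("issuer-name", "dn", "ctn", "aabbcc"),
])
myacp = [AcpRule(1, "deny", mygroup1), AcpRule(2, "permit", mygroup2)]


def decide(cert: Cert) -> str:
    """Access decision the HTTPS server would take for a client certificate."""
    return evaluate_policy(myacp, cert)


if __name__ == "__main__":
    # Constructed sample client certificates (not from the page).
    hit_rule_1 = Cert("CN=aabbcc-host", "CN=aabbcc CA", "host.example.test", issuer_ip="10.0.0.1")
    hit_rule_2 = Cert("CN=host", "CN=aabbcc CA", "host.example.test")
    print(decide(hit_rule_1), decide(hit_rule_2))   # deny permit
```

Because the policy only consults certificate attributes, its effect depends on client-verify enable in the SSL server policy: without client certificate verification there is no certificate for the rules to inspect. Rule order also matters, since a certificate that matches both groups is decided by rule 1.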
Troubleshooting 617
Troubleshooting
Failed to Retrieve a
CA Certificate
Troubleshooting: If you fail to obtain a CA certificate, the reasons might include:
1 Software problems
No trustworthy CA is specified.
Verify that the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed.
Server URL for the certificate request through SCEP is not correct or not configured.
You can check if the server is well connected by using the ping command.
No RA is specified.
System clock is not correct.
2 Hardware problems
Network connection faults, such as broken network cable and loose interface.
Failed to Request a
Local Certificate
Troubleshooting: If you fail to request a local certificate when the router has finished the
configuration of PKI domain parameters and entity DN, and has created a new RSA key
pair, the reasons might include:
1 Software problems
No CA/RA certificate has been retrieved.
No key pair is created, or the current key pair has had a certificate.
No trustworthy CA is specified.
Verify that the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed.
Server URL for the certificate request through SCEP is not correct or not configured.
You can check if the server is well connected by using the ping command.
No certificate authority is configured.
The necessary attributes of entity DN are not configured. You can configure the
relevant attributes by checking CA/RA authentication policy.
2 Hardware problems
Network connection faults, such as broken network cable and loose interface.
Failed to Retrieve a
CRL
Troubleshooting: If you fail to retrieve a CRL, the reasons might include:
1 Software problems
The devices are not synchronized to the CA server.
No local certificate exists when you try to retrieve a CRL.
IP address of LDAP server is not configured.
CRL distribution point location is not configured.
LDAP server version is wrong.
2 Hardware problems
Network connection faults, such as broken network cable and loose interface.
63 POE CONFIGURATION
PoE Overview
Introduction to PoE
Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs) such as IP telephones, wireless LAN access points, and web cameras from Ethernet interfaces through twisted pair cables.
Advantages
Reliable: Power is supplied in a centralized way so that it is very convenient to provide
a backup power supply.
Easy to connect: A network terminal requires only one Ethernet cable, but no external
power supply.
Standard: In compliance with IEEE 802.3af, a globally uniform power interface is
adopted.
Promising: It can be applied to IP telephones, wireless LAN access points, portable
chargers, card readers, web cameras, and data collectors.
Composition
A PoE system consists of PoE power, PSE, and PD.
PoE power
The whole PoE system is powered by the PoE power, which includes external PoE power
and internal PoE power.
The support for the PoE power type depends on the device model.
PSE
PSE is a card or subcard. PSE manages its own PoE interfaces independently. PSE
examines the Ethernet cables connected to PoE interfaces, searches for the devices that
comply with the specification, classifies them, and supplies power to them. When
detecting a PD is unplugged, the PSE stops supplying the power to the PD.
An Ethernet interface with the PoE capability is called PoE interface. Currently, a PoE
interface can be an FE or GE interface.
PD
A PD is a device accepting power from the PSE. There are standard PDs and nonstandard
PDs. A standard PD refers to the one that complies with IEEE 802.3af. The PD that is
being powered by the PSE can be connected to other power supply unit for redundancy
backup.
620 CHAPTER 63: POE CONFIGURATION
Protocol Specification
The protocol specification related to PoE is IEEE 802.3af.
PoE Configuration Tasks
Complete these tasks to configure PoE:
Table 436 PoE Configuration Tasks
Task | Remarks
Configuring the PoE Interface | Required
Configuring PoE Power Management | Optional
Configuring a Power Alarm Threshold for the PSE | Optional
Upgrading PSE Processing Software Online | Optional
Configuring a PD Disconnection Detection Mode | Optional
Enabling the PSE to Detect Nonstandard PDs | Optional
Configuring the PoE Interface
You can configure a PoE interface in either of the following two ways:
Adopt the command line.
Configure a PoE configuration file and apply the file to the specified PoE interface(s).
Usually, you can adopt the command line to configure a single PoE interface, and adopt a PoE configuration file to batch configure PoE interfaces.
You can adopt either mode to configure, modify, or delete a PoE configuration parameter under the same PoE interface.
The PSE applies power to a PoE interface in two modes. For a device with only signal cables, power is supplied over signal cables. For a device with spare cables and signal cables, power can be supplied over spare cables or signal cables.
To clearly identify the PD connected to a PoE interface, you can give a PD description.
Configuring a PoE Interface through the Command Line
Follow these steps to configure a PoE interface through the command line:
Table 437 Configuring a PoE Interface through the Command Line
To do | Use the command | Remarks
Enter system view | system-view | -
Enter PoE interface view | interface interface-type interface-number | -
Configure the power priority for the PoE interface in PoE interface view | interface interface-type interface-number, then poe priority { critical | high | low } | Use either approach. By default, the power priority of a PoE interface is low.
Configure the power priority for the PoE interface in PoE configuration file view | poe-profile profile-name [ index ], then poe priority { critical | high | low } | Use either approach. By default, the power priority of a PoE interface is low.
Configure a PD power management priority policy | poe pd-policy priority | Optional. By default, no PD power management priority policy is configured.
Configuring PoE Interfaces through a PoE Configuration File
A PoE configuration file is used to batch configure PoE interfaces with the same attributes to simplify operations. This configuration method is a supplement to the common command line configuration.
Commands in a PoE configuration file are called configurations.
Configuring a Power Alarm Threshold for the PSE
When the current power utilization of the PSE is above or below the alarm threshold for the first time, the system will send a Trap message.
When the PSE starts or stops supplying power to a PD, the system will send a Trap message, too.
Follow these steps to configure a power alarm threshold for the PSE:
Table 440 Configuring a Power Alarm Threshold for the PSE
To do | Use the command | Remarks
Enter system view | system-view | -
Configure a power alarm threshold for the PSE | poe utilization-threshold utilization-threshold-value | Optional. By default, the power alarm threshold for the PSE is 80%.
Upgrading PSE Processing Software Online
You can upgrade the PSE processing software online in either of the following modes:
Refresh mode: Normally, you can upgrade the PSE processing software in Refresh mode through the command line.
Full mode: When an exception, such as an interruption (power failure) or an error, occurs during the upgrade in Refresh mode, you can upgrade the PSE processing software in Full mode.
When the PSE processing software is damaged (in this case, you can execute none of the PoE commands successfully), you can upgrade the PSE processing software in Full mode to restore the PSE function. An online PSE processing software upgrade may be unexpectedly interrupted (for example, an error results in a device reboot). If you fail to upgrade the PSE processing software in Full mode after the reboot, you can power off the device and restart it before upgrading it again. After the upgrade, restart the device manually to make the original PoE configurations take effect. The support for this upgrade method depends on the device model.
Follow these steps to upgrade the PSE processing software online:
Table 441 Upgrading PSE Processing Software Online
To do | Use the command | Remarks
Enter system view | system-view | -
Upgrade the PSE processing software online | poe update { full | refresh } filename | Optional
Configuring a PD Disconnection Detection Mode
To detect the PD connection with the PSE, PoE provides two detection modes: AC detection and DC detection. The AC detection mode is energy saving relative to the DC detection mode.
Follow these steps to configure a PD disconnection detection mode:
Table 442 Configuring a PD Disconnection Detection Mode
To do | Use the command | Remarks
Enter system view | system-view | -
Configure a PD disconnection detection mode | poe disconnect { ac | dc } | Optional. The default PD disconnection detection mode depends on the device model.
If you adjust the PD disconnection detection mode when the device is running, the connected PDs will be powered off. Therefore, be cautious to do so!
Enabling the PSE to Detect Nonstandard PDs
There are standard PDs and nonstandard PDs. Usually, the PSE can detect only standard PDs and supply power to them. The PSE can detect nonstandard PDs and supply power to them only after the PSE is enabled to detect nonstandard PDs.
Follow these steps to enable the PSE to detect nonstandard PDs:
Table 443 Enabling the PSE to Detect Nonstandard PDs
To do | Use the command | Remarks
Enter system view | system-view | -
Enable the PSE to supply power to the detected nonstandard PDs | poe legacy enable | Optional. By default, the PSE is disabled from supplying power to the detected nonstandard PDs.
Displaying and Maintaining PoE
Table 444 Displaying and Maintaining PoE
To do | Use the command | Remarks
Display the mapping between ID, module, and slot of all PSEs | display poe device | Available in any view
Display the power state and information of the specified PoE interface | display poe interface [ interface-type interface-number ] | Available in any view
Display the power information of a PoE interface(s) | display poe interface power [ interface-type interface-number ] | Available in any view
Display the information of the PSE | display poe pse [ pse-id ] | Available in any view
Display the power state and information of PoE interfaces connected with the PSE | display poe interface [ interface-type interface-number ] | Available in any view
Display the power of all PoE interfaces connected with the PSE | display poe interface power [ interface-type interface-number ] | Available in any view
Display all information of the configurations and applications of the PoE configuration file | display poe-profile [ index index | name profile-name ] | Available in any view
Display all information of the configurations and applications of the PoE configuration file applied to the specified PoE interface | display poe-profile interface interface-type interface-number | Available in any view
PoE Configuration Example
Network requirements
GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are connected to IP telephones.
GigabitEthernet1/0/5 and GigabitEthernet1/0/6 are connected to access point (AP) devices.
The power priority of GigabitEthernet1/0/2 is critical.
The power of the AP device connected to GigabitEthernet1/0/5 does not exceed 9,000 milliwatts.
Network diagram
Figure 174 Network diagram for PoE
Configuration procedure
1 Enable PoE on GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/5, and
GigabitEthernet1/0/6.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe enable
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe enable
[Sysname-GigabitEthernet1/0/5] quit
[Sysname] interface gigabitethernet 1/0/6
[Sysname-GigabitEthernet1/0/6] poe enable
2 Set the power priority level of GigabitEthernet1/0/2 to critical.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe priority critical
3 Set the maximum power of GigabitEthernet1/0/5 to 9,000 milliwatts.
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe max-power 9000
[Figure 174 labels: IP Phone, AP, Network, GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/5, GigabitEthernet1/0/6.]
Troubleshooting
PoE
Symptom: Setting the priority of a PoE interface to critical fails.
Analysis:
1 The guaranteed remaining power of the PSE is lower than the maximum power of the PoE interface.
2 The priority of the PoE interface is already set.
Solution:
In case 1, you can solve the problem by increasing the maximum PSE power, or by reducing the maximum power of the PoE interface when the guaranteed remaining power of the PSE cannot be modified.
In case 2, you should first remove the priority already configured.
Symptom: Applying a PoE configuration file to a PoE interface fails.
Analysis:
1 Some configurations in the PoE configuration file are already configured on the interface.
2 Some configurations in the PoE configuration file do not meet the configuration requirements of the PoE interface.
3 Another PoE configuration file is already applied to the PoE interface.
Solution:
In case 1, you can solve the problem by removing the configurations that are already present on the interface.
In case 2, you need to modify some configurations in the PoE configuration file.
In case 3, you need to remove the application of the undesired PoE configuration file to the PoE interface.
Symptom: Provided that parameters are valid, configuring an AC input under-voltage threshold fails.
Analysis: The AC input under-voltage threshold is greater than or equal to the AC input over-voltage threshold.
Solution: Drop the AC input under-voltage threshold below the AC input over-voltage threshold.
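The alarm-threshold rule in "Configuring a Power Alarm Threshold for the PSE" and the two causes listed under the first symptom above can be tied together in one small simulation. The following Python model is an added example written for this page, not device or vendor software. The PSE power budget (30,000 mW), the per-interface default maximum power (15,400 mW, the IEEE 802.3af per-port figure), the reading of "guaranteed remaining power" as the PSE maximum power minus the maximum power of every critical-priority interface, and the reading of the threshold rule as one trap per crossing in either direction are assumptions; the port names and the 9,000 mW limit come from the configuration example.

```python
"""PSE power-budget model for the PoE rules on this page (added example, not
device software): a PoE interface can be made critical only when the PSE's
guaranteed remaining power covers the interface's maximum power, and a trap is
raised when utilization crosses the alarm threshold (default 80%) and when
power to a PD starts or stops.  Assumption: guaranteed remaining power is the
PSE maximum power minus the maximum power reserved for critical interfaces."""
from dataclasses import dataclass, field

DEFAULT_MAX_POWER_MW = 15400   # assumed per-interface default; the page gives no value


@dataclass
class PoeInterface:
    name: str
    enabled: bool = False
    max_power_mw: int = DEFAULT_MAX_POWER_MW
    priority: str = "low"        # page default: low
    priority_set: bool = False   # True once 'poe priority' has been configured
    pd_power_mw: int = 0         # power currently delivered to the attached PD


@dataclass
class Pse:
    max_power_mw: int
    alarm_threshold_pct: int = 80   # page default
    interfaces: dict = field(default_factory=dict)
    traps: list = field(default_factory=list)
    above_threshold: bool = False

    def add_interface(self, name, **kw):
        self.interfaces[name] = PoeInterface(name, **kw)
        return self.interfaces[name]

    def guaranteed_remaining_mw(self):
        reserved = sum(i.max_power_mw for i in self.interfaces.values()
                       if i.priority == "critical")
        return self.max_power_mw - reserved

    def set_priority(self, name, priority):
        """Mirror the two failure causes listed under the first symptom."""
        itf = self.interfaces[name]
        if priority == "critical":
            if itf.priority_set:
                return "fail: priority already configured (remove it first)"
            if self.guaranteed_remaining_mw() < itf.max_power_mw:
                return "fail: guaranteed remaining power below interface max power"
        itf.priority, itf.priority_set = priority, True
        return "ok"

    def undo_priority(self, name):
        itf = self.interfaces[name]
        itf.priority, itf.priority_set = "low", False

    def utilization_pct(self):
        used = sum(i.pd_power_mw for i in self.interfaces.values())
        return 100 * used / self.max_power_mw

    def _check_threshold(self):
        above = self.utilization_pct() >= self.alarm_threshold_pct
        if above != self.above_threshold:   # first crossing in either direction
            self.above_threshold = above
            self.traps.append(f"utilization {'above' if above else 'below'} "
                              f"{self.alarm_threshold_pct}%")

    def pd_attached(self, name, draw_mw):
        itf = self.interfaces[name]
        if not itf.enabled:
            return False
        itf.pd_power_mw = min(draw_mw, itf.max_power_mw)   # capped by poe max-power
        self.traps.append(f"{name}: power supplied")
        self._check_threshold()
        return True

    def pd_detached(self, name):
        self.interfaces[name].pd_power_mw = 0
        self.traps.append(f"{name}: power stopped")
        self._check_threshold()


def demo():
    """Walk the page's example ports through the rules; returns the trap log."""
    pse = Pse(max_power_mw=30000)   # constructed PSE budget
    for port in ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
                 "GigabitEthernet1/0/5", "GigabitEthernet1/0/6"):
        pse.add_interface(port, enabled=True)
    pse.interfaces["GigabitEthernet1/0/5"].max_power_mw = 9000   # poe max-power 9000
    assert pse.set_priority("GigabitEthernet1/0/2", "critical") == "ok"
    # remaining = 30000 - 15400 = 14600 < 15400, so a second critical port fails
    assert pse.set_priority("GigabitEthernet1/0/1", "critical").startswith("fail")
    pse.pd_attached("GigabitEthernet1/0/1", 12000)
    pse.pd_attached("GigabitEthernet1/0/2", 12000)   # 24000/30000 = 80%: trap
    pse.pd_detached("GigabitEthernet1/0/2")          # back below 80%: trap
    return pse.traps


if __name__ == "__main__":
    for trap in demo():
        print(trap)
```

The trap log is the monitoring signal: a sudden "power supplied" on a port that should be idle, or utilization crossing the threshold outside a planned change, is worth correlating with the port's configured priority and maximum power.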