GL5600-08P User Manual

Getting Started Operation
XXXX
Communication Technology Co., Ltd
Tel: (86)
Fax: (86)
URL:
Email:
XXXX Confidential & Proprietary Information
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 19
All rights reserved. Printed in the Peoples Republic of China.

No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical,
chemical, manual or otherwise without the prior written consent of XXXX Communication Technology Co., Ltd.
XXXX makes no representations or warranties with respect to this document contents and specifically disclaims
any implied warranties of merchantability or fitness for any specific purpose. Further, XXXX reserves the right to
revise this document and to make changes from time to time in its content without being obligated to notify any
person of such revisions or changes.
XXXX values and appreciates comments you may have concerning our products or this document. Please address
comments to:
XXXX Communication Technology Co., Ltd
Tel: (86)
Fax: (86)
URL:
Email:
All other products or services mentioned herein may be registered trademarks, trademarks, or service marks of
their respective manufacturers, companies, or organizations.
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 19
XXXX Feedback Form

Your opinion helps us improve the quality of our product documentation and offer better
services.
Document Title
Product Version
Documen
t Revision
Number
1.0
Evaluate this
Presentation:
document
(Introductions, procedures, illustrations, completeness, arrangement, appearance)

Good
Fair
Average
Poor
Accessibility:
(Contents, index, headings, numbering)
Good
Fair
Average
Poor
Editorial:
(Language, vocabulary, readability, clarity, technical accuracy, content)
Good
Your suggestions
Fair
Average
Poor
Please check suggestions to improve this document:
to improve the
Improve introduction
document
Improve Contents
Make more concise
Add more step-by-step procedures/tutorials
Improve arrangement
Add more technical information
Include images
Make it less technical
Add more detail
Improve index
If you wish to be contacted, complete the following:

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 19
Contents
Contents ............................................................................................................................... 4
Chapter 1 Logging in Ethernet Switch .............................................................................. 5
1.1 Set up Configuration Environment via Console Port ................................................ 5
1.2 Set up Configuration Environment through Telnet.................................................... 6
1.2.1 Connect PC to Ethernet Switch through Telnet .......................................... 6
1.2.2 Telnet Ethernet Switch through Ethernet Switch ......................................... 7
Chapter 2 Command Line Interface .................................................................................. 9
2.1 Introduction of Command Line Interface................................................................... 9
2.2 Command Line Configuration Mode .......................................................................... 9
2.3 Feature and Functions of Command Line ............................................................... 11
2.3.1 Help of Command Line .............................................................................. 11
2.3.2 Displaying Characteristics of Command Line.............................................. 12
2.3.3 Show history Command of Command Line ............................................... 13
2.3.4 Common Command Line Error Messages .................................................. 13
2.4 Symbols in Command ............................................................................................... 13
2.5 Parameter in command ............................................................................................ 14
Chapter 3 Manage Users ................................................................................................. 14
3.1 System Default User.................................................................................................. 15
3.2 Users Authentication ................................................................................................ 15
3.3 Local Authentication Configuration ........................................................................... 15
3.3.1 Add Users .................................................................................................. 15
3.3.2 Change Password ....................................................................................... 16
3.3.3 Modify User's Privilege Level ..................................................................... 16
3.3.4 Delete User ................................................................................................ 17
3.3.5 Show Users ................................................................................................ 17
3.4 Remote Authentication Configuration ....................................................................... 18
3.4.1 Configure RADIUS to Be Remote Authentication Server ........................... 18
3.4.2 Configure TACACS+ Remote Authentication ............................................... 19
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 19
Chapter 1 Logging in Ethernet Switch

This chapter describes how to connect to the switch and do the configurations. There are ways
as via console port and through telnet. It contains following sections:
Set up Configuration Environment via the Console Port
Set up Configuration Environment through Telnet
Telnet Ethernet Switch through Ethernet Switch
1.1 Set up Configuration Environment via Console Port

Step 1: As shown in the figure below, to set up the local configuration environment, connect the
serial port of a PC (or a terminal) to the Console port of the Ethernet switch with the Console
cable.
RS-232 Serial port
Console port
Console cable
Figure 1-1 Set up the local configuration environment via the Console port
Step 2: Run terminal emulator (such as Hyper Terminal on Windows 9X/2000/XP/Vista) on the
Computer. Set the terminal communication parameters as follows: Set the baud rate to 9600,
data bit to 8, parity check to none, stop bit to 1, flow control to none and select the terminal
type as auto-detection.
Figure 1-2 Set up new connection
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 19
Figure 1-3 Configure the port for connection
Figure 1-4 Set communication parameters
Step 3: The Ethernet switch is powered on. Display self-test information of the Ethernet switch
and prompt you to press Enter to show the command line prompt such as < > after you have
entered the correct username and password. The initial username is admin and the matched
password is admin. It is suggested modifying the initial password after the first logging in. Please
remember the modified password. If the password is forgotten, please contact us as soon as
possible. Modify password refers to Change password.
Step 4: Input a command to configure the Ethernet switch or Configuration Mode the operation
state. Input a ? to get an immediate help. For details of specific commands, refer to the
following chapters.
1.2 Set up Configuration Environment through Telnet

1.2.1 Connect PC to Ethernet Switch through Telnet
After you have correctly configured IP address of a VLAN interface for an Ethernet Switch via
Console port (the way to configure switch via console refers to Set up Configuration Environment
via the Console Port; the way to configure ip address of switch refers to 03 using ip address
command in VLAN interface mode), and make sure PC can ping the switch, then you can telnet
this Ethernet switch and configure it.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 19
Step 1: Authenticate the Telnet user via the Console port before the user logs in by Telnet.
Step 2: To set up the configuration environment, connect the Ethernet port
of the PC to that of the Ethernet switch via the LAN.
Workstation
Ethernet port
Ethernet
Serv er
Workstation PC ( for configuring the switch

via Telnet )
Figure 1-1 Set up configuration environment through telnet
Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to the PC port.
Figure 1-2 Run Telnet
Step 4: The terminal displays Username (1-32 chars): and prompts the user
to input the login username and password. After you input the correct username and
corresponded password, it displays the command line prompt (such as < >). If the prompt Too
many users! appears, it indicates that too many users are connected to the Ethernet through the
Telnet at this moment. In this case, please reconnect later. At most 5 Telnet users are allowed to
log in to the series Ethernet Switches simultaneously. Default username is admin and the
password is admin. If the default password has been modified, it requires the modified password.
Step 5: Use the corresponding commands to configure the Ethernet switch orto monitor the
running state. Enter ? to get the immediate help. For details of specific commands, refer to the
following chapters.
& Note:
When configuring the Ethernet switch via Telnet, do not modify the IP address of it
unnecessary, for the modification might cut the Telnet connection.
1.2.2 Telnet Ethernet Switch through Ethernet Switch

The switch can be both the Telnet server and client. After a user has telnet to a switch from PC,
he or she can configure another switch through this switch via Telnet. The local switch serves as
Telnet client and the peer switch serves as Telnet server. If the ports connecting these two
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 19

switches are in a same local network, their IP addresses must be configured in the same network
segment. Otherwise, the two switches must establish a route that can reach each other.
As shown in the figure below, after you telnet to an Ethernet switch (that is Telnet Client in Figure
2-1), you can run telnet command to log in and configure another Ethernet switch (that is Telnet
Server in Figure2-1).
PC
Telnet Client
Telnet Server
Figure 1-1 Provide Telnet Client service
Step 1: Configure IP address for the switch (that is Telnet Client in Figure 2-1). The way to
configure switch via console refers to Set up Configuration Environment via the Console Port; the
way to configure ip address of switch refers to 03 using ip address command in VLAN interface
mode).
Step 2: The user logs in the Telnet Client (Ethernet switch). For the login process, refer to the
section describing Telnet PC to Ethernet Switch.
Step 3: Perform the following operations on the Telnet Client:
#telnet A.B.C.D (A.B.C.D is the IP address of the Telnet Server.)
Step 4: Enter the preset login password and you will see the prompt such < >. If the prompt Too
many users! appears, it indicates that too many users are connected to the Ethernet through the
Telnet at this moment. In this case, please connect later.
Step 5: Use the corresponding commands to configure the Ethernet switch or Configuration
Mode it running state. Enter ? to get the immediate help. For details of specific commands,
refer to the following chapters.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 19
Chapter 2 Command Line Interface

This chapter describes command line interface (CLI) which you may use to configure your switch.
It contains flowing sections:
Introduction of CLI
CLI mode
Feature and functions of CLI
Symbols in command
Parameters in command
2.1 Introduction of Command Line Interface

Ethernet Switches provide a series of configuration commands and command line interfaces for
configuring and managing the Ethernet switch. The command line interface has the following
characteristics:
Local configuration via the Console port.
Local or remote configuration via Telnet.
Hierarchy command protection to avoid the unauthorized users accessing Ethernet switch.
Enter a ? to get immediate online help.
Provide network testing commands, such as Tracert and Ping, to fast troubleshoot the
network.
Provide various detailed debugging information to help with network troubleshooting.
Log in and manage other Ethernet switch directly, using the Telnet command.
Provide FTP/TFTP/Xmodem service for the users to upload and download files.
The command line interpreter searches for target not fully matching the keywords. It is ok for you
to key in the whole keyword or part of it, as long as it is unique and not ambiguous.
2.2 Command Line Configuration Mode

Ethernet Switches provide hierarchy protection for the command lines to avoid unauthorized
user accessing illegally.
Commands are classified into three levels, namely visit and monitoring level, configuration level
and management level. They are introduced as follows:
Visit and monitoring level: Commands of this level involve command of network diagnosis
tool (such as ping and tracert), command of switch between different language environments of
user interface (language-mode) and telnet command etc and including the display command and
the debugging command, are used to system maintenance, service fault diagnosis, etc. The
operation of saving configuration file is not allowed on this level of commands.
Configuration level: Service configuration commands, including routing command and
commands on each network layer are used to provide direct network service to the user.
Management level: They are commands that influence basis operation of the system and
system support module, which plays a support role on service. Commands of this level involve
file system commands, FTP commands, TFTP commands, Xmodem downloading commands, user
management commands, and level setting commands.
At the same time, login users are classified into three levels that correspond to the three
command levels respectively. After users of different levels logging in, they can only use
commands at the levels that are equal to or lower than their own level.
In order to prevent unauthorized users from illegal intrusion, user will be identified when
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 19

switching from a lower level to a higher level with username username [privilege level]
{password encryption-type password} command. For the sake of confidentiality, on the screen
the user cannot see the password that he entered. Only when correct password is input for three
times, can the user switch to the higher level. Otherwise, the original user level will remain
unchanged.
Different command configuration mode is implemented according to different requirements.
They are related to one another. For example, after logging in the Ethernet switch, you will enter
user mode, in which you can only use some basic functions such as displaying the running state
and statistics information. In user mode, key in enable to enter privileged mode, in which you can
key in different configuration commands and enter the corresponding configuration modes.
The command line provides the following configuration modes:
User Mode
Privileged Mode
Global Configuration Mode
Interface Configuration Mode
VLAN Configuration Mode
AAA Configuration Mode
RADIUS Configuration Mode
Domain Configuration Mode
VLAN-interface Configuration Mode
SuperVLAN-interface Configuration Mode
RIP Configuration Mode
OSPF Configuration Mode
PIM Configuration Mode
The following table describes the function features of different Configuration Modes and the
ways to enter or quit.
Table 2-1 Function feature of Command Configuration Mode
Command
Configuration
Function
Prompt
Command to enter
Command to exit
Switch>
Enter right after

connecting the switch
exit disconnects
to the switch
Switch#
Key in enable in user

mode
exit returns to
user mode; quit
disconnects to
the switch
Mode
User Mode
Privileged mode
Show the basic

information
about
operation and
statistics
Show the basic
information
about
operation and
statistics and
manage the
system
Global
Configuration
Mode
Configure
system
parameters
Switch(conf
ig)#
Interface
Configuration
Mode
Configure
Interface
parameters
Switch(conf
ig-if-ethern
et-0/0/1)
VLAN
Configure
Switch(conf
Key in configure
terminal in privileged
Mode
Key in interface
ethernet 0/0/1 in
global Configuration
Mode
Key in vlan 1 in system
PDF pdfFactory Pro
www.fineprint.cn
exit and end

returns to
privileged mode;
quit disconnects
to the switch
exit returns to
global
configuration
mode and end
returns to
Page 10 of 19

Command
Configuration
Function
Prompt
Command to enter
Command to exit
VLAN
parameters
ig-if-Vlan)#
Configuration Mode
Create domain
Switch(conf
ig-aaa)#
Key in aaa in global

configuration mode
privileged mode;
quit disconnects
to the switch
Configure
RADIUS server
parameters
Switch(conf
ig-radius-d
efault)#
Key in radius host

default in AAA
configuration mode
Configure
domain
parameters
Switch(conf
ig-aaa-test.
com)#
Key in domain test.com

in AAA configuration
mode
Switch(conf
ig-if-vlanInt
erface-22)#
Key in interface
vlan-interface 22 in
global configuration
mode
Mode
Configuration
Mode
AAA
Configuration
Mode
RADIUS
Configuration
Mode
Domain
Configuration
Mode
SuperVLAN
interface
Configuration
Mode
Configure IP
interface
parameters for
a VLAN or a
VLAN
aggregation
Configure
Supervlan
interface
parameters
PIM Configuration
Mode
Configure PIM
parameters
RIP Configuration
Mode
OSPF
Configuration
Mode
Configure RIP
parameters
Configure
OSPF
parameters
VLAN interface
Configuration
Mode
Switch(conf
ig-if-superV
LANInterfac
e-1)#
Switch(conf
ig-router-pi
m#
Switch(conf
ig-router-os
pf#
Key in interface
supervlan-interface 1
in global configuration
mode
Key in pim in global
configuration mode
exit returns to
privileged mode
and end returns
to AAA
configuration
mode; quit
disconnects to
the switch
end returns to
privileged mode
exit returns to
global
configuration
mode and quit
disconnects to
the switch
Key in route ospf in

global Configuration
Mode
2.3 Feature and Functions of Command Line

2.3.1 Help of Command Line
You can get the help information through the help commands, which are described as follows.
Command
Purpose
Examples
help
Obtain a brief description of

the help system in any
command mode.
Switch>help
System mode commands:
cls
clear screen
help description of the interactive help

ping ping command
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 19
Abbreviated-comm
Obtain a list of commands
and-entry?
that begin with a particular

character string.
List all commands available

for a particular command
mode.
Switch(config)#interf?
interface
Switch>?
System mode commands:
cls
clear screen
help description of the interactive help

ping ping command
command?
List the associated keywords

for a command.
Switch(config)#spanning-tree ?
forward-time config switch delaytime
hello-time
config switch hellotime
max-age
config switch max
agingtime
command
List
the
associated
keyword?
arguments for a keyword.
priority
config switch priority
<enter>
The command end.
Switch(config)#spanning-tree
forward-time ?
INTEGER<4-30>
switch
delaytime:
<4-30>(second)
& Note:
To switch to the Chinese display for the above information, perform the terminal language
{chinese | english} command in privileged mode.
2.3.2 Displaying Characteristics of Command Line

Command line interface provides the following display characteristics:
For users convenience, the instruction and help information can be displayed in both English and
Chinese.
For the information to be displayed exceeding one screen, pausing function is provided. In this
case, users can have three choices, as shown in the table below.
Table 2-1 Functions of displaying
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 19
Key or Command
Function
Press <Ctrl+C> when the display pauses

Press other key when the display pauses
Press <Enter> when the display pauses
Stop displaying and executing command.

Continue to display the next screen of
information.
Continue to display the next line of
information.
2.3.3 Show history Command of Command Line

Command line interface provides the function similar to that of DosKey. The commands entered
by users can be automatically saved by the command line interface and you can invoke and
execute them at any time later. History command buffer is defaulted as 100. That is, the
command line interface can store 100 history commands for each user. The operations are shown
in the table below.
Table 2-1 Retrieve history command
Operation
Key
Result
Retrieve the previous history

command
Retrieve the next history
command
Up cursor key <> or

<Ctrl+P>
Down cursor key <> or
<Ctrl+N>
Retrieve the previous history

command, if there is any.
Retrieve the next history command,
if there is any.
& Note:
Cursor keys can be used to retrieve the history commands in Windows 9X/2000/XP
Terminal and Telnet.
2.3.4 Common Command Line Error Messages

All the input commands by users can be correctly executed, if they have passed the grammar
check. Otherwise, error messages will be reported to users. The common error messages are
listed in the following table.
Table 2-1 Common command line error messages
Error messages
Causes
Cannot find the command.
Unrecognized command
Cannot find the keyword.

Wrong parameter type.
The value of the parameter exceeds the range.
Incomplete command
The input command is incomplete.
Too many parameters
Enter too many parameters.
Ambiguous command
The parameters entered are not specific.
2.4 Symbols in Command

This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 19
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an
optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
2.5 Parameter in command

There are 5 types of parameters:
Integer
The two numbers in the angle brackets (<>), connecting by hyphen (-) mean this parameter is the
integer between these two numbers.
For example: INTEGER<1-10> means user can key in any integer which can bemore than or equal
to 1 and less than or equal to 10, such as 8.
IP address
A.B.C.D means an IP address.
For example: 192.168.0.100 is a valid IP address.
MAC address
H:H:H:H:H:H means a MAC address. If a multicast MAC address is needed, there would be
corresponded prompt.
For example: 01:02:03:04:05:06 is a valid MAC address.
Interface list
Interface list is prompt as STRING<3-4>. Port parameter interface-num consists of port type and
port number. Port type is Ethernet and port number is device/slot-num/port-num. Device means
stack value which is 0; slot-num means slot number (S3100 supports slot 0 and 1 and S3100
supports slot 0, 1 and 2); port-num is the port number in the slot ( S3100 is in the range of 1 to
24 and S3100 is in the range of 1 to 48). Port parameter interface-list means multiple ports.
Seriate interfaces with the same type can be linked by to, but the port number behind the to
must be larger than the one in the front, and this argument only can be repeated up to 3 times.
The special declaration of interface parameter interface list will be displayed in the command.
For example: Showing spanning-tree interface ethernet 0/0/1 ethernet 0/0/3 to ethernet 0/0/5
means showing the spanning-tree information about interface ethernet 0/0/1, ethernet 0/0/2,
ethernet 0/0/3, ethernet 0/0/4 and ethernet 0/0/5.
String
The prompt STRING<1-19> means a character string which is in the length of1 to 19. Enter ? to
see the parameter description of this command.
Chapter 3 Manage Users

There are three kinds of users:
Super-administrator
Administrator
Normal user
The normal users can only be in the user's mode after logging in the switch so they can only
check the basic information about operation and statistics; administrator can enter each
PDF pdfFactory Pro
www.fineprint.cn
Page 14 of 19

configuration mode to check and manage the system; super-administrator can both manage the
system and all kinds of users.
& Note:
Normal users cannot configure the switch and change their own password.
Administrator can manage himself; for example, change his own privilege and
password. It cannot create or delete other users and change other users password
and privilege.
This chapter contains following sections:

System default user
Add users
Change password
Modify User's Privilege Level
Delete User
Show users
3.1 System Default User

There is an internal username with password called Super-administrator. It processes the superior
priority in the switch to manage both the users and the switch.
The username of Super-administrator is admin and its initial password is admin. It is suggested
modifying the password after the initial-logging in. This username and its administrator privilege
cannot be deleted and modified.
& Note:
There must be only one super-administrator and all the configurations in the
manual is setting super-administrator as example.
3.2 Users Authentication

Users authentication can be divided into local authentication and remote authentication:
l Local authentication:The users account and password are saved in local database. All users
are supported by local authentication.
l Remote authentication:The users account and password are saved in RADIUS/TACACS+
server. Super-administrator admin is not supported by remote authentication.
3.3 Local Authentication Configuration

3.3.1 Add Users
At most 15 users can be added. Log in the switch first as Super-administrator and create new
users as following steps:
Table 3-1 Add users
Step
Command
Description
enable
Enter privileged mode
config terminal
Enter global configuration mode
username
username
privilege
privilege <0,1> password password
Adding a new user and specified the

privilege.
PDF pdfFactory Pro
www.fineprint.cn
Page 15 of 19
show username
Check the configuration.
exit
Exit to user mode
copy running-config startup-config
Save the configuration
& Note:
Username: it means the name of the user to be added which must be 1 to 32
printable characters without '/',':','*','?','\\','<','>','|','"'.
Level: means the priority of the user to be added which is the number between 0
and 15. 0 and 1 mean the normal user and 2 to 15 mean the administrator.
encryption-type: it can be 0 or 7. 0 means clear text and 7 means encrypted text
(not supported now).
privilege it can be 0, 1 or 2 to 15. 0 and 1 mean normal users while 2 to 15 mean
administrators.
Password: the login password of new-added user which is 1 to 16 characters.
If the user's privilege level is not specified, it will default to be normal user. There is
up to 8 users in the system.
Caution: Case-sensitive is for password but not username.
Example:
!Create administrator "XXXX" with its password being 1234 and privilege level is 3
Switch(config)#username XXXX privilege 3 password 0 1234
3.3.2 Change Password

In global configuration mode, Super-administrator "admin" can use following command to
change the password of all users, but other administrators can only change their own password.
Normal users cannot modify their own password.
Enter global configuration mode (how to enter global configuration mode refers to the first 2
steps in Table 4-1) before following the below steps:
Table 4-2 Modify password
Step
1
Command
Description
username change-password
Enter the modified password following the

prompt. The new password will be effective
in the next log in.
exit
Exit to user mode
3
Example:
!Change the password of user "XXXX" to be 123456
Switch(config)#username change-password
please input you login password : ******
please input username :XXXX
Please input user new password :******
Please input user comfirm password :******
change user XXXX password success.
3.3.3 Modify User's Privilege Level

In global configuration mode, only Super-administrator "admin" can modify the privilege level of
other users. Enter global configuration mode (how to enter global configuration mode refers to
PDF pdfFactory Pro
www.fineprint.cn
Page 16 of 19

the first 2 steps in Table 4-1) before following the below steps:
Table 4-3 Modify User's Privilege Level
Step
Command
Description
username username privilege privilege<0-15>
Modify users privilege.
show username
Check configuration.
exit
Exit to user mode
& Note:
Username: means the name of the existed user to be modified which must be 1 to
32 printable characters without '/',':','*','?','\\','<','>','|','"'. If the entered username
is not existed, add it to be the new one.
Level: means the priority of the existed user (except the Super-administrator) to be
modified which is the number between 0 and 15. 0 and 1 mean the normal user
and 2 to 15 mean the administrator.
Caution: Case-sensitive is for password but not username.
Example:
!Modify the privilege of the existed user "XXXX" to be 1 and its password to be 1234
Switch(config)#username XXXX privilege 0 password 0 1234
3.3.4 Delete User

Only Super-administrator "admin" can add and delete user in global configuration mode. Enter
global configuration mode (how to enter global configuration mode refers to the first 2 steps in
Table 4-1) before following the below steps:
Table 4-4 Delete user
Step
Command
Description
no username username
Delete user.
show username
Check configuration.
exit
Exit to user mode
& Note:
Username: means the name of the user to be deleted.
When deleting a user which is used, it will be disconnected before delete it.
Example:
!Delete user "XXXX"
Switch(config)#no username XXXX
3.3.5 Show Users

After configuration, you can use following steps to check it. Any configurationmode is permitted.
Table 4-5 Show users
PDF pdfFactory Pro
www.fineprint.cn
Page 17 of 19
Step
Command
Description
show username
Show specific user.
show users
Show users log. At most 5

users are permitted on line at
the same time.
3.4 Remote Authentication Configuration

3.4.1 Configure RADIUS to Be Remote Authentication Server
Table 3-6 configure RADIUS remote authentication
Operation
Enter global configuration
Command
Description
configure terminal
Selected
If local is configured, it
means
local
Enable RADIUS remote
muser radius name {chap|pap}
authentication is used if
authentication
[local]
remote
authentication
failed.
By default, it is local
authentication
Enter AAA configuration
mode
aaa
radius host name
Create RADIUS server name

and enter RADIUS
configuration mode
Selected
Authentication
and
accounting port should

Configure IP of
{primary-acct-ip | primary-auth-ip }
be the same as that of
authentication/accounting
A.B.C.D
RADIUS
RADIUS server
authentication port }
accounting
port
server.
Generally, they are:

Accounting port:1813
Authentication
port:1812
Configure shared-key of
authentication/accounting
RADIUS server
Show configuration
Selected
{acct-secret-key|
auth-secret-key}
key
should
be
the same as that of

RADIUS server.
show muser
PDF pdfFactory Pro
Shared-key
www.fineprint.cn
Page 18 of 19
3.4.2 Configure TACACS+ Remote Authentication

Configuring users login through TACACS+ server authentication, accounting and authorization
through TACACS+ server can be chosen. When configuring TACACS+ authorization, configure
corresponded priority to users first. There are 16 levels (0-16) priorities but there are only 2 levels
(0-1 means normal users and 2-15 means administrators) for switches. When configuring
TACACS+ un-authorization, the priority is determined by priv_lvl replied from remote server (no
reply means administrator). Authorization failure means normal user.
When configuring TACACS+ accounting, it begins with the pass of authentication and ends with
users exit.
Table 3-7 Configure TACACS+ remote authentication
Operation
Command
Description
Selected
If localis
configured, it
means local
Enable TACACS+
muser tacacs+ {account [local] |author
authorization/accounting
[local]|local}
authentication is
used if remote
authentication
failed.
By default, it is
local
authentication
Selected
Configure IP/shared-key/TCP
tacacs+ { priamary | secondary } server
By default, TCP
port/timeout of TACACS+
ipaddress [key keyvalue] [port portnum]
port is 49 and
remote server
[timeout timevalue]
timeout is5
seconds.
Show TACACS+ configuration
show tacacs+
Show current authentication
show muser
PDF pdfFactory Pro
www.fineprint.cn
Page 19 of 19
Ethernet PortConfiguration
Ethernet Port Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 19
No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language or computer language, in any form or by any means, electronic, mechanical,
magnetic, optical, chemical, manual or otherwise without the prior written consent of XXXX
Communication Technology Co., Ltd.
XXXX makes no representations or warranties with respect to this document contents and specifically
disclaims any implied warranties of merchantability or fitness for any specific purpose. Further, XXXX
reserves the right to revise this document and to make changes from time to time in its content without
being obligated to notify any person of such revisions or changes.
XXXX values and appreciates comments you may have concerning our products or this document.
Please address comments to:

Tel: (86)
Fax: (86)
URL:
Email:
All other products or services mentioned herein may be registered trademarks, trademarks, or service
marks of their respective manufacturers, companies, or organizations.
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 19
Contents
Chapter 1 Ethernet Port Configuration .................................................................. 4
1.1 Ethernet Port Overview ................................................................................................. 4
1.1.1 Link Type of Ethernet Ports ................................................................................ 4
1.1.2 Configuring Default VLAN ID for an Ethernet Port ............................................. 4
1.1.3 Handling Packets ................................................................................................ 4
1.2 Configure Ethernet Port ................................................................................................ 5
1.2.1 Basic Ethernet Port Configuration ...................................................................... 5
1.2.2 Combo Port....................................................................................................... 11
1.2.3 Enable/Disable Ingress Filtering ....................................................................... 11
1.2.4 Acceptable-Frame Type for Ethernet Port ........................................................ 12
1.2.5 Enable/Disable Flow Control for Ethernet Port ................................................. 13
1.2.6 Display and Debug Ethernet Port ..................................................................... 14
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 19
Chapter 1 Ethernet Port Configuration

This chapter describes the types of interfaces on switches and how to configure them.
1.1 Ethernet Port Overview

1.1.1 Link Type of Ethernet Ports
An Ethernet port can operate in one of the three link types:
Access: An access port only belongs to one VLAN, normally used to connect user
device.
Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets
from/to multiple VLANs and is generally used to connect another switch. The packet sent
from this port can only be with tag label.
Hybrid: A hybrid port can belong to multiple VLANs, can receive, or send packets for
multiple VLANs, used to connect either user or network devices. It allows packets of
multiple VLANs to be sent with or without the tag label
1.1.2 Configuring Default VLAN ID for an Ethernet Port

Both hybrid port and trunk port can belong to more than one VLAN, but there is a default
VLAN for each port. The default VLAN ID (PVID) is VLAN 1 and it can be changed if
necessary (the way to change PVID refers to Table 1-5)
1.1.3 Handling Packets

Different ports have different ways to handle the packet. Details are in Table 1-1.
Table 1-1 Different port handles different packet
Port
Ingress
type
Untagged
Egress
Tagged packet
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 19
packet
Access
Receive it
If VID of the
Strip the Tag and transmit the
port
and add a tag
packet is equal
packet as the VID of the packet is
with VID
to the port
equal to the port permitted VID
Hybrid
being equal
permitted VID,
If VID of the packet is equal to the
port
to PVID.
receive it; if
port permitted untag VID, remove
VID is different,
the tag and transmit it; If VID of
discard it.
the packet is equal to the port

permitted tag VID, keep the tag
and transmit it.
Trunk
port
port permitted VID, keep the tag

and transmit it.
1.2 Configure Ethernet Port

Ethernet port configuration includes:
Basic Ethernet Port Configuration
Combo port
Enable/disable ingress filtering
Acceptable-frame type for Ethernet port
Enable/Disable Flow Control for Ethernet Port
Display and Debug Ethernet Port
1.2.1 Basic Ethernet Port Configuration

Basic Ethernet port configuration includes:
Enter interface configuration mode
Enter interface range mode
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 19
Basic port configuration
Configure default VLAN
Add a port to a VLAN
Basic port configuration
1.2.1.1 Enter Interface Configuration Mode

Before configuring the Ethernet port, enter interface configuration mode first.
Perform the following configuration in privileged mode.
Table 1-2 Enter interface configuration mode
Step
Command
Description
configure terminal
1
mode.
interface ethernet
Enter interface configuration
{ device-num/slot-num/port-num }
mode.
& Note:
The details of the parameters in Table 1-2 are in Interface list.
1.2.1.2 Enter Interface Range Mode

Sometimes we need to configure a patch of ports with the same configurations. We can
use interface range mode to avoid the repetition. Perform the following configuration in
privileged mode.
Table 1-3 Enter interface range mode
Step
Command
Description
configure terminal
Enter global configuration mode.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 19
Enter interface range configuration mode.
interface range interface-list
Example:
! Divide interfaces from Ethernet 0/0/1 to Ethernet 0/0/16 into an interface range.
Switch(config)#interface range ethernet 0/0/1 to ethernet 0/0/16
Switch(config-if-range)#
1.2.1.3 Configure Port Mode
Table 1-4 Configure port mode
Operation
Enter
global
configuration
mode
Command
Remarks
configure terminal
interface
ethernet
mode
device-num/slot-num/port-num
Configure port mode to be
switchport
Access, Hybrid or Trunk
{access|hybrid|trunk}
Show port mode
show
mode
interface
ethernet
Example:
! There is VLAN 1-20. Configure uplink port e 0/1/1 to be trunk, and it can transceive
packets of VLAN1-20
Switch(config)#vlan 1-20
Switch(config-if-vlan)#switchport ethernet 0/1/1
Add VLAN port successfully.
Switch(config-if-vlan)#interface ethernet 0/1/1
Switch(config-if-ethernet-0/1/1)#switchport mode trunk
Switch(config-if-ethernet-0/1/1)# show interface brief ethernet 0/1/1
Port
Desc
e0/1/1
Link shutdn Speed

down FALSE auto
Pri PVID Mode TagVlan UtVlan

0
trk 1-20
Total entries: 1 .
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 19
1.2.1.4 Configure Default VLAN

Table 1-5 Configure default VLAN
Operation
mode
Enter
interface
Command
Remarks
configure terminal
interface
configuration mode
Modify port default VLAN
switchport default vlan vlan_id
ethernet
Example:
! The first four ports (e 0/0/1 e0/0/4) connect to different server. These four servers
should be isolated. And the servers belong to VLAN 10,VLAN 20,VLAN 30 and VLAN 40
Switch(config)#vlan 10
Switch(config-if-vlan)#vlan 20
Switch(config-if-vlan)#interface ethernet 0/0/1
Switch(config-if-ethernet-0/0/1)#switchport default vlan 10
Switch(config-if-ethernet-0/0/1)#interface ethernet 0/0/2
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 19

Switch(config-if-ethernet-0/0/4)#vlan 1
Switch(config-if-vlan)#no switchport ethernet 0/0/1 to ethernet 0/0/4
Switch(config-if-vlan)#show interface brief e 0/0/1 to e 0/0/4
Port
Desc
Link shutdn Speed
Pri PVID Mode TagVlan
UtVlan
e0/0/1
down false auto
10
hyb
10
e0/0/2
down false auto
20
hyb
20
e0/0/3
down false auto
30
hyb
30
e0/0/4
down false auto
40
hyb
40
Total entries: 4 .
1.2.1.5 Add a Port to a VLAN
User can add current ethernet port to a specific VLAN, thus, the ethernet port can forward
packet of the vlan.
Hybrid port and Trunk port can belong to multiple VLANs and Access port can only belong
to one VLAN, which is the default vlan. By default, all ports belong to VLAN 1.
In VLAN configuration mode, user can use switchport ethernet command to add a port to
vlan, please refer to VLAN configuration chapter.
There is another way to add port to a vlan, in interface configuration mode.
Table 1-6 Add a port to a VLAN
Operation
Command
configure terminal
Enter
interface
interface
configuration
Remarks
ethernet
mode
Add Hybrid port to specific VLAN
switchport
and keep the packet VID
vlan-list
Add Hybrid port to specific VLAN
switchport hybrid untagged vlan
and strip the packet VID
vlan-list
Delete Hybrid port from specific

VLAN
Add Trunk port to specific VLAN
hybrid
tagged
vlan
no switchport hybrid vlan vlan-list

switchport
trunk
allowed
vlan
vlan-list
Delete Trunk port from specific
no switchport trunk allowed vlan
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 19
VLAN
vlan-list
There are two ways to add an Access port to VLAN: one is to configure port default VLAN;
the other is to add the port to another VLAN directly. Access port can only belong to one
VLAN, so this port will be auto-deleted from the original VLAN.
Example:
e 0/0/1 is Hybrid. Configure this port keeping tag of VLAN 10.
Switch (config-if-vlan)#interface ethernet 0/0/1
Switch (config-if-ethernet-0/0/1)#switchport hybrid tagged vlan 10
Switch (config-if-ethernet--0/0/1)#show interface brief e 0/0/1
Port
Desc
e0/0/1
Link shutdn Speed

down false auto
Pri PVID Mode TagVlan

0
hyb 10
UtVlan
1
Total entries: 1 .
1.2.1.6 Basic Port Configuration

Following basic port configurations are in the interface configuration mode.
Table 1-7 Basic port configuration
Operation
Command
Description
Disable specific port
shutdown
By default, the port is enabled. If

you want to re-enable the port, use
no shutdown command.
Configure duplex of a
port
duplex { auto | full | half }

no duplex
10/100/1000BASE-T supports full

duplex,
half
auto-negotiation;
supports
full
duplex
and
1000BASE-X
duplex
and
auto-negotiation. By default, the

working mode is auto. If duplex is
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 19
auto, the speed will be auto.

Configure speed of a
speed { speed-value |
10/100/1000BASE-T
port
auto }
10Mbps, 100Mbps and 1000Mbps;
no speed
1000BASE-X
supports
supports
only
1000Mbps. By default, the speed is

auto. If the speed is auto, the
duplex will be auto.
Configure priority of a
port
priority priority-value
no priority
Priority-value could be 0 to 7 and

the default interface priority is 0.
The larger the priority value is, the
higher the priority is. And the packet
with the higher priority will be
quickly handled.
Configure
port
description
description
The
description
is
used
to
description-list
distinguish ports. By default, the

description of a port is empty.
1.2.2 Combo Port

A combo port is formed by two Ethernet ports on the panel, one of which is an optical port
and the other is an electrical port. For the two ports forming a combo port, only one works
at a given time. They are TX-SFP multiplexed. You can specify a combo port to operate as
an electrical port or an optical port as needed. That is, a combo port cannot operate as
both an electrical port and an optical port simultaneously.
Generally, if both electrical port and optical port are all inserted, only electrical port can
work. If the user wants to use optical port, please unplug the electrical port.
1.2.3 Enable/Disable Ingress Filtering

If ingress filtering is enabled, the received 802.1Q packets which do not belong to the
VLAN where the interface locates will be dropped. The packet will not be dropped if the
function is disabled and the VLAN which the packet belonged to is existed.
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 19
Perform the following configuration in global configuration mode.

Table 1-8 Enable/disable ingress filtering
Operation
Command
Enable ingress filtering
ingress filtering
Disable ingress filtering
no ingress filtering
Note:
By default, ingress filtering is enabled.
Example:
! Disable VLAN ingress filtering
Switch(config)#no ingress filtering
Disable ingress filtering successfully!
! Enable VLAN ingress filtering
Switch(config)#ingress filtering
Enable ingress filtering successfully!
1.2.4 Acceptable-Frame Type for Ethernet Port

We can configure ingress acceptable frame mode to be all types or only tagged. The
untagged frame will not be accepted after the port setting to be only tagged.
Perform the following configuration in interface configuration mode.
Table 1-9 Configure ingress acceptable-frame
Operation
Command
Enable ingress
ingress acceptable-frame { all | tagged }
acceptable-frame
Disable ingress
no ingress acceptable-frame
acceptable-frame
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 19
Note:
By default, ingress acceptable-frame is all.
Example:
! Configure Ethernet 0/0/5 only to receive tagged frame
Switch(config)#interface ethernet 0/0/5
Switch(config-if-ethernet-0/0/5)#ingress acceptable-frame tagged
Config acceptable-frame type successfully!
! Restore the default ingress acceptable-frame of Ethernet 0/0/5
Switch(config-if-ethernet-0/0/5)#no ingress acceptable-frame
Config acceptable-frame type successfully!
1.2.5 Enable/Disable Flow Control for Ethernet Port

After enabling flow control in both the local and the peer switch, if congestion occurs in the
local switch, the switch will inform its peer to pause packet sending. Once the peer switch
receives this message, it will pause packet sending, and vice versa. In this way, packet
loss is reduced effectively. The flow control function of the Ethernet port can be enabled or
disabled through the following command.
Perform the following configuration in interface configuration mode.
Table 1-10 Enable/Disable Flow Control for Ethernet Port
Option
Command
Enable Ethernet port flow
flow-control
control
Disable Ethernet port flow
no flow-control
control
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 19
Note:
By default, Ethernet port flow control is disabled.
Example:
! Enable flow-control on ethernet 0/0/5
Switch(config-if-ethernet-0/0/5)#flow-control
Setting successfully! flow-control is enable
! Disable flow-control on ethernet 0/0/5
Switch(config-if-ethernet-0/0/5)#no flow-control
Setting successfully! flow-control is disable
1.2.6 Display and Debug Ethernet Port

After the above configuration, execute show command in any configuration mode to
display the running of the ethernet port configuration, and to verify the effect of the
configuration.
Execute clear interface command in user mode to clear the statistics information of the
port.
Table 1-11 Display and debug Ethernet port
Operation
Command
Description
The information of the
Clear the statistics
interface includes:
clear interface
information of the
numbers of unicast,
[ interface-num | slot-num ]
multicast and broadcast
port.
message etc.
Display interface
show description interface
PDF pdfFactory Pro
www.fineprint.cn
Page 14 of 19
description.
[ interface-list ]
Display port
show interface
configuration
[ interface-num ]
Display the
statistic
show statistics interface
information of
[ interface-num ]
specified port or all
ports.
Statistic information
Display the
statistic
show statistic dynamic
refreshes automatically
information of all
interface
every 3 seconds. Press

Enter to exit.
interfaces
The utilization
information of all ports
Display the
includes receiving and
utilization
show utilization interface
sending speed,
information of all
bandwidth utilization
ports
rate, etc. Press Enter

to exit.
Note:
Using clear interface command in global mode, if the interface-num and
slot-num are not assigned, the information of all interfaces is cleared. If the
slot-num is assigned, the port information of the assigned slot is cleared. In
interface mode, only the information of the current port can be cleared.
PDF pdfFactory Pro
www.fineprint.cn
Page 15 of 19
If port type and port number are not specified, the above command displays
information about all ports. If both port type and port number are specified,
the command displays information about the specified port.
Example:
! Show description of all port
Switch(config-if-ethernet-0/0/1)#show description interface
Port
description
e0/0/1
test
e0/0/2
e0/0/3 XXXX
e0/0/4
e0/0/5
! Show interface Ethernet 0/0/5

Switch(config-if-ethernet-0/0/1)#show interface ethernet 0/0/5
Ethernet e0/0/5 is enabled, port link is down
Hardware is Fast Ethernet, Hardware address is 00:0a:5a:11:b5:71
SetSpeed is auto, ActualSpeed is unknown, porttype is 10/100/1000M
Priority is 0
Flow control is disabled
PVID is 1
Port mode:hybrid
Tagged
VLAN ID :
Untagged VLAN ID : 1
0 packets output
0 bytes, 0 unicasts, 0 multicasts, 0 broadcasts
0 packets input
0 bytes, 0 unicasts, 0 multicasts, 0 broadcasts
PDF pdfFactory Pro
www.fineprint.cn
Page 16 of 19
! Show statistic interface ethernet 0/0/2

Switch(config-if-ethernet-0/0/1)#show statistics interface ethernet 0/0/2
Port number : e0/0/2
input rate 0 bits/sec, 0 packets/sec
output rate 0 bits/sec, 0 packets/sec
64 byte packets:0
65-127 byte packets:0
0 packets input, 0 bytes , 0 discarded packets
0 unicasts, 0 multicasts, 0 broadcasts
0 input errors, 0 FCS error, 0 symbol error, 0 false carrier
0 runts, 0 giants
0 packets output, 0 bytes, 0 discarded packets
0 unicasts, 0 multicasts, 0 broadcasts
0 output errors, 0 deferred, 0 collisions
0 late collisions
Total entries: 1.
! Show statistic dynamic interface
Switch(config-if-ethernet-0/0/1)#show statistics dynamic interface
Port Statistics
port link
Sat Jan 1 00:39:37 2000
Tx Pkt
Tx Byte
Status Count
Count
Rx Pkt
Count
Rx Byte
Count
Rx
Rx
Bcast
Mcast
===================================================================
=========
e0/0/1 down 0
e0/0/2 down 0
PDF pdfFactory Pro
www.fineprint.cn
Page 17 of 19
e0/0/3 down 0
e0/0/4 down 0
e0/0/5 down 0
e0/0/6 down 0
e0/0/7 down 0
e0/0/8 down 0
e0/0/9 down 0
e0/0/10 down 0
e0/0/11 down 0
e0/0/12 down 0
e0/0/13 down 0
e0/0/14 down 0
e0/0/15 down 0
e0/0/16 down 0
e0/0/17 down 0
============0->Clear Counters U->page up D->page down

CR->exit============
! Show utilization interface
Switch(config-if-ethernet-0/0/1)#show utilization interface
Link Utilization Averages
port
link
Receive
Sat Jan 1 00:43:44 2000

Peak Rx
Transmit Peak Tx
Status pkts/sec pkts/sec pkts/sec pkts/sec

==================================================================
e0/0/1
down
e0/0/2
down
e0/0/3
down
e0/0/4
down
e0/0/5
down
e0/0/6
down
PDF pdfFactory Pro
www.fineprint.cn
Page 18 of 19
e0/0/7
down
e0/0/8
down
e0/0/9
down
e0/0/10 down
e0/0/11 down
e0/0/12 down
e0/0/13 down
e0/0/14 down
e0/0/15 down
e0/0/16 down
e0/0/17 down
====spacebar->toggle screen U->page up D->page down CR->exit====

! Clear interface
Switch(config-if-ethernet-0/0/1)#clear interface
clear current port statistics information record successfully !
PDF pdfFactory Pro
www.fineprint.cn
Page 19 of 19
Ethernet Port Mirroring Configuration
Ethernet Port Mirroring

Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 8
magnetic, optical, chemical, manual or otherwise without the prior written consent of XXXX Communication
Technology Co., Ltd.
XXXX values and appreciates comments you may have concerning our products or this document. Please
address comments to:

Tel: (86)
Fax: (86) URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 8
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
(Introductions, procedures, illustrations, completeness, arrangement,
document
appearance)
Good
Fair
Average
Poor
Accessibility:
Good
Fair
Average
Poor
Editorial:
Good
Your
Fair
Average
Poor
suggestion
Make more concise
s to
Improve Contents
Improve arrangement
improve
the
document
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 8
Contents
Chapter 1 Ethernet Port Mirroring Configuration ................................................... 5
1.1 Configure Ethernet Port Mirroring ................................................................................. 5
1.1.1 Overview ............................................................................................................. 5
1.1.2 Mirroring .............................................................................................................. 5
1.1.3 Configuring Port Mirroring .................................................................................. 6
1.1.4 Mirroring Configuration ....................................................................................... 6
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 8
Chapter 1 Ethernet Port Mirroring Configuration

1.1 Configure Ethernet Port Mirroring
1.1.1 Overview
Mirroring refers to the process of copying packets that meet the specified rules to a
destination port. Generally, a destination port is connected to a data detect device, which
users can use to analyze the mirrored packets for monitoring and troubleshooting the
network.
Figure 1-1 mirroring

1.1.1.1 Traffic Mirroring
Traffic mirroring maps traffic flows that match specific ACLs to the specified destination
port for packet analysis and monitoring. Before configuring traffic mirroring, you need to
define ACLs required for flow identification.
1.1.1.2 Port Mirroring
Port mirroring refers to the process of copying the packets received or sent by the
specified port to the destination port.
1.1.2 Mirroring
Switch support one-to-one and multiple-to-one mirroring.
Mirrored: mirror source can be port or packet sent or received by CPU
Mirror: For GPON series switch, mirror port can be only one. If multiple mirror port is
configured, the last will be effective.
Note:
Mirror port cannot be used as a normal port.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 8
1.1.3 Configuring Port Mirroring

Table 1-1 Mirroring functions and related command
Function
Specifications
Related command
Link
Mirroring
Traffic
mirroring
mirrored-to
QoS
configuratio
n
Port mirroring
mirror destination-interface
no mirrored-to
mirror source-interface
Configuring
Port
Mirroring
1.1.4 Mirroring Configuration

For mirroring features, see section Overview.
1.1.4.1 Configuring Traffic Mirroring
i. Configuration prerequisites
ACLs for identifying traffics have been defined. For defining ACLs, see the description
on the ACL module in QoS.
The destination port has been defined.
The port on which to perform traffic mirroring configuration and the direction of traffic
mirroring has been determined.
ii. Configuration procedure
Perform the configuration in global configuration mode.
Table 1-2 Configure traffic mirroring
Operation
Command
Configure traffic mirroring
mirrored-to
Description
{
ip-group
{ acl-number | acl-name }
[
subitem
subitem
link-group
{ acl-number |
acl-name
subitem
subitem
interface
ethernet interface-num
Cancel traffic mirroring
no mirrored-to { ip-group
{ acl-number |
[
subitem
acl-name
acl-name }
subitem
link-group
The command is for traffic

mirroring on the packets
which meet ACL rules
(only be effective on ACL
permit
rules).
The
destination port should be
specified when using this
command for the first time.
{ acl-number |
}
subitem
subitem ] }
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 8
Note:
ip-group { acl-number | acl-name } [ subitem subitem ]: Specifies a basic or
an advanced ACL. The acl-number argument ranges from 2000 to
3999;acl-name: Name of a string, start with letters without space and
quotation mark;subitem: option parameter for specifying the subitem in acl-list,
in the range of 0 to 127.
link-group { acl-number | acl-name } [ subitem subitem ]: Specifies a Layer
2 ACL. The acl-number argument ranges from 4000 to 4999; acl-name:
Name of a string, start with letters without space and quotation mark;subitem:
option parameter for specifying the subitem in acl-list, in the range of 0 to 127.
interface ethernet { interface-num }: Specifies destination port (also called
monitor port) of traffic.
iii.
Configuration example
! Mirror acl-list 2000 to Ethernet 0/0/1.
Switch(config)#access-list 2000 permit 1.1.1.1 0
Config ACL subitem successfully.
Switch(config)#mirrored-to ip-group 2000 interface ethernet 0/0/1
Config mirrored-to successfully .
1.1.4.2 Configuring Port Mirroring

i.
Configuration prerequisites
The source port is specified and whether the packets to be mirrored are ingress or
egress is specified: ingress: only mirrors the packets received via the port; egress: only
mirrors the packets sent by the port; both: mirrors the packets received and sent by the
port at the same time.
The destination port is specified.
ii. Configuration procedure

Perform the following configuration in global configuration mode.
Table 1-3 Configure port mirroring
Operation
Command
Description
Configure destination port

(so called monitor port)
mirror
destination-interface
interface-num
This command will cancel

original port mirroring.
Configure source port (so

called mirrored port)
mirror source-interface
{ interface-list | cpu } { both |
egress | ingress }
both means both ingress

and egress; cpu means
mirroring cpu packets.
Show port mirroring
show mirror
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 8
Note:
A port cannot be monitor and mirrored port at the same time.
iii.
Configuration example
! Mirror egress of ethernet 0/0/1 to ethernet 0/0/12 to ethernet 0/1/1
Switch(config)#mirror destination-interface ethernet 0/1/1
Config monitor port successfully !
Switch(config)#mirror source-interface ethernet 0/0/1 to ethernet 0/0/12
egress
Config mirrored port successfully !
! Mirror cpu both to ethernet 0/1/2
Switch(config)#mirror destination-interface ethernet 0/1/2
Config monitor port successfully !
Switch(config)#mirror source-interface cpu both
Config mirrored port successfully !
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 8
Port Utilization Alarm

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 6

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 6
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
document
appearance)
Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestion
Make more concise
s to
Improve Contents
Add more step-by-step
improve
procedures/tutorials
the
document
Improve arrangement
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 6
Contents
Chapter1 Configuring Port Utilization Alarm .............................................................................. 5
1.1
Brief Introduction to Device Utilization Alarm ......................................................... 5
1.2
Configuring Device Utilization Alarm ....................................................................... 5
1.2.1
Configuring Port Utilization Alarm ................................................................ 5
1.2.2
Configuring CPU Utilization Alarm ............................................................... 5
1.2.3
Displaying and Debugging Device Utilization Alarm ................................. 6
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 6
Chapter1 Configuring Port Utilization Alarm

1.1Brief Introduction to Device Utilization Alarm
The device utilization alarm is used to monitor port bandwidth, CPU occupation and alarm
when congestion in order to administrator aware the running status between the network
and device.
l Exceed: when port bandwidth utilization over exceed, it triggers congestion alarm.
l Normal: when port bandwidth utilization less exceed, it triggers recover alarm CPU
utilization alarm also can set two trigger values, details as below:
l Busy: when CPU utilization over busy, it triggers alarm of CPU busyness
l Unbusy: when CPU utilization less busy, it triggers alarm of CPU idle Notes, all
alarms will show in the list of Syslog.
1.2Configuring Device Utilization Alarm

1.2.1 Configuring Port Utilization Alarm
Using below commands to configure port utilization. Enable port utilization in system and
port mode by default. The exceed value equals 850M, the normal value equals 600M.
Table 1-1 configuring port utilization alarm
Operation
Command
Remark
Enter global
configure terminal
configuration mode
Enable(disable)port
utilization alarm with
(no)alarm all-packets
required
system mode
Enter port configuration
interface ethernet interface-num
Enable(disable)port
utilization alarm with
(no)alarm all-packets
Required
port mode
alarm all-packets threshold {exceed thresold |
Configure alarm value
Optional
normal thresold }
1.2.2 Configuring CPU Utilization Alarm

Using below commands to configure CPU utilization. Enable CPU utilization by default.
The busy value equals 90%, the unbusy value equals 60%
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 6
Operation
Enter global
configuration mode
Enable(disable) CPU
utilization alarm
Configure congestion
value
Table 1-2 configuring CPU utilization alarm

Command
Remark
configure terminal
alarm cpu
Required
alarm cpu threshold {busy thresold |unbusy

thresold }
optional
1.2.3 Displaying and Debugging Device Utilization Alarm

After finishing above configuration, you can show configuration by below commands.
Table 1-3 displaying and debugging device utilization alarm
Operation
Command
show alarm cpu
Remark
Perform
either of the
show alarm all-packets
commands
Perform
either of the
Display the enable status and

alarm value of CPU utilization
alarm
Display port utilization in system
mode
Display
port
utilization
value in port mode
and
show alarm all-packets interface

[ethernet interface-num]
commands
PDF pdfFactory Pro
commands
Perform
either of the
www.fineprint.cn
Page 6 of 6
Link Aggregation Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 15

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 15
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
document
appearance)
Good
Fair
Average
Poor
Accessibility:
Good
Fair
Average
Poor
Editorial:
Good
Your
Fair
Average
Poor
suggestion
Make more concise
s to
Improve Contents
Improve arrangement
improve
the
document
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
Contents
Chapter 1 Link Aggregation Configuration ............................................................ 5
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 15

1.1 Overview ....................................................................................................................... 5
1.1.1 Introduction to Link Aggregation ......................................................................... 5
1.1.2 Introduction to LACP .......................................................................................... 6
1.1.3 Operation Key (O-Key) ....................................................................................... 6
1.1.4 Static Aggregation Group .................................................................................... 6
1.1.5 Dynamic LACP Aggregation Group .................................................................... 7
1.2 Redundancy of Interconnected Device ........................................................................ 8
1.3 Load-balancing Policy .................................................................................................. 9
1.4 Link Aggregation Configuration .................................................................................... 9
1.4.1 Configuring a Static Aggregation Group ............................................................. 9
1.4.2 Configuring a Dynamic LACP Aggregation Group ........................................... 10
1.4.3 Displaying and Maintaining Link Aggregation Configuration ............................ 11
1.5 LACP Configuration Example ..................................................................................... 12
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 15
Chapter 1 Link Aggregation Configuration

1.1
Overview
1.1.1 Introduction to Link Aggregation

Link aggregation means aggregating several ports together to form an aggregation group,
so as to implement outgoing/incoming load sharing among the member ports in the group
and to enhance the connection reliability.
Depending on different aggregation modes, aggregation groups fall into two types: static
LACP and dynamic LACP. Depending on whether or not load sharing is implemented,
aggregation groups can be load-sharing or non-load-sharing aggregation groups.
Figure 1-1 Network diagram for link aggregation configuration
For the member ports in an aggregation group, their basic configuration must be the same.
The basic configuration includes STP, QoS, VLAN, port attributes, and other associated
settings.
STP configuration, including STP status (enabled or disabled), link attribute
(point-to-point or not), STP priority, maximum transmission speed, loop prevention status.
QoS configuration, including traffic limiting, priority marking, default 802.1p priority,
traffic monitor, traffic redirection, traffic statistics, and so on.
VLAN configuration, including permitted VLANs, and default VLAN ID, tag vlan list for
hybrid port and allowed vlan list for trunk port.
Port attribute configuration, including port rate, duplex mode, and link type (Trunk,
Hybrid or Access). The ports for a static aggregation group must have the same rate and
link type, and the ports for a dynamic aggregation group must have the same rate, duplex
mode (full duplex) and link type.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 15
1.1.2
Introduction to LACP
The purpose of link aggregation control protocol (LACP) is to implement dynamic link
aggregation and disaggregation. This protocol is based on IEEE802.3ad and uses
LACPDUs (link aggregation control protocol data units) to interact with its peer.
After LACP is enabled on a port, LACP notifies the following information of the port to its
peer by sending LACPDUs: priority and MAC address of this system, priority, number and
operation key (it is so called O-Key) of the port. Upon receiving the information, the peer
compares the information with the information of other ports on the peer device to
determine the ports that can be aggregated with the receiving port. In this way, the two
parties can reach an agreement in adding/removing the port to/from a dynamic
aggregation group.
1.1.3 Operation Key (O-Key)

An operation key of an aggregation port is a configuration combination generated by
system depending on the configurations of the port (rate, duplex mode, other basic
configuration, and administrative key) when the port is aggregated.
1) The ports in the same aggregation group must have the same operation key (O-Key)
and administrative key (A-Key).
2) The administrative key (A-Key) and operation key (
O-Key) of an LACP-enable
aggregation port is equal to its aggregation group ID+1.
3) The administrative key (A-Key) and operation key (
O-Key) of an LACP-enable
aggregation port cannot be modified.
4) The operation key (O-Key) which is contained in LACPDU of an LACP-enable
aggregation port is the same as its peer.
1.1.4 Static Aggregation Group

1.1.1.1 Introduction to Static Aggregation
A static aggregation group is manually created. All its member ports are manually added
and can be manually removed. Each static aggregation group must contain at least one
port. When a static aggregation group contains only one port, you cannot remove the
whole aggregation group unless you remove the port.
LACP is disabled on the member ports of static aggregation groups, and enabling LACP
on such a port will not take effect.
1.1.1.2 Port status of Static Aggregation Group
A port in a static aggregation group is only in one state: on, which means the port in a
static aggregation group must transceive packets. There can be at most 8 ports in a static
aggregation group.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 15
1.1.5 Dynamic LACP Aggregation Group

1.1.1.3 Introduction to Dynamic LACP Aggregation Group
A dynamic LACP aggregation group is also manually created. All its member ports are
manually added and can be manually removed. Each dynamic aggregation group must
contain at least one port. When a dynamic aggregation group contains only one port, you
cannot remove the whole aggregation group unless you remove the port.
LACP is enabled on the member ports of dynamic aggregation groups, and disabling
LACP on such a port will not take effect.
1.1.1.4 Mode of Dynamic Aggregation Group
The mode of dynamic aggregation group can be active or passive. It is manually set by
users. The dynamic aggregation group in active mode will actively send LACPDUs;
group in passive mode will only response LACPDUs passively. When interconnecting with
another device, static mode can only interconnect with static mode; active mode can
interconnect with both active and passive mode, but passive mode can only interconnect
with active mode. The default mode is ACTIVE.
1.1.1.5 Port Status of Dynamic Aggregation Group
A port in a dynamic aggregation group can be in one of the three states: bundle (bndl),
standby, and no-bundle (no-bndl). In dynamic aggregation group, only bundled ports can
transceive LACP protocol packets; others cannot.
Note:
In an aggregation group, the bundled port with the minimum port number
serves as the master port of the group, and other bundled ports serve as
member ports of the group.
No-bundled ports are the ports which fail to form link aggregation with other
ports in the dynamic aggregation.
There is a limit on the number of bundled ports in an aggregation group. Therefore, if the
number of the member ports that can be set as bundled ports in an aggregation group
exceeds the maximum number supported by the device, the system will negotiate with its
peer end, to determine the states of the member ports according to the port IDs of the
preferred device (that is, the device with smaller system ID). The following is the
negotiation procedure:
1) Compare device IDs (system priority + system MAC address) between the two parties.
First compare the two system priorities, then the two system MAC addresses if the system
priorities are equal. The device with smaller device ID will be considered as the preferred
one.
2) Compare port IDs (port priority + port number) on the preferred device. The
comparison between two port IDs is as follows: First compare the two port priorities, then
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 15

the two port numbers if the two port priorities are equal; the port with the smallest port ID
is the bundled port and the left ports are standby ports.
1.1.1.6 Configuring System Priority
LACP determines the bundled and standby states of the dynamic aggregation group
members according to the priority of the port ID on the end with the preferred device ID.
The device ID consists of system priority and system MAC address, that is, device ID =
system priority + system MAC address.
When two device IDs are compared, the system priorities are compared first, and the
system MAC addresses are compared when the system priorities are the same. The
device with smaller device ID will be considered as the preferred one.
Note:
Changing the system priority of a device may change the preferred device
between the two parties, and may further change the states (bundled or
standby) of the member ports of dynamic aggregation groups.
1.1.1.7 Configuring Port Priority
LACP determines the bundled and standby states of the dynamic aggregation group
members according to the port IDs on the device with the preferred device ID. When the
number of members in an aggregation group exceeds the number of bundled ports
supported by the device in each group, LACP determines the bundled and standby states
of the ports according to the port IDs. The ports with superior port IDs will be set to
bundled state and the ports with inferior port IDs will be set to standby state.
The port ID consists of port priority and port number, that is, port ID = port priority + port
number. When two port IDs are compared, the port priorities are compared first, and the
port numbers are compared if the port priorities are the same. The port with smaller port
ID is considered as the preferred one.
1.2
Redundancy of Interconnected Device
LACP provides link redundancy mechanism to guarantee the redundancy conformity of

the two interconnected devices and user can configure the redundant link which is
realized by system and port priority. The steps are as following:
Step 1 Selection reference. The two devices know the LACP sys-id and system MAC
address of each other through LACPDUs exchanges. The system priorities are compared
first, and the system MAC addresses are compared when the system priorities are the
same. The device with smaller device ID will be considered as the preferred one.
Step 2 Redundant link. The port priorities are compared first, and the port numbers are
compared if the port priorities are the same. The port with smaller port ID is considered as
the preferred one.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 15
1.3
Load-balancing Policy
Load-balancing policy is specific physical link selection strategy when sending packets,
which can be source MAC, destination MAC, source and destination MAC, source IP,
destination IP, and source and destination IP. The default strategy is source MAC.
1.4
Link aggregation configuration includes:
Configuring a Static Aggregation Group
Configuring a Dynamic LACP Aggregation Group
Displaying and Maintaining Link Aggregation Configuration
1.4.1 Configuring a Static Aggregation Group

You can create a static aggregation group, or remove an existing static aggregation group
(before that, all the member ports in the group are removed).
You can manually add/remove a port to/from a static aggregation group, and a port can
only be manually added/removed to/from a static aggregation group.
Table 1-1 Configure a manual aggregation group
Operation
Command
Description
Create a static
aggregation group
channel-group
channel-group-number
ranges from 0 to 12
If the group has already
existed, turn to step 2.
Configure
load-balancing
policy
channel-group load-balance
{dst-ip|dst-mac|src-dst-ip|src-dst
-mac|src-ip|src-mac}
Enter interface
configuration
mode
interface ethernet interface_num
Enter the port mode which

you want to add to the
aggregation group.
Enter interface
range
configuration
mode
interface range ethernet

interface_list
If there are multiple ports to

be added, enter interface
range mode.
Add a port to the

aggregation group
channel-group
channel-group-number mode on
should be existed .
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 15

Delete a port from
an aggregation
group
no channel-group
Back to global
configuration
mode
exit
Delete a static
aggregation group
no channel-group
This command used in

global configuration mode is
for deleting a static
aggregation group.
This command used in

interface configuration
mode is for deleting a port
from an aggregation group.
Delete all ports from the
group first before deleting
the group.
1.4.2 Configuring a Dynamic LACP Aggregation Group

You can manually add/remove a port to/from a dynamic aggregation group, and a port can
only be manually added/removed to/from a dynamic aggregation group.
Table 1-1 Configure a dynamic LACP aggregation groups
Step
Operation
Command
Description
Create a
dynamic
aggregation
group
channel-group
channel-group-number ranges from

0 to 12
Configure
load-balancin
g policy
channel-group
load-balance
{dst-ip|dst-mac|src-dst-i
p|src-dst-mac|src-ip|srcmac}
The default policy is source mac.
Configure
system
priority
lacp system-priority
priority
priority ranges from 1 to 65535. The

default priority is 32768.
4(1)
Enter
interface
configuration
interface ethernet
interface_num
Enter the port mode which you want

to add to the aggregation group.
If the group has already existed, turn

to step 2.
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 15

mode
4(2)
Enter
interface
range
configuration
mode
interface range ethernet

interface_list
If there are multiple ports to be

added, enter interface range mode.
Add a port to
the
aggregation
group
channel-group
channel-group-number should be
existed .
Configure
port priority
lacp port-priority priority
priority ranges from 1 to 65535. The

default priority is 128.
Delete a port
from an
aggregation
group
no channel-group
This command used in global

configuration mode is for deleting a
static aggregation group.
Back to
global
configuration
mode
exit
Delete a
dynamic
aggregation
group
no channel-group
mode {active | passive}
This command used in interface

configuration mode is for deleting a
port from an aggregation group.
Delete all ports from the group first
before deleting the group.
1.4.3 Displaying and Maintaining Link Aggregation
Configuration
After the above configuration, execute the show command in any mode to display the
running status after the link aggregation configuration and verify your configuration.
Table 1-1 Display and maintain link aggregation configuration
Operation
Command
Show system LACP show lacp sys-id

ID
PDF pdfFactory Pro
www.fineprint.cn
Description
System
LACP-ID
consists of 16-bit system
priority and 48-bit system
Page 11 of 15

MAC.
Show port member
info
of
the
aggregation group
show lacp internal

[channel-group-number
]
Show neighbor port

info
of
the
aggregation group
show lacp neighbor

[channel-group-number
]
1.5
LACP Configuration Example
I. Network requirements
As shown in Figure 1-1, the link between switch-A and switch-B should be more reliable.
switch-A and switch-B should realize load-balance.
II. Network diagram
Figure 1-2 LACP network diagram

III. Configuration procedure
1. Create channel-group
#Configure switch-A
switch-A#configure terminal
switch-A(config)#channel-group 1
#Configure switch-B
switch-B#configure terminal
switch-B(config)#channel-group 1
2. Configure channel-group load-balance
#Configure switch-A
switch-A(config)#channel-group load-balance src-dst-mac
#Configure switch-B
switch-B(config)#channel-group load-balance src-dst-mac
3. Configure LACP system and port priority
#Configure switch-A
switch-A(config)#lacp system-priority 1024
switch-A(config)#interface range ethernet 0/0/1 to ethernet 0/0/2
switch-A(config-if-range)#lacp port-priority 64
switch-A(config-if-range)#exit
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 15

#Configure switch-B
switch-B(config)#lacp system-priority 2048
switch-B(config)#interface range ethernet 0/0/3 to ethernet 0/0/4
switch-B(config-if-range)#lacp port-priority 256
switch-B(config-if-range)#exit
4. Add port member for channel-group
(1) Static
#Configure switch-A
switch-A(config-if-range)#channel-group 1 mode on
Remember to re-config mac-addresses associated with port e0/0/1
#Configure switch-B
switch-B(config-if-range)#channel-group 1 mode on
(2) Dynamic
#Configure switch-A
switch-A(config-if-range)#channel-group 1 mode active
#Configure switch-B
switch-B(config-if-range)#channel-group 1 mode passive
5. Check the configuration
(1) show lacp internal
#show lacp internal of switch-A
switch-A(config-if-range)#show lacp internal
Load balance: src-dst-mac
Channel: 1, static channel
Port
State A-Key O-Key Priority
e0/0/1 bndl
e0/0/2 bndl
-
Logic-port
1
1
Actor-state
-
actor-state: activity/timeout/aggregation/synchronization
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 15

collecting/distributing/defaulted/expired
#show lacp internal of switch-A
switch-A(config-if-range)#show lacp internal
Channel: 1, dynamic channel
Port
State
A-Key O-Key Priority
e0/0/1 bndl
2
2
64
e0/0/2 bndl
2
2
64
Logic-port Actor-state
1
10111100
1
10111100
#show lacp internal of switch-B
switch-B(config-if-range)#show lacp internal
Channel: 1, dynamic channel
Port
State
A-Key O-Key Priority
e0/0/3 bndl
2
2
256
e0/0/4 bndl
2
2
256
Logic-port Actor-state
3
00111100
3
00111100
(2) Show LACP neighbor
#Show LACP neighbor of switch-A
switch-A(config-if-range)#show lacp neighbor
Channel: 1
Local
Port Key Pri
ID
Timeout
e0/0/1 3
2
256
000a5a020305 82(90)
e0/0/2 4
2
256
000a5a020305 80(90)
Nei-state
00111100
00111100
nei-state: activity/timeout/aggregation/synchronization
#Show LACP neighbor of switch-B
switch-B(config-if-range)#show lacp neighbor
Channel: 1
Local
Port Key Pri
ID
Timeout
e0/0/3 1
2
64
000a5a010203 71(90)
e0/0/4 2
2
64
000a5a010203 69(90)
PDF pdfFactory Pro
www.fineprint.cn
Nei-state
10111100
10111100
Page 14 of 15
nei-state: activity/timeout/aggregation/synchronization
(3) Show system ID
#Show switch-A system ID
switch-A(config-if-range)#show lacp sys-id
1024,000a5a010203
#Show switch-B system ID
switch-B(config-if-range)#show lacp sys-id
2048,000a5a020305
6. Delete port member from channel-group
#Configure switch-A
switch-A(config-if-range)#no channel-group 1
switch-A(config-if-range)#exit
#Configure switch-B
switch-B(config-if-range)#no channel-group 1
switch-B(config-if-range)#exit
7. Delete channel-group
#Configure switch-A
switch-A(config)#no channel-group 1
#Configure switch-B
switch-B(config)#no channel-group 1
PDF pdfFactory Pro
www.fineprint.cn
Page 15 of 15
Port Isolation Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 6
reserves the right to revise this document and to make changes from time to time in its content without being
obligated to notify any person of such revisions or changes.

Tel: (86)
Fax: (86)
URL:
Email:
All other products or services mentioned herein may be registered trademarks, trademarks, or service marks
of their respective manufacturers, companies, or organizations.
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 6
XXXX Feedback Form

services.
Document
Title
Product
Version
Evaluate
this
document
Docume
nt
Revision
Number
1.0
Presentation:
appearance)
Good
Fair
Average
Poor
Accessibility:
Good
Fair
Average
Poor
Editorial:
Good
Your
suggestion
s to
improve
the
document
Fair
Average
Poor

Make more concise
Improve Contents
Improve arrangement
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 6
Content
Chapter 1 Port Isolation Configuration ........................................................................................... 1
1.1 Introduction to Port Isolation .................................................................................................. 1
1.2 Port Isolation Configuration ................................................................................................... 1
1.2.1 Port Isolation Configuration ........................................................................................ 1
1.2.2 Port-isolation Monitor and Maintenance ..................................................................... 1
1.3 Port-isolation Configuration Example .................................................................................... 2
1.3.1 Port-isolation Configuration Example ......................................................................... 2
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 6
Chapter 1 Port Isolation Configuration

1.1 Introduction to Port Isolation
To implement Layer 2 isolation, you can add different ports to different VLANs. However,
this will waste the limited VLAN resource. With port isolation, the ports can be isolated
within the same VLAN. Thus, you need only to add the ports to the isolation group to
implement Layer 2 isolation. This provides you with more secure and flexible networking
schemes.
On the current device:
l Currently, only one isolation group is supported on a device, which is created
automatically by the system as isolation group. The user cannot remove the isolation group
or create other isolation groups.
l The number of the ports an isolation group can contain is total port number-1.
Because isolated ports are downlink ports. There should be at least one uplink port.
& Note:
When a port in an aggregation group is configured as the member of isolation
group, the other ports of the aggregation group will not be downlink ports.
1.2 Port Isolation Configuration

1.2.1 Port Isolation Configuration
Add a port to port-isolation group. The isolated port members cannot communicate with
each other, but can only communicate with un-isolated port. Use no port-isolation
command to delete a port from the isolated group.
Table 1-1 Configure port isolation
Operation
mode
Configure port isolation
Command
Remarks
configure terminal
isolate-port interface-number
Required
1.2.2 Port-isolation Monitor and Maintenance

After finishing above configuration, user can check the configurations by command below.
Table 1-2 Port-isolation monitor and maintenance
Operation
Command
On
Show isolate-port configuration
show isolate-port
Remarks
any
configuration
mode
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 6
1.3 Port-isolation Configuration Example

1.3.1 Port-isolation Configuration Example
User PC1, PC2, PC3 connect to switch e0/0/2, e0/0/3, e0/0/4. Switch connects to Internet
by e0/0/1. User PC1, PC2, PC3 need independent data exchange.
II. Networking diagram

Switch#configure terminal
Switch(config)#isolate-port ethernet 0/0/2 to ethernet 0/0/4
Add port isolation downlink port successfully.
Switch(config)#show isolate-port
Port isolation downlink port :
e0/0/2-e0/0/4
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 6
VLAN Configuration
VLAN Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 11
VLAN Configuration

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 11
VLAN Configuration
XXXX Feedback Form

services.
Document
Basic Configuration of Ports
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Improve Contents Add more step-by-step procedures/tutorials
Improve arrangement Add more technical information
Include images
Add more detail Improve index
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 11
VLAN Configuration
Content
Chapter 1 VLAN Configuration ............................................................................................... 5
1.1 VLAN Overview ................................................................................................................... 5
1.2 VLAN Principles ................................................................................................................... 5
1.3 802.1Q VLAN ....................................................................................................................... 6
1.3.1 VLAN Link Type of Ethernet Ports ............................................................................ 6
1.3.2 Default VLAN ............................................................................................................ 7
1.3.3 Handling Packets ...................................................................................................... 7
Chapter 2 VLAN Configuration ............................................................................................... 8
2.1 Default VLAN Configuration ................................................................................................ 8
2.2 Create and Modify VLAN..................................................................................................... 8
2.2 Delete Port Members from a VLAN .................................................................................... 9
2.3 Delete VLAN ...................................................................................................................... 10
2.4 VLAN Configuration Example ............................................................................................ 10
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 11
VLAN Configuration
Chapter 1 VLAN Configuration

1.1 VLAN Overview
Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not
physically into segments to implement the virtual workgroups. IEEE issued the IEEE
802.1Q in 1999, which was intended to standardize VLAN implementation solutions.
Through VLAN technology, network managers can logically divide the physical LAN
into different broadcast domains. Every VLAN contains a group of workstations with
the same demands. The workstations of a VLAN do not have to belong to the same
physical LAN segment.
With VLAN technology, the broadcast and unicast traffic within a VLAN will not be
forwarded to other VLANs, therefore, it is very helpful in controlling network traffic,
saving device investment, simplifying network management and improving security.
Figure 1-1 Vlan implementation
A VLAN can span across multiple switches, or even routers. This enables hosts in a
VLAN to be dispersed in a looser way. That is, hosts in a VLAN can belong to different
physical network segment.
Compared with the traditional Ethernet, VLAN enjoys the following advantages.
1) Broadcasts are confined to VLANs. This decreases bandwidth utilization and
improves network performance.
2) Network security is improved. VLANs cannot communicate with each other
directly. That is, a host in a VLAN cannot access resources in another VLAN directly,
unless routers or Layer 3 switches are used.
3) Network configuration workload for the host is reduced. VLAN can be used to
group specific hosts. When the physical position of a host changes within the range
of the VLAN, you need not change its network configuration.
1.2 VLAN Principles

VLAN tags in the packets are necessary for the switch to identify packets of different
VLANs. The switch works at Layer 2 (Layer 3 switches are not discussed in this
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 11
VLAN Configuration
chapter) and it can identify the data link layer encapsulation of the packet only, so
you can add the VLAN tag field into only the data link layer encapsulation if
necessary.
In 1999, IEEE issues the IEEE 802.1Q protocol to standardize VLAN implementation,
defining the structure of VLAN-tagged packets.
IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encapsulated after the
destination MAC address and source MAC address to show the information about
VLAN.
Figure 1-2 Format of VLAN tag
As shown in Figure 1-2, a VLAN tag contains four fields, including TPID (Tag Protocol
Identifier), priority, CFI (Canonical Format Indicator), and VID (VLAN ID).
TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By
default, it is 0x8100.
Priority is a 3-bit field, referring to 802.1p priority. Refer to section QoS &
QoS profile for details.
CFI is a 1-bit field, indicating whether the MAC address is encapsulated in
the standard format in different transmission media. This field is not described in
detail in this chapter.
VID (VLAN ID) is a 12-bit field, indicating the ID of the VLAN to which this
packet belongs. It is in the range of 0 to 4,095. Generally, 0 and 4,095 is not used, so
the field is in the range of 1 to 4,094.
VLAN ID identifies the VLAN to which a packet belongs. When the switch receives an
un-VLAN-tagged packet, it will encapsulate a VLAN tag with the default VLAN ID of
the inbound port for the packet, and the packet will be assigned to the default VLAN
of the inbound port for transmission. For the details about setting the default VLAN
of a port, refer to section 02-Port Configuration
1.3 802.1Q VLAN

1.3.1 VLAN Link Type of Ethernet Ports
An Ethernet port can operate in one of the three link types:
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 11
VLAN Configuration
Access: An access port only belongs to one VLAN, normally used to connect user
device.
Trunk: A trunk port can belong to more than one VLAN. It can receive/send
packets from/to multiple VLANs and is generally used to connect another switch. The
packet sent from this port can only be with tag label.
Figure 1-1 Hybrid: A hybrid port can belong to multiple VLANs, can receive, or
send packets for multiple VLANs, used to connect either user or network devices. It
allows packets of multiple VLANs to be sent with or without the Tag label
1.3.2 Default VLAN
Details refer to 02-Port configuration.
1.3.3 Handling Packets
Different ports have different ways to handle the packet. Details are in Table 1-1
Table 1-1 Different port handles different packet
Port
Ingress
type
Untagged
Egress
Tagged packet
packet
Access
Receive it and
If VID of the
Strip the Tag and transmit the packet
port
add a tag with
packet is equal
as the VID of the packet is equal to
VID being
to the port
the port permitted VID
equal to PVID.
permitted VID,
receive it; if VID
port permitted untag VID, remove
is different,
the tag and transmit it; If VID of the
discard it.
packet is equal to the port permitted
Hybrid
port
tag VID, keep the tag and transmit it.

port permitted VID, keep the tag and
transmit it.
Trunk
port
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 11
VLAN Configuration
Chapter 2 VLAN Configuration

2.1 Default VLAN Configuration
Table 2-1 Default VLAN configuration
Parameter
Default
Description
The vlan-id argument ranges from
Existed VLAN
1 to 4,094.
VLAN 1
VLAN 1 is the default VLAN of all

ports.
VLAN description
VLAN description is characters
Port member of VLAN
ranged from 1 to 32.
All ports are the members

of VLAN 1.
2.2 Create and Modify VLAN

Switch supports 4094 VLANs.
Perform following commands in privilege mode.
Table 2-2 Create and modify VLAN
Operation
Enter
Command
global
configuration mode
Description
configure terminal
Create a vlan and enter
If the VLAN to be created
vlan configuration mode
exists, enter the VLAN mode

directly. Otherwise, create the
VLAN vlan-list
VLAN first, and then enter the

VLAN mode.
Vlan-id allowed to configure is
in the range of 1 to 4094.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 11
VLAN Configuration
Vlan-list can be in the form of

discrete number, a sequence
number, or the combination
of discrete and sequence
number, discrete number of
which is separate by comma,
and sequence number of
which is separate by
subtraction sign, such as: 2, 5,
8, 10-20.
Add port member to a
switchport ethenet
vlan
device-num/slot-num/portnum
Configure
vlan
description
description vlan-name
By default, vlan description is

empty.
Display the related

show vlan vlan-id / brief
information about VLAN
2.2 Delete Port Members from a VLAN

Table 2-3 Delete port members from a VLAN
Operation
Enter
global
Command
configuration
Description
configure terminal
Enter vlan configuration mode
vlan vlan-list
Delete port member from
no switchport { all |
VLAN
ethernet port_list }
mode
Display the related


PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 11
VLAN Configuration
Note:
A port whose VLAN should not the default VLAN.
2.3 Delete VLAN

Table 2-4 Delete vlan
Operation
Enter
global
Command
configuration
mode
Delete VLAN
Description
configure terminal
no vlan {vlan-list |all}
Display the related


Note:
After perform no vlan all, system will delete all vlan except VLAN 1. In other words,
VLAN 1 cannot be deleted.
The VLAN to be removed cannot exist in the multicast group. So please remove the
related multicast group first.
2.4 VLAN Configuration Example

i.
Networking Requirements
Create VLAN2 and VLAN3. Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to

VLAN2 and add GigabitEthernet0/0/3 and GigabitEthernet0/0/4 to VLAN3. Delete
GigabitEthernet0/0/1 to GigabitEthernet0/0/4 from VLAN1.
ii.
Networking diagram
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 11
VLAN Configuration
iii.
Networking configuration
! Create VLAN 2 and enter it.

Switch(config)# vlan 2
! Add Ethernet0/01 and Ethernet0/0/2 to VLAN2.
Switch(config-if-vlan)#switchport ethernet 0/0/1 ethernet 0/0/2
! Create VLAN 3 and enter it.
Switch(config)# vlan 3
! Add Ethernet0/0/3 and Ethernet0/0/4 to VLAN3.
Switch(config-if-vlan)#switchport ethernet 0/0/3 ethernet 0/0/4
! Set the default vlan of Ethernet0/0/1and Ethernet0/0/2
Switch(config-if-range)# switchport default vlan 2
! Set the default vlan of Ethernet0/0/3 and Ethernet0/0/4
Switch(config-if-range)# switchport default vlan 3
! Enter VLAN view and delete Ethernet0/0/1 to Ethernet0/0/4 from VLAN1.
Switch(config-if-vlan)#no switchport ethernet 0/0/1 to ethernet 0/0/4
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 11
GVRP Configuration
GVRP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 11
GVRP Configuration

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 11
GVRP Configuration
XXXX Feedback Form

services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 11
GVRP Configuration
Content
Chapter 1 GVRP Configuration .......................................................................................................... 5
1.1 Brief Introduction to GVRP.................................................................................................. 5
1. GARP ................................................................................................................................. 5
1.2 Configuring GVRP ................................................................................................................ 6
1.2.1
Brief Introduction to GVRP Configuration ............................................................... 6
1.2.2
Startup GVRP ............................................................................................................ 6
1.2.3
Configuring VLAN Forwarded by GVRP.................................................................... 6
1.2.4
Displaying and Debugging ........................................................................................ 6
1.2.5
GVRP Configuration Examples ................................................................................. 7
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 11
GVRP Configuration
Chapter 1 GVRP Configuration

1.1 Brief Introduction to GVRP
1. GARP
Generic Attribute Registration Protocol (GARP) provides a mechanism that allows
participants in a GARP application to distribute, propagate and register with other
participants in a bridged LAN that attributes specific to the GARP applications, such
as the VLAN or multicast address attribute.
GARP itself does not exist on a device as an entity. GARP-compliant application
entities are called a GARP application. It primarily applies to GVRP and GMRP. When
a GARP application entity is present on a port on your device, this port is regarded as
a GARP application.
The GARP mechanism allows the configuration of a GARP participant to propagate
throughout a LAN quickly. In GARP, a GARP participant registers or deregisters its
attributes with other participants by making or withdrawing declarations of
attributes and at the same time, based on received declarations or withdrawals
handles attributes of other participants.
GARP participants exchange attributes primarily by sending the following three types
of messages:Join.Leave and LeaveAll.
l Join to announce the willingness to register some attribute with other
participants.
l
Leave to announce the willingness to deregister with other participants.
LeaveAll to deregister all attributes. A LeaveAll message is sent upon expiration of a

LeaveAll timer, which starts upon the startup of a GARP application entity.
Together with Join messages and Leave messages help GARP participants complete
attribute registration and deregistration. All the attributes messages can forward to
all switches in the same network.
GARP application entities send protocol data units (PDU) with a particular multicast
MAC address as destination. Based on this address, a device can identify to which
GARP application, GARP for example, should a GARP PDU be delivered.
GARP is described in IEEE 802.1Q.
2. GVRP
GVRP is a GARP application. It functions based on the operating mechanism of GARP
to maintain and propagate dynamic VLAN registration information for the GVRP
devices on the network. It thus ensures that all GVRP participants on a bridged LAN
maintain the same VLAN registration information. The VLAN registration information
propagated by GVRP includes both manually configured local static entries and
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 11
GVRP Configuration
dynamic entries from other devices.
1.2 Configuring GVRP

1.2.1 Brief Introduction to GVRP Configuration
Table 1-1 GVRP configuration
Configuration
Configure GVRP
Display and maintain GVRP
Remark
Startup GVRP
Required
Configure VLAN under required
GVRP
optional
Detailed
configuration
1.2.2
1.2.3
1.2.4
1.2.2 Startup GVRP

Before enabling GVRP on a port, you must enable GVRP globally because it disables
in default.
Notes: you need to configure the port trunk to enable GVRP.
Operation
mode
Enable GVRP in global
configuration mode
mode
Enable GVRP in port

configuration mode
Table 1-2 startup GVRP

Command
configure terminal
Remark
-
gvrp
required
interface ethernet
device/slot/port
gvrp
required
1.2.3 Configuring VLAN Forwarded by GVRP

Obviously VLAN registration information forwarded by GVRP can be the local
configuration static VLAN, or be learned by GVRP dynamic protocols. But when the
administrator names, the permit VLANs can pass through the port to send GVRP
packets.
Table 1-3 Configure VLAN forwarded by GVRP
Operation
Command
Enter global configuration configure terminal
mode
Configure VLAN forwarded garp permit vlan vlan-list
by GVRP
Remark
required
1.2.4 Displaying and Debugging

You can show the configuration through below commands when you finish all above
configuration.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 11
GVRP Configuration
Table 1-4 displaying GVRP and debugging

Operation
Command
show gvrp
Show GVRP enable globally
Show port enable maintained show gvrp interface [ethernet
device/slot/port]
by GVRP
show garp permit vlan
Show GVRP permit VLAN
Remark
Perform in
any
configuratio
n mode
1.2.5 GVRP Configuration Examples

As below, S1 and S3 forward respective static VLAN information to S2 by GVRP
protocol, S2 forwards to each other with local static and learning VLAN from GVRP. At
the end, S1,S2,S3 can share the dynamic VLAN information .
Picture 1-1 network

Configuration procedure:
!Configure S1
***************************************************************
!Preparation before configure
Switch(config)#vlan 2,3,4
Switch(config-if-vlan)#interface e 0/0/1
Switch(config-if-ethernet-0/0/1)#exit
!Configure GVRP
Switch(config)#gvrp
Turn on GVRP successfully.
Switch(config)#garp permit vlan 2,3,4
Switch(config)#interface e 0/0/1
Switch(config-if-ethernet-0/0/1)#gvrp
!Verify GVRP configuration
Switch(config)#show gvrp
GVRP state : enable
Switch(config)#show gvrp interface ethernet 0/0/1
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 11
GVRP Configuration
port
GVRP status
e0/0/1
enable
Total entries: 1.
Switch(config)#show garp permit vlan
VLAN 1 is Garp default permit VLAN
Other Garp permit VLAN : 2-4
***************************************************************
!Configure S2
***************************************************************
Switch(config)#vlan 5,6
Switch(config-if-vlan)#exit
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)#exit
!Configure GVRP
Switch(config)#gvrp
Turn on GVRP successfully
Switch(config-if-range)#gvrp.
Switch(config)#garp permit vlan 5,6
GVRP state : enable
Switch(config)#show gvrp interface ethernet 0/0/2 ethernet 0/0/3
port
GVRP status
e0/0/2
enable
e0/0/3
enable
Total entries: 2.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 11
GVRP Configuration
***************************************************************
!Configure S3
***************************************************************
!Configure GVRP
Switch(config)#gvrp
GVRP state : enable
Switch(config)#show gvrp interface ethernet 0/0/4
port
GVRP status
e0/0/4
enable
Total entries: 1.
***************************************************************
After finishing the configuration, you can show VLAN to check the VLAN
register information learned by GVRP
!VLAN5,6,7,8 is learned by GVRP when showing S1 VLAN information
Switch(config)#show vlan
show VLAN information
VLAN ID
:1
VLAN status
: static
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 11
GVRP Configuration
VLAN member
: e0/0/1-e0/2/2
Static tagged ports
: e0/0/1
Static untagged Ports
: e0/0/2-e0/2/2
Dynamic tagged ports

VLAN ID
:2
VLAN status
: static
VLAN member
: e0/0/1.
Static tagged ports
: e0/0/1.

VLAN ID
:3
VLAN status
: static
VLAN member
: e0/0/1.
Static tagged ports
: e0/0/1.

VLAN ID
:4
VLAN status
: static
VLAN member
: e0/0/1.
Static tagged ports
: e0/0/1.

VLAN ID
:5
VLAN status
: dynamic
VLAN member
: e0/0/1
Static tagged ports
: e0/0/1
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 11
GVRP Configuration

VLAN ID
:6
VLAN status
: dynamic
VLAN member
: e0/0/1
Static tagged ports
: e0/0/1

VLAN ID
:7
VLAN status
: dynamic
VLAN member
: e0/0/1
Static tagged ports
: e0/0/1

VLAN ID
:8
VLAN status
: dynamic
VLAN member
: e0/0/1
Static tagged ports
: e0/0/1
Total entries: 8 vlan.
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 11
ARP Configuration
ARP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 11
ARP Configuration

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 11
ARP Configuration
XXXX Feedback Form

services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 11
ARP Configuration
Contents
Chapter 1 ARP Configuration ......................................................................................................... 5
1.1 ARP Overview ...................................................................................................................... 5
1.1.1 ARP Function ............................................................................................................ 5
1.1.2 ARP Message Format ............................................................................................... 6
1.2 Configuring ARP Attack Spoofing ........................................................................................ 7
1.2.1 Brief Introduction to ARP Spoofing .......................................................................... 7
1.2.2 ARP Anti-Spoofing Protection .................................................................................. 7
1.2.3 Configuring Anti-Spoofing ........................................................................................ 8
1.2.4 Configuring ARP Packet Source MAC Address Consistency Check ........................... 8
1.2.5 Configuring Default of Anti-Spoofing ....................................................................... 9
1.2.6 Displaying and Maintain Anti-spoofing .................................................................... 9
1.3 Configuring against ARP Flood ............................................................................................ 9
1.3.1 ARP Flood ................................................................................................................. 9
1.3.2 Configuring against ARP Flood ................................................................................. 9
1.3.3 Configuring against ARP Flood ............................................................................... 10
1.3.4 Displaying and Maintain against ARP Flood ........................................................... 11
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 11
ARP Configuration
Chapter 1
ARP Configuration
1.1 ARP Overview

1.1.1 ARP Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link
layer address.
An IP address is the address of a host at the network layer. To send a network layer
packet to a destination host, the device must know the data link layer address (such
as the MAC address) of the destination host. To this end, the IP address must be
resolved into the corresponding data link layer address.
Unless otherwise stated, the data link layer addresses that appear in this chapter
refer to the 48-bit Ethernet MAC addresses.
ARP Address Resolution Process as below:
Suppose that Host A and Host B are on the same subnet and that Host A sends a
message to Host B, as show in Figure 1-2. The resolution process is as follows:
1. Host A looks in its ARP mapping table to see whether there is an ARP entry for
Host B. If Host A finds it, Host A uses the MAC address in the entry to
encapsulate the IP packet into a data link layer frame and sends the frame to
Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an
ARP request, in which the source IP address and source MAC address are
respectively the IP address and MAC address of Host A and the destination IP
address and MAC address are respectively the IP address of Host B and an
all-zero MAC address. Because the ARP request is sent in broadcast mode, all
hosts on this subnet can receive the request, but only the requested host
(namely, Host B) will process the request.
3. Host B compares its own IP address with the destination IP address in the ARP
request. If they are the same, Host B saves the source IP address and source
MAC address into its ARP mapping table, encapsulates its MAC address into an
ARP reply, and unicasts the reply to Host A.
4. After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP
mapping table for subsequent packet forwarding. Meanwhile, Host A
encapsulates the IP packet and sends it out.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 11
ARP Configuration
Figure 1-1 ARP address resolution process
When Host A and Host B are not on the same subnet, Host A first sends an ARP
request to the gateway. The destination IP address in the ARP request is the IP
address of the gateway. After obtaining the MAC address of the gateway from an ARP
reply, Host A encapsulates the packet and sends it to the gateway. Subsequently, the
gateway broadcasts the ARP request, in which the destination IP address is the one of
Host B. After obtaining the MAC address of Host B from another ARP reply, the
gateway sends the packet to Host B.
1.1.2 ARP Message Format
Figure 1-1 ARP Message Format
The following explains the fields in Figure 1-1.

Hardware type: This field specifies the hardware address type. The value 1
represents Ethernet.
Protocol type: This field specifies the type of the protocol address to be mapped. The
hexadecimal value 0x0800 represents IP.
Hardware address length and protocol address length: They respectively specify the
length of a hardware address and a protocol address, in bytes. For an Ethernet
address, the value of the hardware address length field is "6. For an IP(v4) address,
the value of the protocol address length field is 4.
OP: Operation code. This field specifies the type of ARP message. The value 1
represents an ARP request and 2 represents an ARP reply.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 11
ARP Configuration
Sender hardware address: This field specifies the hardware address of the device
sending the message.
Sender protocol address: This field specifies the protocol address of the device
sending the message.
Target hardware address: This field specifies the hardware address of the device the
message is being sent to.
Target protocol address: This field specifies the protocol address of the device the
message is being sent to.
1.2 Configuring ARP Attack Spoofing

1.2.1 Brief Introduction to ARP Spoofing
ARP provides no security mechanism and thus is prone to network attacks. An
attacker can construct and send ARP packets, thus threatening network security.
A forged ARP packet has the following characteristics:
l The sender MAC address or target MAC address in the ARP message is
inconsistent with the source MAC or destination MAC address in the Ethernet frame.
l The mapping between the sender IP address and the sender MAC address in the
forged ARP message is not the true IP-to-MAC address binding of a valid client.
ARP attacks bring many malicious effects. Network communications become
unstable, users cannot access the Internet, and serious industrial accidents may even
occur. ARP attacks may also intercept accounts and passwords of services such as
games, network banks, and file services.
1.2.2 ARP Anti-Spoofing Protection
ARP spoofing attacks to protection, the key is to identify and prohibit forwarding
spoofed ARP packets. From the principle of ARP spoofing, we can see, to prevent ARP
spoofing attack requires two ways, first to prevent the virus disguised as the gateway
host, it will cause the entire segment of the user can not access; followed by
preventing the virus from the host masquerade as another host, eavesdropping data
or cause the same network segment cant communicate between the individual host.
MyPower S3100 series switches provide active defense ARP spoofing function, in
practical applications, the network hosts the first communication, the switch will
record the ARP table entries, entries in the message of the sender IP, MAC, VID and
port correspondence.
To prevent the above mentioned ARP attacks, MyPower S3100 launches a
comprehensive ARP attack protection solution.
An access switch is a critical point to prevent ARP attacks, as ARP attacks generally
arise from the host side. To prevent ARP attacks, the access switches must be able to
l Establish correct ARP entries, detect and filter out forged ARP packets, and
ensure the validity of ARP packets it forwards
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 11
ARP Configuration
Suppress the burst impact of ARP packets.
After configuring the access switches properly, you do not need to deploy ARP attack
protection configuration on the gateway. This relieves the burden from the gateway.
If the access switches do not support ARP attack protection, or the hosts are
connected to a gateway directly, the gateway must be configured to
l
Create correct ARP entries and prevent them from being modified.
l Suppress the burst impact of ARP packets or the IP packets that will trigger
sending of ARP requests.
The merits of configuring ARP attack protection on the gateway are that this gateway
configuration hardly affects the switches and can properly support the existing
network, thus effectively protecting user investment
1.2.3 Configuring Anti-Spoofing
Table 1-2 Configure anti-spoofing
Command
Step
step1
Operation
configure terminal
Enable ARP anti-spoofing
Step2
arp anti-spoofing
Step3
arp anti-spoofing
{diacard | flood}
Step4
end
return to privilege mode
Step5
copy
running-config
startup-config
save modified configuration
unknown
Configure the method of unknown

static ARP packet
1.2.4 Configuring ARP Packet Source MAC Address Consistency Check

This feature enables a gateway device to filter out ARP packets with a source MAC
address in the Ethernet header different from the sender MAC address in the
message body, so that the gateway device can learn correct ARP entries.
By default, system disables gateway spoofing.
Step
Table 1-4 Configure ARP Packet Source MAC Address Consistency Check
Command
Operation
step1
configure terminal
step2
arp anti-spoofing valid-check
Configure ARP Packet Source MAC

Address Consistency Check
step3
show arp anti-spoofing
validation operation
step4
end
return to privilege mode
step5
copy
startup-config
running-config
PDF pdfFactory Pro
www.fineprint.cn
save modified configuration
Page 8 of 11
ARP Configuration
1.2.5 Configuring Default of Anti-Spoofing

Table 1-5 Configure default of anti-spoofing
Function
Default
arp anti-spoofing
disable
Configure ARP Packet Source MAC Address

Consistency Check
enable
arp anti-spoofing unknown {diacard | flood}
discard
1.2.6 Displaying and Maintain Anti-spoofing

Table 1-6 Configure default of anti-spoofing
Command
Operation
Display the status of anti-spoofing
show arp anti-spoofing
Display users whether add into black hole
show mac-address-table blackhole
1.3 Configuring against ARP Flood

1.3.1 ARP Flood
Flood attacks are based on the principle of the general flow of a large number of
attack packets in the network equipment such as routers, switches, and servers,
leading to depletion of network equipment, leaving the CPU down the network.
Flood attacks are based on the principle of the general flow of a large number of
attack packets in the network equipment such as routers, switches and servers,
leading to depletion of network equipment, leaving the CPU down the network.
1.3.2 Configuring against ARP Flood
ARP flood attack is aimed mainly at the impact of network device's CPU, the core CPU
resources leading to depletion. To defend this type of attack, the switch must
determine in advance and to prohibit flood packet forwarding.
MyPower S3100's ARP anti-flood function to identify each ARP traffic, according to
the ARP rate setting security thresholds to determine whether the ARP flood attack,
when a host's ARP traffic exceeds a set threshold, the switch will be considered a
flood attack , immediately pulled into the black host of the virus, banned from the
host and all packet forwarding.
In order to facilitate the management of the network administrator to maintain,
MyPower S3100, while the automatic protection will be saved in the system log
related to alarms. For disabled users, administrators can set automatic or manual
recovery.
In the MyPower S3100 switch on the entire process is as follows:
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 11
ARP Configuration
1. Enable ARP anti-flood function will be broadcast ARP packets received on

the CPU, according to an ARP packet source MAC address to identify the
different streams.
2. Set security ARP rate, if the rate exceeds the threshold, the switch that is
ARP attack.
3. If you select the above command deny-all, when an ARP traffic exceeds
the threshold set, the switch will determine the source MAC address, the
MAC address to the black hole list of addresses to ban this address to
forward all subsequent messages.
4. If you select the above command deny-arp, ARP traffic when more than a
set threshold, the switch will be judged based on the source MAC
address, the address against all subsequent handling of ARP packets.
5. For recovery to be disabled in the user's forwarding, administrators can
set up automatic or manual recovery recovery time in two ways.
1.3.3 Configuring against ARP Flood
Command
Table 1-7 Configure against ARP flood

Operation
Enter global
configuration mode
configure terminal
Enable ARP flooding
arp anti-flood
Configure
safety
trigger threshold
Remark
required
optional
arp anti-flood threshold threshold
By default, the safety

trigger threshold 16PPS
optional
Configure approach for

the attacker
arp anti-flood action {deny-arp|deny-all}

threshold threshold
By default, for the

attacker's approach to
deny ARP
optional
Configure
automatically banned
user recovery time
Banned user manual

resume forwarding..
arp anti-flood recover-time time
By default, the user

automatically
banned
recovery time of 10
minutes.
arp anti-flood recover {H:H:H:H:H:H | all}
PDF pdfFactory Pro
Configurable time range

is <0-1440> minutes, set
to 0, said to be manually
restored.
www.fineprint.cn
optional
Page 10 of 11
ARP Configuration
1.3.4 Displaying and Maintain against ARP Flood

Operation
Display
ARP
Command
anti-flood
configuration and attackers list
show arp anti-flood
PDF pdfFactory Pro
www.fineprint.cn
Remark
Perform either of
the commands
Page 11 of 11
IGMP Snooping Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 16

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 16
XXXX Feedback Form

services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 16
Contents
Chapter 1 IGMP Snooping................................................................................................................. 5
1.1 Brief Introduction to IGMP Snooping.................................................................................. 5
1.2 IGMP Snooping Configuration............................................................................................. 5
1.2.1 Brief Configuration to IGMP Snooping ..................................................................... 5
1.2.2 Enable IGMP Snooping............................................................................................. 6
1.2.3 Configuring IGMP Snooping Timer .......................................................................... 6
1.2.4 Configuring Port Fast-leave ...................................................................................... 6
1.2.5 Configuring Number of Multicast Group Allowed Learning ..................................... 7
1.2.6 Configuring IGMP Snooping Querier........................................................................ 7
1.2.7 Configuring IGMP Snooping Multicast Learning Strategy ........................................ 8
1.2.8 Configuring IGMP Snooping Router-Port ................................................................. 9
1.2.9 Configuring IGMP Snooping Port Multicast VLAN.................................................... 9
1.2.10 Configuring Host Port Record MAC Functions ....................................................... 9
1.2.11 Configuring Port of Dropped Query Packets or Not ............................................. 10
1.2.12 Configuring Port of Discarded Packets Report or Not .......................................... 10
1.2.13 Configuring Multicast Preview ............................................................................. 10
1.2.14 Configuring Profile of Black and White List .......................................................... 11
1.2.15 Displaying and Maintenance of IGMP Snooping .................................................. 12
1.3 IGMP Snooping Configuration Examples .......................................................................... 12
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 16
Chapter 1 IGMP Snooping

1.1 Brief Introduction to IGMP Snooping
IGMP (Internet Group Management Protocol) is a part of IP protocol which is used to
support and manage the IP multicast between host and multicast router. IP multicast
allows transferring IP data to a host collection formed by multicast group. The
relationship of multicast group member is dynamic and host can dynamically add or
exit this group to reduce network load to the minimum to realize the effective data
transmission in network.
IGMP Snooping is used to monitor IGMP packet between host and routers. It can
dynamically create, maintain, and delete multicast address table according to the
adding and leaving of the group members. At that time, multicast frame can transfer
packet according to his own multicast address table.
1.2 IGMP Snooping Configuration

1.2.1 Brief Configuration to IGMP Snooping
Table 1-1 Brief configuration of IGMP Snooping
Remark
Detailed
configuration
Enable IGMP Snooping
required
3.2.2
Configure IGMP Snooping multicast interface

aging time
optional
3.2.3
Configure
IGMP
max-response-time
Snooping
optional
3.2.3
Configure
fast-leave
interface
optional
3.2.4
Configure the number of the multicast group

allowed learning
optional
3.2.5
Configure IGMP-Snooping multicast learning

strategy
optional
3.2.6
Configure IGMP-Snooping CSS
optional
3.2.7
Configure route-port
optional
3.2.8
Configure IGMP Snooping multicast VLAN
optional
3.2.9
Configuration Task
IGMP
Snooping
basic
configuration
Modify and
optimize
IGMP
Snooping
configuration
IGMP
Snooping
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 16

Configure port record host MAC
optional
3.2.10
Configure port whether waive research

packets or not
optional
3.2.11
Configure port whether waive report packets

or not
optional
3.2.12
Configure multicast preview
optional
3.2.13
Configure IGMP Snooping profile name list
optional
3.2.14
optional
3.2.15
Display and maintain IGMP Snooping
1.2.2 Enable IGMP Snooping

Table 1-2 Brief configuration of IGMP Snooping
Command
Operation
configure terminal
Enable IGMP Snooping
igmp-snooping
Remark
-
1.2.3 Configuring IGMP Snooping Timer

Table 1-3 Configure IGMP Snooping timer
Command
Operation
configure terminal
Remark
optional
Configure
IGMP
Snooping
multicast interface aging time
igmp-snooping
time
host-aging-time By default, dynamic

interface aging time
is300S
Configure maximum leave time
igmp-snooping
max-response-time time
optional
by default, maximum
leave time is 10S
1.2.4 Configuring Port Fast-leave

Under normal circumstances, IGMP-Snooping on IGMP leave message is received
directly will not remove the port from the multicast group, but to wait some time
before the port from the multicast group.
Enabling quickly delete function, IGMP-Snooping IGMP leave packet received,
directly to the port from the multicast group. When the port is only one user, can be
quickly removed to save bandwidth
Table 1-4 Configure port fast-leave
Command
Operation
PDF pdfFactory Pro
www.fineprint.cn
Remark
Page 6 of 16

configure terminal
optional
Configure port fast-leave
igmp-snooping fast-leave
By default, port fast-leave

disables
1.2.5 Configuring Number of Multicast Group Allowed Learning

Use igmp-snooping group-limit command to configure the number of the multicast
group allowed learning.
Table 1-5 Configure the number of the multicast group allowed learning
Command
Operation
Remark

mode
configure terminal
optional
Configure the number of the

multicast
group
allowed
learning
igmp-snooping
number
group-limit
By default, the number of

the multicast group allowed
learning
is
NUM_MULTICAST_GROUPS
1.2.6 Configuring IGMP Snooping Querier

In an IP multicast network running IGMP, a multicast router or Layer 3 multicast
switch is responsible for sending IGMP general queries, so that all Layer 3 multicast
devices can establish and maintain multicast forwarding entries, thus to forward
multicast traffic correctly at the network layer .This router or Layer 3 switch is called
IGMP querier.
However, a Layer 2 multicast switch does not support IGMP, and therefore cannot
send general queries by default. By enabling IGMP Snooping on a Layer 2 switch in a
VLAN where multicast traffic needs to be Layer-2 switched only and no multicast
routers are present, the Layer 2 switch will act as the IGMP Snooping querier to send
IGMP queries, thus allowing multicast forwarding entries to be established and
maintained at the data link layer.
Table 1-6 Configure IGMP Snooping querier
Command
Operation

mode
configure terminal
Configuration is not black and
igmp-snooping {permit | deny}
PDF pdfFactory Pro
www.fineprint.cn
remark
optional
Page 7 of 16

white list in the multicast group
to learn the rules of the default
{group all | vlan vid}
By default, not black and

white list in the multicast
group to learn the rules
for the learning of all
multicast group
optional
Configure the port multicast

black list

group-range MAC multi-count
num vlan vid
Configure the port to

learn (not learn) VID of
the start of continuous
num mac multicast
groups
optional

group MAC vlan vid
By default, any multicast

group are not black and
white list are added
1.2.7 Configuring IGMP Snooping Multicast Learning Strategy

Configured multicast learning strategies, the administrator can control the router
only to learn the specific multicast group. If a multicast group is added to the
blacklist, then the router will not learn the multicast group; the contrary, in the
white list in the router can learn multicast group.
Table 1-7 Configuring IGMP Snooping multicast learning strategy
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal
Open the IGMP-Snooping

querier
igmp-snooping querier
Configuring VLAN general

query messages
igmp-snooping querier-vlan vid
Optional
Configured
to
send
general query message
interval
igmp-snooping query-interval interval
Optional
Configuration is generally
the maximum query
response
time
of
message
igmp-snooping query-max-respond time
Optional
Configured
to
send
general inquiries packet
source IP address
igmp-snooping general-query source-ip IP
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 16
1.2.8 Configuring IGMP Snooping Router-Port

You can configure the router port will be automatically added to the dynamic IGMP
Snooping Multicast learn to make routing port also has a multicast packet
forwarding capability.
When the switch receives a host membership report sent packets, the port will be
forwarded to the route.
Table 1-8 Configuring Routing port
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal
Configure hybrid routing

port
igmp-snooping route-port forward
Optional
Configure
dynamic
routing port aging time
igmp-snooping router-port-age {on | off | age-time}
Optional
Configure static routing

port
igmp-snooping route-port vlan vid interface {All |

ethernet interface-num}
Optiona
1.2.9 Configuring IGMP Snooping Port Multicast VLAN

Multicast VLAN on the port function, regardless of the port receiving the IGMP
messages belong to which VLAN, the switch will be modified as a multicast VLAN.
Table 1-9 Configure IGMP Snooping port multicast VLAN
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal

mode
Configure
IGMP
Snooping port multicast
VLAN
igmp-snooping multicast vlan vid
Optional
1.2.10 Configuring Host Port Record MAC Functions

When this feature is enabled on the port, the switch will record the source packet
IGMP report MAC address.
Table 1-10 Configure the host port record MAC functions
Operation
Enter
global
configuration mode
Command
configure terminal
PDF pdfFactory Pro
www.fineprint.cn
Remarks
Page 9 of 16

mode
Configure the host port

record MAC
igmp-snooping record-host
Optional
1.2.11 Configuring Port of Dropped Query Packets or Not

When this feature is enabled on a port, the switch drops the IGMP query message.
Default port to receive all IGMP packets.
Table 1-11 Configure port of dropped query packets or not
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal

mode
Discard
the
query
message
to
the
configuration port
igmp-snooping drop query
Optional

receive
the
query
message
no igmp-snooping drop query
Optional
1.2.12 Configuring Port of Discarded Packets Report or Not

When this feature is enabled on a port, the switch drops the IGMP report message.
Default port to receive all IGMP packets.
Table 1-12 Configure port of discarded packets report or not
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal

mode
Configure
the
port
discarded packets report
igmp-snooping drop report
Optional

receive a report with
no igmp-snooping drop report
Optional
1.2.13 Configuring Multicast Preview
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 16
Multicast IGMP Snooping provides preview feature, users can configure the
multicast channel preview, you can configure a single multicast length preview,
preview interval, duration, and reset to allow preview times.
Table 1-13 Configure multicast preview
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal
Configuring
preview
igmp-snooping preview
Multicast
Configure
multicast
channel preview
igmp-snooping preview group-ip IP vlan vid interface

Optional
Configuration when the

long single preview,
preview
interval,
duration and allows
preview preview reset
the number of
igmp-snooping preview {time-once time-once

time-interval time-interval time-reset time-reset
permit-times preview-times }
Optional
1.2.14 Configuring Profile of Black and White List

IGMP Snooping provides the way black and white list feature profile, first in global
configuration mode to create a number of profile, then the port configuration mode
to configure the port reference profile list. Users can configure the IGMP Snooping
profile of the type and scope, which refers to the type of permit / deny, you can use
the multicast IP address range or MAC address to configure. IGMP Snooping profile
only the port referenced to take effect, the configuration port reference profile, the
more the type of profile must be the same between that port can only refer to the
same type (permit or deny) the profile. When the port is referenced permit the
profile, the profile can only learn the definition of the corresponding multicast group;
when the port reference deny the profile, the profile can be defined in addition to
learning outside of all multicast group; when the port does not refer to any profile, in
accordance with Normally learning multicast group.
Table 1-14 Configure profile of black and white list
Operation
Command
Remarks
Enter
global
configuration mode
configure terminal
Create a profile, and

enter
profile
configuration mode
igmp-snooping profile profile-id
Configuration
types
profile limit {permit | deny}
profile
PDF pdfFactory Pro
www.fineprint.cn
Optional
Page 11 of 16

Configuration profile ip
range
ip range start-ip end-ip [vlan vlan-id]
Optional
Range of configuration
profile mac
mac range start-mac end-mac [vlan vlan-id]
Optional

mode
Reference configuration
profile
igmp-snooping profile refer profile-list
Optional
1.2.15 Displaying and Maintenance of IGMP Snooping

After completing the above configuration, can use the following command to view
configuration.
Table 1-14 Configure displaying and maintenance of IGMP Snooping
Operation
Command
See the related configuration IGMP

Snooping
static
router
port
configuration
Display Record in host MAC
Display information about multicast
preview
Display the current state of multicast
channel preview
Display
profile
information
Display multicast group
show igmp-snooping
show igmp-snooping router-dynamic
See dynamic routing port

Display
Remarks
configuration
show igmp-snooping router-static

show igmp-snooping record-host
[interface ethernet interface-num]
show igmp-snooping preview
Performs
either of the
commands
show igmp-snooping preview status

show igmp-snooping profile
[interface ethernet interface-num]
[profile-list]
show multicast [interface ethernet
interface-num]
1.3 IGMP Snooping Configuration Examples

IGMP Snooping configuration examples as below:
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 16
Multicast
Source Router
Ethernet0/0/4
Host-A
Ethernet0/0/2
Ethernet0/0/1
S-switch-A
Host-B
Ethernet0/0/3
Host-C
Figure 1-1
1. Network requirements
As shown in the figure 1-1, Host-A, Host-B, Host-C hosts separately belong to VLAN2,
VLAN3, VLAN4.Three hosts separately receive the data of the multicast address
224.0.1.1-224.0.1.3 per configuring.
2. Configuration steps
Configuring S-switch-A
#Configure VLAN2 to 4, and add the ports separately into VlAN2,3,4 of Ethernet0/0/1,
Ethernet0/0/2 and Ethernet0/0/3.
S-switch-A(config)#vlan 2
S-switch-A(config-if-vlan)#switchport ethernet 0/0/1
S-switch-A(config-if-vlan)#exit
#Enable igmp snooping
S-switch-A(config)#igmp-snooping
When Host-A, Host-B, Host-C forward IGMP report to S-switch-A, S-switch-A will
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 16
learn corresponding multicast table entry port; When the Multicast Source Router
send igmp query time to the S-switch-A message, S-switch-A will learn the
appropriate router port entry.
Show the switch learned multicast group
S-switch-A(config)#show multicast
show multicast table information
MAC Address
: 01:00:5e:00:01:01
VLAN ID
:2
Static port list
:.
IGMP port list
: e0/0/1
Dynamic port list
:
MAC Address
VLAN ID
Static port list
IGMP port list
Dynamic port list
: 01:00:5e:00:01:02
:3
:.
: e0/0/2
:
MAC Address
VLAN ID
Static port list
IGMP port list
Dynamic port list
: 01:00:5e:00:01:03
:4
:
: e0/0/3.
:
Total entries: 3 .
S-switch-A(config)#show igmp-snooping router-dynamic
Port
VID
Age
Type
e0/0/4
2
284
{ STATIC }
e0/0/4
3
284
{ STATIC }
e0/0/4
4
284
{ STATIC }
Total Record: 3
When Multicast Source Router sends 224.0.1.1-224.0.1.3 multicast serve data flow,
S-switch-A will forward corresponding to Host-A, Host-B, Host-C.
Static multicast configuration examples:
Configuration steps:
Configuring S-switch-A
#configure VLAN 2 to 4, and add the ports into VLAN2, 3, 4 of Ethernet0/0/1,
Ethernet0/0/2 and Ethernet0/0/3.
PDF pdfFactory Pro
www.fineprint.cn
Page 14 of 16
#Add the ports into the VLAN2 to VLAN4 of Ethernet0/0/4, configure Ethernet0/0/4 as
static router port.
S-switch-A(config)#vlan 2-4
S-switch-A(config)#igmp-snooping route-port vlan 2 interface ethernet 0/0/4
#configure static multicast group
S-switch-A(config)#multicast mac-address 01:00:5e:00:01:01 vlan 2
S-switch-A(config)#multicast mac-address 01:00:5e:00:01:01 vlan 2 interface
ethernet 0/0/1
ethernet 0/0/2
ethernet 0/0/3
Show the switch learned multicast groups
S-switch-A(config)#show multicast
MAC Address
: 01:00:5e:00:01:01
VLAN ID
:2
Static port list
:.e0/0/1
IGMP port list
:
Dynamic port list
:
MAC Address
VLAN ID
Static port list
IGMP port list
Dynamic port list
: 01:00:5e:00:01:02
:3
: e0/0/2
:
:
MAC Address
VLAN ID
: 01:00:5e:00:01:03
:4
PDF pdfFactory Pro
www.fineprint.cn
Page 15 of 16
Static port list

IGMP port list
Dynamic port list
: e0/0/3
:
:
Total entries: 3 .
S-switch-A(config)#show igmp-snooping router-static
Port
VID
Age
Type
e0/0/4
2
no age
{ STATIC }
e0/0/4
3
no age
{ STATIC }
e0/0/4
4
no age
{ STATIC }
Total Record: 3
When Multicast Source Router sends 224.0.1.1-224.0.1.3 multicast serve data flow,
S-switch-A will forward corresponding to Host-A, Host-B, Host-C.
PDF pdfFactory Pro
www.fineprint.cn
Page 16 of 16
GMRP Configuration
GMRP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 10
GMRP Configuration

XXXX makes no representations or warranties with respect to this document contents and specifically disclaims any
implied warranties of merchantability or fitness for any specific purpose. Further, XXXX reserves the right to revise
this document and to make changes from time to time in its content without being obligated to notify any person of
such revisions or changes.
comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 10
GMRP Configuration
XXXX Feedback Form

Your opinion helps us improve the quality of our product documentation and offer better services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 10
GMRP Configuration
Content
Chapter 1 GMRP Configuration......................................................................................................... 5
1.1 Brief Introduction to GMRP ................................................................................................ 5
1.2 GMRP Configuration ........................................................................................................... 5
1.2.1 Enabling GMRP......................................................................................................... 5
1.2.2 Add Requisite Static Route Forwarded by GMRP ..................................................... 5
1.2.3 Displaying and Maintain GMRP................................................................................ 6
1.2.4 GMRP Configuring Examples.................................................................................... 6
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 10
GMRP Configuration
Chapter 1 GMRP Configuration

1.1 Brief Introduction to GMRP
GMRP (GARP Multicast Registration Protocol) is a kind of application of GARP
(Generic Attribute Registration Protocol), which is based on GARP working
mechanism to maintain the dynamic multicast register information in switch. All
switches supported GMRP can receive multicast register information from other
switches and upgrade local multicast register information dynamically and transfer it
to other switches to make the consistency of multicast information of devices
supported GMRP in the same switching network. Multicast register information
transferred by GMRP includes local manual configuration of static multicast register
information and the dynamic multicast register information of other switch.
1.2 GMRP Configuration

1.2.1 Enabling GMRP
Enable GMRP needs in both globally and port configuration. By default, GMRP
disable in both globally and port configuration.
Table 1-1 Enable GMRP
Operation
Command
Remark
Enter globally configuration mode
configure terminal
Enable GMRP in global configuration

mode
gmrp
required
interface ethernet
device/slot/port
Enable GMRP in port configuration

mode
gmrp
required
1.2.2 Add Requisite Static Route Forwarded by GMRP

It forwards dynamically broadcast learning from GMRP when startup GMRP, but it is
necessary for administrator to configure manually when GMRP forwards local static
broadcast.
Table 1-2 Add requisite static route forwarded by GMRP
Operation
Command
configure terminal
Add requisite static route forwarded by garp permit multicast

GMRP
mac-address mac vlan
PDF pdfFactory Pro
www.fineprint.cn
Remark
required
Page 5 of 10
GMRP Configuration
vid
1.2.3 Displaying and Maintain GMRP

After finishing above configuration, you can use below commands to show GMRP
client configuration.
Table 1-3 Display and maintain GMRP
Operation
Command
display GMRP in globally configuration mode
show gmrp
Display GMRP in port configuration mode
show gmrp interface

[ethernet interface-n
um]
Display GMRP permit multicast
show garp permit

multicast
Display local broadcast (including static and

learning broadcast by GMRP )
show multicast
Remark
Perform either of the

commands
1.2.4 GMRP Configuring Examples

As shown below, S1 and S3 by GMRP protocol packets to its own static multicast
information circular to S2, S2 by GMRP packets will be learned by GMRP multicast
information circular to go out in the end, making S1, S2, S3 the multicast information
to be synchronized.
Figure 1-1 network
Configuration steps:
!Configuration on S1
*************************************************************
!Before configuration
Switch(config-if-vlan)#switchport ethernet 0/0/1 to ethernet 0/0/10
Switch(config)#multicast mac-address 01:00:5e:01:01:01 vlan 111
adding multicast group successfully !
Switch(config)#multicast mac-address 01:00:5e:01:01:01 vlan 111 interface
ethernet 0/0/1 to ethernet 0/0/10
adding multicast group port successfully !
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 10
GMRP Configuration
!Configure GMRP
Switch(config)#gvrp
Switch(config)#gmrp
Turn on GMRP successfully.
Switch(config)#garp permit multicast mac-address 01:00:5e:01:01:01 vlan
111
Switch(config-if-ethernet-0/0/1)#gmrp
!GVRP configuration verification
Switch(config)#show gmrp
GMRP status : enable
Switch(config)#show gmrp interface ethernet 0/0/1
port
GMRP status
e0/0/1 enable
Total entries: 1.
Switch(config)#show garp permit multicast
GARP permit multicast:
vlan 111, mac 01:00:5e:01:01:01
*************************************************************
*************************************************************
Switch(config-if-range)#switchport mode trunk
!Configure GMRP
Switch(config)#gvrp
Turn on GVRP successfully
Switch(config)#gmrp
Switch(config-if-range)#gvrp
Switch(config-if-range)#gmrp
GMRP state : enable
Switch(config)#show gmrp interface ethernet 0/0/2 ethernet 0/0/3
port
GMRP status
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 10
GMRP Configuration
e0/0/2 enable
e0/0/3 enable
Total entries: 2.
*************************************************************
*************************************************************
Switch(config-if-vlan)#switchport ethernet 0/0/1 to ethernet 0/0/10
Switch(config)#multicast mac-address 01:00:5e:03:03:03 vlan 333
adding multicast group successfully !
Switch(config)#multicast mac-address 01:00:5e:03:03:03 vlan 333 interface
ethernet 0/0/1 to ethernet 0/0/10
adding multicast group port successfully !
!Configure GMRP
Switch(config)#gvrp
Switch(config)#gmrp
Switch(config)#garp permit multicast mac-address 01:00:5e:03:03:03 vlan
333
Switch(config-if-ethernet-0/0/4)#gmrp
GMRP status : enable
Switch(config)#show gmrp interface ethernet 0/0/4
port
GMRP status
e0/0/4 enable
Total entries: 1.
Switch(config)#show garp permit multicast
GARP permit multicast:
vlan 333, mac 01:00:5e:03:03:03
*************************************************************
After configuration is complete, you can show multicast command to view
the function of learning to GMRP multicast registration information.
!View the multicast information in S1 can be found, 01:00:5 e: 03:03:03 is
learned by GMRP multicast.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 10
GMRP Configuration
Switch(config)#show multicast
MAC Address
: 01:00:5e:01:01:01
VLAN ID
: 111
Static port list : e0/0/1-e0/0/10.
IGMP port list
:
Dynamic port list :
MAC Address
: 01:00:5e:03:03:03
VLAN ID
: 333
Static port list :
IGMP port list
:
Dynamic port list : e0/0/1.
Total entries: 2 .
! To view the multicast information on S3 can be found, 01:00:5 e: 01:01:01
and 01:00:5 e: 03:03:03 through learning to GMRP multicast.
MAC Address
: 01:00:5e:01:01:01
VLAN ID
: 111
Static port list :
IGMP port list
:
MAC Address
: 01:00:5e:03:03:03
VLAN ID
: 333
Static port list :
IGMP port list
:
Total entries: 2 .
!View multicast information on S3 can be found, 01:00:5 e: 01:01:01 by
GMRP multicast learn.
MAC Address
: 01:00:5e:01:01:01
VLAN ID
: 111
Static port list :
IGMP port list
:
MAC Address
VLAN ID
Static port list
: 01:00:5e:03:03:03
: 333
: e0/0/1-e0/0/10.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 10
GMRP Configuration
IGMP port list

:
Dynamic port list :
Total entries: 2 .
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 10
DHCP Configuration
DHCP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 16
DHCP Configuration

comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 16
DHCP Configuration
XXXX Feedback Form
services.
Document
Title
Product
Version
Evaluate this
document
Documen
t Revision
Number
1.0
Presentation:
Good
Fair
Average
Poor
Accessibility:
Good
Fair
Average
Poor
Editorial:
Good
Your
suggestions
to improve
the
document
Fair
Average
Poor

Improve Contents
Make more concise

Improve arrangement
Include images
Add more detail
Improve index

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 16
DHCP Configuration
Content
Chapter 1
DHCP Configuration ........................................................................................................ 1
1.1 DHCP Overview ........................................................................................................................ 1
1.2 DHCP IP Address Assignment .................................................................................................... 1
1.2.1 IP Address Assignment Policy ......................................................................................... 1
1.2.2 Obtaining IP Addresses Dynamically ................................................................................ 2
1.2.3 DHCP Packet Format ...................................................................................................... 3
1.3 DHCP Relay .............................................................................................................................. 5
1.3.1 Usage of DHCP Relay...................................................................................................... 5
1.3.2 DHCP Relay Fundamentals ............................................................................................. 5
1.4 Configure DHCP Relay ............................................................................................................... 6
Chapter 2
DHCP Snooping .............................................................................................................. 7
2.1 Introduction to DHCP Snooping ................................................................................................. 7
2.2 DHCP Snooping Configuration ................................................................................................... 7
2.3 DHCP-Snooping Security Configuration ...................................................................................... 8
2.3.1 Configure Max Clients Number ....................................................................................... 8
2.3.2 Configure IP-Source-Guard ............................................................................................. 8
2.4 Displaying and Debugging DHCP-Snooping ................................................................................. 9
2.5 DHCP-Snooping Configuration Example...................................................................................... 9
Chapter 3
DHCP Option 82 ........................................................................................................... 11
3.1 Introduction to option 82 supporting ....................................................................................... 11
3.2 DHCP Option82 Configuration ................................................................................................. 11
3.2.1 Enable DHCP Option82 ................................................................................................. 11
3.2.2 Displaying and Debugging DHCP Option82..................................................................... 12
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 16
DHCP Configuration
Chapter 1 DHCP Configuration

1.1 DHCP Overview
With networks getting larger in size and more complicated in structure, lack of
available IP addresses becomes the common situation the network administrators
have to face, and network configuration becomes a tough task for the network
administrators. With the emerging of wireless networks and the using of laptops, the
position change of hosts and frequent change of IP addresses also require new
technology. Dynamic host configuration protocol (DHCP) is developed in this
background.
DHCP adopts a client/server model, where DHCP clients send requests to DHCP
servers for configuration parameters; and the DHCP servers return the
corresponding configuration information such as IP addresses to configure IP
addresses dynamically. A typical DHCP application includes one DHCP server and
multiple clients (such as PCs and laptops), as shown in Picture 1-1.
Picture 1-1.
Typical DHCP application
1.2 DHCP IP Address Assignment

1.2.1 IP Address Assignment Policy
Currently, DHCP provides the following three IP address assignment policies to meet
the requirements of different clients:
Manual assignment. The administrator statically binds IP addresses to few clients
with special uses (such as WWW server). Then the DHCP server assigns these fixed IP
addresses to the clients.
Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP
addresses will be occupied by the DHCP clients permanently.
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 16
DHCP Configuration
Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for
predetermined period of time. In this case, a DHCP client must apply for an IP
address at the expiration of the period. This policy applies to most clients.
1.2.2 Obtaining IP Addresses Dynamically
Interaction between a DHCP client and a DHCP server is as shown in Picture 1-2.
Picture 1-2.
Interaction between a DHCP client and a DHCP server
There are three different modes for DHCP client to obtain IP address in different
stage:
(1) Initial login for DHCP client
There are four stages for the initial login of DHCP client:
Discover. In this phase, the DHCP client tries to find a DHCP server by
broadcasting a DHCP-DISCOVER packet.
Offer. In this phase, the DHCP server offers an IP address. Each DHCP server that
receives the DHCP-DISCOVER packet chooses an unassigned IP address from the
address pool based on the IP address assignment policy and then broadcasts a
DHCP-OFFER packet to the DHCP client.
Select: In this phase, the DHCP client selects an IP address. If more than one
DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client only
accepts the DHCP-OFFER packet that first arrives, and then broadcasts a
DHCP-REQUEST packet containing the assigned IP address carried in the
DHCP-OFFER packet.
Acknowledge: Upon receiving the DHCP-REQUEST packet, the DHCP server
returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP
address to the client. When the client receives the DHCP-ACK packet, it broadcasts
an ARP packet with the assigned IP address as the destination address to detect the
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 16
DHCP Configuration
assigned IP address, and uses the IP address only if it does not receive any response
within a specified period.
The IP addresses offered by other DHCP servers (if any) are not used by the DHCP
client and are still available to other clients.
(2) The next login for DHCP client
When DHCP client relogin, there are two types of situation:
The last-assigned IP address is not occupied. Broadcast a DHCP-REQUEST packet
containing the assigned IP address, the DHCP server returns a DHCP-ACK packet to
the DHCP client to confirm the assignment of the IP address to the client.
The last-assigned IP address is occupied. Broadcast a DHCP-REQUEST packet
containing the assigned IP address, the DHCP server returns a DHCP-NAK packet to
refuse the assignment of the IP address to the client. The client will re-send
DHCP_Discover packet to request a new IP address.
(3) Updating IP Address Lease
After a DHCP server dynamically assigns an IP address to a DHCP client, the IP
address keeps valid only within a specified lease time and will be reclaimed by the
DHCP server when the lease expires. If the DHCP client wants to use the IP address
for a longer time, it must update the IP lease.
By default, a DHCP client updates its IP address lease automatically by unicasting a
DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The
DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP
lease if the server can assign the same IP address to the client. Otherwise, the DHCP
server responds with a DHCP-NAK packet to notify the DHCP client that the IP
address will be reclaimed when the lease time expires.
If the DHCP client fails to update its IP address lease when half of the lease time
elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet
to the DHCP server again when seven-eighths of the lease time elapses. The DHCP
server performs the same operations as those described in the previous section.
1.2.3 DHCP Packet Format
DHCP has eight types of packets. They have the same format, but the values of some
fields in the packets are different. The DHCP packet format is based on that of the
BOOTP packets. The following table describes the packet format (the number in the
brackets indicates the field length, in bytes):
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 16
DHCP Configuration
Picture 1-3.
DHCP packet format
The field meanings are illustrated as follows:

op: Operation types of DHCP packets: 1 for request packets and 2 for response
packets.
htype, hlen: Hardware address type and length of the DHCP client.
hops: Number of DHCP relays which a DHCP packet passes. For each DHCP relay that
the DHCP request packet passes, the field value increases by 1.
xid: Random number that the client selects when it initiates a request. The number is
used to identify an address-requesting process.
secs: Elapsed time after the DHCP client initiates a DHCP request.
flags: The first bit is the broadcast response flag bit. It is used to identify that the
DHCP response packet is sent in the unicast or broadcast mode. Other bits are
reserved.
ciaddr: IP address of a DHCP client.
yiaddr: IP address that the DHCP server assigns to a client.
siaddr: IP address of the DHCP server.
giaddr: IP address of the first DHCP relay that the DHCP client passes after it sent the
request packet.
chaddr: Hardware address of the DHCP client.
sname: Name of the DHCP server.
file: Name of the start configuration file that the DHCP server specifies for the DHCP
client.
option: Optional variable-length fields, including packet type, valid lease time, IP
address of a DNS server, and IP address of the WINS server.
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 16
DHCP Configuration
1.3 DHCP Relay

1.3.1 Usage of DHCP Relay
Since the packets are broadcasted in the process of obtaining IP addresses, DHCP is
only applicable to the situation that DHCP clients and DHCP servers are in the same
network segment, that is, you need to deploy at least one DHCP server for each
network segment, which is far from economical.
DHCP Relay is designed to address this problem. It enables DHCP clients in a subnet
to communicate with the DHCP server in another subnet so that the DHCP clients
can obtain IP addresses. In this case, the DHCP clients in multiple networks can use
the same DHCP server, which can decrease your cost and provide a centralized
administration.
1.3.2 DHCP Relay Fundamentals
Picture 1-4.
Typical DHCP relay application
DHCP relays can transparently transmit broadcast packets on DHCP clients or servers
to the DHCP servers or clients in other network segments.
In the process of dynamic IP address assignment through the DHCP relay, the DHCP
client and DHCP server interoperate with each other in a similar way as they do
without the DHCP relay. The following sections only describe the forwarding process
of the DHCP relay. For the interaction process of the packets, see 1.2.2 Obtaining IP
Addresses Dynamically.
The DHCP client broadcasts the DHCP-DISCOVER packet.
After receiving the packets, the network device providing the DHCP relay function
unicasts the packet to the designated DHCP server based on the configuration.
The DHCP server assigns IP addresses, and then broadcasts the configuration
information to the client through the DHCP relay. The sending mode is determined
by the flag in the DHCP-DISCOVER packets from the client. For detailed information,
refer to section 1.3 DHCP Packet Format.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 16
DHCP Configuration
1.4 Configure DHCP Relay

Table 1-1 Configure DHCP Relay
Operation
mode
Enable DHCP Relay
Enter vlan configuration mode
Configure vlan ipaddres
Configure vlan DHCP server
Command
configure terminal
dhcp-relay
vlan <vid>
interface
ip
<ip>
<mask>
<gateway>
dhcpserver { ip | backupip } <ip>
PDF pdfFactory Pro
www.fineprint.cn
Remarks
required
required
required
required
Page 6 of 16
DHCP Configuration
Chapter 2 DHCP Snooping

2.1 Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be
tracked for the administrator to verify the corresponding relationship between the IP
addresses the DHCP clients obtained from DHCP servers and the MAC addresses of
the DHCP clients. Switches can track DHCP client IP addresses through the DHCP
snooping function, which listens DHCP broadcast packets.
DHCP snooping listens the following two types of packets to retrieve the IP addresses
the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP
clients:
DHCP-ACK packet
DHCP-REQUEST packet
When an unauthorized DHCP server exists in the network, a DHCP client may obtains
an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid
DHCP servers, you can specify a port to be a trusted port or an untrusted port by the
DHCP snooping function.
Trusted ports can be used to connect DHCP servers or ports of other switches.
Untrusted ports can be used to connect DHCP clients or networks.
Untrusted ports drop the DHCP-ACK and DHCP-OFFER packets received from DHCP
servers. Trusted ports forward any received DHCP packets to ensure that DHCP
clients can obtain IP addresses from valid DHCP servers.
2.2 DHCP Snooping Configuration

Perform following commands in global configuration mode.
Table 1-1 Configure the DHCP snooping function
Operation
Enable DHCP-Snooping
mode
Configure port connected to
DHCP server direction to be
Trust
Command
Description
dhcp-snooping
By default, DHCP-Snooping is
disabled.
interface Ethernet
(device/slot/port)
port_id
dhcp-snooping trust
PDF pdfFactory Pro
www.fineprint.cn
By default, all ports are

untrust port.
Page 7 of 16
DHCP Configuration
2.3 DHCP-Snooping Security Configuration

2.3.1 Configure Max Clients Number
A private DHCP server on a network also answers IP address request packets and
assigns IP addresses to DHCP clients. However, the IP addresses they assigned may
conflict with those of other hosts. As a result, users cannot normally access networks.
This kind of DHCP servers are known as private DHCP servers. Therefore,
administrators can:
Restrict the DHCP-Client number connected to switch port. So only the clients
connected to the same port with the attacker will suffer the attack.
Restrict the DHCP-Client number in specified VLAN. So only the clients in the same
VLAN with the attacker will suffer the attack.
This function should be work with DHCP-Snooping. Perform following commands in
interface configuration mode.
Table 1-2 Configure max clients number
Operation
Command
Configure max DHCP-Client

number connected to switch
port
dhcp-snooping
<0-2048>
Enter VLAN mode
vlan vlan_list
Configure max DHCP-Client

number in specified VLAN.
dhcp-snooping
<0-2048>
Description
max-clients
max-clients
By
default,
the
max
DHCP-Client
number
connected to switch port is
2048.
By
default,
the
max
DHCP-Client
number
in
specified VLAN is 2048.
2.3.2 Configure IP-Source-Guard

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a
malicious host from impersonating a legitimate host by assuming the legitimate
host's IP address. The feature uses dynamic DHCP snooping and static IP source
binding to match IP addresses to hosts on untrusted Layer 2 access ports. When
using IP-Source-Guard, pay attention:
DHCP-Snooping has been enabled
Use this function in Trust port
After enabling IP-Source-Guard, all traffic with that IP source address is permitted
from that trusted client. Traffic from other hosts is denied. This filtering limits a host's
ability to attack the network by claiming a neighbor host's IP address. The filtering
info can be source MAC, source IP and source port number.
Perform following commands in global configuration mode:
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 16
DHCP Configuration
Operation
Configure
IP-source-guard bind
table
Enter
interface
configuration mode
Enable
IP-Source-Guard on
Trust port
Table 1-3 Configure IP-Source-Guard

Command
Description
ip-source-guard bind {ip A.B.C.D |mac
HH:HH:HH:HH:HH:HH |interface ethernet
device-num<0>/slot-num<0-2>/port-num
<1-48>}
interface ethernet device/slot/port

ip-source-guard
By default, ip-source-guard
on port is disabled.
Caution:
IP source guard filters packets based on the following types of binding entries:
Source IP
Source IP + source MAC
Source IP + source MAC + source port
2.4 Displaying and Debugging DHCP-Snooping

After the above configurations, you can verify the configurations by executing the
show command in any configuration mode.
Table 1-4 Displaying and Debugging DHCP-Snooping
Operation
Display DHCP-Snooping
clients
status in interface
status in VLAN
Display IP-Source-Guard
status in interface
Display source IP binding
table of IP-Source-Guard
Command
show dhcp-snooping clients
show
dhcp-snooping
interface
device-num<0>/slot-num<0-2>/port-num<1-48>]
[ethernet
show dhcp-snooping vlan

show ip-source-guard
show ip-source-guard bind [ip A.B.C.D]
2.5 DHCP-Snooping Configuration Example

As shown in Picture 1-6, the GigabitEthernet0/0/1 port of Switch is connected to

DHCP Server. A network segment containing some DHCP clients is connected to the
GigabitEthernet 0/0/2 port of Switch.
The DHCP snooping function is enabled on Switch.
The GigabitEthernet1/0/1 port of Switch is a trusted port.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 16
DHCP Configuration
II. Network diagram
Picture 1-5.
DHCP-Snooping Configuration Example
All following commands are performed in Switch acting as a DHCP-Snooping device.

1. Enter global configuration mode
Switch(config)#
2. Enable DHCP-Snooping
Switch(config)#dhcp-snooping
Config DHCP Snooping successfully.
3. Enter interface configuration mode of Ethernet0/0/1
4. Set Ethernet0/0/1 to be Trust
Switch(config-if-ethernet-0/0/1)#dhcp-snooping trust
Config DHCP Snooping mode of port successfully.
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 16
DHCP Configuration
Chapter 3 DHCP Option 82

3.1 Introduction to option 82 supporting
Option: A length-variable field in DHCP packets, carrying information such as part of
the lease information and packet type. It includes at least one option and at most
255 options.
Option 82: Also known as relay agent information option. This option is a part of the
Option field in DHCP packet. According to RFC3046, option 82 lies before option 255
and after the other options. Option 82 includes at least one sub-option and at most
255 sub-options. Currently, the commonly used sub-options in option 82 are
sub-option 1 and sub-option 2.
Sub-option 1: A sub-option of option 82. Sub-option 1 represents the agent circuit ID,
namely Circuit ID. It holds the port number and VLAN-ID of the switch port
connected to the DHCP client, and is usually configured on the DHCP relay. Generally,
sub-option 1 and sub-option 2 must be used together to identify information about a
DHCP source.
Sub-option 2: A sub-option of option 82. Sub-option 2 represents the remote agent
ID, namely Remote ID. It holds the MAC address of the DHCP relay, and is usually
configured on the DHCP relay. Generally, sub-option 1 and sub-option 2 must be used
together to identify information about a DHCP source.
3.2 DHCP Option82 Configuration

3.2.1 Enable DHCP Option82
To enable option 82, you need to perform the corresponding configuration on the
DHCP server and the DHCP relay.
If the packet contains option 82, the DHCP relay processes the packet depending on
the configured policy:
Drop: Specifies to discard the DHCP request packets that carry option 82.
Keep: Specifies to remain the DHCP request packets that carry option 82
unchanged.
Replace: Specifies to replace the option 82 carried by a DHCP request packet
with that of the DHCP relay.
Perform following commands in global configuration mode:
Table 1-5 Enable DHCP Option82
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 16
DHCP Configuration
Operation
Command
Enable DHCP Option82
dhcp option82
Configure the strategy for the

DHCP relay to process
request packets containing
option 82
dhcp
option82
{drop|keep|replace}
strategy
Description
By default, DHCP Option82
is disabled.
By default, the DHCP relay
replaces the option 82
carried by a DHCP request
packet with its own option
82.
3.2.2 Displaying and Debugging DHCP Option82

Table 1-6 Displaying and Debugging DHCP Option82
Operation
Display DHCP option82
Command
show dhcp option82
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 16
ACL Configuration
ACL Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 13
ACL Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 13
ACL Configuration
XXXX Feedback Form
services.
Document
Title
Product
Version
Evaluate this
document
Documen
t Revision
Number
1.0
Presentation:
Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
the
document

Make more concise
Improve arrangement
Include images
Add more detail
Improve index

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 13
ACL Configuration
Contents
Chapter 1 ACL Configuring ..................................................................................................................... 5
1.1 Brief Introduction to ACL .......................................................................................................... 5
1.1.1 Configuring Match Order................................................................................................ 5
1.1.2 Switch Support ACL ........................................................................................................ 6
1.2 Configuring Time Range ............................................................................................................ 6
1.2.1 Configuration Procedure ................................................................................................ 6
1.2.2 Configuration Examples ................................................................................................. 7
1.3 Configuring a Basic ACL ............................................................................................................. 7
1.3.2 Configuration Examples ................................................................................................. 8
1.4 Define Extended ACL ................................................................................................................ 8
1.4.2 Configuration Procedure .............................................................................................. 10
1.5 Define Layer 2 ACL ................................................................................................................. 10
1.5.1 Configuring Layer 2 ACL ............................................................................................... 10
1.5.2 Configuration Examples ............................................................................................... 11
1.6 Activate ACL .......................................................................................................................... 11
1.6.1 Configuration Examples ............................................................................................... 12
1.6.2 Activate ACL successfully .Active ACL Binding................................................................. 12
1.7 Displaying and Debugging ACL ................................................................................................. 12
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 13
ACL Configuration
Chapter 1 ACL Configuring

1.1 Brief Introduction to ACL
As network scale and network traffic are increasingly growing, network security and
bandwidth allocation become more and more critical to network management.
Packet filtering can be used to efficiently prevent illegal users from accessing
networks and to control network traffic and save network resources. Access control
lists (ACL) are often used to filter packets with configured matching rules.
ACLs are sets of rules (or sets of permit or deny statements) that decide what
packets can pass and what should be rejected based on matching criteria such as
source MAC address, destination MAC address, source IP address, destination IP
address, and port number.
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for
traffic classification, the switch does not take action according to the traffic behavior
definition on a packet that does not match the ACL.
ACL according to application identified by ACL numbers, fall into three categories,
l Basic ACL: Source IP address
l Extended ACL: Source IP address, destination IP address, protocol carried on IP,
and other Layer 3 or Layer 4 protocol header information
l Layer 2 ACL: Layer 2 protocol header fields such as source MAC address,
destination MAC address, 802.1p priority, and link layer protocol type
1.1.1 Configuring Match Order
An ACL consists of multiple rules, each of which specifies different matching criteria.
These criteria may have overlapping or conflicting parts. This is where the order in
which a packet is matched against the rules comes to rescue.
Two match orders are available for ACLs:
l config: where packets are compared against ACL rules in the order in which they
are configured.
l auto: where depth-first match is performed. The term depth-first match has
different meanings for different types of ACLs. Depth-first match for a basic ACL
For example, now configuring 2 types of ACL as below:
Switch(config)#access-list 2000 deny any
l If it is the configuration mode, sub-item 0 is the first command. You can see as
below configuration:
Switch(config)#show access-list config 1
Standard IP Access List 1, match-order is config, 2 rule:
0
deny
any
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 13
ACL Configuration
1 permit 1.1.1.1 0.0.0.0

l If it is the auto mode, sub-item 0 is the longest ACL match rule. You can see as
below configuration:
Standard IP Access List 1, match-order is auto, 2 rule:
0 permit 1.1.1.1 0.0.0.0
1 deny
any
Notes, ACL must enable. Switches must obey first enable then active. Please refer
to Chapter 1.6 for detailed configuration.
1.1.2 Switch Support ACL
Switch support ACL as below:
l Basic ACL
l Extended ACL
l Layer 2 AC
1.2 Configuring Time Range

There are two kinds of configuration: configure absolute time range and periodic
time range. Configuring absolute is in the form of year, month, date, hour and
minute. Configuring periodic time range is in the form of day of week, hour and
minute.
1.2.1 Configuration Procedure
Command
new build time range and enter time
range mode
Table 1-1 Configuration procedure

Operation
remark
configure terminal
time-range name
Configure absolute start
absolute start HH:MM:SS YYYY/MM/DD [end

HH:MM:SS YYYY/MM/DD]
Configure periodic start
periodic days-of-the-week hh:mm:ss to

[ day-of-the-week ] hh:mm:ss
require
d
Note that:
Periodic time range created using the time-range time-name start-time to end-time
days command. A time range thus created recurs periodically on the day or days of
the week.
Absolute time range created using the time-range time-name {from time1 date1 [ to
time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time
range thus created does not recur. For example, to create an absolute time range
that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may
use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
Compound time range created using the time-range time-name start-time to
end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 13
ACL Configuration
time range thus created recurs on the day or days of the week only within the
specified period. For example, to create a time range that is active from 12:00 to
14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59,
you may use the time-range test 12:00 to 14:00 Wednesday from 00:00 01/01/2004
to 23:59 12/31/2004 command.
You may create individual time ranges identified with the same name. They are
regarded as one time range whose active period is the result of ORing periodic ones,
ORing absolute ones, and ANDing periodic and absolute ones.
With no start time specified, the time range is from the earliest time that the system
can express (that is, 00:00 01/01/1970) to the end time. With no end time specified,
the time range is from the time the configuration takes effect to the latest time that
the system can express (that is, 24:00 12/31/2100).
Up to 256 time ranges can be defined.
1.2.2 Configuration Examples
1. Create an absolute time range from 16:00, Jan 3, 2009 to 16:00, Jan 5, 2009
Switch(config)#time-range b
Config time range successfully.
Switch(config-timerange-b)#absolute start 16:00:00 2009/1/3 end 16:00:00
2009/1/5
Config absolute range successfully .
Switch(config-timerange-b)#show time-range name b
Current time is: 02:46:43 2009/01/31
Saturday
time-range: b ( Inactive )
absolute: start 16:00:00 2009/01/03 end 16:00:00 2009/01/05
2. Create a periodic time range that is active from 8:00 to 18:00 every working day.
Switch(config)#time-range b
Config time range successfully.
Switch(config-timerange-b)#periodic weekdays 8:00:00 to 18:00:00
Config periodic range successfully .
Switch(config-timerange-b)#show time-range name b
Current time is: 02:47:56 2009/01/31 Saturday
time-range: b ( Inactive )
periodic: weekdays 08:00
to
18:00
1.3 Configuring a Basic ACL

Basic ACLs filter packets based on source IP address. They are numbered in the range
1 to 99. At most 99 ACL with number mark and at most 1000 ACL with name mark.
At most 128 rules for each ACL at the same time. If you want to reference a time
range to a rule, define it with the time-range command first.
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 13
ACL Configuration

Follow these steps to configure a basic ACL
Table 1-2 Configure basic ACL based on digital identification

Command
Operation
configure terminal
Define sub-item match rule
access-list num match-order { config |

auto }
Define basic ACL
access-list num { permit | deny }

{ source-IPv4/v6 source-wildcard | any |
ipv6any } [ time-range name ]
remark
optional
by
default ,sys
tem
is
config
required
Table 1-3 Configure basic ACL based on name identification

Command
Operation
configure terminal
mode
remark
optional
name
match-order
by
default ,system
is config
Define sub-item match rule
access-list standard
{ config | auto }
Define basic ACL and enter

configuration mode
access-list standard name
required
Configure ACL rule
{ permit | deny } { source-IPv4/v6 sourcewildcard | any | ipv6any } [ time-range

name ]
required

!Define a basic ACL with number mark to deny packet with source IP 10.0.0.1
Switch(config)#access-list 1 deny 10.0.0.1 0
!Define a basic ACL with name mark to deny packet with source IP 10.0.0.2
Switch(config)#access-list standard stdacl
Switch(config-std-nacl-stdacl)#deny 10.0.0.2 0
1.4 Define Extended ACL

Switch can define at most 100 extended ACL with the number ID (the number is in
the range of 100 to 199), at most 1000 extended ACL with the name ID. It can define
128 sub-rules for an ACL (this rule can suit both ACL with name ID and number ID).
Follow these steps to configure a extended ACL
Table 1-4 Configure extended ACL based on digital identification
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 13
ACL Configuration
Command
mode
Operation
Remark
configure terminal
Define sub-item match

rule
access-list num match-order { config

| auto }
optional
by
default ,syst
em is config
Define extended ACL

[
protocol
]
[
established
]
{ source-IPv4/v6 source-wildcard | any |
ipv6any } [ port [ portmask ] ] { destIPv4/v6 dest-wildcard | any | ipv6any }
[ port [ portmask ] ] { [ precedence
precedence ] [ tos tos ] | [ dscp dscp ] }
[ time-range name ]
required
Table 1-5 Configure extended ACL based on name identification

Command
Operation
Remark
configure terminal
mode
optional
access-list
extended
name by
Define subitem match rule
match-order { config | auto }
default ,syst
em is config
Define extended ACL
access-list extended name
and enter configuration
required
mode
Configure ACL rule
{ permit | deny } [ protocol ]

[ established ] { source-IPv4/v6
source-wildcard | any | ipv6any } [ port
[
portmask
]
]
{
dest-IPv4/v6
dest-wildcard | any | ipv6any } [ port
[ portmask ] ]
{ [ precedence
precedence ] [ tos tos ] | [ dscp dscp ] }
[ time-range name ]
required
Detailed parameters of extended ACL as below Table 1-6:

Parameters
Function
Remark
A number in the range
of 1 to 255
IP protocol type carried
Represented by name,
protocol
you can select GRE,
ICMP, IGMP, IPinIP,
OSPF, TCP, UDP
sour-address
sour-wildcard used to
determine the packet's
{ sour-address
source IP address.
Dotted decimal
ACL rules specified the source
notation;
address information
sour-wildcard of 0
sour-wildcard|any }
means that the host
address
any source address.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 13
ACL Configuration
{ dest-addr
The purpose of ACL rules specified
address information
dest-wildcard| any}
address.
port
TCP / UDP port number
precedence precedence
priority precedence message
tos tos
tos priority packets
dscp dscp
time-range name
dest-addr dest-wildcard
used to determine the
packet destination
address, in dotted
decimal notation;
dest-wildcard is 0, the
host address
Any is any destination
DSCP priority
Level ranges from 0 to 63
fragment fragmentation information
Create a time range
IP precedence values
range from 0 to 7
ToS priority ranges from
0 to 15
Rule applies only to
non-first fragment
packet effective

!Create extended ACL based on digital identification to deny the FTP packets
with source address 10.0.0.1 .
Switch(config)#access-list 100 deny tcp 10.0.0.1 0 ftp any
!Create extended ACL based on name identification to deny the FTP packets with
source address 10.0.0.1.
Switch (config)#access-list extended extacl
Switch(config-ext-nacl-extacl)#deny tcp 10.0.0.2 0 ftp any
1.5 Define Layer 2 ACL

Switch can define at most 100 layer 2 ACL with the number ID (the number is in the
range of 200 to 299), at most 1000 layer 2 ACL with the name ID. It can define 128
sub-rules for an ACL (this rule can suit both ACL with name ID and number ID). Layer
2 ACL only classifies data packet according to the source MAC address, source VLAN
ID, layer protocol type, layer packet received and retransmission interface and
destination MAC address of layer 2 frame head of data packet and analyze the
matching data packet.
1.5.1 Configuring Layer 2 ACL
Follow these steps to configure a Layer 2 ACL
Table 1-7 Configure Layer 2 ACL based on digital identification
Command
Operation
PDF pdfFactory Pro
www.fineprint.cn
Remark
Page 10 of 13
ACL Configuration
Enter global
configuration mode
configure terminal
Define sub-item match

rule
access-list num match-order { config

| auto }
optional
by
default ,system
is config
Define Layer 2 ACL

[ protocol ] [ cos vlan-pri ] ingress
{ { [ source-vlan-id ] [ source-mac-addr
source-mac-wildcard ] [ interface
interface-num ] } | any } egress
{ { [ dest-mac-addr dest-mac-wildcard ]
[ interface interface-num | cpu ] } |
any } [ time-range name ]
required
Table 1-8 Configure Layer 2 ACL based on name identification

Command
Operation
Remark
Enter global
configure terminal
configuration mode
optional
Define sub-item match access-list link name match-order by
{ config | auto }
rule
default ,system
is config
Define Layer 2 ACL and
access-list link name
enter configuration
required
mode
Configure ACL rule
{ permit | deny } [ protocol ] [ cos

vlan-pri ] ingress { { [ source-vlan-id ]
[
source-mac-addr
source-mac-wildcard ] [ interface
interface- num ] } | any } egress
{ { [ dest-mac-addr dest-mac-wildcard ]
[ interface interface-num | cpu ] } |
any } [ time-range name ]
required

!Create Layer 2 ACL based on digital identification to deny the MAC with ARP
address 00:00:00:00:00:01.
Switch(config)#access-list 200 deny arp ingress 00:00:00:00:00:01 0 egress any
!Create Layer 2 ACL based on name identification to deny the MAC with ARP
address 00:00:00:00:00:02.
Switch(config)#access-list link lnkacl
Switch (config-link-nacl-lnkacl)#deny arp ingress 00:00:00:00:00:02 0 egress any
1.6 Activate ACL

Switch obey the rule of First enable then active
Command
Table 1-9 Activate ACL

Operation
configure terminal
PDF pdfFactory Pro
www.fineprint.cn
Remark
Page 11 of 13
ACL Configuration
mode
Active ACL
access-group [ip-group name|num]

[subitem num] [link-group name|num]
[subitem num]
required

Switches only permit with source IP address 1.1.1.1
Standard IP Access List 2000, match-order is config, 2 rule:
0 deny
any
1 permit 1.1.1.1 0.0.0.0
!Configuration steps
Switch(config)#access-group ip-group 2000
Activate ACL successfully .
Standard IP Access List 1, match-order is auto, 2 rule:
0 permit 1.1.1.1 0.0.0.0
1 deny
any
Switch(config)#access-group ip-group 1 subitem 1
Switch(config)#access-group ip-group 1 subitem 0
1.6.2 Activate ACL successfully .Active ACL Binding
IP+MAC+Port binds through ACL binding active.
!Configuration request
MAC is 00:00:00:00:00:01, IP address of 1.1.1.1 the user can only enter from e0/0/1
mouth.
Switch(config)#access-list 4000 permit ingress 00:00:00:00:00:01 0 interface
ethernet 0/0/1 egress any
Switch(config)#access-group ip-group 2000 link-group 4000
1.7 Displaying and Debugging ACL

After finishing above configuration, you can see configuration as below commands.
Command
Display ACL statistics
Table 1-10 Display and debug ACL

Operation
show access-list config statistic
PDF pdfFactory Pro
www.fineprint.cn
Remark
perform either of
Page 12 of 13
ACL Configuration
Display ACL configuration

Display ACL
show access-list config {all|num|name

name}
show access-list runtime {all|num|name
name}
PDF pdfFactory Pro
www.fineprint.cn
the commands
Page 13 of 13
Storm-control Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 0 of 5

revise this document and to make changes from time to time in its content without being obligated to notify
any person of such revisions or changes.

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 5
Content
Chapter 1
Storm-control Configuration ........................................................................................... 3
1.1 Storm-control Overview............................................................................................................ 3
1.2 Storm-Control Configuration ..................................................................................................... 3
1.2.1 Configure Storm-Control ................................................................................................ 3
1.2.2 Storm-control Monitor and Maintenance ........................................................................ 4
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 5
Chapter 1 Storm-control Configuration

1.1 Storm-control Overview
When there is loop or malicious attacker in the network, there will be plenty of
packets, which occupy the bandwidth and even affect the network. Storm-control
will avoid too much packets appear in the network. Restrict the speed rate of port
receiving broadcast/multicast/ unknown unicast packets and unknown unicast
packets received by all ports. By default, all frames storm control target rate is
256Kbps, Broadcast storm control is Enable; Multicast storm control is Disable;
Unicast storm control is Disable.
1.2 Storm-Control Configuration

1.2.1 Configure Storm-Control
Storm-Control configuration is configured in global configuration mode and
enable/disable in interface configuration mode, that is, administrator can enable it
per port.
Table 1-1 Configure Storm-control
Operation
Command
configure terminal
Storm-control type {broadcast
Configure storm-control type
|multicast |dlf}
Remarks
Required
The
threshol
Configure storm-control rate
storm-control rate rate
d can be
1/2,1/4,1/
8,1/16
Enter
interface
configuration
interface ethernet slot/port
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 5
mode
Enable storm-control
storm-control
Required
1.2.2 Storm-control Monitor and Maintenance

After finishing above configuration, user can check the configurations by command
below.
Table 1-2 Storm-control monitor and maintenance
Operation
Command
Remarks
On
Show interface
show interface ethernet slot/port
any
configuration
mode
& Note:
If there is no configuration for storm-control, there will be no info show for that.
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 5
QoS Configuration
QoS Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 15
QoS Configuration

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 15
QoS Configuration
XXXX Feedback Form

services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 15
QoS Configuration
Contents
Chapter 1 QoS Configuration ......................................................................................................... 5
1.1 Brief Introduction to QoS .................................................................................................... 5
1.1.1 Traffic........................................................................................................................ 5
1.1.2 Traffic Classification .................................................................................................. 5
1.1.3 Priority...................................................................................................................... 6
1.1.4 Access Control List.................................................................................................... 8
1.1.5 Packet Filtration ....................................................................................................... 8
1.1.6 Flow Monitor............................................................................................................ 8
1.1.7 Interface Speed Limitation ....................................................................................... 8
1.1.8 Redirection ............................................................................................................... 8
1.1.9 Priority Mark ............................................................................................................ 8
1.1.10 Choose Interface Outputting Queue for Packet ..................................................... 8
1.1.11 Queue Scheduler.................................................................................................... 9
1.1.12 Cos-map Relationship of Hardware Priority Queue and Priority of IEEE802.1p
Protocol ............................................................................................................................. 9
1.1.13 Flow Mirror .......................................................................................................... 10
1.1.14 Statistics Based on Flow ....................................................................................... 10
1.1.15 Copy Packet to CPU .............................................................................................. 10
1.2 QOS Configuration ............................................................................................................ 10
1.2.1 Configuring Flow Monitor ...................................................................................... 10
1.2.2 Configure Two Rate Three Color Marker................................................................ 10
1.2.3 Configuring Interface Line Rate.............................................................................. 11
1.2.4 Configuring Packet Redirection .............................................................................. 11
1.2.5 Configuring Traffic Copy to CPU ............................................................................. 11
1.2.6 Configuring Traffic Priority ..................................................................................... 12
1.2.7 Configuring Queue-Scheduler ................................................................................ 12
1.2.8 Configuring Cos-map Relationship of Hardware Priority Queue and Priority of
IEEE802.1p Protocol ........................................................................................................ 12
1.2.9 Configuring Mapping Relationship between DSCP and 8 Priority in IEEE 802.1p .. 13
1.2.10 Configuring Flow Statistic..................................................................................... 14
1.2.11 Configuring Flow Mirror ....................................................................................... 14
1.2.12 Displaying and Maintain QoS ............................................................................... 14
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 15
QoS Configuration
Chapter 1
QoS Configuration
1.1 Brief Introduction to QoS

In traditional IP networks, packets are treated equally. That is, the FIFO (first in first
out) policy is adopted for packet processing. Network resources required for packet
forwarding is determined by the order in which packets arrive. All the packets share
the resources of the network. Network resources available to the packets completely
depend on the time they arrive. This service policy is known as Best-effort, which
delivers the packets to their destination with the best effort, with no assurance and
guarantee for delivery delay, jitter, packet loss ratio, reliability, and so on.
With the fast development of computer networks, more and more networks are
connected into Internet. Users hope to get better services, such as dedicated
bandwidth, transfer delay, jitter voice, image, important data which enrich network
service resources and always face network congestion. Internet users bring forward
higher requirements for QoS. Ethernet technology is the widest network technology
in the world recently. Now, Ethernet becomes the leading technology in every
independent LAN, and many LAN in the form of Ethernet have become a part of
internet. With the development of Ethernet technology, Ethernet connecting will
become one of main connecting for internet users. To execute end-to-end QoS
solution has to consider the service guarantee of Ethernet QoS, which needs
Ethernet device applies to Ethernet technology to provide different levels of QoS
guarantee for different types of service flow, especially the service flow highly
requiring delay and jitter.
1.1.1 Traffic
Traffic means all packets through switch.
1.1.2 Traffic Classification
Traffic classification is to identify packets conforming to certain characters according
to certain rules. It is the basis and prerequisite for proving differentiated services. A
traffic classification rule can use the precedence bits in the type of service (ToS) field
of the IP packet header to identify traffic with different precedence characteristics. A
traffic classification rule can also classify traffic according to the traffic classification
policy set by the network administrator, such as the combination of source address,
destination address, MAC address, IP protocol, or the port numbers of the
application. Traffic classification is generally based on the information in the packet
header and rarely based on the content of the packet.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 15
QoS Configuration
1.1.3 Priority
(1) 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where
the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2.
As shown in the chapter of VLAN configuration. Each host supported 802.1Q protocol
forwards packets which are from Ethernet frame source address add a 4-byte tag
header. Figure as 1-1.
Figure 1-1 802.1Q tag
As shown in the figure above, PRI segment is 802.1p priority. It consists of 3bits
whose range from 0~7. The three bits point the frame priority. The tag including 8
formats gives the precedence to forward the packets.
cos (decimal)
0
1
2
3
4
5
6
7
Table 1-1 Description on 802.1Q values

cos (binary)
Description
000
spare
001
background
010
best-effort
011
excellent-effort
100
controlled-load
101
video
110
voice
111
network-management
(2)IP precedence, TOS precedence, and DSCP values

The TOS field in the IP header contains eight bits: the first three bits represent IP
precedence; the subsequent four bits represent a ToS value and 1 bit with currently
unused defaults 0. The four bits of TOS packets are grouped into four classes: the
smallest time delay, maximum rate, highly reliability, minimum cost. Only 1 bit can be
set, if the DSCP values equal 0, that means normal service.
Figure 1-2 IP precedence and TOS precedence
IP precedence contains 8 formats.

Table 1-2 Description on IP Precedence
IP Precedence (decimal)
IP Precedence (binary)
Description
0
000
routine
1
001
priority
2
010
immediate
3
011
flash
4
100
flash-override
5
101
critical
6
110
internet
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 15
QoS Configuration
7
111
network
TOS precedence contains 5 formats.

TOS (decimal)
0
1
2
4
8
Table 1-3 Description on TOS Precedence

TOS (binary)
Description
0000
normal
0001
min-monetary-cost
0010
max-reliability
0100
max-throughput
1000
min-delay
According to RFC 2474, the ToS field is redefined as the differentiated services (DS)
field, where a DSCP value is represented by the first six bits (0 to 5) and ranges from 0
to 63. The remaining two bits (6 and 7) are reserved.
Figure 1-3 DSCP values
In a network in the Diff-Serve model, traffic is grouped into the following classes, and
packets are processed according to their DSCP values
l Expedited forwarding (EF) class: In this class, packets are forwarded regardless of
link share of other traffic. The class is suitable for preferential services requiring low
delay, low packet loss, low jitter, and high bandwidth.
l Assured forwarding (AF) class: This class is divided into four subclasses (AF 1 to
AF 4), each containing three drop priorities for more granular classification. The QoS
level of the AF class is lower than that of the EF class.
l Class selector (CS) class: This class is derived from the IP ToS field and includes
eight subclasses.
l Best effort (BE) class: This class is a special CS class that does not provide any
assurance. AF traffic exceeding the limit is degraded to the BE class. All IP network
traffic belongs to this class by default.
DSCP (decimal)
0
46
10
18
26
34
8
16
24
32
40
48
56
Table 1-4 Description on DSCP values

DSCP (binary)
keys
000000
be
101110
ef
001010
af1
010010
af2
011010
af3
100010
af4
001000
cs1
010000
cs2
011000
cs3
100000
cs4
cs5
101000
110000
111000
PDF pdfFactory Pro
www.fineprint.cn
cs6
cs7
Page 7 of 15
QoS Configuration
1.1.4 Access Control List

To classify flow is to provide service distinctively which must be connected resource
distributing. To adopt which kind of flow control is related to the stage it is in and the
current load of the network. For example: monitor packet according to the promised
average speed rate when the packet is in the network and queue scheduling manage
the packet before it is out of the node.
1.1.5 Packet Filtration
Packet filtration is to filtrate service flow, such as deny, that is, deny the service flow
which is matching the traffic classification, and permit other flows to pass. System
adopts complicated flow classification to filtrate all kinds of information of service
layer 2 packets to deny useless, unreliable, and doubtable service flow to strengthen
network security.
Two key points of realizing packet filtration:
Step 1: Classify ingress flows according to some regulation;
Step 2: Filtrate distinct flow by denying. Deny is default accessing control.
1.1.6 Flow Monitor
In order to serve customers better with the limited network resources, QoS can
monitor service flow of specified user in ingress interface, which can adapt to the
distributed network resources.
1.1.7 Interface Speed Limitation
Interface speed limitation is the speed limit based on interface which limits the total
speed rate of interface outputting packet.
1.1.8 Redirection
User can re-specify the packet transmission interface based on the need of its own
QoS strategies.
1.1.9 Priority Mark
Ethernet switch can provide priority mark service for specified packet, which includes:
TOS, DSCP, 802.1p. These priority marks can adapt different QoS model and can be
defined in these different models.
1.1.10 Choose Interface Outputting Queue for Packet
Ethernet switch can choose corresponding outputting queue for specified packets.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 15
QoS Configuration
1.1.11 Queue Scheduler

It adopts queue scheduler to solve the problem of resource contention of many
packets when network congestion. There are three queue scheduler matchings:
Strict-Priority Queue (PQ), Weighted Round Robin (WRR) and WRR with maximum
delay.
(1)PQ
PQ (Priority Queuing) is designed for key service application. Key service possesses an
important feature, that is, require the precedent service to reduce the response
delay when network congestion. Priority queue divides all packets into 4 levels, that
is, superior priority, middle priority, normal priority and inferior priority (3, 2, 1, 0),
and their priority levels reduce in turn.
When queue scheduler, PQ precedently transmits the packets in superior priority
according to the priority level. Transmit packet in inferior priority when the superior
one is empty. Put the key service in the superior one, and non-key service (such as
email)in inferior one to guarantee the packets in superior group can be first
transmitted and non-key service can be transmitted in the spare time.
The shortage of PQ is: when there is network congestion, there are more packets in
superior group for a long time, the packets in inferior priority will wait longer.
(2)WRR
WRR queue scheduler divides a port into 4 or 8 outputting queues (S2926V-O has 4
queues, that is, 3, 2, 1, 0) and each scheduler is in turn to guarantee the service time
for each queue. WRR can configure a weighted value (that is, w3, w2, w1, w0 in turn)
which means the percentage of obtaining the resources. For example: There is a port
of 100M. Configure its WRR queue scheduler value to be 50, 30, 10, 10
(corresponding w3, w2, w1, w0 in turn) to guarantee the inferior priority queue to
gain at least 10Mbit/s bandwidth, to avoid the shortage of PQ queue scheduler in
which packets may not gain the service.
WRR possesses another advantage. The scheduler of many queues is in turn, but the
time for service is not fixed-if some queue is free, it will change to the next queue
scheduler to make full use of bandwidth resources.
(3) SP+ WRR
Superior priority or less priority use SP algorithm, others use WRR algorithm.
1.1.12 Cos-map Relationship of Hardware Priority Queue and Priority of
IEEE802.1p Protocol
System will map between 802.1p protocol priority of packet and hardware queue
priority. For each packet, system will map it to specified hardware queue priority
according to 802.1p protocol priority of packet.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 15
QoS Configuration
1.1.13 Flow Mirror

Flow mirror means coping specified data packet to monitor interface to detect
network and exclude failure.
1.1.14 Statistics Based on Flow
Statistics based on flow can statistic and analyze the packets customer interested in.
1.1.15 Copy Packet to CPU
User can copy specified packet to CPU according to the need of its QoS strategies.
System realizes QoS function according to accessing control list, which includes: flow
monitor, interface speed limit, packet redirection, priority mark, queue scheduler,
flow mirror, flow statistics, and coping packet to CPU.
1.2 QOS Configuration

1.2.1 Configuring Flow Monitor
Flow monitor is restriction to flow rate which can monitor the speed of a flow
entering switch. If the flow is beyond specified specification, it will take actions, such
as dropping packet or reconfigure their priority.
Table 1-5 Configure flow rate
Command
remark
configure terminal

mode
optional, perform
either of the
globally and port
mode
Configure flow rate
rate-limit { input | output } { [ ip-group { num |

name } [ subitem subitem ] ] [ link-group { num |
name } [ subitem subitem ] ] } target-rate
optional
Operation
Enter
globally
configuration mode
1.2.2 Configure Two Rate Three Color Marker

Two Rate Three Color Marker is defined in RFC 2698. There is 4 parameter for it: CIR, CBS,
PIR and PBS.
Table 1-1 Configure Two Rate Three Color Marker
Operation
Command
Enter
globally
configure terminal
configuration mode
Configure Two Rate
two-rate-policer policer-id cir cir cbs cbs
Three Color Marker
pir pir pbs pbs [ color-aware ] [ drop-red ]
Enter
port
configuration mode
PDF pdfFactory Pro
www.fineprint.cn
remark
optional
optional,
perform
either of the
globally and
Page 10 of 15
QoS Configuration
port mode
rate-limit { input | output } { [ ip-group
{ num | name } [ subitem subitem ] ]
[ link-group { num | name } [ subitem
subitem ] ] } two-rate-policer policer-id
Configure Two Rate

Three Color Marker
optional
1.2.3 Configuring Interface Line Rate

Line-limit is the speed limit based on interface which restricts the total speed of
packet outputting.
Operation
Table 1-6 Configure interface line rate

Command
remark
Enter globally configuration

mode
configure terminal
Enter port configuration mode
Configure egress rate
bandwidth-control
target-rate
egress
optional
Configure ingress rate
bandwidth-control
target-rate
ingress
optional
1.2.4 Configuring Packet Redirection

Packet redirection configuration is redirecting packet to be transmitted to some
egress.
Table 1-7 Configure interface line rate
Command
remark
Operation
configure terminal
Configure packet redirection
traffic-redirect { [ ip-group { num

| name } [ subitem subitem ] ]
[ link-group { num | name }
[ subitem subitem ] ] }
{ [ interface interface-num |
cpu ] }
optional
1.2.5 Configuring Traffic Copy to CPU

Switch automatically copies to CPU after configuring traffic copy to CPU.
Operation
Table 1-8 Configure traffic copy to CPU

Command

Configure traffic copy to CPU
configure terminal
traffic-copy-to-cpu { [ ip-group
{ num | name } [ subitem
subitem ] ] [ link-group { num |
name } [ subitem subitem ] ] }
optional
PDF pdfFactory Pro
remark
www.fineprint.cn
Page 11 of 15
QoS Configuration
1.2.6 Configuring Traffic Priority

Traffic priority configuration is the strategy of remark priority for matching packet in
ACL, and the marked priority can be filled in the domain which reflects priority in
packet head.
Table 1-9 Configure traffic priority
Command
Operation
remark
configure terminal
Configure traffic priority
traffic-priority { [ ip-group { num

| name} [ subitem subitem ] ]
[ subitem subitem ] ] } { [ dscp
dscp-value ] [ cos { pre-value |
from-ipprec } ] [ local-precedence
pre-value ] }
optional
1.2.7 Configuring Queue-Scheduler

When network congestion, it must use queue-scheduler to solve the problem of
resource competition. System supports 3 kinds of queue-scheduler, that is SP, WRR
and full SP+WRR.
By default is SP in system.
Table 1-10 Configure queue-scheduler
Command
Operation
remark
configure terminal
Configure SP
queue-scheduler strict-priority
optional
Configure WRR
queue-scheduler
wrr
queue1-weight queue2-weight
optional
Configure SR+WRR
queue-scheduler
sp-wrr
queue3-weight
optional
1.2.8 Configuring Cos-map Relationship of Hardware Priority Queue and Priority

of IEEE802.1p Protocol
The cos-map relationship of hardware priority queue and priority of IEEE802.1p
protocol is one - to - one correspondence. Administrators change the cos-map
relationship of hardware priority queue and priority of IEEE802.1p protocol timely
when the one-to-one correspondence shifting.
By default, the cos-map relationship of hardware priority queue and priority of
IEEE802.1p protocol as below:
802.1p
Table 1-11 802.1p and he cos-map relationship of hardware priority queue

hardware priority queue
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 15
QoS Configuration
1
Administrators also change the cos-map relationship of hardware priority queue and
priority of IEEE802.1p protocol according to the actual network.
Table 1-12 Modifying 802.1p and he cos-map relationship of hardware priority queue
Operation
Command
remark
configure terminal
Modify
802.1p and he cos-map
relationship of hardware priority queue
queue-scheduler
queue-number
packed-priority
cos-map
optional
1.2.9 Configuring Mapping Relationship between DSCP and 8 Priority in IEEE

802.1p
The same situation as 1.2.7, by default, the relation between DSCP and 8 priority in
IEEE 802.1p as below;
SCP
Table 1-13 Relation between DSCP and 8 priority in IEEE 802.1p

hardware
hardware
hardware
hardware
priority
DSCP
priority
DSCP
priority
DSCP
priority queue
queue
queue
queue
16
32
48
17
33
49
18
34
50
19
35
51
20
36
52
21
37
53
22
38
54
23
39
55
24
40
56
25
41
57
10
26
42
58
11
27
43
59
12
28
44
60
13
29
45
61
14
30
46
62
15
31
47
63
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 15
QoS Configuration
Administrators also change the mapping relationship between DSCP and 8 priority in
IEEE 802.1p according to the actual network.
Table 1-14 Configuring the relation between DSCP and 8 priority in IEEE 802.1p
Operation
Command
remark
Enter
mode
globally
configuration
Startup the relation between

DSCP and 8 priority in IEEE
802.1p
configure terminal
queue-scheduler dscp-map
required
by default, it is disable.
Modify the relation between
DSCP and 8 priority in IEEE
802.1p
queue-scheduler dscp-map
dscp-value 802.1p-priority
optional
1.2.10 Configuring Flow Statistic

Flow statistic configuration is used to statistic specified service flow packet. The
statistic is accumulated value and reset to zero when re-configuring.
Operation
Table 1-16 Configure flow statistic

Command
Enter
globally
configuration mode
Configure flow staticstic
reset to Zero
configure terminal
traffic-statistic { [ ip-group
{ num | name } [ subitem
subitem ] ] [ link-group { num
| name } [ subitem
subitem ] ] }
clear traffic-statistic { [ all |
[ ip-group { num | name }
[ subitem subitem ] ]
[ subitem subitem ] ] ] }
remark
-
optional
optional
1.2.11 Configuring Flow Mirror

Flow mirror is copying the service flow which matches ACL rules to specified monitor
interface to analyze and monitor packet.
1.2.12 Displaying and Maintain QoS
After finishing above configuration, please use below commands to show the
configuration.
PDF pdfFactory Pro
www.fineprint.cn
Page 14 of 15
QoS Configuration
Table 1-17
Operation
Display and maintain QoS

Command
Display all the informaion of QoS
show qos-info all
Display QoS statistic
show qos-info statistic
Display quue-scheduler
parameters
mode
and
show queue-scheduler
Display the cos-map relationship of

hardware priority queue and priority of
IEEE802.1p protocol
show queue-scheduler cos-map
Display the dscp-map relationship of

hardware priority queue and priority of
IEEE802.1p protocol
show queue-scheduler dscp-map
Display all QoS port configuration
show qos-interface [interface-num ] all
Display rate-limit parameters
show qos-interface
rate-limit
Display interface line rate parameters
show bandwidth-control interface

Ethernet [interface-num]
Display
QoS
parameters
show qos-interface statistic
interface
statistic
[interface-num
Display traffic-priority parameters
show qos-info traffic-priority
Display traffic-redirect parameters
show qos-info traffic-redirect
Display packet redirection
show qos-info traffic-statistic
Display information of traffic copy to

CPU
show qos-info traffic-copy-to-cpu
PDF pdfFactory Pro
remark
www.fineprint.cn
perform
either of
the
comman
ds
Page 15 of 15
RSTP Configuration
STP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 27
RSTP Configuration

comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 27
RSTP Configuration
Content
Chapter 1
STP Configuration .......................................................................................................... 1
1.1 STP Overview .......................................................................................................................... 1
1.1.1 Function of STP ............................................................................................................. 1
1.1.2 Protocol Packets of STP ................................................................................................. 1
1.1.3 Basic Concepts in STP .................................................................................................... 1
1.1.4 Spanning-Tree Interface States....................................................................................... 2
1.2 How STP Works ....................................................................................................................... 3
1.3 Implement RSTP on Ethernet Switch ....................................................................................... 12
1.4 Configure RSTP ...................................................................................................................... 13
1.4.1 RSTP Configuration Task List ........................................................................................ 13
1.4.2 Enable RSTP ................................................................................................................ 14
1.4.3 Configure STP Bridge Priority ....................................................................................... 14
1.4.4 Configure Time Parameter ........................................................................................... 14
1.4.5 Configure STP Path Cost............................................................................................... 15
1.4.6 Configure STP Port Priority ........................................................................................... 16
1.4.7 Configure STP mcheck ................................................................................................. 16
1.4.8 Configure STP Point-to-Point Mode .............................................................................. 17
1.4.9 Configure STP Portfast ................................................................................................. 17
1.4.10 Configure STP Transit Limit ........................................................................................ 17
1.4.11 RSTP Monitor and Maintenance ................................................................................. 18
1.5 STP Configuration Example ..................................................................................................... 18
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 27
RSTP Configuration
Chapter 1 STP Configuration

1.1 STP Overview
1.1.1 Function of STP
Spanning Tree Protocol (STP) is applied in loop network to block some undesirable
redundant paths with certain algorithms and prune the network into a loop-free tree,
thereby avoiding the proliferation and infinite cycling of the packet in the loop network.
1.1.2 Protocol Packets of STP
STP uses bridge protocol data units (BPDUs), also known as configuration messages, as
its protocol packets.
STP identifies the network topology by transmitting BPDUs between STP-compliant
network devices. BPDUs contain sufficient information for the network devices to
complete the spanning tree calculation.
In STP, BPDUs come in two types:
l Configuration BPDUs, used for calculating spanning trees and maintaining the
spanning tree topology.
l Topology change notification (TCN) BPDUs, used for notifying concerned devices of
network topology changes, if any.
1.1.3 Basic Concepts in STP
1. Root Bridge
A tree network must have a root; hence the concept of root bridge has been
introduced in STP.
There is one and only one root bridge in the entire network, and the root bridge can
change alone with changes of the network topology. Therefore, the root bridge is not
fixed.
Upon network convergence, the root bridge generates and sends out configuration
BPDUs at a certain interval, and other devices just forward the BPDUs. This mechanism
ensures topological stability.
2. Root Port
PDF pdfFactory Pro
Page 1 of 27
www.fineprint.cn
RSTP Configuration
On a non-root bridge device, the root port is the port nearest to the root bridge. The
root port is responsible for communication with the root bridge. A non-root-bridge
device has one and only one root port. The root bridge has no root port.
3. Designated Bridge
For a device, Designated Bridge is the device directly connected with this device and
responsible for forwarding BPDUs; For a LAN, Designated Bridge is the device
responsible for forwarding BPDUs to this LAN segment.
4. Designated Port
For a device, Designated Port is the port through which the designated bridge forwards
BPDUs to this device; For a LAN, Designated Port is the port through which the
designated bridge forwards BPDUs to this LAN segment.
5. Path cost
Path cost is a reference value used for link selection in STP. By calculating the path cost,
STP selects relatively robust links and blocks redundant links, and finally prunes the
network into loop-free tree structure.
1.1.4 Spanning-Tree Interface States
Each Layer 2 interface on a switch using spanning tree exists in one of these states:
l Disabled
The interface is not participating in spanning tree because of a shutdown port, no link on
the port, or no spanning-tree instance running on the port.
l Blocking
The interface does not participate in frame forwarding.
l Listening
The first transitional state after the blocking state when the spanning tree determines
that the interface should participate in frame forwarding.
l Learning
The interface prepares to participate in frame forwarding.
l Forwarding
The interface forwards frames.
An interface moves through these states:
From initialization to blocking
From blocking to listening or to disabled
From listening to learning or to disabled
From learning to forwarding or to disabled
From forwarding to disabled
Figure 1-1 Spanning-Tree Interface States
PDF pdfFactory Pro
Page 2 of 27
www.fineprint.cn
RSTP Configuration
When you power up the switch, spanning tree is enabled by default, and every interface in
the switch, VLAN, or network goes through the blocking state and the transitory states of
listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking
state.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this
process occurs:
1. The interface is in the listening state while spanning tree waits for protocol
information to transition the interface to the blocking state.
2. While spanning tree waits the forward-delay timer to expire, it moves the
interface to the learning state and resets the forward-delay timer.
3. In the learning state, the interface continues to block frame forwarding as
the switch learns end-station location information for the forwarding
database.
4. When the forward-delay timer expires, spanning tree moves the interface to
the forwarding state, where both learning and frame forwarding are
enabled.
1.2 How STP Works

STP identifies the network topology by transmitting configuration BPDUs between network
devices. Configuration BPDUs contain sufficient information for network devices to complete
the spanning tree calculation. Important fields in a configuration BPDU include:
l
Root bridge ID: consisting of root bridge priority and MAC address.
Root path cost: the cost of the shortest path to the root bridge.
Designated bridge ID: designated bridge priority plus MAC address.
Designated port ID, designated port priority plus port name.
Message age: age of the configuration BPDU while it propagates in the network.
Max age: maximum age of the configuration BPDU maintained in the device.
PDF pdfFactory Pro
Page 3 of 27
www.fineprint.cn
RSTP Configuration
Hello time: configuration BPDU interval.
Forward delay: forward delay of the port.

& Note:
For the convenience of description, the description and examples below involve
only four parts of a configuration BPDU:
l
Root bridge ID (in the form of device priority)
Root path cost
Designated bridge ID (in the form of device priority)
Designated port ID (in the form of port name)
1) Specific calculation process of the STP algorithm

l
Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in
which the root path cost is 0, designated bridge ID is the device ID, and the designated port
is the local port.
l
Selection of the optimum configuration BPDU
Each device sends out its configuration BPDU and receives configuration BPDUs from other
devices.
The process of selecting the optimum configuration BPDU is as follows:
Figure 1-2 Selection of the optimum configuration BPDU
Step
1
Description
Upon receiving a configuration BPDU on a port, the device performs the following
processing:
l
If the received configuration BPDU has a lower priority than that of the
configuration BPDU generated by the port, the device will discard the received
configuration BPDU without doing any processing on the configuration BPDU of
this port.
If the received configuration BPDU has a higher priority than that of the
configuration BPDU generated by the port, the device will replace the content of
the configuration BPDU generated by the port with the content of the received
configuration BPDU.
The device compares the configuration BPDUs of all the ports and chooses the
PDF pdfFactory Pro
Page 4 of 27
www.fineprint.cn
RSTP Configuration
optimum configuration BPDU.

& Note:
Principle for configuration BPDU comparison:
The configuration BPDU that has the lowest root bridge ID has the highest
priority.
If all configuration BPDUs have the same root bridge ID, they will be
compared for their root path costs. If the root path cost in a configuration
BPDU plus the path cost corresponding to this port is S, the configuration
BPDU with the smallest S value has the highest priority.
If all configuration BPDUs have the same root path cost, they will be
compared for their designated bridge IDs, then their designated port IDs,
and then the IDs of the ports on which they are received. The smaller the
ID, the higher message priority.
Selection of the root bridge
At network initialization, each STP-compliant device on the network assumes itself to be the
root bridge, with the root bridge ID being its own device ID. By exchanging configuration
BPDUs, the devices compare one anothers root bridge ID. The device with the smallest root
bridge ID is elected as the root bridge.
l
Selection of the root port and designated ports
The process of selecting the root port and designated ports is as follows:
Table 1-1 Selection of the root port and designated ports
Step
Description
A non-root-ridge device regards the port on which it received the optimum

configuration BPDU as the root port.
Based on the configuration BPDU and the path cost of the root port, the device
calculates a designated port configuration BPDU for each of the rest ports.
l
The root bridge ID is replaced with that of the configuration BPDU of the root
port.
The root path cost is replaced with that of the configuration BPDU of the root
port plus the path cost corresponding to the root port.
The designated bridge ID is replaced with the ID of this device.
The designated port ID is replaced with the ID of this port.
PDF pdfFactory Pro
Page 5 of 27
www.fineprint.cn
RSTP Configuration
The device compares the calculated configuration BPDU with the configuration BPDU
on the port of which the port role is to be defined, and does different things
according to the comparison result:
l
If the calculated configuration BPDU is superior, the device will consider this port
as the designated port, and the configuration BPDU on the port will be replaced
with the calculated configuration BPDU, which will be sent out periodically.
If the configuration BPDU on the port is superior, the device will block this port
without updating its configuration BPDU, so that the port will only receive
BPDUs, but not send any, and will not forward data.
& Note:
When the network topology is stable, only the root port and designated ports
forward traffic, while other ports are all in the blocked state- they only
receive STP packets but do not forward user traffic.
Once the root bridge, the root port on each non-root bridge and designated ports have been
unsuccessfully elected, the entire tree-shaped topology has been constructed.
The following is an example of how the STP algorithm works. The specific network diagram is
shown in Figure 1-3. In the feature, the priority of Device A is 0, the priority of Device B is 1,
the priority of Device C is 2, and the path costs of these links are 5, 10 and 4 respectively.
Figure 1-3 Network diagram for the STP algorithm
PDF pdfFactory Pro
Page 6 of 27
www.fineprint.cn
RSTP Configuration
Initial state of each device
The following table shows the initial state of each device.

Table 1-2 Initial state of each device
Device
Port name
BPDU of port
Device A
AP1
{0, 0, 0, AP1}
AP2
{0, 0, 0, AP2}
BP1
{1, 0, 1, BP1}
BP2
{1, 0, 1, BP2}
CP1
{2, 0, 2, CP1}
CP2
{2, 0, 2, CP2}
Device B
Device C
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-3 Comparison process and result on each device
Device
BPDU of port after

comparison
Comparison process
PDF pdfFactory Pro
Page 7 of 27
www.fineprint.cn
RSTP Configuration
Device A
Device B
Port AP1 receives the configuration BPDU of

AP1: {0, 0, 0, AP1}
Device B {1, 0, 1, BP1}. Device A finds that the
configuration BPDU of the local port {0, 0, 0, AP1} AP2: {0, 0, 0, AP2}
is superior to the configuration received
message, and discards the received configuration
BPDU.
Port AP2 receives the configuration BPDU of

Device C {2, 0, 2, CP1}. Device A finds that the
BPDU of the local port {0, 0, 0, AP2} is superior
to the received configuration BPDU, and
discards the received configuration BPDU.
Device A finds that both the root bridge and

designated bridge in the configuration BPDUs of
all its ports are Device A itself, so it assumes
itself to be the root bridge. In this case, it does
not make any change to the configuration BPDU
of each port, and starts sending out
configuration BPDUs periodically.
Port BP1 receives the configuration BPDU of

Device A {0, 0, 0, AP1}. Device B finds that the
received configuration BPDU is superior to the
configuration BPDU of the local port {1, 0, 1,
BP1}, and updates the configuration BPDU of
BP1.
BP2: {1, 0, 1, BP2}
Port BP2 receives the configuration BPDU of

Device C {2, 0, 2, CP2}. Device B finds that the
configuration BPDU of the local port {1, 0, 1, BP2}
is superior to the received configuration BPDU,
and discards the received configuration BPDU
PDF pdfFactory Pro
BP1: {0, 0, 0, AP1}
Page 8 of 27
www.fineprint.cn
RSTP Configuration
Device C
Device B compares the configuration BPDUs of all Root port BP1:

its ports, and determines that the configuration
BPDU of BP1 is the optimum configuration BPDU. {0, 0, 0, AP1}
Then, it uses BP1 as the root port, the
Designated port
configuration BPDUs of which will not be
changed.
BP2:
Based on the configuration BPDU of BP1 and the

path cost of the root port (5), Device B calculates
a designated port configuration BPDU for BP2 {0,
5, 1, BP2}.
Device B compares the calculated configuration

BPDU {0, 5, 1, BP2} with the configuration BPDU
of BP2. If the calculated BPDU is superior, BP2
will act as the designated port, and the
configuration BPDU on this port will be replaced
with the calculated configuration BPDU, which
will be sent out periodically.
Port CP1 receives the configuration BPDU of

Device A {0, 0, 0, AP2}. Device C finds that the
received configuration BPDU is superior to the
CP1}, and updates the configuration BPDU of
CP1.
CP1: {0, 0, 0, AP2}

CP2: {1, 0, 1, BP2}
Port CP2 receives the configuration BPDU of port

BP2 of Device B {1, 0, 1, BP2} before the message
was updated. Device C finds that the received
configuration BPDU is superior to the
CP2}, and updates the configuration BPDU of
CP2.
PDF pdfFactory Pro
{0, 5, 1, BP2}
Page 9 of 27
www.fineprint.cn
RSTP Configuration
By comparison:
l
The configuration BPDU of CP1 is elected as the

optimum configuration BPDU, so CP1 is identified
as the root port, the configuration BPDUs of
which will not be changed.
Root port CP1: {0, 0, 0,

AP2}
Designated port CP2:
{0, 10, 2, CP2}
Device C compares the calculated designated

port configuration BPDU {0, 10, 2, CP2} with the
configuration BPDU of CP2, and CP2 becomes the
designated port, and the configuration BPDU of
this port will be replaced with the calculated
configuration BPDU.
Next, port CP2 receives the updated configuration

CP1: {0, 0, 0, AP2}
BPDU of Device B {0, 5, 1, BP2}. Because the received
configuration BPDU is superior to its old one, Device C CP2: {0, 5, 1, BP2}
launches a BPDU update process.
At the same time, port CP1 receives configuration
BPDUs periodically from Device A. Device C does not
launch an update process after comparison.
Blocked port CP2: {0, 0,
0, AP2}
By comparison:
l
Because the root path cost of CP2 (9) (root path

cost of the BPDU (5) plus path cost corresponding Root port CP2: {0, 5, 1,
BP2}
to CP2 (4)) is smaller than the root path cost of
CP1 (10) (root path cost of the BPDU (0) + path
cost corresponding to CP2 (10)), the BPDU of CP2
is elected as the optimum BPDU, and CP2 is
elected as the root port, the messages of which
will not be changed.
After comparison between the configuration

BPDU of CP1 and the calculated designated port
configuration BPDU, port CP1 is blocked, with the
configuration BPDU of the port remaining
unchanged, and the port will not receive data
from Device A until a spanning tree calculation
process is triggered by a new condition, for
example, the link from Device B to Device C
becomes down.
PDF pdfFactory Pro
Page 10 of 27
www.fineprint.cn
RSTP Configuration
After the comparison processes described in the table above, a spanning tree with Device A
as the root bridge is stabilized, as shown in Figure 1-4.
Figure 1-4
The final calculated spanning tree
& Note:
To facilitate description, the spanning tree calculation process in this example is
simplified, while the actual process is more complicated.
2) The BPDU forwarding mechanism in STP

l
Upon network initiation, every switch regards itself as the root bridge, generates
configuration BPDUs with itself as the root, and sends the configuration BPDUs at a
regular interval of hello time.
If it is the root port that received the configuration BPDU and the received configuration
BPDU is superior to the configuration BPDU of the port, the device will increase
message age carried in the configuration BPDU by a certain rule and start a timer to
time the configuration BPDU while it sends out this configuration BPDU through the
designated port.
If the configuration BPDU received on the designated port has a lower priority than the
configuration BPDU of the local port, the port will immediately send out its better
configuration BPDU in response.
If a path becomes faulty, the root port on this path will no longer receive new
configuration BPDUs and the old configuration BPDUs will be discarded due to timeout.
In this case, the device will generate a configuration BPDU with itself as the root and
sends out the BPDU. This triggers a new spanning tree calculation process so that a new
path is established to restore the network connectivity.
However, the newly calculated configuration BPDU will not be propagated throughout the
network immediately, so the old root ports and designated ports that have not detected the
topology change continue forwarding data along the old path. If the new root port and
PDF pdfFactory Pro
Page 11 of 27
www.fineprint.cn
RSTP Configuration
designated port begin to forward data as soon as they are elected, a temporary loop may
occur.
3) STP timers
STP calculations need three important timing parameters: forward delay, hello time, and
max age.
l Forward delay is the delay time for device state transition. A path failure will cause
re-calculation of the spanning tree, and the spanning tree structure will change
accordingly. However, the new configuration BPDU as the calculation result cannot be
propagated throughout the network immediately. If the newly elected root port and
designated ports start to forward data right away, a temporary loop is likely to occur. For
this reason, as a mechanism for state transition in STP, a newly elected root port or
designated port requires twice the forward delay time before transitioning to the
forwarding state, when the new configuration BPDU has been propagated throughout
the network.
l Hello time is the time interval at which a device sends hello packets to the
surrounding devices to ensure that the paths are fault-free.
l Max age is a parameter used to determine whether a configuration BPDU held by
the device has expired. A configuration BPDU beyond the max age will be discarded.
1.3 Implement RSTP on Ethernet Switch

The Ethernet Switch implements the Rapid Spanning Tree Protocol (RSTP), i.e., the
enhancement of STP. The Forward Delay for the root ports and designated ports to enter
forwarding state is greatly reduced in certain conditions, thereby shortening the time period
for stabilizing the network topology.
To achieve the rapid transition of the root port state, the following requirement should be
met: The old root port on this switch has stopped data forwarding and the designated port
in the upstream has begun forwarding data.
The conditions for rapid state transition of the designated port are:
l
The port is an Edge port that does not connect with any switch directly or
indirectly. If the designated port is an edge port, it can switch to forwarding
state directly without immediately forwarding data.
The port is connected with the point-to-point link, that is, it is the master
port in aggregation ports or full duplex port. It is feasible to configure a
point-to-point connection. However, errors may occur and therefore this
configuration is not recommended. If the designated port is connected with
the point-to-point link, it can enter the forwarding state right after
handshaking with the downstream switch and receiving the response.
The switch that uses RSTP is compatible with the one using STP. Both protocol packets can
be identified by the switch running RSTP and used in spanning tree calculation.
PDF pdfFactory Pro
Page 12 of 27
www.fineprint.cn
RSTP Configuration
& Note:
RSTP is the protocol of single spanning tree. A switching network only has one
spanning tree. To guarantee the normal communication inside a VLAN, the
devices of a VLAN shall have routes to one another on the Spanning Tree,
otherwise, the communication inside the VLAN will be affected if some links
inside a VLAN are blocked.
For some VLAN that cannot be arranged along the spanning tree paths for some
special requirements, you have to disable RSTP on the switch port
corresponding to the VLAN.
1.4 Configure RSTP

1.4.1 RSTP Configuration Task List
Table 1-4 RSTP Configuration Task List
Configuration Task List
RSTP basic configuration
Remarks
Enable STP
Required
1.4.2
Select the working mode
Required
1.4.2
Configure STP bridge priority
Optional
1.4.3
Optional
1.4.4
Configure STP forward-delay
Optional
1.4.4
Configure STP max-age
Optional
1.4.4
Configure STP path cost
Optional
1.4.5
Configure STP port priority
Optional
1.4.6
Configure STP mcheck
Optional
1.4.7
Optional
1.4.8
Configure STP portfast
Optional
1.4.9
Configure STP transit limit
Optional
1.4.10
Configure
Hello-packet
sending interval
Configure RSTP
Configure STP point-to-point

mode
PDF pdfFactory Pro
Page 13 of 27
www.fineprint.cn
RSTP Configuration
Show RSTP
Optional
1.4.11
1.4.2 Enable RSTP

After enabling STP globally, all ports will be defaulted to join the STP topology
calculating by default. If some port is not allowed to take part in the STP calculation,
administrator can use no spanning-tree command in interface configuration mode to
disable STP on this port.
Table 1-5 Enable STP
Command
Operation
mode
Enable STP globally
Select STP mode
Enter interface
configuration mode
Enable/disable STP on
port
Remarks
configure terminal
spanning-tree
spanning-tree mode stp
interface ethernet
device/slot/port
Required
Optional
(no)spanning-tree
Optional
& Note:
When enable STP globally, the system is working under RSTP mode.
1.4.3 Configure STP Bridge Priority

The priority of bridge determines this switch can be root or not. If this switch is needed
to be the root, the priority can be configured inferior.
By default, the switch bridge priority is 32768.
Operation
Table 1-6 Configure STP priority

Command

configure terminal
mode
spanning-tree priority
Configure STP priority
priority
Remarks
bridge
Optional
1.4.4 Configure Time Parameter

There are three time parameters: Forward Delay, Hello Time and Max Age.
PDF pdfFactory Pro
Page 14 of 27
www.fineprint.cn
RSTP Configuration
User can configure these three parameters for RSTP calculation.

Table 1-7 Configure the time parameter
Operation
Command
configure terminal
mode
Configure
Hello-packet spanning-tree
hello-time
sending interval
seconds
forward-time
Configure STP forward-delay spanning-tree
seconds
Configure STP max-age
spanning-tree max-age seconds
Remarks
Optional
Optional
Optional
& Note:
l Too long Hello Time may cause link failure thought by network bridge for
losing packets of the link to restart accounting STP; too smaller Hello Time may
cause network bridge frequently to send configuration packet to strengthen the
load of network and CPU. Hello Time ranges from 1 to 10 seconds. It is
suggested to use the default time of 2 seconds. Hello Time Forward Delay-2.
l If Forward Delay is configured too small, temporary redundancy will be
caused; if Forward Delay is configured too large, network will not be restored
linking for a long time. Forward Delay ranges from 4 to 30 seconds. The default
forward delay time, 15 seconds is suggested to use. Forward DelayHello Time +
2.
l Max Age is used to configure the longest aging interval of STP. Lose packet
when over-timing. The STP will be frequently accounts and take crowded
network to be link fault, if the value is too small. If the value is too large, the link
fault cannot be known timely. Max Age is determined by diameter of network,
and the default time of 20 seconds is suggested. 2*(Hello Time + 1) Max Age
2*(ForwardDelay 1) When enable STP globally, the system is working under
RSTP mode.
1.4.5 Configure STP Path Cost

Configure interface STP path cost and choose the path with the smallest path cost to be
the effective path.
The path cost is related to the link speed rate. The larger the speed rate is, the less the
cost is. STP can auto-detect the link speed rate of current interface and converse it to be
the cost.
Configure port path cost will make STP re-calculating. The value of the path cost is
1-65535. It is suggested using the default vaule, which makes the STP to calculate the
PDF pdfFactory Pro
Page 15 of 27
www.fineprint.cn
RSTP Configuration
current port cost by itself. By default, the path cost is determined by the current port
speed.
When the port is 10M, the default cost is 200,000; when the port is 100M, the default
cost is 20,000; 1000M, 2,000.
Table 1-8 Configure STP path cost
Operation
Command
mode
mode
Configure STP path cost
configure terminal
interface
ethernet
interface-num
spanning-tree cost path-cost
Remarks
Optional
Optional
1.4.6 Configure STP Port Priority

Specify specified port in STP by configuring port priority. Generally, the smaller the value
is, the superior the priority is, and the port will be more possible to be included in STP. If
the priorities are the same, the port number is considered.
The smaller the value is, the superior the priority is, and the port is easier to be the root
interface. Change the port priority may cause the re-calculating of the STP. The port
priority ranges from 0 to 255. The default port priority is 128.
Table 1-9 Configure STP port priority
Operation
Command
configure terminal
mode
Enter interface configuration interface
ethernet
mode
interface-num
spanning-tree
port-priority
Configure STP port priority
priority
Remarks
Optional
1.4.7 Configure STP mcheck

Switch working under RSTP mode can be connected to switch with STP. But when the
neighbor is working under RSTP, the two connected ports are still work under STP mode.
Mcheck is for force port sending RSTP packet to make sure the two neighbor ports can
be working under RSTP. If yes, the working mode will turn to be RSTP.
Enter
Table 1-10 Configure STP mcheck

Operation
Command
global configuration configure terminal
PDF pdfFactory Pro
Remarks
-
Page 16 of 27
www.fineprint.cn
RSTP Configuration
mode
mode
Configure STP mcheck
interface
ethernet
interface-num
spanning-tree mcheck
Optional
1.4.8 Configure STP Point-to-Point Mode

In rstp, the requirement of interface quickly in transmission status is that the interface
must be point to point link not media sharing link. It can be specified interface link mode
manually and can also judge it by network bridge.
Table 1-11 Configure STP point-to-point mode
Operation
Command
mode
mode
Configure switch auto-check
the point-to-point
mode forcetrue
mode forcefalse
Remarks
configure terminal
spanning-tree
auto
spanning-tree
forcetrue
spanning-tree
forcefalse
point-to-point
Optional
point-to-point
Optional
point-to-point
Optional
1.4.9 Configure STP Portfast

Edge port is the port connecting to the host which can be in transmission status in very
short time after linkup, but once the port receiving STP packet, it will shift to be
non-edge port.
Table 1-12 Configure STP portfast
Operation
Command
mode
mode
Configure STP portfast
Remarks
configure terminal
interface
ethernet
interface-num
spanning-tree portfast
Optional
1.4.10 Configure STP Transit Limit

Restrict STP occupying bandwidth by restricting the speed of sending BPDU packet. The
speed is determined by the number of BPDU sent in each hello time.
By default, port will send 3 BPDU packets in every Hello time interval.
PDF pdfFactory Pro
Page 17 of 27
www.fineprint.cn
RSTP Configuration
Table 1-13 Configure STP transit limit

Operation
Command
configure terminal
mode
Enter interface
configuration mode
transit-limit
Configure STP transit limit spanning-tree
transit-limit
Remarks
Optional
1.4.11 RSTP Monitor and Maintenance

After finishing above configuration, user can check the configurations by command
below.
Table 1-14 RSTP monitor and maintenance
Operation
Command
show spanning-tree interface [brief

Show STP interface [ethernet device/slot/port]]
Remarks
On
any
configurati
on mode
1.5 STP Configuration Example

As shown in following figure, S-switch-A is core switch as the root. S-switch-B is the
bridge. The link between S-switch-A and S-switch-B is backup link. When there is failure
between S-switch-B and S-switch-C, the link between S-switch-A and S-switch-B can
work normally.
II. Network diagram
The default STP mode is RSTP. Enable global RSTP and use its default time parameter.
Configure Switch A
PDF pdfFactory Pro
Page 18 of 27
www.fineprint.cn
RSTP Configuration
#configure Ethernet0/0/1 and Ethernet0/0/2 to be trunk, and enable root-guard

S-switch-A(config)#interface range ethernet 0/0/1 ethernet 0/0/2
S-switch-A(config-if-range)#switchport mode trunk
S-switch-A(config-if-range)#spanning-tree root-guard
S-switch-A(config-if-range)#exit
# configure S-switch-A priority to be 0 to make sure S-switch-A is root
S-switch-A(config)#spanning-tree priority 0
# Enable global RSTP
S-switch-A(config)#spanning-tree
Configure Switch B
#configure Ethernet0/0/1 and Ethernet0/0/2 to be trunk
S-switch-B(config)#interface range ethernet 0/0/1 ethernet 0/0/2
S-switch-B(config-if-range)#switchport mode trunk
S-switch-B(config-if-range)#exit
# configure S-switch-B priority to be 4096 to make sure S-switch-B is bridge. Configure
cost of Ethernet0/0/1 and Ethernet0/0/2 to be 10
S-switch-B(config)#spanning-tree priority 4096
S-switch-B(config)#interface range ethernet 0/0/1 ethernet 0/0/2
S-switch-B(config-if-range)#spanning-tree cost 10
S-switch-B(config-if-range)#exit
S-switch-B(config)#spanning-tree
Configure Switch C
#configure Ethernet0/0/1 and Ethernet0/0/2 to be trunk
S-switch-C(config)#interface range ethernet 0/0/1 ethernet 0/0/2
S-switch-C(config-if-range)#switchport mode trunk
PDF pdfFactory Pro
Page 19 of 27
www.fineprint.cn
RSTP Configuration
S-switch-C(config-if-range)#exit
#Configure cost of Ethernet0/0/1 and Ethernet0/0/2 to be 10 to make sure link between
S-switch-B and S-switch-C to be main link
S-switch-C(config)#interface range ethernet 0/0/1 ethernet 0/0/2
S-switch-C(config-if-range)#spanning-tree cost 10
S-switch-C(config-if-range)#exit
S-switch-C(config)#spanning-tree
Check the configuration
# S-switch-A
S-switch-A(config)#show spanning-tree interface ethernet 0/0/1 ethernet 0/0/2
The bridge is executing the IEEE Rapid Spanning Tree protocol
The bridge has priority 0, MAC address: 000a.5a13.b13d
Configured Hello Time 2 second(s), Max Age 20 second(s),
Forward Delay 15 second(s)
Root Bridge has priority 0, MAC address 000a.5a13.b13d
Path cost to root bridge is 0
Stp top change 3 times
Port e0/0/1 of bridge is Forwarding
Spanning tree protocol is enabled
remote loop detect is disabled
The port is a DesignatedPort
Port path cost 200000
Port priority 128
root guard enabled and port is not in root-inconsistent state
Designated bridge has priority 0, MAC address 000a.5a13.b13d
The Port is a non-edge port
Connected to a point-to-point LAN segment
PDF pdfFactory Pro
Page 20 of 27
www.fineprint.cn
RSTP Configuration
Maximum transmission limit is 3 BPDUs per hello time

Times: Hello Time 2 second(s), Max Age 20 second(s)
Forward Delay 15 second(s), Message Age 0
sent BPDU:
54
TCN: 0, RST: 54, Config BPDU: 0

received BPDU: 10
Port priority 128
root guard enabled and port is not in root-inconsistent state
sent BPDU:
16

received BPDU: 3
# S-switch-B
S-switch-B(config)#show spanning-tree interface ethernet 0/0/1 ethernet 0/0/2
The bridge has priority 4096, MAC address: 0000.0077.8899
PDF pdfFactory Pro
Page 21 of 27
www.fineprint.cn
RSTP Configuration

The port is a RootPort
Port path cost 10
Port priority 128
root guard disabled and port is not in root-inconsistent state
sent BPDU:
21

received BPDU: 204
Port path cost 10
Port priority 128
Designated bridge has priority 4096, MAC address 0000.0077.8899
PDF pdfFactory Pro
Page 22 of 27
www.fineprint.cn
RSTP Configuration

sent BPDU:
191

received BPDU: 13
# S-switch-C
S-switch-C(config)#show spanning-tree interface ethernet 0/0/1 ethernet 0/0/
2
The bridge has priority 32768, MAC address: 000a.5a13.f48e
Port e0/0/1 of bridge is Discarding
The port is a AlternatePort
Port priority 128
PDF pdfFactory Pro
Page 23 of 27
www.fineprint.cn
RSTP Configuration
sent BPDU:

received BPDU: 396
The port is a RootPort
Port path cost 10
Port priority 128
Designated bridge has priority 4096, MAC address 0000.0077.8899
sent BPDU:

received BPDU: 418
PDF pdfFactory Pro
Page 24 of 27
www.fineprint.cn
802.1x Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 13
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 13
XXXX Feedback Form

services.
Document
Title
Product
Documen
Version
t Revision
1.0
Number
Evaluate this
Presentation:
document

Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestions
to improve
Include images
the
document
Make more concise

Name
Company
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 13
Contents
Chapter1 Configuring 802.1X ........................................................................................................ 5
1.1 Brief Introduction to 802.1X Configuration......................................................................... 5
1.1.1 Architecture of 802.1X ............................................................................................. 5
1.1.2 Rule of 802.1x .......................................................................................................... 7
1.1.3 Configuring AAA ............................................................................................................... 8
1.1.4 Configuring RADIUS Server ...................................................................................... 8
1.1.5 Configuring Local User ............................................................................................. 8
1.1.6 Configuring Domain ................................................................................................. 9
1.1.7 Configuring RADIUS Features ................................................................................... 9
1.1 Configuring 802.1X ............................................................................................................ 11
1.1.8 Configuring EAP...................................................................................................... 11
1.1.9 Enable 802.1x ......................................................................................................... 11
1.1.10 Configuring 802.1x Parameters for a Port ............................................................ 11
1.1.11 Configuring Re-Authentication............................................................................. 12
1.1.12 Configuring Watch Feature .................................................................................. 12
1.1.13 Configuring User Features .................................................................................... 12
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 13
Chapter1 Configuring 802.1X

1.1 Brief Introduction to 802.1X Configuration
IEEE 802.1X is the accessing management protocol standard based on interface
accessing control passed in June, 2001. Traditional LAN does not provide accessing
authentication. Users access the devices and resources in LAN when connecting to
the LAN, which is a security hidden trouble. For application of motional office and
CPN, device provider hopes to control and configure users connecting. There is also
the need for accounting.
IEEE 802.1X is a network accessing control technology based on interface which is
the accessing devices authentication and control by physical accessing level of LAN
devices. Physical accessing level here means the interface of LAN Switch devices.
When getting authentication, switch is the in-between (agency) of client and
authentication server. It obtains users identity from client of accessing switch and
verifies the information through authentication server. If the authentication passes,
this user is allowed to access LAN resources or it will be refused.
1.1.1 Architecture of 802.1X
802.1X operates in the typical client/server model and defines three entities:
supplicant system, authenticator system, and authentication server system, as
shown in figure 1-1.
l Supplicant system: A system at one end of the LAN segment, which is
authenticated by the authenticator system at the other end. A supplicant system is
usually a user-end device and initiates 802.1x authentication through 802.1x client
software supporting the EAP over LANs (EAPOL) protocol.
l Authenticator system: A system at the other end of the LAN segment, which
authenticates the connected supplicant system. An authenticator system is usually an
802.1x-enabled network device and provides ports (physical or logical) for supplicants
to access the LAN.
l Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system. The authentication server,
usually a Remote Authentication Dial-in User Service (RADIUS) server, maintains user
information like username, password, VLAN that the user belongs to, committed
access rate (CAR) parameters, priority, and ACLs.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 13
Figure 1-1 Architecture of 802.1x
The above systems involve three basic concepts: PAE, controlled port, control
direction.
1. PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and
protocol operations.
l The authenticator PAE uses the authentication server to authenticate a supplicant
trying to access the LAN and controls the status of the controlled port according to the
authentication result, putting the controlled port in the authorized or unauthorized
state. In authorized state, the port allows user data to pass, enabling the supplicant(s)
to access the network resources; while in unauthorized state, the port denies all data
of the supplicant(s).
l The supplicant PAE responds to the authentication request of the authenticator
PAE and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
2. Controlled port and uncontrolled port
An authenticator provides ports for supplicants to access the LAN. Each of the ports
can be regarded as two logical ports: a controlled port and an uncontrolled port.
l The uncontrolled port is always open in both the inbound and outbound
directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant
can always send and receive authentication frames.
l The controlled port is open to allow normal traffic to pass only when it is in the
authorized state.
l The controlled port and uncontrolled port are two parts of the same port. Any
frames arriving at the port are visible to both of them.
3. Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from
the supplicant or just the traffic from the supplicant.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 13
1.1.2 Rule of 802.1x

The 802.1x authentication system employs the Extensible Authentication Protocol
(EAP) to exchange authentication information between the supplicant PAE,
authenticator PAE, and authentication server.
At present, the EAP relay mode supports four authentication methods: EAP-MD5,
EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security),
and PEAP (Protected Extensible Authentication Protocol).
1. When a user launches the 802.1x client software and enters the registered
username and password, the 802.1x client software generates an
EAPOL-Start frame and sends it to the authenticator to initiate an
authentication process.
2. Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet for the username of the supplicant.
3. When the supplicant receives the EAP-Request/Identity packet, it
encapsulates the username in an EAP-Response/Identity packet and sends
the packet to the authenticator.
4. Upon receiving the EAP-Response/Identity packet, the authenticator relays
the packet in a RADIUS Access-Request packet to the authentication server.
5. When receiving the RADIUS Access-Request packet, the RADIUS server
compares the identify information against its user information table to
obtain the corresponding password information. Then, it encrypts the
password information using a randomly generated challenge, and sends the
challenge information through a RADIUS Access-Challenge packet to the
authenticator.
6. After receiving the RADIUS Access-Challenge packet, the authenticator
relays the contained EAP-Request/MD5 Challenge packet to the supplicant.
7. When receiving the EAP-Request/MD5 Challenge packet, the supplicant
uses the offered challenge to encrypt the password part (this process is not
reversible), creates an EAP-Response/MD5 Challenge packet, and then
sends the packet to the authenticator.
8. After receiving the EAP-Response/MD5 Challenge packet, the authenticator
relays the packet in a RADIUS Access-Request packet to the authentication
server.
9. When receiving the RADIUS Access-Request packet, the RADIUS server
compares the password information encapsulated in the packet with that
generated by itself. If the two are identical, the authentication server
considers the user valid and sends to the authenticator a RADIUS
Access-Accept packet.
10. Upon receiving the RADIUS Access-Accept packet, the authenticator opens
the port to grant the access request of the supplicant. After the supplicant
gets online, the authenticator periodically sends handshake requests to the
supplicant to check whether the supplicant is still online. By default, if two
consecutive handshake attempts end up with failure, the authenticator
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 13
concludes that the supplicant has gone offline and performs the necessary
operations, guaranteeing that the authenticator always knows when a
supplicant goes offline.
11. The supplicant can also send an EAPOL-Logoff frame to the authenticator to
go offline unsolicitedly. In this case, the authenticator changes the status of
the port from authorized to unauthorized and sends an EAP-Failure frame to
the supplicant.
1.1.3
Configuring AAA
Finish necessary configuration of domain and RDIUS project of 802.1X

authentication.
1.1.4 Configuring RADIUS Server
RADIUS server saves valid users identity. When authentication, system transfers
users identity to RADIUS server and transfer the validation to user .User accessing to
system can access LAN resources after authentication of RADIUS server.
Operation
Table1-1 Configure RADIUS server

Command
Remark
configure terminal
Enter AAA mode
aaa
required
Enter RAIDUS configuration
radius host name
required
Configure primary RADIUS
primary-auth-ip ipaddr port
required
Configure second RADIUS
second-auth-ip ipaddr port
optional
Configure key string of primary RADIUS
auth-secret-key keystring
required
Configure key string of second RADIUS
acct -secret-key keystring
optional
Configure NAS-RAIDUS address
nas-ipaddress ipaddr
optional
Setup the username format
username-format { with-domain |
without-domain }
optional
Configure accounting
realtime-account
optional
Configure the times of accouting
realtime-account time
optional
1.1.5 Configuring Local User

Client need configure local user name and password.
Operation
Table 1-2 Configure local user

Command
Remark
configure terminal
Enter AAA mode
aaa
required
Configure local user
local-user username name password pwd

[ vlan vid ]
required
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 13
1.1.6 Configuring Domain

Client need provide username and password when authentication. Username
contains users ISP information, domain and ISP corresponded. The main information of
domain is the RADIUS server authentication and accounting the user should be.
Operation
Table 1-3 Configure Domain

Command
Remark
configure terminal
Enter AAA mode
aaa
required
Configure default Domain
default domain-name domain-name
required
setup Domain
domain name
required
Configure default Domain scheme
scheme { local | radius [ local ] }
required
choice RADIUS name
radius host binding radius-name
optional
configure access limit users
access-limit { enable number | disable }
optional
active the state
state
required
{ active | block }
1.1.7 Configuring RADIUS Features

Configuring RADIUS some compatible or special features as below:
Table 1-4 Configure RADIUS features
Operation
Command
Remark
configure terminal
Enter AAA mode
aaa
required
Enable user re-authentication, when it executives,

the device restarts after a user authentication to
the RADIUS server sends Accounting-On message,
notify the RADIUS server to force the device goes
offline.
accounting-on { enable
sen-num | disable }
optional
h3c-cams { enable |
disable }
optional
accounting function
radius accounting
optional
Accounting packets without response need cut off

users
radius server-disconnect
drop 1x
optional
port priority
radius 8021p enable
optional
H3C Cams compatible under this feature can

uprate-value / dnrate-value to configure the
upstream bandwidth / downstream bandwidth of
the Vendor Specific attribute name of the attribute
number.
This feature can be under the RADIUS attribute
client-version to the version of configuration
information to send the client to the RADIUS
server.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 13
This feature is turned on, if the user authentication

passes, it will be modified by the user where the
priority of the port.
This feature is by default the property name in the

Vendor Specific attribute number to 77, with radius
config-attribute you can modify the properties of
numbers.
Port PVID
passes , it will be modified by the user where port
PVID is
This function is fixed by the Tunnel-Pvt-Group-ID
attribute names, which requires a string of the
property value, this string for the VLAN by name
descriptor matches the VLAN value.
radius vlan enable
optional
radius
mac-address-number
enable
optional
radius bandwidth-limit
enable
optional
Limit port of MAC address numbers

passes, the user will modify the port about the
limiting number of MAC address learning.
This feature is by default the property name in the
Vendor Specific attribute number to 50, with radius
config-attribute you can modify the properties of
numbers.
Limit port bandwidth
passes, the user will modify the port bandwidth
limitation. Upstream bandwidth control carries out
per attribute number 75 in Vendor specific
attribution and be modified attribution by using
radius config-attribute. Downstream bandwidth
control carries out per attribute number 76 in
Vendor specific attribution and be modified
attribution by using radius config-attribute.
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 13
By default unit is kbps, can be modified through

radius config-attribute access-bandwidth unit.
1.1 Configuring 802.1X

1.1.8 Configuring EAP
The 802.1X authentication can be initiated by either a supplicant or the
authenticator system. A supplicant can initiate authentication by launching the
802.1x client software to send an EAPOL-Start frame to the authenticator system,
while an authenticator system can initiate authentication by unsolicitedly sending an
EAP-Request/Identity packet to an unauthenticated supplicant.
Table 1-4 Configure EAP
Command
Operation
configure terminal
set the protocol type between system

and RADIUS
dot1x eap-finish | eap-transfer
Remark
optional
1.1.9 Enable 802.1x

802.1x provides a user identity authentication scheme. However, 802.1x cannot
implement the authentication scheme solely by itself. RADIUS or local authentication
must be configured to work with 802.1x
Enabling 802.1S authentication, users connected to the system can access to LAN per
passing the authentication.
Table 1-5 Enable 802.1x
Command
Remark
configure terminal
Enable 802.1x
dot1x method { macbased | portbased }
Operation
required
1.1.10 Configuring 802.1x Parameters for a Port

The 802.1x proxy detection function depends on the online user handshake function.
Be sure to enable handshake before enabling proxy detection and to disable proxy
detection before disabling handshake.
Table 1-6 Configure 802.1x parameters for a port
Operation
Command
configure terminal
Configure 802.1x parameters for a port
dot1x port-control { auto |

forceauthorized | forceunauthorized }
PDF pdfFactory Pro
www.fineprint.cn
Remark
required
Page 11 of 13
[ interface-list ]
1.1.11 Configuring Re-Authentication

In EAP-FINISH way, the port supports re-authentication. After the user is
authenticated, the port can be configured to immediately re-certification, or periodic
re-certification.
operation
Table 1-7 Configure re-authentication

Command
Remarks
Enter global
configuration mode
configure terminal
Immediately
re-certification
dot1x re-authenticate [interface-list]
Optional
Periodic
re-authentication
enabled on a port
dot1x re-authentication [interface-list]
Optional
Periodic
re-authentication time
configuration port
dot1x timeout re-authperiod time [interface-list]
Optional
1.1.12 Configuring Watch Feature

Opening function, the port without the user's circumstances, will watch regularly
sends a 1x packet, triggering the following 802.1x user authentication.
Table 1-8 Configure watch feature
Operation
Command
Remarks
Enter global
configuration mode
configure terminal
Open the watch function
dot1x daemon [interface-list]
Optional
Configuration time
between sending packets
Watch
dot1x daemon time time [interface-list]
Optional
1.1.13 Configuring User Features

The operations mainly conclude of the number of users for port configuration, user
and delete users, and heartbeat detection operations.
Table 1-9 Configure user feature
Operation
Command
Enter global
configuration mode
configure terminal
Configuration allows the
dot1x max-user [interface-list]
PDF pdfFactory Pro
www.fineprint.cn
Remarks
Optional
Page 12 of 13
maximum number of
users through the
authentication
Deletes the specified
users online
dot1x user cut {username name | mac-address mac

[vlan vid]}
Optional
Open heartbeat
detection
dot1x detect [interface-list]
Optional
Heartbeat detection time

configuration
dot1x detect interval time
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 13
OSPF Configuration
OSPF Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 13
OSPF Configuration

comments to:
Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 13
OSPF Configuration
Contents
Contents ..................................................................................................................................... 3
Chapter 1 OSPF Configuration ................................................................................................. 4
1.1 OSPF Description ................................................................................................................. 4
1.1.1 Configuring OSPF ............................................................................................... 5

1.1.2 Basic OSPF Configuration ................................................................................... 6
1.1.3 OSPF Parameter Configuration ........................................................................... 6
1.1.4 OSPF Interface Configuration ............................................................................. 6
1.1.5 OSPF Area Configuration .................................................................................... 8
1.1.6 Configuration Examples .................................................................................... 10
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 13
OSPF Configuration
Chapter 1 OSPF Configuration

1.1 OSPF Description
Open Shortest Path First (OSPF) is an interior routing protocol, which is develop
ed by IETF based on the link state detection and shortest path first technologie
s. In an IP network, OSPF dynamically discovers and advertise routes by collectin
g and transmitting the link states of autonomous systems (ASs). It supports inter
face-based packet authentication for purposes of route calculation security and e
mploys IP multicast to send and receive packets.
Each OSPF router maintains a database that describes the topological structure o
f an AS. The database is a collection of link-state advertisements (LSAs) of all th
e routers. Every router always broadcasts the local state information across the
entire AS. If two or more routers exist in a multi-access network, a designated
router (DR) and a backup designated router (BDR) must be elected. The DR is r
esponsible for broadcasting the LSAs of the network. With a DR, a multi-address
access network may require less neighbor relationships to be established betwe
en routers. OSPF allows an AS to be divided into areas, between which routing
information is further abstracted. As a result, smaller network bandwidth will be
occupied.
OSPF uses four types of routes, which are listed in order of priority as follows:
Intra-area routes
Inter-area routes
Type 1 external routes
Type 2 external routes
Intra-area and inter-area routes describe the network structure of an AS, while
external routes depict how routes are distributed to destinations outside an AS.
Generally, type 1 external routes are based on the information imported by OSP
F from other interior routing protocols and comparable to OSPF routes in routin
g cost; type 2 external routes are based on the information imported by OSPF f
rom exterior routing protocols and the costs of such routes are far greater than
those of OSPF routes. Therefore, route calculation only takes the external costs
into consideration.
Based on the link state database (LSDB), each router builds a shortest path tree
with itself as the root, which presents the routes to every node in an AS. An
external route emerges as a leaf node and can also be marked by the router t
hat broadcasts the external route so that additional information about an AS is
recorded.
All the OSPF areas are connected to the backbone area, which is identified by
0.0.0.0. OSPF areas must be logically continuous. To achieve this end, virtual co
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 13
OSPF Configuration
nnection is introduced to the backbone area to ensure the logical connectivity o

f areas even if they are physically separated.
All the routers in an area must accept the parameter settings of the area. Ther
efore, the configuration of routers in the same area must be performed in cons
ideration of the parameter settings of the area. A configuration error may lead
to the failure of information transfer between adjacent routers and even routing
failures or routing loops.
1.1.1 Configuring OSPF
Table 1-1 OSPF configuration tasks
Configuration Task
Description
Details
Enables/Disables OSPF.
Mandatory
1.2.1
Configures the ID of a router.
Mandatory
1.2.2
Specifies an interface and area ID.
Mandatory
1.2.2
Mandatory
1.2.2
Configures an interface type.
Mandatory
1.2.3
Configures the interface overhead.
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Configures an OSPF stub area.
Optional
1.2.4
Configures an OSPF NSSA area.
Optional
1.2.4
Optional
1.2.4
Optional
1.2.4
Optional
1.2.4
Optional
1.2.4
Optional
1.2.4
Basic OSPF configuration
OSPF parameter configuration
Configures the authentication type fo

r an area.
Sets the priority of an interface in

DR election.
Sets the interval of sending Hello pa
ckets for an interface.
OSPF interface configuration
Sets the timeout time of the neighb

oring router.
Sets the interval of LSA retransmissi
on between two adjacent routers.
Sets the time for sending a link stat
e update packet.
Sets a password for packet authentic
ation.
Configures route aggregation in an O

SPF area.
Configures an OSPF virtual connectio
OSPF area configuration
n.
Imports routes of other protocols int
o OSPF.
Imports the default route into OSPF.
Configures the parameters for receivi
ng external routes.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 13
OSPF Configuration
1.1.2 Basic OSPF Configuration

Table 1-2 Basic OSPF configuration
Operation
Command
Remarks
Enters global configuration mode.
router rip
no router rip
1.1.3 OSPF Parameter Configuration

OSPF divides an AS into different areas, based on which routers are logically cla
ssified into different groups. Area border routers (ABRs) may belong to different
areas. A network segment belongs to only one area, that is, the homing area
of an OSPF interface must be specified. An area is identified by an area ID. Ro
utes between areas are transmitted by ABRs.
In addition, all the routers in an area must unanimously accept the parameter s
ettings of the area. Therefore, the configuration of routers in the same area mu
st be performed in consideration of the parameter settings of the area. A confi
guration error may lead to the failure of information transfer between adjacent
routers and even routing failures or routing loops.
Table 1-3 OSPF parameter configuration
Operation
Command
Remarks
router id router-id
no router id
Runs the command in OSPF configuration mo
network address wildcard-mask area ar
de.
ea-id
Runs the command in OSPF configuration mo
no network address wildcard-mask are
de.
a area-id
Configures the authentication type for an are
area area-id authentication [ message-
a.
digest ]
Restores the authentication type of an interf

ace to no authentication.
no area area-id authentication
1.1.4 OSPF Interface Configuration

OSPF calculates routes based on the topological structure of the network adjace
nt to the local router. Each router describes the topology of its adjacent networ
k and transmits it to the other routers. According to the link layer protocol, OS
PF classifies networks into the following four types:
Broadcast networks: When Ethernet or FDDI is used as the link layer protocol,
OSPF considers that the network type is broadcast by default.
Non Broadcast MultiAccess (NBMA) networks: When ATM is used as the link lay
er protocol, OSPF considers that the network type is NBMA by default.
Point-to-Multipoint networks: This network type will be considered as default in
no case. It is always a substitute of other network types through forcible chang
e. An NBMA network that is not fully meshed is often changed to a point-to-m
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 13
OSPF Configuration
ultipoint network.
Point-to-Point networks: When PPP, LAPB, or POS is used as the link layer proto
col, OSPF considers that the network type is Point-to-Point by default.
The ATM network is a typical NBMA network. A polling interval can be configur
ed to specify the interval of sending Hello packets before a router establishes a
neighbor relationship with its neighboring router.
On a broadcast network incapable of multi-address access, you can configure th
e interface type to nonbroadcast.
If some routers are not directly reachable on an NBMA network, you can config
ure the interface type to point-to-multipoint.
If a router has only one peer router on an NBMA network, you can set the int
erface type to point-to-point.
The differences between an NBMA network and a point-to-multipoint network ar
e as follows:
In OSPF, an NBMA network refers to a non-broadcast multi-access network that
is fully meshed. A point-to-multipoint network may not be fully meshed.
A DR and a BDR must be elected on an NBMA network but are not involved o
n a point-to-multipoint network.
NBMA is a default network type. For example, if the link layer protocol is ATM,
OSPF considers that the network type is NBMA by default no matter whether
the network is fully meshed. Point-to-multipoint is not a default network type.
No link layer protocol is viewed as a point-to-multipoint protocol. You can use t
his network type through a forcible change. An NBMA network that is not fully
meshed is often changed to a point-to-multipoint network.
On an NBMA network, packets are transmitted in unicast mode, which requires
you to configure neighbor relationship manually. On a point-to-multipoint networ
k, packets are transmitted in multicast mode.
An Ethernet switch uses Ethernet as the link layer protocol, so OSPF regards th
at the network type is broadcast. Do not change the network type of an Ethern
et switch at discretion.
Table 1-4 OSPF interface configuration
Operation
Command
Remarks
ip ospf network { broadcast | non-bro

Sets the network type of an interface.
adcast | point-to-multipoint | point-to-
point }
Restores the network type of an interface to
the default value.
Sets the cost of sending packets through a V
LAN interface.
Restores the packet sending cost of a VLAN
no ip ospf network
ip ospf cost cost

no ip ospf cost
interface to the default value.

Sets the priority of an interface in DR electi
ip ospf priority value
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 13
OSPF Configuration
Operation
Command
Remarks
on.
Restores the default priority of an interface.
Sets the interval of sending Hello packets for
an interface.
Restores the interval of sending Hello packets
for an interface to the default value.
Sets the timeout time of the neighboring ro
uter.
Restores the timeout time of the neighboring
router to the default value.
Sets the interval of LSA retransmission betwe
en two adjacent routers.
no ip ospf priority
ip ospf hello-interval seconds
no ip ospf hello-interval
ip ospf dead-interval seconds
no ip ospf dead-interval
ip ospf retransmit-interval seconds
Restores the interval of LSA retransmission b

etween two adjacent routers to the default
no ip ospf retransmit-interval
value.
Sets the time for sending a link state update
packet.
Restores the time for sending a link state up
date packet to the default value.
ip ospf transmit-delay seconds

no ip ospf transmit-delay
Sets a password for plaintext authentication.
ip ospf authentication-key password
Disables plaintext authentication.
no ip ospf authentication-key
Sets a password for MD5 authentication.

Disables MD5 authentication.
ip ospf message-digest-key key-id md5

key
no ip ospf message-digest-key
1.1.5 OSPF Area Configuration

A stub area is a special LSA area in which ABRs do not distribute the external
routes they have received. In stub areas, both the size of routing tables and th
e amount of the routing information are drastically reduced.
Any area that meets certain conditions can be configured into a stub area. Gen
erally, a stub area is located at the border of an AS. It may be a non-backbon
e area with only one ABR or a non-backbone area with multiple ABRs between
which no virtual connection is configured.
To make a stub area reachable for other ASs, the ABR in the stub area generat
es a default route (0.0.0.0) and advertises it to non-ABR routers in this area.
When configuring a stub area, note the following points:
l
A backbone area cannot be a stub area and a virtual connection is not allowed in a st
ub area.
All the routers in a stub area must be configured to indicate that they are located in
a stub area.
No ASBR is allowed in a stub area, that is, routes from outside the AS where the stub
area resides cannot be advertised within the stub area.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 13
OSPF Configuration
Table 1-5 OSPF area configuration

Operation
Command
Remarks
Configures a stub area.
area area-id stub [ no-summary ]
Cancels the stub area configuration.
no area area-id stub
Configures the cost of the default route to

a stub area.
Cancels the cost configuration for the defa
ult route to a stub area.
area area-id default-cost cost

no area area-id default-cost
Configures an NSSA area.
area area-id nssa [ no-summary ]
Cancels the NSSA area configuration.
no area area-id nssa
Configures the cost of the default route to

an NSSA area.
Cancels the cost configuration for the defa
ult route to an NSSA area.
area area-id default-cost cost

no area area-id default-cost
Configures route aggregation in an OSPF ar
area area-id range address mask [ ad
ea.
vertise | notadvertise ]
Removes route aggregation in an OSPF are

a.
no area area-id range address mask

area area-id virtual-link router-id [ {
hello-interval seconds | retransmit- in
Creates and configures a virtual connection.
terval seconds | transmit-delay secon

ds | dead-interval seconds | { authe
ntication-key password | message-dig
est-key keyid md5 key } } * ]
Cancels a virtual connection.
no area area-id virtual-link router-id
Imports routes of other protocols into OSP

F.
redistribute protocol [ metric metric ]

[ type { 1 | 2 } ] [ tag tag-value ]
[ prefix-list prefix-list-name]
Disables the import of routes of other prot

ocols into OSPF.
no redistribute protocol
default-information originate [ always
Imports the default route to OSPF.
] [ metric metric-value ] [ type type

-value ]
Disables the import of the default route.

Configures a default metric value for recept
ion of external routes.
Cancels the default metric value configurati
on for reception of external routes.
Configures the default type of external rout
no default-information originate
default redistribute metric metric
no default redistribute metric
default redistribute type { 1 | 2 }
es to be received.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 13
OSPF Configuration
Operation
Command
Remarks
By default, the
metric value i
s 1 and type i
Cancels the default type configuration for t

he external routes to be received.
s 2 for the ex
no default redistribute type
ternal routes t
o be received
by an OSPF ro
uter.
ip ospf distribute-list prefix-list prefixFilters the learned routes.
list-name in
no ip ospf distribute-list prefix-list in
ip ospf distribute-list prefix-list prefixlist-name out
Filters the advertised routes.
no ip ospf distribute-list prefix-list ou

t
Receives the routes from a specified neighb

oring Ethernet router.
ip ospf distribute-list gateway prefix-li

st-name in
no ip ospf distribute-list gateway in
Enables BFD for link state monitoring.
ip ospf bfd
Disables BFD.
no ip ospf bfd

! To configure MD5 authentication for OSPF area 1, run the following command:
Switch(config-router-ospf)#area 0.0.0.1 authentication message-digest
! To configure the cost of the default route 192.168.0.100 to 10, run the following comman
d:
Switch(config-router-ospf)#area 192.168.0.100 default-cost 10
! To aggregate the routes 202.38.160.0/24 and 202.38.180.0/24 into a route 202.38.0.0/16, ru
n the following command:
Switch(config-router-ospf)#network 202.38.160.3 255.255.255.0 area 1.1.1.1
Switch(config-router-ospf)#area 1.1.1.1 range 202.38.0.0 255.255.0.0
! To configure area 1.1.1.1 as a stub area, run the following command:
Switch(config-router-ospf)#area 1.1.1.1 stub
! To configure area 1.1.1.1 as an NSSA area, run the following command:
Switch(config-router-ospf)#area 1.1.1.1 nssa
! To configure a virtual connection, for which the transit area is 1.1.1.1 and router-id of th
e peer router is 10.11.5.2, run the following command:
Switch(config-router-ospf)#area 1.1.1.1 virtual-link 10.11.5.2
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 13
OSPF Configuration
! To configure that an ASE LSA is generated for a default route if any, run the following co
mmand:
Switch(config-router-ospf)#default-information originate
! To configure that an ASE LSA is generated for the default route and advertised to OSPF r
outing domains even if no default route exists, run the following command:
Switch(config-router-ospf)#default-information originate always
! To set the default routing metric value of an imported external route to 10, run the follo
wing command:
Switch(config-router-ospf)#default redistribute metric 10
! To configure that OSPF imports type 1 external routes by default, run the following comm
and:
Switch(config-router-ospf)#default redistribute type 1
! To set the password for plaintext authentication on VLAN interface 3 to abc123, run the f
ollowing command:
Switch(config-if-vlanInterface-3)#ip ospf authentication-key abc123
! To set the cost of running OSPF on VLAN interface 3 to 10, run the following command:
Switch(config-if-vlanInterface-3)#ip ospf cost 10
! To set the timeout time of the neighboring router on VLAN interface 3 to 60s, run the fo
llowing command:
Switch(config-if-vlanInterface-3)#ip ospf dead-interval 60
! To set the interval of transmitting OSPF Hello packets for VLAN interface 3 to 15s, run th
e following command:
Switch(config-if-vlanInterface-3)#ip ospf hello-interval 15
! To set the password for MD5 authentication on VLAN interface 3 to abc123, run the follo
wing command:
Switch(config-if-vlanInterface-3)#ip ospf message-digest-key 12 md5 abc123
! To configure VLAN interface 2 as a non-broadcast interface, run the following command:
Switch(config-if-vlanInterface-2)#ip ospf network non-broadcast
! To set the priority of VLAN interface 3 to 100, run the following command:
Switch(config-if-vlanInterface-3)#ip ospf priority 100
! To set the interval of retransmitting LSAs between VLAN interface 3 and its adjacent route
rs to 8s, run the following command:
Switch(config-if-vlanInterface-3)#ip ospf retransmit-interval 8
! To set the LSA transmission delay of VLAN interface 3 to 3s, run the following command:
Switch(config-if-vlanInterface-3)#ip ospf transmit-delay 3
! To run OSPF on the interfaces whose primary IP address is 192.168.0.100 and inverse mas
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 13
OSPF Configuration
k is 0.0.0.255 and set the ID of the area where these interfaces reside to 1.1.1.1, run the f
ollowing command:
! To import RIP routes into OSPF, run the following command:
Switch(config-router-ospf)#redistribute rip
! To use address prefix lists to match the routes learned by VLAN interface 2, run the follo
wing command:
Switch(config-if-vlanInterface-2)#ip ospf distribute-list prefix-list check in
! To enable OSPF BFD on VLAN interface 2, run the following command:
Switch(config-if-vlanInterface-2)#ip ospf bfd
! To set the router ID of a switch to 192.168.0.100, run the following command:
Switch(config)#router id 192.168.0.100
! To enable OSPF on a switch, run the following command:
Switch(config)#router ospf
! To disable OSPF on a switch, run the following command:
Switch(config)#no router ospf
! To display OSPF information, run the following command:
Switch(config)#show ip ospf
! To display the information of OSPF border routers, run the following command:
Switch(config)#show ip ospf border-routers
Switch(config-if-vlanInterface-2)#show ip ospf cumulative
! To display the information of OSPF LSDBs, run the following command:
Switch(config)#show ip ospf database
! To display the information of OSPF errors, run the following command:
Switch(config-if-vlanInterface-2)#show ip ospf error
! To display the information of OSPF interfaces, run the following command:
Switch(config)#show ip ospf interface
! To display the information of all the OSPF neighbors, run the following command:
Switch(config)#show ip ospf neighbor
! To display the information of an OSPF request list, run the following command:
Switch(config)#show ip ospf request-list
! To display the information of an OSPF retransmission list, run the following command:
Switch(config)#show ip ospf retrans-list
! To display the information of an OSPF virtual connection, run the following command:
Switch(config)#show ip ospf virtual-link
! To display the router ID, run the following command:
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 13
OSPF Configuration
Switch(config)#show router id
! To display the configured prefix lists, run the following command:
Switch(config)#show ip ospf distribute-link
d:
Switch(config)#show ip route rip
! To display the information of all the OSPF routing tables, run the following command:
Switch(config)#show ip route ospf
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 13
BFD Configuration
BFD Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 7
BFD Configuration
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 7
BFD Configuration
Contents
Contents ...................................................................... 3
Chapter 1 BFD Configuration ..................................................... 4
1.1 BFD Description ......................................................... 4
1.2 BFD Configuration ....................................................... 4
1.2.1 Configuring BFD ................................................... 4
1.2.2 Basic BFD Configuration ............................................. 4
1.2.3 Configuring BFD Parameters and Mode ................................ 5
1.2.4 Displaying and Maintaining BFD Configurations .......................... 5
1.2.5 Configuration Examples ............................................. 6
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 7
BFD Configuration
Chapter 1 BFD Configuration

1.1
BFD Description
Bidirectional Forwarding Detection (BFD) periodically checks the status of the peers
of a session and notifies a routing protocol of a fault if any immediately. Then the
routing protocol responds with a fast reroute action. Generally, the BFD interval is
shorter than 1s and therefore the convergence time of routing protocols is reduced.
For this reason, BFD can help routing protocols such as OSPF, RIP, and BGP to detect
the reachability of neighbors or link failures, which realizes fast reroute and ensures
link reliability.
1.2
BFD Configuration
1.2.1 Configuring BFD
Table 1-1 BFD configuration tasks

Configuration Task
Basic BFD configuration
Description
Performs the following configuration in
VLAN
Mandatory
1.2.2
Optional
1.2.3
Optional
1.2.3
Configures the BFD multiplier.
Optional
1.2.3
Configures the initial mode of BFD sessions.
Optional
1.2.3
Optional
1.2.3
Optional
1.2.3
Views the information of all the BFD sessions.
Mandatory
1.2.4
Views the BFD configuration of each interface.
Mandatory
1.2.4
interface mode.
Configures the desired minimum transmission
interval of BFD.
Configures the minimum request receiving
interval of BFD.
Configuring
BFD
parameters
and mode
Configures whether BFD sessions can enter the

demand mode.
Clears the statistics of the sent and received
packets for an interface.
Viewing BFD configurations
Details
1.2.2 Basic BFD Configuration
Table 1-2 Basic BFD configuration

Operation
Command
Runs the command in VLAN interface mode.
ip ospf bfd
Runs the command in VLAN interface mode.
no ip ospf bfd
PDF pdfFactory Pro
www.fineprint.cn
Remarks
OSPF BFD is disabled by
Page 4 of 7
BFD Configuration
Operation
Command
Remarks
default.
Currently,
only
OSPF BFD is supported.
1.2.3 Configuring BFD Parameters and Mode
Table 1-3 Configuring BFD parameters and mode

Operation
Configures
the
desired
Command
minimum
transmission interval of BFD.

Restores the desired minimum transmission
interval of BFD to the default value.
Configures the minimum request receiving
interval of BFD.
Restores the minimum request receiving
interval of BFD to the default value.
Configures the BFD multiplier.
bfd min-transmit-interval
Remarks
XX
no bfd min-transmit-interval
The default value is 400 ms.
bfd min-receive-interval XX
no bfd min-receive-interval
The default value is 400 ms.
bfd detect-multiplier XX
Restores the BFD multiplier to the default

value.
Configures whether BFD sessions can enter
the demand mode.
no bfd detect-multiplier
bfd demand { on | off }
Restores the configuration of whether BFD

sessions can enter the demand mode to the
no bfd demand
default value.
The default value is off (not

allowed).
bfd session init-mode { passive |
Configures the initial mode of BFD sessions.
active}
Restores the initial mode of BFD sessions to

the default value.
Clears the statistics of the sent and received
packets in BFD sessions through an interface.
no bfd session init-mode
The default value is active.
clear bfd statistics
Notes:
value: desired minimum packet transmission interval of an interface. It ranges from 200 to 1000
ms and is 400 ms by default.
Packet transmission interval = max(Desired minimum transmission interval, Minimum receiving
interval) x a percentage (from 70% to 90%)
1.2.4 Displaying and Maintaining BFD Configurations
Table 1-3 Displaying and maintaining BFD configurations

Operation
Command
PDF pdfFactory Pro
www.fineprint.cn
Remarks
Page 5 of 7
BFD Configuration
Views the information of all the BFD
sessions.
Views the BFD configuration of each
interface.
show bfd session [verbose]

show bfd interface [verbose]

! To enable OSPF BFD on interface vlan 1, run the following command:
Switch(config-if-vlanInterface-1)#ip ospf bfd
! To disable OSPF BFD on interface vlan 1, run the following command:
Switch(config-if-vlanInterface-1)#no ip ospf bfd
! To configure the desired minimum transmission interval of interface vlan 1 to 800 ms, run the
following command:
Switch(config-if-vlanInterface-1)#bfd min-transmit-interval 800
! To restore the desired minimum transmission interval of interface vlan 1 to the default value,
run the following command:
Switch(config-if-vlanInterface-1)#no bfd min-transmit-interval
! To configure the minimum request receiving interval of interface vlan 1 to 800 ms, run the
following command:
Switch(config-if-vlanInterface-1)#bfd min-receive-interval 800
! To restore the minimum request receiving interval of interface vlan 1 to the default value, run
the following command:
Switch(config-if-vlanInterface-1)#no bfd min-receive-interval
! To configure the number of allowable invalid BFD control packets to 8 on interface vlan 1, run
Switch(config-if-vlanInterface-1)#bfd detect-multiplier 8
! To restore the number of allowable invalid BFD control packets to the default value on interface
vlan 1, run the following command:
Switch(config-if-vlanInterface-1)#no bfd detect-multiplier
! To configure whether BFD sessions can enter the demand mode on interface vlan 1, run the
following command:
Switch(config-if-vlanInterface-1)#bfd demand on
! To configure that BFD sessions cannot enter the demand mode on interface vlan 1, run the
following command:
Switch(config-if-vlanInterface-1)#bfd demand off
! To configure BFD sessions to be passive on interface vlan 1, run the following command:
Switch(config-if-vlanInterface-1)#bfd session init-mode passive
! To configure BFD sessions to be active on interface vlan 1, run the following command:
Switch(config-if-vlanInterface-1)#bfd session init-mode active
Switch(config-if-vlanInterface-1)#clear bfd statistics
! To display the information of all the sessions, run the following command:
Switch(config)#show bfd session
! To display the detailed information of all the sessions, run the following command:
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 7
BFD Configuration
Switch(config)#show bfd session verbose
! To display the BFD parameters of each interface, run the following command:
show bfd interface
! To display the BFD parameter details of each interface, run the following command:
show bfd interface verbose
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 7
PIM Configuration
PIM Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 10
PIM Configuration
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 10
PIM Configuration
Contents
Contents ...................................................................... 3
Chapter 1 PIM Configuration ..................................................... 4
1.1 PIM Description ......................................................... 4
1.1.1 Principles of PIM-DM ............................................... 4
1.1.2 Principles of PIM-SM ............................................... 5
1.1.3 Principles of PIM-SSM .............................................. 6
1.2 PIM Configuration ....................................................... 6
1.2.1 Configuring PIM ................................................... 6
1.2.2 Basic PIM Configuration ............................................. 7
1.2.3 Advanced PIM Configuration ......................................... 7
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 10
PIM Configuration
Chapter 1 PIM Configuration

1.1
PIM Description
Protocol Independent Multicast-Dense Mode (PIM-DM) is a dense-mode multicast routing

protocol, which is applicable to small-sized networks. In a PIM-DM network, members of a
multicast group are densely distributed.
1.1.1 Principles of PIM-DM

The operation of PIM-DM can be understood as neighbor discovery, flooding-prune, and graft.
(1) Neighbor discovery
Upon startup, a PIM-DM router needs to discover neighbors by sending Hello packets. The
relationships between PIM-DM capable network nodes are maintained through exchange of
Hello packets. In PIM-DM, Hello packets are sent periodically.
(2) Flooding&Prune
PIM-DM assumes that all the hosts on a network are ready to receive multicast data. A
packet is transmitted from multicast source S to multicast group G. After receiving this
multicast packet, the router performs an RPF check based on the unicast routing table and
creates an (S,G) entry if the RPF check is successful. Then the router floods the packet to all
the downstream PIM-DM nodes in the network. The router discards the packet if the RPF
check fails (the multicast packet is from an incorrect interface). In the flooding process, an
(S,G) entry will be created in the PIM-DM multicast domain.
If no downstream node is a multicast group member, the router sends a Prune message to
notify the upstream node that data should not be sent to downstream nodes any more.
After receiving the Prune message, the upstream node removes the interface that sends the
multicast packet from the outbound interface list matching the (S,G) entry. Eventually, a
Shortest Path Tree (SPT) with S as the root is created. The prune process is initiated by a leaf
router.
The whole process is called the flooding&prune process. A timeout mechanism is made
available on a pruned router so that the router may initiate a flooding&prune process again
if the prune process times out. The flooding&prune mechanism of PIM-DM operates
periodically over and over again.
In the flooding&prune process, PIM-DM performs RPF check and builds a multicast
forwarding tree with the data source as the root based on the current unicast routing tables.
When a multicast packet arrives, the router first judges whether the path of the multicast
packet is correct. If the interface where the packet arrives is what specified in the unicast
route, the path is considered correct. Otherwise, the multicast packet is discarded as a
redundant packet and will not be forwarded in multicast mode. The unicast route may be
discovered by any unicast routing protocol such as RIP and OSPF instead of a specific routing
Page 4 of 10
PDF pdfFactory Pro
www.fineprint.cn
PIM Configuration
protocol.
(3) Assert
As shown in the following figure, multicast routers A and B are on the same LAN segment
and they have their respective paths to multicast source S. After receiving a multicast packet
from S, both of them will forward the packet on the LAN. As a result, the downstream
multicast router C will receive two identical multicast packets.
An upstream router uses the Assert mechanism to select the only forwarder. The upstream
router sends Assert messages to select the best route. If two or more paths have the same
priority and metric value, the router with the largest IP address is selected as the upstream
neighbor of the (S,G) entry and is responsible for forwarding the (S,G) multicast packet.
Multicast packet forwarded

by the upstream node
Receiver
Assert mechanism
(4) Graft
When the pruned downstream node needs to enter the forwarding state again, it sends a
Graft message to the upstream node. Before configuring the features of IGMP, you must
enable the multicast routing function.
(5) SRM
To avoid repeated flooding&prune actions, the SRM is added to new protocol standards. The
router in direct connection with the multicast source sends state update packets periodically.
After receiving a state update packet, the PIM-capable router refreshes the prune state.
1.1.2 Principles of PIM-SM

The operation of Protocol Independent Multicast-Sparse Mode (PIM-SM) can be understood as
neighbor discovery, rendezvous point tree (RPT) generation, multicast source registration, and
SPT switch. The neighbor discovery of PIM-SM is the same as that of PIM-DM.
(6) RPT generation
When a host joins a multicast group (G), the leaf router which is directly connected with the
host if detecting receivers of G by sending IGMP packets, calculates an RP for G and sends a
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 10
PIM Configuration
Join message to an upper-level node of the RP for participating in the multicast group. Every
router between the leaf router and the RP will generate a (*,G) entry in its forwarding table
and therefore they will forward any packets destined for G regardless of where the packets
come from. When the RP receives a packet bound for G, the packet will later be sent to the
leaf router along the established path and then reach the host. Finally an RPT with the RP as
the root is created.
(7) Multicast source registration
When multicast source S is sending a multicast packet to multicast group G, the PIM-SM
router which is directly connected with S encapsulates the multicast packet into a
registration packet and then sends it to an RP in unicast mode. If multiple PIM-SM routers
exist on a network segment, the designated router (DR) sends the multicast packet.
1.1.3 Principles of PIM-SSM

PIM-Source Specific Multicast (PIM-SSM) is dependent on PIM-SM and they may coexist on a
router. Whether PIM-SSM or PIM-SM is used is subject to the multicast address in a data or
protocol packet. IANA assigns SSM an address segment (232.0.0.0 to 232.255.255.255). The
multicast groups on this address segment will not join an RPT but is processed by SSM. In
PIM-SSM, Hello packets are also transmitted periodically between routers for neighbor discovery
and DR election.
Usually IGMPv3 is deployed on the host to establish and maintain multicast group memberships.
Compared with IGMPv2, IGMPv3 is designed with the source-based filtering function. This
function allows a host to receive only the data from a specific group and even from a specific
source in this group. Based on a received IS_IN packet of IGMPv3, the SSM-enabled router learns
that a host on the network connected with the interface receiving the IS_IN packet wants to
receive (S,G) packets. This router unicasts a PIM (S,G) Join message to the next-hop router of the
multicast source hop by hop and thereby an SPT can be established between the multicast source
and the last-hop router. When the multicast source is sending multicast data, the data reaches
the receiver along the SPT.
If a host supports only IGMPv1/IGMPv2, you can configure SSM mapping on the router connected
with the host to convert the (*,G) Join messages of IGMPv1/IGMPv2 into (S,G) Join messages.
1.2
PIM Configuration
1.2.1 Configuring PIM

The operations listed in Table 1-1 must be performed sequentially during PIM configuration. It is
recommended that PIM-DM be enabled on all the interfaces of a non-border router running in
PIM-DM domains. In contrast, PIM-SM does not need to be enabled on every interface.
Table 1-1 PIM configuration tasks
Configuration Task
PDF pdfFactory Pro
www.fineprint.cn
Description
Details
Page 6 of 10
PIM Configuration
Configuration Task
Basic PIM configuration
Description
Details
Enables EFM.
Mandatory
1.2.2
Configures EFM mode.
Mandatory
1.2.2
Optional
1.2.3
Enables a multicast protocol.
Optional
1.2.3
Enables PIM-DM or PIM-SM.
Optional
1.2.3
Optional
1.2.3
Optional
1.2.3
Optional
1.2.3
Optional
1.2.3
Optional
1.2.3
Configures a static RP.
Optional
1.2.3
Specifies a candidate BSR.
Optional
1.2.3
Specifies a candidate RP.
Optional
1.2.3
Configures the SPT switching threshold.
Optional
1.2.3
Optional
1.2.3
Configures the transmission interval of Hello

packets.
Sets the domain border of a bootstrap router

(BSR).
Enters the PIM mode.
Configures multicast source (group)-based
Advanced PIM
filtering.
configuration
Configures PIM neighbor filtering.

Configures the maximum of PIM neighbors for
an interface.
Configures the range of an SSM multicast

group.
1.2.2 Basic PIM Configuration
Table 1-2 Basic PIM configuration

Operation
Command
Remarks
Enables PIM-DM on an interface.
ip pim dense-mode
Disables PIM-DM on an interface.
no ip pim dense-mode
Enables PIM-SM on an interface.
ip pim sparse-mode
Disables PIM-SM on an interface.
no ip pim sparse-mode
Note: Enable a multicast protocol before PIM-SM on an interface.
1.2.3 Advanced PIM Configuration
Table 1-3 Advanced PIM configuration

Operation
Command
Configures the transmission interval of Hello
Remarks
ip pim query-interval seconds
Restores the default transmission interval.
i no ip pim query-interval
Configures an interface as the border of a BSR.
ip pim bsr-border
packets.
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 10
PIM Configuration
Operation
Command
Deletes the BSR border configuration of an

interface.
no ip pim bsr-border
Enters the PIM mode.
pim
Exits the PIM mode.
exit
Filters the received multicast packets based on

the source.
source-policy acl-number
Cancels source-based filtering.
no source-policy
Filters PIM neighbors.
ip pim neighbor-policy acl-number
Cancels PIM neighbor filtering.
no ip pim neighbor-policy
Configures the maximum of PIM neighbors for an

interface.
Remarks
ip pim neighbor-limit limit
Restores the default value.
no ip pim neighbor-limit
Configures a static RP.
static-rp address
Deletes a static RP.
no static-rp
bsr-candidate interface-type
Configures a C-BSR.
interface-number hash-mask-length
priority
Deletes a C-BSR.
no bsr-candidate
rp-candidate interface-type
Configures a C-RP.
interface-number group-list acl-number

priority
rp-candidate interface-type
Deletes a C-RP.
interface-number group-list acl-number
Configures a switching threshold.
spt-threshold { immediately | infinity }
Restores the default switching threshold.
no spt-threshold
Displays the information of PIM interfaces.
show ip pim interface [ vlan-interface vid ]
Displays the information of PIM neighbors.
show ip pim neighbor
Displays the multicast routing tables learned by
show ip mroute group-address [ static |
PIM, including static and dynamic routing entries.
dynamic ]
Displays dynamic and static RPs of PIM.
show ip pim rp-info group-address
Displays the information of BSRs, including the

elected BSR and local C-BSRs.
show ip pim bs
Displays the range of SSM group addresses.
show ip pim ssm range
Configures the range of an SSM multicast group.
ssm {default | range access-list}
Deletes the configuration of the range of an SSM

multicast group.
no ssm {default | range access-list}
Note: Be sure to enable PIM on an interface before configuring the PIM attributes of the
interface. This point must be noted when you use the commands for configuring interface
attributes and will not be given again.
Ensure that all the devices in the domain are configured with the same range of SSM multicast
group addresses. Otherwise, multicast information cannot be transmitted using the SSM
model.
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 10
PIM Configuration
If members of an SSM multicast group send Join messages over IGMPv1 or IGMPv2, (*,G) Join
messages will not be triggered.

! To configure the last member query interval to 60s on interface 1, run the following command:
Switch(config-if-vlanInterface-1)#ip pim query-interval 60
! To run PIM-SM on VLAN interface 1, run the following command:
Switch(config-if-vlanInterface-1)#ip pim sparse-mode
! To enable the bsr-border function on a PIM-SM interface, run the following command:
Switch(config-if-vlanInterface-1)#ip pim bsr-border
! To enter the PIM mode, run the following command:
Switch(config)#mroute pim
! To display multicast routing tables, run the following command:
Switch(config-if-vlanInterface-1)#show ip mroute
! To display a PIM neighbor list, run the following command:
Switch(config-if-vlanInterface-1)# show ip pim neighbor
! To display the information of PIM interfaces, run the following command:
Switch(config-if-vlanInterface-1)#show ip pim interface
! To display the information of all the PIM RPs, run the following command:
Switch(config-if-vlanInterface-1)#show ip pim rp-info
! To display the information of the current BSRs, run the following command:
Switch(config-if-vlanInterface-1)#show ip pim bsr
! To configure a switch to forward only the multicast packets from 192.168.1.1, run the following
commands:
Switch (config)# access-list 1 permit 192.168.1.1 0
Switch(config-pim) # source-policy 1
! To configure a static RP to 192.168.1.1, run the following command:
Switch(config-pim) # static-rp 192.168.1.1
! To configure VLAN interface 1 of a switch as a C-BSR, run the following command:
Switch(config-pim) # bsr-candidate vlan-interface 1 10 10
! To configure VLAN interface 1 of a switch as a C-RP, run the following command:
Switch(config-pim) # rp-candidate vlan-interface 1 group-list 1 10
! To configure the switching threshold of a switch to infinity, run the following command:
Switch(config-pim) # spt-threshold infinity
The following describes how to configure the SSM service by using an ACL to specify an address
range.
access-list 4 permit 224.2.151.141
mroute pim
ssm range 4
The following describes how to view the information of an SSM group address range.
Switch# show ip pim ssm range
Group Address
Mask Length ACL
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 10
PIM Configuration
237.0.0.0
8
1
Totle ssm group range entries:1.
The following shows the default SSM group address range.
Switch# show ip pim ssm range
Group Address
Mask Length Desc
232.0.0.0
8
default
The following displays the information when no SSM group address range is configured.
Switch # show ip pim ssm range
No configged ssm group range.
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 10
VRRP Configuration
VRRP Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 7
VRRP Configuration
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 7
VRRP Configuration
Contents
Contents ...................................................................... 3
Chapter 1 VRRP Configuration .................................................... 4
1.1 VRRP Description........................................................ 4
1.2 VRRP Configuration ...................................................... 4
1.2.1 Configuring VRRP .................................................. 4
1.2.2 Basic VRRP Configuration............................................ 5
1.2.3 Configuring VRRP Parameters ........................................ 5
1.2.4 Displays and Maintaining VRRP Configurations ........................... 7
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 7
VRRP Configuration
Chapter 1 VRRP Configuration

1.1
VRRP Description
On a TCP/IP network, routes must be configured between two devices without a physical
connection to ensure their communication. Currently, routes can be specified through dynamic
learning by means of a routing protocol (such as RIP and OSPF) or static configuration. It is
impractical to run a dynamic routing protocol on every terminal. Most client operating systems
do not support the dynamic routing and they are still under the restraint of management
overhead, convergence degree, and security even if they can be configured with a routing
protocol. Usually, static routes are configured for IP terminals by specifying one or more default
gateways. Static routing simplifies network management and reduces the communication
overhead of terminals. However, if a switch functioning as a default gateway is damaged, the
communication in which the switch is used as the next-hop host will inevitably be interrupted. A
terminal will not be switched to a new gateway even if there are multiple default gateways until it
is restarted. Virtual Router Redundancy Protocol (VRRP) can rectify the defect of static routing.
VRRP introduces two pairs of concepts: VRRP switch and virtual switch, master switch and backup
switch. A VRRP switch is a real switch where VRRP runs, while a virtual switch is a logical switch
created by VRRP. A group of VRRP switches form a virtual switch, which is also called a backup
group. The virtual switch is represented as a logical switch with a unique IP address and MAC
address. Switches in a VRRP group are classified into master switches and backup switches. A
VRRP group has only one master switch and one or more backup switches. VRRP selects a master
switch from the switch group. The master switch responds to ARP requests and forwards IP
packets, and the other switches are standby as a backup. If the master switch is faulty due to
some reason, a backup switch will become the master one within several seconds. Such a
switchover is completed very quickly without requiring you to change the IP address or MAC
address, and therefore it is transparent to terminal users.
1.2
VRRP Configuration
1.2.1 Configuring VRRP
Table 1-1 VRRP configuration tasks

Configuration Task
Basic VRRP configuration
Mandatory
1.2.2
Sets the priority of a backup group.
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
Mandatory
1.2.3
backup groups.
Sets the timer of a backup group.
Enables the function of pinging a virtual IP
address.
PDF pdfFactory Pro
Details
Adds or deletes a virtual IP address.
Sets the preemption mode and delay for

Configuring VRRP parameters
Description
www.fineprint.cn
Page 4 of 7
VRRP Configuration
Configuration Task
Description
Configures an interface to be monitored for a

backup group.
Displaying and maintaining VRRP
configurations
Displays and maintains VRRP configurations.
Details
Mandatory
1.2.3
Mandatory
1.2.4
1.2.2 Basic VRRP Configuration

The ip vrrp vrid vip command is used to assign a virtual switch (or a backup group) an IP address
on the local network segment. The no form of this command is used to remove the virtual IP
address of a backup group from the virtual IP address list.
Table 1-2 Basic VRRP configuration
Operation
Command
Runs the command in VLAN/superVLAN interface configuration

mode.
Runs the command in VLAN/superVLAN interface configuration
mode.
Remarks
ip vrrp vrid vip
no ip vrrp vrid [vip]
Description:
The backup group number ranges from 1 to 255. A virtual address can be an unassigned IP
address on the network segment where the backup group resides or the IP address of an
interface belonging to the backup group. A maximum of 255 backup groups can be configured.
The IP address of the switch itself can be configured. In this case, the switch is known as an IP
address owner. When the first IP address is assigned to a backup group, VRRP creates the
backup group. Other virtual IP addresses configured for the backup group will only be added to
the virtual IP address list of the backup group. A backup group can be configured with eight IP
addresses at most. A backup group will be deleted together with the last virtual IP address.
That is, this backup group does not exist on the interface and all configurations of the backup
group will no longer take effect.
[Example]:
! To configure a backup group whose virtual IP address is 192.168.1.1 on VLAN interface 1, run
Switch(config-if-vlanInterface-1)#ip vrrp 1 192.168.1.1
1.2.3 Configuring VRRP Parameters

The master switch in a backup group will not be replaced unless it is faulty even if another switch
is configured with a higher priority later. However, if the preemption mechanism is applied, a
switch will become the master switch if its priority is higher than that of the master switch and
the original master switch will become a backup switch accordingly. When preemption is enabled,
you can set the delay of preemption. Then a backup switch becomes master after the delay. A
backup switch will become the master switch if it does not receive a packet from the original
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 7
VRRP Configuration
master switch. However, if a network has unstable performance, a backup switch may not receive
a packet due to network congestion but the master switch is still working properly. In this
situation, the backup switch will receive a packet from the master switch after waiting a short
time. As a result, frequent switchovers can be avoided. The delay ranges from 0 to 255 seconds.
The master switch sends VRRP packets within the VRRP backup group at an interval specified by
adver_interval to indicate that it is working properly. If the backup switch does not receive a
VRRP packet from the master switch within a period of time specified by master_down_interval,
it regards that the master switch is faulty and changes its state to Master.
You can modify the value of adver_interval by running a timer setting command. The value of
master_down_interval is three times that of adver_interval. An abnormal switchover may occur
in the event of extremely large traffic or variance in timer settings between switches. To solve this
problem, you can set adver_interval to a greater value or modify the preemption delay. The
value of adver_interval is in the unit of second.
Table 1-3 Configuring VRRP parameters
Operation
Command
Runs the command in VLAN/superVLAN interface
vrrp priority vrid
configuration mode.
priority

configuration mode.
no vrrp priority vrid
vrrp preempt vrid
configuration mode.
[ delay delay ]

configuration mode.
vrrp timer vrid
configuration mode.
adver-interval
configuration mode.
The priority ranges from 0 to

255. A larger value indicates
a higher priority.
-
no vrrp preempt vrid

Remarks
no vrrp timer vrid

By default, the function of
Runs the command in global configuration mode.
vrrp ping-enable
pinging a virtual IP address

is disabled.
Runs the command in global configuration mode.

configuration mode
no vrrp ping-enable
vrrp track
no vrrp track
configuration mode
Note: The priority of the IP address owner cannot be changed and is always 255.
[Parameter description]
vrid: virtual group ID, in the range of 1 to 255;
vlan-id: ID of the VLAN to which a VLAN interface belongs;
supervlan-id: ID of the super VLAN to which a superVLAN interface belongs;
pri-value: priority to be reduced if the interface under monitoring is down.
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 7
VRRP Configuration
1.2.4 Displays and Maintaining VRRP Configurations
Table 1-4 Displaying and maintaining VRRP configurations.

Operation
Runs the command in any mode.
Command
Remarks
show vrrp [ vlan-interface vlan-id [ vrid ] ]

! To configure the advertisement interval of backup group 1 to 1s, run the following command:
Switch(config-if-vlanInterface-1)#vrrp priority 1 200
! To enable a non-IP address owner to respond to ping requests, run the following command:
Switch(config)#vrrp ping-enable
! To configure the preemption mode and delay for a backup group, run the following command:
Switch(config-if-vlanInterface-1)#vrrp preempt 1 delay 3
! To configure the priority of a switch in backup group 1 to 200, run the following command:
Switch(config-if-vlanInterface-1)#vrrp timer 1 1
! To configure that the priority is reduced by 20 if VLAN interface 2 of backup group 1 under
monitoring is down, run the following command:
Switch(config-if-vlanInterface-1)#vrrp track 1 vlan-if 2 reduced 20
! To display the VRRP information configured on a switch, run the following command:
Switch#show vrrp
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 7
VLAN Extended Attribute Configuration
VLAN Extended Attribute

Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 8
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 8
Contents
Contents ...................................................................... 3
Chapter 1 VLAN Extended Attribute Configuration .................................... 4
1.1 Introduction to VLAN Extended Attributes .................................... 4
1.2 VLAN Extended Attribute Configuration ...................................... 4
1.2.1 VLAN Extended Attribute Configuration List ............................. 4
1.2.2 MAC Address-Based VLAN Configuration ............................... 4
1.2.3 Protocol-Based VLAN Configuration ................................... 4
1.2.4 Configuring the VLAN Conversion Function .............................. 5
1.2.5 Configuring the N:1 VLAN Conversion Function .......................... 6
1.2.6 Configuring the vlan-trunking Function ................................. 7
1.2.7 Configuring the vlan-swap Function ................................... 7
1.3 Configuration Instance ................................................... 8
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 8
Chapter 1 VLAN Extended Attribute

Configuration
1.1
Introduction to VLAN Extended Attributes
After a packet enters the switch, the PVID of the specified port of the switch is used as the VLAN
ID of the packet. In addition, the VLAN ID can be specified based on other schemes, including:
l
MAC address-based VLAN
l
Protocol-based VLAN
l
VLAN ID conversion based on the VLAN conversion table
1.2
1.2.1 VLAN Extended Attribute Configuration List

Table 1-1 MAC address-based VLAN configuration list
Configuration Task
Description
Detailed Configuration
Configuring a MAC address-based VLAN table
Mandatory
1.2.2
Configuring the protocol-based VLAN function
Mandatory
1.2.3
Configuring the VLAN conversion function
Mandatory
1.2.4
Configuring the N:1 VLAN conversion function
Mandatory
1.2.5
1.2.2 MAC Address-Based VLAN Configuration

Packets are assigned a VLAN ID and 802.1q priority based on their source MAC addresses.
Table 1-2 MAC address-based basic VLAN configuration
Operation
Command
Remarks
Enter the global configuration mode.
configure terminal
N/A
Configure the vlan-mac table and allocate the

VLAN ID and priority for the corresponding
MAC address based on the configuration table.
vlan-mac-table mac-address vlan

priority
Optional
Delete the configured vlan-mac entries.
no vlan-mac-table [ mac-address ]
Optional
1.2.3 Protocol-Based VLAN Configuration

PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 8

Each packet is assigned a VLAN ID based on the protocol. The above-mentioned protocol refers to
the frame type (snap-llc and non-snap-llc defined in ethernetv2,802.3) and the value of the
Ethernet type (for example, 0806 for ARP).
Protocol-based VLAN configuration involves:
l
In global configuration mode, configure the contents in the vlan-protocol table to specify the
frame type and Ethernet type. A total of 12 entries can be configured.
l
In port mode, specify a VLAN ID for a vlan-protocol entry and enable the protocol-based
VLAN function for the port.
Table 1-3 Protocol-based VLAN configuration
Operation
Command
Remarks
configure terminal
N/A
Configure the protocol-based vlan table

and match packets based on the
configured protocol number.
vlan-protocol table index <id>

ethertype <type> protocol
<encapsulation>
OptionalA total
of 12 entries
can be
configured.
Delete the configured protocol-based

VLAN entries.
no vlan-protocol table [ index <id> ]
Optional
Enter the port configuration mode.
N/A
Specify the VLAN IDs to be allocated to

the protocol-based VLAN entries
configured in global configuration mode
under this port.
vlan-protocol table index <id> vlan

<vid>
Optional
Delete the protocol-based VLAN entries

under this port and stop allocating the
VLAN ID to the protocol number
specified by the entry.
no vlan-protocol table [ index <id> ]
Optional
Enable the protocol-based VLAN

function of the port.
vlan-protocol
Optional
Disable the protocol-based VLAN

no vlan-protocol
Optional
1.2.4 Configuring the VLAN Conversion Function

VLAN conversion covers the ingress process and egress process. Different VLAN conversion tables
are used in these two processes.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 8

Table 1-4 Configuring the VLAN conversion function
Operation
Command
Remarks
configure terminal
N/A
Configure the start VLAN in the

VLAN conversion table and the new
VLAN ID.
vlan-translate { ingress | egress } table

<startvid> <endvid> <new vid>
Optional
Delete VLAN conversion entries.
no vlan-translate { ingress | egress } table

[<startvid> <endvid>]
Optional
N/A
Enable the VLAN conversion

function of the port and perform
conversion based on the rules
configured in global configuration
mode.
vlan-translate { ingress | egress }
Optional
Disable the VLAN conversion

no vlan-translate { ingress | egress }
Optional
1.2.5 Configuring the N:1 VLAN Conversion Function

The N:1 VLAN conversion function is used when users A, B, and C use VLAN A, VLAN B, and VLAN
C respectively but the upstream server uses VLAN D. In this case, VLANs A to C need to be
converted into VLAN D for upstream data streams and VLAN D needs to be converted into VLANs
A to C for downstream data streams.
For upstream data streams, the vlan-translate egress function is required for VLAN conversion at
the egress.
For downstream data streams, the following schemes can be used to configure VLAN conversion:
l
Static configuration: Run the acl command to match the MAC and IP addresses of the user
for VLAN conversion.
l
Dynamic configuration: Enable DHCP Snooping for N:1 VLAN function and perform
automatic matching based on the user information obtained by using the DHCP snooping
function for VLAN conversion.
Table 1-5 Configuring the N:1 VLAN conversion function
Operation
Command

Enable the automatic N:1 VLAN
conversion function for downstream data
in the dhcp-snooping command in the
system.
configure terminal
N/A
dhcp-snooping nto1-vlan
Optional (The DHCP

snooping function
must be first
enabled.)
PDF pdfFactory Pro
Remarks
www.fineprint.cn
Page 6 of 8

Disable the automatic N:1 VLAN
conversion function for downstream data
in the dhcp-snooping command in the
system.
no dhcp-snooping nto1-vlan
Optional
1.2.6 Configuring the vlan-trunking Function

This switch supports the function of transparently transmitting packets with an unknown VLAN.
It neither modifies the packets to be transparently transmitted nor learns the MAC address for
the packets with an unknown VLAN.
One device can be configured with only one VLAN transparent transmission group. Each
transparent transmission group includes two ports that still process the packets with an existing
VLAN based on the VLAN processing flow. The packet with an unknown VLAN is directly
forwarded to another port, with no other operations performed.
Table 1-6 Configuring the vlan-trunking function
Operation
Command
Remarks
configure terminal
N/A
Configure a vlan-trunking group and

specify two interconnection ports.
vlan-trunking ethernet interface-num

Optional
Delete the vlan-trunking group.
no vlan-trunking
Optional
show vlan-trunking
This command
can be run in all
modes.
Display the current vlan-trunking

group.
1.2.7 Configuring the vlan-swap Function

The switch supports the vlan-swap function based on port configurations to replace the VLAN ID
of the packet whose VLAN ID is within the configured range with a new VLAN ID.
The effects of the vlan-swap function are the same as those of the vlan-translate function except
that the vlan-translate function is globally configured and enabled under the port and the
vlan-swap function is implemented directly by using ACL resources.
Table 1-7 Configuring the vlan-swap function
Operation
Command
Remarks
configure terminal
N/A
N/A
Modify the VLAN ID of the packet

whose VLAN ID ranges from startvid
vlan-swap <startvid> <endvid> <new

vid>
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 8

and endvid to a new VLAN ID.
Delete the vlan-swap function under
the port.
no vlan-swap {all | <startvid>

<endvid> <new vid>}
Optional
Display information about the

configured vlan-swap function.
show vlan-swap
This command
can be run in all
modes.
1.3
1)
2)
3)
4)
5)
Configuration Instance
To configure a MAC address-based VLAN entry and add a tag with the VLAN ID being 5 and
802.1q priority being 4 for the untagged packet whose source MAC address is
00:01:7f:00:01:02, run the following command:
Switch (config)#vlan-mac-table 00:01:7f:00:01:02 5 4
To configure a protocol-based VLAN entry and add a tag with the VLAN ID being 5 for the
untagged packet with the frame type being Ethernet II, Ethernet type being 0x900, and
ingress port number being 4, run the following commands:
Switch (config)# vlan-protocol table index 0 ethertype 900 protocol ethernetv2
Switch (config)#interface ethernet 0/0/4
Switch (config-if-ethernet-0/0/4)#vlan-protocol table index 0 vlan 5
Switch (config-if-ethernet-0/0/4)#vlan-protocol
To change the VLAN ID of the packet entering the switch from port 4 from 5 to 8, run the
following commands:
Switch (config)#vlan-translate ingress table 5 5 8
Switch (config)#interface ethernet 0/0/4
Switch (config-if-ethernet-0/0/4)#vlan-translate ingress
To configure port 1 and port 4 as the vlan-trunking port group of the device, run the
following commands:
Switch(config)#vlan-trunking ethernet 0/0/1 ethernet 0/0/4
Switch(config)#sho vlan-trunking
vlan trunking : ethernet 0/0/1 ethernet 0/0/4
To change the VLAN ID of the packets with the VLAN ID ranging from 2 to 6 and the ingress
port number being 4 to 8, run the following commands:
Switch(config-if-ethernet-0/0/4)#vlan-swap 2 6 8
Switch(config)#show vlan-swap
port ID original start vlan
original end vlan
swap vlan
0/0/4
2
6
8
Total entries: 1 .
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 8
L3 Function Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 12
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 12
Contents
Contents ...................................................................... 3
Chapter 1 L3 Function Configuration ............................................... 4
1.1 Introduction to L3 Functions ............................................... 4
1.2 L3 Function Configuration ................................................. 4
1.2.1 L3 Function Configuration List ........................................ 4
1.2.2 Planning VLANs and Creating L3 Interfaces .............................. 4
1.2.3 Configuring the Forwarding Mode ..................................... 5
1.2.4 Creating VLAN Interfaces for Common VLANs............................ 5
1.2.5 Creating SuperVLAN Interfaces and Adding VLANs to the SuperVLAN ......... 6
1.2.6 Configuring IP Addresses for VLAN or SuperVLAN Interfaces ................ 6
1.2.7 Configuring an IP Address Range for VLAN or SuperVLAN Interfaces .......... 7
1.2.8 Configuring the ARP Proxy ........................................... 8
1.2.9 Displaying VLAN and SuperVLAN Interface Information .................... 8
1.2.10 Configuring URPF ................................................. 9
1.2.11 Disabling the Function of Sending ICMP Packets with an Unreachable
Destination Host on Interfaces ............................................ 9
1.3 Configuration Instance .................................................. 10
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 12
Chapter 1 L3 Function Configuration

1.1
Introduction to L3 Functions
GPON is a 10-Gigabit intelligent routing switch based on the application specific integrated circuit
(ASIC) technology and supports layer 2 (L2) and layer 3 (L3) forwarding. It performs L2 forwarding
when hosts in the same virtual local area network (VLAN) access each other and L3 forwarding
when hosts in different VLANs access each other.
1.2
1.2.1 L3 Function Configuration List

Table 1-1 L3 function configuration list
Configuration Task
Description
Detailed
Configuration
Planning VLANs and creating L3 interfaces
Mandatory
1.2.2
Configuring the forwarding mode
Mandatory
1.2.3
Creating VLAN interfaces for common VLANs
Mandatory
1.2.4
Creating superVLAN interfaces and adding VLANs to the

superVLAN
Mandatory
1.2.5
Configuring IP addresses for VLAN or superVLAN interfaces
Mandatory
1.2.6
Configuring an IP address range for VLAN or superVLAN

interfaces
Mandatory
1.2.7
Configuring the Address Resolution Protocol (ARP) proxy
Mandatory
1.2.8
Displaying interface configurations
Mandatory
1.2.9
Configuring unicast reverse path forwarding (URPF)
Mandatory
1.2.10
Disabling the function of sending Internet Control Message

Protocol (ICMP) packets with an unreachable destination host
on interfaces
Mandatory
1.2.11
1.2.2 Planning VLANs and Creating L3 Interfaces

For details about VLAN planning, see VLAN configurations.
L3 interfaces are classified into common VLAN interfaces and superVLAN interfaces. Common
VLAN interfaces are created on VLANs and superVLAN interfaces on superVLANs (superVLANs do
not exist or contain any port). A superVLAN can contain multiple sub VLANs that exist. The
Page 4 of 12
PDF pdfFactory Pro
www.fineprint.cn
system supports a maximum of 256 L3 interfaces, including a maximum of 128 superVLAN
interfaces.
There are a maximum of 256 VLANs contained in all L3 interfaces and each VLAN can exist only in
one L3 interface. In a superVLAN, an interface can be untagged only in one sub VLAN and must
be tagged in other sub VLANs.
For details about the commands for creating L3 interfaces, see section 1.2.4.
1.2.3 Configuring the Forwarding Mode

GPON supports stream forwarding and network topology-based forwarding. In stream
forwarding mode, GPON identifies the failed route or the unreachable destination host route
and sends packets to the CPU for further processing. In network topology-based forwarding
mode, GPON directly discards the packets. By default, GPON works in stream forwarding
mode.
Table 1-3 Configuring the forwarding mode
Operation
Command
Remarks
configure terminal
N/A
Set the packet forwarding mode in the

system to stream forwarding.
ip def cpu
Optional
Set the packet forwarding mode in the

system to network topology-based
forwarding.
no ip def cpu
Optional
Display the configured packet forwarding

mode.
show ip def cpu
This command can be

run in all modes.
1.2.4 Creating VLAN Interfaces for Common VLANs

A VLAN interface needs to be configured for each VLAN that performs L3 forwarding or the VLAN
needs to be added to the superVLAN.
Table 1-4 Configuring the VLAN conversion function
Operation
Command
Remarks
configure terminal
N/A
Create a VLAN interface with the VLAN

ID being vid and enter the VLAN
interface vlan-interface <vid>
Optional
Return to the global configuration

mode.
exit
N/A
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 12
Delete the VLAN interface with the
VLAN ID being vid.
no interface vlan-interface <vid>
Optional
1.2.5 Creating SuperVLAN Interfaces and Adding VLANs to the
SuperVLAN
SuperVLAN interfaces are used for communication between hosts in different VLANs in the same
network segment. SuperVLAN interfaces are implemented through the ARP proxy.
Table 1-5 Creating superVLAN interfaces and adding VLANs to the superVLAN
Operation
Command
Remarks
configure terminal
N/A
Create a superVLAN interface with the

interface ID being vid and enter the
superVLAN interface configuration mode.
interface supervlan-interface
<vid>
Optional
Return to the global configuration mode.
exit
N/A
Delete the superVLAN interface with the

interface ID being vid.
no interface
supervlan-interface <vid>
Optional
Configure sub VLANs for the superVLAN

interface.
subvlan <vid>
Optional
Delete the sub VLANs configured for the

superVLAN interface.
no subvlan <vid>
Optional
1.2.6 Configuring IP Addresses for VLAN or SuperVLAN Interfaces

Each VLAN or superVLAN interface can be configured with a maximum of 32 IP addresses and the
IP addresses of VLAN or superVLAN interfaces cannot be in the same network segment. The first
IP address of an interface will be automatically selected as the primary IP address. When the
primary IP address is deleted, the interface automatically selects another IP address as the
primary IP address or a configured IP address can be manually specified as the primary IP address.
For example, if the IP address of VLAN interface 1 is 10.11.0.1/16, the IP addresses of other
interfaces must not be in the 10.11.0.0/16 network segment (such as 10.11.1.1/24).
Table 1-6 Configuring IP addresses for VLAN or superVLAN interfaces
Operation
Command
Remarks
configure terminal
N/A
Enter the VLAN or superVLAN
N/A
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 12
interface supervlan-interface <vid>
Configure an IP address and a mask

for the interface.
ip address <ipaddress> <ipaddress

mask>
Optional
Delete all IP addresses of the

interface.
no ip address
Optional
Delete the specified IP address of

the interface.
no ip address <ipaddress> <ipaddress

mask>
Optional
Configure the primary IP address for

the interface.
ip address primary <ipaddress>
Optional
1.2.7 Configuring an IP Address Range for VLAN or SuperVLAN
Interfaces
Each VLAN or superVLAN interface can be configured with a maximum of eight IP address ranges.
After an IP address range is configured, only the ARP entries within this range can be learnt so as
to restrict user access. When a VLAN or superVLAN interface is deleted, relevant configurations
are automatically deleted.
For superVLAN interfaces, sub VLANs can be specified at the same time so that the set address
range is applicable only to these sub VLANs.
Table 1-7 Configuring the IP address range for VLAN or superVLAN interfaces
Operation
Command
configure terminal
Enter the VLAN or superVLAN interface

configuration mode.

interface supervlan-interface <vid>
Remarks
N/A
N/A
Configure the IP address range

supported by this interface, ranging
from startip to endip.
ip address range startip endip
Optional
Delete all IP address ranges supported

by the interface.
no ip address range
Optional
Delete the specified IP address ranges

supported by the interface.
no ip address range startip endip
Optional
Configure the IP address range for sub

VLANs of the superVLAN.
ip address range startip endip vlan

<vlanid>
Optional
Delete the IP address ranges of the sub

VLANs of the superVLAN.
no ip address range startip endip

vlan <vlanid>
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 7 of 12
1.2.8 Configuring the ARP Proxy

ARP request packets are broadcast packets and cannot pass through VLANs. If the ARP proxy
function is enabled, ARP interaction is supported between hosts in sub VLANs of the same
superVLAN. When the ARP proxy is disabled, the hosts of the sub VLANs in the superVLAN
interface cannot communicate with each other.
By default, the ARP request packets from all sub VLANs are processed in the preceding manner. In
addition, relevant commands can be used to prevent the ARP request packets from a sub VLAN
from being broadcast to other sub VLANs when they are processed by the ARP proxy.
Table 1-8 Configuring the ARP proxy
Operation
Command
Remarks
Enter the VLAN configuration mode.
vlan <vlanid>
N/A
Enable the arp-proxy function for the VLAN.
arp-proxy
Optional
Disable the arp-proxy function for the VLAN.
no arp-proxy
Optional
Enable the arp-proxy broadcast function for the

VLAN.
arp-proxy broadcast
Optional
Disable the arp-proxy broadcast function for the

VLAN.
no arp-proxy broadcast
Optional
show arp-proxy
This command
can be run in all
modes.
show arp-proxy broadcast
This command
can be run in all
modes.
Display the information about the ARP proxy

configured in the system.
Display information about the ARP proxy
broadcast function configured in the system.
1.2.9 Displaying VLAN and SuperVLAN Interface Information

GPON integrates VLAN interface information and superVLAN interface information. They can be
viewed by running a unified display command.
Table 1-9 Displaying VLAN and superVLAN interface information
Operation
Display information about
the VLAN and superVLAN
interfaces currently
configured in the system.
Command
show ip interface [[vlan-interface <vlanid> ] |
[supervlan-interface <supervlanid> ]]
PDF pdfFactory Pro
www.fineprint.cn
Remarks
This command
can be run in all
modes.
Page 8 of 12
1.2.10 Configuring URPF

URPF aims to prevent network attack behaviors based on source address spoofing. URPF obtains
the source address and ingress interface of a packet and uses the source address as the
destination address to query the routing table for the matching route. The packet is forwarded if
it meets conditions and discarded if it does not meet conditions. Two URPF modes are supported:
l Strict mode: In this mode, the source address must exist in the routing table and the egress
interface of the source address of the packet is the same as the ingress interface of the
packet.
l Loose mode: In this mode, the system only checks whether the source address of the packet
exists in the unicast routing table. If yes, the packet is forwarded.
Table 1-10 Configuring URPF
Operation
Command
configure terminal
Remarks
N/A
Enter the VLAN or superVLAN

<vid>
N/A
Enable URPF for this interface and

specify the URPF mode.
urpf {loose | strict}
Optional
Disable URPF for this interface.
no urpf
Optional
Display URPF information in the

system.
show urpf
This command can

be run in all modes.
1.2.11 Disabling the Function of Sending ICMP Packets with an
Unreachable Destination Host on Interfaces

To avoid attacks from address scanning software similar to ip-scan, users can disable the function
of sending ICMP packets with an unreachable host on interfaces.
Table 1-11 Disabling the function of sending ICMP packets with an unreachable destination host
on interfaces
Operation
Command
configure terminal
Enter the VLAN or superVLAN interface

configuration mode.
N/A

<vid>
PDF pdfFactory Pro
Remarks
www.fineprint.cn
N/A
Page 9 of 12
Enable the function of this interface for
sending ICMP packets with an
unreachable destination
ip icmp unreachable
Optional
Disable the function of this interface for

sending ICMP packets with an
no ip icmp unreachable
Optional
show ip icmp unreachable
This command
can be run in all
modes.
Display the configuration of the function

of sending ICMP packets with an
1.3
1)
2)
To globally disable the stream forwarding mode, run the following commands::
Switch (config)#no ip def cpu
Switch(config)#sho ip def cpu
Routing def routes and def hosts to CPU:FALSE
If you need to:
Create a VLAN interface (VLAN interface 2) and a superVLAN interface (superVLAN interface
2).
Configure IP address 10.11.0.1/16 for VLAN interface 2 and IP address 10.12.0.1/16 for
superVLAN interface 2. SuperVLAN interface 2 contains sub VLANs 3 and 4.
Set the allowed IP address range to 10.11.0.2 - 10.11.0.200 for VLAN interface 2 and
10.12.0.2 - 10.12.0.200 for superVLAN interface 2.
Enable the ARP proxy function for VLAN interface 2 and superVLAN interface 2 and disable
the function of forwarding the ARP proxy packets on superVLAN interface 2 to other VLANs.
Set strict URPF for VLAN interface 2 and loose URPF for superVLAN interface 2.
Disable the function of sending ICMP packets with an unreachable destination host on
superVLAN interface 2.
Run the following commands:
Switch(config)#interface vlan-interface 2
Create vlan-interface successfully!
Switch(config-if-vlanInterface-2)#exit
Switch(config)#interface supervlan-interface 2
Create success!
Switch(config-if-superVLANInterface-2)#exit
Switch(config-if-vlanInterface-2)#ip address 10.11.0.1 255.255.0.0
This ipaddress will be the primary ipaddress of this interface.
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 12
Config ipaddress successfully!
Switch(config-if-superVLANInterface-2)#ip address 10.12.0.1 255.255.0.0
This ipaddress will be the primary ipaddress of this interface.
Switch(config)#vlan 3-4
Switch(config-if-superVLANInterface-2)#subvlan 3-4
Switch(config-if-vlanInterface-2)#ip address range 10.11.0.2 10.11.0.200
Switch(config-if-superVLANInterface-2)#ip address range 10.12.0.2 10.12.0.200
Switch(config-if-vlan)#arp-proxy
Config arp-proxy enable successfully.
Switch(config-if-vlan)#vlan 3-4
Switch(config-if-vlan)#no arp-proxy broadcast
Config arp-proxy broadcast disable successfully.
Switch(config-if-vlanInterface-2)#urpf strict
Configure URPF strict mode successfully.
Switch(config-if-superVLANInterface-2)#urpf loose
Configure URPF loose mode successfully.
Switch(config-if-superVLANInterface-2)#no ip icmp unreachable
Disable sending ICMP-unreachable on this interface successfully.
Switch(config)#sho ip interface
Show informations of interface
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 12
The mac-address of interface is 00:00:00:02:02:02
Interface name
: VLAN-IF2
Primary ipaddress : 10.11.0.1/255.255.0.0
Secondary ipaddress : None
VLAN
:2
Address-range
: 10.11.0.2-10.11.0.200,
Interface status
: Down
Interface name
: superVLAN-IF2
Primary ipaddress : 10.12.0.1/255.255.0.0
Secondary ipaddress : None
VLAN
: 3-4
Address-range
: 10.12.0.2-10.12.0.200,
Interface status
: Down
Total entries: 3 interface.
Switch(config)#sho arp-proxy
The arp-proxy in below vlan-list is open:
VLAN 2
Switch(config)#sho arp-proxy broadcast
The arp-proxy broadcast in below vlan-list is disabled:
VLAN 3 : VLAN 4
Switch(config)#show urpf
Interface
URPF Status
VLAN-IF2
Strict Mode
superVLAN-IF2
Loose Mode
Switch(config)#sho ip icmp unreachable
Interface: VLAN-IF2
Send ICMP-Unreachable: enable
Interface: superVLAN-IF2
Send ICMP-Unreachable: disable
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 12
Syslog Function Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 13
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 13
Contents
Contents ...................................................................... 3
Chapter 1 Syslog Function Configuration............................................ 4
1.1 Syslog Introduction ...................................................... 4
1.1 Syslog Function Configuration.............................................. 4
1.1.1 Syslog Function Configuration List ..................................... 4
1.1.2 Enabling/Disabling the Syslog Function for the Equipment.................. 5
1.1.3 Configuring the Function of Displaying the Sequence Number in Syslog Outputs 5
1.1.4 Configuring the Time Stamp Type in Syslog Outputs ....................... 6
1.1.5 Configuring the Function of Outputting Syslog Information to Terminals ...... 6
1.1.6 Configuring the Function of Outputting Syslog Information to the History Buffer 7
1.1.7 Configuring the Function of Outputting Syslog Information to the Flash Storage 8
1.1.8 Configuring the Function of Outputting Syslog Information to the Log Host .... 9
1.1.9 Configuring the Function of Outputting Syslog Information to the SNMP Agent 10
1.1.10 Configuring the Module Debugging Function .......................... 11
1.2 Configuration Instance .................................................. 11
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 13
Chapter 1 Syslog Function

Configuration
1.1 Syslog Introduction
As the information center of the system, the Syslog processes and outputs information in a
unified manner.
Other modules in the system send information to be outputted to the Syslog. The Syslog
determines the output format based on user configurations and outputs information to the
specified display device based on information output functions and filtering rules in user
configurations.
Syslog information producers (modules outputting information) only need to output information
to the Syslog, without concerning whether information needs to be outputted to the console,
telnet terminal, or log host (Syslog server). Information consumers (the console, telnet terminal,
history buffer, log host, and SNMP agent) can select the desired information and discard the
unwanted information based on their demands, on condition that proper filtering rules are
configured.
1.1
1.1.1 Syslog Function Configuration List

Table 1-1 Syslog function configuration list
Configuration Task
Description
Detailed
Configuration
Enabling/Disabling the Syslog function for the equipment
Mandatory
1.2.2
Configuring the function of displaying the sequence

number in Syslog outputs
Mandatory
1.2.3
Configuring the time stamp type in Syslog outputs
Mandatory
1.2.4
Configuring the function of outputting Syslog information

to terminals
Mandatory
1.2.5

to the history buffer
Mandatory
1.2.6

to the flash storage
Mandatory
1.2.7

to the log host
Mandatory
1.2.8
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 13

to the SNMP agent
Mandatory
1.2.9
Configuring the module debugging function
Mandatory
1.2.10
1.1.2 Enabling/Disabling the Syslog Function for the Equipment

In global configuration mode, enable or disable the Syslog function. When the Syslog function is
disabled, no information is outputted. By default, the logging function is enabled on the
equipment.
Table 1-2 Enabling/Disabling the Syslog function for the equipment
Operation
Command
Remarks
configure terminal
N/A
Enable the log output function of the system.
logging
Optional
Disable the log output function of the system.
no logging
Optional
Display log configurations of the system.
show logging
This command can

be run in all modes.
1.1.3 Configuring the Function of Displaying the Sequence Number in
Syslog Outputs
In global configuration mode, set to or not to display the global sequence number in Syslog
outputs.
Table 1-3 Configuring the function of displaying the sequence number in Syslog outputs
Operation
Enter the global
configuration mode.
Command
Remarks
configure terminal
N/A
Enable the function of

displaying log sequence
numbers.
logging
sequence-numbers
OptionalWhen the function of displaying

log sequence numbers is enabled, the
output logs are sorted by sequence
number.
Disable the function of

displaying log sequence
numbers.
no logging
sequence-numbers
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 13
1.1.4 Configuring the Time Stamp Type in Syslog Outputs

In global configuration mode, configure the time stamp type in Syslog outputs. The time stamp
type can be set to notime, uptime, or datetime.
The default value is uptime.
Table 1-4 Configuring the time stamp type in Syslog outputs
Operation
Command
Remarks
configure terminal
N/A
Enable the function of displaying the

time stamp of logs and configure the
time display format.
logging timestamps { notime |

uptime | datetime }
Optional
Restore the default setting of

displaying the time stamp of logs.
no logging timestamps
Optional
1.1.5 Configuring the Function of Outputting Syslog Information to
Terminals
In global configuration mode, configure the information output function, information display
function, and filtering rules for outputting Syslog information to terminals. By default, Syslog
information is outputted only to the buffer and not outputted to the console or terminal.
Table 1-5 Configuring the function of outputting Syslog information to terminals
Operation
Command
Remarks
configure terminal
Enable the log output function and output

logs to the specified terminal. When
monitor-num is set to 0, logs are outputted
to the console. When monitor-num is set to
15, logs are outputted to telnet terminals.
logging monitor { all |

monitor-num }
Optional
Disable the function of outputting logs to a

or all terminals. When monitor-num is set to
0, logs are outputted to the console. When
monitor-num is set to 15, logs are
outputted to telnet terminals.
no logging monitor { all

| monitor-num }
Optional
Return to the privileged mode.
exit
Enable the function of displaying system
terminal monitor
Optional (enabled by
default)The setting
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 13

Operation
Command
information.
Remarks
affects only the
current login of the
current terminal and is
invalid for other
terminals or the next
login of the current
terminal.
Disable the function of displaying system

information to prevent outputting any logs
to the current terminal.
no terminal monitor
OptionalThe setting
affects only the
current login of the
current terminal and is
invalid for other
terminals or the next
login of the current
terminal.
Configure the filtering rules of logs to be

outputted to terminals. Specify the level and
module whose logs are outputted to the
specified terminal.
logging monitor { all |

monitor-no } { level |
none | level-list { level
[ to level ] } &<1-8> }
[ module { xxx | } * ]
Optional
Delete the filtering rules of logs to be

outputted to the terminals in the system and
restore the default configuration.
no logging monitor { all

| monitor-no } filter
Optional
Note: In module { xxx | }, xxx indicates the module name and indicates that other module
names are omitted.
1.1.6 Configuring the Function of Outputting Syslog Information to the
History Buffer
In global configuration mode, configure the information output function and filtering rules for
outputting Syslog information to the history buffer. By default, the function is enabled.
Table 1-6 Configuring the function of outputting Syslog information to the history buffer
Operation
Enable the function of outputting logs
to the buffer.
Command
configure terminal
N/A
logging buffered
Optional
(enabled by
default)
PDF pdfFactory Pro
Remarks
www.fineprint.cn
Page 7 of 13

Disable the function of outputting logs
to the buffer.
no logging buffered
Optional
Configure the filtering rules of logs to

be outputted to the buffer. Specify the
level and module whose logs are
outputted to the buffer.
logging buffered { level | none |

level-list { level [ to level ] } &<1-8> }
Optional
Delete the filtering rules of logs to be

outputted to the buffer in the system
and restore the default configuration.
no logging buffered filter
Optional
names are omitted.
Flash Storage
outputting Syslog information to the flash storage. By default, Syslog information is not saved to
the flash storage. In addition, the interval of saving Syslog information to the flash storage cannot
be configured and the system saves Syslog information once every 30 minutes by default.
Table 1-7 Configuring the function of outputting Syslog information to the flash storage
Operation
Command
Remarks
Enter the global configuration

mode.
configure terminal
N/A
Enable the function of outputting

logs to the flash storage.
logging flash
Optional
Disable the function of outputting

logs to the flash storage.
no logging flash
Optional
(disabled by
default)
Configure the filtering rules of logs

to be outputted to the flash
storage. Specify the level and
module whose logs are outputted
to the flash storage.
logging flash { level | none | level-list

{ level [ to level ] } &<1-8> } [ module
{ xxx | } * ]
Optional
Delete the filtering rules of logs to

be outputted to the flash storage
in the system and restore the
default configuration.
no logging flash filter
Optional
Page 8 of 13
PDF pdfFactory Pro
www.fineprint.cn

names are omitted.
Log Host
In global configuration mode, configure the server address, information output function, filtering
rules, logging tool, and fixed source address for outputting Syslog information to the log host.
Table 1-8 Configuring the function of outputting Syslog information to the log host
Operation
mode.
Command
Remarks
configure terminal
N/A
Configure the IP address of

the log host.
logging ip-address
OptionalA maximum
of 15 server IP
addresses can be
configured.
Delete the IP address

configured for the log host.
no logging ip-address
Optional
Enable the function of

outputting logs to the
specified host.
logging host { all | ip-address }
Optional

outputting logs to the
specified host.
no logging host { all | ip-address }
Optional
Configure the filtering rules of

logs to be outputted to the
host. Specify the level and
module whose logs are
outputted to the host.
logging host { all | ip-address } { level |

none | level-list { level [ to level ] }
&<1-8> } [ module { xxx | } * ]
Optional
Delete the filtering rules of

logs to be outputted to the
host in the system and restore
the default configuration.
no logging host { all | ip-address } filter
Optional
Configure the logging tool of

the system.
logging facility { xxx | }
Optional
Delete the configured logging

tool name and restore the
original setting (localuse7).
no logging facility
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 13

Operation
Configure the fixed source
address of log output.
ip-address must be set to an
interface address of the
equipment.
Command
logging source ip-address
Remarks
Optional
Optional

outputting logs from the fixed
source address.
After the function is

disabled, logs will be
externally sent
through the existing
IP interface
addresses in the
system.
no logging source
names are omitted.
In facility { xxx | }, xxx indicates the name of the logging tool and indicates that other tool
names are omitted.
SNMP Agent
outputting Syslog information to the SNMP agent.
To send Syslog information to the SNMP workstation as Trap packets, you must configure the Trap
host address. For details, see SNMP configuration.
By default, the function is disabled.
Table 1-9 Configuring the function of outputting Syslog information to the SNMP agent
Operation
Command
Remarks

mode.
configure terminal
N/A

logs to the SNMP agent.
logging snmp-agent
Optional

logs to the SNMP agent.
no logging snmp-agent
Optional
Configure the filtering rules of logs

to be outputted to the SNMP
agent. Specify the level and
logging snmp-agent { level | none |

level-list { level [ to level ] } &<1-8> }
Optional
PDF pdfFactory Pro
www.fineprint.cn
Page 10 of 13

module whose logs are outputted
to the SNMP agent.
Delete the filtering rules of logs to
be outputted to the SNMP agent in
the system and restore the default
configuration.
no logging snmp-agent filter
Optional
names are omitted.
1.1.10 Configuring the Module Debugging Function

In global configuration mode, enable/disable the module debugging function. By default, the
module debugging function is disabled.
Table 1-10 Configuring the module debugging function
Operation
Command
Remarks

mode.
configure terminal
N/A

the debugging information about
the specified module to logs.
debug { all | { xxx | } * }
Optional

the debugging information about
the specified module.
no debug { all | { xxx | } * }
Optional
show debug
This command
can be run in all
modes.
Display the current configuration

of the function of outputting
debugging information.
Note: xxx indicates the module name and indicates that other module names are omitted.
1.2
If you need to:

Globally enable the function of outputting Syslog information to the console and terminal and
display the logs of stp and device modules with the level ranging from 0 to 4.
Enable the function of displaying the log sequence number and the function of displaying logs by
datetime.
Enable the function of synchronously outputting logs to the flash storage and set to display
information about all modules whose level is 3 and 4 in the history buffer.
Enable the function of outputting logs to the host (192.168.1.3) and set the logging tool to ftp
and the source address to 192.168.1.11.
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 13

Enable the function of outputting logs to the SNMP agent and the function of outputting the
debugging information about the stp and dot1x modules.
Run the following commands:
Switch(config)#logging
Switch(config)#logging monitor 0
Switch(config)#logging monitor 0 level-list 0 to 4 module stp device
Switch(config)#logging sequence-numbers
Switch(config)#logging timestamps datetime
Switch(config)#logging flash
Switch(config)#logging buffered level-list 3 4
Switch(config)#logging 192.168.1.3
Set ip address of syslog server successfully.
Switch(config)#logging host 192.168.1.3
Switch(config)#logging facility ftp
Switch(config)#logging source 192.168.1.11
The ip address does not belong to this device.
Switch(config-if-vlan)#interface vlan-interface 2
Switch(config-if-vlanInterface-2)#ip address 192.168.1.11 255.255.255.0
Switch(config)#logging source 192.168.1.11
Switch(config)#logging snmp-agent
Switch(config)#debug stp dot1x
Switch(config)#show logging
state: on;
logging sequence-numbers: on;
logging timestamps: datetime;
logging language: english
logging monitor:
Console: state: on; display: off; 96 logged; 0 lost; 0 overflow.
logging buffered: state: on; 249 logged;
0 lost;
0 overflow.
logging flash: state: on; 37 logged;
0 lost;
0 overflow.
logging loghost:
logging facility: ftp;logging source: 192.168.1.11
1.1.1.1:
state: on; 23 logged;
0 lost;
0 overflow.
192.168.1.3: state: on; 12 logged;
0 lost;
0 overflow.
logging SNMP Agent: state: on; 0 logged;
0 lost;
0 overflow.
Switch(config)#
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 13
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 13
Monitor Link Function Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 6
comments to:

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 6
Contents
Contents ...................................................................... 3
Chapter 1 Monitor Link Function Configuration ...................................... 4
1.1 Introduction to the Monitor Link Function .................................... 4
1.2 Monitor Link Function Configuration ........................................ 4
1.2.1 Monitor Link Function Configuration List ............................... 4
1.2.2 Enabling or Disabling the Monitor Link Function of the Port (or the Aggregation
Group) ............................................................... 4
1.2.3 Displaying Information About the Monitor Link Group ..................... 5
1.3 Configuration Instance ................................................... 6
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 6
Chapter 1 Monitor Link Function

Configuration
1.1
Introduction to the Monitor Link Function
The Monitor Link function enables the switch to perceive the status change (up/down) of the
ports on the indirectly-connected link so as to link a group of ports. The Monitor Link function is
used to cooperate with the networking applications of the layer 2 topology protocol to monitor
the uplink of the device and trigger the status change (up/down) of the downlink based on the
status change (up/down) of the uplink, thereby triggering the switching to the backup link
controlled by the topology protocol on the downstream device.
Monitor Link group:
The Monitor Link group consists of the uplink and downlink and the members and roles are
configured by users. The uplink and downlink can have multiple member ports but each member
port must belong to only one Monitor Link group. Member ports can be Ethernet ports or
aggregation ports.
Uplink:
The uplink is the monitored link in the Monitor Link group. The Monitor Link group is down when
it does not contain uplink members or all uplink member ports are down. The Monitor Link group
is up as long as any of the uplink members is up.
Downlink:
The downlink is the linked link in the Monitor Link group. When the status (up/down) of the
Monitor Link group changes, the Monitor Link function changes the status of the downlink
member port accordingly based on the status of the Monitor Link group.
1.2
1.2.1 Monitor Link Function Configuration List

Table 1-1 Monitor Link function configuration list
Configuration Task
Description
Detailed
Configuration
Enabling or disabling the Monitor Link function of the

port (or the aggregation group)
Mandatory
1.2.2
Displaying information about the Monitor Link group
Mandatory
1.2.3
1.2.2 Enabling or Disabling the Monitor Link Function of the Port (or
the Aggregation Group)

PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 6

Enable or disable the Monitor Link function for the port in port configuration mode and for the
aggregation group in global configuration mode. The Monitor Link function is disabled by default.
Table 1-2 Enabling or disabling the Monitor Link function of the port (or the aggregation group)
Operation
Command
Remarks

mode.
configure terminal
N/A
interface ethernet
interface-num
N/A
Optional(group-ID: ID of
the Monitor Link group
Add the current port to the

Monitor Link group with the group
number being group-ID and then
specify the port type (uplink or
downlink).
switchport monitor-link-group
group-ID {uplink |downlink}
uplink: The uplink is

configured.
downlink: The downlink
is configured.)
Delete the current port from the

number being group-ID.
no switchport
monitor-link-group group-ID
Optional(group-ID:
Monitor Link group)
Return to the global configuration

mode.
exit
N/A
Add the aggregation group

channel-group-number to the
number being group-ID and then
specify the type (uplink or
downlink).
channel-group
{uplink |downlink}
Delete the aggregation group

channel-group-number from the
number being group-ID.
no channel-group
Optional(channel-group
-number: number of the
aggregation group
(group-ID: Monitor Link
group)
Optional(channel-group
-number: number of the
aggregation group
(group-ID: Monitor Link
group)
1.2.3 Displaying Information About the Monitor Link Group

All Monitor Link groups created in the system and their uplink/downlink configurations and
connection status can be displayed in any mode.
Table 1-3 Displaying information about the Monitor Link group
Operation
Command
PDF pdfFactory Pro
www.fineprint.cn
Remarks
Page 5 of 6

Display information about the
configured Monitor Link group in
the system.
1.3
show monitor-link-group
This command can be

run in all modes.
To configure port 0/2/1 as the uplink port and aggregation group 1 as the downlink port in the
Monitor Link group with aggregation group 1 containing ports 4 to 8, run the following
commands:
Switch(config)#
Switch(config)#channel-group 1
Switch(config-if-range)#channel-group 1 mode on
Switch(config)#channel-group 1 monitor-link-group 1 downlink
Switch(config-if-ethernet-0/2/1)#switchport monitor-link-group 1 uplink
Switch(config)#show monitor-link-group
Monitor-link Group
-------------------------------------------------Group 1:
UplinkID
UplinkStatus
e0/2/1
DOWN
DownlinkID
DownlinkStatus
ch-1
DOWN
Switch(config)#
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 6
OLT Slot Management
OLT Slot Management

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 6
OLT Slot Management

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 6
OLT Slot Management
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
document
appearance)
Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestion
Make more concise
s to
Improve Contents
improve
the
document
Improve arrangement
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 6
OLT Slot Management
Contents
Contents ............................................................................................................................... 4
Chapter 1 OLT Slot Management ........................................................................................ 5
1.1 OLT slot introduction ............................................................................................... 5
1.2 Configure OLT slot Management............................................................................ 5
1.2.1 OLT slot configuration tasks......................................................................... 5
1.2.2 Configure slot linecard type .......................................................................... 5
1.2.3 Show slot linecard type ................................................................................ 6
1.2.4 Show ONT under OLT.................................................................................. 6
1.2.5 Configuration Examples ............................................................................... 6
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 6
OLT Slot Management
Chapter 1 OLT Slot Management

1.1 OLT slot introduction
GL5600-08P is a flexible configured box-style device, which provides eight GPON ports,
sixteen GE ports (eight Gigabit optical ports + eight Gigabit electrical ports which are
MDI/MDIX adaptive) and one 10-Gigabit sub-board (with two 10G optical ports), supports
a variety of power supply modes: 220V AC, 48V DC, 220V AC + 48V DC, 48V DC + 48V
DC, and 220V AC + 220V AC
1.2 Configure OLT slot Management

1.2.1 OLT slot configuration
tasks
Table 1-1 OLT slot configuration task

Configuration Task
Description
Details
Mandatory
1.2.2
Show OLT slot
Optional
1.2.3
Show ONT under OLT
Optional
1.2.4
OLT
slot
basic
Configure slot linecard type
configuration
1.2.2 Configure slot linecard type

Table 1-2 Configure slot linecard type
Operation
Enter
the
Command
global
configure terminal
Remarks
-
configuration mode.
Optional:
Configure slot linecard type
set slot slot-id type { ge-24 | gpon-16 | 10ge }
gpon-16 by
default
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 6
OLT Slot Management
1.2.3 Show slot linecard type

Table 1-3 Show slot linecard type
Operation
Command
Remarks
Optional:
Show slot line card type
show slot type
In global configuration
mode
Note: only when specified slot type is the same as the real linecard type, the slot
can work.
1.2.4 Show ONT under OLT

Table 1-4 Show ONT under OLT
Operation
Enters the global configuration
Command
Remarks
configure terminal
Show ONT under OLT
show ont brief
Optional
Enter PON port mode
Interface pon interface-num
Show ONT under PON port
show ont brief
Optional
mode.
1.2.5 Configuration
Examples
Insert a GPON linecard in Slot 5

1. Step
Configure linecard type in slot 5.
GPON(config)#set slot 5 type gpon-16
2. Show slot type
GPON(config)#show slot type
slot
config type
current type status
SC-0
SC
SC
ONLINE
SC-1
NULL
NULL
DOWN
LINE-2 GPON-08(8 GPON, 8 GE) NULL
DOWN
PDF pdfFactory Pro
www.fineprint.cn
Page 6 of 6
PON Configuration
PON Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 9
PON Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 9
PON Configuration
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
document
appearance)
Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestion
Make more concise
s to
Improve Contents
improve
the
document
Improve arrangement
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 9
PON Configuration
Contents
Chapter 1 PON Configuration ...................................................................................................... 5
1 PON Introduction ................................................................................................................ 5
2 Configure PON ............................................................................................................... 5
2.1
PON Configuration Task ................................................................................... 5
2.2 ONT Registration Authentication Configuration .................................................. 5
2.4
Uplink bandwidth DBA Configuration .............................................................. 7
2.5
Related Configuration ........................................................................................ 8
2.6
Example for uplink DBA template configuration ............................................ 9
2.7
Example PON MAC table.................................................................................. 9
2.8
Example for configuring packet head of downlink traffic .............................. 9
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 9
PON Configuration
Chapter 1 PON Configuration

1 PON Introduction
This chapter contains: ONT registration authentication configuration, uplink bandwidth
DBA configuration, PON port MAC table configuration and data channel configuration in
uplink and downlink.
2 Configure PON
2.1 PON Configuration Task
Table 1-1 PON Configuration Task
ONT registration
authentication
MAC table on PON port
Uplink bandwidth DBA
Related configuration
ONT registration authentication configuration
Mandatory
1.2.2
MAC table configuration
Optional
1.2.3
Show MAC table
Optional
1.2.3
Mandatory
1.2.4
Show uplink DBA template
Optional
1.2.4
Show packet statistcs on PON port
Optional
1.2.5
Configure uplink/downlink packet COS
Optional
Uplink DBA template configuration
REMAP
Modify traffic head of uplink/downlink packet
Optional
1.2.5
1.2.5
2.2 ONT Registration Authentication Configuration

Authentication configuration is for permitting ONT registration. Currently, there are 2 kinds
of authentication: SN-based and SN+Password. SN-based can be auto-authentication
and preserved configuration. When SN-based authentication enabled, ONT SN entry will
determine the permission of ONT registration; when enabling SN+Password, SN and
Password entry will determine the permission of ONT registration.
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 9
PON Configuration
Table 1-2 ONT Registration Authentication Configuration
Configuration
Enable auto-find
ont-auto-find [ interval-time interval-time ]
Disable auto-find
no ont-auto-find
Enable auto-authentication
ont-auto-auth
Disable auto-authentication
no ont-auto-auth
Enters the global

configuration mode.
Enter PON port configuration
mode
Enable auto-find on PON
port
Disable auto-find on PON
port
Enable auto-authentication
on PON port
Disable auto-authentication
on PON port
Optional
Mandatory
Optional
interface pon interface-num
ont-auto-find [ interval-time interval-time ]
no ont-auto-find
ont-auto-auth
no ont-auto-auth
ont-authenticate mode { sn | sn-password }
Configure not allow specific
ont-state disable vendor_id
SN online
specific_vendor_id
online
Mandatory
configure terminal
ONT authentication mode
Configure allow specific SN
Task
ont-state enable vendor_id specific_vendor_id
Mandatory
Optional
Mandatory
Optional
Not support now

sn-password
Optional
Optional
2.3 Configure GPON MAC table

Each PON port has a 4k MAC table.
Table 1-3 Configure GPON MAC table
Configuration Task
Enter the global
configuration mode
Enter PON port
configuration mode
Configure MAC aging time
and learning mode under
PON port
configure terminal
Optional
Optional
mac-address-table gpon age-time
By default,
age_time
age-time300s
{ learning-mode-normal |
learning-mode-move
learning-mode-move }
PDF pdfFactory Pro
Description
www.fineprint.cn
Page 6 of 9
PON Configuration
vlan-tag MAC
address which is not
mac-address-table gpon dlf { drop |
Configure action for searching
found in MAC table,
assign-def-gempid <gempid> |
MAC table failed
will be forwarding
according to vid
vlan-tag }
corresponded
gempid
mac-address-table gpon add
Optional
{ dynamic | static } mac vlan vid

Configure MAC entry
gempid gempid
under PON port
mac-address-table gpon del mac vid
Optional
vid [ index index ]

Show MAC table under PON port
show mac-address-table gpon info
Optional
Show MAC entry under PON port
show mac-address-table gpon
Optional
Enters the global configuration
configure terminal
mode.
Show MAC table under PON port
show mac-address-table gpon
Optional

Show MAC entry under PON port
show mac-address-table gpon info
Optional
[interface pon interface-num ]
2.4 Uplink bandwidth DBA Configuration

Configure uplink bandwidth DBA template in global configuration mode.
Table 1-4 Uplink bandwidth DBA configuration
Operation
Enter into global
configuration mode
Command
Remark
configure terminal
dba-profile profile-name type { 1 fixed
fixed-bandwidth | 2 assured assured-bandwidth
|3
Create /modify DBA

template
assured assured-bandwidth max max-bandwidth
kbits/s
|4
max max-bandwidth | 5 fixed fixed-bandwidth
assured assured-bandwidth max
max-bandwidth }
Delete DBA template
no dba-profile { profile_name | all }
Show DBA template
show gpon dba-profile
PDF pdfFactory Pro
www.fineprint.cn
Optional
Optical
Page 7 of 9
PON Configuration
2.5 Related Configuration

Some related configuration about PON, such as packet statistics on PON port,
downlink
Table 1-5 Related configuration
Operation
Enter into global
configuration mode
Command
configure terminal
Enter PON port

configuration mode
Show packet statistics

under PON port
show statistic gpon
us cos-remap priority pbits
priorityport priority
bpitstraffic cos
value
Optional
Configure COS REMAP

of
downlink traffic
Optional
Optional
Configure COS REMAP

of
uplink traffic
Remark
ds cos-remap pbits priority
priorityport priority
bpitstraffic cos
value
Show COS REMAP of

uplink traffic
show us cos-remap
Optional
Show COS REMAP of

downlink traffic
show ds cos-remap
Optional
us action flow_id { transparent |

add-outer-vlan |
Modify packet head of
uplink traffic
add-outer-vlan-wit-cfi-0 |
add-inner-vlan |
retag-outer-vlan |
Optional
By default
transparent
remark-outer-vlan }
Configure the
modification
mode of downlink traffic
ds modify mode { vid | gempid }
ds action vid_gempid outer

Modify packet head of
downlink traffic
{ transparent | remove
| modify } [ inner {transparent |
remove | modify} ]
Configure gempid
ds gempid-remap init_gempid
PDF pdfFactory Pro
www.fineprint.cn
Optional
Optional
By default
transparent
Optional
Page 8 of 9
PON Configuration
mapping
on downlink traffic
final_gempid
Show uplink action
show us action
Optional
Show downlink action
show ds action
Optional
2.6 Example for uplink DBA template configuration

1Configuration Steps
Bandwidth granularity is 64Kbps.
GPON(config)#dba-profile bandwidth1 type 3 assured 1000 max 2000
Show configured DBA template
GPON(config)#show gpon dba-profile
==================================================
name type fix assured max
bandwidth1 3 128 1024 2048
===================================================
2.7 Example PON MAC table

1Requirement for configuring PON MAC table
Configure MAC table aging time to be 600s. And configure MAC address learning
action to be move.
GPON(config)#interface pon 5/1
GPON(config-if-pon-5/1)#mac-address-table gpon age-time 600 learning-mode-move
2.8 Example for configuring packet head of downlink traffic

1Requirement
Downlink traffic whose gemportid=300, modify outer tag =gemportid
GPON(config)#interface pon 5/1
GPON(config-if-pon-5/1)#ds action 300 outer modify
Show modification action
GPON(config-if-pon-5/1)#show ds action
vid/gempid outer vlan command inner vlan command
300 modify transparent
Total entries: 1.
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 9
OLT Slot Management
ONT Management Configuration

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 1 of 13
OLT Slot Management

Tel: (86)
Fax: (86)
URL:
Email:
PDF pdfFactory Pro
www.fineprint.cn
Page 2 of 13
OLT Slot Management
XXXX Feedback Form

services.
Document
Title
Product
Docume
Version
nt
1.0
Revision
Number
Evaluate
Presentation:
this
document
appearance)
Good
Fair Average Poor
Accessibility:
Good
Fair Average Poor
Editorial:
Good
Fair Average Poor
Your
suggestion
Make more concise
s to
Improve Contents
improve
the
document
Improve arrangement
Include images
Add more detail
Improve index

Name
Compan
y
Postcode
Address
Telephone
E-mail
PDF pdfFactory Pro
www.fineprint.cn
Page 3 of 13
OLT Slot Management
Contents
PDF pdfFactory Pro
www.fineprint.cn
Page 4 of 13
OLT Slot Management
Chapter
ONT
Management
Configuration
1.1 ONT Management Introduction
ONT Management is divided into embeded OAM, PLOAM and OMCI. Embeded
OAM(broadband authority, security key interaction and DBA ) and physical OAMPLOAM
PON management function such as test distinction, ONT active, OMCC build and alarm
transition related commands can execute.
ONT OMCI manages service configuration issued, configuring VLAN management of ONT,
controllable multicast service management, ONT upgrade Management.
1.2 ONT Management Configuration

1.2.1 ONT Management Task
Table 1-1 ONT Management Task
Remark
Details
Need
1.2.2
Optical
1.2.3
Configure ONTuplink bandwidth
Need
1.2.4
Configure tcont
Need
1.2.5
Configure gemportid
Need
1.2.6
Configure service-port
Need
1.2.7
Configure mapping gemportid
Need
1.2.8
Configure VLAN
Need
1.2.9
Reboot ONT
Optical
1.2.10
ONT upgrade
Optical
1.2.11
Show ONT
Optical
1.2.12
Show ONTuplink bandwidth
Optical
1.2.13
Configuration Task
Pre-configure ONT
Active/Re-active ONT
Configure ONT
ONT
upgrade
configuration
ONT Configure Show
PDF pdfFactory Pro
www.fineprint.cn
Page 5 of 13
OLT Slot Management
1.2.2 Pre-configure ONT

In ont sn assigns ont id, it makes sure specific ONT can successfully ONT register.
Table 1-2 Pre-configure ONT
Operation
Enter into global
configuration mode
Enter into ONT
configuration
Command
Remark
configure terminal
ont ont-id
ont-preconfig sn vendor_id specific_vendor_id
Pre-configure ONT SN
[ password password ] [ fec {disbale| enbale }
Optical
berinterval-time_omci port_id ]
Delete ONT SN
Pre-configuration
no ont-preconfig
Optical
1.2.3 Active/De-active ONT

Table 1-3 Active/De-active ONT
Operation
Enter into global
configuration mode
Enter into ONT
configuration
Command
Remark
configure terminal
ont ont-id
Active ONT
ont-state active
Optical
De-active ONT
ont-state deactive
Optical
1.2.4 Configure ONTuplink bandwidth

Before configure ONT uplink bandwidth, please firstly configure DBA bandwidth.
Table 1-4 Configure ONT uplink bandwidth
Operation
Enter into global
configuration mode
Enter into ONT
configuration mode
Command
configure terminal
ont ont-id
PDF pdfFactory Pro
Remark
www.fineprint.cn
Page 6 of 13
OLT Slot Management

Bind DBA
ont-tcont tcontid bind traffic profile-name
Unbind DBA
no ont-tcont tcontid
Optical
Show ont binding DBA
show ont-tcont
Optical
Need
1.2.5 Configure tcont

TCONT: Transmission Container. Tcont is used to load the data stream transmission
container. ONT can configure up to 3 TCONT.
Table 1-5 Configure tcont
Operation
Enter into global
configuration mode
Enter into ONT
configuration mode
Command
Remark
configure terminal
ont ont-id
TCONT
tcont tcont-id
TCONT
no tcont tcont-id
Need
Optical
1.2.6 Configure gemportid

Table 1-6 Configure gemportid
Operation
Enter into global
configuration mode
Enter into ONT
configuration mode
Command
Remark
configure terminal
ont ont-id
Enter into ONT TCONT

tcont tcont-id
Need
Configure gemportid
gemportid gemport-id
Need
Delete gemportid
no gemportid gemport-id
configuration mode
PDF pdfFactory Pro
www.fineprint.cn
Optical
Page 7 of 13
OLT Slot Management
1.2.7 Configure service-port

Table 1-7 Configure service-port
Operation
Enter into global
configuration mode
Enter into ONT
configuration mode
Command
Remark
configure terminal
ont ont-id
Choose service-port
service-port serviceport-id
Delete service-port
no service-port serviceport-id
Need
Optical
1.2.8 Configure mapping gemportid

In service-port mode, this is mapping for configuring gemportid and priority, no enter
means 0~7 mapping.
Table 1-8 Configure mapping gemportid
Operation
Enter into global
configuration mode
Enter into ONT
configuration mode
Command
Remark
configure terminal
ont ont-id
Enter into ONT

service-port
configuration mode
Specific pri mapping
gemportid
mapping pri -id gemportid gemport-id
Need
no mapping pri -id gemportid gemport-id
Need
mapping gemportid gemport-id
Need
no mapping gemportid gemport-id
Need
Delete specific pri

mapping gemportid
Configure mapping
gemportid
Delete mapping
gemportid
PDF pdfFactory Pro
www.fineprint.cn
Page 8 of 13
OLT Slot Management
1.2.9 Configure VLAN

VLAN transparent mode is port-based vlan action to achieve transparent transmission of
uplink and downlink data stream function.
vlan trunk port vlan model is based on action to achieve upstream untag packet
forwarding marked default vlanDownstream strips default vlan then forward, discard
packets without vlan tag. Downlink packet data stream tag which is brought vlan is allowed
to pass through the port forwarding, or discarded.
default vlan is not coexist with vlan list configure, but both must be at the service port vlan
list in configuration too. Remove vlan trunk mode is to operation is to restore vlan
transparent mode.
Table 1-9
Configure VLAN
Operation
Enter into global configuration
mode
Enter into ONT configuration
mode
Enter into ONT service-port
configuration mode
Command
Remark
configure terminal
ont ont-id
Configure vlan list
vlan vlanlist
Optical
Delete vlan list
no vlan vlanlist
Optical

mode
mode
Enter into ONT ethport port
configuration mode
configure terminal
ont ont-id

Optical
By
Configure
vlan transparent
mode
vlan mode transparent
default
transprae
nt mode
Configure
vlan trunk mode
Delete vlan trunk mode

Configure vlan trunk mode
default vlan
Delete vlan trunk mode
default vlan
vlan mode trunk
Optical
no vlan mode
Optical
trunk default vlan vlan-id
Optical
no trunk default vlan
Optical
PDF pdfFactory Pro
www.fineprint.cn
Page 9 of 13
OLT Slot Management

Configure vlan trunk mode
vlan list
Delete vlan trunk mode vlan
list
trunk vlan vlan-list
Optical
no trunk vlan [ vlan-list | all ]
Optical
1.2.10 Reboot ONT

Table 1-10 Configure VLAN
Operation
Command

mode
mode
RebootONT
Remark
configure terminal
ont ont-id
ont-reboot
Optical
1.2.11 ONT upgrade

Load the ONT image through TFTP, FTP into the OLT, then give online ONT upgrade.
Table 1-11 ONT upgrade
Operation
Enter into global
configuration mode
Command
Remark
configure terminal
tftpserver-ipv4
Download ONT image
load ont-image tftp tftpserver-ipv4
TFTP IP address
command from TFTP
filename
filenamewill
upload file
tftpserver-ipv4
Download ONT image
load ont-image ftp ftpserver-ipv4
command from FTP
filename username password
TFTP IP address
filenamewill
upload file
Enter into ONT

configuration mode
ONT upgrade
ont ont-id
ont-update
PDF pdfFactory Pro
www.fineprint.cn
Optical
Page 10 of 13
OLT Slot Management
1.2.12 Show ONT

Use below command to receive registration ONT, includes SN,Status,Password, Omci
port,Ber, Us FEC,Deactive reason for ONT.
Table 1-12 Show ONT

Operation
Command

mode
Remark
configure terminal
ont ont-id
mode
Show ONT
show ont-status
Optical
1.2.13 Show ONT uplink bandwidth
Table 1-13 Show ONT uplink bandwidth

Operation
Command

mode
mode
Show ONT uplink bandwidth
1.2.14 ONT vlan trunk
Remark
configure terminal
ont ont-id
show tcont tcontid
Optical
data service application examples
1Network requirement
In chassis OLT slot 5 pon 5/6 registered ONT5/6/1 data services. Configuration
requirementRequires ONT can forward with vlan tag equal to 200, Requires untag
packets came up from the ONT, add a default packet vlan tag equal to 100, downlink with
vlan100 strips vlan, untag forwards and configure to above requirements.
2Configuration steps
PDF pdfFactory Pro
www.fineprint.cn
Page 11 of 13
OLT Slot Management

#ONT 5/6/1 already register
#Add PON5/6 to vlan 100,200
GPON(config)#vlan 100
GPON(config-if-vlan)#switchport pon 5/6
GPON(config-if-vlan)#vlan 200
GPON(config-if-vlan)#switchport pon 5/6
GPON(config-if-vlan)#exit
#Configure dba bandwidth
GPON(config)#dba-profile 1 type 3 assured 1024 max 2048
# Configure tcont 1 ,service port 1 ,gemportid 500, permit vlan 100,200 from
service port1
GPON(config)#ont 5/6/1
GPON(ont-5/6/1)#tcont 1
GPON(ont-5/6/1-tcont-1)#gemportid 500
GPON(ont-5/6/1-tcont-1)#exit
GPON(ont-5/6/1)#service-port 1
GPON(ont-5/6/1-service-port-1)#mapping gemportid 500
GPON(ont-5/6/1-service-port-1)#vlan 100,200
GPON(ont-5/6/1-service-port-1)#exit
GPON(ont-5/6/1)#interface ethernet 0/1
GPON(ont-5/6/1-eth-0/1)#vlan mode trunk
GPON(ont-5/6/1-eth-0/1)#trunk default vlan 100
GPON(ont-5/6/1-eth-0/1)#trunk vlan 200
GPON(ont-5/6/1-eth-0/1)#exit
#Configure ONT bind DBA bandwidth
GPON(ont-5/6/1)#ont-tcont 1 bind traffic 1
#Show ONT configuration
GPON(ont-5/6/1)#show running-config ontmnt
![ONTMNT]
PDF pdfFactory Pro
www.fineprint.cn
Page 12 of 13
OLT Slot Management

ont-tcont 1 bind traffic 1
exit
ont 5/6/1
tcont 1
gemportid 500
exit
service-port 1
mapping gemportid 500
vlan 100,200
exit
interface ethernet 0/1
vlan mode trunk
trunk default vlan 100
trunk vlan 200
exit
ont-tcont 1 bind traffic 1
exit
PDF pdfFactory Pro
www.fineprint.cn
Page 13 of 13

GL5600-08P User Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GL5600-08P User Manual

Uploaded by

Copyright:

Available Formats

Getting Started Operation

Getting Started Operation

Communication Technology Co., Ltd

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

All rights reserved. Printed in the Peoples Republic of China.

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

XXXX Feedback Form

(Introductions, procedures, illustrations, completeness, arrangement, appearance)

Please check suggestions to improve this document:

Make more concise

Add more step-by-step procedures/tutorials

Add more technical information

Make it less technical

Add more detail

If you wish to be contacted, complete the following:

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

Chapter 1 Logging in Ethernet Switch

Set up Configuration Environment through Telnet

Telnet Ethernet Switch through Ethernet Switch

1.1 Set up Configuration Environment via Console Port

Figure 1-2 Set up new connection

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

Figure 1-3 Configure the port for connection

Figure 1-4 Set communication parameters

1.2 Set up Configuration Environment through Telnet

PDF pdfFactory Pro

Getting Started Operation

Workstation PC ( for configuring the switch

Figure 1-1 Set up configuration environment through telnet

Figure 1-2 Run Telnet

1.2.2 Telnet Ethernet Switch through Ethernet Switch

PDF pdfFactory Pro

Getting Started Operation

Figure 1-1 Provide Telnet Client service

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

Getting Started Operation

Chapter 2 Command Line Interface

Feature and functions of CLI

2.1 Introduction of Command Line Interface

2.2 Command Line Configuration Mode

PDF pdfFactory Pro

Getting Started Operation

Enter right after

Key in enable in user

Show the basic

XXXX Confidential & Proprietary Information

PDF pdfFactory Pro

exit and end

Getting Started Operation

Key in aaa in global

Key in radius host

Key in domain test.com