3Com® Stackable Switch Family
Advanced Configuration Examples
Switch 5500
Switch 5500G
Switch 4500
Switch 4200G
Switch 4210
www.3Com.com
Part Number: 10016491 Rev. AA
Published: January 2008
3Com Corporation
350 Campus Drive
Marlborough, MA
USA 01752-3064
Copyright © 2006-2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any
form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without
written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS
ABOUT THIS GUIDE
Conventions
Related Documentation
1 DHCP CONFIGURATION EXAMPLES
Supported DHCP Functions
Configuration Guide
DHCP Server Configuration Example
DHCP Relay Agent/Snooping Configuration Examples
Precautions
Protocols and Standards
2 QACL CONFIGURATION EXAMPLES
Supported QACL Functions
Configuration Guide
Network Environment
Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example
Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus Congestion Avoidance plus Packet Priority Trust
Configuration Example of Traffic Measurement plus Port Redirection
Configuration Example of Local Traffic Mirroring
Precautions
Other Functions Referencing ACL Rules
Configuration Example of WEB Cache Redirection
3 802.1X CONFIGURATION EXAMPLE
Introduction to 802.1X
Features Configuration
802.1X Configuration Commands
Enterprise Network Access Authentication Configuration Example
Network Application Analysis
Network Diagram
Configuration Procedure
4 SSH CONFIGURATION EXAMPLE
Introduction to SSH
Support for SSH Functions
SSH Configuration
SSH Configuration Commands
Configuring an 3Com Switch as an SSH Server
Configuring an 3Com Switch as an SSH Client
SSH Configuration Example
5 ROUTING OVERVIEW
Overview
Configuration Example
Configuration Examples
Comprehensive Configuration Example
Network Requirements
Configuration Procedure
Displaying the Whole Configuration on Devices
Verifying the Configuration
Precautions
6 MULTICAST PROTOCOL CONFIGURATION EXAMPLES
Multicast Protocol Overview
Support of Multicast Features
Configuration Guidance
PIM-DM plus IGMP plus IGMP Snooping Configuration Example
PIM-SM plus IGMP plus IGMP Snooping Configuration Examples
IGMP Snooping-Only Configuration Examples
MSDP Configuration Examples
7 VLAN CONFIGURATION EXAMPLES
VLAN Support Matrix
Configuration Guide
VLAN Configuration Example
Precautions
Protocols and Standards
8 VLAN CONFIGURATION EXAMPLES
Voice VLAN Support Matrix
Voice VLAN Configuration Examples
Protocols and Standards
ABOUT THIS GUIDE
This guide provides advanced configuration examples for the 3Com stackable
switches, which include the following:
■ 3Com Switch 5500
■ 3Com Switch 5500G
■ 3Com Switch 4500
■ 3Com Switch 4200G
■ 3Com Switch 4210
This guide is intended for Qualified Service personnel who are responsible for
configuring, using, and managing the switches. It assumes a working knowledge
of local area network (LAN) operations and familiarity with communication
protocols that are used to interconnect LANs.
Note:
Always download the Release Notes for your product from the 3Com World Wide
Web site and check for the latest updates to software and product
documentation:
http://www.3com.com
Conventions
Table 1 lists icon conventions that are used throughout this guide.
Table 1 Notice Icons
Icon   Notice Type        Description
n      Information note   Information that describes important features or instructions.
c      Caution            Information that alerts you to potential loss of data or potential damage to an application, system, or device.
w      Warning            Information that alerts you to potential personal injury.
Related Documentation
The following manuals offer additional information necessary for managing your
Stackable Switch. Consult the documents that apply to the switch model that you
are using.
■ 3Com Switch Family Command Reference Guides: Provide detailed
descriptions of command line interface (CLI) commands that you require to
manage your Stackable Switch.
■ 3Com Switch Family Configuration Guides: Describe how to configure your
Stackable Switch using the supported protocols and CLI commands.
■ 3Com Switch Family Quick Reference Guides: Provide a summary of
command line interface (CLI) commands that are required for you to manage
your Stackable Switch.
■ 3Com Stackable Switch Family Release Notes: Contain the latest information
about your product. If information in this guide differs from information in the
release notes, use the information in the Release Notes.
These documents are available in Adobe Acrobat Reader Portable Document
Format (PDF) on the 3Com World Wide Web site:
http://www.3com.com/
Products Supported by this Document
Table 2 Supported Products
Product Orderable SKU Description
4210 3CR17331-91 Switch 4210 9-Port
4210 3CR17332-91 Switch 4210 18-Port
4210 3CR17333-91 Switch 4210 26-Port
4210 3CR17334-91 Switch 4210 52-Port
4210 3CR17341-91 Switch 4210 PWR 9-Port
4210 3CR17342-91 Switch 4210 PWR 18-Port
4210 3CR17343-91 Switch 4210 PWR 26-Port
4500 3CR17561-91 Switch 4500 26-Port
4500 3CR17562-91 Switch 4500 50-Port
4500 3CR17571-91 Switch 4500 PWR 26-Port
4500 3CR17572-91 Switch 4500 PWR 50-Port
5500 3CR17161-91 Switch 5500-EI 28-Port
5500 3CR17162-91 Switch 5500-EI 52-Port
5500 3CR17171-91 Switch 5500-EI PWR 28-Port
5500 3CR17172-91 Switch 5500-EI PWR 52-Port
4200G 3CR17660-91 Switch 4200G 12-Port
4200G 3CR17661-91 Switch 4200G 24-Port
4200G 3CR17662-91 Switch 4200G 48-Port
4200G 3CR17671-91 Switch 4200G PWR 24-Port
5500G 3CR17250-91 Switch 5500G-EI 24 Port
5500G 3CR17251-91 Switch 5500G-EI 48-Port
5500G 3CR17252-91 Switch 5500G-EI PWR 24-Port
5500G 3CR17253-91 Switch 5500G-EI PWR 48-Port
1 DHCP CONFIGURATION EXAMPLES
Keywords:
DHCP, Option 82
Abstract:
This document describes DHCP configuration and application on Ethernet
switches in specific networking environments. Based on the different roles played
by the devices in the network, the functions and applications of DHCP server,
DHCP relay agent, DHCP snooping, and DHCP Option 82 are covered.
Acronym:
DHCP (Dynamic Host Configuration Protocol).
Supported DHCP Functions
DHCP Functions Supported by the 3Com Stackable Switches
Depending on the model, the 3Com stackable switches support some or all of
the following DHCP functions.
DHCP server functions:
■ Global address pool/interface address pool
■ IP address lease configuration
■ Allocation of subnet masks, gateway addresses, DNS server addresses, and
WINS server addresses to DHCP clients
■ Static bindings for special addresses
■ DHCP server security functions, including detecting unauthorized DHCP servers
and duplicate IP addresses
DHCP relay agent functions:
■ DHCP relay agent
■ DHCP relay agent security functions, including address checking, DHCP server
handshaking, and periodic updates of client address entries
DHCP snooping functions:
■ DHCP snooping
■ DHCP snooping security functions, including DHCP snooping entry update and
ARP source checking
■ DHCP snooping Option 82
Table 1 DHCP functions supported by the 3Com stackable switches
Model          DHCP server   DHCP relay agent   DHCP snooping
Switch 5500    ●             ●                  ●
Switch 4500    -             ●                  ●
Switch 5500G   ●             ●                  ●
Switch 4200    -             -                  ●
Switch 4200G   -             -                  ●
Switch 4210    -             -                  ●
Note:
Refer to the respective user manuals for detailed descriptions of the DHCP functions
supported by different models.
Configuration Guide
Note:
The configuration varies depending on your switch model. The example in
this section uses the Switch 5500. Refer to the configuration guide for your
switch model for further information. This example provides only basic
configuration steps. Refer to the appropriate Configuration Guide and
Command Reference Guide for each function's operating principles and
applications.
Configuring the DHCP Server
The DHCP server can be configured to assign IP addresses from a global or
interface address pool. These two configuration methods are applicable to the
following environments:
■ If the DHCP server and DHCP clients are on the same network segment, both
methods can be applied.
■ If the DHCP server and DHCP clients are on different network segments, the
DHCP server can only be configured to assign IP addresses from a global
address pool.
1 Use the following commands to configure the DHCP server to assign IP addresses
from a global address pool.

Table 2 Configure IP address allocation from a global address pool

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable the DHCP service
Command: dhcp enable
Description: Optional. By default, the DHCP service is enabled.

Operation: Create a DHCP address pool and enter DHCP address pool view
Command: dhcp server ip-pool pool-name
Description: Required. By default, no global DHCP address pool is created.

Operation: Configure an IP address range for dynamic allocation
Command: network ip-address [ mask-length | mask mask ]
Description: Required. By default, no IP address range is configured for dynamic allocation.

Operation: Configure the lease period of dynamically allocated IP addresses
Command: expired { day day [ hour hour [ minute minute ] ] | unlimited }
Description: Optional. IP address lease period defaults to one day.

Operation: Configure a domain name for DHCP clients
Command: domain-name domain-name
Description: Required. By default, no domain name is configured for DHCP clients.

Operation: Configure DNS server addresses for DHCP clients
Command: dns-list ip-address&<1-8>
Description: Required. By default, no DNS server addresses are configured.

Operation: Configure WINS server addresses for DHCP clients
Command: nbns-list ip-address&<1-8>
Description: Required. By default, no WINS server addresses are configured.

Operation: Specify a NetBIOS node type for DHCP clients
Command: netbios-type { b-node | h-node | m-node | p-node }
Description: Optional. By default, the DHCP clients are h-nodes if the command is not specified.

Operation: Configure gateway addresses for DHCP clients
Command: gateway-list ip-address&<1-8>
Description: Required. By default, no gateway address is configured.

Operation: Configure a self-defined DHCP option
Command: option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> }
Description: Required. By default, no self-defined option is configured.

Operation: Configure a static binding
Description: Optional. By default, no MAC address or client ID is bound to an IP address statically.
Note:
■ To configure a static binding, you need to specify the IP address and the MAC address or client ID.
■ A static address pool can be configured with only one IP address-to-MAC or IP address-to-client ID binding.
  Return to system view:
    quit
  Create an address pool for the static address binding:
    dhcp server ip-pool pool-name
  Specify the IP address of the static binding:
    static-bind ip-address ip-address [ mask-length | mask mask ]
  Specify the MAC address or the client ID of the static binding:
    Specify the MAC address of the static binding:
      static-bind mac-address mac-address
    Specify the client ID of the static binding:
      static-bind client-identifier client-identifier
  Return to system view:
    quit

Operation: Specify the IP addresses to be excluded from automatic allocation
Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Description: Optional. By default, all the IP addresses in a DHCP address pool are available for dynamic allocation.

Operation: Configure the global address pool mode
Description: Optional. By default, an interface operates in the global address pool mode.
  On the current interface:
    interface VLAN-interface VLAN-interface-number
    dhcp select global
    quit
  On multiple interfaces in system view:
    dhcp select global { interface VLAN-interface VLAN-interface-number [ to interface-type interface-number ] | all }

Operation: Enable the detection of unauthorized DHCP servers
Command: dhcp server detect
Description: Required. By default, the detection of unauthorized DHCP servers is disabled.

Operation: Configure duplicate IP address detection
  Set the maximum number of ping packets sent by the DHCP server for each IP address:
    dhcp server ping packets number
    Optional. The default maximum number is 2.
  Set a response timeout for each ping packet:
    dhcp server ping timeout milliseconds
    Optional. The default timeout is 500 milliseconds.

Operation: Enable the DHCP server to support Option 82
Command: dhcp server relay information enable
Description: Optional. By default, the DHCP server supports Option 82.

2 Use the following commands to configure IP address allocation through the
interface address pool.
Table 3 Configure IP address allocation through the interface address pool

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable the DHCP service
Command: dhcp enable
Description: Optional. By default, the DHCP service is enabled.

Operation: Configure multiple or all the VLAN interfaces to operate in interface address pool mode
Command: dhcp select interface { interface vlan-interface vlan-interface-number [ to vlan-interface vlan-interface-number ] | all }
Description: Optional

Operation: Configure a VLAN interface to operate in interface address pool mode
Commands:
  interface interface-type interface-number
  dhcp select interface
Description: Required. By default, a VLAN interface operates in global address pool mode.

Operation: Bind an IP address statically to a client MAC address or client ID
Command: dhcp server static-bind ip-address ip-address { client-identifier client-identifier | mac-address mac-address }
Description: Optional. By default, no static binding is configured.

Operation: Configure the lease period of dynamically allocated IP addresses
Description: Optional. IP address lease period defaults to one day.
  On the current interface:
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
  On multiple interfaces in system view:
    quit
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number [ to interface-type interface-number ] | all }

Operation: Return to system view
Command: quit
Description: -

Operation: Specify the IP addresses to be excluded from automatic allocation
Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Description: Optional. By default, all the IP addresses in an interface address pool are available for dynamic allocation.

Operation: Configure a domain name for DHCP clients
Description: Optional. By default, no domain name is configured for DHCP clients.
  On one interface:
    interface vlan-interface vlan-interface-number
    dhcp server domain-name domain-name
    quit
  On multiple interfaces:
    dhcp server domain-name domain-name { interface vlan-interface vlan-interface-number [ to vlan-interface vlan-interface-number ] | all }

Operation: Configure DNS server addresses for DHCP clients
Description: Optional. By default, no DNS server address is configured.
  On one interface:
    interface vlan-interface vlan-interface-number
    dhcp server dns-list ip-address&<1-8>
    quit
  On multiple interfaces:
    dhcp server dns-list ip-address&<1-8> { interface vlan-interface vlan-interface-number [ to vlan-interface vlan-interface-number ] | all }

Operation: Configure WINS server addresses for DHCP clients
Description: Optional. By default, no WINS server addresses are configured.
  On one interface:
    interface vlan-interface vlan-interface-number
    dhcp server nbns-list ip-address&<1-8>
    quit
  On multiple interfaces:
    dhcp server nbns-list ip-address&<1-8> { interface vlan-interface vlan-interface-number [ to interface-type interface-number ] | all }

Operation: Define a NetBIOS node type for DHCP clients
Description: Optional. By default, no NetBIOS node type is specified and a DHCP client uses the h-node type.
  On one interface:
    interface interface-type interface-number
    dhcp server netbios-type { b-node | h-node | m-node | p-node }
    quit
  On multiple interfaces:
    dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface interface-type interface-number [ to interface-type interface-number ] | all }

Operation: Configure a self-defined DHCP option
Description: Optional. By default, no self-defined option is configured.
  On one interface:
    interface interface-type interface-number
    dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> }
    quit
  On multiple interfaces:
    dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } { interface interface-type interface-number [ to interface-type interface-number ] | all }

Operation: Enable the detection of unauthorized DHCP servers
Command: dhcp server detect
Description: Optional. By default, the detection of unauthorized DHCP servers is disabled.

Operation: Configure duplicate IP address detection
  Set the maximum number of ping packets sent by the DHCP server for each IP address:
    dhcp server ping packets number
    Optional. The default maximum number is 2.
  Set a response timeout for each ping packet:
    dhcp server ping timeout milliseconds
    Optional. The default timeout is 500 milliseconds.

Operation: Enable the DHCP server to support Option 82
Command: dhcp server relay information enable
Description: Optional. By default, the DHCP server supports Option 82.

Configuring the DHCP Relay Agent
Use the following commands to configure the DHCP relay agent.
Table 4 Configure DHCP relay agent

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable the DHCP service
Command: dhcp enable
Description: Optional. By default, the DHCP service is enabled.

Operation: Configure DHCP server IP addresses for a DHCP server group
Command: dhcp-server groupNo ip ip-address&<1-8>
Description: Required. By default, no DHCP server IP address is configured for a DHCP server group.

Operation: Configure a DHCP user address entry
Command: dhcp-security static ip-address mac-address
Description: Optional. By default, no DHCP user address entry is configured.

Operation: Enable DHCP relay agent handshake
Command: dhcp relay hand enable
Description: Optional. By default, DHCP relay agent handshake is enabled.

Operation: Configure the interval at which the DHCP relay agent updates dynamic client address entries
Command: dhcp-security tracker { interval | auto }
Description: Optional. By default, the update interval is calculated automatically according to the number of the DHCP client entries.

Operation: Enable the detection of unauthorized DHCP servers
Command: dhcp-server detect
Description: Required. By default, the detection of unauthorized DHCP servers is disabled.

Operation: Enable the DHCP relay agent to support Option 82
Command: dhcp relay information enable
Description: Required. By default, the DHCP relay agent does not support Option 82.

Operation: Configure a strategy for the DHCP relay agent to handle request packets containing Option 82
Command: dhcp relay information strategy { drop | keep | replace }
Description: Optional. By default, the strategy is replace.

Operation: Enter VLAN interface view
Command: interface interface-type interface-number
Description: -

Operation: Associate the interface to a DHCP server group
Command: dhcp-server groupNo
Description: Required. By default, a VLAN interface is not associated to any DHCP server group.

Operation: Enable the address checking function for the DHCP relay agent
Command: address-check enable
Description: Required. By default, the address checking function is disabled for the DHCP relay agent.

Configuring DHCP Snooping
Use the following commands to configure DHCP snooping:

Table 5 Configure DHCP snooping

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable DHCP snooping
Command: dhcp-snooping
Description: Required. By default, DHCP snooping is disabled.

Operation: Enter Ethernet port view
Command: interface eth\gig-interface-type unit/0/0port-number
Description: -

Operation: Specify the port connected to the DHCP server as a trusted port
Command: dhcp-snooping trust
Description: Optional. By default, all the ports of a switch are untrusted ports.
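The relay agent's Option 82 strategy setting (drop | keep | replace) from the DHCP relay agent table, worked through as an added Python example; it is not 3Com code. The helper names, the ASCII circuit and remote IDs, and the sample requests are assumptions constructed for the illustration; sub-option codes 1 (circuit ID) and 2 (remote ID) are those of RFC 3046.

```python
"""Added illustration of the relay strategies drop | keep | replace for
DHCP requests that already carry Option 82. Not vendor code."""
from typing import Optional

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-options


def parse_tlvs(data: bytes, top_level: bool = True) -> list:
    """Split code/length/value triples; PAD and END only exist at top level."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        items.append((code, value))
        i += 2 + length
    return items


def build_tlvs(items, end: bool = True) -> bytes:
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + (bytes([OPT_END]) if end else b"")


def relay_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the payload of Option 82 (sub-options only, no END marker)."""
    return build_tlvs([(SUB_CIRCUIT_ID, circuit_id),
                       (SUB_REMOTE_ID, remote_id)], end=False)


def apply_strategy(options: bytes, strategy: str,
                   own_info: bytes) -> Optional[bytes]:
    """Return the options the relay forwards, or None if it discards the request."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown strategy {strategy!r}")
    items = parse_tlvs(options)
    if not any(code == OPT_RELAY_INFO for code, _ in items):
        # No Option 82 yet: the relay adds its own, whatever the strategy.
        return build_tlvs(items + [(OPT_RELAY_INFO, own_info)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return options  # original field forwarded unchanged
    kept = [(c, v) for c, v in items if c != OPT_RELAY_INFO]
    return build_tlvs(kept + [(OPT_RELAY_INFO, own_info)])


def circuit_id(options: bytes) -> Optional[bytes]:
    """Circuit ID the DHCP server would see, or None without Option 82."""
    for code, value in parse_tlvs(options):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, top_level=False)).get(SUB_CIRCUIT_ID)
    return None


# Constructed sample data (real devices encode these IDs in their own format).
OWN_INFO = relay_info(b"Vlan-interface10", b"SwitchA")
REQ_PLAIN = build_tlvs([(OPT_MSG_TYPE, b"\x01")])  # DHCPDISCOVER, no Option 82
REQ_WITH_82 = build_tlvs([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_RELAY_INFO, relay_info(b"Ethernet1/0/11", b"Snooping")),
])

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        out = apply_strategy(REQ_WITH_82, strategy, OWN_INFO)
        print(strategy, "->", "discarded" if out is None else circuit_id(out))
```

Under keep the server sees the Option 82 content exactly as it arrived, so per-port allocation on the server relies on the device that inserted it; under replace the relay becomes the source of that information.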
DHCP Server Configuration Example
Network Requirements
A Switch 5500 serves as the DHCP server in the corporate headquarters (HQ) to
allocate IP addresses to the workstations in the HQ and a branch, and it also acts
as the gateway to forward packets from the HQ. The network requirements are as
follows:
■ Assign the HQ the IP addresses in the 10.214.10.0/24 network segment, with a
lease period of two days, and exclude the IP addresses of the DNS server, WINS
server, and mail server from allocation.
■ Assign IP addresses to the DNS server, WINS server, and the mail server in HQ
through static bindings.
■ Assign the workstations in the Branch the IP addresses in the 10.210.10.0/24
network segment, with a lease period of three days, and assign the file server
in the Branch an IP address through a static IP-to-MAC binding.
■ Assign the addresses of the gateway, DNS server, and the WINS server along
with an IP address to each workstation in the HQ and Branch.
■ Enable the detection of unauthorized DHCP servers to prevent any
unauthorized DHCP server from allocating invalid addresses.
Network Diagram
Figure 1 Network diagram for DHCP server configuration
[Figure not reproduced. Labels recoverable from the diagram: HQ, Branch, IP network, DHCP Relay, Gateway, VLAN-int 10, VLAN-int 100; DHCP Client (HQ), DHCP Client 1 and DHCP Client 2 (Branch); DNS server 10.214.10.3, 000d-85c7-4e20; WINS server 10.214.10.4, 0013-4ca8-9b71; mail server 10.214.10.5, 002e-8d20-54c6; file server 10.210.10.4, 000d-88f8-4e71.]
Configuration Procedure
Software Version Used
This example uses the Switch 5500 running software version 3.2.
Configuring DHCP server
■ Configure address allocation for the devices in the HQ.
# Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.
<3Com> system-view
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 10.214.10.1 24
# Configure the interface to operate in the interface address pool mode, assigning
the IP addresses in the 10.214.10.0/24 network segment to the devices in the HQ.
[3Com-Vlan-interface10] dhcp select interface
# Configure the address lease period of the address pool, and configure the IP
addresses of the DNS server and WINS server.
[3Com-Vlan-interface10] dhcp server expired day 2
[3Com-Vlan-interface10] dhcp server dns-list 10.214.10.3
[3Com-Vlan-interface10] dhcp server nbns-list 10.214.10.4
No gateway needs to be configured for the clients because an interface operating
in the interface address pool mode automatically serves as the gateway for DHCP
clients and sends the requested information to the clients.
# Assign IP addresses to the DNS server, WINS server, and mail server through
IP-to-MAC bindings.
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.3 mac-address 000d-85c7-4e20
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.4 mac-address 0013-4ca8-9b71
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.5 mac-address 002e-8d20-54c6
# Exclude the static IP addresses of the DNS server, WINS server, and mail server
from allocation.
[3Com-Vlan-interface10] quit
[3Com] dhcp server forbidden-ip 10.214.10.3 10.214.10.5
■ Configure address allocation for the devices in the Branch.
# Create a global address pool named “br” for the Branch, and specify the range
and lease period of the IP addresses for allocation.
[3Com] dhcp server ip-pool br
[3Com-dhcp-pool-br] network 10.210.10.0 mask 255.255.255.0
[3Com-dhcp-pool-br] expired day 3
# Create a static binding address pool named “br-static”, and assign the file server
in the Branch an IP address through an IP-to-MAC binding.
[3Com-dhcp-pool-br] quit
[3Com] dhcp server ip-pool br-static
[3Com-dhcp-pool-br-static] static-bind ip-address 10.210.10.4 mask 255.255.255.0
[3Com-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71
# Specify the gateway address, DNS server address, and the WINS server address
for the workstations in the Branch.
[3Com-dhcp-pool-br-static] quit
[3Com] dhcp server ip-pool br
[3Com-dhcp-pool-br] gateway-list 10.210.10.1
[3Com-dhcp-pool-br] dns-list 10.214.10.3
[3Com-dhcp-pool-br] nbns-list 10.214.10.4
# Exclude the static IP address of the gateway in the Branch from allocation.
[3Com-dhcp-pool-br] quit
[3Com] dhcp server forbidden-ip 10.210.10.1
# Enable the detection of unauthorized DHCP servers.
[3Com] dhcp server detect
# Configure VLAN-interface100 to operate in the global address pool mode.
[3Com] interface Vlan-interface 100
[3Com-Vlan-interface100] dhcp select global
Note that:
After DHCP configuration is complete, IP addresses can be assigned to the
workstations in the Branch only when a route is active between the HQ and the
Branch.
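A pre-deployment check for the static bindings in a DHCP server configuration like the one above, as an added Python example that is not part of the original guide. The transcript is constructed in this section's prompt style with two deliberate mistakes (a malformed MAC address and an IP address bound to two clients); the function and constant names are assumptions.

```python
"""Added illustration: lint static DHCP bindings in a CLI transcript."""
import ipaddress
import re

# H-H-H MAC notation as used in the commands above, e.g. 000d-85c7-4e20.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
PROMPT_RE = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
BIND_IP_RE = re.compile(r"static-bind ip-address (\S+)(?: mac-address (\S+))?")
BIND_MAC_RE = re.compile(r"static-bind mac-address (\S+)")

# Constructed sample input with two deliberate mistakes.
SAMPLE = """\
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 10.214.10.1 24
[3Com-Vlan-interface10] dhcp select interface
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.3 mac-address 000d-85c7-4e20
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.4 mac-address 0013-4ca8-9b71
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.5 mac-address 002e08d20-54c6
[3Com-Vlan-interface10] quit
[3Com] dhcp server ip-pool br
[3Com-dhcp-pool-br] network 10.210.10.0 mask 255.255.255.0
[3Com-dhcp-pool-br] quit
[3Com] dhcp server ip-pool br-static
[3Com-dhcp-pool-br-static] static-bind ip-address 10.214.10.4 mask 255.255.255.0
[3Com-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71
"""
SAMPLE_FIXED = (SAMPLE.replace("002e08d20-54c6", "002e-8d20-54c6")
                .replace("static-bind ip-address 10.214.10.4 mask",
                         "static-bind ip-address 10.210.10.4 mask"))


def lint_static_bindings(transcript: str) -> list:
    """Return findings: malformed MACs, off-subnet IPs, IPs bound twice."""
    networks, bindings, pending = [], [], {}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group(2):
            continue
        view, cmd = m.group(1), m.group(2)
        tok = cmd.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 4:
            # Interface address pool: the interface subnet is the pool.
            networks.append(ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network)
        elif tok[0] == "network" and len(tok) >= 3:
            # Global pool: "network ip mask m" or "network ip mask-length".
            networks.append(
                ipaddress.ip_network(f"{tok[1]}/{tok[-1]}", strict=False))
        bind_ip, bind_mac = BIND_IP_RE.search(cmd), BIND_MAC_RE.search(cmd)
        if bind_ip and bind_ip.group(2):       # one-line form (interface view)
            bindings.append((view, bind_ip.group(1), bind_ip.group(2)))
        elif bind_ip:                          # two-line form (pool view)
            pending.setdefault(view, {})["ip"] = bind_ip.group(1)
        elif bind_mac:
            pending.setdefault(view, {})["mac"] = bind_mac.group(1)
    for view, pair in pending.items():
        if "ip" in pair and "mac" in pair:
            bindings.append((view, pair["ip"], pair["mac"]))

    findings, owners = [], {}
    for view, ip, mac in bindings:
        if not MAC_RE.match(mac):
            findings.append(f"{view}: malformed MAC {mac} for {ip}")
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            findings.append(f"{view}: {ip} is outside every served subnet")
        owners.setdefault(ip, set()).add(mac.lower())
    for ip, macs in owners.items():
        if len(macs) > 1:
            findings.append(f"{ip} is bound to {len(macs)} different MACs")
    return findings


if __name__ == "__main__":
    for finding in lint_static_bindings(SAMPLE):
        print(finding)
```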
Configuring the DHCP relay agent
This section mainly describes the DHCP server configuration. The following shows
the basic DHCP relay agent configuration that enables the DHCP relay agent to
relay DHCP requests to the DHCP server. For details about DHCP relay agent
configuration, see “DHCP Relay Agent/Snooping Configuration Examples”.
<3Com> system-view
[3Com] dhcp-server 1 ip 10.214.10.1
[3Com] interface Vlan-interface 5 (define Vlan 5 in configuration above)
[3Com-Vlan-interface5] dhcp-server 1
DHCP Relay Agent/Snooping Configuration Examples
Network Requirements
A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server
to assign IP addresses to the workstations in the Office branch. The branches are
connected to an XRN (Expandable Resilient Network) Fabric that serves as the
central node and the DHCP relay agent to forward the DHCP requests from the
workstations. Meanwhile, a lab DHCP server is used to assign IP addresses to the
devices in the labs. The network requirements are as follows:
■ Configure the DHCP server in the HQ to assign the IP addresses in the
192.168.10.0/24 network segment to the workstations in the Office branch,
with a lease period of 12 hours. Configure the IP addresses of the DNS server
and WINS server as 192.169.100.2 and 192.168.100.3 respectively.
■ The XRN Fabric is connected to the branches and is comprised of four switches.
It serves as the DHCP relay agent to forward the DHCP requests from the
workstations in the Office and the devices in the labs. It is enabled to detect
unauthorized DHCP servers.
■ An Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP
addresses in the 192.168.17.0/24 network segment to the devices in Lab1,
with a lease period of one day, and to assign the IP addresses in the
192.168.19.0/24 network segment to Lab2, with a lease period of two days.
The lab DHCP server and the XRN Fabric are interconnected through the
172.16.2.4/30 network segment.
■ Configure the address checking function on the DHCP relay agent so that only
the devices that are assigned legal IP addresses from the DHCP server are
allowed to access the external network.
■ Configure address entry update on the DHCP relay agent so that it updates the
address entries by sending requests to the DHCP server every one minute.
■ Enable DHCP snooping to support DHCP Option 82, adding local port
information to the Option 82 field in DHCP messages.
■ Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP
relay agent keeps the original field unchanged upon receiving DHCP messages
carrying Option 82.
■ Enable the DHCP server to support DHCP Option 82 so that it assigns the IP
addresses 192.168.10.2 through 192.168.10.25 to the DHCP clients
connected to Ethernet1/0/11 on the DHCP snooping switch and assigns
192.168.10.100 through 192.168.10.150 to the DHCP clients connected to
Ethernet1/0/12 of the DHCP snooping switch.
DHCP Relay Agent/Snooping Configuration Examples 19
Network Diagram Figure 2 Network diagram for DHCP relay agent/snooping integrated configuration

Configuration Procedure In this example, the XRN Fabric is comprised of Switch 5500s running software
version 3.2, a Switch 7750 switch running software version Release 0028 is used
as the DHCP snooping-capable switch, and a 3Com Switch 7750 Family S3528
switch running software version Release 0028 is used as the Lab DHCP server.
For better readability:
■ The devices in the XRN Fabric are SwitchA, SwitchB, SwitchC, and SwitchD.
■ The DHCP snooping-capable device is referred to as “Snooping”.
■ The device serving as the Lab DHCP server is referred to as “LAB”.
Configuring XRN Fabric
The Switch 5500 supports XRN Fabric. You can interconnect four devices to form a
Fabric for centralized management of the devices in the Fabric. For details, see the
related sections in the Switch 5500 Family Configuration Guide.

Configuring the DHCP relay agent
Figure 3 Network diagram for DHCP relay agent configuration

Within the XRN Fabric, configuration made on a device can be synchronized to the
other devices. Therefore, configuration is performed on Switch A only in this
example.
# Configure to forward the DHCP requests from the Office to the DHCP server in
the HQ.
<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 192.168.0.3
[SwitchA] interface vlan-interface10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] dhcp-server 1
# Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.
[SwitchA-Vlan-interface10] quit
[SwitchA] dhcp-server 2 ip 192.168.17.1
[SwitchA] interface Vlan-interface 25
[SwitchA-Vlan-interface25] ip address 192.168.19.1 24
[SwitchA-Vlan-interface25] dhcp-server 2
# Configure the IP address of VLAN-interface17 as 172.16.2.5/30 for forwarding
DHCP packets from the Lab DHCP Server to a non-local segment.
[SwitchA-Vlan-interface25] quit
[SwitchA] interface Vlan-interface 17
[SwitchA-Vlan-interface17] ip add 172.16.2.5 30
# Configure the address checking function on the DHCP relay agent. Make sure
you configure the IP addresses and MAC addresses of the two DHCP servers as
static entries for the security function.
[SwitchA-Vlan-interface17] quit
[SwitchA] dhcp-security static 192.168.0.3 000D-88F8-4E71
[SwitchA] dhcp-security static 192.168.17.1 0010-5ce9-1dea
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] address-check enable
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 25
[SwitchA-Vlan-interface25] address-check enable
[SwitchA-Vlan-interface25] quit

# Configure the address entry update interval on the DHCP relay agent.
[SwitchA] dhcp relay hand enable
[SwitchA] dhcp-security tracker 60
# Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy
of keeping the original field upon receiving DHCP messages carrying Option 82.
[SwitchA] dhcp relay information enable
[SwitchA] dhcp relay information strategy keep
# Enable the DHCP relay agent to detect unauthorized DHCP servers.
[SwitchA] dhcp-server detect
# Enable UDP-Helper so that the XRN Fabric can operate in the DHCP relay agent
mode.
[SwitchA] udp-helper enable
# To ensure normal forwarding of DHCP packets across network segments, you
need to configure a routing protocol and advertise the network segments of the
interfaces. The following configuration uses RIP as an example. For the
configuration of other routing protocols, see the parts covering routing protocols
in the product manuals.
[SwitchA] rip
[SwitchA-rip] network 192.168.10.0
[SwitchA-rip] network 192.168.19.0
[SwitchA-rip] network 172.16.0.0
Note:
For the DHCP relay agent using the XRN structure and the DHCP server in the HQ
to communicate with each other, an active route must also be configured
between them. This configuration is performed by the ISP or the user; therefore, it
will not be covered in this document.
Configuring the Lab DHCP server
Figure 4 Network diagram for the Lab DHCP server configuration


# Configure an address pool for Lab2 and specify the address range, lease period,
and the gateway address.
<LAB> system-view
[LAB] dhcp enable
[LAB] dhcp server ip-pool lab2
[LAB-dhcp-lab2] network 192.168.19.0 255.255.255.0
[LAB-dhcp-lab2] expired day 2
[LAB-dhcp-lab2] gateway-list 192.168.19.1
# Configure the IP address of VLAN-interface17 as 172.16.2.6/30 and enable it to
operate in global address pool mode.
[LAB-dhcp-lab2] quit
[LAB] interface Vlan-interface 17
[LAB-Vlan-interface17] ip address 172.16.2.6 30
[LAB-Vlan-interface17] dhcp select global
# Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in
the 192.168.17.0/24 network segment to the devices in Lab1, you only need to
configure VLAN-interface15 to operate in the interface address pool mode.
[LAB-Vlan-interface17] quit
[LAB] interface vlan-interface 15
[LAB-Vlan-interface15] ip address 192.168.17.1 24
[LAB-Vlan-interface15] dhcp select interface
[LAB-Vlan-interface15] quit
# To ensure that the lab DHCP server forwards DHCP packets normally, you need
to configure a routing protocol. The following configuration uses RIP as an example.
For the configuration of other routing protocols, see the related parts in the product
manuals.
[LAB] rip
[LAB-rip] network 192.168.17.0
[LAB-rip] network 172.16.0.0
Configuring DHCP snooping
Figure 5 Network diagram for DHCP snooping configuration


# Enable DHCP snooping and enable Option 82 support for DHCP snooping.
<Snooping> system-view
[Snooping] dhcp-snooping
[Snooping] dhcp-snooping information enable
[Snooping] dhcp-packet redirect Ethernet 0/11 to 0/13
Configuring the DHCP server in the HQ
# On the 3Com series switches, port numbers, VLAN numbers, and the MAC
addresses of the DHCP snooping device and the DHCP relay agent are added to
DHCP Option 82. A complete piece of Option 82 information is a combination of
the values of two suboptions:
Circuit ID suboption: It identifies the VLAN to which the clients belong and the
port to which the DHCP snooping device is connected.
Figure 6 Packet structure of Circuit ID suboption
[Figure 6 fields, in order: Type (1), Length (6), 0, 4, VLAN ID, Port Index]

For example, Option 82 is added to the DHCP messages from clients connected to
Ethernet1/0/11, and its Circuit ID suboption should be
0x010600040001000a, where 01060004 is a fixed value, 0001 indicates the
access port’s VLAN is VLAN 1, and 000a is the absolute number of the port, which
is 1 less than the actual port number, indicating the actual port is Ethernet1/0/11.
Remote ID suboption: It identifies the MAC address of the DHCP snooping device
connected to the client.
Figure 7 Packet structure of Remote ID suboption
[Figure 7 fields, in order: Type (2), Length (8), 0, 6, Bridge MAC Address]

For example, Option 82 is added to the DHCP messages from clients connected to
the DHCP snooping device with MAC 000f-e234-bc66, and its Remote ID
suboption should be 02080006000fe234bc66, where 02080006 is a fixed value
and 000fe234bc66 is the MAC address of the DHCP snooping device.
In this example, IP addresses are assigned based on port number only. Therefore,
on the DHCP server, only a matching port number field in the Circuit ID suboption
needs to be found.
Note:
The following configuration is performed on the Cisco Catalyst 3745 switch
running IOS version 12.3(11)T2. If you are using any other models or devices
running any other version, see the user manuals provided with the devices.
# Enable DHCP server and allocate IP addresses using Option 82 information.
Switch> enable
Switch# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp use class
# Create a DHCP class for the client connected to Ethernet1/0/11 of the DHCP
snooping device, match the port number in the Circuit ID suboption of
Option 82, and replace the content that does not need to be matched with the
wildcard “*”.
Switch(config)# ip dhcp class office1
Switch(dhcp-class)# relay agent information hex 010600040001000a*
Switch(dhcp-class)# exit
# Configure a DHCP class for the client connected to Ethernet1/0/12 of the DHCP
snooping device and match the port number in the Circuit ID suboption of
Option 82.
Switch(config)# ip dhcp class office2
Switch(dhcp-class)# relay agent information hex 010600040001000b*
# Create an address pool for Office and specify address ranges for the two DHCP
classes.
Switch(config)# ip dhcp pool office
Switch(dhcp-pool)# network 192.168.10.0
Switch(dhcp-pool)# class office1
Switch(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25
Switch(dhcp-pool-class)# exit
Switch(dhcp-pool)# class office2
Switch(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150
Switch(dhcp-pool-class)# exit
# Configure the lease period, gateway address, DNS server address, and WINS
server address for the address pool.
Switch(dhcp-pool)# lease 0 12
Switch(dhcp-pool)# default-router 192.168.10.1
Switch(dhcp-pool)# dns-server 192.168.100.2
Switch(dhcp-pool)# netbios-name-server 192.168.100.3
After the above-mentioned configuration, the DHCP server can automatically
assign an IP address, the gateway address, DNS server address, and the WINS
server address for each device in Office.
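The following Python code is an added example, not part of the 3Com or Cisco documentation: it builds and parses the Circuit ID and Remote ID suboptions in the layout described above, including the port index that is 1 less than the port number, and applies the two class patterns from the Cisco configuration as prefix matches with a trailing wildcard. The function names are hypothetical, the trailing-wildcard handling is an assumption covering only the pattern form shown on this page, and the sample payload is constructed from the values given above.

```python
import struct

# Fixed leading bytes given on the page: suboption type, length, then two
# constant bytes (00 04 for Circuit ID, 00 06 for Remote ID).
CIRCUIT_ID_FIXED = bytes.fromhex("01060004")
REMOTE_ID_FIXED = bytes.fromhex("02080006")

# The two DHCP classes and address ranges from the Cisco configuration above.
POOL_CLASSES = [
    ("office1", "010600040001000a*", ("192.168.10.2", "192.168.10.25")),
    ("office2", "010600040001000b*", ("192.168.10.100", "192.168.10.150")),
]


def build_circuit_id(vlan, port_number):
    """Encode VLAN and port; the port index on the wire is port_number - 1."""
    if port_number < 1:
        raise ValueError("port numbers start at 1")
    return CIRCUIT_ID_FIXED + struct.pack("!HH", vlan, port_number - 1)


def build_remote_id(mac):
    """Encode the snooping device's bridge MAC, written as 000f-e234-bc66."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return REMOTE_ID_FIXED + raw


def parse_option82(payload):
    """Decode the suboption TLVs of an Option 82 value in the page's layout."""
    info = {"unknown": []}
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated suboption header")
        sub_type, sub_len = payload[offset], payload[offset + 1]
        value = payload[offset + 2:offset + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("suboption %d is truncated" % sub_type)
        if sub_type == 1:
            if payload[offset:offset + 4] != CIRCUIT_ID_FIXED:
                raise ValueError("unexpected Circuit ID header")
            vlan, index = struct.unpack("!HH", value[2:])
            info.update(vlan=vlan, port_index=index, port_number=index + 1)
        elif sub_type == 2:
            if payload[offset:offset + 4] != REMOTE_ID_FIXED:
                raise ValueError("unexpected Remote ID header")
            digits = value[2:].hex()
            info["remote_mac"] = "-".join(digits[i:i + 4] for i in (0, 4, 8))
        else:
            # Keep anything else so the caller can see it was present.
            info["unknown"].append((sub_type, value))
        offset += 2 + sub_len
    return info


def class_matches(pattern, payload):
    """Compare like the class patterns on the page: hex prefix plus trailing *."""
    wanted = pattern.lower()
    if wanted.endswith("*"):
        return payload.hex().startswith(wanted[:-1])
    return payload.hex() == wanted


def select_range(payload):
    """Return (class name, (first, last)) for the first matching class, else None."""
    for name, pattern, address_range in POOL_CLASSES:
        if class_matches(pattern, payload):
            return name, address_range
    return None


# Constructed sample: Option 82 as described for a client on Ethernet1/0/11 in
# VLAN 1 behind the snooping device with MAC 000f-e234-bc66.
SAMPLE = build_circuit_id(1, 11) + build_remote_id("000f-e234-bc66")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_option82(SAMPLE))
    print(select_range(SAMPLE))
```

The class match is a plain comparison on bytes carried in the request, so the per-port ranges depend on Option 82 being inserted by the snooping switch and kept unchanged by the relay agent, as configured above.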
Precautions
Cooperation Between DHCP Relay Agent and XRN
■ In an XRN network, the DHCP relay agent runs on all the units in the Fabric. But
only the DHCP relay agent running on the master unit can receive and send
packets to perform full DHCP relay agent functions. The DHCP relay agent
running on a slave unit, however, only serves as a backup for the master unit.
■ DHCP is an application-layer protocol based on UDP. Once a slave unit receives
a DHCP request, UDP-Helper redirects the packet to the master unit. Then, the
DHCP relay agent running on the master unit gives a response back to the
request and sends the real time information to each slave unit for backup. In
this way, when the current master unit fails, one of the slaves becomes the new
master and operates as the DHCP relay agent immediately. Therefore, make
sure you enable UDP-Helper before using DHCP relay agent in an XRN system.
Protocols and Standards
■ RFC2131: Dynamic Host Configuration Protocol
■ RFC2132: DHCP Options and BOOTP Vendor Extensions
■ RFC3046: DHCP Relay Agent Information Option
2 QACL CONFIGURATION EXAMPLES
Key words:
ACL and QoS
Abstract:
This document describes QACL configurations on Ethernet switches in actual
networking environments. To satisfy different user needs, the document covers
various functions and applications like time-based ACLs, traffic policing, priority
re-marking, queue scheduling, traffic measurement, port redirection, local traffic
mirroring, and WEB Cache redirection.
Acronyms:
Access control list (ACL), and quality of service (QoS)
Supported QACL Functions
ACL/QoS Functions Supported by 3Com Stackable Switches
Table 6 ACL/QoS functions supported by 3Com stackable switches
Function\Model                                         Switch 5500  Switch 4500  Switch 5500G  Switch 4200G  Switch 4210
Basic ACL                                              ●            ●            ●             ●             ●
Advanced ACL                                           ●            ●            ●             ●             ●
Layer 2 ACL                                            ●            ●            ●             -             -
User-defined ACL                                       ●            ●            ●             -             -
Software-based ACL referenced by upper-layer software  ●            ●            ●             ●             ●
Apply hardware-based ACL to hardware                   ●            ●            ●             -             -
Traffic classification                                 ●            ●            ●             -             -
Priority re-marking                                    ●            ●            ●             -             -
Port rate limiting                                     ●            ●            ●             ●             ●
Traffic policing                                       ●            ●            ●             -             -
Traffic shaping                                        -            -            -             -             -
Port redirection                                       ●            ●            ●             -             -
Queue scheduling                                       ●            ●            ●             ●             ●
Congestion avoidance                                   ●            ●            -             -             -
Local traffic mirroring                                ●            ●            ●             -             -
Traffic measurement                                    ●            ●            ●             -             -
WEB Cache redirection                                  ●            -            -             -             -
Note:
● means that the function is supported.
- means that the function is not supported.
Note:
For details on the ACL and QoS functions supported by different models, refer to
the configuration guide for the switch model.
Configuration Guide
Note:
■ ACL/QoS configuration varies with switch models. The configuration below
uses a 3Com Switch 5500 as an example. For ACL/QoS configuration on other
switches, refer to the corresponding user manuals.
■ The section below lists basic configuration steps. For detailed operational
instructions for each function, refer to the configuration guide and command
reference guide for the applicable product.
Table 7 Configure ACL/QoS in system view

Configuration: Create an ACL and enter ACL view
Command: acl number acl-number [ match-order { config | auto } ]
Remarks: By default, the matching order is config. Layer 2 ACLs and user-defined
ACLs do not support match-order.

Configuration: Define an ACL rule
Command: rule [ rule-id ] { permit | deny } rule-string
Remarks: The parameters (criteria) available for rule-string vary with ACL types.
For additional details, refer to the corresponding command reference guide.

Configuration: Configure a queue scheduling algorithm in system view
Command: queue-scheduler { strict-priority | wfq queue0-width queue1-width
queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width
| wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight
queue5-weight queue6-weight queue7-weight }
Remarks:
■ If the weight or minimum bandwidth of a queue is set to 0 in the WRR or WFQ
approach, strict priority queuing applies to the queue.
■ By default, the WRR queue scheduling algorithm is used for all outbound
queues on a port. Default weights are 1:2:3:4:5:9:13:15.
■ The queue scheduling algorithm defined using the queue-scheduler command
in system view will work on all ports.

Configuration: Configure congestion avoidance
Command: wred queue-index qstart probability
Remarks: -

Table 8 Configure ACL/QoS in port view

Configuration: Apply an ACL on a port
Command: packet-filter { inbound | outbound } acl-rule
Remarks: -

Configuration: Configure the switch to trust the priority of received packets
Command: priority trust
Remarks: Configure the switch to trust the priority carried in received packets.

Configuration: Configure port-based rate limit
Command: line-rate { inbound | outbound } target-rate
Remarks: The granularity is 64 kbps. If an entered number is in the range N×64 to
(N+1)×64 (N is a natural number), the switch takes the value (N+1)×64.

Configuration: Reference an ACL for traffic identification, and re-assign a priority
to the matching packets
Command: traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value |
ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |
local-precedence pre-value }*
Remarks: You can re-mark the IP priority, 802.1p priority, DSCP priority of packets,
and the priority of local queues.

Configuration: Configure traffic policing
Command: traffic-limit inbound acl-rule target-rate [ exceed action ]
Remarks: exceed action: specifies the action taken on the excess packets when the
packet traffic exceeds the preset limit.
■ drop: Drop the excess packets.
■ remark-dscp value: Re-set the DSCP priority, and forward the packets.

Configuration: Configure a queue scheduling algorithm in port view
Command: queue-scheduler { wfq queue0-width queue1-width queue2-width
queue3-width queue4-width queue5-width queue6-width queue7-width | wrr
queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight
queue5-weight queue6-weight queue7-weight }
Remarks:
■ The queue scheduling algorithm defined using the queue-scheduler command in
Ethernet port view will work on the current port only.
■ In the globally defined WRR or WFQ queue scheduling algorithm, you can modify
the weight or bandwidth in port view if the weight or bandwidth of each queue
cannot satisfy the needs of a port.
■ Queue weight or bandwidth defined in port view take priority over the global
settings.
■ The queue weight or bandwidth defined in port view cannot be displayed using
the display queue-scheduler command.

Configuration: Configure redirection
Command: traffic-redirect { inbound | outbound } acl-rule { cpu | interface
interface-type interface-number }
Remarks: A packet cannot be forwarded normally if it is redirected to the CPU.

Configuration: Reference an ACL for traffic identification, and measure the traffic
of the matching packets
Command: traffic-statistic inbound acl-rule
Remarks: -
Network Environment
Figure 8 Network topology
[Figure 8 labels: Server 1 (10.0.0.1) on GE1/1/1; Server 2, Server 3, and Server 4 (10.0.0.2, 10.0.0.3, 10.0.0.4) on GE1/1/2; Data Detect Server on E1/0/20; PC 1 to PC 4 on E1/0/1 to E1/0/4, with IP addresses 10.0.0.10 to 10.0.0.13 and MAC addresses 0012-a990-2440 to 0012-a990-2443]

Figure 8 shows the network topology of a company. The environment is as
follows:
■ A Switch 5500 serves as the central switch of the company. The software
version is Release 3.2.
■ The devices within the company gain access to the Internet through Server1
attached to the port GigabitEthernet1/1/1.
■ Server2, Server3, and Server4 are the data server, mail server and file server of
the company respectively. They are connected to the port
GigabitEthernet1/1/2.
■ The Data Detect Server is connected to the port Ethernet1/0/20.
■ PC1, PC2, PC3 and PC4 are clients of the company, and are connected to the
ports Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4
respectively.
Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example
Network Requirements
The company gains access to the Internet through Server1. The requirements are
as follows:
■ During the period from 8:30 to 18:30 on workdays, the clients are not allowed
to access the Internet through HTTP. In other periods, the clients are allowed to
access the Internet. The maximum access traffic is 100 Mbps.
■ For the packets with the IP priority of 7 that are sent by PC 1, the allowed
maximum rate is 20 Mbps. The DSCP priority of such packets at rates higher
than 20 Mbps is modified as EF.
■ For the packets with the CoS priority of 5 that are sent by PC 2, the allowed
maximum rate is 10 Mbps. Such packets at rates higher than 10 Mbps are
discarded.
Network Diagram
Figure 9 Network diagram for configuration of time-based ACL plus port-based bandwidth limiting plus traffic policing

Configuration Procedure
# Create time range a001, defining the office hours on working days.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day
# Create time range a002, defining off hours.
[3Com] time-range a002 00:00 to 8:30 working-day
[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day
# Define ACL 3010: Forbid the clients to access the Internet through HTTP during
the time range a001; classify and mark the packets with the IP priority of 7
generated when PC 1 accesses the Internet during non-workday periods.
[3Com] acl number 3010
[3Com-acl-adv-3010] rule 0 deny tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3010] rule 1 permit ip source 10.0.0.10 0 precedence 7 time-range a002
[3Com-acl-adv-3010] quit
# Define ACL 4010: Classify and mark the packets with the CoS priority of 5
generated when PC 2 accesses the Internet during non-work periods.
[3Com] acl number 4010
[3Com-acl-ethernetframe-4010] rule 0 permit cos 5 source 0012-0990-2241 ffff-ffff-ffff time-range a002
[3Com-acl-ethernetframe-4010] quit
# Apply rule 0 of ACL 3010 to the port GigabitEthernet1/1/1 connected to
Server1, and limit the rate of the clients’ Internet access traffic to 100
Mbps.
[3Com] interface GigabitEthernet 1/1/1
[3Com-GigabitEthernet1/1/1] packet-filter outbound ip-group 3010 rule 0
[3Com-GigabitEthernet1/1/1] line-rate outbound 102400
[3Com-GigabitEthernet1/1/1] quit
# Perform traffic policing for the packets marked rule 1 of ACL 3010 on the port
Ethernet1/0/1 connected to PC 1, and modify the DSCP priority of the excess
packets to EF.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] traffic-limit inbound ip-group 3010 rule 1 20480 exceed remark-dscp ef
[3Com-Ethernet1/0/1] quit
# Perform traffic policing for the packets marked rule 0 of ACL 4010 on the port
Ethernet1/0/2 connected to PC 2, set the maximum traffic rate to 10 Mbps, and
discard the excess packets.
[3Com] interface Ethernet 1/0/2
[3Com-Ethernet1/0/2] traffic-limit inbound link-group 4010 rule 0 10240 exceed drop
Note:
The traffic-limit command works only with the permit rules in ACLs.
Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus Congestion Avoidance plus Packet Priority Trust
Network Requirements
Server2, Server3, and Server4 are the data server, mail server and file server of the
company respectively. The detailed requirements are as follows:
■ The switch first processes the packets accessing the data server, then the
packets accessing the mail server, and finally the packets accessing the file
server.
■ Configure the port GigabitEthernet1/1/2 to use the WRR queue priority
algorithm, and configure the weight of outbound queues as 1:1:1:5:1:10:1:15.
■ Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to
use WRED: Discard subsequent packets at random when the queue is more
than 64 packets in size, and configure the probability of discarding as 20%.
■ Configure the port Ethernet1/0/3 to trust the priority of packets rather than to
use the priority of the port.
Network Diagram
Figure 10 Network diagram for configuration of priority re-marking plus queue scheduling algorithm plus congestion avoidance plus packet priority trust

Configuration Procedure
# Define ACL 3020: Classify and mark packets according to their destination IP
addresses.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] acl number 3020
[3Com-acl-adv-3020] rule 0 permit ip destination 10.0.0.2 0
[3Com-acl-adv-3020] rule 1 permit ip destination 10.0.0.3 0
[3Com-acl-adv-3020] rule 2 permit ip destination 10.0.0.4 0
[3Com-acl-adv-3020] quit
# Re-mark priority for the packets on the port GigabitEthernet1/1/2 that match
the rules in ACL 3020.
[3Com] interface GigabitEthernet 1/1/2
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 0 local-precedence 7
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 1 local-precedence 5
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 2 local-precedence 3
# Configure the WRR queue scheduling algorithm on the port
GigabitEthernet1/1/2, and configure the weight of outbound queues as
1:1:1:5:1:10:1:15.
[3Com-GigabitEthernet1/1/2] queue-scheduler wrr 1 1 1 5 1 10 1 15
# Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use
WRED: Discard subsequent packets at random when the queue is more than 64
packets in size, and configure the probability of discarding as 20%.
[3Com-GigabitEthernet1/1/2] wred 4 64 20
[3Com-GigabitEthernet1/1/2] quit
# Configure the port Ethernet1/0/3 connected to PC 3 to trust the 802.1p priority
carried by packets.
[3Com] interface Ethernet 1/0/3
[3Com-Ethernet1/0/3] priority trust
Note:
The traffic-priority command works only with the permit rules in ACLs.
Configuration Example of Traffic Measurement plus Port Redirection
Network Requirements
The Data Detect Server is connected to the port Ethernet1/0/20. The detailed
requirements are as follows:
■ Measure the HTTP traffic generated by Internet access through the port
Ethernet1/0/1 during non-workday periods.
■ Redirect all the HTTP traffic generated by the Internet access through the port
Ethernet1/0/1 during workday period to the port Ethernet1/0/20.
Network Diagram
Figure 11 Network diagram for configuration of traffic measurement plus port redirection

Configuration Procedure
# Configure a workday period.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day
# Configure non-workday periods.
[3Com] time-range a002 00:00 to 8:30 working-day
[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day
# Define ACL 3030: Classify the packets accessing the Internet through HTTP
according to periods.
[3Com] acl number 3030
[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3030] rule 1 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a002
[3Com-acl-adv-3030] quit
# Configure traffic redirection on the port Ethernet1/0/1: Redirect all the HTTP
traffic generated by Internet access during workday period to the port
Ethernet1/0/20.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] traffic-redirect inbound ip 3030 rule 0 interface Ethernet 1/0/20
# Measure the HTTP traffic generated by Internet access during non-workday
periods on the port Ethernet1/0/1.
[3Com-Ethernet1/0/1] traffic-statistic inbound ip-group 3030 rule 1
Note:
The traffic-redirect and traffic-statistic commands work only with the permit
rules in ACLs.
Configuration Example of Local Traffic Mirroring
Network Requirements
The Data Detect Server is connected to the port Ethernet1/0/20. All the packets
accessing the Internet through the ports Ethernet1/0/1 and Ethernet1/0/2 using
HTTP during workday period must be mirrored to the port Ethernet1/0/20. Then,
the Data Detect Server analyzes the packets.
Network Diagram
Figure 12 Network diagram for configuration of traffic mirroring

Configuration Procedure
# Configure a workday period.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day
# Define ACL 3030: Classify the packets accessing the Internet through HTTP
during workday period.
[3Com] acl number 3030
[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3030] quit
# Configure the port Ethernet1/0/20 as the mirroring destination port.
[3Com] interface Ethernet 1/0/20
[3Com-Ethernet1/0/20] monitor-port
[3Com-Ethernet1/0/20] quit
# Configure traffic mirroring on the ports Ethernet1/0/1 and Ethernet1/0/2:
Perform traffic identification through ACL 3030, and mirror the matching packets
to the destination port Ethernet1/0/20.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] mirrored-to inbound ip-group 3030 rule 0 monitor-interface
[3Com-Ethernet1/0/1] quit
[3Com] interface Ethernet 1/0/2
[3Com-Ethernet1/0/2] mirrored-to inbound ip-group 3030 rule 0 monitor-interface
Note:
The mirrored-to command works only with the permit rules in ACLs.
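The notes in the configuration examples above state that traffic-limit, traffic-priority, traffic-redirect, traffic-statistic and mirrored-to work only with permit rules, and the Precautions section adds that only the eq operator is supported for TCP/UDP ports. The following Python code is an added example, not part of the 3Com documentation: it checks a command transcript for those commands referencing a deny or undefined rule and for port operators other than eq. The function name lint_qacl is hypothetical, and the sample transcript is constructed from the command forms used in this chapter, with gt standing in as a non-eq operator.

```python
import re

# Commands that, per the notes in this chapter, only act on permit rules.
PERMIT_ONLY = ("traffic-limit", "traffic-priority", "traffic-redirect",
               "traffic-statistic", "mirrored-to")

PROMPT_RE = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # "[3Com-acl-adv-3010] "
ACL_RE = re.compile(r"acl number (\d+)")
RULE_RE = re.compile(r"rule (\d+) (permit|deny)\b(.*)")
REF_RE = re.compile(r"(%s) (?:inbound|outbound) \S+ (\d+) rule (\d+)"
                    % "|".join(PERMIT_ONLY))
PORT_OP_RE = re.compile(r"(?:source|destination)-port (\S+)")

# Constructed transcript (not from the page). Line 4 uses a port operator
# other than eq, line 11 mirrors on a deny rule, line 12 names a missing rule.
SAMPLE = """\
[3Com] acl number 3010
[3Com-acl-adv-3010] rule 0 deny tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3010] rule 1 permit ip source 10.0.0.10 0 precedence 7 time-range a002
[3Com-acl-adv-3010] rule 2 permit tcp destination 10.0.0.1 0 destination-port gt 1023
[3Com-acl-adv-3010] quit
[3Com] interface GigabitEthernet 1/1/1
[3Com-GigabitEthernet1/1/1] packet-filter outbound ip-group 3010 rule 0
[3Com-GigabitEthernet1/1/1] quit
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] traffic-limit inbound ip-group 3010 rule 1 20480 exceed remark-dscp ef
[3Com-Ethernet1/0/1] mirrored-to inbound ip-group 3010 rule 0 monitor-interface
[3Com-Ethernet1/0/1] traffic-statistic inbound ip-group 3010 rule 5
"""


def lint_qacl(transcript):
    """Return a sorted list of (line_number, kind, command_text) findings."""
    actions = {}        # (acl number, rule id) -> "permit" or "deny"
    references = []     # (line number, acl number, rule id, command text)
    findings = []
    current_acl = None

    for number, raw in enumerate(transcript.splitlines(), 1):
        line = PROMPT_RE.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        match = ACL_RE.match(line)
        if match:
            current_acl = int(match.group(1))
            continue
        if line == "quit":
            current_acl = None
            continue
        match = RULE_RE.match(line)
        if match and current_acl is not None:
            actions[(current_acl, int(match.group(1)))] = match.group(2)
            for operator in PORT_OP_RE.findall(match.group(3)):
                if operator != "eq":
                    findings.append((number, "port-operator", line))
            continue
        match = REF_RE.match(line)
        if match:
            references.append((number, int(match.group(2)),
                               int(match.group(3)), line))

    # Resolve references after the whole transcript is read, so a rule
    # defined later than the command that uses it is still found.
    for number, acl, rule_id, line in references:
        action = actions.get((acl, rule_id))
        if action is None:
            findings.append((number, "unknown-rule", line))
        elif action == "deny":
            findings.append((number, "deny-rule", line))
    return sorted(findings)


if __name__ == "__main__":
    for number, kind, line in lint_qacl(SAMPLE):
        print(f"line {number}: {kind}: {line}")
```

The packet-filter line that applies the deny rule is not reported, because packet filtering is the one use in the sample where a deny rule is intended.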
Precautions
Note the following points during the configurations:
1 When ACL rules are applied to a port, the match order of multiple rules in an ACL
depends on the hardware of the switch. For the Switch 5500 Family, the match
order is “first applied, last matched”. Even if you configure a match order while
defining an ACL, the configured one will not work.
2 Each port supports eight outbound queues. The priority of Queues 7 to 0 goes
down one by one. When the SP+WRR queue scheduling algorithm is applied on a
port, the switch will first schedule the queue with the weight of 0. If no packets
are sent from the queue, the switch will perform the WRR scheduling for the
remaining queues. When the SP+WFQ queue scheduling algorithm is applied on a
port, the switch will first schedule the queue with the bandwidth of 0. If no
packets are sent from the queue, the switch will perform the WFQ scheduling for
the remaining queues.
3 The switch can be configured with multiple mirroring source ports but only one
mirroring destination port. It is recommended that you use the mirroring destination
port only for forwarding mirrored traffic rather than as a service port. Otherwise,
normal services may be affected.
4 The traffic-limit, traffic-priority, traffic-redirect, and mirrored-to commands
can work only on the permit rules in ACLs.
5 For the TCP/UDP port in an advanced ACL, only the eq operator is supported.
6 For a Layer 2 ACL, the format-type (including 802.3/802.2, 802.3, ether_ii, and
snap) parameter is not supported.
7 All redirected packets will be tagged no matter whether the egress port is tagged.
8 When configuring a user-defined ACL, consider the following points for the offset
length:
■ All the packets that are processed by the switch internally have a VLAN tag.
One VLAN tag is four bytes in length.
■ If the VLAN VPN function is disabled, all the packets that are processed by the
switch internally have one VLAN tag.
■ If the VLAN VPN function is enabled on a port, the switch will add another
layer of VLAN tag to the packets received on all ports. No matter whether the
packets contain a VLAN tag originally, the packets will have two layers of VLAN
tags.
The table below lists the common protocol types and offset.
Table 9 Common protocol type and offset
Protocol type  Protocol number  Offset (VLAN VPN disabled)  Offset (VLAN VPN enabled)
ARP            0x0806           16                          20
RARP           0x8035           16                          20
IP             0x0800           16                          20
IPX            0x8137           16                          20
AppleTalk      0x809B           16                          20
ICMP           0x01             27                          31
IGMP           0x02             27                          31
TCP            0x06             27                          31
UDP            0x17             27                          31
Other Functions Referencing ACL Rules
Other functions that reference ACL rules are as follows:
■ Telnet/SNMP/WEB login user control. For Telnet users, ACLs 2000 to 4999 may
be referenced, and for SNMP/WEB users, ACLs 2000 to 2999 may be
referenced.
■ ACLs 2000 to 3999 can be referenced for routing policy match.
■ ACLs 2000 to 3999 can be referenced for filtering route information.
■ ACLs 2000 to 3999 can be referenced for displaying the routing entries that
match an ACL rule.
■ ACLs 2000 to 3999 can be referenced for displaying the FIB entries that match
an ACL rule.
■ ACLs 2000 to 3999 can be referenced for connecting a TFTP client to the TFTP
server.
The functions that reference system ACL rules include:
■ 802.1x function (after 802.1x is enabled globally and on a port, ACL rules are
referenced to apply)
■ Cluster function (the function is enabled by default. ACL rules are referenced to
apply to all ports). ACL 3998 and ACL 3999 are reserved for cluster
management, and cannot be configured.
■ DHCP snooping (after the function is enabled, ACL rules are referenced to
apply to all ports)
■ Port isolation (If the function is configured and a virtual interface is available,
ACL rules are referenced to apply)
■ MAC+IP port binding (after the function is configured on a port, ACL rules are
referenced to apply)
■ Flexible QinQ (after this function is configured on a port, the ACL rules within
the configured range are referenced to apply)
■ Voice VLAN (if Voice VLAN is enabled on a port and an OUIMAC is available,
ACL rules are referenced to add)
Configuration Example of WEB Cache Redirection
Note: Currently, only the Switch 5500 Family supports the WEB Cache redirection function.
Network Requirements
Figure 13 shows the network topology of a company. The environment is as follows:
■ A Switch 5500 serves as the central switch of the company. The software
version is Release 3.2.
■ The marketing department gains access to the switch through the port
Ethernet1/0/1. It belongs to VLAN 10, and the network segment is
192.168.1.1/24.
■ The R&D department gains access to the switch through the port
Ethernet1/0/2. It belongs to VLAN 20, and the network segment is
192.168.2.1/24.
■ The administrative department gains access to the switch through the port
Ethernet1/0/3. It belongs to VLAN 30, and the network segment is
192.168.3.1/24.
■ The WEB Cache Server gains access to the switch through the port Ethernet1/0/4. It belongs to VLAN 40, and the network segment is 192.168.4.1/24. The IP address of the WEB Cache Server is 192.168.4.2, and its MAC address is 0012-0990-2250.
The WEB Cache redirection function is enabled on the switch, and all the packets
of the marketing department, R&D department, and administrative department
are redirected to the WEB Cache Server, so as to relieve the load from the
connection links of the WAN, and improve the speed of Internet access.
Network Diagram
Figure 13 Network diagram for configuration of WEB Cache redirection

Configuration Procedure
# Create VLAN 10 for the marketing department, and assign an IP address 192.168.1.1 to the VLAN interface 10.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 10
[3Com-vlan10] port Ethernet 1/0/1
[3Com-vlan10] quit
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 192.168.1.1 24
[3Com-Vlan-interface10] quit
# Create VLAN 20 for the R&D department, and assign an IP address 192.168.2.1
to the VLAN interface 20.
[3Com] vlan 20
[3Com-vlan20] port Ethernet 1/0/2
[3Com-vlan20] quit
[3Com] interface Vlan-interface 20
[3Com-Vlan-interface20] ip address 192.168.2.1 24
[3Com-Vlan-interface20] quit
# Create VLAN 30 for the administrative department, and assign an IP address
192.168.3.1 to the VLAN interface 30.
[3Com] vlan 30
[3Com-vlan30] port Ethernet 1/0/3
[3Com-vlan30] quit
[3Com] interface Vlan-interface 30
[3Com-Vlan-interface30] ip address 192.168.3.1 24
[3Com-Vlan-interface30] quit
[Figure 13 labels: E1/0/1, E1/0/2, E1/0/3, E1/0/4; VLAN 10, Market Department; VLAN 20, R&D Department; VLAN 30, Administrative Department; VLAN 40, WEB Cache Server, 192.168.4.2, 0012-0990-2250; Internet]
# Create VLAN 40 for the WEB Cache Server, and assign an IP address 192.168.4.1
to the VLAN interface 40.
[3Com] vlan 40
[3Com-vlan40] port Ethernet 1/0/4
[3Com-vlan40] quit
[3Com] interface Vlan-interface 40
[3Com-Vlan-interface40] ip address 192.168.4.1 24
[3Com-Vlan-interface40] quit
# Enable the WEB Cache redirection function, and redirect all the HTTP packets
received on VLAN 10, VLAN 20 and VLAN 30 to the WEB Cache Server.
[3Com] webcache address 192.168.4.2 mac 0012-0990-2250 vlan 40 port
Ethernet 1/0/4
[3Com] webcache redirect-vlan 10
[3Com] webcache redirect-vlan 20
[3Com] webcache redirect-vlan 30
Note: The VLAN interface 40, VLAN interface 10, VLAN interface 20, and VLAN interface 30 must be in UP state. Otherwise, the WEB Cache redirection function will not work.
3 802.1X CONFIGURATION EXAMPLE
Keywords:
802.1x and AAA
Abstract:
This article introduces the application of 802.1x on Ethernet switches in real
network environments, and then presents detailed configurations of the 802.1x
client, LAN Switch and AAA server respectively.
Acronyms:
AAA (Authentication, Authorization and Accounting)
Note: The use of this document is restricted to 3Com Switch 4500, Switch 5500, Switch 5500G, Switch 4210, and Switch 4200 Families.
Introduction to 802.1X
The LAN defined in IEEE 802 protocols does not provide access authentication. In general, users can access network devices or resources in a LAN as long as they can connect to the LAN. In application scenarios such as telecom network access, building LAN and mobile office, however, administrators need to control and configure the access of user devices. Port-based or user-based access control addresses this need.
802.1x is a port-based network access control protocol. It is widely accepted by
vendors, service providers and end users for its low cost, superior service continuity
and scalability, and high security and flexibility.
Features Configuration
Global Configuration
■ Enable 802.1x globally
■ Set time parameters
■ Set the maximum number of authentication request attempts
■ Enable the quiet timer
■ Enable re-authentication upon reboot
Configuration in Port View
■ Enable dot1x on the port
■ Enable Guest VLAN
■ Set the maximum number of users supported on the port
■ Set a port access control method (port-based or MAC-based)
■ Set a port access control mode (force-authorized, force-unauthorized or auto)
■ Enable client version checking
■ Enable proxy detection
Precautions
■ The configuration of dot1x takes effect only after the dot1x feature is enabled globally.
■ You can configure dot1x parameters associated with Ethernet ports or devices
before enabling dot1x. However, the configured dot1x parameters only take
effect after dot1x is enabled.
■ The configured dot1x parameters are reserved after dot1x is disabled and will
take effect if dot1x is re-enabled.
802.1X Configuration Commands
To implement 802.1x, you need to configure the supplicant system (client), authenticator system (switch) and authentication/authorization server correctly.
■ Supplicant system: Ensure that the PC uses a suitable client.
■ Authenticator system: Configuring 802.1x and AAA on the authenticator system is required.
■ Authentication/authorization server: Configuring the authentication/authorization server correctly is required.
The following table shows 802.1x configuration commands necessary for
configuring the switch (authenticator system). For configuration information on
other devices, refer to related manuals.
Table 10 802.1x configuration commands
| To... | Use the command... | Remarks |
|---|---|---|
| Enable 802.1x globally | dot1x | Required. Disabled by default |
| Enable 802.1x on one or more ports | In system view: dot1x [ interface interface-list ]. In port view: dot1x | Required. Disabled on a port by default. 802.1x must be enabled both globally in system view and on the intended port in system view or port view. Otherwise, it does not function. |
| Set a port access control method for the specified or all ports | dot1x port-method { macbased \| portbased } [ interface interface-list ] | Optional. macbased by default. Port-based access control is required for Guest VLAN. |
| Enable a Guest VLAN on the specified or all ports | dot1x guest-vlan vlan-id [ interface interface-list ] | Required. Not enabled by default. The vlan-id of the Guest VLAN must be created beforehand. |
Enterprise Network Access Authentication Configuration Example
Note: The configuration or information displayed may vary with devices. The following example uses the 3Com Switch 5500 (using software Release 1510).
Network Application Analysis
An administrator of an enterprise network needs to authenticate users accessing
the network on a per-port basis on the switch to control access to network
resources. Table 11 shows the details of network application analysis.
Table 11 Network application analysis
| Network requirements | Solution |
|---|---|
| Access of users is controlled by authentication. | Enable 802.1x |
| Users can only access VLAN 10 before the authentication succeeds. | Enable Guest VLAN |
| Users can access VLAN 100 after the authentication succeeds. | Enable dynamic VLAN assignment |
| Users select the monthly payment service of 50 dollars and use 2M bandwidth to access the network. | Configure an accounting policy and bandwidth restraint policy on the RADIUS server |
| IP address and MAC address are bound after a user logs in. | Set MAC-to-IP binding |
| Tear down the connection by force if it is idle for 20 minutes. | Enable idle cut |
| Users can be re-authenticated successfully after the switch reboots abnormally. | Enable re-authentication upon reboot |
Network Diagram
Figure 14 Network diagram for enterprise network application
[Figure 14 labels: Internet; Supplicant; Authentication Server; Update Server; VLAN 10; Ethernet 1/0/1; VLAN 1; Ethernet 1/0/3; VLAN 2; Ethernet 1/0/4; VLAN 100; Ethernet 1/0/2]
Configuration Procedure
Configuring the Switch
# Create a RADIUS scheme named cams, and specify the primary and secondary authentication/accounting servers.
<3Com> system-view
[3Com] radius scheme cams
[3Com-radius-cams] primary authentication 192.168.1.19
[3Com-radius-cams] primary accounting 192.168.1.19
[3Com-radius-cams] secondary authentication 192.168.1.20
[3Com-radius-cams] secondary accounting 192.168.1.20
# Set the password to expert for the switch to exchange messages with the
RADIUS authentication and accounting servers.
[3Com-radius-cams] key authentication expert
[3Com-radius-cams] key accounting expert
# Set the username format to fully qualified user name with domain name.
[3Com-radius-cams] user-name-format with-domain
# Set the server type to extended.
[3Com-radius-cams] server-type extended
# Enable re-authentication upon reboot.
[3Com-radius-cams] accounting-on enable
[3Com-radius-cams] quit
# Create an ISP domain named abc and adopt the RADIUS scheme cams for
authentication.
[3Com] domain abc
[3Com-isp-abc] radius-scheme cams
[3Com-isp-abc] quit
# Set the ISP domain abc as the default ISP domain.
[3Com] domain default enable abc
# Enable dynamic VLAN assignment.
[3Com] domain abc
[3Com-isp-abc] vlan-assignment-mode integer
[3Com-isp-abc] quit
# Enable Guest VLAN 10 on the specified port.
[3Com] vlan 10
[3Com-vlan10] quit
[3Com] interface Ethernet 1/0/3
[3Com-Ethernet1/0/3] dot1x port-method portbased
[3Com-Ethernet1/0/3] dot1x guest-vlan 10
[3Com-Ethernet1/0/3] quit
# Enable 802.1x.
[3Com] dot1x
# Enable dot1x in port view.
[3Com] interface Ethernet 1/0/3
[3Com-Ethernet1/0/3] dot1x
[3Com-Ethernet1/0/3] quit
# Use the display command to view the configuration associated with 802.1x and
AAA parameters.
[3Com] display dot1x interface ethernet1/0/3
Global 802.1x protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 3600 s, ReAuth MaxTimes 2
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
Maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
Ethernet1/0/3 is link-up
802.1x protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max number of on-line users is 256
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
[3Com] display radius scheme cams
SchemeName =cams Index=1 Type=extended
Primary Auth IP =192.168.1.19 Port=1812
Primary Acct IP =192.168.1.19 Port=1813
Second Auth IP =192.168.1.20 Port=1812
Second Acct IP =192.168.1.20 Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =with-domain
Data flow unit =Byte
Packet unit =1
unit 1 :
Primary Auth State=active, Second Auth State=active
Primary Acc State=active, Second Acc State=active
[3Com] display domain abc
The contents of Domain abc:
State = Active
RADIUS Scheme = cams
Access-limit = Disable
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Configuring the RADIUS Server
The configuration of CAMS authentication, authorization and accounting server
consists of four parts:
■ “Creating an accounting policy” on page 49
■ “Adding a service” on page 50
■ “Adding an account user” on page 51
■ “Configuring the access device” on page 52
The following parts take CAMS server V1.20 (standard version) as an example to
introduce CAMS configuration.
Logging in the CAMS configuration console
1 Enter the correct user name and password on the login page to log in to the
CAMS configuration console.
Figure 15 Login page of CAMS configuration console

2 After login, the following page appears:
Figure 16 CAMS configuration console

Creating an accounting policy
1 Enter the Accounting Policy Management page.
Log in to the CAMS configuration console. On the navigation tree, select [Charges Management/Accounting Policy] to enter the [Accounting Policy Management] page, as shown in Figure 17.
Figure 17 Accounting Policy Management

The list shows the created accounting policies. You can query, modify or maintain
these policies.
2 Create an accounting policy.
Click <Add> to enter the [Accounting Policy Basic Information] page and create a
monthly payment accounting policy, as shown in Figure 18.
Figure 18 Accounting Policy Basic Information

3 Click <Next> to enter the [Accounting Attribute Settings] page, and set
Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee
to 50 dollars, as shown in Figure 19.
Figure 19 Accounting Attribute Settings

Click <OK>. A monthly payment accounting policy is created.
Adding a service
1 Enter the Service Config page.
Log in to the CAMS configuration console. On the navigation tree, select [Service Management/Service Config] to enter the [Service Config] page, as shown in Figure 20.
Figure 20 Service Config

The list shows the created service types. You can query, modify or delete these
service types.
2 Add a service.
Click <Add> to enter the [Add Service] page and configure as follows:
■ Service Name: abc
■ Service Suffix Name: abc
■ Accounting Policy: Monthly Fixed Payment
■ Upstream Rate Limitation: 2M (2048 Kbps)
■ Downstream Rate Limitation: 2M (2048 Kbps)
■ VLAN Assignment: VLAN 100
■ Authentication Binding: Bind user IP address and bind user MAC address
Figure 21 Add Service

Click <OK>. A service type is added.
Adding an account user
1 Enter the Account Management page.
Log in to the CAMS configuration console. On the navigation tree, select [User Management/Account User] to enter the [Account Management] page, as shown in Figure 22.
Figure 22 Account Management

The list shows the created account users. You can maintain these account users.
2 Add an account user.
Click <Add> to enter the [Add Account] page and configure as follows:
■ Account: info
■ Password: info
■ Full Name: Bruce
■ Prepaid Money: 100 dollars
■ Bind multiple IP address and MAC address: enable
■ Online Limit: 1
■ Max. Idle Time: 20 minutes
■ Service Information: abc
Figure 23 Add Account

Click <OK>. An account user is added.
Configuring the access device
1 Enter the System Configuration page.
Log in to the CAMS configuration console. On the navigation tree, select [System Management/System Configuration] to enter the [System Configuration] page, as shown in Figure 24.
Figure 24 System Configuration

2 Click the Modify link for the Access Device item to enter the [Access Device
Configuration] page to modify access device configuration like IP address, shared
key, and authentication and accounting ports.
Figure 25 Access Device Configuration

Adding configuration item
1 Click <Add> to enter the [Add Access Device] page and add configuration items,
as shown in Figure 26.
Figure 26 Add Access Device

2 Click <OK>. The prompt page appears as shown in Figure 27.
Figure 27 Page prompting that system configuration is modified successfully

3 Return to the [System Configuration] page and click <Validate Now> to make the
configuration take effect immediately.
Figure 28 Validate Now on System Management page

Configuring the Supplicant System
You need to install an 802.1x client on the PC, which may be 3Com’s 802.1x client, the client shipped with Windows XP or a third-party client. The following takes 3Com’s 802.1x client as an example to introduce how to configure the supplicant system.
Starting up 3Com authentication client
Figure 29 3Com authentication client

Creating a connection
Right-click the 802.1x Authentication icon and select [Create an 802.1x connection], as shown in Figure 30.
Figure 30 Create an 802.1x connection

Configuring connection attributes
Click <Next> to enter the [Set special properties] page:
Figure 31 Set special properties

Keep default settings and click <OK>. The prompt page appears as shown in
Figure 32.
Figure 32 Page prompting that a connection is created successfully

Initiating the connection
Double click the info connection:
Figure 33 Connecting

The connection succeeds:
Figure 34 Page prompting that the Authentication succeeds

Verifying Configuration
To verify that the configuration of Guest VLAN is taking effect, check that users can access VLAN 10 before 802.1x authentication or when 802.1x authentication fails.
To verify that the dynamically assigned VLAN is taking effect, check that users can
access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x
authentication cooperates with CAMS to complete accounting and real time
monitoring.
To verify that the configuration of IP-to-MAC binding is taking effect, check that
users can be re-authenticated and access the Internet when the device reboots
abnormally. If the configured IP-to-MAC binding is different from that on the
CAMS, the user cannot access the Internet.
Troubleshooting
Symptom: 802.1x authentication failed
Solution:
■ Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
■ Verify the username and password are set correctly.
■ Verify the connection works well.
■ Use the debugging dot1x packet command to verify the switch receives and sends EAP and EAPoL packets normally.
Symptom: Users can access network resources without 802.1x authentication
■ Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
■ Use the display interface command to verify the statistics of incoming packets are available for the specified port. 802.1x authentication applies only to incoming packets, not outgoing packets.
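The display dot1x check that both symptoms start with can be scripted over saved command output. The following is an added example, not part of the original manual; the sample is an excerpt of the display output shown earlier in this chapter, the function names are hypothetical, and the "link-down" form of the port header line is an assumption.

```python
import re

# Excerpt of the "display dot1x interface ethernet1/0/3" output shown in this chapter.
SAMPLE_OUTPUT = """\
Global 802.1x protocol is enabled
CHAP authentication is enabled
Quiet Period 60 s, Quiet Period Timer is disabled
Ethernet1/0/3 is link-up
802.1x protocol is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
Max number of on-line users is 256
"""

# A port section starts with "<interface> is link-up"; "link-down" is assumed.
PORT_HEADER = re.compile(r"^(\S+\d+/\d+/\d+) is link-(?:up|down)$")


def parse_display_dot1x(text):
    """Split the output into a 'global' section and one section per port."""
    sections = {"global": []}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = PORT_HEADER.match(line)
        if match:
            current = sections.setdefault(match.group(1), [])
            continue
        current.append(line)
    return sections


def verify_port(text, port, guest_vlan=True):
    """Return a list of problems for `port`; an empty list means the checks pass."""
    sections = parse_display_dot1x(text)
    problems = []
    if "Global 802.1x protocol is enabled" not in sections["global"]:
        problems.append("802.1x is not enabled globally")
    lines = sections.get(port)
    if lines is None:
        problems.append(f"{port} does not appear in the output")
        return problems
    if "802.1x protocol is enabled" not in lines:
        problems.append(f"802.1x is not enabled on {port}")
    if "Authentication Mode is Auto" not in lines:
        problems.append(f"{port} is not in auto mode, so authentication is not deciding access")
    # Table 10: port-based access control is required for Guest VLAN.
    if guest_vlan and "Port Control Type is Port-based" not in lines:
        problems.append(f"Guest VLAN needs port-based access control on {port}")
    return problems


if __name__ == "__main__":
    print(verify_port(SAMPLE_OUTPUT, "Ethernet1/0/3"))
    # Constructed variation: the default macbased method left in place.
    print(verify_port(SAMPLE_OUTPUT.replace("Port-based", "Mac-based"), "Ethernet1/0/3"))
```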
4 SSH CONFIGURATION EXAMPLE
Keywords:
SSH, RSA
Abstract:
This article introduces the application of SSH on the 3Com stackable switches in
real network environments, and then presents detailed configurations of the
involved SSH client and Ethernet switches respectively.
Acronyms:
SSH (Secure Shell), RSA (Rivest Shamir Adleman)
Introduction to SSH
Secure Shell (SSH) is designed to provide secure remote login and other security services in insecure network environments. When users remotely access the switch across an insecure network, SSH automatically encrypts data before transmission and decrypts it after it reaches the destination, to guarantee information security and protect switches from attacks such as plain-text password interception. In addition, SSH provides powerful authentication to defend against man-in-the-middle attacks. SSH uses the client/server mode, in which the SSH server accepts connection requests from SSH clients and provides authentication. SSH clients can establish SSH connections and log in to the SSH server through those connections.
SSH also provides other functions, such as compressing the data to be transmitted to speed up transmission, functioning as Telnet, and providing secure channels for FTP, POP and even PPP.
Note: For details about SSH functions supported on different Ethernet switches, refer to related user manuals.
Support for SSH Functions
Table 12 List of SSH functions supported on the 3Com stackable switches
| Model\Function | SSH server | SSH client |
|---|---|---|
| Switch 5500 | ● | ● |
| Switch 4500 | ● | ● |
| Switch 5500G | ● | ● |
| Switch 4200 | ● | ● |
| Switch 4200G | ● | ● |
| Switch 4210 | ● | ● |
SSH Configuration
Configuring an SSH Server
For a 3Com switch to be the SSH server
■ Configure the protocols supported on user interfaces
■ Create or destroy an RSA key pair
■ Export an RSA key pair
■ Create an SSH user and specify an authentication type
■ Specify a service type for the SSH user
■ Configure the SSH management function on the SSH server
■ Configure a client public key on the SSH server
■ Specify a public key for the SSH user
■ Specify the source IP address or source interface of packets
For a non-3Com device to be the SSH server
For such configuration, refer to the related user manual.
Configuring an SSH Client
Using SSH client software
There are many kinds of SSH client software, such as PuTTY, Tectia, WinSCP, and OpenSSH. You can select one as required and refer to its manual for configuration.
Using an SSH2-capable switch
■ Configure whether first-time authentication is supported
■ Establish a connection between the SSH client and the SSH server
Precautions
■ If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
■ Creating an RSA key pair on the SSH server is necessary for successful SSH login.
■ For new SSH users to log in successfully, you must specify an authentication type for them.
SSH Configuration Commands
To implement SSH, you need to configure the SSH client and the SSH server correctly.
The following sections describe the switch’s SSH configuration commands. For more information, refer to the SSH section of the applicable configuration guide.
Configuring a 3Com Switch as an SSH Server
Configuration Procedure
Table 13 Configure the switch as an SSH server
| Role | Common configuration | Authentication type | Public key configuration | Remarks |
|---|---|---|---|---|
| SSH server | For detailed command, refer to “Common configuration” on page 64. | Password authentication | - | For detailed command, refer to “Password authentication configuration” on page 65. |
| | | RSA authentication | Configure a public key manually: copy the public key from the client public key file to the SSH server. Associate the client public key saved on the SSH server to the SSH client | For detailed commands, refer to “Configuring the client RSA public key manually” on page 65. |
| | | | Import a public key: import the public key from the client public file to the SSH server through commands. Associate the client public key saved on the SSH server to the SSH client | For detailed commands, refer to “Importing the client RSA public key” on page 66. |
Precautions for authentication type configuration
The above table introduces the password authentication and RSA authentication separately. In practice, you can combine the two authentication types.
■ Executing the ssh authentication-type default password-publickey command or the ssh user authentication-type password-publickey command means that users must pass both the password authentication and the RSA authentication to log in to the SSH server.
■ Executing the ssh authentication-type default all command or the ssh user authentication-type all command means that users can log in to the SSH server as long as they pass either the password or RSA authentication.
Public key configuration procedure and precautions
As shown in Table 13, you need to copy or import the public key from the client to the server.
1 Manually configure the RSA public key
■ When a switch acts as the SSH client, use the display rsa local-key-pair public command to display the RSA public key after creating RSA key pair through the corresponding commands.
■ Manually copy the RSA public key to the SSH server. Thus, the SSH server has the same public key as the SSH client, and can authenticate the SSH client when the SSH client establishes a connection with it.
2 Import the RSA public key
■ When a switch acts as the SSH server, use the SSH client software to generate an RSA key pair, and then upload the RSA public key file to the SSH server through FTP or TFTP.
■ On the SSH server, import the public key from the public key file through commands.
3 Precautions
When some SSH client software like PuTTY is used to generate an RSA key pair, you can either manually configure the public key for the SSH server or import the public key to the SSH server.
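For the manual method, Table 16 requires the client key as a hexadecimal, PKCS-coded string, while client software such as OpenSSH stores it as a one-line "ssh-rsa" record. The following is an added example, not part of the original manual, that converts one form to the other; it assumes that "PKCS" here means the DER-encoded PKCS#1 RSAPublicKey structure (modulus, then public exponent), and the key values and helper names are constructed for illustration.

```python
import base64
import struct


def _read_string(buf, pos):
    """Read one length-prefixed SSH string starting at pos; return (bytes, next pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from("!I", buf, pos)
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def parse_openssh_rsa(line):
    """Return (modulus, exponent) from an OpenSSH 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    algo, pos = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("key blob does not match the ssh-rsa label")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _der_len(length):
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def pkcs1_hex(modulus, exponent, group=8):
    """Hex text of DER SEQUENCE { modulus, exponent }, spaced every `group` digits."""
    body = _der_int(modulus) + _der_int(exponent)
    digits = (b"\x30" + _der_len(len(body)) + body).hex().upper()
    return " ".join(digits[i:i + group] for i in range(0, len(digits), group))


def openssh_to_pkcs1_hex(line):
    return pkcs1_hex(*parse_openssh_rsa(line))


def make_openssh_line(modulus, exponent, comment="constructed-sample"):
    """Build a constructed ssh-rsa line so the example runs without a key file."""
    def mpint(value):
        data = value.to_bytes(value.bit_length() // 8 + 1, "big")
        return struct.pack("!I", len(data)) + data
    blob = struct.pack("!I", 7) + b"ssh-rsa" + mpint(exponent) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed 1024-bit value standing in for a modulus; not a usable RSA key.
    sample = make_openssh_line((1 << 1023) | 1, 65537)
    print(openssh_to_pkcs1_hex(sample))
```

Compare the printed string with the key file on the client before pasting it, since the switch will authenticate whoever holds the matching private key.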
Configuration Commands
Common configuration
Table 14 Common configuration
| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter the view of one or multiple user interfaces | user-interface [ type-keyword ] number [ ending-number ] | - |
| Configure the authentication mode as scheme | authentication-mode scheme [ command-authorization ] | Required. By default, the user interface authentication mode is password. |
| Specify the supported protocol(s) | protocol inbound { all \| ssh \| telnet } | Optional. By default, both Telnet and SSH are supported. |
| Return to the system view | quit | - |
| Create an RSA key pair | rsa local-key-pair create | Required. By default, no RSA key pair is created. |
| Destroy the RSA key pair | rsa local-key-pair destroy | Optional |
| Specify a service type for the SSH user | ssh user username service-type { stelnet \| sftp \| all } | Optional. stelnet by default |
| Set SSH authentication timeout time | ssh server timeout seconds | Optional. By default, the timeout time is 60 seconds. |
| Set SSH authentication retry times | ssh server authentication-retries times | Optional. By default, the number of retry times is 3. |
| Set RSA server key update interval | ssh server rekey-interval hours | Optional. By default, the system does not update RSA server keys. |
| Configure SSH server to be compatible with SSH1.x clients | ssh server compatible-ssh1x enable | Optional. By default, SSH server is compatible with SSH1.x clients. |
| Specify a source IP address for the SSH server | ssh-server source-ip ip-address | Optional |
| Specify a source interface for the SSH server | ssh-server source-interface interface-type interface-number | Optional |
Password authentication configuration
Table 15 Configure password authentication
| Operation | Command | Description |
|---|---|---|
| Create an SSH user and specify an authentication type | Specify the default authentication type for all SSH users: ssh authentication-type default password, ssh user username. Create an SSH user, and specify an authentication type for the user: ssh user username authentication-type password | Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence. |
Note: For common configuration commands, refer to Table 14.
Configuring the client RSA public key manually
Table 16 Configure the client RSA public key manually
| Operation | Command | Description |
|---|---|---|
| Create an SSH user and specify an authentication type | Specify the default authentication type for all SSH users: ssh authentication-type default rsa, ssh user username. Create an SSH user, and specify an authentication type for it: ssh user username authentication-type rsa | Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence. |
| Enter public key view | rsa peer-public-key keyname | Required |
| Enter public key edit view | public-key-code begin | - |
| Configure the client RSA public key | Enter the content of the RSA public key | The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters. |
| Return from public key code view to public key view | public-key-code end | When you exit public key code view, the system automatically saves the public key. |
| Return from public key view to system view | peer-public-key end | - |
| Assign a public key to an SSH user | ssh user username assign rsa-key keyname | Required. If you issue this command multiple times, the last command overrides the previous ones |
Note: For general configuration commands, refer to Table 14.
Importing the client RSA public key
Table 17 Import the client RSA public key
| Operation | Command | Description |
|---|---|---|
| Create an SSH user and specify an authentication type | Specify the default authentication type for all SSH users: ssh authentication-type default rsa, ssh user username. Create an SSH user, and specify an authentication type for it: ssh user username authentication-type rsa | Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence. |
| Import the client RSA public key from the specified public key file | rsa peer-public-key keyname import sshkey filename | Required |
| Assign a public key to an SSH user | ssh user username assign rsa-key keyname | Required. If you issue this command multiple times, the last command overrides the previous ones |
Note: For general configuration commands, refer to Table 14.
Configuring a 3Com Switch as an SSH Client
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
■ First-time authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can continue accessing the server, and will save the host public key on the client for use in subsequent authentications.
■ When first-time authentication is not supported, a client, if not configured with the server host public key, will be denied access to the server. To access the server, a user must configure in advance the server host public key locally and specify the public key name for authentication.
Configuration Procedure
As shown in Table 18, you need to configure the server public key to the client in
the case that the SSH client does not support first-time authentication.
1 Manually configure the RSA public key
■ On the SSH server, use the display rsa local-key-pair public command to
display the RSA public key.
■ Manually copy the public key to the SSH client. Thus, the SSH client has the
same public key as the SSH server, and can authenticate the SSH server using
the public key when establishing a connection with the SSH server.
Table 18 Configure the switch as an SSH client
| Role | Common configuration | First-time authentication support | Public key configuration | Access the SSH server | Remarks |
|---|---|---|---|---|---|
| SSH Client | Refer to “Common configuration” on page 67. | Yes | -- | Establish a connection between the SSH client and the SSH server | Refer to “Enabling first-time authentication” on page 67. |
| | | No | Configure a public key manually: copy the server public key from the public key file to the SSH client. Specify the host public key of the SSH server to be connected | Establish a connection between the SSH client and the SSH server | Refer to “Disabling first-time authentication and manually configuring the server public key” on page 68. |
Configuration Commands
Common configuration
Table 19 Common configuration
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Specify a source IP address for the SSH client | ssh2 source-ip ip-address | Optional |
| Specify a source interface for the SSH client | ssh2 source-interface interface-type interface-number | Optional |
Enabling first-time authentication
Table 20 Enable first-time authentication
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable first-time authentication | ssh client first-time enable | Optional. Enabled by default |
| Establish a connection with the SSH server | ssh2 { host-ip \| host-name } [ port-num ] [ prefer_kex { dh_group1 \| dh_exchange_group } \| prefer_ctos_cipher { des \| aes128 } \| prefer_stoc_cipher { des \| aes128 } \| prefer_ctos_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } \| prefer_stoc_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } ] * | Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client. |
Disabling first-time authentication and manually configuring the server public key
Table 21 Disable first-time authentication and manually configure the server public key
Operation Command Description
Enter system view system-view --
Disable first-time
authentication
undo ssh client first-time Required
Enabled by default
Enter public key view rsa peer-public-key keyname Required
Enter public key edit view public-key-code begin -
Configure server public
key
Enter the content of the public
key
When you input the key data,
spaces are allowed between
the characters you input
(because the system can
remove the spaces
automatically); you can also
press <Enter> to continue
your input at the next line.
But the key you input should
be a hexadecimal digit string
coded in the public key
format.
Return to public key view
from public key edit view
public-key-code end When you exit public key
code view, the system
automatically saves the public
key
Exit public key view and
return to system view
peer-public-key end -
Specify the host key name
of the server
ssh client { server-ip |
server-name } assign rsa-key
keyname
Optional
Required when the SSH client
does not support first-time
authentication
You need to copy the server
public key to the SSH client
before performing this
configuration.
Table 20 Enable first-time authentication
Operation Command Description
SSH Configuration Example 69
SSH Configuration
Example
n
The Switch 5500 software version in this configuration example is Release 1510.
When the Switch Acts as
the SSH Server and the
Authentication Type is
Password
Network requirements
As shown in Figure 35, establish an SSH connection between the host (SSH Client)
and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client
software. Password authentication is required.
Network diagram
Figure 35 Network diagram of SSH server configuration using password authentication

Configuration procedure
1 Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
Start the client to establish
a connection with an SSH
server
ssh2 { host-ip | host-name }
[ port-num ] [ prefer_kex
{ dh_group1 |
dh_exchange_group } |
prefer_ctos_cipher { des |
aes128 } | prefer_stoc_cipher
{ des | aes128 } |
prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } |
prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] *
Required
In this command, you can
also specify the preferred key
exchange algorithm,
encryption algorithms and
HMAC algorithms between
the server and client.
Table 21 Disable first-time authentication and manually configure the server public key
Operation Command Description
Switch
SSH client
192. 168.0.2/ 24
VLAN- interface 1
192. 168. 0. 1/ 24
70 CHAPTER 4: SSH CONFIGURATION EXAMPLE
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
# Create local client “client001”, and set the authentication password to “abc”,
protocol type to SSH, and command privilege level to 3 for the client.
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit
# Specify the authentication method of user client001 as password.
[3Com] ssh user client001 authentication-type password
2 Configure the SSH client
# Configure an IP address (192.168.0.2 in this case) for the SSH client. This IP
address and that of the VLAN interface on the switch must be in the same
network segment.
# Configure the SSH client software to establish a connection to the SSH server.
Take the SSH client software “PuTTY” (version 0.58) as an example:
■ Run PuTTY.exe to enter the following configuration interface.
Figure 36 SSH client configuration interface
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
■ From the category on the left pane of the window, select SSH under
Connection. The window as shown in Figure 37 appears.
Figure 37 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
■ As shown in Figure 38, click Open to enter the following interface. If the
connection is normal, you will be prompted to enter the user name
“client001” and password “abc”. Once authentication succeeds, you will log
onto the server.
Figure 38 SSH client interface
When the Switch Acts as an SSH Server and the Authentication Type is RSA
Network requirements
As shown in Figure 39, establish an SSH connection between the host (SSH client)
and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client
software. RSA authentication is required.
Network diagram
Figure 39 Network diagram of SSH server configuration
[Diagram: SSH client (192.168.0.2/24) connected to VLAN-interface 1 (192.168.0.1/24) of the Switch]
Configuration procedure
1 Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the client’s command privilege level to 3
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit
# Configure the authentication type of the SSH client named client001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before performing the following steps, you must generate an RSA key pair
(using the client software) on the client, save the public key in a file named public,
and then upload the file to the SSH server through FTP or TFTP. For details, refer to
“Configuring an SSH Client” on page 62.
# Import the client’s public key named “Switch001” from file “public”.
[3Com] rsa peer-public-key Switch001 import sshkey public
# Assign the public key “Switch001” to client “client001”.
[3Com] ssh user client001 assign rsa-key Switch001
2 Configure the SSH client
# Generate an RSA key pair, taking PuTTYGen as an example.
■ Run PuTTYGen.exe, choose SSH2(RSA) and click Generate.
Figure 40 Generate a client key pair (1)
Note: While generating the key pair, you must move the mouse continuously and keep
the mouse off the green progress bar shown in Figure 40. Otherwise, the progress
bar stops moving and the key pair generating process is stopped.
Figure 41 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the
file for saving the public key (“public” in this case).
Figure 42 Generate a client key pair (3)
Likewise, to save the private key, click Save private key. A warning window pops
up to prompt you whether to save the private key without any protection. Click
Yes and enter the name of the file for saving the private key (“private.ppk” in this
case).
Figure 43 Generate a client key pair (4)
Note: After the key pair is generated, you need to upload the public key file to the
server through FTP or TFTP, and complete the server end configuration before you
continue to configure the client.
# Establish a connection with the SSH server.
The following takes the SSH client software PuTTY (version 0.58) as an example.
■ Launch PuTTY.exe to enter the following interface.
Figure 44 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server.
■ From the category on the left pane of the window, select SSH under
Connection. The window as shown in Figure 45 appears.
Figure 45 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
■ Select Connection/SSH/Auth. The following window appears.
Figure 46 SSH client configuration interface (2)
Click Browse... to bring up the file selection window, navigate to the private key
file and click OK.
■ From the window shown in Figure 46, click Open. The following SSH client
interface appears. If the connection is normal, you will be prompted to enter
the username and password, as shown in Figure 47.
Figure 47 SSH client interface
When the Switch Acts as an SSH Client and the Authentication Type is Password
Network requirements
As shown in Figure 48, establish an SSH connection between Switch A (SSH
Client) and Switch B (SSH Server) for secure data exchange. The user name for
login is client001 and the SSH server’s IP address is 10.165.87.136. Password
authentication is required.
Network diagram
Figure 48 Network diagram of SSH client configuration when using password authentication
[Diagram: Switch A (SSH client, VLAN-interface 1, 10.165.87.137/24) connected to Switch B (SSH server, VLAN-interface 1, 10.165.87.136/24)]
Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
# Create local user “client001”, and set the authentication password to abc, the
login protocol to SSH, and user command privilege level to 3.
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit
# Configure the authentication type of user client001 as password.
[3Com] ssh user client001 authentication-type password
2 Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Establish a connection to the server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server’s public key?(Y/N):n
Enter password:
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>
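The session above accepts a server key that has not been authenticated and declines to save it, and the ssh2 command offers des, md5 and dh_group1 among its algorithm choices. The following added example (not part of the 3Com guide) scans a captured CLI session for those choices; the session text is constructed from this chapter's commands plus one constructed ssh2 line, and the WEAK and PREFERRED tables and all function names are assumptions of this example.

```python
import re

# Values the ssh2 command accepts, copied from this chapter's command tables.
SSH2_OPTIONS = {
    "prefer_kex": ("dh_group1", "dh_exchange_group"),
    "prefer_ctos_cipher": ("des", "aes128"),
    "prefer_stoc_cipher": ("des", "aes128"),
    "prefer_ctos_hmac": ("sha1", "sha1_96", "md5", "md5_96"),
    "prefer_stoc_hmac": ("sha1", "sha1_96", "md5", "md5_96"),
}
# Assumption of this example: the documented values it reports, and why.
WEAK = {
    "des": "DES uses a 56-bit key",
    "md5": "HMAC built on MD5",
    "md5_96": "HMAC built on MD5",
    "dh_group1": "fixed 1024-bit Diffie-Hellman group",
}
# Assumption of this example: the value it prefers for each option.
PREFERRED = {
    "prefer_kex": "dh_exchange_group",
    "prefer_ctos_cipher": "aes128",
    "prefer_stoc_cipher": "aes128",
    "prefer_ctos_hmac": "sha1",
    "prefer_stoc_hmac": "sha1",
}
# A CLI prompt such as "<3Com>" or "[3Com-ui-vty0-4]" followed by the command.
PROMPT = re.compile(r"^(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")

# Constructed sample session (commands and prompts follow this chapter).
SAMPLE_SESSION = """\
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] quit
[3Com] ssh2 10.165.87.136 22 prefer_kex dh_group1 prefer_ctos_cipher des prefer_stoc_cipher aes128 prefer_stoc_hmac md5_96
Username: client001
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
"""


def check_ssh2(args):
    """Check ssh2 arguments (host first) against the documented syntax."""
    findings = []
    i = 2 if len(args) > 1 and args[1].isdigit() else 1   # skip optional port
    while i < len(args):
        option = args[i]
        allowed = SSH2_OPTIONS.get(option)
        if allowed is None:
            findings.append(f"unknown ssh2 option {option!r}")
            i += 1
            continue
        value = args[i + 1] if i + 1 < len(args) else None
        if value not in allowed:
            findings.append(f"{option}: {value!r} is not one of {list(allowed)}")
        elif value in WEAK:
            findings.append(f"{option} {value}: {WEAK[value]}")
        i += 2
    return findings


def explicit_ssh2(host):
    """Build an ssh2 command that states the preferred value of every option."""
    parts = ["ssh2", host]
    for option in SSH2_OPTIONS:
        parts += [option, PREFERRED[option]]
    return " ".join(parts)


def audit_session(transcript):
    """Return (line number, finding) pairs for a captured CLI session."""
    findings = []
    for number, raw in enumerate(transcript.splitlines(), start=1):
        line = raw.strip()
        match = PROMPT.match(line)
        words = match.group(1).split() if match else []
        if words[:1] == ["ssh2"] and len(words) > 1:
            findings += [(number, f) for f in check_ssh2(words[1:])]
        elif words[:2] == ["password", "simple"]:
            findings.append((number, "password entered in simple (plain-text) form"))
        elif line.startswith("The Server is not authenticated") and line.lower().endswith(":y"):
            findings.append((number, "unauthenticated server key accepted at the prompt"))
        elif line.startswith("Do you want to save the server") and line.lower().endswith(":n"):
            findings.append((number, "server public key not saved for later comparison"))
    return findings


if __name__ == "__main__":
    for number, finding in audit_session(SAMPLE_SESSION):
        print(f"line {number}: {finding}")
    print("explicit form:", explicit_ssh2("10.165.87.136"))
```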
When the Switch Acts as an SSH Client and the Authentication Type is RSA
Network requirements
As shown in Figure 49, establish an SSH connection between Switch A (SSH
Client) and Switch B (SSH Server) for secure data exchange. The user name is
client001 and the SSH server’s IP address is 10.165.87.136. RSA authentication is
required.
Network diagram
Figure 49 Network diagram of SSH client configuration when using publickey authentication
[Diagram: Switch A (SSH client, VLAN-interface 1, 10.165.87.137/24) connected to Switch B (SSH server, VLAN-interface 1, 10.165.87.136/24)]
Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pair.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit
# Specify the authentication type of user client001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before proceeding with the following steps, you need to generate an RSA key pair
on the client, and manually configure the RSA public key for the SSH server. For
detailed information, refer to “Configuring an SSH Client” on page 62.
# Configure the public key of the SSH client on the SSH server, and specify the
public key name as Switch001.
[3Com] rsa peer-public-key Switch001
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240
[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Assign the public key Switch001 to user client001.
[3Com] ssh user client001 assign rsa-key Switch001
2 Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate an RSA key pair.
[3Com] rsa local-key-pair create
# Display the RSA public key on the client.
<3Com> display rsa local-key-pair public
=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>
Note: After generating an RSA key pair on the client, you need to configure the RSA
public key for the SSH server and finish the SSH server configuration before
continuing to configure the SSH client.
# Establish an SSH connection to the server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server’s public key?(Y/N):n
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>
When the Switch Acts as an SSH Client and First-time authentication is not Supported
Network requirements
As shown in Figure 50, establish an SSH connection between Switch A (SSH
Client) and Switch B (SSH Server) for secure data exchange. The user name is
client001 and the SSH server’s IP address is 10.165.87.136. The RSA
authentication mode is used to enhance security.
Network diagram
Figure 50 Network diagram of SSH client configuration
[Diagram: Switch A (SSH client, VLAN-interface 1, 10.165.87.137/24) connected to Switch B (SSH server, VLAN-interface 1, 10.165.87.136/24)]
Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as
the destination of the client.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set AAA authentication on user interfaces.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit
# Specify the authentication type for user client001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before proceeding with the following steps, you need to generate an RSA key pair
on the client, and manually configure the RSA public key for the SSH server. For
detailed information, refer to “Configuring an SSH Client” on page 62.
# Configure the public key of the SSH client on the SSH server, and specify the
public key name as Switch001
[3Com] rsa peer-public-key Switch001
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240
[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Assign public key Switch001 to user client001
[3Com] ssh user client001 assign rsa-key Switch001
Note: If first-time authentication is disabled on the device, it is necessary to configure on
the SSH client the RSA public key of the SSH server.
# Display the RSA public key on the server.
[3Com] display rsa local-key-pair public
=====================================================
Time of Key pair created: 09:04:41 2000/04/04
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
C289B7DD 2BE0F7AD
0203
010001
<Omitted>
2 Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate an RSA key pair.
[3Com] rsa local-key-pair create
# Export the generated RSA key pair to a file named Switch001.
<3Com> display rsa local-key-pair public
=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>
Note: After the SSH client generates an RSA key pair, it is necessary to configure the RSA
public key for the SSH server and finish the SSH server configuration before
continuing to configure the SSH client.
# Disable first-time authentication on the device.
[3Com] undo ssh client first-time
Note: If first-time authentication is disabled on the device, it is necessary to configure on
the SSH client the RSA public key of the SSH server.
# Configure the public key of the SSH server on the SSH client, and specify the
public key name as Switch002.
[3Com] rsa peer-public-key Switch002
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 308188
[3Com-rsa-key-code] 028180
[3Com-rsa-key-code] C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
[3Com-rsa-key-code] FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
[3Com-rsa-key-code] E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
[3Com-rsa-key-code] 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
[3Com-rsa-key-code] 024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
[3Com-rsa-key-code] BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
[3Com-rsa-key-code] C289B7DD 2BE0F7AD
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Specify the host public key pair name of the server.
[3Com] ssh client 10.165.87.136 assign rsa-key Switch002
# Establish the SSH connection to server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>
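With first-time authentication disabled, the connection above depends on the server key code having been copied to the client digit for digit. The following added example (not part of the 3Com guide) decodes the key codes printed on this page as an ASN.1 SEQUENCE of modulus and public exponent, compares the displayed copy with the copy entered in key code view, and reports the modulus size. The function names and the 2048-bit default threshold are assumptions of this example.

```python
import hashlib
import re

# Server key code as shown by "display rsa local-key-pair public" above.
SERVER_KEY = """\
308188
028180
C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
C289B7DD 2BE0F7AD
0203
010001
"""
# Client key code (key Switch001) as shown in the same example.
CLIENT_KEY = """\
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
"""
# The server key as typed on the client, rebuilt here by prefixing each line
# with the key code view prompt that appears in the session.
ENTERED_ON_CLIENT = "\n".join(
    "[3Com-rsa-key-code] " + line for line in SERVER_KEY.splitlines())


def key_code_bytes(text):
    """Turn pasted key code (display output or session capture) into bytes."""
    digits = []
    for line in text.splitlines():
        line = re.sub(r"^\s*\[[^\]]*\]", "", line)   # drop a leading prompt
        line = "".join(line.split())                  # spaces are not significant
        if line and not re.fullmatch(r"[0-9A-Fa-f]+", line):
            raise ValueError(f"not hexadecimal: {line!r}")
        digits.append(line)
    joined = "".join(digits)
    if not joined or len(joined) % 2:
        raise ValueError("empty key code or odd number of hex digits")
    return bytes.fromhex(joined)


def read_tlv(buf, pos, tag):
    """Read one ASN.1 tag-length-value item; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form, e.g. 81 88
        count = length & 0x7F
        if not 1 <= count <= 2 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode SEQUENCE { INTEGER modulus, INTEGER exponent } from a key code."""
    raw = key_code_bytes(text)
    body, end = read_tlv(raw, 0, 0x30)
    if end != len(raw):
        raise ValueError("extra data after the key")
    modulus, pos = read_tlv(body, 0, 0x02)
    exponent, pos = read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("extra data inside the key")
    # Read as unsigned: the listings carry no leading 00 byte before a modulus
    # whose top bit is set, which a strict DER reader would take as negative.
    n = int.from_bytes(modulus, "big")
    return {"bits": n.bit_length(), "modulus": n,
            "exponent": int.from_bytes(exponent, "big"),
            "sha256": hashlib.sha256(raw).hexdigest()}


def compare_key_codes(displayed, entered, min_bits=2048):
    """Return a list of problems; an empty list means same key, size accepted."""
    problems = []
    shown, typed = parse_key_code(displayed), parse_key_code(entered)
    if shown["sha256"] != typed["sha256"]:
        problems.append("entered key differs from the displayed key")
    if shown["bits"] < min_bits:
        problems.append(f"modulus is {shown['bits']} bits, below {min_bits}")
    return problems


if __name__ == "__main__":
    print(parse_key_code(SERVER_KEY)["bits"], parse_key_code(CLIENT_KEY)["bits"])
    print(compare_key_codes(SERVER_KEY, ENTERED_ON_CLIENT))
```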
5 ROUTING OVERVIEW
Overview
Static Routing and Routing Protocols
Static routing
Static routing has zero overhead, is simple to configure, and is applicable to
simple and stable networks. But it requires human intervention when the network
topology changes.
RIP
RIP is easy to configure and places low demands on CPU and memory, so it is applicable to
small and medium sized networks. However, it converges slowly and cannot
eliminate route loops completely. In addition, periodic RIP update multicasts or
broadcasts consume considerable network resources.
OSPF
OSPF is complicated to configure and requires high-performance CPU and
memory. It is applicable to medium and large sized networks. OSPF converges fast
and can eliminate route loops completely. It supports area partition and provides
hierarchical route management.
BGP
BGP runs between ASs. Although complicated to configure, BGP features high
reliability, stability, and scalability, has flexible and powerful routing policies and
eliminates route loops completely.
Routing Protocols Supported by the 3Com Stackable Switches

Table 22 Routing protocols supported by the 3Com stackable switches

| Model\Routing Protocols | RIP | OSPF | BGP |
|---|---|---|---|
| Switch 4500 | √ | - | - |
| Switch 5500 | √ | √ | - |
| Switch 5500Gs | √ | √ | √ |

Configuration Example

Note:
■ This configuration example uses the Switch 5500G.
■ For configuration precautions, see the configuration guide and command
reference guide of the applicable switch.
Configuration Task List

Table 23 Configuration task list

| Task | Details |
|---|---|
| Static route configuration | “Static Route Configuration” on page 88 |
| RIP configuration | “RIP Configuration” on page 88 |
| OSPF configuration | “OSPF Configuration” on page 93 |
| BGP configuration | “BGP Configuration” on page 101 |

Static Route Configuration

Table 24 Configure a static route

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure a static route | ip route-static ip-address { mask \| mask-length } { interface-type interface-number \| next-hop } [ preference preference-value ] [ reject \| blackhole ] [ detect-group group number ] [ description text ] | Required. By default, the system can obtain the route to the subnet directly connected to the router. |

RIP Configuration

Table 25 RIP configuration tasks

| Configuration task | | Remarks | Related section |
|---|---|---|---|
| Configuring basic RIP functions | Enabling RIP | Required | “Configuring Basic RIP Functions” on page 89 |
| | Setting the RIP operating status on an interface | Optional | “Setting the RIP operating status on an interface” on page 90 |
| | Specifying a RIP version | Optional | “Specifying the RIP version on an interface” on page 90 |
| Configuring RIP route control | Setting the additional routing metrics of an interface | Optional | “Setting the additional routing metrics of an interface” on page 90 |
| | Configuring RIP route summarization | Optional | “Configuring RIP route summarization” on page 91 |
| | Disabling the receiving of host routes | Optional | “Disabling the router from receiving host routes” on page 91 |
| | Configuring RIP to filter incoming/outgoing routes | Optional | “Configuring RIP to filter incoming/outgoing routes” on page 91 |
| | Setting RIP preference | Optional | “Setting RIP preference” on page 91 |
| | Enabling load sharing among interfaces | Optional | “Enabling load sharing among RIP interfaces” on page 92 |
| | Configuring RIP to import routes from another protocol | Optional | “Configuring RIP to redistribute routes from another protocol” on page 92 |
| Adjusting and optimizing a RIP network | Configuring RIP timers | Optional | “Configuring RIP timers” on page 92 |
| | Configuring split horizon | Optional | “Configuring split horizon” on page 92 |
| | Configuring RIP-1 packet zero field check | Optional | “Configuring RIP-1 packet zero field check” on page 92 |
| | Setting RIP-2 packet authentication mode | Optional | “Setting RIP-2 packet authentication mode” on page 93 |
| | Configuring RIP to unicast packets | Optional | “Configuring RIP to unicast RIP packets” on page 93 |

Configuring Basic RIP Functions

Table 26 Enable RIP on the interfaces attached to a specified network segment

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable RIP and enter RIP view | rip | Required |
| Enable RIP on the specified interface | network network-address | Required. Disabled by default. |

Setting the RIP operating status on an interface

Table 27 Set the RIP operating status on an interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Enable the interface to receive RIP update packets | rip input | Optional. By default, all interfaces are allowed to send and receive RIP update packets. |
| Enable the interface to send RIP update packets | rip output | |
| Enable the interface to receive and send RIP update packets | rip work | |

Specifying the RIP version on an interface

Table 28 Specify the RIP version on an interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Specify the version of the RIP running on the interface | rip version { 1 \| 2 [ broadcast \| multicast ] } | Optional. By default, the version of the RIP running on an interface is RIP-1. |

Setting the additional routing metrics of an interface
Additional metric is the metric added to the original metrics of RIP routes on an
interface. It does not directly change the metric value of a RIP route in the routing
table of a router, but will be added to incoming or outgoing RIP routes on the
interface.

Table 29 Set additional routing metric

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Set the additional routing metric to be added for incoming RIP routes on this interface | rip metricin value | Optional. By default, the additional routing metric added for incoming routes on an interface is 0. |
| Set the additional routing metric to be added for outgoing RIP routes on this interface | rip metricout value | Optional. By default, the additional routing metric added for outgoing routes on an interface is 1. |

Configuring RIP route summarization

Table 30 Configure RIP route summarization

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Enable RIP-2 automatic route summarization | summary | Required. By default, RIP-2 automatic route summarization is enabled. |

Disabling the router from receiving host routes

Table 31 Disable the router from receiving host routes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Disable the router from receiving host routes | undo host-route | Required. By default, the router receives host routes. |

Configuring RIP to filter incoming/outgoing routes

Table 32 Configure RIP to filter incoming/outgoing routes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Configure RIP to filter incoming routes | filter-policy { acl-number \| ip-prefix ip-prefix-name [ gateway ip-prefix-name ] \| route-policy route-policy-name } import | Required. By default, RIP does not filter any incoming route. The gateway keyword is used to filter the incoming routes advertised from a specified address. |
| | filter-policy gateway ip-prefix-name import | |
| Configure RIP to filter outgoing routes | filter-policy { acl-number \| ip-prefix ip-prefix-name } export [ protocol ] [ process-id ] | Required. By default, RIP does not filter any outgoing route. |
| | filter-policy route-policy route-policy-name export | |

Setting RIP preference

Table 33 Set RIP preference

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Set the RIP preference | preference value | Required. The default RIP preference is 100. |

Enabling load sharing among RIP interfaces
Configuring RIP to redistribute routes from another protocol
Configuring RIP timers
Configuring split horizon
Configuring RIP-1 packet zero field check
Table 34 Enable load sharing among RIP interfaces
Operation Command Remarks
Enter system view system-view -
Enter RIP view rip -
Enable load sharing among
RIP interfaces
traffic-share-across-interfac
e
Required
By default, load sharing
among RIP interfaces is
disabled
Table 35 Configure RIP to import routes from another protocol
Operation Command Remarks
Enter system view system-view -
Enter RIP view rip -
Configure a default cost for
an incoming route
default cost value Optional
1 by default.
Configure RIP to redistribute
routes from another protocol
import-route protocol
[ process-id ] [ cost value |
route-policy
route-policy-name ]*
Required
By default, RIP does
redistribute any route from
other protocols.
Table 36 Configure RIP timers
Operation Command Remarks
Enter system view system-view -
Enter RIP view rip -
Set the RIP timers timers { update update-timer
| timeout timeout-timer } *
Required
By default, the Update timer is set
30 seconds and the Timeout timer
to 180 seconds.
Table 37 Configure split horizon
Operation Command Remarks
Enter system view system-view -
Enter interface view interface interface-type
interface-number
-
Enable split horizon rip split-horizon Required
Enabled by default.
Table 38 Configure RIP-1 packet zero field check

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Enable the check of the “must be zero” field in RIP-1 packets | checkzero | Required. Enabled by default. |

Setting RIP-2 packet authentication mode

Table 39 Set RIP-2 packet authentication mode

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Set RIP-2 packet authentication mode | rip authentication-mode { simple password \| md5 { rfc2453 key-string \| rfc2082 key-string key-id } } | Required. If you specify to use MD5 authentication, you must specify one of the following MD5 authentication types: rfc2453 (this type supports the packet format defined in RFC 2453); rfc2082 (this type supports the packet format defined in RFC 2082). |

Configuring RIP to unicast RIP packets

Table 40 Configure RIP to unicast RIP packets

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter RIP view | rip | - |
| Configure RIP to unicast RIP packets | peer ip-address | Required. When RIP runs on the link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets. |

OSPF Configuration
Table 41 OSPF configuration tasks

| Configuration task | Remarks | Related section |
|---|---|---|
| Basic OSPF configuration | Required | “Basic OSPF configuration” on page 95 |
| OSPF area attribute configuration | Optional | “Configuring OSPF Area Attributes” on page 95 |
| OSPF network type configuration: Configuring the network type of an OSPF interface | Optional | “Configuring the Network Type of an OSPF Interface” on page 96 |
| OSPF network type configuration: Configuring an NBMA/P2MP neighbor | Optional | “Configuring an NBMA/P2MP Neighbor” on page 96 |
| OSPF network type configuration: Configuring the DR priority on an OSPF interface | Optional | “Configuring the DR Priority on an OSPF Interface” on page 97 |
| OSPF route control: Configuring OSPF route summarization | Optional | “Configuring OSPF Route Summarization” on page 97 |
| OSPF route control: Configuring OSPF to filter received routes | Optional | “Configuring OSPF to Filter Received Routes” on page 97 |
| OSPF route control: Configuring OSPF interface cost | Optional | “Configuring the OSPF Cost on an Interface” on page 98 |
| OSPF route control: Configuring OSPF route priority | Optional | “Configuring OSPF Route Priority” on page 98 |
| OSPF route control: Configuring the maximum number of OSPF ECMP routes | Optional | “Configuring the Maximum Number of OSPF ECMP Routes” on page 98 |
| OSPF route control: Configuring OSPF to redistribute external routes | Optional | “Configuring OSPF to Redistribute External Routes” on page 98 |
| OSPF network adjustment and optimization: Configuring OSPF timers | Optional | “Configuring OSPF Timers” on page 99 |
| OSPF network adjustment and optimization: Configuring the LSA transmission delay | Optional | “Configure the LSA transmission delay” on page 99 |
| OSPF network adjustment and optimization: Configuring the SPF calculation interval | Optional | “Configuring the SPF Calculation Interval” on page 100 |
| OSPF network adjustment and optimization: Disabling OSPF packet transmission on an interface | Optional | “Disabling OSPF Packet Transmission on an Interface” on page 100 |
| OSPF network adjustment and optimization: Configuring OSPF authentication | Optional | “Configuring OSPF Authentication” on page 100 |
| OSPF network adjustment and optimization: Configuring the MTU field in DD packets | Optional | “Configuring the MTU Field in DD Packets” on page 101 |
| OSPF network adjustment and optimization: Enabling OSPF logging of neighbor state changes | Optional | “Enabling OSPF Logging of Neighbor State Changes” on page 101 |
| OSPF network adjustment and optimization: Configuring OSPF network management | Optional | “Configuring OSPF Network Management” on page 101 |

Basic OSPF configuration

Table 42 Basic OSPF configuration

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure the router ID | router id router-id | Optional. If multiple OSPF processes run on a router, you are recommended to use the router-id keyword in the ospf command to specify different router IDs for different processes. |
| Enable OSPF and enter OSPF view | ospf [ process-id [ router-id router-id ] ] | Required. Enter OSPF view. |
| Enter OSPF area view | area area-id | - |
| Configure the network segments in the area | network ip-address wildcard-mask | Required. By default, an interface does not belong to any area. |

Configuring OSPF Area Attributes
Table 43 Configure OSPF area attributes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Enter OSPF area view | area area-id | - |
| Configure the current area to be a stub area | stub [ no-summary ] | Optional. By default, no area is configured as a stub area. |
| Configure the current area to be an NSSA area | nssa [ default-route-advertise \| no-import-route \| no-summary ] * | Optional. By default, no area is configured as an NSSA area. |
| Configure the cost of the default route transmitted by OSPF to a stub or NSSA area | default-cost cost | Optional. This can be configured on an ABR only. By default, the cost of the default route to a stub or NSSA area is 1. |
| Create and configure a virtual link | vlink-peer router-id [ hello seconds \| retransmit seconds \| trans-delay seconds \| dead seconds \| simple password \| md5 keyid key ] * | Optional. For a virtual link to take effect, you need to use this command at both ends of the virtual link and ensure consistent configurations of the hello, dead, and other parameters at both ends. |

Configuring the Network Type of an OSPF Interface

Table 44 Configure the network type of an OSPF interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the network type of the OSPF interface | ospf network-type { broadcast \| nbma \| p2mp [ unicast ] \| p2p } | Optional. By default, the network type of an interface depends on the physical interface. |

Configuring an NBMA/P2MP Neighbor

Table 45 Configure NBMA/P2MP neighbor

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | Required |
| Configure an NBMA/P2MP neighbor | peer ip-address [ dr-priority dr-priority ] | Required. By default, the priority for the neighbor of an NBMA interface is 1. |
Configuring the DR Priority on an OSPF Interface

Table 46 Configure the DR priority on an OSPF interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the DR priority on the OSPF interface | ospf dr-priority priority | Optional. The default DR priority is 1. |

Configuring OSPF Route Summarization

Table 47 Configure ABR route summarization

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Enter area view | area area-id | - |
| Enable ABR route summarization | abr-summary ip-address mask [ advertise \| not-advertise ] | Required. This command takes effect only when it is configured on an ABR. By default, this function is disabled on an ABR. |

Table 48 Configure ASBR route summarization

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Enable ASBR route summarization | asbr-summary ip-address mask [ not-advertise \| tag value ] | Required. This command takes effect only when it is configured on an ASBR. By default, summarization of imported routes is disabled. |

Configuring OSPF to Filter Received Routes

Table 49 Configure OSPF to filter received routes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Configure to filter the received routes | filter-policy { acl-number \| ip-prefix ip-prefix-name \| gateway ip-prefix-name } import | Required. By default, OSPF does not filter received routing information. |
Configuring the OSPF Cost on an Interface

Table 50 Configure the OSPF cost on an interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the OSPF cost on the interface | ospf cost value | Optional. By default, the interface calculates the OSPF cost according to the current baud rate on it. For a VLAN interface on the switch, a fixed value of 10 is used. |

Configuring OSPF Route Priority

Table 51 Configure OSPF route priority

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Configure OSPF route priority | preference [ ase ] value | Optional. By default, the OSPF route priority is 10 and the priority of OSPF ASE is 150. |

Configuring the Maximum Number of OSPF ECMP Routes

Table 52 Configure the maximum number of OSPF ECMP routes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Configure the maximum number of OSPF ECMP routes | multi-path-number value | Optional. 3 by default. |

Configuring OSPF to Redistribute External Routes
Table 53 Configure OSPF to redistribute external routes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Configure OSPF to redistribute routes from another protocol | import-route protocol [ process-id ] [ cost value \| type value \| tag value \| route-policy route-policy-name ] * | Required. By default, OSPF does not import the routing information of other protocols. |
| Configure OSPF to filter outgoing routes | filter-policy { acl-number \| ip-prefix ip-prefix-name } export [ protocol ] | Optional. By default, OSPF does not filter advertised routes. |
| Enable OSPF to import the default route | default-route-advertise [ always \| cost value \| type type-value \| route-policy route-policy-name ]* | Optional. By default, OSPF does not import the default route. |
| Configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type | default { cost value \| interval seconds \| limit routes \| tag tag \| type type } * | Optional. These parameters respectively default to: Cost: 1; Interval: 1 (second); Limit: 1000; Tag: 1; Type: 2. |

Configuring OSPF Timers

Table 54 Configure OSPF timers

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the hello interval on the interface | ospf timer hello seconds | Optional. By default, p2p and broadcast interfaces send Hello packets every 10 seconds; while p2mp and NBMA interfaces send Hello packets every 30 seconds. |
| Configure the poll interval on the NBMA interface | ospf timer poll seconds | Optional. By default, poll packets are sent every 40 seconds. |
| Configure the dead time of the neighboring router on the interface | ospf timer dead seconds | Optional. By default, the dead time for the OSPF neighboring router on a p2p or broadcast interface is 40 seconds and that for the OSPF neighboring router on a p2mp or NBMA interface is 120 seconds. |
| Configure the interval for retransmitting an LSA on an interface | ospf timer retransmit interval | Optional. By default, this interval is five seconds. |

Configure the LSA transmission delay
Table 55 Configure the LSA transmission delay

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the LSA transmission delay | ospf trans-delay seconds | Optional. By default, the LSA transmission delay is one second. |

Configuring the SPF Calculation Interval

Table 56 Configure the SPF calculation interval

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Configure the SPF calculation interval | spf-schedule-interval interval | Optional. By default, the SPF calculation interval is five seconds. |

Disabling OSPF Packet Transmission on an Interface

Table 57 Disable OSPF packet transmission on an interface

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Disable OSPF packet transmission on a specified interface | silent-interface silent-interface-type silent-interface-number | Optional. By default, all the interfaces are allowed to transmit OSPF packets. |

Configuring OSPF Authentication

Table 58 Configure OSPF authentication

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Enter OSPF area view | area area-id | - |
| Configure the authentication mode of the OSPF area | authentication-mode { simple \| md5 } | Required. By default, no authentication mode is configured for an area. |
| Return to OSPF view | quit | - |
| Return to system view | quit | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure the authentication mode of the OSPF interface | ospf authentication-mode { simple password \| md5 key-id key } | Optional. By default, OSPF packets are not authenticated on an interface. |
Configuring the MTU Field in DD Packets

Table 59 Configure to fill the MTU field when an interface transmits DD packets

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet interface view | interface interface-type interface-number | Required |
| Enable the interface to fill in the MTU field when transmitting DD packets | ospf mtu-enable | Optional. By default, the MTU value is 0 when an interface transmits DD packets. That is, the actual MTU value of the interface is not filled in. |

Enabling OSPF Logging of Neighbor State Changes

Table 60 Enable OSPF logging of neighbor state changes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | - |
| Enable the OSPF logging of neighbor state changes | log-peer-change | Required. Disabled by default. |

Configuring OSPF Network Management

Table 61 Configure OSPF network management (NM)

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure OSPF MIB binding | ospf mib-binding process-id | Optional. By default, OSPF MIB is bound to the first enabled OSPF process. |
| Enable OSPF Trap sending | snmp-agent trap enable ospf [ process-id ] [ ifauthfail \| ifcfgerror \| ifrxbadpkt \| ifstatechange \| iftxretransmit \| lsdbapproachoverflow \| lsdboverflow \| maxagelsa \| nbrstatechange \| originatelsa \| vifauthfail \| vifcfgerror \| virifrxbadpkt \| virifstatechange \| viriftxretransmit \| virnbrstatechange ]* | Optional. You can configure OSPF to send diversified SNMP TRAP messages and specify a certain OSPF process to send SNMP TRAP messages by process ID. |

BGP Configuration
Table 62 BGP configuration tasks

| Configuration task | Remarks | Related section |
|---|---|---|
| Configuring Basic BGP Functions | Required | “Configuring Basic BGP Functions” on page 102 |
| Configuring the way to advertise/receive routing information: Importing routes | Optional | “Importing Routes” on page 103 |
| Configuring the way to advertise/receive routing information: Configuring route aggregation | Optional | “Configuring BGP Route Aggregation” on page 103 |
| Configuring the way to advertise/receive routing information: Enabling Default Route Advertising | Optional | “Enabling Default Route Advertising” on page 104 |
| Configuring the way to advertise/receive routing information: Configuring route reception filtering policies | Optional | “Configuring route reception filtering policies” on page 104 |
| Configuring the way to advertise/receive routing information: Configure route advertisement filtering policies | Optional | “Configure route advertisement filtering policies” on page 105 |
| Configuring the way to advertise/receive routing information: Disable BGP-IGP Route Synchronization | Optional | “Disable BGP-IGP Route Synchronization” on page 105 |
| Configuring the way to advertise/receive routing information: Configuring BGP Route Dampening | Optional | “Configuring BGP Route Dampening” on page 106 |
| Configuring BGP route attributes | Optional | “Configuring BGP Route Attributes” on page 106 |
| Adjusting and optimizing a BGP network | Optional | “Adjusting and Optimizing a BGP Network” on page 107 |
| Configure a large-scale BGP network: Configuring BGP Peer Group | Required | “Configuring BGP Peer Group” on page 108 |
| Configure a large-scale BGP network: Configuring BGP Community | Required | “Configuring BGP Community” on page 109 |
| Configure a large-scale BGP network: Configuring BGP RR | Optional | “Configuring BGP Route Reflector (RR)” on page 109 |
| Configure a large-scale BGP network: Configuring BGP Confederation | Optional | “Configuring BGP Confederation” on page 110 |

Configuring Basic BGP Functions
Table 63 Configure basic BGP functions

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable BGP and enter BGP view | bgp as-number | Required. By default, BGP is disabled. |
| Specify the AS number for the BGP peers | peer group-name as-number as-number | By default, a peer is not assigned an AS number. |
| Assign a description string for a BGP peer/a BGP peer group | peer { group-name \| ip-address } description description-text | Optional. By default, a peer/a peer group is not assigned a description string. |
| Activate a specified BGP peer | peer { group-name \| ip-address } enable | Optional. By default, a BGP peer is active. |
| Enable BGP logging | log-peer-change | Optional. By default, BGP logging is enabled. |
| Specify the source interface for route update packets | peer { group-name \| ip-address } connect-interface interface-type interface-number | Optional. By default, the source interface of the optimal route update packets is used as the source interface. |
| Allow routers that belong to non-directly connected networks to establish EBGP connections. | peer group-name ebgp-max-hop [ hop-count ] | Optional. By default, routers that belong to two non-directly connected networks cannot establish EBGP connections. You can configure the maximum hops of EBGP connection by specifying the hop-count argument. |

Importing Routes

Table 64 Import routes

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable BGP, and enter BGP view | bgp as-number | - |
| Import the default route to the BGP routing table | default-route imported | Optional. By default, BGP does not import default routes to the BGP routing table. |
| Import and advertise routing information generated by other protocols. | import-route protocol [ process-id ] [ med med-value \| route-policy route-policy-name ]* | Required. By default, BGP does not import nor advertise the routing information generated by other protocols. |
| Advertise network segment routes to BGP routing table | network network-address [ mask ] [ route-policy route-policy-name ] | Optional. By default, BGP does not advertise any network segment routes. |

Configuring BGP Route Aggregation
Table 65 Configure BGP route aggregation

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable BGP, and enter BGP view | bgp as-number | Required. By default, BGP is disabled. |
| Configure BGP route aggregation: Enable automatic route aggregation | summary | Required. By default, routes are not aggregated. |
| Configure BGP route aggregation: Enable manual route aggregation | aggregate ip-address mask [ as-set \| attribute-policy route-policy-name \| detail-suppressed \| origin-policy route-policy-name \| suppress-policy route-policy-name ]* | Required. By default, routes are not aggregated. |

Enabling Default Route Advertising

Table 66 Enable default route advertising

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Enable default route advertising | peer group-name default-route-advertise [ route-policy route-policy-name ] | Required. By default, a BGP router does not send default routes to a specified peer/peer group. |

Configuring route reception filtering policies
Table 67 Configure route reception filtering policies

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure the global route reception filtering policy | filter-policy { acl-number \| gateway ip-prefix-name \| ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import | Required. By default, the incoming routing information is not filtered. |
| Reference a routing policy to filter routes from a peer/peer group | peer { group-name \| ip-address } route-policy policy-name import | Required. By default, no route filtering policy is specified for a peer/peer group. |
| Filter the routing information from a peer/peer group: Reference an ACL to filter BGP routes from a peer/peer group | peer { group-name \| ip-address } filter-policy acl-number import | Required. By default, no ACL-based BGP route filtering policy, AS path ACL-based BGP route filtering policy, or IP prefix list-based BGP route filtering policy is configured for a peer/peer group. |
| Filter the routing information from a peer/peer group: Reference an AS path ACL to filter routes from a peer/peer group | peer { group-name \| ip-address } as-path-acl acl-number import | Required. By default, no ACL-based BGP route filtering policy, AS path ACL-based BGP route filtering policy, or IP prefix list-based BGP route filtering policy is configured for a peer/peer group. |
| Filter the routing information from a peer/peer group: Reference an IP prefix list to filter routes from a peer/peer group | peer { group-name \| ip-address } ip-prefix ip-prefix-name import | Required. By default, no ACL-based BGP route filtering policy, AS path ACL-based BGP route filtering policy, or IP prefix list-based BGP route filtering policy is configured for a peer/peer group. |

Configure route advertisement filtering policies

Table 68 Configure route advertisement filtering policies

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure the global route advertisement filtering policy | filter-policy { acl-number \| ip-prefix ip-prefix-name } export [ protocol [ process-id ] ] | Required. By default, advertised routes are not filtered. |
| Reference a routing policy to filter the routes to a peer group | peer group-name route-policy route-policy-name export | Required. By default, no route advertising policy is specified for the routes advertised to a peer group. |
| Filter the routing information to a peer group: Reference an ACL to filter BGP routes to a peer group | peer group-name filter-policy acl-number export | Required. Not configured by default. |
| Filter the routing information to a peer group: Reference an AS path ACL to filter BGP routes to a peer group | peer group-name as-path-acl acl-number export | Required. Not configured by default. |
| Filter the routing information to a peer group: Reference an IP prefix list to filter BGP routes to a peer group | peer group-name ip-prefix ip-prefix-name export | Required. Not configured by default. |

Disable BGP-IGP Route Synchronization
Table 69 Disable BGP-IGP route synchronization

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Disable BGP-IGP route synchronization | undo synchronization | Required. By default, BGP routes and IGP routes are not synchronized. |

Configuring BGP Route Dampening

Table 70 Configure BGP route dampening

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure BGP route dampening-related parameters | dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ] | Required. By default, route dampening is disabled. Other default route dampening-related parameters are as follows. half-life-reachable: 15 (in minutes); half-life-unreachable: 15 (in minutes); reuse: 750; suppress: 2000; ceiling: 16,000. |

Configuring BGP Route Attributes
Table 71 Configure BGP route attributes

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure the management preference of the exterior, interior and local routes | preference ebgp-value ibgp-value local-value | Optional. By default, the management preference of the exterior, interior and local routes is 256, 256, and 130. |
| Set the default local preference | default local-preference value | Optional. By default, the local preference defaults to 100. |
| Configure the MED attribute: Configure the default local MED value | default med med-value | Optional. By default, the med-value argument is 0. |
| Configure the MED attribute: Permit to compare the MED values of the routes coming from the neighbor routers in different ASs. | compare-different-as-med | Optional. By default, the comparison of MED values of the routes coming from the neighbor routers in different ASs is disabled. |
| Configure the local address as the next hop address when a BGP router advertises a route. | peer group-name next-hop-local | Required. In some networks, to ensure an IBGP neighbor locates the correct next hop, you can configure the next hop address of a route to be the local address for a BGP router to advertise route information to IBGP peer groups. |
| Configure the AS_Path attribute: Configure the number of local AS number occurrences allowed | peer { group-name \| ip-address } allow-as-loop [ number ] | Optional. By default, the number of local AS number occurrences allowed is 1. |
| Configure the AS_Path attribute: Assign an AS number for a peer group | peer group-name as-number as-number | Optional. By default, the local AS number is not assigned to a peer group. |
| Configure the AS_Path attribute: Configure that the BGP update packets only carry the public AS number in the AS_Path attribute when a peer sends BGP update packets to BGP peers. | peer group-name public-as-only | Optional. By default, a BGP update packet carries the private AS number. |

Adjusting and Optimizing a BGP Network
Table 72 Adjust and optimize a BGP network

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure BGP timer: Configure the Keepalive time and Holdtime of BGP. | timer keepalive keepalive-interval hold holdtime-interval | Optional. By default, the keepalive time is 60 seconds, and holdtime is 180 seconds. The priority of the timer configured by the timer command is lower than that of the timer configured by the peer timer command. |
| Configure BGP timer: Configure the Keepalive time and holdtime of a specified peer/peer group. | peer { group-name \| ip-address } timer keepalive keepalive-interval hold holdtime-interval | Optional. By default, the keepalive time is 60 seconds, and holdtime is 180 seconds. The priority of the timer configured by the timer command is lower than that of the timer configured by the peer timer command. |
| Configure the interval at which a peer group sends the same route update packet | peer group-name route-update-interval seconds | Optional. By default, the interval at which a peer group sends the same route update packet to IBGP peers is 15 seconds, and to EBGP peers is 30 seconds. |
| Configure the number of route prefixes that can be learned from a BGP peer/peer group | peer { group-name \| ip-address } route-limit prefix-number [ { alert-only \| reconnect reconnect-time } \| percentage-value ] * | Optional. By default, there is no limit on the number of route prefixes that can be learned from the BGP peer/peer group. |
| Perform soft refreshment of BGP connection manually | return | - |
| | refresh bgp { all \| ip-address \| group group-name } [ multicast ] { import \| export } | Optional |
| | system-view | Enter BGP view again |
| | bgp as-number | |
| Configure BGP to perform MD5 authentication when establishing TCP connection | peer { group-name \| ip-address } password { cipher \| simple } password | Optional. By default, BGP does not perform MD5 authentication when establishing TCP connection. |

Configuring BGP Peer Group
Table 73 Configure BGP peer group

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Create an IBGP peer group: Create an IBGP peer group | group group-name [ internal ] | Optional. If the command is executed without the internal or external keyword, an IBGP peer group will be created. You can add multiple peers to the group, and the system will automatically create a peer in BGP view, and configure its AS number as the local AS number. |
| Create an IBGP peer group: Add a peer to a peer group | peer ip-address group group-name [ as-number as-number ] | Optional. If the command is executed without the internal or external keyword, an IBGP peer group will be created. You can add multiple peers to the group, and the system will automatically create a peer in BGP view, and configure its AS number as the local AS number. |
| Create an EBGP peer group: Create an EBGP peer group | group group-name external | Optional. You can add multiple peers to the group. The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group. |
| Create an EBGP peer group: Configure the AS number of a peer group | peer group-name as-number as-number | Optional. You can add multiple peers to the group. The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group. |
| Create an EBGP peer group: Add a peer to a peer group | peer ip-address group group-name [ as-number as-number ] | Optional. You can add multiple peers to the group. The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group. |
| Create a hybrid EBGP peer group: Create an EBGP peer group | group group-name external | Optional. You can add multiple peers to the peer group. |
| Create a hybrid EBGP peer group: Add a peer to a peer group | peer ip-address group group-name [ as-number as-number ] | Optional. You can add multiple peers to the peer group. |
| Finish the session with the specified peer/peer group | peer { group-name \| ip-address } shutdown | Optional |

Configuring BGP Community

Table 74 Configure BGP community

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure the peers to advertise community attribute to each other | peer group-name advertise-community | Required. By default, no community attribute or extended community attribute is advertised to any peer group. |
| Specify routing policy for the routes exported to the peer group | peer group-name route-policy route-policy-name export | Required. By default, no routing policy is specified for the routes exported to the peer group. |

Configuring BGP Route Reflector (RR)

Table 75 Configure BGP RR

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Configure the local router as the RR and configure the peer group as the client of the RR | peer group-name reflect-client | Required. By default, no RR or its client is configured. |
| Enable route reflection between clients | reflect between-clients | Optional. By default, route reflection is enabled between clients. |
| Configure cluster ID of an RR | reflector cluster-id cluster-id | Optional. By default, an RR uses its own router ID as the cluster ID. |
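
An added example, not part of the 3Com guide: a small Python audit that reads a saved configuration and reports where the authentication commands from Tables 39, 43, 58 and 72 (RIP-2, OSPF area, interface and virtual link, BGP peer password) are missing or use the simple keyword. The configuration layout, interface names, addresses, AS numbers and keys below are constructed for illustration.

```python
import re

# Constructed sample. Assumed layout: unindented section headers with indented
# commands beneath them; interface names, addresses, AS numbers and keys are made up.
SAMPLE_CONFIG = """\
interface Vlan-interface10
 rip authentication-mode simple EXAMPLE-KEY-1
 ospf authentication-mode md5 1 EXAMPLE-KEY-2
interface Vlan-interface20
 ospf authentication-mode simple EXAMPLE-KEY-3
ospf 1
 area 0.0.0.0
  network 10.1.10.0 0.0.0.255
  authentication-mode md5
 area 0.0.0.1
  network 10.1.20.0 0.0.0.255
  vlink-peer 192.0.2.9 simple EXAMPLE-KEY-6
bgp 65001
 group transit external
 peer transit as-number 65002
 peer 198.51.100.2 group transit
 peer transit password cipher EXAMPLE-KEY-4
 group core internal
 peer 10.0.0.2 group core
 peer 10.0.0.3 group core
 peer 10.0.0.3 password simple EXAMPLE-KEY-5
"""

IFACE_AUTH = re.compile(r"^(rip|ospf) authentication-mode (simple|md5)\b")
AREA_AUTH = re.compile(r"^authentication-mode (simple|md5)\b")
VLINK_SIMPLE = re.compile(r"^vlink-peer (\S+)\b.*\bsimple\b")
PEER_GROUP = re.compile(r"^peer (\d+\.\d+\.\d+\.\d+) group (\S+)")
PEER_PASSWORD = re.compile(r"^peer (\S+) password (cipher|simple)\b")


def audit_routing_auth(config_text):
    """Return sorted (line_number, finding) tuples for weak or missing routing auth."""
    findings = []
    section, area = "", None
    area_auth = {}        # OSPF area id -> [line number, mode or None]
    peer_group = {}       # BGP peer address -> (line number, group name)
    has_password = set()  # BGP group names / peer addresses with a password

    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():           # unindented line opens a new section
            section, area = line.split()[0], None
            continue
        if section == "interface":
            m = IFACE_AUTH.match(line)
            if m and m.group(2) == "simple":
                findings.append((n, f"{m.group(1).upper()} simple authentication: "
                                    "the password crosses the link in clear text"))
        elif section == "ospf":
            if line.startswith("area "):
                area = line.split()[1]
                area_auth[area] = [n, None]
            elif area and AREA_AUTH.match(line):
                area_auth[area][1] = AREA_AUTH.match(line).group(1)
            elif VLINK_SIMPLE.match(line):
                peer = VLINK_SIMPLE.match(line).group(1)
                findings.append((n, f"OSPF virtual link to {peer} uses simple authentication"))
        elif section == "bgp":
            m = PEER_GROUP.match(line)
            if m:
                peer_group[m.group(1)] = (n, m.group(2))
            m = PEER_PASSWORD.match(line)
            if m:
                has_password.add(m.group(1))
                if m.group(2) == "simple":
                    # Assumption: 'simple' keeps the key unencrypted in the saved
                    # configuration, while 'cipher' stores it in encrypted form.
                    findings.append((n, f"BGP password for {m.group(1)} uses the simple keyword"))

    for area_id, (n, mode) in area_auth.items():
        if mode is None:
            findings.append((n, f"OSPF area {area_id} has no authentication-mode configured"))
        elif mode == "simple":
            findings.append((n, f"OSPF area {area_id} uses simple authentication"))
    # A peer counts as protected when it, or the group it belongs to, has a password.
    for addr, (n, group) in peer_group.items():
        if addr not in has_password and group not in has_password:
            findings.append((n, f"BGP peer {addr} (group {group}) has no MD5 password"))
    return sorted(findings)


if __name__ == "__main__":
    for line_number, finding in audit_routing_auth(SAMPLE_CONFIG):
        print(f"line {line_number}: {finding}")
```
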
Configuring BGP Confederation

Table 76 Configure BGP confederation

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter BGP view | bgp as-number | - |
| Basic BGP confederation configuration: Configure confederation ID | confederation id as-number | Required. By default, no confederation ID is configured and no sub-AS is configured for a confederation. |
| Basic BGP confederation configuration: Specify the sub-ASs included in a confederation | confederation peer-as as-number-list | Required. By default, no confederation ID is configured and no sub-AS is configured for a confederation. |
| Configure the compatibility of a confederation | confederation nonstandard | Optional. By default, the confederation configured is consistent with the RFC 1965. |

Route Policy Configuration

Table 77 Route Policy Configuration

| Configuration task | Remarks | Related section |
|---|---|---|
| Configure an IP-prefix list: Configuring an ip-prefix list | Optional | “Configuring an ip-prefix list” on page 110 |
| Configure an IP-prefix list: AS path list configuration | Optional | “AS path list configuration” on page 111 |
| Configure an IP-prefix list: Community list configuration | Optional | “Community list configuration” on page 111 |
| Define a routing policy: Defining a Routing Policy | Required | “Defining a Routing Policy” on page 111 |
| Define a routing policy: Define if-match clauses | Optional | “Define if-match clauses” on page 111 |
| Define a routing policy: Define apply clauses | Optional | “Define apply clauses” on page 112 |

Configuring an ip-prefix list

Table 78 Configure an IPv4 IP-prefix list

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure an IPv4 IP-prefix list | ip ip-prefix ip-prefix-name [ index index-number ] { permit \| deny } network len [ greater-equal greater-equal \| less-equal less-equal ] | Required. By default, no IP-prefix list is specified. |
AS path list configuration

Table 79 AS path list configuration

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Configure AS path list | ip as-path-acl acl-number { permit \| deny } as-regular-expression | Optional. By default, no AS path list is defined. |

Community list configuration

Table 80 Community list configuration

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Configure basic community list | ip community-list basic-comm-list-number { permit \| deny } [ aa:nn \| internet \| no-export-subconfed \| no-advertise \| no-export ]* | Optional. By default, no BGP community list is defined. |
| Configure advanced community list | ip community-list adv-comm-list-number { permit \| deny } comm-regular-expression | Optional. By default, no BGP community list is defined. |

Defining a Routing Policy

Table 81 Define a routing policy

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Define a routing policy and enter the routing policy view | route-policy route-policy-name { permit \| deny } node node-number | Required. By default, no routing policy is defined. |

Define if-match clauses
Table 82 Define if-match clauses
Operation Command Description
Enter system view system-view -
Enter the route-policy view route-policy
route-policy-name { permit |
deny } node node-number
Required
Define a rule to match AS
path of BGP routing
information
if-match as-path
as-path-number
Optional
Define a rule to match
community attributes of BGP
routing information
if-match community
{ basic-community-number
[ whole-match ] |
adv-community-number }
Optional
Define a rule to match the IP
address of routing
information
if-match { acl acl-number |
ip-prefix ip-prefix-name }
Optional
By default, no matching is
performed on the address of
routing information.
112 CHAPTER 5: ROUTING OVERVIEW
Define apply clauses
Define a rule to match the
routing cost of routing
information
if-match cost value Optional
By default, no matching is
performed on the routing cost
of routing information.
Define a rule to match the
next-hop interface of routing
information
if-match interface
interface-type
interface-number
Optional
By default, no matching is
performed on the next-hop
interface of routing
information.
Define a rule to match the
next-hop address of routing
information
if-match ip next-hop { acl
acl-number | ip-prefix
ip-prefix-name }
Optional
By default, no matching is
performed on the next-hop
address of routing
information.
Define a rule to match the tag
field of OSPF routing
information
if-match tag value Optional
By default, no matching is
performed on the tag field of
OSPF routing information.
Table 83 Define apply clauses
Operation Command Description
Enter system view system-view -
Enter the route-policy view route-policy
route-policy-name { permit |
deny } node node-number
Required
Add specified AS number for
as-path in BGP routing
information
apply as-path as-number-1
[ as-number-2 [ as-number-3
... ] ]
Optional
Configure community
attributes for BGP routing
information
apply community { none |
[ aa:nn ]
[ no-export-subconfed |
no-export | no-advertise ]*
[ additive ] }
Optional
Set next hop IP address for
routing information
apply ip next-hop ip-address Optional
Set local preference of BGP
routing information
apply local-preference
local-preference
Optional
Define an action to set the
cost of routing information
apply cost value Optional
By default, no action is
defined to set the routing cost
of routing information.
Set route cost type for routing
information
apply cost-type [ internal |
external ]
Optional
Set route source of BGP
routing information
apply origin { igp | egp
as-number | incomplete }
Optional
Define an action to set the tag
field of routing information
apply tag value Optional
By default, no action is
defined to set the tag field of
OSPF routing information.
Table 82 Define if-match clauses
Operation Command Description
Configuration Examples
Note: The following configuration examples use the Switch 5500Gs.
Static Routing Configuration Example
Network requirements
1 Requirement analysis:
A small company requires that any two nodes in its network be able to communicate
with each other. The network should be simple and stable. The customer hopes to make
the best use of the existing devices that do not support dynamic routing protocols.
Based on the customer requirements and networking environment, configure
static routes to realize network interconnection.
2 Network diagram
Figure 51 shows the network diagram.
Figure 51 Network diagram for static route configuration
Configuration procedure
Configure the switches:
# Configure static routes on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Configure static routes on Switch B.
<SwitchB> system-view
[SwitchB] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1
[SwitchB] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1
[SwitchB] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1
# Configure static routes on Switch C.
<SwitchC> system-view
[SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
Configure the hosts:
# Configure the default gateway as 1.1.5.1 on host A (omitted).
# Configure the default gateway as 1.1.4.1 on host B (omitted).
# Configure the default gateway as 1.1.1.1 on host C (omitted).
Now any two hosts or switches can communicate with each other.
RIP Configuration Examples
Network requirements
1 Requirement analysis:
A small company requires that any two nodes in its network be able to communicate
with each other. The devices can dynamically adjust to network topology changes.
Based on the customer requirements and networking environment, use RIP to
realize network interconnection.
2 Network diagram
Figure 52 shows the network diagram.
Figure 52 Network diagram for RIP configuration
Device | Interface | IP address
Switch A | Vlan-int1 | 110.11.2.1/24
Switch A | Vlan-int2 | 155.10.1.1/24
Switch B | Vlan-int1 | 110.11.2.2/24
Switch B | Vlan-int3 | 196.38.165.1/24
Switch C | Vlan-int1 | 110.11.2.3/24
Switch C | Vlan-int4 | 117.102.0.1/16
Configuration procedure
Note: Only RIP-related configurations are described below. Before performing the
following configurations, make sure that the data link layer works normally and
the IP addresses of the VLAN interfaces have been configured.
1 Configure Switch A.
# Configure RIP.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip] network 110.11.2.0
[SwitchA-rip] network 155.10.1.0
2 Configure Switch B.
# Configure RIP.
<SwitchB> system-view
[SwitchB] rip
[SwitchB-rip] network 196.38.165.0
[SwitchB-rip] network 110.11.2.0
3 Configure Switch C.
# Configure RIP.
<SwitchC> system-view
[SwitchC] rip
[SwitchC-rip] network 117.102.0.0
[SwitchC-rip] network 110.11.2.0
OSPF DR Configuration Example
Network requirements
1 Requirement analysis
Use OSPF to realize interconnection between devices in a broadcast network.
Devices with higher performance should become the DR and BDR to improve
network performance. Devices with lower performance are forbidden to take part
in DR/BDR election.
Based on the customer requirements and networking environment, assign proper
priorities to interfaces.
2 Network diagram
Figure 53 shows the network diagram.
Figure 53 Network diagram for OSPF DR selection
Configuration procedure
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] ospf dr-priority 100
[SwitchA-Vlan-interface1] quit
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[SwitchB-Vlan-interface1] ospf dr-priority 0
[SwitchB-Vlan-interface1] quit
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch C.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 1
[SwitchC-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
[SwitchC-Vlan-interface1] ospf dr-priority 2
[SwitchC-Vlan-interface1] quit
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch D.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 1
[SwitchD-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[SwitchD-Vlan-interface1] quit
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
Use the display ospf peer command to display OSPF neighbors on Switch A.
Note that Switch A has three neighbors.
Devices in Figure 53:
Device | Interface | IP address | Router ID | Interface priority
Switch A | Vlan-int1 | 196.1.1.1/24 | 1.1.1.1 | 100
Switch B | Vlan-int1 | 196.1.1.2/24 | 2.2.2.2 | 0
Switch C | Vlan-int1 | 196.1.1.3/24 | 3.3.3.3 | 2
Switch D | Vlan-int1 | 196.1.1.4/24 | 4.4.4.4 | 1
The state of each neighbor is full. This means that Switch A has formed
adjacencies with all neighbors. (Switch A and Switch C can act as the DR and BDR
only when they establish adjacencies with all the switches in the network.) Switch
A acts as the DR, while Switch C acts as the BDR. Any other neighbor is DRother
(neither DR nor BDR).
# Change the priority of Switch B to 200.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ospf dr-priority 200
Use the display ospf peer command to display OSPF neighbors on Switch A.
Note that the priority of Switch B is 200 now, but it is not the DR.
The DR will be reelected only after the current DR fails to work. Shut down Switch
A and use the display ospf peer command to display neighbors on Switch D.
Note that Switch C that used to be the BDR becomes the DR and Switch B
becomes the BDR.
If you shut down and then restart all the switches, Switch B with priority 200 will
be elected as the DR and Switch A with priority 100 will be elected as the BDR,
because such operation triggers a new round of DR/BDR election.
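The non-preemptive behaviour described above can be replayed with a small model. This is an added example, not 3Com code: a simplified DR/BDR election in which every router shares one view of the segment, fed with the priorities and router IDs of this example; `Router`, `elect` and `page_scenario` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Router:
    router_id: str
    priority: int      # value of "ospf dr-priority"; 0 means never DR or BDR
    up: bool = True


def _rank(router):
    """Higher priority wins; the higher router ID breaks a tie."""
    return (router.priority, tuple(int(p) for p in router.router_id.split(".")))


def elect(routers, dr=None, bdr=None):
    """Return (dr, bdr) for one segment, given the roles held before the event.

    Simplified model: a router that already holds a role keeps it, which is
    what makes the election non-preemptive.
    """
    eligible = {n: r for n, r in routers.items() if r.up and r.priority > 0}
    dr = dr if dr in eligible else None
    bdr = bdr if bdr in eligible else None
    while True:
        others = [n for n in eligible if n != dr]
        if bdr in others:
            new_bdr = bdr                       # the sitting BDR is kept
        else:
            new_bdr = max(others, key=lambda n: _rank(eligible[n]), default=None)
        if dr is not None or new_bdr is None:
            return dr, new_bdr
        dr, bdr = new_bdr, None                 # no DR: promote the BDR, re-elect


def page_scenario():
    """Replay the four events of the example with the page's priorities."""
    segment = {
        "SwitchA": Router("1.1.1.1", 100),
        "SwitchB": Router("2.2.2.2", 0),
        "SwitchC": Router("3.3.3.3", 2),
        "SwitchD": Router("4.4.4.4", 1),
    }
    results = {}
    dr, bdr = elect(segment)                    # all switches start together
    results["initial"] = (dr, bdr)
    segment["SwitchB"].priority = 200           # ospf dr-priority 200 on Switch B
    dr, bdr = elect(segment, dr, bdr)
    results["after priority change"] = (dr, bdr)
    segment["SwitchA"].up = False               # Switch A is shut down
    dr, bdr = elect(segment, dr, bdr)
    results["after Switch A fails"] = (dr, bdr)
    segment["SwitchA"].up = True                # every switch is restarted
    results["after full restart"] = elect(segment)
    return results


if __name__ == "__main__":
    for event, (dr, bdr) in page_scenario().items():
        print(f"{event:24} DR={dr} BDR={bdr}")
```

Because a sitting DR is never displaced, raising a priority only takes effect at the next full election; a device that must never hold the role needs priority 0, as Switch B has at the start of the example.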
OSPF Virtual Link Configuration Examples
Network requirements
1 Requirement analysis
Devices in the network run OSPF to realize interconnection. The network is split
into three areas: one backbone area and two non-backbone areas (Area 1 and
Area 2). Area 2 has no direct connection to the backbone, and it has to reach the
backbone through Area 1. The customer hopes that Area 2 can interconnect with
the other two areas.
Based on the customer requirements and networking environment, use a virtual
link to connect Area 2 to the backbone area.
2 Network diagram
Figure 54 shows the network diagram.
Figure 54 Network diagram for virtual link configuration
Configuration procedure
1 Configure OSPF basic functions
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 197.1.1.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.2] quit
# Display the OSPF routing table on Switch A
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
196.1.1.0/24 10 Stub 196.1.1.2 1.1.1.1 0.0.0.0
197.1.1.0/24 10 Net 197.1.1.1 2.2.2.2 0.0.0.1
Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0
Devices in Figure 54:
Device | Interface | IP address | Router ID
Switch A | Vlan-int1 | 196.1.1.2/24 | 1.1.1.1
Switch A | Vlan-int2 | 197.1.1.2/24 | -
Switch B | Vlan-int1 | 152.1.1.1/24 | 2.2.2.2
Switch B | Vlan-int2 | 197.1.1.1/24 | -
Note: Since Area 2 has no direct connection to Area 0, the routing table of Switch A has
no route to Area 2.
2 Configure a virtual link
# Configure Switch A.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure Switch B.
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[SwitchB-ospf-1-area-0.0.0.1] quit
# Display the OSPF routing table on Switch A.
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
196.1.1.0/24 10 Stub 196.1.1.2 1.1.1.1 0.0.0.0
197.1.1.0/24 10 Net 197.1.1.1 2.2.2.2 0.0.0.1
152.1.1.0/24 20 SNet 197.1.1.1 2.2.2.2 0.0.0.0
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
Switch A has learned the route 152.1.1.0/24 to Area2.
BGP Confederation Configuration Example
Network requirements
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases
rapidly in the AS, more network resources for BGP communication are occupied.
The customer hopes to reduce IBGP peers and decrease the CPU and network
resource consumption of BGP without affecting device performance.
Based on user requirements, configure a BGP confederation to achieve the goal.
2 Network diagram
Figure 55 shows the network diagram.
Figure 55 Network diagram for BGP AS confederation configuration
3 Configuration plan
■ Split AS 100 into three sub-ASs: AS 1001, AS 1002, and AS 1003.
■ Run EBGP between AS 1001, AS 1002, and AS 1003.
■ AS 1001, AS 1002, and AS 1003 are fully meshed within themselves by running
IBGP.
■ Run EBGP between AS 100 and AS 200.
Configuration procedure
# Configure Switch A.
<SwitchA> system-view
[SwitchA] bgp 1001
[SwitchA-bgp] network 10.1.1.0 255.255.255.0
[SwitchA-bgp] confederation id 100
[SwitchA-bgp] confederation peer-as 1002 1003
[SwitchA-bgp] group confed1002 external
[SwitchA-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchA-bgp] group confed1003 external
[SwitchA-bgp] peer 172.68.10.3 group confed1003 as-number 1003
[SwitchA-bgp] quit
Devices in Figure 55:
Device | Interface | IP address | AS
Switch A | Vlan-int 10 | 172.68.10.1/24 | 100
Switch A | Vlan-int 50 | 10.1.1.1/24 | 100
Switch B | Vlan-int 10 | 172.68.10.2/24 | 100
Switch C | Vlan-int 10 | 172.68.10.3/24 | 100
Switch C | Vlan-int 20 | 172.68.1.1/24 | 100
Switch C | Vlan-int 30 | 156.10.1.1/24 | 100
Switch D | Vlan-int 20 | 172.68.1.2/24 | 100
Switch E | Vlan-int 30 | 156.10.1.2/24 | 200
Switch E | Vlan-int 40 | 8.1.1.1/24 | 200
# Configure Switch B.
<SwitchB> system-view
[SwitchB] bgp 1002
[SwitchB-bgp] confederation id 100
[SwitchB-bgp] confederation peer-as 1001 1003
[SwitchB-bgp] group confed1001 external
[SwitchB-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchB-bgp] group confed1003 external
[SwitchB-bgp] peer 172.68.10.3 group confed1003 as-number 1003
# Configure Switch C.
<SwitchC> system-view
[SwitchC] bgp 1003
[SwitchC-bgp] confederation id 100
[SwitchC-bgp] confederation peer-as 1001 1002
[SwitchC-bgp] group confed1001 external
[SwitchC-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchC-bgp] group confed1002 external
[SwitchC-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchC-bgp] group ebgp200 external
[SwitchC-bgp] peer 156.10.1.2 group ebgp200 as-number 200
[SwitchC-bgp] group ibgp1003 internal
[SwitchC-bgp] peer 172.68.1.2 group ibgp1003
# Configure Switch D.
<SwitchD> system-view
[SwitchD] bgp 1003
[SwitchD-bgp] confederation id 100
[SwitchD-bgp] group ibgp1003 internal
[SwitchD-bgp] peer 172.68.1.1 group ibgp1003
# Configure Switch E.
<SwitchE> system-view
[SwitchE] bgp 200
[SwitchE-bgp] network 8.1.1.0 255.255.255.0
[SwitchE-bgp] group ebgp100 external
[SwitchE-bgp] peer 156.10.1.1 group ebgp100 as-number 100
[SwitchE-bgp] quit
# Display the BGP routing table on Switch E.
[SwitchE] display bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
#^ 8.1.1.0/24 0.0.0.0 0 100 IGP
#^ 10.1.1.0/24 156.10.1.1 0 100 IGP 100
Routes total: 2
# Display the BGP routing table on Switch A.
[SwitchA] display bgp routing
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
--------------------------------------------------------------------------
I 8.1.1.0/24 156.10.1.2 0 100 IGP (1003) 200
#^ 10.1.1.0/24 0.0.0.0 0 100 IGP
Routes total: 2
The above display shows that sub-AS routing information is advertised only within
the confederation. A device in an AS outside of the confederation, such as Switch
E, cannot learn the sub-AS routing information within the confederation because
it treats the confederation as a single AS.
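A consistency check for the confederation peerings above, added here as an illustration and not part of the 3Com documentation. It applies the rule the display output shows (members address each other by sub-AS number, outsiders see only the confederation ID); `parse`, `audit`, `CONFIGS` and `OWNER` are hypothetical names, and the input is the peering-related lines and addresses transcribed from this example.

```python
# Constructed input: peering-related BGP lines from the configuration procedure
# above, and interface addresses from the Figure 55 device table.
CONFIGS = {
    "SwitchA": ["bgp 1001", "confederation id 100", "confederation peer-as 1002 1003",
                "group confed1002 external", "peer 172.68.10.2 group confed1002 as-number 1002",
                "group confed1003 external", "peer 172.68.10.3 group confed1003 as-number 1003"],
    "SwitchB": ["bgp 1002", "confederation id 100", "confederation peer-as 1001 1003",
                "group confed1001 external", "peer 172.68.10.1 group confed1001 as-number 1001",
                "group confed1003 external", "peer 172.68.10.3 group confed1003 as-number 1003"],
    "SwitchC": ["bgp 1003", "confederation id 100", "confederation peer-as 1001 1002",
                "group confed1001 external", "peer 172.68.10.1 group confed1001 as-number 1001",
                "group confed1002 external", "peer 172.68.10.2 group confed1002 as-number 1002",
                "group ebgp200 external", "peer 156.10.1.2 group ebgp200 as-number 200",
                "group ibgp1003 internal", "peer 172.68.1.2 group ibgp1003"],
    "SwitchD": ["bgp 1003", "confederation id 100",
                "group ibgp1003 internal", "peer 172.68.1.1 group ibgp1003"],
    "SwitchE": ["bgp 200", "group ebgp100 external",
                "peer 156.10.1.1 group ebgp100 as-number 100"],
}
OWNER = {"172.68.10.1": "SwitchA", "172.68.10.2": "SwitchB", "172.68.10.3": "SwitchC",
         "172.68.1.1": "SwitchC", "156.10.1.1": "SwitchC", "172.68.1.2": "SwitchD",
         "156.10.1.2": "SwitchE"}


def parse(lines):
    """Collect the AS, confederation settings, groups and peers of one switch."""
    cfg = {"as": None, "confed_id": None, "peer_as": set(), "groups": {}, "peers": []}
    for line in lines:
        t = line.split()
        if t[:1] == ["bgp"]:
            cfg["as"] = int(t[1])
        elif t[:2] == ["confederation", "id"]:
            cfg["confed_id"] = int(t[2])
        elif t[:2] == ["confederation", "peer-as"]:
            cfg["peer_as"].update(int(n) for n in t[2:])
        elif t[:1] == ["group"]:
            cfg["groups"][t[1]] = t[2]
        elif t[:1] == ["peer"] and t[2:3] == ["group"]:
            asn = int(t[5]) if t[4:5] == ["as-number"] else None
            cfg["peers"].append((t[1], t[3], asn))
    return cfg


def audit(configs, owner):
    """Return a list of findings; an empty list means the peerings are consistent."""
    parsed = {name: parse(lines) for name, lines in configs.items()}
    findings = []
    for name, cfg in parsed.items():
        for ip, group, asn in cfg["peers"]:
            if ip not in owner:
                findings.append(f"{name}: peer {ip} belongs to no known device")
                continue
            remote = parsed[owner[ip]]
            same_confed = (cfg["confed_id"] is not None
                           and cfg["confed_id"] == remote["confed_id"])
            # Inside the confederation a peer is addressed by its sub-AS number;
            # from outside, only the confederation ID is visible.
            expected = remote["as"] if same_confed else (remote["confed_id"] or remote["as"])
            kind = "internal" if expected == cfg["as"] else "external"
            if cfg["groups"].get(group) != kind:
                findings.append(f"{name}: group {group} for {ip} should be {kind}")
            if kind == "external" and asn != expected:
                findings.append(f"{name}: peer {ip} as-number {asn}, expected {expected}")
            if same_confed and kind == "external" and expected not in cfg["peer_as"]:
                findings.append(f"{name}: sub-AS {expected} missing from confederation peer-as")
    return findings


if __name__ == "__main__":
    print(audit(CONFIGS, OWNER) or "peerings are consistent")
```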
BGP Route Reflector Configuration Example
Network requirements
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases
rapidly in the AS, more network resources for BGP communication are occupied.
The customer hopes to reduce IBGP peers and decrease the CPU and network
resource consumption of BGP without affecting device performance. In addition,
IBGP peers are partially interconnected in the AS.
Based on the requirements and networking environment, configure a BGP route
reflector to achieve the goal.
2 Network diagram
Figure 56 shows the network diagram.
Figure 56 Network diagram for BGP route reflector configuration
Device | Interface | IP address | AS
Switch A | Vlan-int 100 | 1.1.1.1/8 | 100
Switch A | Vlan-int 2 | 192.1.1.1/24 | 100
Switch B | Vlan-int 2 | 192.1.1.2/24 | 200
Switch B | Vlan-int 3 | 193.1.1.2/24 | 200
Switch C | Vlan-int 3 | 193.1.1.1/24 | 200
Switch C | Vlan-int 4 | 194.1.1.1/24 | 200
Switch D | Vlan-int 4 | 194.1.1.2/24 | 200
3 Configuration plan
■ Run EBGP between the peers in AS 100 and AS 200. Advertise network
1.0.0.0/8.
■ Run IBGP between the peers in AS 200. Configure a star topology for the AS.
Specify the central device as a route reflector and other devices as clients.
Configuration procedure
1 Configure Switch A.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 1.1.1.1 255.0.0.0
[SwitchA-Vlan-interface100] quit
[SwitchA] bgp 100
[SwitchA-bgp] group ex external
[SwitchA-bgp] peer 192.1.1.2 group ex as-number 200
[SwitchA-bgp] network 1.0.0.0 255.0.0.0
2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 3
[SwitchB-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchB-Vlan-interface3] quit
# Configure BGP peers.
[SwitchB] bgp 200
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 193.1.1.1 group in
3 Configure Switch C.
# Configure the VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 4
[SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchC-Vlan-interface4] quit
# Configure BGP peers and configure Switch C as the route reflector.
[SwitchC] bgp 200
[SwitchC-bgp] group rr internal
[SwitchC-bgp] peer rr reflect-client
[SwitchC-bgp] peer 193.1.1.2 group rr
[SwitchC-bgp] peer 194.1.1.2 group rr
4 Configure Switch D.
# Configure the VLAN interface IP address.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[SwitchD-Vlan-interface4] quit
# Configure the BGP peer.
[SwitchD] bgp 200
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 194.1.1.1 group in
Use the display bgp routing command to display the BGP routing table on
Switch B. Note that Switch B has learned network 1.0.0.0.
Use the display bgp routing command to display the BGP routing table on
Switch D. Note that Switch D has learned network 1.0.0.0.
BGP Path Selection Configuration Example
Network requirements
1 Requirement analysis
A network consists of two ASs, which run BGP to communicate with each other.
OSPF runs in one of them.
The requirement is to control the data forwarding path from AS 200 to AS 100.
The following two plans meet the requirement:
■ Use the MED attribute to control the forwarding path for packets from AS 200
to AS 100.
■ Use the LOCAL_PREF attribute to control the forwarding path for packets from
AS 200 to AS 100.
2 Network diagram
Figure 57 shows the network diagram.
Figure 57 Network diagram for BGP path selection
3 Configuration plan
■ Run EBGP between AS 100 and AS 200. Advertise network 1.0.0.0/8.
■ Run OSPF in AS 200 to realize network interconnection.
■ Run IBGP between Switch D and Switch B as well as between Switch D and
Switch C.
■ Apply a routing policy on Switch A to modify the MED attribute of the route to
be advertised to AS 200, making the data forwarding path from Switch D to AS
100 as Switch D - Switch C - Switch A.
■ Apply a routing policy on Switch C to modify the LOCAL_PREF attribute of the
route to be advertised to Switch D, making the data forwarding path from AS
200 to AS 100 as Switch D - Switch C - Switch A.
Configuration procedure
1 Configure Switch A.
# Configure the VLAN interface IP addresses.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] interface Vlan-interface 3
[SwitchA-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchA-Vlan-interface3] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 1.1.1.1 255.0.0.0
[SwitchA-Vlan-interface101] quit
# Enable BGP.
[SwitchA] bgp 100
# Advertise network 1.0.0.0/8.
[SwitchA-bgp] network 1.0.0.0
# Configure BGP peers.
[SwitchA-bgp] group ex192 external
[SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200
[SwitchA-bgp] group ex193 external
[SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200
[SwitchA-bgp] quit
Devices in Figure 57:
Device | Interface | IP address | AS
Switch A | Vlan-int 101 | 1.1.1.1/8 | 100
Switch A | Vlan-int 2 | 192.1.1.1/24 | 100
Switch A | Vlan-int 3 | 193.1.1.1/24 | 100
Switch B | Vlan-int 2 | 192.1.1.2/24 | 200
Switch B | Vlan-int 4 | 194.1.1.2/24 | 200
Switch C | Vlan-int 3 | 193.1.1.2/24 | 200
Switch C | Vlan-int 5 | 195.1.1.2/24 | 200
Switch D | Vlan-int 4 | 194.1.1.1/24 | 200
Switch D | Vlan-int 5 | 195.1.1.1/24 | 200
# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any
[SwitchA-acl-basic-2000] quit
# Create a routing policy named apply_med_50, and specify node 10 with the
permit matching mode for the routing policy. Set the MED value of the route
matching ACL 2000 to 50.
[SwitchA] route-policy apply_med_50 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 50
[SwitchA-route-policy] quit
# Create a routing policy named apply_med_100, and specify node 10 with the
permit matching mode for the routing policy. Set the MED value of the route
matching ACL 2000 to 100.
[SwitchA] route-policy apply_med_100 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 100
[SwitchA-route-policy] quit
# Apply the routing policy apply_med_50 to routing updates to the peer group
ex193 (the peer 193.1.1.2) and apply_med_100 to routing updates to the peer
group ex192 (the peer 192.1.1.2).
[SwitchA] bgp 100
[SwitchA-bgp] peer ex193 route-policy apply_med_50 export
[SwitchA-bgp] peer ex192 route-policy apply_med_100 export
2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 4
[SwitchB-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[SwitchB-Vlan-interface4] quit
# Configure OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchB] bgp 200
[SwitchB-bgp] undo synchronization
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 194.1.1.1 group in
[SwitchB-bgp] peer 195.1.1.2 group in
3 Configure Switch C.
# Configure the VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 5
[SwitchC-Vlan-interface5] ip address 195.1.1.2 255.255.255.0
[SwitchC-Vlan-interface5] quit
# Enable OSPF.
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchC] bgp 200
[SwitchC-bgp] undo synchronization
[SwitchC-bgp] group ex external
[SwitchC-bgp] peer 193.1.1.1 group ex as-number 100
[SwitchC-bgp] group in internal
[SwitchC-bgp] peer 195.1.1.1 group in
[SwitchC-bgp] peer 194.1.1.2 group in
4 Configure Switch D.
# Configure the VLAN interface IP addresses.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchD-Vlan-interface4] quit
[SwitchD] interface Vlan-interface 5
[SwitchD-Vlan-interface5] ip address 195.1.1.1 255.255.255.0
[SwitchD-Vlan-interface5] quit
# Enable OSPF.
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 4.0.0.0 0.255.255.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchD] bgp 200
[SwitchD-bgp] undo synchronization
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 195.1.1.2 group in
[SwitchD-bgp] peer 194.1.1.2 group in
■ To make the configuration take effect, use the reset bgp all command on all
the BGP peers.
■ Since the MED attribute of route 1.0.0.0 learned by Switch C is smaller than
that learned by Switch B, Switch D selects the route 1.0.0.0 from Switch C.
■ If you do not configure MED attribute control on Switch A, setting the local
preference attribute for route 1.0.0.0 on Switch C is another choice.
# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
[SwitchC] acl number 2000
[SwitchC-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchC-acl-basic-2000] rule deny source any
[SwitchC-acl-basic-2000] quit
# Create a routing policy named localpref, and specify node 10 with the permit
matching mode for the routing policy. Set the local preference value of the route
matching ACL 2000 to 200.
[SwitchC] route-policy localpref permit node 10
[SwitchC-route-policy] if-match acl 2000
[SwitchC-route-policy] apply local-preference 200
[SwitchC-route-policy] quit
# Create a routing policy named localpref, and specify node 20 with the permit
matching mode for the routing policy. Set the local preference value of the route
to 100.
[SwitchC] route-policy localpref permit node 20
[SwitchC-route-policy] apply local-preference 100
[SwitchC-route-policy] quit
# Apply the routing policy localpref to the routing information from the peer
193.1.1.1 (Switch A).
[SwitchC] bgp 200
[SwitchC-bgp] peer 193.1.1.1 route-policy localpref import
Since the local preference (200) of the route learned by Switch C is bigger than
that learned by Switch B (100), Switch D prefers the route 1.0.0.0 from Switch C.
Note that the local preference is not set for route 1.0.0.0 on Switch B, so the route
uses the default value 100.
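Both plans can be traced end to end with a short model. This is an added example, not 3Com code: it evaluates ACL 2000 and the route-policy nodes from this example and then picks Switch D's route using only the two comparison steps the page relies on (higher LOCAL_PREF, then lower MED). The names `Route`, `acl_permits`, `apply_policy` and `best` are hypothetical, and treating a route that matches no node as filtered is an assumption stated in the code.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Route:
    dest: str                # destination network, e.g. "1.0.0.0"
    via: str                 # IBGP peer that passed the route to Switch D
    med: int = 0
    local_pref: int = 100    # default local preference named on the page


def acl_permits(rules, address):
    """Basic ACL: the first matching rule decides; wildcard 1-bits are ignored."""
    addr = int(IPv4Address(address))
    for action, source, wildcard in rules:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(IPv4Address(source)) & care):
            return action == "permit"
    return False


def apply_policy(nodes, acls, route):
    """Run a route through route-policy nodes in ascending node order.

    Returns the modified route, or None when the route is filtered.
    """
    for _number, mode, acl, actions in sorted(nodes, key=lambda n: n[0]):
        if acl is not None and not acl_permits(acls[acl], route.dest):
            continue                              # if-match failed: try next node
        return replace(route, **actions) if mode == "permit" else None
    return None                                   # assumption: no node matched = denied


def best(routes):
    """Only the two steps the page uses: highest LOCAL_PREF, then lowest MED."""
    return max(routes, key=lambda r: (r.local_pref, -r.med))


# Constructed from the configuration above: "rule deny source any" is written
# as source 0.0.0.0 with wildcard 255.255.255.255.
ACLS = {2000: [("permit", "1.0.0.0", "0.255.255.255"),
               ("deny", "0.0.0.0", "255.255.255.255")]}
APPLY_MED_50 = [(10, "permit", 2000, {"med": 50})]
APPLY_MED_100 = [(10, "permit", 2000, {"med": 100})]
LOCALPREF = [(10, "permit", 2000, {"local_pref": 200}),
             (20, "permit", None, {"local_pref": 100})]


def plan_med():
    """Switch A exports 1.0.0.0 with MED 100 to Switch B and MED 50 to Switch C."""
    via_b = apply_policy(APPLY_MED_100, ACLS, Route("1.0.0.0", "SwitchB"))
    via_c = apply_policy(APPLY_MED_50, ACLS, Route("1.0.0.0", "SwitchC"))
    return best([via_b, via_c])


def plan_local_pref():
    """Switch C applies localpref on import; Switch B keeps the default 100."""
    via_b = Route("1.0.0.0", "SwitchB")
    via_c = apply_policy(LOCALPREF, ACLS, Route("1.0.0.0", "SwitchC"))
    return best([via_b, via_c])


if __name__ == "__main__":
    print("MED plan:", plan_med())
    print("LOCAL_PREF plan:", plan_local_pref())
```

Under that assumption, apply_med_50 and apply_med_100 each have only node 10, so any prefix other than 1.0.0.0/8 exported to those peer groups would be filtered, while localpref keeps other routes through its node 20.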
Comprehensive Configuration Example
Note:
■ For details about routing protocols, see the corresponding configuration guide of
the products.
■ For details on using specific commands, see the corresponding command
reference guide.
■ The following examples use the Switch 5500 and Switch 5500G.
Network Requirements
Requirement Analysis, Network Diagram and Configuration Plan
Requirement analysis
An ISP has four ASs: AS 100, AS 200, AS 300, and AS 400. AS 100 is the core
layer. It connects AS 200, AS 300, and AS 400 and forwards data between them.
AS 200, AS 300, and AS 400 constitute the distribution layer. They provide access
services for users. The specific requirements are as follows:
■ Fast convergence is required for AS 200 and AS 400 because their networks
are quite large and complicated.
■ The network of AS 300 is small and simple. The devices in the network
support only RIP. Their performance is low and the capacity of their routing
tables is quite limited.
■ Access users in AS 200 require a very reliable network.
■ Access users in AS 200, AS 300, and AS 400 are accessible to each other.
■ S200_10 in AS 200 is connected with Layer 2 devices.
■ S300_B in AS 300 is connected with Layer 2 devices.
■ The data forwarding path needs to be controlled when users in AS 400 access
AS 200 and AS 300.
■ An AS 300 access user is interconnected with the ISP through a single link.
Network diagram
Figure 58 shows the network diagram designed according to the requirements.
Figure 58 Network diagram
Configuration plan
■ Run BGP in AS 100 to interconnect with AS 200, AS 300, and AS 400. Use the
MED attribute to control the forwarding path.
■ Run OSPF in AS 200. The device in AS 200 connecting to AS 100 runs both
OSPF and BGP. Use static routes as backup routes to implement link
redundancy and improve network reliability. Apply a routing policy when
redistributing BGP routes for filtering.
■ Run OSPF in AS 400. The device in AS 400 connecting to AS 100 runs both
OSPF and BGP. Apply a routing policy when redistributing BGP routes for
filtering.
■ Run RIPv2 in AS 300. The device in AS 300 connecting to AS 100 runs both
RIPv2 and BGP. Apply a routing policy when redistributing BGP routes for
filtering.
■ AS 300 users use the combination of static routes, RIP, and routing policy to
access the ISP.
■ Interaction between IGP and BGP is involved in the configuration. Since the
default BGP preference is 256, when backup routes exist in the routing table,
you need to modify the BGP preference in order to select the primary route as
required.
Devices Used for Networking
Table 84 Device model and device name
Model   Device name
7500    S200/S300
5600    S100_1/S100_2/S400
3600    S200_0/S200_10/S300_A/S300_B/S400_0
Note:
■ Either Switch 7750 Ethernet switches or Switch 5500G Ethernet switches can
serve as S100_1/S100_2/S400/S200/S300.
■ You can use other partially Layer 3 capable switches as S300_B.
Software Version
Switch 5500 Release 1510
Switch 5500G Release 1510
Switch 7750 Release 3130
Routing Protocols and Related Parameters on Devices
Table 85 Routing protocols supported by devices
Device name   Routing protocol    Router ID   AS
S100_1        BGP (IBGP&EBGP)     1.1.1.1     100
S100_2        BGP (IBGP&EBGP)     1.2.1.1     100
S200          BGP (EBGP)/OSPF     2.1.1.1     200
S200_0        OSPF                -           200
S200_10       OSPF/STATIC         -           200
S300          BGP (EBGP)/RIPv2    3.1.1.1     300
S300_A        RIPv2/STATIC        -           300
S300_B        RIPv2               -           300
S400          BGP (EBGP)/OSPF     4.1.1.1     400
S400_0        OSPF                -           400
Configuration Procedure
Configuration Guide
Table 86 Configuration guide (configuration task: description)
■ “Basic Configuration” on page 131: Create VLANs and configure IP addresses
for VLAN interfaces.
■ “Basic RIPv2/OSPF/BGP Configuration” on page 131: Basic RIPv2/OSPF/BGP
configuration.
■ “RIP, Static Route, and Routing Policy Configuration Example” on page 137:
Using a routing policy, configure RIP to advertise route updates but not
receive them, and use static routing to access the ISP.
■ “BGP and IGP Interaction Configuration Example” on page 138: IGP and BGP
share routes. Apply a routing policy for BGP redistribution to IGP as required.
■ “Route Backup Configuration Example” on page 140: To improve network
reliability, run OSPF on the primary link and run static routing on the backup
link to realize interconnection.
■ “BGP MED Attribute Configuration Example” on page 141: Apply a routing
policy to change the MED attribute of routes to control the forwarding path.
Basic Configuration
Creating VLANs and configuring IP addresses for VLAN interfaces are omitted
here. Refer to “Displaying the Whole Configuration on Devices” on page 145 for
related information.
Basic RIPv2/OSPF/BGP Configuration
Basic RIPv2 configuration
Figure 59 shows the relevant network diagram of AS 300.
Figure 59 Network diagram for RIPv2 configuration
■ Configure S300.
# Run RIP on the interface attached to network 206.1.4.0.
<S300> system-view
[S300] rip
[S300-rip] network 206.1.4.0
# Disable RIPv2 route summarization.
[S300-rip] undo summary
[S300-rip] quit
# Run RIPv2 on VLAN-interface 14.
[S300] interface vlan-interface 14
[S300-Vlan-interface14] rip version 2
[S300-Vlan-interface14] quit
■ Configure S300_A.
# Run RIP on the interfaces on networks 206.1.4.0 and 166.1.0.0.
<S300_A> system-view
[S300_A] rip
[S300_A-rip] network 206.1.4.0
[S300_A-rip] network 166.1.0.0
# Disable RIPv2 route summarization.
[S300_A-rip] undo summary
[S300_A-rip] quit
# Run RIPv2 on VLAN-interface 14 and VLAN-interface 662.
[S300_A] interface vlan-interface 14
[S300_A-Vlan-interface14] rip version 2
[S300_A-Vlan-interface14] quit
[S300_A] interface vlan-interface 662
[S300_A-Vlan-interface662] rip version 2
[S300_A-Vlan-interface662] quit
■ Configure S300_B.
# Run RIP on the interfaces connected to networks 162.1.0.0 and 166.1.0.0.
<S300_B> system-view
[S300_B] rip
[S300_B-rip] network 162.1.0.0
[S300_B-rip] network 166.1.0.0
# Disable RIPv2 route summarization.
[S300_B-rip] undo summary
[S300_B-rip] quit
Interface addresses for Figure 59:
Device   Interface      IP address
S300     Vlan-int 14    206.1.4.2/24
S300_A   Vlan-int 14    206.1.4.1/24
S300_A   Vlan-int 662   166.1.2.1/24
S300_A   Vlan-int 665   166.1.5.2/24
S300_B   Vlan-int 662   166.1.2.2/24
S300_B   Vlan-int 623   162.1.3.1/24
S300_B   Vlan-int 624   162.1.4.1/24
# Run RIPv2 on VLAN-interface 623, VLAN-interface 624, and VLAN-interface 662.
[S300_B] interface vlan-interface 623
[S300_B-Vlan-interface623] rip version 2
[S300_B-Vlan-interface623] quit
[S300_B] interface vlan-interface 624
[S300_B-Vlan-interface624] rip version 2
[S300_B-Vlan-interface624] quit
[S300_B] interface vlan-interface 662
[S300_B-Vlan-interface662] rip version 2
[S300_B-Vlan-interface662] quit
Basic OSPF configuration
Figure 60 shows the relevant network diagram of AS 200.
Figure 60 Network diagram for OSPF configuration
■ Configure S200.
# Run OSPF on the interface connected to network 206.1.2.0/24 and specify its
area ID as 0.
<S200> system-view
[S200] ospf
[S200-ospf-1] area 0
[S200-ospf-1-area-0.0.0.0] network 206.1.2.0 0.0.0.255
Interface addresses and OSPF areas for Figure 60:
Device    Interface      IP address      Area
S200      Vlan-int 12    206.1.2.3/24    0
S200_0    Vlan-int 12    206.1.2.1/24    0
S200_0    Vlan-int 661   166.1.1.1/24    10
S200_10   Vlan-int 661   166.1.1.2/24    10
S200_10   Vlan-int 621   162.1.1.1/24    10
S200_10   Vlan-int 622   162.1.2.1/24    10
■ Configure S200_0.
# Run OSPF on the interface connected to network 206.1.2.0/24 and specify its
area ID as 0.
<S200_0> system-view
[S200_0] ospf
[S200_0-ospf-1] area 0
[S200_0-ospf-1-area-0.0.0.0] network 206.1.2.0 0.0.0.255
[S200_0-ospf-1-area-0.0.0.0] quit
# Run OSPF on the interface connected to network 166.1.1.0/24 and specify its
area ID as 10.
[S200_0-ospf-1] area 10
[S200_0-ospf-1-area-0.0.0.10] network 166.1.1.0 0.0.0.255
■ Configure S200_10.
# Run OSPF on interfaces connected to networks 162.1.1.0/24, 162.1.2.0/24, and
166.1.1.0/24 and specify their area ID as 10.
<S200_10> system-view
[S200_10] ospf
[S200_10-ospf-1] area 10
[S200_10-ospf-1-area-0.0.0.10] network 162.1.1.0 0.0.0.255
[S200_10-ospf-1-area-0.0.0.10] network 162.1.2.0 0.0.0.255
[S200_10-ospf-1-area-0.0.0.10] network 166.1.1.0 0.0.0.255
Figure 61 shows the network diagram of AS 400.
Figure 61 Network diagram for AS 400 configuration
■ Configure S400.
# Run OSPF on the interface connected to network 206.1.6.0/24 and specify its
area ID as 0.
<S400> system-view
[S400] ospf
[S400-ospf-1] area 0
[S400-ospf-1-area-0.0.0.0] network 206.1.6.0 0.0.0.255
■ Configure S400_0.
# Run OSPF on the interface connected to network 206.1.6.0/24 and specify its
area ID as 0.
<S400_0> system-view
[S400_0] ospf
[S400_0-ospf-1] area 0
[S400_0-ospf-1-area-0.0.0.0] network 206.1.6.0 0.0.0.255
[S400_0-ospf-1-area-0.0.0.0] quit
Interface addresses and OSPF areas for Figure 61:
Device   Interface      IP address      Area
S400     Vlan-int 16    206.1.6.3/24    0
S400_0   Vlan-int 16    206.1.6.1/24    0
S400_0   Vlan-int 663   166.1.3.1/24    0.0.1.44
S400_0   Vlan-int 664   166.1.4.1/24    0.0.1.44
# Run OSPF on interfaces connected to networks 166.1.3.0/24 and 166.1.4.0/24
and specify their area ID as 0.0.1.44.
[S400_0-ospf-1] area 0.0.1.44
[S400_0-ospf-1-area-0.0.1.44] network 166.1.3.0 0.0.0.255
[S400_0-ospf-1-area-0.0.1.44] network 166.1.4.0 0.0.0.255
Basic BGP configuration
Figure 62 shows the relevant network diagram.
Figure 62 Network diagram for BGP configuration
■ Configure S100_1.
# Configure the router ID of S100_1 as 1.1.1.1.
<S100_1> system-view
[S100_1] router id 1.1.1.1
# Enable BGP and specify the local AS number as 100.
[S100_1] bgp 100
# Create IBGP peer group 100 and EBGP peer groups 200 and 400.
[S100_1-bgp] group 100 internal
[S100_1-bgp] group 200 external
[S100_1-bgp] group 400 external
# Add peer 196.3.1.2 in AS 100 into peer group 100; Add peer 196.1.1.3 in AS
200 into peer group 200; Add peer 196.1.3.3 in AS 400 into peer group 400.
[S100_1-bgp] peer 196.3.1.2 group 100
[S100_1-bgp] peer 196.1.1.3 group 200 as-number 200
[S100_1-bgp] peer 196.1.3.3 group 400 as-number 400
Interface addresses, router IDs, and AS numbers for Figure 62:
Device   Interface     IP address      Router ID   AS
S100_1   Vlan-int 11   196.1.1.1/24    1.1.1.1     100
S100_1   Vlan-int 15   196.1.3.1/24    1.1.1.1     100
S100_1   Vlan-int 31   196.3.1.1/24    1.1.1.1     100
S100_2   Vlan-int 22   196.2.2.1/24    1.2.1.1     100
S100_2   Vlan-int 23   196.2.3.2/24    1.2.1.1     100
S100_2   Vlan-int 31   196.3.1.2/24    1.2.1.1     100
S200     Vlan-int 11   196.1.1.3/24    2.1.1.1     200
S200     Vlan-int 13   206.1.3.3/24    2.1.1.1     200
S300     Vlan-int 22   196.2.2.2/24    3.1.1.1     300
S300     Vlan-int 13   206.1.3.2/24    3.1.1.1     300
S400     Vlan-int 15   196.1.3.3/24    4.1.1.1     400
S400     Vlan-int 23   196.2.3.3/24    4.1.1.1     400
# Advertise networks 196.1.3.0, 196.3.1.0, and 196.1.1.0.
[S100_1-bgp] network 196.1.3.0
[S100_1-bgp] network 196.3.1.0
[S100_1-bgp] network 196.1.1.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S100_1-bgp] preference 200 200 200
■ Configure S100_2.
# Configure the router ID of S100_2 as 1.2.1.1.
<S100_2> system-view
[S100_2] router id 1.2.1.1
# Enable BGP and specify the local AS number as 100.
[S100_2] bgp 100
# Create IBGP peer group 100 and EBGP peer groups 300 and 400.
[S100_2-bgp] group 100 internal
[S100_2-bgp] group 300 external
[S100_2-bgp] group 400 external
# Add peer 196.3.1.1 in AS 100 into peer group 100; Add peer 196.2.2.2 in AS
300 into peer group 300; Add peer 196.2.3.3 in AS 400 into peer group 400.
[S100_2-bgp] peer 196.3.1.1 group 100
[S100_2-bgp] peer 196.2.2.2 group 300 as-number 300
[S100_2-bgp] peer 196.2.3.3 group 400 as-number 400
# Advertise networks 196.2.2.0, 196.2.3.0, and 196.3.1.0.
[S100_2-bgp] network 196.2.2.0
[S100_2-bgp] network 196.2.3.0
[S100_2-bgp] network 196.3.1.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S100_2-bgp] preference 200 200 200
■ Configure S200.
# Configure the router ID of S200 as 2.1.1.1.
<S200> system-view
[S200] router id 2.1.1.1
# Enable BGP and specify the local AS number as 200.
[S200] bgp 200
# Create EBGP peer groups 100 and 300.
[S200-bgp] group 100 external
[S200-bgp] group 300 external
# Add peer 196.1.1.1 in AS 100 into peer group 100; Add peer 206.1.3.2 in AS
300 into peer group 300.
[S200-bgp] peer 196.1.1.1 group 100 as-number 100
[S200-bgp] peer 206.1.3.2 group 300 as-number 300
# Advertise networks 192.1.1.0 and 206.1.3.0.
[S200-bgp] network 192.1.1.0
[S200-bgp] network 206.1.3.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S200-bgp] preference 200 200 200
■ Configure S300.
# Configure the router ID of S300 as 3.1.1.1.
<S300> system-view
[S300] router id 3.1.1.1
# Enable BGP and specify the local AS number as 300.
[S300] bgp 300
# Create EBGP peer groups 100 and 200.
[S300-bgp] group 100 external
[S300-bgp] group 200 external
# Add peer 196.2.2.1 in AS 100 into peer group 100; Add peer 206.1.3.3 in AS
200 into peer group 200.
[S300-bgp] peer 196.2.2.1 group 100 as-number 100
[S300-bgp] peer 206.1.3.3 group 200 as-number 200
# Advertise networks 206.1.3.0 and 196.2.2.0.
[S300-bgp] network 206.1.3.0
[S300-bgp] network 196.2.2.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S300-bgp] preference 200 200 200
■ Configure S400.
# Configure the router ID of S400 as 4.1.1.1.
<S400> system-view
[S400] router id 4.1.1.1
# Enable BGP and specify the local AS number as 400.
[S400] bgp 400
# Create EBGP peer groups 100_1 and 100_2.
[S400-bgp] group 100_1 external
[S400-bgp] group 100_2 external
# Add peer 196.1.3.1 in AS 100 into peer group 100_1; Add peer 196.2.3.2 in AS
100 into peer group 100_2.
[S400-bgp] peer 196.1.3.1 group 100_1 as-number 100
[S400-bgp] peer 196.2.3.2 group 100_2 as-number 100
# Advertise networks 196.1.3.0 and 196.2.3.0.
[S400-bgp] network 196.1.3.0
[S400-bgp] network 196.2.3.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S400-bgp] preference 200 200 200
RIP, Static Route, and Routing Policy Configuration Example
Network requirements
As shown in Figure 63, RIPv2 runs on S300_A/S300_B. To control the number of
routes learned by S300_B through RIP, allow S300_B to advertise routes to S300_A
and prevent S300_B from receiving routes advertised by S300_A. Packets from
S300_B to S300_A are forwarded through the default route.
Network diagram
Figure 63 Network diagram for RIP, static route, and routing policy configuration
Interface addresses for Figure 63:
Device   Interface      IP address
S300_A   Vlan-int 662   166.1.2.1/24
S300_B   Vlan-int 662   166.1.2.2/24
S300_B   Vlan-int 623   162.1.3.1/24
S300_B   Vlan-int 624   162.1.4.1/24
Configuration procedure
# Create ACL 2000 and deny all packets.
<S300_B> system-view
[S300_B] acl number 2000
[S300_B-acl-basic-2000] rule deny source any
[S300_B-acl-basic-2000] quit
# Apply ACL 2000 to incoming RIP routes.
[S300_B] rip
[S300_B-rip] filter-policy 2000 import
[S300_B-rip] quit
# Configure a default route and specify the next-hop IP address as 166.1.2.1.
[S300_B] ip route-static 0.0.0.0 0.0.0.0 166.1.2.1 preference 60
BGP and IGP Interaction Configuration Example
Network requirements
As shown in Figure 64, OSPF and BGP run on S400/S200. RIPv2 and BGP run on
S300. To ensure that devices in each AS can learn network topologies of other
ASs, configure interaction between IGP and BGP to share routes. When
redistributing routes from IGP to BGP, apply a routing policy to redistribute routes
with IP prefixes 162.1.1.0/24, 162.1.2.0/24, 162.1.3.0/24, 162.1.4.0/24,
166.1.3.0/24, and 166.1.4.0/24 only.
Network diagram
Figure 64 Network diagram for BGP and IGP interaction

Configuration procedure
■ Configure interaction between IGP and BGP on S200.
# Redistribute OSPF routes into BGP.
<S200> system-view
[S200] bgp 200
[S200-bgp] import-route ospf 1
[S200-bgp] quit
# Define a prefix list named ospf_import and permit the routes with IP prefixes
162.1.3.0/24, 162.1.4.0/24, 166.1.3.0/24, or 166.1.4.0/24.
[S200] ip ip-prefix ospf_import index 10 permit 162.1.3.0 24
[S200] ip ip-prefix ospf_import index 20 permit 162.1.4.0 24
[S200] ip ip-prefix ospf_import index 30 permit 166.1.4.0 24
[S200] ip ip-prefix ospf_import index 40 permit 166.1.3.0 24
# Create a routing policy named ospf_import with the match mode as permit.
Define an if-match clause to permit routes whose destination addresses match IP
prefix list ospf_import.
[S200] route-policy ospf_import permit node 10
[S200-route-policy] if-match ip-prefix ospf_import
[S200-route-policy] quit
# Redistribute BGP routes into OSPF and apply routing policy ospf_import.
[S200] ospf
[S200-ospf-1] import-route bgp route-policy ospf_import
■ Configure interaction between IGP and BGP on S300.
# Redistribute RIP routes into BGP.
<S300> system-view
[S300] bgp 300
[S300-bgp] import-route rip
[S300-bgp] quit
# Define a prefix list named rip_import and permit the routes with IP prefixes
162.1.1.0/24, 162.1.2.0/24, 166.1.3.0/24, and 166.1.4.0/24.
[S300] ip ip-prefix rip_import index 10 permit 162.1.1.0 24
[S300] ip ip-prefix rip_import index 20 permit 162.1.2.0 24
[S300] ip ip-prefix rip_import index 30 permit 166.1.3.0 24
[S300] ip ip-prefix rip_import index 40 permit 166.1.4.0 24
# Create a routing policy named rip_import with the matching mode as permit.
Define an if-match clause to permit routes whose destination addresses match IP
prefix list rip_import.
[S300] route-policy rip_import permit node 10
[S300-route-policy] if-match ip-prefix rip_import
[S300-route-policy] quit
# Redistribute BGP routes into RIP and apply routing policy rip_import.
[S300] rip
[S300-rip] import-route bgp route-policy rip_import
■ Configure interaction between IGP and BGP on S400.
# Redistribute OSPF routes into BGP.
<S400> system-view
[S400] bgp 400
[S400-bgp] import-route ospf 1
[S400-bgp] quit
# Define a prefix list named ospf_import and permit the routes with IP prefixes
162.1.1.0/24, 162.1.2.0/24, 162.1.3.0/24, and 162.1.4.0/24.
[S400] ip ip-prefix ospf_import index 10 permit 162.1.1.0 24
[S400] ip ip-prefix ospf_import index 20 permit 162.1.2.0 24
[S400] ip ip-prefix ospf_import index 30 permit 162.1.3.0 24
[S400] ip ip-prefix ospf_import index 40 permit 162.1.4.0 24
# Create a routing policy named ospf_import with the match mode as permit.
Define an if-match clause to permit the routes whose destination addresses match
IP prefix list ospf_import.
[S400] route-policy ospf_import permit node 10
[S400-route-policy] if-match ip-prefix ospf_import
[S400-route-policy] quit
# Redistribute BGP routes into OSPF and apply the routing policy named
ospf_import.
[S400] ospf
[S400-ospf-1] import-route bgp route-policy ospf_import
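To review which redistribution points in this design are constrained by a routing policy, the import-route statements can be pulled out of saved configurations. The following Python script is an added example, not part of the 3Com guide: it parses statements copied (abridged) from the S200 and S300_A display current-configuration output shown elsewhere in this guide and reports, for each import-route, the attached route-policy and the prefix-list entries it permits. The function name and status labels are this example's own.

```python
import re

# Abridged from the S200 and S300_A "display current-configuration" output in this guide.
SAMPLE = """\
sysname S200
#
bgp 200
network 192.1.1.0
network 206.1.3.0
import-route ospf 1
undo synchronization
#
ospf 1
import-route bgp route-policy ospf_import
area 0.0.0.0
network 206.1.2.0 0.0.0.255
#
route-policy ospf_import permit node 10
if-match ip-prefix ospf_import
#
ip ip-prefix ospf_import index 10 permit 162.1.3.0 24
ip ip-prefix ospf_import index 20 permit 162.1.4.0 24
ip ip-prefix ospf_import index 30 permit 166.1.4.0 24
ip ip-prefix ospf_import index 40 permit 166.1.3.0 24
#
sysname S300_A
#
rip
undo summary
network 206.1.4.0
network 166.1.0.0
import-route static
#
"""

# Views in which an import-route statement redistributes into a protocol.
PROTOCOL = re.compile(r"^(bgp \d+|ospf(?: \d+)?|rip)$")


def audit_redistribution(config):
    """Return one record per import-route: target, source, policy, permitted prefixes.

    Simplification: only permit entries of a prefix list are collected, and
    deny nodes of a route-policy are not modelled.
    """
    device = context = policy_ctx = None
    imports, policy_lists, prefix_lists = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok or line == "#":
            context = policy_ctx = None            # "#" closes the current view
        elif tok[0] == "sysname":
            device = tok[1]
        elif PROTOCOL.match(line):
            context = line
        elif tok[0] == "import-route" and context:
            src = " ".join(tok[1:3]) if len(tok) > 2 and tok[2].isdigit() else tok[1]
            pol = tok[tok.index("route-policy") + 1] if "route-policy" in tok else None
            imports.append({"device": device, "into": context,
                            "source": src, "policy": pol})
        elif tok[0] == "route-policy" and len(tok) >= 2:
            policy_ctx = (device, tok[1])
            policy_lists.setdefault(policy_ctx, [])
        elif tok[:2] == ["if-match", "ip-prefix"] and policy_ctx:
            policy_lists[policy_ctx].append(tok[2])
        elif tok[:2] == ["ip", "ip-prefix"] and "permit" in tok:
            i = tok.index("permit")
            entry = f"{tok[i + 1]}/{tok[i + 2]}"
            if tok[i + 3:]:                        # keep greater-equal/less-equal text
                entry += " " + " ".join(tok[i + 3:])
            prefix_lists.setdefault((device, tok[2]), []).append(entry)
    # Policies and prefix lists appear after the protocol views, so resolve last.
    for imp in imports:
        key = (imp["device"], imp["policy"])
        if imp["policy"] is None:
            imp["status"], imp["permits"] = "unfiltered", None
        elif key not in policy_lists:
            imp["status"], imp["permits"] = "policy-not-defined", None
        else:
            imp["status"] = "filtered"
            imp["permits"] = [p for name in policy_lists[key]
                              for p in prefix_lists.get((imp["device"], name), [])]
    return imports


if __name__ == "__main__":
    for row in audit_redistribution(SAMPLE):
        print(f'{row["device"]:7} {row["source"]:7} -> {row["into"]:8} '
              f'{row["status"]:18} {row["permits"]}')
```

On the sample, only the BGP-to-OSPF redistribution on S200 carries a route-policy; the OSPF-to-BGP import on S200 and the static-to-RIP import on S300_A are reported as unfiltered.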
Route Backup Configuration Example
Network requirements
As shown in Figure 65, implement route backup on S200_10. Run OSPF between
S200_10 and S200_0. The OSPF route is the primary route. Configure a default
route between S200_10 and S300_A. This route is the backup route. When the
primary route fails, the device switches to the backup route automatically.
When the primary route becomes feasible again, the device switches back to the
primary route automatically. To achieve the route backup of S200_10, configure a
static route to S200_10 on S300_A and redistribute this route into RIPv2.
Network diagram
Figure 65 Network diagram for route backup
Interface addresses for Figure 65:
Device    Interface      IP address      AS
S300_A    Vlan-int 665   166.1.5.2/24    300
S200_10   Vlan-int 665   166.1.5.1/24    200
S200_10   Vlan-int 621   162.1.1.1/24    200
S200_10   Vlan-int 622   162.1.2.1/24    200
Configuration procedure
# Configure a default route on S200_10 and specify the next-hop IP address as
166.1.5.2. Set the preference of the route to 200.
<S200_10> system-view
[S200_10] ip route-static 0.0.0.0 0.0.0.0 166.1.5.2 preference 200
# Configure static routes on S300_A to destinations 162.1.1.0/24 and
162.1.2.0/24. Specify the next-hop IP address as 166.1.5.1 and set the
preference to 200.
<S300_A> system-view
[S300_A] ip route-static 162.1.1.0 255.255.255.0 166.1.5.1 preference 200
[S300_A] ip route-static 162.1.2.0 255.255.255.0 166.1.5.1 preference 200
# Redistribute the static routes into RIP.
[S300_A] rip
[S300_A-rip] import-route static
BGP MED Attribute Configuration Example
Network requirements
As shown in Figure 66, S100_1 forwards packets from S400 to S200_10. S100_2
forwards packets from S400 to S300_B. Modify the MED value to achieve this
goal.
Network diagram
Figure 66 Network diagram for MED attribute configuration
Configuration procedure
■ Configure S100_1.
# Define a prefix list named as200_1 and permit the route with IP prefix
162.1.1.0/24.
<S100_1> system-view
[S100_1] ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
# Define a prefix list named as200_2 and permit the route with IP prefix
162.1.2.0/24.
[S100_1] ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
# Define a prefix list named as300_1 and permit the route with IP prefix
162.1.3.0/24.
[S100_1] ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
Interface addresses for Figure 66:
Device    Interface      IP address      AS
S200_10   Vlan-int 621   162.1.1.1/24    200
S200_10   Vlan-int 622   162.1.2.1/24    200
S300_B    Vlan-int 623   162.1.3.1/24    300
S300_B    Vlan-int 624   162.1.4.1/24    300
S400_0    Vlan-int 663   166.1.3.1/24    400
S400_0    Vlan-int 664   166.1.4.1/24    400
# Define a prefix list named as300_2 and permit the route with IP prefix
162.1.4.0/24.
[S100_1] ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
# Define a prefix list named other and permit all the routes.
[S100_1] ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
# Create a routing policy named as200, and specify node 10 with the permit
matching mode in the routing policy. Set the MED value of the route matching
prefix list as200_1 to 100.
[S100_1] route-policy as200 permit node 10
[S100_1-route-policy] if-match ip-prefix as200_1
[S100_1-route-policy] apply cost 100
[S100_1-route-policy] quit
# Create node 20 with the permit matching mode in routing policy as200. Set
the MED value of the route matching prefix list as200_2 to 100.
[S100_1] route-policy as200 permit node 20
[S100_1-route-policy] if-match ip-prefix as200_2
[S100_1-route-policy] apply cost 100
[S100_1-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as200. Set the
MED value of the route matching prefix list as300_1 to 200.
[S100_1] route-policy as200 permit node 30
[S100_1-route-policy] if-match ip-prefix as300_1
[S100_1-route-policy] apply cost 200
[S100_1-route-policy] quit
# Create node 40 with the permit matching mode in routing policy as200. Set the
MED value of the route matching prefix list as300_2 to 200.
[S100_1] route-policy as200 permit node 40
[S100_1-route-policy] if-match ip-prefix as300_2
[S100_1-route-policy] apply cost 200
[S100_1-route-policy] quit
# Create node 50 with the permit matching mode in routing policy as200. Permit
all the routes.
[S100_1] route-policy as200 permit node 50
[S100_1-route-policy] if-match ip-prefix other
[S100_1-route-policy] quit
# Apply the routing policy as200 to the routes outgoing to peer group 400 (the
peer 196.1.3.3).
[S100_1] bgp 100
[S100_1-bgp] peer 400 route-policy as200 export
■ Configure S100_2.
# Define a prefix list named as200_1 and permit the route with IP prefix
162.1.1.0/24.
<S100_2> system-view
[S100_2] ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
# Define a prefix list named as200_2 and permit the route with IP prefix
162.1.2.0/24.
[S100_2] ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
# Define a prefix list named as300_1 and permit the route with IP prefix
162.1.3.0/24.
[S100_2] ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
# Define a prefix list named as300_2 and permit the route with IP prefix
162.1.4.0/24.
[S100_2] ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
# Define a prefix list named other and permit all the routes.
[S100_2] ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
# Create a routing policy named as300. Configure the node number as 10 and
the matching mode as permit. Set the MED value of the route matching prefix list
as200_1 to 200.
[S100_2] route-policy as300 permit node 10
[S100_2-route-policy] if-match ip-prefix as200_1
[S100_2-route-policy] apply cost 200
[S100_2-route-policy] quit
# Create node 20 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as200_2 to 200.
[S100_2] route-policy as300 permit node 20
[S100_2-route-policy] if-match ip-prefix as200_2
[S100_2-route-policy] apply cost 200
[S100_2-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as300_1 to 100.
[S100_2] route-policy as300 permit node 30
[S100_2-route-policy] if-match ip-prefix as300_1
[S100_2-route-policy] apply cost 100
[S100_2-route-policy] quit
# Create node 40 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as300_2 to 100.
[S100_2] route-policy as300 permit node 40
[S100_2-route-policy] if-match ip-prefix as300_2
[S100_2-route-policy] apply cost 100
[S100_2-route-policy] quit
# Create node 50 with the permit matching mode in routing policy as300 and
permit all routes.
[S100_2] route-policy as300 permit node 50
[S100_2-route-policy] if-match ip-prefix other
[S100_2-route-policy] quit
# Apply routing policy as300 to the routes outgoing to peer group 400 (peer
196.2.3.3).
[S100_2] bgp 100
[S100_2-bgp] peer 400 route-policy as300 export
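The export policies above steer traffic only if each route hits the intended node, so it helps to walk the evaluation through. The following Python model is an added example, not 3Com code: it reproduces the as200 and as300 nodes and the prefix lists from this section and compares the MED values S400 would receive. It assumes all other BGP attributes of the two advertisements are equal and that a route with no MED set compares as 0.

```python
import ipaddress

# ip ip-prefix entries from this section: name -> [(index, mode, prefix, less_equal)]
PREFIX_LISTS = {
    "as200_1": [(10, "permit", "162.1.1.0/24", None)],
    "as200_2": [(10, "permit", "162.1.2.0/24", None)],
    "as300_1": [(10, "permit", "162.1.3.0/24", None)],
    "as300_2": [(10, "permit", "162.1.4.0/24", None)],
    "other":   [(10, "permit", "0.0.0.0/0", 32)],
}

# route-policy nodes: (node, mode, if-match ip-prefix, apply cost or None)
POLICIES = {
    "S100_1": [  # route-policy as200, exported to peer group 400 (196.1.3.3)
        (10, "permit", "as200_1", 100),
        (20, "permit", "as200_2", 100),
        (30, "permit", "as300_1", 200),
        (40, "permit", "as300_2", 200),
        (50, "permit", "other", None),
    ],
    "S100_2": [  # route-policy as300, exported to peer group 400 (196.2.3.3)
        (10, "permit", "as200_1", 200),
        (20, "permit", "as200_2", 200),
        (30, "permit", "as300_1", 100),
        (40, "permit", "as300_2", 100),
        (50, "permit", "other", None),
    ],
}


def prefix_list_permits(name, route):
    """The lowest matching index decides; a route matching no entry is denied."""
    net = ipaddress.ip_network(route)
    for _index, mode, prefix, less_equal in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        base = ipaddress.ip_network(prefix)
        # Without less-equal the entry matches its own mask length only.
        longest = base.prefixlen if less_equal is None else less_equal
        if net.subnet_of(base) and base.prefixlen <= net.prefixlen <= longest:
            return mode == "permit"
    return False


def export(nodes, route):
    """Return (advertised, med) after walking the nodes in ascending order."""
    for _node, mode, plist, cost in sorted(nodes, key=lambda n: n[0]):
        if prefix_list_permits(plist, route):
            return (True, cost) if mode == "permit" else (False, None)
    return (False, None)  # no node matched: the route is not advertised


def preferred_by_s400(route):
    """Peer whose advertisement carries the lower MED, 'tie', or None."""
    meds = {}
    for peer, nodes in POLICIES.items():
        advertised, med = export(nodes, route)
        if advertised:
            meds[peer] = 0 if med is None else med  # assumption: unset MED compares as 0
    if not meds:
        return None
    best = min(meds.values())
    winners = [peer for peer, med in meds.items() if med == best]
    return winners[0] if len(winners) == 1 else "tie"


if __name__ == "__main__":
    for route in ("162.1.1.0/24", "162.1.2.0/24", "162.1.3.0/24",
                  "162.1.4.0/24", "162.1.1.128/25", "166.1.3.0/24"):
        print(route, "->", preferred_by_s400(route))
```

The /25 case shows the limit of exact-length entries: a more specific route falls through to node 50, leaves both switches with no MED applied, and the intended path preference no longer covers it.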
Displaying the Whole Configuration on Devices
S100_1
<S100_1> display current-configuration
#
sysname S100_1
#
router id 1.1.1.1
#
....
#
vlan 11
#
vlan 15
#
vlan 31
#
interface Vlan-interface11
ip address 196.1.1.1 255.255.255.0
#
interface Vlan-interface15
ip address 196.1.3.1 255.255.255.0
#
interface Vlan-interface31
ip address 196.3.1.1 255.255.255.0
#
...
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 100
network 196.1.3.0
network 196.3.1.0
network 196.1.1.0
undo synchronization
group 100 internal
peer 196.3.1.2 group 100
group 200 external
peer 196.1.1.3 group 200 as-number 200
group 400 external
peer 400 route-policy as200 export
peer 196.1.3.3 group 400 as-number 400
preference 200 200 200
#
route-policy as200 permit node 10
if-match ip-prefix as200_1
apply cost 100
route-policy as200 permit node 20
if-match ip-prefix as200_2
apply cost 100
route-policy as200 permit node 30
if-match ip-prefix as300_1
apply cost 200
route-policy as200 permit node 40
if-match ip-prefix as300_2
apply cost 200
route-policy as200 permit node 50
if-match ip-prefix other
#
ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
#
...
S100_2
<S100_2> display current-configuration
#
sysname S100_2
#
router id 1.2.1.1
#
......
#
vlan 22
#
vlan 23
#
vlan 31
#
interface Vlan-interface22
ip address 196.2.2.1 255.255.255.0
#
interface Vlan-interface23
ip address 196.2.3.2 255.255.255.0
#
interface Vlan-interface31
ip address 196.3.1.2 255.255.255.0
#
...
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 100
network 196.2.2.0
network 196.2.3.0
network 196.3.1.0
undo synchronization
group 100 internal
peer 196.3.1.1 group 100
group 300 external
peer 196.2.2.2 group 300 as-number 300
group 400 external
peer 400 route-policy as300 export
peer 196.2.3.3 group 400 as-number 400
preference 200 200 200
#
route-policy as300 permit node 10
if-match ip-prefix as200_1
apply cost 200
route-policy as300 permit node 20
if-match ip-prefix as200_2
apply cost 200
route-policy as300 permit node 30
if-match ip-prefix as300_1
apply cost 100
route-policy as300 permit node 40
if-match ip-prefix as300_2
apply cost 100
route-policy as300 permit node 50
if-match ip-prefix other
#
ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
#
.....
S200
<S200> display current-configuration
#
sysname S200
#
......
#
router id 2.1.1.1
#
...........
#
vlan 11
#
vlan 12
#
vlan 13
#
interface Vlan-interface11
ip address 196.1.1.3 255.255.255.0
#
interface Vlan-interface12
ip address 206.1.2.3 255.255.255.0
#
interface Vlan-interface13
ip address 206.1.3.3 255.255.255.0
#
.......
#
bgp 200
network 192.1.1.0
network 206.1.3.0
import-route ospf 1
undo synchronization
group 100 external
peer 196.1.1.1 group 100 as-number 100
group 300 external
peer 206.1.3.2 group 300 as-number 300
preference 200 200 200
#
ospf 1
import-route bgp route-policy ospf_import
area 0.0.0.0
network 206.1.2.0 0.0.0.255
#
route-policy ospf_import permit node 10
if-match ip-prefix ospf_import
#
ip ip-prefix ospf_import index 10 permit 162.1.3.0 24
ip ip-prefix ospf_import index 20 permit 162.1.4.0 24
ip ip-prefix ospf_import index 30 permit 166.1.4.0 24
ip ip-prefix ospf_import index 40 permit 166.1.3.0 24
#
......
S200_0
<S200_0> display current-configuration
#
sysname S200_0
#
.......
#
vlan 12
#
vlan 661
#
interface Vlan-interface12
ip address 206.1.2.1 255.255.255.0
#
interface Vlan-interface661
ip address 166.1.1.1 255.255.255.0
#
.......
#
ospf 1
area 0.0.0.10
network 166.1.1.0 0.0.0.255
#
area 0.0.0.0
network 206.1.2.0 0.0.0.255
#
..........
S200_10
<S200_10> display current-configuration
#
sysname S200_10
#
.......
#
vlan 621 to 622
#
vlan 661
#
vlan 665
#
interface Vlan-interface621
ip address 162.1.1.1 255.255.255.0
#
interface Vlan-interface622
ip address 162.1.2.1 255.255.255.0
#
interface Vlan-interface661
ip address 166.1.1.2 255.255.255.0
#
interface Vlan-interface665
ip address 166.1.5.1 255.255.255.0
#
.........
#
ospf 1
area 0.0.0.10
network 162.1.1.0 0.0.0.255
network 162.1.2.0 0.0.0.255
network 166.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 166.1.5.2 preference 200
#
.........
S300
<S300> display current-configuration
#
sysname S300
#
router id 3.1.1.1
#
.....
#
vlan 13
#
vlan 14
#
vlan 22
#
interface Vlan-interface13
ip address 206.1.3.2 255.255.255.0
#
interface Vlan-interface14
ip address 206.1.4.2 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface22
ip address 196.2.2.2 255.255.255.0
#
......
#
bgp 300
network 206.1.3.0
network 196.2.2.0
import-route rip
undo synchronization
group 100 external
peer 196.2.2.1 group 100 as-number 100
group 200 external
peer 206.1.3.3 group 200 as-number 200
preference 200 200 200
#
rip
undo summary
network 206.1.4.0
import-route bgp route-policy rip_import
#
route-policy rip_import permit node 10
if-match ip-prefix rip_import
#
ip ip-prefix rip_import index 10 permit 162.1.1.0 24
ip ip-prefix rip_import index 20 permit 162.1.2.0 24
ip ip-prefix rip_import index 30 permit 166.1.3.0 24
ip ip-prefix rip_import index 40 permit 166.1.4.0 24
#
.........
S300_A
<S300_A> display current-configuration
#
sysname S300_A
#
......
#
vlan 14
#
vlan 662
#
vlan 665
#
interface Vlan-interface14
ip address 206.1.4.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface662
ip address 166.1.2.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface665
ip address 166.1.5.2 255.255.255.0
#
......
#
rip
undo summary
network 206.1.4.0
network 166.1.0.0
import-route static
#
ip route-static 162.1.1.0 255.255.255.0 166.1.5.1 preference 200
ip route-static 162.1.2.0 255.255.255.0 166.1.5.1 preference 200
#
.........
S300_B
<S300_B> display current-configuration
#
sysname S300_B
#
......
#
acl number 2000
rule 5 deny
#
......
#
vlan 623
#
vlan 624
#
vlan 662
#
interface Vlan-interface623
ip address 162.1.3.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface624
ip address 162.1.4.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface662
ip address 166.1.2.2 255.255.255.0
rip version 2 multicast
#
......
#
rip
undo summary
network 166.1.0.0
network 162.1.0.0
filter-policy 2000 import
#
ip route-static 0.0.0.0 0.0.0.0 166.1.2.1 preference 60
#
......
S400
<S400> display current-configuration
#
sysname S400
#
router id 4.1.1.1
#
......
#
vlan 15 to 16
#
vlan 23
#
interface Vlan-interface15
ip address 196.1.3.3 255.255.255.0
#
interface Vlan-interface16
ip address 206.1.6.3 255.255.255.0
#
interface Vlan-interface23
ip address 196.2.3.3 255.255.255.0
#
......
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 400
network 196.1.3.0
network 196.2.3.0
import-route ospf 1
undo synchronization
group 100_1 external
peer 196.1.3.1 group 100_1 as-number 100
group 100_2 external
peer 196.2.3.2 group 100_2 as-number 100
preference 200 200 200
#
ospf 1
import-route bgp route-policy ospf_import
area 0.0.0.0
network 206.1.6.0 0.0.0.255
#
route-policy ospf_import permit node 10
if-match ip-prefix ospf_import
#
ip as-path-acl 1 permit ^100 200$
ip as-path-acl 2 permit ^100 300$
#
ip ip-prefix ospf_import index 10 permit 162.1.1.0 24
ip ip-prefix ospf_import index 20 permit 162.1.2.0 24
ip ip-prefix ospf_import index 30 permit 162.1.3.0 24
ip ip-prefix ospf_import index 40 permit 162.1.4.0 24
#
.....
S400_0
<S400_0> display current-configuration
#
sysname S400_0
#
.........
#
vlan 16
#
vlan 663 to 664
#
.........
#
interface Vlan-interface16
ip address 206.1.6.1 255.255.255.0
#
interface Vlan-interface663
ip address 166.1.3.1 255.255.255.0
#
interface Vlan-interface664
ip address 166.1.4.1 255.255.255.0
#
.........
#
ospf 1
area 0.0.1.44
network 166.1.3.0 0.0.0.255
network 166.1.4.0 0.0.0.255
#
area 0.0.0.0
network 206.1.6.0 0.0.0.255
#
.........
Verifying the Configuration
Verifying the Configuration of Routing Policy and Static Routes
<S300_B> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 166.1.2.1 Vlan-interface662
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 DIRECT 0 0 162.1.3.1 Vlan-interface623
162.1.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.4.0/24 DIRECT 0 0 162.1.4.1 Vlan-interface624
162.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.2.0/24 DIRECT 0 0 166.1.2.2 Vlan-interface662
166.1.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S300_B> tracert -a 162.1.3.1 166.1.4.1
traceroute to 166.1.4.1(166.1.4.1) 30 hops max,40 bytes packet
1 166.1.2.1 18 ms 3 ms 3 ms
2 206.1.4.2 9 ms 4 ms 4 ms
3 196.2.2.1 9 ms 9 ms 18 ms
4 196.2.3.3 6 ms 3 ms 4 ms
5 206.1.6.1 14 ms 4 ms 3 ms
Verifying the BGP and IGP Interaction Configuration
<S400_0> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.2.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.3.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.4.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
166.1.3.0/24 DIRECT 0 0 166.1.3.1 Vlan-interface663
166.1.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.4.0/24 DIRECT 0 0 166.1.4.1 Vlan-interface664
166.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.0.0/24 DIRECT 0 0 192.168.0.30 Vlan-interface1
192.168.0.30/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.6.0/24 DIRECT 0 0 206.1.6.1 Vlan-interface16
206.1.6.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S300_A> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
162.1.2.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
162.1.3.0/24 RIP 100 1 166.1.2.2 Vlan-interface662
162.1.4.0/24 RIP 100 1 166.1.2.2 Vlan-interface662
166.1.2.0/24 DIRECT 0 0 166.1.2.1 Vlan-interface662
166.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
166.1.4.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
166.1.5.0/24 DIRECT 0 0 166.1.5.2 Vlan-interface665
166.1.5.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.4.0/24 DIRECT 0 0 206.1.4.1 Vlan-interface14
206.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
162.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.1.0/24 DIRECT 0 0 166.1.1.2 Vlan-interface661
166.1.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.2.0/24 OSPF 10 20 166.1.1.1 Vlan-interface661
Verifying the Route Backup Configuration
Verify the primary route is installed into the routing table
<S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
162.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.1.0/24 DIRECT 0 0 166.1.1.2 Vlan-interface661
166.1.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.2.0/24 OSPF 10 20 166.1.1.1 Vlan-interface661
<S200_10> tracert -a 162.1.1.1 166.1.3.1
traceroute to 166.1.3.1(166.1.3.1) 30 hops max,40 bytes packet
1 166.1.1.1 10 ms 3 ms 3 ms
2 206.1.2.3 13 ms 3 ms 5 ms
3 196.1.1.1 9 ms 3 ms 4 ms
4 196.1.3.3 12 ms 3 ms 3 ms
5 206.1.6.1 14 ms 5 ms 3 ms
Verify the backup route is installed into the routing table after the primary
one fails
<S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S200_10> tracert -a 162.1.1.1 166.1.3.1
traceroute to 166.1.3.1(166.1.3.1) 30 hops max,40 bytes packet
1 166.1.5.2 11 ms 3 ms 4 ms
2 206.1.4.2 13 ms 3 ms 4 ms
3 196.2.2.1 13 ms 3 ms 6 ms
4 196.2.3.3 11 ms 3 ms 4 ms
5 206.1.6.1 12 ms 3 ms 4 ms
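The change of the first tracert hop from 166.1.1.1 to 166.1.5.2 follows from a longest-prefix-match lookup over the two S200_10 routing tables above: the static default route with preference 200 is present in both, but it is only used once the more specific O_ASE routes disappear. The Python sketch below is an added example, not part of the 3Com guide; the function names are illustrative, and the table text is an excerpt of the output shown above.

```python
import ipaddress

# Excerpt of the S200_10 "display ip routing-table" output shown above,
# before the primary path fails (host routes and loopback entries omitted).
PRIMARY_UP = """\
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
162.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.1.0/24 DIRECT 0 0 166.1.1.2 Vlan-interface661
166.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
206.1.2.0/24 OSPF 10 20 166.1.1.1 Vlan-interface661
"""

# Same excerpt after the primary path has failed.
PRIMARY_DOWN = """\
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
"""


def parse_routing_table(text):
    """Turn routing-table rows into dicts; skip headers and non-route lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        dest, proto, pref, cost, nexthop, iface = fields
        try:
            entry = {"net": ipaddress.ip_network(dest), "protocol": proto,
                     "preference": int(pref), "cost": int(cost),
                     "nexthop": nexthop, "interface": iface}
        except ValueError:
            continue  # e.g. the "Destination/Mask ..." header row
        routes.append(entry)
    return routes


def lookup(routes, destination):
    """Longest prefix wins; among equal lengths the lower preference wins."""
    addr = ipaddress.ip_address(destination)
    matching = [r for r in routes if addr in r["net"]]
    if not matching:
        return None
    return min(matching, key=lambda r: (-r["net"].prefixlen, r["preference"]))


def fallback_report(before, after):
    """Map each prefix that vanished to the route that now carries its traffic."""
    remaining = {r["net"] for r in after}
    report = {}
    for net in sorted(r["net"] for r in before if r["net"] not in remaining):
        route = lookup(after, net.network_address)
        report[str(net)] = None if route is None else (str(route["net"]),
                                                       route["nexthop"])
    return report


if __name__ == "__main__":
    up = parse_routing_table(PRIMARY_UP)
    down = parse_routing_table(PRIMARY_DOWN)
    for label, table in (("primary up", up), ("primary down", down)):
        hit = lookup(table, "166.1.3.1")
        print(label, "->", hit["net"], hit["protocol"], hit["nexthop"])
    for prefix, fallback in fallback_report(up, down).items():
        print(prefix, "now covered by", fallback)
```

The report also lists every other prefix that silently falls back to the default route after the failure, which is worth reviewing when a backup path is expected to carry only part of the traffic.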
Verifying the MED Attribute Configuration
Trace the packet forwarding path when the default MED is used
<S400_0> tracert -a 166.1.3.1 162.1.1.1
traceroute to 162.1.1.1(162.1.1.1) 30 hops max,40 bytes packet
1 206.1.6.3 11 ms 3 ms 7 ms
2 196.1.3.1 10 ms 3 ms 8 ms
3 196.1.1.3 8 ms 3 ms 3 ms
4 206.1.2.1 13 ms 4 ms 3 ms
5 166.1.1.2 13 ms 4 ms 3 ms
<S400_0> tracert -a 166.1.3.1 162.1.3.1
traceroute to 162.1.3.1(162.1.3.1) 30 hops max,40 bytes packet
1 206.1.6.3 11 ms 3 ms 3 ms
2 196.1.3.1 14 ms 4 ms 5 ms
3 196.3.1.2 10 ms 8 ms 17 ms
4 196.2.2.2 14 ms 3 ms 3 ms
5 206.1.4.1 13 ms 3 ms 3 ms
6 166.1.2.2 13 ms 3 ms 4 ms
Trace the packet forwarding path after the MED is modified
# Create AS path ACL 1 and permit the routes whose AS_PATH starts with 100
and ends with 200.
[S400] ip as-path-acl 1 permit ^100 200$
# Display the routes that match AS path ACL 1.
<S400> display bgp routing as-path-acl 1
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
----------------------------------------------------------------------
#^ 162.1.1.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.1.0/24 196.2.3.2 200 100 INC 100 200
#^ 162.1.2.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.2.0/24 196.2.3.2 200 100 INC 100 200
#^ 166.1.1.0/24 196.1.3.1 0 100 INC 100 200
# 166.1.1.0/24 196.2.3.2 0 100 INC 100 200
#^ 206.1.3.0 196.1.3.1 0 100 IGP 100 200
# Create AS path ACL 2 and permit the routes whose AS_PATH starts with 100
and ends with 300.
[S400] ip as-path-acl 2 permit ^100 300$
# Display the routes that match AS path ACL 2.
<S400> display bgp routing as-path-acl 2
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
----------------------------------------------------------------------
#^ 162.1.3.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.3.0/24 196.1.3.1 200 100 INC 100 300
#^ 162.1.4.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.4.0/24 196.1.3.1 200 100 INC 100 300
#^ 166.1.2.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.2.0/24 196.2.3.2 0 100 INC 100 300
#^ 166.1.5.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.5.0/24 196.2.3.2 0 100 INC 100 300
# 206.1.3.0 196.2.3.2 0 100 IGP 100 300
<S400_0> tracert -a 166.1.3.1 162.1.1.1
traceroute to 162.1.1.1(162.1.1.1) 30 hops max,40 bytes packet
1 206.1.6.3 9 ms 4 ms 3 ms
2 196.1.3.1 13 ms 4 ms 3 ms
3 196.1.1.3 14 ms 4 ms 3 ms
4 206.1.2.1 12 ms 3 ms 3 ms
5 166.1.1.2 13 ms 4 ms 3 ms
<S400_0> tracert -a 166.1.3.1 162.1.3.1
traceroute to 162.1.3.1(162.1.3.1) 30 hops max,40 bytes packet
1 206.1.6.3 10 ms 4 ms 3 ms
2 196.2.3.2 13 ms 3 ms 5 ms
3 196.2.2.2 12 ms 5 ms 3 ms
4 206.1.4.1 12 ms 4 ms 3 ms
5 166.1.2.2 14 ms 3 ms 5 ms
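The two `display bgp routing as-path-acl` outputs above can be checked mechanically: every listed path should match the AS path ACL it was displayed with, and where two candidates for a prefix differ only in MED, the active (`^`) route should be the one with the lower MED. The Python sketch below is an added example, not part of the 3Com guide; the function names are illustrative, and it assumes the device evaluates these two patterns the way Python's `re` module does.

```python
import re
from collections import defaultdict

# AS path ACL patterns from the configuration above.
AS_PATH_ACL = {1: r"^100 200$", 2: r"^100 300$"}

# Rows copied from the S400 output above (separator line omitted).
ACL1_OUTPUT = """\
Flags: # - valid ^ - active I - internal
D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
#^ 162.1.1.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.1.0/24 196.2.3.2 200 100 INC 100 200
#^ 162.1.2.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.2.0/24 196.2.3.2 200 100 INC 100 200
#^ 166.1.1.0/24 196.1.3.1 0 100 INC 100 200
# 166.1.1.0/24 196.2.3.2 0 100 INC 100 200
#^ 206.1.3.0 196.1.3.1 0 100 IGP 100 200
"""
ACL2_OUTPUT = """\
#^ 162.1.3.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.3.0/24 196.1.3.1 200 100 INC 100 300
#^ 162.1.4.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.4.0/24 196.1.3.1 200 100 INC 100 300
#^ 166.1.2.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.2.0/24 196.2.3.2 0 100 INC 100 300
#^ 166.1.5.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.5.0/24 196.2.3.2 0 100 INC 100 300
# 206.1.3.0 196.2.3.2 0 100 IGP 100 300
"""


def parse_bgp_routes(text):
    """Parse route rows; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("#"):
            continue
        flags, dest, nexthop, med, local_pref, origin, *path = fields
        if not (med.isdigit() and local_pref.isdigit()):
            continue
        routes.append({"active": "^" in flags, "dest": dest,
                       "nexthop": nexthop, "med": int(med),
                       "local_pref": int(local_pref), "origin": origin,
                       "path": path})
    return routes


def as_path_matches(path, pattern):
    """Match the space-joined AS_PATH against an AS path ACL pattern."""
    return re.search(pattern, " ".join(path)) is not None


def med_decisions(routes):
    """For prefixes where MED is the deciding attribute, return
    {prefix: (next hop with lowest MED, next hop flagged active)}."""
    by_prefix = defaultdict(list)
    for route in routes:
        by_prefix[route["dest"]].append(route)
    decisions = {}
    for dest, candidates in by_prefix.items():
        active = [r for r in candidates if r["active"]]
        same_pref = len({r["local_pref"] for r in candidates}) == 1
        same_neighbor_as = len({r["path"][0] for r in candidates}) == 1
        meds_differ = len({r["med"] for r in candidates}) > 1
        if not (active and same_pref and same_neighbor_as and meds_differ):
            continue  # MED does not decide between these candidates
        best = min(candidates, key=lambda r: r["med"])
        decisions[dest] = (best["nexthop"], active[0]["nexthop"])
    return decisions


def med_violations(routes):
    """Prefixes whose active route is not the lowest-MED candidate."""
    return [d for d, (best, active) in med_decisions(routes).items()
            if best != active]


if __name__ == "__main__":
    for number, output in ((1, ACL1_OUTPUT), (2, ACL2_OUTPUT)):
        routes = parse_bgp_routes(output)
        print("ACL", number, med_decisions(routes), med_violations(routes))
```

For 162.1.3.0/24 the lowest-MED next hop is 196.2.3.2, which matches the second hop of the last tracert above.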
Precautions
In the configuration and verification process, pay attention to the following points:
■ Disable the Fabric function before enabling BGP on Fabric-capable devices.
■ To achieve the configuration goal, it is recommended that you set the BGP
preference to 200. For devices with static routes configured, set a preference
for the static routes as required.
■ On S300_A, the backup route (static route) cannot be switched to the primary
RIP route automatically, so you need to delete the backup route manually and
then add it again.
■ Since the routing policy is applied when BGP routes are redistributed into IGP,
some route entries may not be redistributed, so it is recommended that you use
the tracert -a or ping -a command to verify the configuration in the source
address mode.
6 MULTICAST PROTOCOL CONFIGURATION EXAMPLES
Keywords:
IGMP, PIM-DM, PIM-SM, MSDP, IGMP Snooping
Abstract:
This document describes how to configure multicast functions on Ethernet
switches in practical networking, based on three typical networking scenarios:
1 Deployment of PIM-DM plus IGMP, with and without IGMP Snooping respectively.
Multicast group filtering in IGMP and IGMP Snooping is mainly described for this
scenario.
2 Deployment of PIM-SM plus IGMP, with and without IGMP Snooping respectively.
Simulated joining is mainly described for this scenario.
3 IGMP Snooping only. The function of dropping unknown multicast data is mainly
described for this scenario.
Acronyms:
Internet Group Management Protocol (IGMP), Internet Group Management
Protocol Snooping (IGMP Snooping), Protocol Independent Multicast Dense Mode
(PIM-DM), Protocol Independent Multicast Sparse Mode (PIM-SM), Multicast
Source Discovery Protocol (MSDP)
Multicast Protocol Overview
Different from unicast and broadcast, the multicast technique efficiently addresses
the issue of point-to-multipoint data transmission. By allowing high-efficiency
point-to-multipoint data transmission, multicast greatly saves network bandwidth
and reduces network load.
With the multicast technique, service providers can easily provide new
value-added services, such as live Webcasting, Web TV, distance learning,
Telemedicine, Web radio, real-time videoconferencing, and other bandwidth- and
time-critical information services.
IGMP
As a TCP/IP protocol responsible for IP multicast group membership management,
the Internet Group Management Protocol (IGMP) is used by IP hosts to establish
and maintain their multicast group memberships to the immediately neighboring
multicast router.
PIM
Protocol Independent Multicast (PIM) provides IP multicast forwarding by
leveraging unicast routing tables generated by static routing or any unicast routing
protocol, such as the Routing Information Protocol (RIP), Open Shortest Path First
(OSPF), Intermediate System to Intermediate System (IS-IS), or the Border Gateway
Protocol (BGP). PIM uses the unicast routing table to perform reverse path
forwarding (RPF) check in multicast forwarding.
Based on the forwarding mechanism, PIM falls into two modes:
■ PIM-DM
■ PIM-SM
PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for
multicast forwarding, suitable for small-sized networks with densely distributed
multicast group members.
PIM-SM is a type of sparse mode multicast protocol. It uses the “pull mode” for
multicast forwarding, suitable for large- and medium-sized networks with sparsely
and widely distributed multicast group members.
IGMP Snooping
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast
monitoring mechanism that runs on Layer 2 devices to manage and control
multicast groups. By analyzing received IGMP messages, a Layer 2 device running
IGMP Snooping establishes mappings between ports and MAC multicast groups
and forwards multicast data based on these mappings.
MSDP
The Multicast Source Discovery Protocol (MSDP) is an inter-domain multicast
solution for the interconnection of PIM-SM domains. It is used to discover the
multicast source information in other PIM-SM domains.
Within a PIM-SM domain, the multicast source registers only with the local
rendezvous point (RP). Therefore, the RP knows all the sources within its own
domain only. If there is a mechanism that allows RPs of different PIM-SM domains
to share their multicast source information, the information of active sources in
other domains can be delivered to the local receivers, so that multicast data can be
transmitted among different domains. MSDP achieves this objective. By setting up
MSDP peering relationships among RPs of different domains, MSDP propagates
source active (SA) messages, which carry multicast source information, between
these MSDP peers, thus allowing multicast traffic to flow between different
PIM-SM domains.
IGMP Proxy
When a multicast routing protocol (such as PIM-DM) is deployed on a large
network, many stub networks may exist. It is tedious work to configure and
manage these stub networks.
To minimize the workload of such configuration and management without
affecting the multicast connections of the multicast networks, you can configure
IGMP Proxy on a Layer 3 switch in the edge networks, so that the Layer 3 switch
forwards the IGMP join and IGMP leave messages sent by the hosts attached to it.
After the IGMP Proxy configuration, the Layer 3 switch is no longer a PIM neighbor
to the external network; instead, it is a host. The Layer 3 switch receives multicast
data for a multicast group only when a member of that group is directly attached
to it.
Support of Multicast Features
Multicast features supported by the 3Com series Ethernet switches vary with
device models. For details, see the corresponding configuration guide. Table 87
lists the multicast features supported by 3Com series Ethernet switches.
Configuration Guidance
The following configuration guidance describes the configuration of multicast
features based on the implementations on the Switch 5500Gs Ethernet switches.
For more information, see the corresponding configuration guide.
Configuring IGMP Snooping
Complete these tasks to configure IGMP Snooping:
Enabling IGMP Snooping
Follow these steps to enable IGMP Snooping:
Configuring IGMP-Snooping timers
Follow these steps to configure IGMP-Snooping timers:
Table 87 Multicast features supported by the 3Com stackable switches
Model\Feature | IGMP Snooping | IGMP | PIM | MSDP
Switch 5500 | ● | ● | ● | ●
Switch 4500 | ● | - | - | -
Switch 5500Gs | ● | ● | ● | ●
Switch 4200 | ● | - | - | -
Switch 4200G | ● | - | - | -
Switch 4210 | ● | - | - | -
E352&E328 | ● | - | - | -
E126 | ● | - | - | -
S3152P | ● | - | - | -
E152 | ● | - | - | -

Configuration task | Remarks
“Enabling IGMP Snooping” on page 161 | Required
“Configuring IGMP-Snooping timers” on page 161 | Optional
“Configuring fast leave processing” on page 162 | Optional
“Configuring a multicast group filter” on page 162 | Optional
“Configuring the maximum number of multicast groups that can be joined on a port” on page 163 | Optional
“Configuring IGMP Snooping querier” on page 163 | Optional

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable IGMP Snooping | igmp-snooping enable | Required. Disabled by default.
Enter VLAN view | vlan vlan-id | -
Enable IGMP Snooping | igmp-snooping enable | Required. Disabled by default.
Configuring fast leave processing
1 Configure fast leave processing in system view
Follow these steps to configure fast leave processing in system view:
2 Configure fast leave in Ethernet port view
Follow these steps to configure fast leave processing in Ethernet port view:
Configuring a multicast group filter
1 Configure a multicast group filter in system view
Follow these steps to configure a multicast group filter in system view:
2 Configure a multicast group filter in Ethernet port view
Follow these steps to configure a multicast group filter in Ethernet port view:
To... | Use the command... | Remarks
Enter system view | system-view | -
Configure an aging timer of router port | igmp-snooping router-aging-time seconds | Optional. By default, the router port aging time is 105 seconds.
Configure a response-to-query timer | igmp-snooping max-response-time seconds | Optional. By default, the maximum response-to-query time is 10 seconds.
Configure an aging timer of a member port of a multicast group | igmp-snooping host-aging-time seconds | Optional. By default, the aging time of the multicast group member port is 260 seconds.

To... | Use the command... | Remarks
Enter system view | system-view | -
Configure fast leave processing | igmp-snooping fast-leave [ vlan vlan-list ] | Required. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure fast leave processing | igmp-snooping fast-leave [ vlan vlan-list ] | Required. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Required. Disabled by default.
Configuring the maximum number of multicast groups that can be joined
on a port
Follow these steps to configure the maximum number of multicast groups that
can be joined on a port:
Configuring IGMP Snooping querier
Follow these steps to configure IGMP Snooping querier:
Configuring IGMP
Complete these tasks to configure IGMP:
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Required. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure maximum number of multicast groups that can be joined on the port | igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ] ] | Required. The system default is 255.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable IGMP Snooping | igmp-snooping enable | Required. Disabled by default.
Enter VLAN view | vlan vlan-id | -
Enable IGMP Snooping | igmp-snooping enable | Required. Disabled by default.
Enable IGMP-Snooping querier | igmp-snooping querier | Required. Disabled by default.
Configure the query interval | igmp-snooping query-interval seconds | Optional. The system default is 60 seconds.
Configure a source IP address for general query messages | igmp-snooping general-query source-ip { current-interface | ip-address } | Optional. The system default is 0.0.0.0.

Configuration task | Remarks
“Enabling IGMP” on page 164 | Required
“Configuring IGMP version” on page 164 | Optional
“Configuring parameters related to IGMP queries” on page 164 | Optional
“Configuring the maximum allowed number of multicast groups” on page 165 | Optional
Enabling IGMP
Follow these steps to enable IGMP:
CAUTION: The following configurations in this chapter are implemented after
multicast routing is enabled on the device and IGMP is enabled on the
corresponding interface.
Configuring IGMP version
Follow these steps to configure IGMP version:
CAUTION: The device cannot switch from one IGMP version to another
automatically. All switches on the same subnet must run the same version of IGMP.
Configuring parameters related to IGMP queries
Follow these steps to configure parameters related to IGMP queries:
Configuration task | Remarks
“Configuring a multicast group filter” on page 165 | Optional
“Configuring simulated joining” on page 166 | Optional
“Configuring IGMP proxy” on page 166 | Optional
“Removing joined IGMP groups from an interface” on page 167 | Optional

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable multicast routing | multicast routing-enable | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Enabling IGMP | igmp enable | Required. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Configure IGMP version | igmp version { 1 | 2 } | Required. IGMPv2 by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Configure IGMP query interval | igmp timer query seconds | Optional. The system default is 60 seconds.
Configure the IGMP last member query interval | igmp lastmember-queryinterval seconds | Optional. The system default is 1 second.
Configuring the maximum allowed number of multicast groups
Follow these steps to configure the maximum number of multicast groups allowed
to be joined on an interface:
CAUTION: If you configure the maximum number of multicast groups allowed on
an interface to 1, a new group joined on the interface automatically supersedes
the existing one.
If the number of existing multicast groups is larger than the limit configured on
the interface, the system will remove the oldest entries automatically until the
number of multicast groups on the interface conforms to the configured limit.
Configuring a multicast group filter
1 Configure a multicast group filter in VLAN interface view
Follow these steps to configure a multicast group filter in VLAN interface view:
2 Configuring a multicast group filter in Ethernet port view
Follow these steps to configure a multicast group filter in Ethernet port view:
To... | Use the command... | Remarks
Configure the IGMP last member query count | igmp robust-count robust-value | Optional. The system default is two.
Configure the IGMP other querier present interval | igmp timer other-querier-present seconds | Optional. The system default is 120 seconds, twice the interval specified by the igmp timer query command.
Configure the maximum response time | igmp max-response-time seconds | Optional. The system default is 10 seconds.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Configure the maximum number of multicast groups allowed on the interface | igmp group-limit limit | Required. The system default is 256.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Configure a multicast group filter | igmp group-policy acl-number [ 1 | 2 | port interface-type interface-number [ to interface-type interface-number ] ] | Optional. No filter is configured by default.
Configuring simulated joining
1 Configure simulated joining in VLAN interface view
Follow these steps to configure simulated joining in VLAN interface view:
2 Configure simulated joining in Ethernet port view
Follow these steps to configure simulated joining in Ethernet port view:
CAUTION: Before configuring simulated joining, you must enable IGMP in VLAN
interface view.
If you configure a port as a simulated host in Ethernet port view, the Ethernet port
must belong to the specified VLAN; otherwise the configuration does not take
effect.
Configuring IGMP proxy
Follow these steps to configure IGMP proxy:
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure a multicast group filter | igmp group-policy acl-number vlan vlan-id | Optional. No multicast group filter is configured by default. The port must belong to the specified VLAN.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter VLAN interface view | interface Vlan-interface interface-number | -
Configure simulated joining | igmp host-join group-address port interface-list | Optional. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Configure simulated joining | igmp host-join group-address vlan vlan-id | Optional. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable multicast routing | multicast routing-enable | Required
Enter VLAN interface view | interface Vlan-interface interface-number | -
Enable IGMP | igmp enable | Required
CAUTION:
■ You must enable PIM on the interface before configuring the igmp proxy
command. Otherwise, the IGMP proxy feature does not take effect.
■ One interface cannot serve as the proxy interface for two or more interfaces.
■ When you configure the IP address of the interface that will serve as an IGMP
proxy, make sure that the IP address is not the lowest on this subnet to prevent
this interface from being elected as the IGMP querier on the subnet, as this will
result in failure of multicast data forwarding.
Removing joined IGMP groups from an interface
Follow these steps to remove joined IGMP groups from an interface:
CAUTION: After a multicast group is removed from an interface, hosts attached
to the interface can join the multicast group again.
Configuring PIM
Configuring PIM-DM
Follow these steps to configure PIM-DM:
To... | Use the command... | Remarks
Configure IGMP proxy | igmp proxy Vlan-interface interface-number | Required. Disabled by default.

To... | Use the command... | Remarks
Remove the specified group or all groups from the specified interface or all interfaces | reset igmp group { all | interface interface-type interface-number { all | group-address [ group-mask ] } } | The reset command is available in user view.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable multicast routing | multicast routing-enable | Required. Disabled by default.
Enter PIM view | pim | -
Configure a multicast source or multicast source-group filter | source-policy acl-number | Optional. You can define the related IP addresses in an ACL.
Enter VLAN interface view | interface Vlan-interface interface-number | -
Enable PIM-DM | pim dm | Required
Configure the hello interval on the interface | pim timer hello seconds | Optional. The system default is 30 seconds.
Configure a limit on the number of PIM neighbors on the interface | pim neighbor-limit limit | Optional. The default value is 128.
Configuring PIM-SM
Follow these steps to configure PIM-SM:
To... | Use the command... | Remarks
Configure the filtering policy for PIM neighbors | pim neighbor-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enable multicast routing | multicast routing-enable | Required. Disabled by default.
Enter PIM view | pim | -
Configure a multicast source or multicast source-group filter | source-policy acl-number | Optional. You can define the related IP addresses in an ACL.
Configure a C-BSR | c-bsr interface-type interface-number hash-mask-len [ priority ] | Optional. By default, no C-BSR is configured. The default priority is 0.
Configure a C-RP | c-rp interface-type interface-number [ group-policy acl-number | priority priority ]* | Optional. By default, no C-RP is configured. The default priority is 0.
Configure a static RP | static-rp rp-address [ acl-number ] | Optional. No static RP is configured by default.
Configure a legal BSR address range | bsr-policy acl-number | Optional. No legal BSR address range is configured by default.
Configure a legal C-RP address range | crp-policy acl-number | Optional. You can define the related IP address ranges in an ACL. No legal C-RP address range is configured by default.
Configure to filter the register messages from RP to DR | register-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default.
Disable RPT-to-SPT switchover | spt-switch-threshold infinity [ group-policy acl-number [ order order-value ] ] | Optional. By default, the device switches to the SPT immediately after it receives the first multicast packet from the RPT.
Enter VLAN interface view | interface Vlan-interface interface-number | -
Enable PIM-SM | pim sm | Required
Configuring MSDP
Configuring MSDP basic functions
Follow these steps to configure MSDP basic functions:
Configuring MSDP peer connections
Complete these tasks to configure connection between MSDP peers:
1 Configure description information for MSDP peers
Follow these steps to configure description information of an MSDP peer:
To... | Use the command... | Remarks
Configuring a PIM-SM domain boundary | pim bsr-boundary | Optional. By default, no PIM-SM domain boundary is configured.
Configure the hello interval on the interface | pim timer hello seconds | Optional. The system default is 30 seconds.
Configure the maximum number of PIM neighbors allowed on the interface | pim neighbor-limit limit | Optional. The default value is 128.
Configure the filtering policy for PIM neighbors | pim neighbor-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default.
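All of the ACL-based filters in the PIM-SM command tables above (source-policy, bsr-policy, crp-policy, register-policy and pim neighbor-policy) are optional and off by default, so a configuration review should list which ones are absent and which reference an ACL that is not defined. The Python sketch below is an added example, not part of the 3Com guide. It assumes the PIM view appears in `display current-configuration` as a section headed `pim`, in the same way the `rip` and `ospf 1` sections appear in the listings earlier; the sample configuration, device name, addresses and ACL numbers are constructed.

```python
# Constructed sample in the style of "display current-configuration";
# device name, VLAN interfaces, addresses and ACL numbers are made up.
SAMPLE_CONFIG = """\
#
sysname EXAMPLE_SW
#
multicast routing-enable
#
acl number 2001
rule 0 permit source 192.0.2.2 0
#
interface Vlan-interface100
ip address 192.0.2.1 255.255.255.0
pim sm
pim neighbor-policy 2001
#
interface Vlan-interface200
ip address 198.51.100.1 255.255.255.0
pim sm
#
interface Vlan-interface300
ip address 203.0.113.1 255.255.255.0
#
pim
crp-policy 2010
#
"""

# Optional ACL-based filters listed in the PIM-SM tables above.
PIM_VIEW_FILTERS = ("source-policy", "bsr-policy", "crp-policy",
                    "register-policy")
INTERFACE_FILTER = "pim neighbor-policy"


def split_sections(config_text):
    """Split the configuration into sections delimited by '#' lines."""
    sections, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
                current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def acl_argument(line, command):
    """Return the ACL number that follows `command` on `line`, or None."""
    if not line.startswith(command + " "):
        return None
    args = line[len(command):].split()
    return args[0] if args and args[0].isdigit() else None


def audit_pim_sm(config_text):
    """Return (scope, command, issue) findings for PIM-SM filter commands."""
    sections = split_sections(config_text)
    defined_acls = {s[0].split()[2] for s in sections
                    if s[0].startswith("acl number ") and len(s[0].split()) >= 3}
    findings, pim_view, sm_in_use = [], [], False

    def check(scope, lines, command):
        acls = [a for a in (acl_argument(l, command) for l in lines) if a]
        if not acls:
            findings.append((scope, command, "not configured"))
        for acl in acls:
            if acl not in defined_acls:
                findings.append((scope, command, "undefined ACL " + acl))

    for section in sections:
        head, body = section[0], section[1:]
        if head == "pim":
            pim_view = body
        elif head.startswith("interface ") and "pim sm" in body:
            sm_in_use = True
            check(head, body, INTERFACE_FILTER)
    if sm_in_use:  # PIM view filters only matter when PIM-SM is running
        for command in PIM_VIEW_FILTERS:
            check("pim", pim_view, command)
    return findings


if __name__ == "__main__":
    for scope, command, issue in audit_pim_sm(SAMPLE_CONFIG):
        print(f"{scope}: {command}: {issue}")
```

Whether each missing filter matters depends on the role of the interface; the script only reports what is absent so that the decision is made deliberately.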
To... | Use the command... | Remarks
Enter system view | system-view | -
Enable MSDP and enter MSDP view | msdp | Required
Create an MSDP peer connection | peer peer-address connect-interface interface-type interface-number | Required. You need to configure related parameters on both devices between which the peer connection is to be created. The peer ID is an address pair (the IP address of the local interface and the IP address of the remote MSDP peer).
Configure a static RPF peer | static-rpf-peer peer-address [ rp-policy ip-prefix-name ] | Optional. For an area with only one MSDP peer, if BGP or MBGP is not running, you need to configure a static RPF peer.

Configuration task | Remarks
“Configure description information for MSDP peers” on page 169 | Required
“Configure an MSDP mesh group” on page 170 | Optional
“Configure MSDP peer connection control” on page 170 | Optional

To... | Use the command... | Remarks
Enter system view | system-view | -
2 Configure an MSDP mesh group
Follow these steps to configure an MSDP mesh group:
NOTE:
■ Before grouping multiple routers into an MSDP mesh group, make sure that
these routers are interconnected with one another.
■ To add different MSDP peers into an MSDP mesh group, configure the same
mesh group name on them.
■ An MSDP peer can belong to only one mesh group. A newly configured mesh
group name supersedes the existing one.
3 Configure MSDP peer connection control
Follow these steps to configure MSDP peer connection control:
Configuring SA message delivery
Complete these tasks to configure SA message delivery:
To... | Use the command... | Remarks
Enter MSDP view | msdp | -
Configure description information for an MSDP peer | peer peer-address description text | Optional. No description information is configured for MSDP peers by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter MSDP view | msdp | -
Add an MSDP peer in a mesh group | peer peer-address mesh-group name | Required. An MSDP peer does not belong to any mesh group by default.

To... | Use the command... | Remarks
Enter system view | system-view | -
Enter MSDP view | msdp | -
Shut down an MSDP peer | shutdown peer-address | Optional. By default, MSDP peers are connected.
Configure the MSDP peer connection retry period | timer retry seconds | Optional. The system default is 30 seconds.
Configuration Guidance 171
1 Configure the RP address in SA messages
Follow these steps to configure the RP address in SA messages:
n
In Anycast RP application, C-BSR and C-RP must be configured on different devices
or ports.
2 Configure the SA message cache
Follow these steps to configure the SA message cache:
3 Configure SA message transmission and filtering
Follow these steps to configure SA message transmission and filtering:
Configuration task Remarks
“Configure the RP address in SA messages” on page 171 Optional
“Configure the SA message cache” on page 171 Optional
“Configure SA message transmission and filtering” on page 171 Optional
“Configure a rule for filtering multicast sources in SA messages” on page
172
Optional
“Configure a filtering rule for receiving or forwarding SA messages” on
page 172
Optional
To... Use the command... Remarks
Enter system view system-view -
Enter MSDP view msdp -
Configure the RP address
in SA messages
originating-rp
interface-type
interface-number
Optional
By default, the RP address in an SA
message is the PIM RP address.
To... Use the command... Remarks
Enter system view system-view -
Enter MSDP view msdp -
Enable the SA message cache
mechanism
cache-sa-enable Optional
Enabled by default
Configure the maximum
number of SA messages the
router can cache
peer peer-address
sa-cache-maximum sa-limit
Optional
The system default is 2048.
To... Use the command... Remarks
Enter system view system-view -
Enter MSDP view msdp -
Enable the SA message cache
mechanism
cache-sa-enable Optional
After receiving an SA message, a
router caches SA state by default.
172 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES
4 Configure a rule for filtering multicast sources in SA messages
Follow these steps to configure a rule for filtering the multicast sources of SA
messages:
5 Configure a filtering rule for receiving or forwarding SA messages
Follow these steps to configure a filtering rule for receiving or forwarding SA
messages:
Enable the router to send SA
requests to the designated
MSDP peer
peer peer-address
request-sa-enable
Optional
By default, upon receiving a new
Join message, a router does not
send an SA request message to its
designated MSDP peer; instead it
waits for the next SA message.
Configure a filtering rule for
SA requests from the
specified MSDP peer
peer peer-address
sa-request-policy [ acl
acl-number ]
Optional
Be default, a router receives all SA
request messages from its MSDP
peer.
To... Use the command... Remarks
To... Use the command... Remarks
Enter system view system-view -
Enter MSDP view msdp -
Configure multicast source
filtering at SA message
creation
import-source [ acl
acl-number ]
Optional
By default, SA messages
advertise all the (S, G) entries
in the domain.
To... Use the command... Remarks
Enter system view system-view -
Enter MSDP view msdp -
Configure a filtering rule for
receiving or forwarding SA
messages
peer peer-address sa-policy
{ import | export } [ acl
acl-number ]
Optional
By default, no filtering rule is
configured for receiving or
forwarding SA messages,
namely, all SA messages from
MSDP peers will be accepted
or forwarded.
Configure the minimum TTL
required for an
SA-encapsulated multicast
packet to be forwarded to the
specified MSDP peer
peer peer-address
minimum-ttl ttl-value
Optional
The system default is 0.
PIM-DM plus IGMP plus IGMP Snooping Configuration Example
Requirement Analysis
When users receive video on demand (VOD) information through multicast, the information receiving mode may vary based on user requirements:
1 To avoid video broadcast at Layer 2, IGMP Snooping is enabled on Switch E,
through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C
provide uplink backup for the directly attached stub network N1, which comprises
multicast receivers Host C and Host D.
3 All the Layer 3 switches run RIP for unicast routing and run PIM-DM for multicast
routing.
Configuration Plan
1 Switch D connects to the network that comprises the multicast source (Source)
through VLAN-interface 300.
2 Switch A connects to Switch E through VLAN-interface 100, and to Switch D
through VLAN-interface 103.
3 Switch B and Switch C connect to stub network N1 through their respective
VLAN-interface 200, and to Switch D through VLAN-interface 101 and
VLAN-interface 102 respectively.
4 Enable IGMPv2 on VLAN-interface 100 of Switch A. Enable IGMP Snooping on
Switch E and in VLAN 100. Run IGMPv2 on Switch B, Switch C, and the hosts in
stub network N1. Typically, Switch B acts as the IGMP querier.
Network Diagram
Figure 67 Network diagram for PIM-DM plus IGMP plus IGMP Snooping configuration
[Figure 67: diagram not reproduced. Labels: Source 10.110.5.100/24; PIM-DM; Switch A, Switch B, Switch C, Switch D; Switch E in VLAN 100; receivers Host A, Host B, Host C, Host D; stub network N1; IGMP querier.]
Device Interface IP address Ports
Switch A Vlan-int100 10.110.1.1/24 Ethernet1/0/1
Vlan-int103 192.168.1.1/24 Ethernet1/0/2
Switch B Vlan-int200 10.110.2.1/24 Ethernet1/0/1
Vlan-int101 192.168.2.1/24 Ethernet1/0/2
Switch C Vlan-int200 10.110.2.2/24 Ethernet1/0/1
Vlan-int102 192.168.3.1/24 Ethernet1/0/2
Switch D Vlan-int300 10.110.5.1/24 Ethernet1/0/1
Vlan-int103 192.168.1.2/24 Ethernet1/0/2
Vlan-int101 192.168.2.2/24 Ethernet1/0/3
Vlan-int102 192.168.3.2/24 Ethernet1/0/4
Switch E Vlan 100 - Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3
Configuration Procedure
Configuring VLANs, VLAN interfaces and IP addresses on each switch
# Configure VLANs, VLAN interfaces, and their IP addresses on Switch A.
<SwitchA> system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1
[SwitchA-vlan100] quit
[SwitchA] vlan 103
[SwitchA-vlan103] port Ethernet 1/0/2
[SwitchA-vlan103] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24
[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 103
[SwitchA-Vlan-interface103] ip address 192.168.1.1 24
[SwitchA-Vlan-interface103] quit
Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per
Figure 67. The detailed configuration steps are omitted here.
Configuring the unicast routing protocol
# Enable RIP on Switch A, and then enable RIP on subnets 192.168.1.0 and
10.110.1.0.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip] network 192.168.1.0
[SwitchA-rip] network 10.110.1.0
[SwitchA-rip] quit
The configuration on Switch B, Switch C, and Switch D is similar to the
configuration on Switch A.
Configuring the multicast protocols
# Enable IP multicast routing on Switch A, enable PIM-DM on each interface, and
then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim dm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 103
[SwitchA-Vlan-interface103] pim dm
[SwitchA-Vlan-interface103] quit
The configuration on Switch B and Switch C is similar to the configuration on
Switch A.
# Enable multicast routing on Switch D, and enable PIM-DM on each interface.
<SwitchD> system-view
[SwitchD] multicast routing-enable
[SwitchD] interface vlan-interface 300
[SwitchD-Vlan-interface300] pim dm
[SwitchD-Vlan-interface300] quit
[SwitchD] interface vlan-interface 103
[SwitchD-Vlan-interface103] pim dm
[SwitchD-Vlan-interface103] quit
[SwitchD] interface vlan-interface 101
[SwitchD-Vlan-interface101] pim dm
[SwitchD-Vlan-interface101] quit
[SwitchD] interface vlan-interface 102
[SwitchD-Vlan-interface102] pim dm
[SwitchD-Vlan-interface102] quit
# Enable IGMP Snooping on Switch E, and enable IGMP Snooping in VLAN 100.
<SwitchE> system-view
[SwitchE] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchE] vlan 100
[SwitchE-vlan100] igmp-snooping enable
[SwitchE-vlan100] quit
Verifying the configuration
Now start sending multicast data to multicast group 224.1.1.1 from Source and
start receiving the multicast data on Host A, and take the following steps to verify
the configurations made on the switches.
1 Check whether the multicast stream can flow to Host A.
# View the PIM neighboring relationships on Switch D.
<SwitchD> display pim neighbor
Neighbor’s Address Interface Name Uptime Expires
192.168.2.1 Vlan-interface101 02:45:04 00:04:46
192.168.3.1 Vlan-interface102 02:42:24 00:04:45
192.168.1.1 Vlan-interface103 02:43:44 00:05:44
# View the multicast forwarding table of Switch D.
<SwitchD>display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entries: 0 entry created by IP, 1 entries created by protocol
00001. (10.110.5.110, 224.1.1.1), iif Vlan-interface1, 1 oifs,
Protocol Create
List of outgoing interface:
01: Vlan-interface101
Matched 181 pkts(271500 bytes), Wrong If 0 pkts
Forwarded 130 pkts(195000 bytes)
Total 1 entries Listed
# View the multicast forwarding table of Switch A.
<SwitchA>display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.110, 224.1.1.1), iif Vlan-interface101, 1 oifs,
Protocol Create
List of outgoing interface:
01: Vlan-interface100
Matched 451 pkts(676500 bytes), Wrong If 0 pkts
Forwarded 451 pkts(676500 bytes)
Total 1 entry Listed
Matched 1 entry
# View the multicast group information that contains port information on Switch
A.
<SwitchA> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):101.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/2
Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/15
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/15
# View the information about the multicast group entries created by IGMP
Snooping on Switch E.
<SwitchE> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/2
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/19
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/19
The above-mentioned information shows that multicast forwarding entries have
been correctly established on Switch D and Switch A, and multicast traffic can
successfully flow to Host A.
2 Configure IGMP Snooping multicast group filtering on Switch E
# Configure Switch E to filter the packets for the multicast group 224.1.1.1.
<SwitchE> system-view
[SwitchE] acl number 2000
[SwitchE-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchE-acl-basic-2000] rule permit source any
[SwitchE-acl-basic-2000] quit
[SwitchE] igmp-snooping group-policy 2000 vlan 100
# View multicast forwarding entries on Switch A.
<SwitchA> display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,
Protocol Create
Matched 5 pkts(7500 bytes), Wrong If 0 pkts
Forwarded 0 pkts(0 bytes)
Total 1 entry Listed
As shown above, Switch A has stopped forwarding multicast data for the
multicast group 224.1.1.1.
# View multicast group information on Switch E.
<SwitchE> display igmp-snooping group
Total 0 IP Group(s).
Total 0 MAC Group(s).
Vlan(id):200.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/19
With multicast group filtering enabled, the corresponding ports drop IGMP reports
for the filtered group and are removed from that group when their respective
port aging timers expire.
3 Configure IGMP multicast group filtering on Switch A.
# Disable multicast group filtering on Switch E.
<SwitchE> system-view
[SwitchE] undo igmp-snooping group-policy
Note:
To verify the configuration of IGMP multicast group filtering on Switch A, disable
IGMP Snooping multicast group filtering on Switch E first.
Configure filtering of the multicast group 224.1.1.1 on VLAN-interface 100 of Switch
A, and then display the multicast forwarding entries of Switch A.
# Configure filtering of the multicast group 224.1.1.1 on VLAN-interface 100 of
Switch A.
<SwitchA> system-view
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchA-acl-basic-2000] rule permit source any
[SwitchA-acl-basic-2000] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp group-policy 2000
[SwitchA-Vlan-interface100] return
# View multicast forwarding entries on Switch A.
<SwitchA> display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,
Protocol Create
Matched 5 pkts(7500 bytes), Wrong If 0 pkts
Forwarded 0 pkts(0 bytes)
Total 1 entry Listed
# View multicast group information on Switch A.
<SwitchA> display igmp group
Total 0 IGMP groups reported on this router
After multicast group filtering is enabled, the corresponding port cannot receive
IGMP reports. Thus, the corresponding multicast groups are deleted after the port
aging timer expires.
Note:
As shown above, IGMP Snooping multicast group filtering has the same function
as IGMP multicast group filtering. You can use either approach based on the
specific situation.
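The group-policy ACLs on this page (ACL 2000 above, and ACL 2005 in the PIM-SM example) can be checked offline before they are applied. The following Python code is an added example, not 3Com code: it evaluates the page's rules against IGMP report group addresses and shows which groups share one MAC group entry. It assumes rules are matched in configuration order and that a group matching no rule is denied; the sample reports are constructed.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    address: int   # address to compare against, as a 32-bit integer
    wildcard: int  # wildcard mask: 1-bits are ignored in the comparison


def parse_rule(text):
    """Parse 'rule {permit|deny} source {any | address wildcard}' as used on this page."""
    tokens = text.split()
    if len(tokens) not in (4, 5) or tokens[0] != "rule" or tokens[2] != "source":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action = tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {text!r}")
    if tokens[3] == "any" and len(tokens) == 4:
        return Rule(action, 0, MASK32)
    if len(tokens) != 5:
        raise ValueError(f"missing wildcard in: {text!r}")
    address = int(ipaddress.IPv4Address(tokens[3]))
    # A bare "0" wildcard means "match exactly this address".
    wildcard = 0 if tokens[4] == "0" else int(ipaddress.IPv4Address(tokens[4]))
    return Rule(action, address, wildcard)


def evaluate(rules, group, default="deny"):
    """Return the action of the first matching rule.

    Assumptions: rules are tried in configuration order, and 'default' is
    what happens when nothing matches (not stated on the page).
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    for rule in rules:
        care = ~rule.wildcard & MASK32
        if (int(addr) & care) == (rule.address & care):
            return rule.action
    return default


def group_mac(group):
    """Map an IPv4 group to its MAC group address (low 23 bits under 0100-5e)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    digits = (0x01005E000000 | low23).to_bytes(6, "big").hex()
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def admitted_reports(rules, reports, default="deny"):
    """Keep only the (port, group) reports that the group policy permits."""
    return [(port, group) for port, group in reports
            if evaluate(rules, group, default) == "permit"]


# Rules copied from the page.
ACL_2000 = [parse_rule(r) for r in ("rule deny source 224.1.1.1 0",
                                    "rule permit source any")]
ACL_2005 = [parse_rule("rule permit source 225.1.1.0 0.0.0.255")]

# Constructed sample IGMP reports: (receiving port, reported group).
REPORTS = [("Ethernet1/0/19", "224.1.1.1"),
           ("Ethernet1/0/19", "225.1.1.1"),
           ("Ethernet1/0/3", "224.1.1.2")]

if __name__ == "__main__":
    for port, group in REPORTS:
        print(port, group, group_mac(group), evaluate(ACL_2000, group))
```

Because 224.1.1.1 and 225.1.1.1 map to the same MAC group address, the deny rule in ACL 2000 covers only the first of them; an ACL that permits the wanted groups and denies the rest avoids relying on a single deny entry.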
PIM-SM plus IGMP plus IGMP Snooping Configuration Examples
Requirement Analysis
When users receive VOD information through multicast, the information receiving
mode may vary based on user requirements:
1 To avoid broadcasting of the video information at Layer 2, IGMP Snooping is
enabled on Switch E, through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C
provide uplink backup for the directly attached stub network N1, which comprises
multicast receivers Host C and Host D.
3 Configure the PIM-SM domain as a single-BSR domain. Run OSPF for unicast
routing in the domain.
Configuration Plan
1 Switch D connects to the network that comprises the multicast source (Source)
through VLAN-interface 300.
2 Switch A connects to Switch F through VLAN-interface 100, and to Switch D and
Switch E through VLAN-interface 101 and VLAN-interface 102 respectively.
3 Switch B and Switch C connect to stub network N1 through their respective
VLAN-interface 200, and to Switch E through VLAN-interface 103 and
VLAN-interface 104 respectively.
4 It is required that VLAN-interface 105 of Switch D and VLAN-interface 102 of
Switch E act as C-BSR and C-RP.
5 IGMPv2 is required on VLAN-interface 100 of Switch A. IGMP Snooping is required
on Switch F and in VLAN 100. IGMPv2 is also required between Switch B, Switch
C, and stub network N1. Typically, Switch B acts as the querier.
Network Diagram
Figure 68 Network diagram for PIM-SM plus IGMP plus IGMP Snooping configuration
[Figure 68: diagram not reproduced. Labels: Source 10.110.5.100/24; PIM-SM; Switch A, Switch B, Switch C, Switch D, Switch E; Switch F in VLAN 100; receivers Host A, Host B, Host C, Host D; stub network N1.]
Device Interface IP address Ports
Switch A Vlan-int100 10.110.1.1/24 Ethernet1/0/1
Vlan-int101 192.168.1.1/24 Ethernet1/0/2
Vlan-int102 192.168.9.1/24 Ethernet1/0/3
Switch B Vlan-int200 10.110.2.1/24 Ethernet1/0/1
Vlan-int103 192.168.2.1/24 Ethernet1/0/2
Switch C Vlan-int200 10.110.2.2/24 Ethernet1/0/1
Vlan-int104 192.168.3.1/24 Ethernet1/0/2
Switch D Vlan-int300 10.110.5.1/24 Ethernet1/0/1
Vlan-int101 192.168.1.2/24 Ethernet1/0/2
Vlan-int105 192.168.4.2/24 Ethernet1/0/3
Switch E Vlan-int104 192.168.3.2/24 Ethernet1/0/3
Vlan-int103 192.168.2.2/24 Ethernet1/0/2
Vlan-int102 192.168.9.2/24 Ethernet1/0/1
Vlan-int105 192.168.4.1/24 Ethernet1/0/4
Switch F Vlan 100 - Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3
Configuration Procedure
Configuring VLANs, VLAN interfaces and IP addresses for each switch
# Configure VLANs, VLAN interfaces, and their IP addresses on Switch A.
<SwitchA> system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1
[SwitchA-vlan100] quit
[SwitchA] vlan 101
[SwitchA-vlan101] port Ethernet 1/0/2
[SwitchA-vlan101] quit
[SwitchA] vlan 102
[SwitchA-vlan102] port Ethernet 1/0/3
[SwitchA-vlan102] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24
[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 192.168.1.1 24
[SwitchA-Vlan-interface101] quit
[SwitchA] interface Vlan-interface 102
[SwitchA-Vlan-interface102] ip address 192.168.9.1 24
[SwitchA-Vlan-interface102] quit
Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per
Figure 68. The detailed configuration steps are omitted here.
Configuring the unicast routing protocol
# Configure a router ID and enable OSPF on Switch A.
<SwitchA> system-view
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.110.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.9.0 0.0.0.255
The configuration on Switch B, Switch C, Switch D, and Switch E is similar to the
configuration on Switch A.
Configuring the multicast protocols
# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and
then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim sm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] pim sm
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim sm
Note:
It is necessary to enable IGMP only on interfaces with attached multicast receivers.
As the default IGMP version is IGMPv2, it is not necessary to use the version
configuration command on the interface.
The configuration on Switch B and Switch C is similar to that on Switch A. The
configuration on Switch D and Switch E is also similar to that on Switch A except
that it is not necessary to enable IGMP on the corresponding interfaces on these
two switches.
# Configure the group range to be served by the RP and configure a C-BSR and a
C-RP on Switch D.
<SwitchD> system-view
[SwitchD] acl number 2005
[SwitchD-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchD-acl-basic-2005] quit
[SwitchD] pim
[SwitchD-pim] c-bsr vlan-interface 105 24 2
[SwitchD-pim] c-rp vlan-interface 105 group-policy 2005 priority 2
[SwitchD-pim] quit
# Configure the group range to be served by the RP and configure a C-BSR and a
C-RP on Switch E.
<SwitchE> system-view
[SwitchE] acl number 2005
[SwitchE-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2005] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlan-interface 102 24 1
[SwitchE-pim] c-rp vlan-interface 102 group-policy 2005 priority 1
[SwitchE-pim] quit
# Enable IGMP Snooping globally on Switch F, and enable IGMP Snooping in
VLAN 100.
<SwitchF> system-view
[SwitchF] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchF] vlan 100
[SwitchF-vlan100] igmp-snooping enable
[SwitchF-vlan100] quit
Verifying the configuration
Now start sending multicast data to multicast group 225.1.1.1 from Source and
start receiving the multicast data on Host A and Host C, and take the following
steps to verify the configurations made on the switches.
1 Check whether the multicast stream flows to Host A and Host C.
# View PIM neighboring relationships on Switch E.
<SwitchE> display pim neighbor
Neighbor’s Address Interface Name Uptime Expires
192.168.9.1 Vlan-interface102 02:47:04 00:01:42
192.168.2.1 Vlan-interface103 02:45:04 00:04:46
192.168.3.1 Vlan-interface104 02:42:24 00:04:45
192.168.4.2 Vlan-interface105 02:43:44 00:05:44
# View BSR information on Switch E.
<SwitchE> display pim bsr-info
Current BSR Address: 192.168.4.2
Priority: 2
Mask Length: 24
Expires: 00:01:39
Local Host is C-BSR: 192.168.9.2
Priority: 1
Mask Length: 24
# View RP information on Switch E.
<SwitchE> display pim rp-info
PIM-SM RP-SET information:
BSR is: 192.168.4.2
Group/MaskLen: 225.1.1.0/24
RP 192.168.9.2
Version: 2
Priority: 1
Uptime: 00:03:15
Expires: 00:01:14
RP 192.168.4.2
Version: 2
Priority: 2
Uptime: 00:04:25
Expires: 00:01:09
# View PIM routing table entries on Switch A.
<SwitchA> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry
(*, 225.1.1.1), RP 192.168.9.2
Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
Uptime: 00:23:21, never timeout
Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
Downstream interface list:
Vlan-interface100, Protocol 0x1: IGMP, never timeout
(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x80004: SPT
Uptime: 00:03:43, Timeout in 199 sec
Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
Downstream interface list:
Vlan-interface100, Protocol 0x1: IGMP, never timeout
Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry
The information on Switch B and Switch C is similar to that on Switch A.
# View PIM routing table entries on Switch D.
<SwitchD> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x4: SPT
Uptime: 00:03:03, Timeout in 27 sec
Upstream interface: Vlan-interface300, RPF neighbor: NULL
Downstream interface list:
Vlan-interface101, Protocol 0x200: SPT, timeout in 147 sec
Vlan-interface105, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
# View PIM routing table entries on Switch E.
<SwitchE> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry
(*,225.1.1.1), RP 192.168.9.2
Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
Uptime: 00:02:34, Timeout in 176 sec
Upstream interface: Null, RPF neighbor: 0.0.0.0
Downstream interface list:
Vlan-interface102, Protocol 0x100: RPT, timeout in 176 sec
Vlan-interface103, Protocol 0x100: SPT, timeout in 135 sec
(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x4: SPT
Uptime: 00:03:03, Timeout in 27 sec
Upstream interface: Vlan-interface105, RPF neighbor: 192.168.4.2
Downstream interface list:
Vlan-interface102, Protocol 0x200: SPT, timeout in 147 sec
Vlan-interface103, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry
# View the information about multicast group entries created by IGMP Snooping
on Switch F.
<SwitchF> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/2
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/19
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/19
# View multicast group information that contains port information on Switch B.
<SwitchB> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/24
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/24
Vlan(id):103.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/10
As shown above, multicast traffic can successfully flow to Host A and Host C.
2 Configure simulated joining
Configure simulated joining on Switch B so that the multicast switch does not
conclude, for whatever reason, that no multicast receiver exists on the subnet and
remove the corresponding path from the multicast forwarding tree.
# Configure Ethernet 1/0/21 as a simulated host to join multicast group 225.1.1.1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 200
[SwitchB-Vlan-interface200] igmp host-join 225.1.1.1 port Ethernet 1/0/21
# View multicast group information that contains port information on Switch B.
<SwitchB> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/21 Ethernet1/0/24
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/21 Ethernet1/0/24
Vlan(id):103.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/10
As shown above, Ethernet 1/0/21 has become a member port for multicast group
225.1.1.1.
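The BSR and RP shown in the display pim bsr-info, display pim rp-info and display pim routing-table output above can be predicted from the c-bsr and c-rp commands, which gives a baseline to compare a live switch against. The following Python code is an added example, not 3Com code: it applies the standard PIM-SM rules (RFC 5059 BSR election, RFC 7761 group-to-RP mapping), on the assumption that these switches follow them; the audit helper and the unexpected address in the usage lines are hypothetical.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_int(address):
    return int(ipaddress.IPv4Address(address))


def elect_bsr(c_bsrs):
    """c_bsrs: (address, priority) pairs. Highest priority wins; ties go to the highest address."""
    if not c_bsrs:
        raise ValueError("no candidate BSRs")
    return max(c_bsrs, key=lambda c: (c[1], ip_int(c[0])))[0]


def rp_hash(group, hash_mask_len, rp_address):
    """RFC 7761 hash: groups that agree in the first hash_mask_len bits hash alike."""
    mask = (MASK32 << (32 - hash_mask_len)) & MASK32
    masked_group = ip_int(group) & mask
    inner = (1103515245 * masked_group + 12345) ^ ip_int(rp_address)
    return (1103515245 * inner + 12345) % 2**31


def select_rp(rp_set, group, hash_mask_len):
    """rp_set: (group_range, rp_address, priority) tuples learned from the BSR.

    Order of preference: longest matching group range, lowest priority value,
    highest hash value, highest RP address. Returns None if no range matches.
    """
    addr = ipaddress.IPv4Address(group)
    matching = []
    for group_range, rp_address, priority in rp_set:
        network = ipaddress.IPv4Network(group_range)
        if addr in network:
            matching.append((network.prefixlen, rp_address, priority))
    if not matching:
        return None
    longest = max(m[0] for m in matching)
    matching = [m for m in matching if m[0] == longest]
    best_priority = min(m[2] for m in matching)
    matching = [m for m in matching if m[2] == best_priority]
    winner = max(matching,
                 key=lambda m: (rp_hash(group, hash_mask_len, m[1]), ip_int(m[1])))
    return winner[1]


def audit(observed_bsr, observed_rp, c_bsrs, rp_set, group, hash_mask_len):
    """Compare what a switch reports with what the configuration should produce."""
    findings = []
    expected_bsr = elect_bsr(c_bsrs)
    if observed_bsr != expected_bsr:
        findings.append(f"BSR is {observed_bsr}, expected {expected_bsr}")
    expected_rp = select_rp(rp_set, group, hash_mask_len)
    if observed_rp != expected_rp:
        findings.append(f"RP for {group} is {observed_rp}, expected {expected_rp}")
    return findings


# Values taken from the page: c-bsr ... 24 2 on Switch D (192.168.4.2),
# c-bsr ... 24 1 on Switch E (192.168.9.2), both C-RPs serving ACL 2005's range.
C_BSRS = [("192.168.4.2", 2), ("192.168.9.2", 1)]
RP_SET = [("225.1.1.0/24", "192.168.9.2", 1),
          ("225.1.1.0/24", "192.168.4.2", 2)]
HASH_MASK_LEN = 24

if __name__ == "__main__":
    print("expected BSR:", elect_bsr(C_BSRS))
    print("expected RP for 225.1.1.1:", select_rp(RP_SET, "225.1.1.1", HASH_MASK_LEN))
    # 192.168.4.99 is a constructed address standing in for an unplanned C-BSR.
    print(audit("192.168.4.99", "192.168.9.2", C_BSRS, RP_SET, "225.1.1.1", HASH_MASK_LEN))
```

With the page's values the expected BSR is 192.168.4.2 and the expected RP for 225.1.1.1 is 192.168.9.2, matching the display output on Switch E and Switch A.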
IGMP Snooping-Only Configuration Examples
Network Requirements
When it is unnecessary or infeasible to build a Layer-3 multicast network,
enabling IGMP Snooping on all the devices in a Layer 2 network can implement
some multicast functions.
Configuration Plan
1 As shown in Figure 69, in a Layer-2 network without Layer-3 devices, Switch C
connects to the multicast source through Ethernet 1/0/3. At least one receiver is
attached to Switch B and Switch C respectively.
2 Enable IGMP Snooping on Switch A, Switch B, and Switch C, with Switch A acting
as the IGMP Snooping querier.
3 Enable Switch A and Switch B to drop unknown multicast traffic so that multicast
traffic for unknown multicast groups is not flooded in the VLAN.
Network Diagram
Figure 69 Network diagram for IGMP Snooping-only configuration
[Figure 69: diagram not reproduced. Labels: Source 1.1.1.1/24; Switch A, Switch B, Switch C; Querier; receivers Host A, Host B, Host C; ports Eth1/0/1, Eth1/0/2, Eth1/0/3.]
Configuration Procedure
Configuring Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, add Ethernet 1/0/1 and Ethernet 1/0/2 into VLAN 100, and
then enable IGMP Snooping in this VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1 Ethernet 1/0/2
[SwitchA-vlan100] igmp-snooping enable
# Enable IGMP Snooping querier in VLAN 100.
[SwitchA-vlan100] igmp-snooping querier
[SwitchA-vlan100] quit
# Enable the function of dropping unknown multicast packets.
[SwitchA] unknown-multicast drop enable
Configuring Switch B
# Enable IGMP Snooping globally.
<SwitchB> system-view
[SwitchB] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100,
and then enable IGMP Snooping in this VLAN.
[SwitchB] vlan 100
[SwitchB-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchB-vlan100] igmp-snooping enable
[SwitchB-vlan100] quit
# Enable the function of dropping unknown multicast packets.
[SwitchB] unknown-multicast drop enable
Configuring Switch C
# Enable IGMP Snooping globally.
<SwitchC> system-view
[SwitchC] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100,
and then enable IGMP Snooping in this VLAN.
[SwitchC] vlan 100
[SwitchC-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchC-vlan100] igmp-snooping enable
CAUTION: Switch C is not the IGMP Snooping querier, so it does not have
member ports for non-directly-connected hosts, and the corresponding
forwarding entries cannot be created on it. Therefore, do not enable the function
of dropping unknown multicast packets on Switch C. To avoid impact on the
network and on Switch C caused by multicast flooding, it is recommended to
enable IGMP Snooping querier on the switch to which the multicast source is
directly attached.
Verifying the configuration
1 View information on Switch B.
# View IGMP packet statistics on Switch B.
<SwitchB> display igmp-snooping statistics
Received IGMP general query packet(s) number:16.
Received IGMP specific query packet(s) number:3.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.
Switch B received IGMP general queries sent by the querier and IGMP reports from
receivers.
# View multicast group information on Switch B.
<SwitchB> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/1
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/2
MAC group(s):
MAC group address:0100-5e7f-fffe
Host port(s):Ethernet1/0/2
As shown above, a forwarding entry for the multicast group 224.1.1.1 has been
created on Switch B, with Ethernet 1/0/1 as the router port and Ethernet 1/0/2 as
the member port.
2 View information on Switch A.
# View IGMP packet statistics on Switch A.
<SwitchA> display igmp-snooping statistics
Received IGMP general query packet(s) number:0.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.
Switch A receives IGMP reports from the receivers.
# View multicast group information on Switch A.
<SwitchA> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/1
MAC group(s):
MAC group address:0100-5e7f-fffe
Host port(s):Ethernet1/0/1
As shown above, a forwarding entry for the multicast group 224.1.1.1 has been
created on Switch A, with Ethernet 1/0/1 as the member port. Acting as the IGMP
Snooping querier, Switch A does not have a router port.
3 View information on Switch C.
# View IGMP packet statistics on Switch C.
<SwitchC> display igmp-snooping statistics
Received IGMP general query packet(s) number:10.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:0.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.
Switch C received only IGMP general queries from the querier.
# View multicast group information on Switch C.
<SwitchC> display igmp-snooping group
Total 0 IP Group(s).
Total 0 MAC Group(s).
Vlan(id):100.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/1
As shown above, no forwarding entries have been created on Switch C. The
switch must flood multicast data in the VLAN to allow the multicast data to flow
to the receivers downstream; therefore, do not enable the function of dropping
unknown multicast packets on Switch C.
MSDP Configuration Examples
Network Requirements
To enable communication between receivers and multicast sources in different
PIM-SM domains, use MSDP to establish MSDP peering relationships between the
RPs of different PIM-SM domains, so that these RPs can forward SA messages
between PIM-SM domains to share multicast source information.
Configuration Plan
■ Two ISPs maintain their respective ASs, AS 100 and AS 200. OSPF runs within
each AS, and BGP is deployed for interoperability between the two ASs.
■ PIM-SM 1 belongs to AS 100. PIM-SM 2 and PIM-SM 3 belong to AS 200.
■ Both PIM-SM domains have 0 or 1 multicast source and at least one receiver.
OSPF runs within each domain for unicast routing.
■ The respective loopback interfaces, Loopback 0, of Switch C, Switch D and
Switch F are configured as C-BSRs and C-RPs of the respective PIM-SM
domains.
■ Establish MSDP peering relationship between Switch C and Switch D through
EBGP. Establish MSDP peering relationship between Switch D and Switch F
through IBGP.
Network Diagram
Figure 70 Network diagram for MSDP configuration

Device     Interface     IP address
Switch A   Vlan-int100   10.110.1.2/24
           Vlan-int200   10.110.6.1/24
           Vlan-int300   10.110.5.1/24
Switch B   Vlan-int100   10.110.7.1/24
           Vlan-int200   10.110.2.2/24
           Vlan-int300   10.110.5.2/24
Switch C   Vlan-int100   10.110.1.1/24
           Vlan-int200   10.110.2.1/24
           Vlan-int101   192.168.1.1/24
           Loop0         1.1.1.1/32
Switch D   Vlan-int300   10.110.4.1/24
           Vlan-int102   192.168.3.1/24
           Vlan-int101   192.168.1.2/24
           Loop0         2.2.2.2/32
Switch E   Vlan-int100   10.110.8.1/24
           Vlan-int200   10.110.9.1/24
           Vlan-int300   10.110.4.2/24
           Loop0         2.2.2.2/32
Switch F   Vlan-int400   10.110.3.1/24
           Vlan-int102   192.168.3.2/24
           Loop0         3.3.3.3/32
Switch G   Vlan-int100   10.110.10.1/24
           Vlan-int400   10.110.3.2/24

Configuration Procedure
Configuring an interface IP address and a unicast routing protocol for each
switch
Configure an IP address and a subnet mask for each interface as per Figure 70.
The detailed configuration steps are not discussed in this document.
Configure OSPF for interoperation between switches in each PIM-SM domain.
Ensure the network-layer interoperation among Switch A, Switch B and Switch C
in PIM-SM 1, the network-layer interoperation between Switch D and Switch E in
PIM-SM 2, and the network-layer interoperation between Switch F and Switch G
in PIM-SM 3, and ensure the dynamic update of routing information between the
switches in each PIM-SM domain through the unicast routing protocol.
Configuring a unicast routing protocol for each AS
# Configure OSPF on Switch C.
<SwitchC> system-view
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.110.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 10.110.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
The configuration on Switch A, Switch B, Switch D, Switch E, Switch F and Switch
G is similar to the configuration on Switch C.
Configuring a multicast routing protocol
1 Enable IP multicast routing, enable PIM-SM on each interface, and enable IGMP on
the interfaces connected with receivers.
# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and
enable IGMP on VLAN-interface 200.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] pim sm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 200
[SwitchA-Vlan-interface200] pim sm
[SwitchA-Vlan-interface200] igmp enable
[SwitchA-Vlan-interface200] quit
[SwitchA] interface vlan-interface 300
[SwitchA-Vlan-interface300] pim sm
The configuration on Switch E and Switch G is similar to the configuration on
Switch A. The specific configuration steps are omitted here.
# Enable IP multicast routing on Switch C and enable PIM-SM on each interface.
<SwitchC> system-view
[SwitchC] multicast routing-enable
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] pim sm
[SwitchC-Vlan-interface100] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] pim sm
[SwitchC-Vlan-interface200] quit
[SwitchC] interface vlan-interface 101
[SwitchC-Vlan-interface101] pim sm
The configuration on Switch B, Switch D, and Switch F is similar to the
configuration on Switch C. The specific configuration steps are omitted here.
# Configure a BSR boundary on Switch C.
[SwitchC-Vlan-interface101] pim bsr-boundary
[SwitchC-Vlan-interface101] quit
The configuration on Switch D and Switch F is similar to the configuration on
Switch C.
2 Configure the position of interface Loopback 0, C-BSR, and C-RP.
# Configure the position of Loopback 0, C-BSR, and C-RP on Switch C.
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchC-LoopBack0] pim sm
[SwitchC-LoopBack0] quit
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 0 24
[SwitchC-pim] c-rp loopback 0
[SwitchC-pim] quit
The configuration on Switch D and Switch F is similar to the configuration on
Switch C.
Configuring inter-AS BGP for mutual route redistribution between BGP
and OSPF
# Configure EBGP on Switch C, and configure OSPF route redistribution.
[SwitchC] bgp 100
[SwitchC-bgp] group 100 external
[SwitchC-bgp] peer 192.168.1.2 group 100 as-number 200
[SwitchC-bgp] import-route ospf 1
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit
# Configure IBGP and EBGP on Switch D, and configure OSPF route redistribution.
[SwitchD] bgp 200
[SwitchD-bgp] group 100 external
[SwitchD-bgp] group 200
[SwitchD-bgp] peer 192.168.1.1 group 100 as-number 100
[SwitchD-bgp] peer 192.168.3.2 group 200
[SwitchD-bgp] import-route ospf 1
[SwitchD-bgp] import-route direct
[SwitchD-bgp] quit
# Configure IBGP on Switch F, and configure OSPF route redistribution.
[SwitchF] bgp 200
[SwitchF-bgp] group 200
[SwitchF-bgp] peer 192.168.3.1 group 200
[SwitchF-bgp] import-route ospf 1
[SwitchF-bgp] import-route direct
[SwitchF-bgp] quit
# Configure BGP route redistribution to OSPF on Switch C.
[SwitchC] ospf 1
[SwitchC-ospf-1] import-route bgp
[SwitchC-ospf-1] quit
The configuration on Switch D and Switch F is similar to the configuration on
Switch C.
Carry out the display bgp peer command to view the BGP peering relationships
between the switches. For example:
# View the information about BGP peering relationships on Switch C.
[SwitchC] display bgp peer
Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State
--------------------------------------------------------------------------
192.168.1.2 200 4 0 950 945 15:41:14 Established
# View the information about BGP peering relationships on Switch D.
[SwitchD] display bgp peer
Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State
--------------------------------------------------------------------------
192.168.1.1 100 4 0 946 953 15:43:32 Established
192.168.3.2 200 4 0 946 954 15:41:18 Established
# View the information about BGP peering relationships on Switch F.
[SwitchF] display bgp peer
Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State
--------------------------------------------------------------------------
192.168.3.1 200 4 0 953 948 15:42:23 Established
Configuring MSDP peers
# Configure an MSDP peer on Switch C.
[SwitchC] msdp
[SwitchC-msdp] peer 192.168.1.2 connect-interface vlan-interface 101
[SwitchC-msdp] quit
# Configure MSDP peers on Switch D.
[SwitchD] msdp
[SwitchD-msdp] peer 192.168.1.1 connect-interface vlan-interface 101
[SwitchD-msdp] peer 192.168.3.2 connect-interface vlan-interface 102
[SwitchD-msdp] quit
# Configure an MSDP peer on Switch F.
[SwitchF] msdp
[SwitchF-msdp] peer 192.168.3.1 connect-interface vlan-interface 102
[SwitchF-msdp] quit
When the multicast source Source 1 sends multicast information, receivers in
PIM-SM 2 and PIM-SM 3 can receive the multicast data. You can use the display
msdp brief command to view brief information about the MSDP peering
relationships between the switches. For example:
# View the brief information about MSDP peering relationships on Switch C.
[SwitchC] display msdp brief
MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.1.2 Up 00:12:27 200 13 0
# View the brief information about MSDP peering relationships on Switch D.
[SwitchD] display msdp brief
MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.3.2 Up 00:15:32 200 8 0
192.168.1.1 UP 00:06:39 100 13 0
# View the brief information about MSDP peering relationships on Switch F.
[SwitchF] display msdp brief
MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.3.1 UP 01:07:08 200 8 0
# View the detailed MSDP peer information on Switch C.
[SwitchC] display msdp peer-status
MSDP Peer 192.168.1.2, AS 200
Description:
Information about connection status:
State: Up
Up/down time: 00:15:47
Resets: 0
Connection interface: Vlan-interface101 (192.168.1.1)
Number of sent/received messages: 16/16
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:17:51
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
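The peer-status output above reports "Import policy: none", "Export policy: none" and "SA-cache maximum for the peer: none", so this peer's SA messages are neither filtered nor bounded. The following Python audit is an added example, not part of the 3Com guide: it parses display msdp peer-status text and flags those settings per peer. The finding names and the second peer block (192.0.2.9, including the format of its policy values) are constructed for illustration.

```python
import re

# First block: copied from the Switch C output above.
# Second block: constructed peer, shown only to exercise the other checks.
SAMPLE = """\
MSDP Peer 192.168.1.2, AS 200
Description:
Information about connection status:
State: Up
Up/down time: 00:15:47
Resets: 0
Connection interface: Vlan-interface101 (192.168.1.1)
Number of sent/received messages: 16/16
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:17:51
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
MSDP Peer 192.0.2.9, AS 65001
State: Down
Import policy: 3100
Export policy: 3101
SAs learned from this peer: 0, SA-cache maximum for the peer: 500
Count of RPF check failure: 4
"""

PEER_RE = re.compile(r"^MSDP Peer (\S+), AS (\d+)\s*$")


def parse_peers(text):
    """Return {peer_ip: {"AS": "...", field: value, ...}} from peer-status text."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            current = peers.setdefault(m.group(1), {"AS": m.group(2)})
            continue
        if current is None or not line or line.endswith(":"):
            continue  # preamble, blank line, or a section heading
        # Some lines carry two "key: value" pairs separated by ", ".
        for part in line.split(", "):
            key, sep, value = part.partition(": ")
            if sep:
                current[key.strip()] = value.strip()
    return peers


def audit(peers):
    """Return {peer_ip: [finding, ...]} for settings worth reviewing."""
    findings = {}
    for ip, f in peers.items():
        issues = []
        if f.get("State", "").lower() != "up":
            issues.append("session-not-up")
        if f.get("Import policy", "none") == "none":
            issues.append("no-import-sa-filter")   # every advertised (S, G) is accepted
        if f.get("Export policy", "none") == "none":
            issues.append("no-export-sa-filter")   # every local source is advertised
        if f.get("SA-cache maximum for the peer", "none") == "none":
            issues.append("no-sa-cache-limit")     # SA state from this peer is unbounded
        rpf = f.get("Count of RPF check failure", "0")
        if rpf.isdigit() and int(rpf) > 0:
            issues.append("rpf-failures")
        findings[ip] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit(parse_peers(SAMPLE)).items():
        print(peer, ", ".join(issues) or "ok")
```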
7
VLAN CONFIGURATION EXAMPLES
Keywords:
VLAN, 802.1q, VLAN interface, protocol VLAN
Abstract:
This document introduces how VLAN of the 3Com series Ethernet switches is
applied and configured in practical networking implementations and how
protocols are used in conjunction with VLANs.
Acronyms:
VLAN (Virtual local area network)
VLAN Support Matrix
Support for VLAN on 3Com Stackable Switches
Table 88 Support for VLAN on 3Com stackable switches

Model                 802.1Q VLAN   VLAN interface   Protocol VLAN
Switch 5500           ●             ●                ●
Switch 4500           ●             ●                ●
Switch 5500Gs         ●             ●                ●
Switch 4200           ●             ❍                ●
Switch 4210           ●             ❍                -
Switch 4210 52-Port   ●             ●                -
E352/E328             ●             ●                ●
E126                  ●             ❍                -
E152                  ●             ❍                -

Note:
■ In the above table, the solid dots (●) indicate that the corresponding models
provide full support for the function; the hollow dots (❍) indicate that the
corresponding models provide incomplete support for the function, that is, the
corresponding models support only the VLAN-interface for the management
VLAN; the dashes (-) indicate that the corresponding models do not support
the function.
■ For detailed information about the support of your device for VLAN, refer to
the user manual for your device.
Configuration Guide
Note:
■ The configuration procedure differs by device. In this guide, the Switch 5500 is
used as an example. For information on how to configure VLAN on other
models, refer to the Configuration Guide for that model.
■ The configuration example in this guide provides only basic configuration
procedures. For detailed information about individual functions, refer to the
Configuration Guide and Command Reference Guide for that model.
Configuring Basic VLAN Settings
The 3Com series switches support IEEE 802.1Q VLAN. The technology allows you
to organize Ethernet ports into virtual workgroups by assigning them to different
VLANs.
Follow these steps to create a VLAN and perform basic VLAN configuration:

To...                               Use the command...                          Remarks
Enter system view                   system-view                                 -
Create multiple VLANs in bulk       vlan { vlan-id1 to vlan-id2 | all }         Optional
Create a VLAN and enter VLAN view   vlan vlan-id                                Required
                                                                                By default, only one default VLAN (VLAN 1)
                                                                                exists in the system.
Assign a name for the current VLAN  name text                                   Optional
                                                                                By default, the name of a VLAN is its VLAN
                                                                                ID, for example, VLAN 0001.
Configure the description of the    description text                            Optional
current VLAN                                                                    By default, the description of a VLAN is
                                                                                its VLAN ID, for example, VLAN 0001.
Display VLAN information            display vlan [ vlan-id [ to vlan-id ] |     Available in any view
                                    all | dynamic | static ]

You can assign a port to a VLAN in Ethernet port view or in VLAN view.
Follow these steps to assign a port to a VLAN in VLAN view:

To...                               Use the command...                          Remarks
Enter system view                   system-view                                 -
Enter VLAN view                     vlan vlan-id                                -
Assign a list of Ethernet ports to  port interface-list                         Required
the VLAN                                                                        By default, all ports belong to the
                                                                                default VLAN (VLAN 1).

Note:
Only access ports can be assigned to a VLAN in VLAN view. You can assign trunk
or hybrid ports to a VLAN only in Ethernet port view.
Follow these steps to assign a port to a VLAN in Ethernet port view:

To...                               Use the command...                          Remarks
Enter system view                   system-view                                 -
Enter Ethernet port view            interface interface-type interface-number   -
Configure the port type             port link-type { access | trunk | hybrid }  Optional
                                                                                By default, all ports are access ports.
Assign the current port to the                                                  Required
specified VLAN(s):                                                              By default, all the three types of ports
  For an access port                port access vlan vlan-id                    belong to the default VLAN (VLAN 1).
  For a trunk port                  port trunk permit vlan { vlan-id-list |
                                    all }
  For a hybrid port                 port hybrid vlan vlan-id-list { tagged |
                                    untagged }
Specify the default VLAN for the                                                Optional
current port:                                                                   By default, the default VLAN of an Ethernet
  For a trunk port                  port trunk pvid vlan vlan-id                port is VLAN 1.
  For a hybrid port                 port hybrid pvid vlan vlan-id               Because an access port can be assigned to
                                                                                only one VLAN, its default VLAN is the VLAN
                                                                                to which it belongs. Therefore, you do not
                                                                                need to configure a default VLAN for it.

Configuring Basic Settings of a VLAN Interface
You can enable your switch to perform Layer 3 forwarding by configuring VLAN
interfaces with IP addresses on the switch.
Follow these steps to configure basic settings of a VLAN interface:

To...                               Use the command...                          Remarks
Enter system view                   system-view                                 -
Create a VLAN interface and enter   interface Vlan-interface vlan-id            Required
VLAN interface view                                                             By default, no VLAN interface exists.
Assign an IP address to the current ip address ip-address { mask |              Required
VLAN interface                      mask-length } [ sub ]                       No IP address is assigned to any VLAN
                                                                                interface by default.
Configure the description of the    description text                            Optional
current VLAN interface                                                          By default, the description of a VLAN
                                                                                interface is its name, for example,
                                                                                Vlan-interface1 Interface.
Shut down the VLAN interface        shutdown                                    Optional
Bring up the VLAN interface         undo shutdown                               By default, a VLAN interface is in the up
                                                                                state. In this case, the VLAN interface is
                                                                                up so long as one port in the VLAN is up
                                                                                and goes down if all ports in the VLAN go
                                                                                down. An administratively shut down VLAN
                                                                                interface however will be in the down state
                                                                                until you bring it up, regardless of how
                                                                                the state of the ports in the VLAN changes.
Display information about the VLAN  display interface Vlan-interface            Available in any view
interface                           [ vlan-id ]

Note:
■ Before creating a VLAN interface for a VLAN, create the VLAN first.
■ On some 3Com series switches, only one VLAN interface is supported, and you
must configure its VLAN as the default VLAN with the management-vlan
command before creating the VLAN interface. For detailed configurations,
refer to the corresponding user manual.
Protocol VLAN Configuration
Protocol VLAN enables your switch to assign an incoming untagged frame to a
VLAN based on its protocol. To configure a protocol VLAN, first create a protocol
template to enable protocol VLAN, and then assign Ethernet ports to the protocol
VLAN.
Follow these steps to configure a protocol VLAN:

To...                               Use the command...                          Remarks
Enter system view                   system-view                                 -
Enter VLAN view                     vlan vlan-id                                -
Create a protocol template          protocol-vlan [ protocol-index ]            Required
                                    { at | ip | ipx { ethernetii | llc | raw |  No protocol template exists by default.
                                    snap } | mode { ethernetii etype etype-id
                                    | llc { dsap dsap-id ssap ssap-id } |
                                    snap etype etype-id } }
Return to system view               quit                                        -
Enter Ethernet port view            interface interface-type interface-number   -
Configure the port as a hybrid      port link-type hybrid                       Required
port                                                                            All Ethernet ports are access ports by
                                                                                default.
Assign the port to the protocol     port hybrid vlan vlan-id untagged           Required
VLAN and configure the port to                                                  All ports belong to VLAN 1 by default.
forward the frames of the VLAN
with their VLAN tag removed
Associate the port with the         port hybrid protocol-vlan vlan vlan-id      Required
protocol VLAN                       { protocol-index [ to protocol-index-end ]  By default, an Ethernet port is not
                                    | all }                                     associated with any protocol VLAN.
Display information about the       display protocol-vlan vlan { vlan-id [ to   Available in any view
protocol templates of the           vlan-id ] | all }
specified VLAN(s)
Display information about the       display protocol-vlan interface
protocol templates of the protocol  { interface-type interface-number [ to
VLANs associated with the           interface-type interface-number ] | all }
specified port(s)

VLAN Configuration Example
Network Requirements
A company has three departments: the R&D department, the marketing
department, and the design department. The three departments are located in the
same building. The R&D department and the marketing department are located in
different office areas. The design department and part of the R&D department
share the same office area. The hosts of the design department use the Apple
operating system (OS), and the hosts of the other two departments use Windows.
Use VLANs to fulfill the following:
■ Employees of the same department can communicate with each other, while
employees of different departments cannot.
■ The R&D department and the marketing department are on different IP
network segments. A switch (Core-Switch A in Figure 71) assigns addresses to
hosts of the two departments automatically.
■ Both the R&D department and the marketing department can access the public
servers. However, the design server and the R&D server are accessible to only
the employees of the design department and the R&D department respectively.
■ The hosts and server of the R&D department and those of the design
department cannot access the Internet; the hosts and server of the marketing
department and those of the design department cannot access the VPN of the
R&D department.
Network Diagram
Figure 71 Network diagram for VLAN configuration
Configuration Outlines
Configuration on Switch A
Figure 72 Network diagram for Switch A
On Switch A, assign the port connecting to the independent office area of the
R&D department and the port connecting to the independent office area of the
marketing department to different VLANs, thus isolating the two areas.
As the shared office area is used by two departments, assigning the port
connecting to the area to a VLAN cannot isolate the two departments.
Considering that the design department and the R&D department use different
operating systems, you can assign Apple hosts whose network protocol is
Appletalk and Windows hosts whose network protocol is IP to different protocol
VLANs.
Configure GigabitEthernet 1/1/1 to permit frames of all existing VLANs to pass
through with VLAN tags for VLAN identification.
Configuration on Switch B
Figure 73 Network diagram for Switch B
On Switch B, assign the port connecting to the marketing department and the
port connecting to the R&D department to different VLANs. Note that, the
configuration of the VLAN to which a department belongs must be the same on
both Switch A and Switch B. Configure the port connecting to Core-Switch A to
permit the frames of all existing VLANs to pass through with VLAN tags.
Configuration on Core-Switch A
Figure 74 Network diagram for Core-Switch A
On Core-Switch A, configure the port connecting to Switch B to permit the frames
of the three departments to pass through.
Configure Core-Switch A as the DHCP server for IP address assignment. As it is the
egress device for the R&D department to access the VPN, configure Core-Switch A
as the gateway for the R&D department and configure the port connecting to the
VPN to permit only the frames of the R&D department to pass through. As
Core-Switch B is the egress device for accessing the Internet and only the
marketing department is allowed to access the Internet, configure Core-Switch B
as the gateway for the marketing department.
Configuration on Core-Switch B
Figure 75 Network diagram for Core-Switch B
Each server is connected to Core-Switch B through an individual port. Assign these
ports to different VLANs to provide the departments exclusive access to their
respective servers.
As the public servers are accessible to both the R&D department and the
marketing department, create an individual VLAN for the public servers to forward
Layer 3 traffic between the servers and the clients. As Core-Switch A forwards
Layer 3 traffic between the R&D department and the public servers, configure the
link between Core-Switch B and Core-Switch A to permit the frames of the VLAN
created for the public servers to pass through besides the frames of the three
departments.
As Core-Switch B is the egress device for accessing the Internet and only the
marketing department is allowed to access the Internet, configure a VLAN
interface with an IP address for the VLAN of the marketing department and
configure the port connecting to the Internet to permit only the frames of the
VLAN to pass through. The IP address of the VLAN interface will be used as the
gateway address for the marketing department on Core-Switch A.
Summary
Assign the hosts and server of the R&D department, those of the marketing
department, and those of the design department to VLAN 100, VLAN 200, and
VLAN 300 respectively. The public servers belong to VLAN 500 and lie on the
network segment 192.168.50.0. The following diagram shows the planned
VLANs:
Figure 76 Network diagram for the deployment of VLANs
Configuration Procedure
Device and version used
Switch 5500 Release version 1510.
Configuration procedure
■ Configure Switch A
# Create VLAN 100, VLAN 200, and VLAN 300.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 300
[SwitchA-vlan300] quit
# Assign Ethernet 1/0/5 to VLAN 100.
[SwitchA] interface Ethernet 1/0/5
[SwitchA-Ethernet1/0/5] port access vlan 100
[SwitchA-Ethernet1/0/5] quit
# Assign Ethernet 1/0/10 to VLAN 200.
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port access vlan 200
[SwitchA-Ethernet1/0/10] quit
# Create a protocol template for VLAN 100 to carry IP and a protocol template for
VLAN 300 to carry Appletalk.
[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan ip
[SwitchA-vlan100] quit
[SwitchA] vlan 300
[SwitchA-vlan300] protocol-vlan at
[SwitchA-vlan300] quit
# Create a user-defined protocol template for VLAN 100 to carry ARP for IP
communication, assuming that Ethernet_II encapsulation is used.
[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan mode ethernetii etype 0806
[SwitchA-vlan100] quit
# Configure Ethernet 1/0/10 as a hybrid port permitting the frames of VLAN 100
and VLAN 300 to pass through untagged.
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 300 untagged
# Associate Ethernet 1/0/10 with all the protocol templates of VLAN 100 and
VLAN 300.
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 all
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 300 all
[SwitchA-Ethernet1/0/10] quit
# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of VLAN
100, VLAN 200, VLAN 300, and VLAN 500 to pass through with VLAN tags.
[SwitchA] interface GigabitEthernet 1/1/1
[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
■ Configure Switch B
# Create VLAN 100, VLAN 200, and VLAN 300 on Switch B as you have done on
Switch A.
# Assign Ethernet 1/0/2 and Ethernet 1/0/3 to VLAN 200 and VLAN 100
respectively.
<SwitchB> system-view
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port access vlan 200
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface Ethernet 1/0/3
[SwitchB-Ethernet1/0/3] port access vlan 100
[SwitchB-Ethernet1/0/3] quit
# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports
permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass
through with VLAN tags.
[SwitchB] interface GigabitEthernet 1/1/1
[SwitchB-GigabitEthernet1/1/1] port link-type trunk
[SwitchB-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/1] quit
[SwitchB] interface GigabitEthernet 1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/2] quit
■ Configure Core-Switch A
# Create VLAN 100, VLAN 200, and VLAN 300 on Core-Switch A. The
configuration procedure is the same as that on Switch A.
# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports
permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass
through with VLAN tags. The configuration procedure is the same as that on
Switch B.
# Create VLAN-interface 100 and assign it IP address 192.168.30.1. Use this
address as the IP address of the gateway for the R&D department. Allocate IP
addresses in the address pool 192.168.30.0/24 for the hosts of the R&D
department.
[Core-SwitchA] dhcp enable
[Core-SwitchA] interface Vlan-interface 100
[Core-SwitchA-Vlan-interface100] ip address 192.168.30.1 24
[Core-SwitchA-Vlan-interface100] dhcp select interface
[Core-SwitchA-Vlan-interface100] quit
# Create a global IP address pool mk with the address segment 192.168.40.0/24
to allocate IP addresses for the hosts of the marketing department. Configure the
gateway IP address as 192.168.40.1 for the hosts, pointing to Core-Switch B.
[Core-SwitchA] dhcp server ip-pool mk
[Core-SwitchA-dhcp-pool-mk] network 192.168.40.0 mask 255.255.255.0
[Core-SwitchA-dhcp-pool-mk] gateway-list 192.168.40.1
[Core-SwitchA-dhcp-pool-mk] quit
Note:
For detailed information about configuring DHCP, refer to the Switch 5500 Family
Configuration Guide.
# Create VLAN 500 and VLAN-interface 500 on Core-Switch A and assign IP
address 192.168.50.1/24 to VLAN-interface 500. Configure the trunk port
GigabitEthernet 1/1/1 to carry VLAN 500 and configure GigabitEthernet 1/1/1 to
permit the frames of VLAN 500 to pass through with VLAN tags.
[Core-SwitchA] vlan 500
[Core-SwitchA-vlan500] quit
[Core-SwitchA] interface Vlan-interface 500
[Core-SwitchA-Vlan-interface500] ip address 192.168.50.1 24
[Core-SwitchA-Vlan-interface500] quit
[Core-SwitchA] interface GigabitEthernet 1/1/1
[Core-SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 500
# Create a VLAN-interface on Core-Switch A to forward traffic of the R&D
department to the VPN and assign an IP address to the VLAN-interface. Assign
Ethernet 1/0/20 to the VLAN corresponding to the VLAN-interface. The
configuration procedure is omitted here.
■ Configuration on Core-Switch B
# Create VLAN 100, VLAN 200, VLAN 300, and VLAN 500 on Core-Switch B. The
configuration procedure is the same as that on Switch A.
# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of all
existing VLANs to pass through with VLAN tags. The configuration procedure is
omitted here.
# Create a VLAN-interface on Core-Switch B to forward traffic of the marketing
department to the Internet and assign an IP address to the VLAN-interface. Assign
Ethernet 1/0/15 to the VLAN corresponding to the VLAN-interface. The
configuration procedure is omitted here.
# Configure GigabitEthernet 1/1/3 and GigabitEthernet 1/1/4 to permit only the
frames of VLAN 300 and only the frames of VLAN 100 to pass through
respectively.
# Configure GigabitEthernet 1/1/2 to permit only the frames of VLAN 500 to pass
through.
# Assign IP address 192.168.40.1 to VLAN-interface 200. The configuration
procedure is omitted here.
Configuration remarks
After you finish the configuration, the hosts of the three departments should be
isolated at the data link layer.
As no VLAN interface is created for the VLAN of the marketing department on the
VPN gateway Core-Switch A, the hosts of the marketing department should not
be able to access the VPN or the R&D department through Layer 3 forwarding.
Similarly, as no VLAN interface is created for the VLAN of the R&D department on
the Internet gateway Core-Switch B, the hosts of the R&D department should not
be able to access the Internet or the marketing department through Layer 3
forwarding.
Thus, all departments are isolated at both the data link layer and the network
layer.
Note:
To prevent users from modifying the IP addresses and gateways of hosts to
access unauthorized network resources, it is recommended that you enable
DHCP-Snooping on Switch A and Switch B to monitor the IP addresses of clients.
For detailed information about configuring DHCP-Snooping, refer to the Switch
5500 Family Configuration Guide.
Precautions
■ Because IP depends on ARP for address resolution in Ethernet, it is
recommended that you configure the IP and ARP templates in the same VLAN and
associate them with the same port to prevent communication failure.
■ The maximum number of protocol templates that can be bound to a port varies
by device.
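The first precaution, together with the required steps in the protocol VLAN procedure table, can be checked against a saved configuration transcript. The following Python audit is an added example, not part of the 3Com guide: it reads prompt-prefixed command lines in the style used in this chapter and reports an ip template without an ARP (etype 0806) template in the same VLAN, a protocol VLAN association on a port that is not hybrid, and an associated VLAN the port does not carry untagged. PAGE_CONFIG repeats the Switch A protocol VLAN commands from this chapter; WEAK_CONFIG is constructed. The audit does not resolve index-based associations, only which VLANs a port is associated with.

```python
import re

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
VLAN_VIEW = re.compile(r"-vlan(\d+)$")                   # e.g. SwitchA-vlan100
PORT_VIEW = re.compile(r"-((?:Gigabit)?Ethernet\S+)$")   # e.g. SwitchA-Ethernet1/0/10
ARP_TEMPLATE = "mode ethernetii etype 0806"

# Switch A protocol VLAN commands as given in this chapter.
PAGE_CONFIG = """\
[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan ip
[SwitchA-vlan100] protocol-vlan mode ethernetii etype 0806
[SwitchA-vlan100] quit
[SwitchA] vlan 300
[SwitchA-vlan300] protocol-vlan at
[SwitchA-vlan300] quit
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 300 untagged
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 all
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 300 all
"""

# Constructed variant: ARP template missing, VLAN 300 not carried untagged.
WEAK_CONFIG = """\
[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan ip
[SwitchA-vlan100] quit
[SwitchA] vlan 300
[SwitchA-vlan300] protocol-vlan at
[SwitchA-vlan300] quit
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 untagged
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 all
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 300 all
"""


def parse(transcript):
    """Return (vlans, ports): protocol templates per VLAN and per-port settings."""
    vlans, ports = {}, {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group(2):
            continue  # comment, output line, or empty prompt
        view, cmd = m.group(1), " ".join(m.group(2).split())
        v, p = VLAN_VIEW.search(view), PORT_VIEW.search(view)
        if v and cmd.startswith("protocol-vlan "):
            vlans.setdefault(int(v.group(1)), []).append(cmd[len("protocol-vlan "):])
        elif p:
            # Ports are access ports by default, as the procedure table states.
            port = ports.setdefault(
                p.group(1), {"type": "access", "untagged": set(), "assoc": set()})
            words = cmd.split()
            if words[:2] == ["port", "link-type"] and len(words) > 2:
                port["type"] = words[2]
            elif words[:3] == ["port", "hybrid", "vlan"] and words[-1] == "untagged":
                port["untagged"].update(int(w) for w in words[3:-1] if w.isdigit())
            elif words[:4] == ["port", "hybrid", "protocol-vlan", "vlan"] and len(words) > 4:
                port["assoc"].add(int(words[4]))
    return vlans, ports


def audit(vlans, ports):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for vid, templates in sorted(vlans.items()):
        if "ip" in templates and ARP_TEMPLATE not in templates:
            findings.append(f"vlan {vid}: ip template without ARP template (etype 0806)")
    for name, port in sorted(ports.items()):
        for vid in sorted(port["assoc"]):
            if vid not in vlans:
                findings.append(f"{name}: vlan {vid} has no protocol template")
            if port["type"] != "hybrid":
                findings.append(f"{name}: protocol VLAN {vid} on a {port['type']} port")
            if vid not in port["untagged"]:
                findings.append(f"{name}: vlan {vid} not permitted untagged")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(*parse(cfg)) or "ok")
```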
Protocols and Standards
IEEE 802.1Q: Virtual Bridged Local Area Networks
8 VLAN CONFIGURATION EXAMPLES
Keywords: VLAN, 802.1q, voice VLAN
Abstract: This document describes how the voice VLAN feature of the 3Com series
Ethernet switches is applied and configured in a network.
Acronyms: VLAN (Virtual local area network)
Voice VLAN Support Matrix
In the 3Com series Ethernet switches based on the Comware V3.10 software
platform, the following models support voice VLAN:
■ Switch 5500
■ Switch 5500G
■ Switch 4500
■ Switch 4200
■ E352/E328
■ Switch 4210
■ E126A
Configuring Voice VLAN
Note:
■ For how to configure VLAN, port type and other related functions that voice
VLAN configuration involves, refer to the configuration guide that is applicable to
your switch.
■ The configuration procedure differs by device. This configuration example uses
the Switch 5500. For information on how to configure voice VLAN on other
switches, refer to the Configuration Guide for that model.
■ The configuration example in this guide provides only basic configuration
procedures. For detailed information about the involved functions, refer to the
switch’s configuration guide and command reference guide.
Configuring a Voice VLAN in automatic mode
Follow these steps to configure a voice VLAN in automatic mode:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Add a recognizable voice device vendor OUI to the OUI address list | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, the switch identifies voice traffic according to the default OUI address list. |
| Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default. |
| Set the voice VLAN aging time | voice vlan aging minutes | Optional. 1440 minutes by default. |
| Enable voice VLAN globally | voice vlan vlan-id enable | Required |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable voice VLAN on the port | voice vlan enable | Required. Disabled by default. |
| Enable voice VLAN legacy on the port to allow for automatic voice VLAN assignment for voice traffic from third-party vendors’ voice devices | voice vlan legacy | Optional. Disabled by default. |
| Configure the voice VLAN to operate in automatic mode on the port | voice vlan mode auto | Optional. Automatic mode applies by default. |

Configuring a Voice VLAN in manual mode
Follow these steps to configure a voice VLAN in manual mode:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Add a recognizable voice device vendor OUI to the OUI address list | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, the switch identifies voice traffic according to the default OUI address list. |
| Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default. |
| Set the voice VLAN aging time | voice vlan aging minutes | Optional. 1440 minutes by default. |
| Enable voice VLAN globally | voice vlan vlan-id enable | Required |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable voice VLAN on the port | voice vlan enable | Required. Disabled by default. |
| Enable voice VLAN legacy on the port to allow for automatic voice VLAN assignment for voice traffic from third-party vendors’ voice devices | voice vlan legacy | Optional. Disabled by default. |
| Configure the voice VLAN to operate in manual mode on the port | undo voice vlan mode auto | Required. Automatic mode applies by default. |
| Return to system view | quit | - |
| Assign the port to the voice VLAN (access port): enter VLAN view | vlan vlan-id | Required |
| Assign the port to the voice VLAN (access port): assign the specified port(s) to the VLAN | port interface-list | |
| Assign the port to the voice VLAN (trunk port or hybrid port): enter port view | interface interface-type interface-number | |
| Assign the port to the voice VLAN (trunk port or hybrid port): assign the port to the specified VLAN | port trunk permit vlan vlan-id, or port hybrid vlan vlan-id { tagged \| untagged } | |
| Assign the port to the voice VLAN (trunk port or hybrid port): configure the voice VLAN as the default VLAN of the port | port trunk pvid vlan vlan-id, or port hybrid pvid vlan vlan-id | Optional |

Voice VLAN Configuration Examples
A company plans to deploy IP phones in the office area and meeting rooms. To
guarantee voice quality, the voice traffic must be transmitted in a VLAN dedicated
to voice traffic. At the same time, assign different network segments for the IP
phones in the meeting rooms and those in the office area.
■ Network requirements of the IP phones in the office area
All IP phones can get an IP address and voice VLAN information automatically. In
addition, they can send tagged voice traffic. The IP phones connect to a switch
port via the PCs of their users. It is required that the switch port exit the voice
VLAN automatically if no voice traffic has passed by within 100 minutes.
■ Network requirements of the IP phones in the meeting rooms
The company deploys IP phones in two meeting rooms. The IP phone in meeting
room 1 sends VLAN untagged voice traffic. The OUI address of the IP phone is
00e3-f200-0000. In addition, the IP address of the IP phone is manually
configured. In meeting room 2, a Cisco IP phone capable of getting an IP address
and voice VLAN information automatically is deployed. The IP phone sends VLAN
tagged voice traffic.
■ Overall network requirements
The IP phones and PCs in the office area connect to the enterprise network
through Switch A, and the IP phones in the two meeting rooms connect to the
enterprise network via Switch B. The two switches and an XE voice server are
connected to the core switch. The core switch connects to the Internet through an
egress router. In addition, the core switch also operates as the DHCP server to
allocate IP addresses and voice VLAN configuration for the IP phones configured to
get IP addresses automatically.
Network Diagram
Figure 77 Network diagram for voice VLAN configuration (diagram labels: Internet, Router, Core switch (DHCP Server), XE SIP Server, Switch A, Switch B, Office area, Meeting room 1, Meeting room 2)

Configuration Outlines
Configuration on Switch A
Figure 78 Network diagram for Switch A (diagram labels: Switch A, Office area, Eth1/0/10, GE1/1/1)

As the IP phones connected to Switch A get IP addresses automatically, they
should send an untagged DHCP request to the DHCP server for an IP address upon
their startup. When the DHCP server receives a request, it responds with a
temporary IP address, and in addition, the voice VLAN ID, and the IP address of the
voice server. After the IP phone receives the response, it discards the temporary IP
address and re-sends a DHCP request with the voice VLAN tag to the DHCP server.
Thus, the IP phone gets an IP address within the voice VLAN to communicate with
the voice server normally.
Note: The above procedure describes how a common IP phone gets an IP address. The
procedure may differ depending on your IP phone. For the actual procedure of
your IP phone, refer to its user manual.
In this network, as Ethernet 1/0/10 of Switch A is required to forward traffic of the
default VLAN and the voice VLAN, you should configure Ethernet 1/0/10 as a
trunk port or hybrid port. In this example, Ethernet 1/0/10 is configured as a hybrid
port. As the traffic from the PCs is untagged, it will be transmitted through the
default VLAN. Configure VLAN 100 as the default VLAN and configure the port to
transmit the traffic of the default VLAN untagged. As the IP phones send tagged
traffic after getting IP addresses within the voice VLAN, configure VLAN 200 as the
voice VLAN and configure the voice VLAN to operate in automatic mode on the
port. Thus, the port can join/exit the voice VLAN automatically.
Note: A hybrid port with voice VLAN enabled in automatic mode joins the voice VLAN in
tagged mode automatically and sends the traffic of the voice VLAN tagged.
On Switch A, GigabitEthernet 1/1/1 is uplinked to the core switch to transmit both
service traffic and voice traffic. To discriminate data, configure the port as a trunk
port to carry VLAN 100 and VLAN 200. As the switch is required to send traffic of
the two VLANs tagged, do not configure either of them as the default VLAN.
Table 89 lists the port configurations on Switch A.
Note: The following describes the operations on VLAN traffic:
■ pvid: Indicates that the VLAN is configured as the default VLAN of the port.
■ untagged: Indicates that the port sends the traffic of the VLAN untagged.
■ tagged: Indicates that the port sends the traffic of the VLAN tagged.
For instructions on configuring the port’s default VLAN and configuring the port to
send traffic untagged or tagged, refer to the applicable configuration guide.
In the following configuration, Ethernet 1/0/10 is configured as a hybrid port.
Table 89 Port configurations on Switch A

| Port | Voice VLAN mode | Port type | Permitted VLANs and operations on the VLAN traffic |
|---|---|---|---|
| Ethernet 1/0/10 | Automatic mode | Trunk/hybrid | VLAN100: pvid, untagged |
| GigabitEthernet 1/1/1 | - | Trunk | VLAN100: tagged; VLAN200: tagged |
Configuration on Switch B
Figure 79 Network diagram for Switch B (diagram labels: Switch B, Meeting room 1, Meeting room 2, Eth1/0/1, Eth1/0/2, GE1/1/2)

As two types of IP phones are connected to Switch B, the configuration on
Ethernet 1/0/1 is different from that on Ethernet 1/0/2.
■ Ethernet 1/0/1
The IP phones connected to Ethernet 1/0/1 are configured with an IP address
manually and they send voice traffic untagged. As a port with the voice VLAN
mode set to auto does not support receiving untagged voice traffic, you should
configure the voice VLAN to operate in manual mode on the port. In addition,
configure the voice VLAN as the default VLAN of the port.
■ Ethernet 1/0/2
You can configure Ethernet 1/0/2 in a way similar to configuring Ethernet 1/0/10
on Switch A. However, because only IP phones are connected to Ethernet 1/0/2,
you can assign the port to the voice VLAN manually to guarantee stable
transmission for voice traffic. For the Cisco IP phones connected to the port to
communicate with the switch, enable voice VLAN legacy on the port to notify
them of the voice VLAN ID, so that the Cisco IP phones can request IP addresses
within the voice VLAN. Because the IP phones send tagged voice traffic, you
should configure the port to send the traffic of the voice VLAN tagged.
■ GigabitEthernet 1/1/2
The port sends the voice traffic received on Switch B. As the meeting rooms should
use a voice VLAN different from that for the office area, configure VLAN 400 as
the voice VLAN on Switch B and configure the port to send the traffic of VLAN
400 tagged.
Table 90 lists the port configurations on Switch B.
Table 90 Port configurations on Switch B

| Port | Voice VLAN mode | Port type | Permitted VLANs and operations on the VLAN traffic |
|---|---|---|---|
| Ethernet 1/0/1 | Manual mode | Access/hybrid/trunk | VLAN400: pvid untagged |
| Ethernet 1/0/2 | Manual mode | Trunk/hybrid | VLAN400: tagged |
| GigabitEthernet 1/1/2 | - | Trunk/hybrid | VLAN400: tagged |

In the following configuration, Ethernet 1/0/1 is configured as an access port, and
Ethernet 1/0/2 and GigabitEthernet 1/1/2 are configured as trunk ports.
Configuration on Core Switch
Figure 80 Network diagram for the Core Switch (diagram labels: Core switch (DHCP Server), GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4)

The core switch forwards traffic, allocates IP addresses to IP phones, and specifies
the voice VLAN and the voice server address.
According to the configuration on Switch A and Switch B, the core switch is
required to forward the traffic of VLAN 100, VLAN 200, and VLAN 400, and
allocate IP addresses to IP phones in VLAN 200 and VLAN 400.
As analyzed earlier, when an IP phone is powered up, it first gets an IP address in
the default VLAN (VLAN 100) from the DHCP server. The DHCP server should
return not only an IP address but also the voice VLAN and the voice server address
to the IP phone. To achieve that, you should configure the core switch to use
option 184 in the DHCP responses in VLAN 100 for conveying voice related
information.
After the IP phone gets the voice VLAN information, it requests an IP address in
the voice VLAN instead of using the IP address obtained in the default VLAN.
When receiving the request, the core switch allocates an IP address in VLAN 200 or
VLAN 400, whichever the IP phone belongs to. Note that VLAN 200 and VLAN
400 use different IP address segments.
As both the XE voice server and the egress router are connected to the core
switch, you should create two VLAN interfaces, and assign GigabitEthernet 1/0/3
and GigabitEthernet 1/0/4 to the two VLANs respectively, thus achieving Layer-3
forwarding.
Table 91 lists the interface and port configurations on the core switch.
Table 91 Interface and port configurations on the core switch

| VLAN interface | IP address and network segment | Ports involved | Port type | Operations on the VLAN traffic |
|---|---|---|---|---|
| Vlan-interface100 | 192.168.1.1/24 | GigabitEthernet 1/0/1 | Trunk | tagged |
| Vlan-interface200 | 192.168.2.1/24 | GigabitEthernet 1/0/1 | Trunk | tagged |
| Vlan-interface400 | 192.168.4.1/24 | GigabitEthernet 1/0/2 | Trunk | tagged |
| Vlan-interface300 | 192.168.3.1/24 | GigabitEthernet 1/0/3 | Access | untagged |
| Vlan-interface500 | 192.168.5.1/24 | GigabitEthernet 1/0/4 | Access | untagged |

Configuration Procedure
Devices and software version used
Switch A and Switch B are Switch 5500s with software version Release 1510. The
core switch is a Switch 5500Gs Ethernet switch whose software version is Release
1510.
Configuration steps
■ Configuration on Switch A
# Create VLAN 100 and VLAN 200.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
# Assign GigabitEthernet 1/1/1 and Ethernet 1/0/10 to the specified VLANs
according to Table 89.
[SwitchA] interface GigabitEthernet 1/1/1
[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200
[SwitchA-GigabitEthernet1/1/1] quit
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 untagged
[SwitchA-Ethernet1/0/10] port hybrid pvid vlan 100
# Enable voice VLAN on Ethernet 1/0/10.
[SwitchA-Ethernet1/0/10] voice vlan enable
# Set the voice VLAN aging time to 100 minutes.
[SwitchA-Ethernet1/0/10] quit
[SwitchA] voice vlan aging 100
# Enable voice VLAN security mode so that only voice traffic is transmitted in the
voice VLAN. (Optional. The voice VLAN security mode is enabled by default.)
[SwitchA] voice vlan security enable
# Configure VLAN 200 as the voice VLAN globally.
[SwitchA] voice vlan 200 enable
■ Configuration on Switch B
# Create VLAN 100 and VLAN 400.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] vlan 400
[SwitchB-vlan400] quit
# Assign Ethernet 1/0/1, Ethernet 1/0/2, and GigabitEthernet 1/1/2 to the specified
VLANs according to Table 90.
[SwitchB] interface Ethernet 1/0/1
[SwitchB-Ethernet1/0/1] port access vlan 400
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port link-type trunk
[SwitchB-Ethernet1/0/2] port trunk permit vlan 100 400
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface GigabitEthernet1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 400
[SwitchB-GigabitEthernet1/1/2] quit
# Enable voice VLAN legacy on Ethernet 1/0/2.
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] voice vlan legacy
[SwitchB-Ethernet1/0/2] quit
# Configure the voice VLAN to operate in manual mode on Ethernet 1/0/1 and
Ethernet 1/0/2, and enable voice VLAN on the two ports.
[SwitchB] interface Ethernet 1/0/1
[SwitchB-Ethernet1/0/1] undo voice vlan mode auto
[SwitchB-Ethernet1/0/1] voice vlan enable
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] undo voice vlan mode auto
[SwitchB-Ethernet1/0/2] voice vlan enable
[SwitchB-Ethernet1/0/2] quit
# Add an OUI address 00e3-f200-0000 with the description of Meeting room1
globally.
[SwitchB] voice vlan mac-address 00e3-f200-0000 mask ffff-ff00-0000 description Meeting room1
# Enable voice VLAN security mode so that only voice traffic is transmitted in the
voice VLAN. This step is optional. The voice VLAN security mode is enabled by
default.
[SwitchB] voice vlan security enable
# Configure VLAN 400 as the voice VLAN globally.
[SwitchB] voice vlan 400 enable
■ Configure the core switch
# Create VLAN 100, VLAN 200, VLAN 300, VLAN 400, and VLAN 500 on the core
switch. Assign the specified ports to their respective VLANs according to Table 91.
The configuration procedure is omitted here.
# Create VLAN interfaces and assign IP addresses to the VLAN interfaces according
to Table 91. The configuration procedure is omitted here.
# Enable DHCP globally.
<CoreSwitch> system-view
[CoreSwitch] dhcp enable
# Create a global address pool vlan100 to allocate IP addresses on the network
segment 192.168.1.1/24 to devices in the default VLAN (VLAN 100).
[CoreSwitch] dhcp server ip-pool vlan100
[CoreSwitch-dhcp-pool-vlan100] network 192.168.1.0 mask 255.255.255.0
# Configure VLAN 200 as the voice VLAN and the voice server IP address as
192.168.3.3 for option 184 in the address pool vlan100.
[CoreSwitch-dhcp-pool-vlan100] voice-config ncp-ip 192.168.3.3
[CoreSwitch-dhcp-pool-vlan100] voice-config voice-vlan 200 enable
[CoreSwitch-dhcp-pool-vlan100] quit
# Configure VLAN-interface 100 to operate in global address pool mode.
[CoreSwitch] interface Vlan-interface 100
[CoreSwitch-Vlan-interface100] dhcp select global
[CoreSwitch-Vlan-interface100] quit
# Create an address pool for VLAN-interface 200 and VLAN-interface 400
respectively to allocate IP addresses for the IP phones in the office area and the IP
phone in meeting room 2.
[CoreSwitch] interface Vlan-interface 200
[CoreSwitch-Vlan-interface200] dhcp select interface
[CoreSwitch-Vlan-interface200] quit
[CoreSwitch] interface Vlan-interface 400
[CoreSwitch-Vlan-interface400] dhcp select interface
Note: For detailed information about configuring DHCP, refer to the Switch 5500 Family
Configuration Guide.
The core switch thus configured should be able to allocate IP addresses, voice
VLANs, and the voice server IP address for IP phones in VLAN 200 and VLAN 400,
and to forward voice traffic at Layer 3. If required, configure dynamic routing
protocols on the core switch, which is beyond the scope of this document.
Configuration remarks
After you finish the configuration, the IP phones in each area can establish
connections with the voice server, get telephone numbers, and communicate
normally. For the configuration on the voice server, refer to the user manual of the
3Com XE voice server.
It is recommended that you enable DHCP snooping and some security functions on
Switch A and Switch B to ensure that only legitimate IP phones that get IP addresses
from the core switch can use the service, thus preventing malicious interception.
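As an added illustration that is not part of the original guide or of 3Com software, the Python model below shows how the OUI entry configured above (00e3-f200-0000 with mask ffff-ff00-0000), voice VLAN security mode and the 100-minute aging time interact on a port in automatic mode. The class and function names, the simplified join/age/drop rules and the phone and PC MAC addresses are assumptions made for the example; only the OUI entry, VLAN 200, VLAN 100 and the aging value come from the configuration in this chapter.

```python
"""Simplified model of voice VLAN OUI matching, security mode and aging.

Built only from the behaviour this guide describes; it is not the switch's
firmware logic. Every MAC address except the OUI entry is a constructed sample.
"""
import string
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as xxxx-xxxx-xxxx (':' and '.' separators also accepted)."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    """One OUI address list line: voice vlan mac-address <oui> mask <mask>."""
    oui: int
    mask: int
    description: str = ""

    @classmethod
    def from_cli(cls, oui: str, mask: str, description: str = "") -> "OuiEntry":
        mask_bits = mac_to_int(mask)
        return cls(mac_to_int(oui) & mask_bits, mask_bits, description)

    def matches(self, src_mac: str) -> bool:
        # Only the masked bits of the source MAC are compared.
        return (mac_to_int(src_mac) & self.mask) == self.oui


@dataclass
class AutoModePort:
    """A port with voice VLAN enabled in automatic mode (hypothetical model)."""
    voice_vlan: int
    oui_list: list
    aging_minutes: int = 1440   # guide: 1440 minutes by default
    security: bool = True       # guide: security mode is enabled by default
    member: bool = False        # is the port currently in the voice VLAN?
    last_voice: int = 0         # minute at which voice traffic was last seen

    def is_voice(self, src_mac: str) -> bool:
        return any(entry.matches(src_mac) for entry in self.oui_list)

    def age(self, now: int) -> None:
        """Leave the voice VLAN once no voice traffic was seen for aging_minutes."""
        if self.member and now - self.last_voice >= self.aging_minutes:
            self.member = False

    def receive(self, now: int, src_mac: str, vlan: int) -> str:
        """Return 'forward' or 'drop' for a frame arriving at minute `now`."""
        self.age(now)
        if self.is_voice(src_mac):
            self.member, self.last_voice = True, now   # join, or refresh the timer
            return "forward"
        if vlan != self.voice_vlan:
            return "forward"        # data VLANs are not filtered by OUI
        if not self.member:
            return "drop"           # port does not carry the voice VLAN right now
        return "drop" if self.security else "forward"


def run_demo(security: bool = True) -> list:
    """Replay constructed frames against a port using the guide's values."""
    oui = OuiEntry.from_cli("00e3-f200-0000", "ffff-ff00-0000", "Meeting room1")
    port = AutoModePort(voice_vlan=200, oui_list=[oui],
                        aging_minutes=100, security=security)
    phone, pc = "00e3-f212-3456", "0010-5ce1-0001"   # constructed sample MACs
    frames = [  # (minute, source MAC, VLAN of the frame)
        (0, phone, 200),    # phone traffic: port joins VLAN 200
        (10, pc, 100),      # PC data in the default VLAN
        (20, pc, 200),      # non-voice source inside the voice VLAN
        (99, phone, 200),   # voice traffic refreshes the aging timer
        (199, pc, 200),     # 100 minutes without voice traffic: port has left
    ]
    decisions = [port.receive(*frame) for frame in frames]
    return decisions + ["member" if port.member else "left"]


if __name__ == "__main__":
    print("security on :", run_demo(True))
    print("security off:", run_demo(False))
```

The match covers every source MAC under the masked prefix, so the OUI list classifies traffic rather than authenticating devices; the DHCP snooping recommendation above is a complementary control.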
Protocols and Standards
IEEE 802.1Q: Virtual Bridged Local Area Networks



Define a NetBIOS On one interface node type for DHCP clients On multiple interfaces dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface interface-type interface-number [ to interface-type interface-number ] | all } . ber dhcp server dns-list ip-address&<1-8> quit On multiple interfaces dhcp server dns-list ip-address&<1-8> { interface vlan-interface vlan-interface-num ber [ to vlan-interface vlan-interface-num ber ] | all } Optional interface vlan-interface By default. ber dhcp server nbns-list ip-address&<1-8> quit Configure WINS server addresses for DHCP clients On one interface On multiple interfaces dhcp server nbns-list ip-address&<1-8> { interface vlan-interface vlan-interface-num ber [ to interface-type interface-number ] | all } interface interface-type interface-number dhcp server netbios-type { b-node | h-node | m-node | p-node } quit Optional By default. no NetBIOS node type is specified and a DHCP client uses the h-node type. no DNS server vlan-interface-num address is configured.12 CHAPTER 1: DHCP CONFIGURATION EXAMPLES Table 3 Configure IP address allocation through the interface address pool Operation Configure DNS server addresses for DHCP clients On one interface Command Description interface Optional vlan-interface By default. no WINS server vlan-interface-num addresses are configured.

no DHCP server IP address is configured for a DHCP server group. Optional The default maximum number is 2. Description Optional By default. Table 4 Configure DHCP relay agent Operation Enter system view Enable the DHCP service Command system-view dhcp enable Description Optional By default. no self-defined option is configured. Configure DHCP server IP addresses for a DHCP server group dhcp-server groupNo ip ip-address&<1-8> Required By default. Optional The default timeout is 500 milliseconds.Configuration Guide 13 Table 3 Configure IP address allocation through the interface address pool Operation Configure a self-defined DHCP option On one interface Command interface interface-type interface-number dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } quit On multiple interfaces dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } { interface interface-type interface-number [ to interface-type interface-number ] | all } dhcp server detect Optional By default. the DHCP service is enabled. Enable the detection of unauthorized DHCP servers dhcp server ping Configure duplicate Set the maximum packets number IP address detection number of ping packets sent by the DHCP server for each IP address Set a response timeout for each ping packet dhcp server ping timeout milliseconds Enable the DHCP server to support Option dhcp server relay Optional 82 information By default. the DHCP server enable supports Option 82. . Configuring the DHCP Relay Agent Use the following commands to configure the DHCP relay agent. the detection of unauthorized DHCP servers is disabled.

address-check enable Required By default. dhcp-security tracker { interval | auto } Optional By default. Optional By default. all the ports of a switch are untrusted ports. Enter Ethernet port view interface eth\gig-interface-type unit/0/0port-number - Specify the port connected to dhcp-snooping trust the DHCP server as a trusted port Optional By default.14 CHAPTER 1: DHCP CONFIGURATION EXAMPLES Table 4 Configure DHCP relay agent Operation Configure a DHCP user address entry Enable DHCP relay agent handshake Configure the interval at which the DHCP relay agent updates dynamic client address entries Enable the detection on unauthorized DHCP servers Command dhcp-security static ip-address mac-address dhcp relay hand enable Description Optional By default. dhcp relay information enable Required By default. the update interval is calculated automatically according to the number of the DHCP client entries. the strategy is replace. the address checking function is disabled for the DHCP relay agent. DHCP relay agent handshake is enabled. Required By default. a VLAN interface is not associated to any DHCP server group. the DHCP relay agent does not support Option 82. Required By default. DHCP snooping is disabled. dhcp-server detect Enable the DHCP relay agent to support Option 82 Configure a strategy for the DHCP relay agent to handle request packets containing Option 82 Enter VLAN interface view Associate the interface to a DHCP server group dhcp relay information strategy { drop | keep | replace } interface interface-type interface-number dhcp-server groupNo Enable the address checking function for the DHCP relay agent Configuring DHCP Snooping Use the following commands to configure DHCP snooping: Table 5 Configure DHCP snooping Operation Enter system view Enable DHCP snooping Command system-view dhcp-snooping Description Required By default. no DHCP user address entry is configured. . Optional By default. the detection of unauthorized DHCP servers is disabled.

DHCP Server Configuration Example

Network Requirements
A Switch 5500 serves as the DHCP server in the corporate headquarters (HQ) to allocate IP addresses to the workstations in the HQ and a branch, and it also acts as the gateway to forward packets from the HQ. The network requirements are as follows:
■ Assign the HQ the IP addresses in the 10.214.10.0/24 network segment, with a lease period of two days, and exclude the IP addresses of the DNS server, WINS server, and mail server from allocation.
■ Assign IP addresses to the DNS server, WINS server, and the mail server in HQ through static bindings.
■ Assign the workstations in the Branch the IP addresses in the 10.210.10.0/24 network segment, with a lease period of three days, and assign the file server in the Branch an IP address through a static IP-to-MAC binding.
■ Assign the addresses of the gateway, DNS server, and the WINS server along with an IP address to each workstation in the HQ and Branch.
■ Enable the detection of unauthorized DHCP servers to prevent any unauthorized DHCP server from allocating invalid addresses.

Network Diagram
Figure 1 Network diagram for DHCP server configuration

10.214.214.214.3 mac-address 000d-85c7-4e20 [3Com-Vlan-interface10] dhcp server static-bind ip-address 10. assigning the IP addresses in the 10. WINS server.5 mac-address 002e08d20-54c6 # Exclude the static IP addresses of the DNS server. # Create a global address pool named “br” for the Branch.214.0/24 network segment to the devices in the HQ. # Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.214.4 mac-address 0013-4ca8-9b71 [3Com-Vlan-interface10] dhcp server static-bind ip-address 10.0 mask 255.10.214.5 ■ Configure address allocation for the devices in the Branch.0 [3Com-dhcp-pool-br] expired day 3 # Create a static binding address pool named “br-static”.10 .10. [3Com] dhcp server ip-pool br [3Com-dhcp-pool-br] network 10. and specify the range and lease period of the IP addresses for allocation.10. and configure the IP addresses of the DNS server and WINS server. .10 .214. WINS server. and mail server from allocation.10.255.3 [3Com-Vlan-interface10] dhcp server nbst-list 10. [3Com-Vlan-interface10] dhcp select interface # Configure the address lease period of the address pool. Configuring DHCP server ■ Configure address allocation for the devices in the HQ. [3Com-Vlan-interface10] dhcp server expired day 2 [3Com-Vlan-interface10] dhcp server dns-list 10.3 10.10 .10. [3Com-Vlan-interface10] quit [3Com] dhcp server forbidden-ip 10.16 CHAPTER 1: DHCP CONFIGURATION EXAMPLES Configuration Procedure Software Version Used This example uses the Switch 5500 running software version 3.214. # Assign IP addresses to the DNS server.1 24 # Configure the interface to operate in the interface address pool mode. [3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214. and mail server through IP-to-MAC bindings.10.4 No gateway needs to be configured for the clients because an interface operating in the interface address pool mode automatically serves as the gateway for DHCP clients and sends the requested information to the clients.210. 
<3Com> system-view [3Com] interface Vlan-interface 10 [3Com-Vlan-interface10] ip address 10. and assign the file server in the Branch an IP address through an IP-to-MAC binding.2.255.

1 # Enable the detection of unauthorized DHCP servers.255.214.3 [3Com-dhcp-pool-br] nbst-list 10.4 mask 2 55. and the WINS server address for the workstations in the Branch.10. [3Com] dhcp server detect # Configure VLAN-interface100 to operate in the global address pool mode.210.10. [3Com] interface Vlan-interface 100 [3Com-Vlan-interface100] dhcp select global Note that: After DHCP configuration is complete.10. Configuring the DHCP relay agent This section mainly describes the DHCP server configuration.214. IP addresses can be assigned to the workstations in the Branch only when a route is active between the HQ and the Branch. For details about DHCP relay agent configuration.10. see “DHCP Relay Agent/Snooping Configuration Examples” on page 17.210.10.214. <3Com> system-view [3Com] dhcp-server 1 ip 10.0 [3Com-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71 # Specify the gateway address.1 [3Com] interface Vlan-interface 5 (define Vlan 5 in configuration above) [3Com-Vlan-interface5] dhcp-server 1 DHCP Relay Agent/Snooping Configuration Examples Network Requirements A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server to assign IP addresses to the workstations in the Office branch.10. [3Com-dhcp-pool-br-static] quit [3Com] dhcp server ip-pool br [3Com-dhcp-pool-br] gateway-list 10.DHCP Relay Agent/Snooping Configuration Examples 17 [3Com-dhcp-pool-br] quit [3Com] dhcp server ip-pool br-static [3Com-dhcp-pool-br-static] static-bind ip-address 10.214.4 # Exclude the static IP address of the gateway in the Branch from allocation.1 [3Com-dhcp-pool-br] dns-list 10. DNS server address.255. The branches are . The following shows the basic DHCP relay agent configuration that ensures the DHCP relay agent to relay DHCP requests to the DHCP server. [3Com-dhcp-pool-br] quit [3Com] dhcp server forbidden-ip 10.


connected to an XRN (Expandable resilient network) Fabric that serves as the central node and the DHCP relay agent to forward the DHCP requests from the workstations. Meanwhile, a lab DHCP server is used to assign IP addresses to the devices in the labs. The network requirements are as follows:

■ Configure the DHCP server in the HQ to assign the IP addresses in the 192.168.10.0/24 network segment to the workstations in the Office branch, with a lease period of 12 hours. Configure the IP addresses of the DNS server and WINS server as 192.169.100.2 and 192.168.100.3 respectively.
■ The XRN Fabric is connected to the branches and is comprised of four switches. It serves as the DHCP relay agent to forward the DHCP requests from the workstations in the Office and the devices in the labs. It is enabled to detect unauthorized DHCP servers.
■ An Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP addresses in the 192.168.17.0/24 network segment to the devices in Lab1, with a lease period of one day, and to assign the IP addresses in the 192.168.19.0/24 network segment to Lab2, with a lease period of two days. The lab DHCP server and the XRN Fabric are interconnected through the 172.16.2.4/30 network segment.
■ Configure the address checking function on the DHCP relay agent so that only the devices that are assigned legal IP addresses from the DHCP server are allowed to access the external network.
■ Configure address entry update on the DHCP relay agent so that it updates the address entries by sending requests to the DHCP server every one minute.
■ Enable DHCP snooping to support DHCP Option 82, adding local port information to the Option 82 field in DHCP messages.
■ Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP relay agent keeps the original field unchanged upon receiving DHCP messages carrying Option 82.
■ Enable the DHCP server to support DHCP Option 82 so that it assigns the IP addresses 192.168.10.2 through 192.168.10.25 to the DHCP clients connected to Ethernet1/0/11 on the DHCP snooping switch and assigns 192.168.10.100 through 192.168.10.150 to the DHCP clients connected to Ethernet1/0/12 of the DHCP snooping switch.


Network Diagram

Figure 2 Network diagram for DHCP relay agent/snooping integrated configuration

Configuration Procedure

In this example, the XRN Fabric is comprised of Switch 5500s running software version 3.2, a Switch 7750 switch running software version Release 0028 is used as the DHCP snooping-capable switch, and a 3Com Switch 7750 Family S3528 switch running software version Release 0028 is used as the Lab DHCP server. For better readability:
■ The devices in the XRN Fabric are SwitchA, SwitchB, SwitchC, and SwitchD.
■ The DHCP snooping-capable device is referred to as “Snooping”.
■ The device serving as the Lab DHCP server is referred to as “LAB”.

Configuring XRN Fabric
The Switch 5500 supports XRN Fabric. You can interconnect four devices to form a Fabric for centralized management of the devices in the Fabric. For details, see the related sections in the Switch 5500 Family Configuration Guide.


Configuring the DHCP relay agent
Figure 3 Network diagram for DHCP relay agent configuration

Within the XRN Fabric, configuration made on a device can be synchronized to the other devices. Therefore, configuration is performed on Switch A only in this example.

# Configure to forward the DHCP requests from the Office to the DHCP server in the HQ.
<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 192.168.0.3
[SwitchA] interface vlan-interface10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] dhcp-server 1

# Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.
[SwitchA-Vlan-interface10] quit
[SwitchA] dhcp-server 2 ip 192.168.17.1
[SwitchA] interface Vlan-interface 25
[SwitchA-Vlan-interface25] ip address 192.168.19.1 24
[SwitchA-Vlan-interface25] dhcp-server 2

# Configure the IP address of VLAN-interface17 as 172.16.2.5/30 for forwarding DHCP packets from the Lab DHCP Server to a non-local segment.
[SwitchA-Vlan-interface25] quit
[SwitchA] interface Vlan-interface 17
[SwitchA-Vlan-interface17] ip add 172.16.2.5 30

# Configure the address checking function on the DHCP relay agent. Make sure you configure the IP addresses and MAC addresses of the two DHCP servers as static entries for the security function.
[SwitchA-Vlan-interface17] quit
[SwitchA] dhcp-security static 192.168.0.3 000D-88F8-4E71
[SwitchA] dhcp-security static 192.168.17.1 0010-5ce9-1dea
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] address-check enable
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 25
[SwitchA-Vlan-interface25] address-check enable
[SwitchA-Vlan-interface25] quit


# Configure the address entry update interval on the DHCP relay agent.
[SwitchA] dhcp relay hand enable
[SwitchA] dhcp-security tracker 60

# Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy of keeping the original field upon receiving DHCP messages carrying Option 82.
[SwitchA] dhcp relay information enable
[SwitchA] dhcp relay information strategy keep

# Enable the DHCP relay agent to detect unauthorized DHCP servers.
[SwitchA] dhcp-server detect

# Enable UDP-Helper so that the XRN Fabric can operate in the DHCP relay agent mode.
[SwitchA] udp-helper enable

# To ensure normal forwarding of DHCP packets across network segments, you need to configure a routing protocol and advertise the network segments of interfaces. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the parts covering routing protocols in product manuals.
[SwitchA] rip
[SwitchA-rip] network 192.168.10.0
[SwitchA-rip] network 192.168.19.0
[SwitchA-rip] network 172.16.0.0

Note: For the DHCP relay agent using the XRN structure and the DHCP server in the HQ to communicate with each other, an active route must also be configured between them. This configuration is performed by the ISP or the user; therefore, it will not be covered in this document.

Configuring the Lab DHCP server
Figure 4 Network diagram for the Lab DHCP server configuration

# Configure an address pool for Lab2 and specify the address range, lease period, and the gateway address.
<LAB> system-view
[LAB] dhcp enable
[LAB] dhcp server ip-pool lab2
[LAB-dhcp-lab2] network 192.168.19.0 255.255.255.0
[LAB-dhcp-lab2] expired day 2
[LAB-dhcp-lab2] gateway-list 192.168.19.1

# Configure the IP address of VLAN-interface17 as 172.16.2.6/30 and enable it to operate in global address pool mode.
[LAB-dhcp-lab2] quit
[LAB] interface Vlan-interface 17
[LAB-Vlan-interface17] ip address 172.16.2.6 30
[LAB-Vlan-interface17] dhcp select global

# Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in the 192.168.17.0/24 network segment to the devices in Lab1, you only need to configure VLAN-interface15 to operate in the interface address pool mode.
[LAB-Vlan-interface17] quit
[LAB] interface vlan-interface 15
[LAB-Vlan-interface15] ip address 192.168.17.1 24
[LAB-Vlan-interface15] dhcp select interface
[LAB-Vlan-interface15] quit

# To ensure that the lab DHCP server forwards DHCP packets normally, you need to configure a routing protocol. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the related parts in product manuals.
[LAB] rip
[LAB-rip] network 192.168.17.0
[LAB-rip] network 172.16.0.0

Configuring DHCP snooping
Figure 5 Network diagram for DHCP snooping configuration

# Enable DHCP snooping and enable Option 82 support for DHCP snooping.
<Snooping> system-view
[Snooping] dhcp-snooping
[Snooping] dhcp-snooping information enable
[Snooping] dhcp-packet redirect Ethernet 0/11 to 0/13

Configuring the DHCP server in the HQ
# On the 3Com series switches, port numbers, VLAN numbers, and the MAC addresses of the DHCP snooping device and the DHCP relay agent are added to DHCP Option 82. A complete piece of Option 82 information is a combination of the values of two suboptions:

Circuit ID suboption: It identifies the VLAN to which the clients belong and the port to which the DHCP snooping device is connected.
Figure 6 Packet structure of Circuit ID suboption (fields: Type(1), Length(6), 0, 4, VLAN ID, Port Index)
For example, the DHCP messages from clients connected to Ethernet1/0/11 are added with Option 82, whose Circuit ID suboption should be 0x010600040001000a, where 01060004 is a fixed value, 0001 indicates the access port’s VLAN is VLAN 1, and 000a is the absolute number of the port, which is 1 less than the actual port number, indicating the actual port is Ethernet1/0/11.

Remote ID suboption: It identifies the MAC address of the DHCP snooping device connected to the client.
Figure 7 Packet structure of Remote ID suboption (fields: Type(2), Length(8), 0, 6, Bridge MAC Address)
For example, the DHCP messages from clients connected to the DHCP snooping device with MAC 000f-e234-bc66 are added with Option 82, whose Remote ID suboption should be 02080006000fe234bc66, where 02080006 is a fixed value and 000fe234bc66 is the MAC address of the DHCP snooping device.

In this example, IP addresses are assigned based on port number only. Therefore, on the DHCP server, only a matching port number field in the Circuit ID suboption needs to be found.

Note: The following configuration is performed on the Cisco Catalyst 3745 switch running IOS version 12.3(11)T2. If you are using any other models or devices running any other version, see the user manuals provided with the devices.

# Enable DHCP server and allocate IP addresses using Option 82 information.

Switch> enable
Switch(config)# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp use class

# Create a DHCP class for the client connected to Ethernet1/0/11 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option82, and replace the content that does not need to be matched with the wildcard “*”.
Switch(config)# ip dhcp class office1
Switch(dhcp-class)# relay agent information hex 010600040001000a*
Switch(dhcp-class)# exit

# Configure a DHCP class for the client connected to Ethernet1/0/12 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option82.
Switch(config)# ip dhcp class office2
Switch(dhcp-class)# relay agent information hex 010600040001000b*

# Create an address pool for Office and specify address ranges for the two DHCP classes.
Switch(config)# ip dhcp pool office
Switch(dhcp-pool)# network 192.168.10.0
Switch(dhcp-pool)# class office1
Switch(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25
Switch(dhcp-pool-class)# exit
Switch(dhcp-pool)# class office2
Switch(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150
Switch(dhcp-pool-class)# exit

# Configure the lease period, gateway address, DNS server address, and WINS server address for the address pool.
Switch(dhcp-pool)# lease 0 12
Switch(dhcp-pool)# default-router 192.168.10.1
Switch(dhcp-pool)# dns-server 192.168.100.2
Switch(dhcp-pool)# netbios-name-server 192.168.100.3

After the above-mentioned configuration, the DHCP server can automatically assign an IP address, the gateway address, DNS server address, and the WINS server address for each device in Office.

Precautions
Cooperation Between DHCP Relay Agent and XRN
■ In an XRN network, the DHCP relay agent runs on all the units in the Fabric. But only the DHCP relay agent running on the master unit can receive and send packets to perform full DHCP relay agent functions. The DHCP relay agent running on a slave unit, however, only serves as a backup for the master unit.
■ DHCP is an application-layer protocol based on UDP. Once a slave unit receives a DHCP request, UDP-Helper redirects the packet to the master unit. Then, the DHCP relay agent running on the master unit gives a response back to the request and sends the real time information to each slave unit for backup. In this way, when the current master unit fails, one of the slaves becomes the new master and operates as the DHCP relay agent immediately. Therefore, make sure you enable UDP-Helper before using DHCP relay agent in an XRN system.

Protocols and Standards
■ RFC2131: Dynamic Host Configuration Protocol
■ RFC2132: DHCP Options and BOOTP Vendor Extensions
■ RFC3046: DHCP Relay Agent Information Option
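The Circuit ID and Remote ID layouts and the class patterns given under "Configuring the DHCP server in the HQ" can be checked offline with a small decoder. This is an added Python example, not 3Com or Cisco code: the function names are hypothetical, the sample payload is constructed from the two values quoted in the text, and the matcher models only the trailing "*" wildcard.

```python
"""Decode the Option 82 suboptions inserted by the DHCP snooping switch and
pick the address range the way the HQ server's DHCP classes do."""
import struct

# Constructed sample: the Circuit ID and Remote ID values quoted in the text,
# concatenated as one Option 82 payload.
SAMPLE_OPTION82 = bytes.fromhex("010600040001000a" + "02080006000fe234bc66")

# Class patterns and address ranges as configured on the HQ DHCP server.
DHCP_CLASSES = [
    ("office1", "010600040001000a*", ("192.168.10.2", "192.168.10.25")),
    ("office2", "010600040001000b*", ("192.168.10.100", "192.168.10.150")),
]

CIRCUIT_ID, REMOTE_ID = 1, 2


class Option82Error(ValueError):
    """Raised when an Option 82 payload does not follow the expected layout."""


def split_suboptions(payload):
    """Walk the type/length/value suboptions and return {type: value}."""
    suboptions = {}
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise Option82Error("suboption header truncated")
        sub_type, length = payload[offset], payload[offset + 1]
        value = payload[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise Option82Error("suboption %d value truncated" % sub_type)
        if sub_type in suboptions:
            raise Option82Error("suboption %d repeated" % sub_type)
        suboptions[sub_type] = value
        offset += 2 + length
    return suboptions


def decode_circuit_id(value):
    """Value layout: 00 04, VLAN ID (2 bytes), port index (2 bytes)."""
    if len(value) != 6 or value[:2] != b"\x00\x04":
        raise Option82Error("unexpected Circuit ID layout")
    vlan, port_index = struct.unpack("!HH", value[2:])
    # The port index is 1 less than the actual port number.
    return {"vlan": vlan, "port_index": port_index,
            "port_number": port_index + 1}


def decode_remote_id(value):
    """Value layout: 00 06, bridge MAC address (6 bytes)."""
    if len(value) != 8 or value[:2] != b"\x00\x06":
        raise Option82Error("unexpected Remote ID layout")
    mac = value[2:].hex()
    return "-".join(mac[i:i + 4] for i in range(0, 12, 4))


def matches(pattern, payload_hex):
    """Assumption: only the trailing '*' wildcard of the class patterns is modelled."""
    if pattern.endswith("*"):
        return payload_hex.startswith(pattern[:-1].lower())
    return payload_hex == pattern.lower()


def classify(payload):
    """Return (class name, address range) for a payload, or None if unmatched."""
    split_suboptions(payload)  # reject malformed payloads before matching
    payload_hex = payload.hex()
    for name, pattern, address_range in DHCP_CLASSES:
        if matches(pattern, payload_hex):
            return name, address_range
    return None


if __name__ == "__main__":
    subs = split_suboptions(SAMPLE_OPTION82)
    print(decode_circuit_id(subs[CIRCUIT_ID]))
    print(decode_remote_id(subs[REMOTE_ID]))
    print(classify(SAMPLE_OPTION82))
```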


the document covers various functions and applications like time-based ACLs. local traffic mirroring. Acronyms: Access control list (ACL). and WEB Cache redirection. traffic policing. priority re-marking. To satisfy different user needs. traffic measurement.2 QACL CONFIGURATION EXAMPLES Key words: ACL. queue scheduling. port redirection. and QoS Abstract: This document describes QACL configurations on Ethernet switches in actual networking environments. and quality of service (QoS) Supported QACL Functions ACL/QoS Functions Supported by 3Com Stackable Switches Table 6 ACL/QoS functions supported by 3Com stackable switches Switch Function\Model 5500 Basic ACL Advanced ACL Layer 2 ACL Software-based ACL referenced by upper-layer software ● ● ● ● Switch 4500 ● ● ● ● ● Switch 5500G ● ● ● ● ● Switch 4200G ● ● ● Switch 4210 ● ● ● User-defined ACL ● Apply ● hardware-based ACL to hardware Traffic classification Priority re-marking Port rate limiting Traffic policing Traffic shaping Port redirection ● ● ● ● ● ● ● - - ● ● ● ● ● ● ● ● ● ● ● - ● - .

Define an ACL rule rule [ rule-id ] { permit | deny } rule-string . Layer 2 ACLs and user-defined ACLs do not support match-order.means that the function is not supported. ■ Table 7 Configure ACL/QoS in system view Configuration Create an ACL and enter ACL view Command acl number acl-number [ match-order { config | auto } ] Remarks By default. The configuration below uses a 3Com Switch 5500 as an example. refer to corresponding user manuals. For details on the ACL and QoS functions supported by different models. The section below lists basic configuration steps.28 CHAPTER 2: QACL CONFIGURATION EXAMPLES Table 6 ACL/QoS functions supported by 3Com stackable switches Switch Function\Model 5500 Queue scheduling Congestion avoidance Local traffic mirroring Traffic measurement WEB Cache redirection ● ● ● ● ● Switch 4500 ● ● ● ● Switch 5500G ● ● ● Switch 4200G ● Switch 4210 ● - n n Configuration Guide ● means that the function is supported. For the function’s detailed operational instructions. The parameters (criteria) available for rule-string vary with ACL types. . the matching order is config. For ACL/QoS configuration on other switches. refer to switch model’s configuration guide. n ■ ACL/QoS configuration varies with switch models. refer to the configuration guide and command reference guidecommand reference guide for the applicable product. For additional details. refer to the corresponding command reference guide.

line-rate { inbound | outbound } target-rate Reference an ACL for traffic identification. the WRR queue scheduling algorithm is used for all outbound queues on a port. 802. and the priority of local queues. The granularity is 64 kbps. strict priority queuing applies to the queue.Configuration Guide 29 Table 7 Configure ACL/QoS in system view Configuration Configure a queue scheduling algorithm in system view Command queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight } Remarks ■ If the weight or minimum bandwidth of a queue is set to 0 in the WRR or WFQ approach. If an entered number is in the range N×64 to (N+1)×64 (N is a natural number). remark-dscp value: Re-set the DSCP priority. ■ ■ Configure congestion avoidance wred queue-index qstart probability - Table 8 Configure ACL/QoS in port view Configuration Apply an ACL on a port Configure the switch to trust the priority of received packets Configure port-based rate limit Command packet-filter { inbound | outbound } acl-rule priority trust Remarks Configure the switch to trust the priority carried in received packets. the switch takes the value (N+1)×64. and forward the packets. ■ . Default weights are 1:2:3:4:5:9:13:15. and re-assign a priority to the matching packets traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }* Configure traffic policing traffic-limit inbound acl-rule exceed action: specifies the target-rate [ exceed action ] action taken on the excess packets when the packet traffic exceeds the preset limit.1p priority. By default. You can re-mark the IP priority. The queue scheduling algorithm defined using the queue-scheduler command in system view will work on all ports. 
■ drop: Drop the excess packets. DSCP priority of packets.

you can modify the weight or bandwidth in port view if the weight or bandwidth of each queue cannot satisfy the needs of a port.30 CHAPTER 2: QACL CONFIGURATION EXAMPLES Table 8 Configure ACL/QoS in port view Configuration Command Remarks ■ Configure a queue scheduling queue-scheduler { wfq algorithm in port view queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight } The queue scheduling algorithm defined using the queue-scheduler command in Ethernet port view will work on the current port only. In the globally defined WRR or WFQ queue scheduling algorithm. - Reference an ACL for traffic identification. Queue weight or bandwidth defined in port view take priority over the global settings. and measure the traffic of the matching packets . ■ ■ ■ Configure redirection traffic-redirect { inbound | outbound } acl-rule { cpu | interface interface-type interface-number } traffic-statistic inbound acl-rule A packet cannot be forwarded normally if it is redirected to the CPU. The queue weight or bandwidth defined in port view cannot be displayed using the display queue-scheduler command.

Network Environment

Figure 8 Network topology

Figure 8 shows the network topology of a company. The environment is as follows:
■ A Switch 5500 serves as the central switch of the company. The software version is Release 3.
■ The devices within the company gain access to the Internet through Server1 attached to the port GigabitEthernet1/1/1.
■ Server2, Server3, and Server4 are the data server, mail server and file server of the company respectively. They are connected to the port GigabitEthernet1/1/2.
■ The Data Detect Server is connected to the port Ethernet1/0/20.
■ PC1, PC2, PC3 and PC4 are clients of the company, and are connected to the ports Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 respectively.

Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example

Network Requirements

The company gains access to the Internet through Server1. The requirements are as follows:

■ During the period from 8:30 to 18:30 in workdays, the clients are not allowed to access the Internet through HTTP. In other periods, the clients are allowed to access the Internet. The maximum access traffic is 100 Mbps.
■ For the packets with the IP priority of 7 that are sent by PC 1, the allowed maximum rate is 20 Mbps. The DSCP priority of such packets at rates higher than 20 Mbps is modified as EF.
■ For the packets with the CoS priority of 5 that are sent by PC 2, the allowed maximum rate is 10 Mbps. Such packets at rates higher than 10 Mbps are discarded.

Network Diagram

Figure 9 Network diagram for configuration of time-based ACL plus port-based bandwidth limiting plus traffic policing

Configuration Procedure

# Create time range a001, defining the office hours on working days.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Create time range a002, defining off hours.
[3Com] time-range a002 00:00 to 8:30 working-day
[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day

# Define ACL 3010: Forbid the clients to access the Internet through HTTP during the time range a001, classify and mark the packets with the IP priority of 7 generated when PC 1 accesses the Internet during non-workday periods.
[3Com] acl number 3010
[3Com-acl-adv-3010] rule 0 deny tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3010] rule 1 permit ip source 10.0.0.10 0 precedence 7 time-range a002
[3Com-acl-adv-3010] quit

# Define ACL 4010: Classify and mark the packets with the CoS priority of 5 generated when PC 2 accesses the Internet during non-work periods.
[3Com] acl number 4010
[3Com-acl-ethernetframe-4010] rule 0 permit cos 5 source 0012-0990-2241 ffff-ffff-ffff time-range a002
[3Com-acl-ethernetframe-4010] quit

# Apply rule 0 of ACL 3010 to the port GigabitEthernet1/1/1 connected to Server1, and set the maximum traffic rate by clients’ accessing the Internet to 100 Mbps.
[3Com] interface GigabitEthernet 1/1/1
[3Com-GigabitEthernet1/1/1] packet-filter outbound ip-group 3010 rule 0
[3Com-GigabitEthernet1/1/1] line-rate outbound 102400
[3Com-GigabitEthernet1/1/1] quit

# Perform traffic policing for the packets marked rule 1 of ACL 3010 on the port Ethernet1/0/1 connected to PC 1, and modify the DSCP priority of the excess packets to EF.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] traffic-limit inbound ip-group 3010 rule 1 20480 exceed remark-dscp ef
[3Com-Ethernet1/0/1] quit

# Perform traffic policing for the packets marked rule 0 of ACL 4010 on the port Ethernet1/0/2 connected to PC 2, set the maximum traffic rate to 10 Mbps, and discard the excess packets.
[3Com] interface Ethernet 1/0/2
[3Com-Ethernet1/0/2] traffic-limit inbound link-group 4010 rule 0 10240 exceed drop

Note: The traffic-limit command works only with the permit rules in ACLs.

Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus Congestion Avoidance plus Packet Priority Trust

Network Requirements

Server2, Server3, and Server4 are the data server, mail server and file server of the company respectively. The detailed requirements are as follows:

■ The switch first processes the packets accessing the data server, then the packets accessing the mail server, and finally the packet accessing the file server.
■ Configure the port GigabitEthernet1/1/2 to use the WRR queue priority algorithm, and configure the weight of outbound queues as 1:1:1:5:1:10:1:15.
■ Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use WRED: Discard subsequent packets at random when the queue is more than 64 packets in size, and configure the probability of discarding as 20%.
■ Configure the port Ethernet1/0/3 to trust the priority of packets rather than to use the priority of the port.

Network Diagram

Figure 10 Network diagram for configuration of priority re-marking plus queue scheduling algorithm plus congestion avoidance plus packet priority trust

Configuration Procedure

# Define ACL 3020: Classify and mark packets according to their destination IP addresses.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] acl number 3020
[3Com-acl-adv-3020] rule 0 permit ip destination 10.0.0.2 0
[3Com-acl-adv-3020] rule 1 permit ip destination 10.0.0.3 0
[3Com-acl-adv-3020] rule 2 permit ip destination 10.0.0.4 0
[3Com-acl-adv-3020] quit

# Re-mark priority for the packets on the port GigabitEthernet1/1/2 that match the rules in ACL 3020.
[3Com] interface GigabitEthernet 1/1/2
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 0 local-precedence 7

[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 1 local-precedence 5
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 2 local-precedence 3

# Configure the WRR queue scheduling algorithm on the port GigabitEthernet1/1/2, and configure the weight of outbound queues as 1:1:1:5:1:10:1:15.
[3Com-GigabitEthernet1/1/2] queue-scheduler wrr 1 1 1 5 1 10 1 15

# Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use WRED: Discard subsequent packets at random when the queue is more than 64 packets in size, and configure the probability of discarding as 20%.
[3Com-GigabitEthernet1/1/2] wred 4 64 20
[3Com-GigabitEthernet1/1/2] quit

# Configure the port Ethernet1/0/3 connected to PC 3 to trust the 802.1p priority carried by packets.
[3Com] interface Ethernet 1/0/3
[3Com-Ethernet1/0/3] priority trust

Note: The traffic-priority command works only with the permit rules in ACLs.

Configuration Example of Traffic Measurement plus Port Redirection

Network Requirements

The Data Detect Server is connected to the port Ethernet1/0/20. The detailed requirements are as follows:
■ Measure the HTTP traffic generated by Internet access through the port Ethernet1/0/1 during non-workday periods.
■ Redirect all the HTTP traffic generated by the Internet access through the port Ethernet1/0/1 during workday period to the port Ethernet1/0/20.

Network Diagram

Figure 11 Network diagram for configuration of traffic measurement plus port redirection (Data Detect Server on E1/0/20; PC 1, 10.0.0.10, 0012-a990-2440, on E1/0/1)

Configuration Procedure

# Configure a workday period.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Configure non-workday periods.
[3Com] time-range a002 00:00 to 8:30 working-day
[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP according to periods.
[3Com] acl number 3030
[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3030] rule 1 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a002

# Configure traffic redirection on the port Ethernet1/0/1: Redirect all the HTTP traffic generated by Internet access during workday period to the port Ethernet1/0/20.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] traffic-redirect inbound ip 3030 rule 0 interface Ethernet 1/0/20

# Measure the HTTP traffic generated by Internet access during non-workday periods on the port Ethernet1/0/1.
[3Com-Ethernet1/0/1] traffic-statistic inbound ip-group 3030 rule 1

Note: The traffic-redirect and traffic-statistic commands work only with the permit rules in ACLs.

Configuration Example of Local Traffic Mirroring

Network Requirements

The Data Detect Server is connected to the port Ethernet1/0/20. All the packets accessing the Internet through the ports Ethernet1/0/1 and Ethernet1/0/2 using HTTP during workday period must be mirrored to the port Ethernet1/0/20. Then, the Data Detect Server analyzes the packets.

Network Diagram

Figure 12 Network diagram for configuration of traffic mirroring (Data Detect Server on E1/0/20; PC 1, 10.0.0.10, 0012-a990-2440, on E1/0/1; PC 2, 10.0.0.11, 0012-a990-2441, on E1/0/2)

Configuration Procedure

# Configure a workday period.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP during workday period.
[3Com] acl number 3030
[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001
[3Com-acl-adv-3030] quit

# Configure the port Ethernet1/0/20 as the mirroring destination port.

[3Com] interface Ethernet 1/0/20
[3Com-Ethernet1/0/20] monitor-port
[3Com-Ethernet1/0/20] quit

# Configure traffic mirroring on the ports Ethernet1/0/1 and Ethernet1/0/2: Perform traffic identification through ACL 3030, and mirror the matching packets to the destination port Ethernet1/0/20.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] mirrored-to inbound ip-group 3030 rule 0 monitor-interface
[3Com-Ethernet1/0/1] quit
[3Com] interface Ethernet 1/0/2
[3Com-Ethernet1/0/2] mirrored-to inbound ip-group 3030 rule 0 monitor-interface

Note: The mirrored-to command works only with the permit rules in ACLs.

Precautions

Note the following points during the configurations:
1 When ACL rules are applied to a port, the match order of multiple rules in an ACL depends on the hardware of the switch. For the Switch 5500 Family, the match order is “first applied, last matched”. Even if you configure a match order while defining an ACL, the configured one will not work.
2 Each port supports eight outbound queues. The priority of Queues 7 to 0 goes down one by one. When the SP+WRR queue scheduling algorithm is applied on a port, the switch will first schedule the queue with the weight of 0. If no packets are sent from the queue, the switch will perform the WRR scheduling for the remaining queues. When the SP+WFQ queue scheduling algorithm is applied on a port, the switch will first schedule the queue with the bandwidth of 0. If no packets are sent from the queue, the switch will perform the WFQ scheduling for the remaining queues.
3 The switch can be configured with multiple mirroring source ports but only one mirroring destination port. You are recommended to use the mirror destination port only for forwarding mirroring traffic rather than as a service port. Otherwise, normal services may be affected.
4 The traffic-limit, traffic-priority, traffic-redirect, and mirrored-to commands can work only on the permit rules in ACLs.
5 For the TCP/UDP port in an advanced ACL, only the eq operator is supported.
6 For a Layer 2 ACL, the format-type (including 802.3/802.2, 802.3, ether_ii, and snap) parameter is not supported.
7 All redirected packets will be tagged no matter whether the egress port is tagged.
8 When configuring a user-defined ACL, consider the following points for the offset length:
■ All the packets that are processed by the switch internally have a VLAN tag. One VLAN tag is four bytes in length.
■ If the VLAN VPN function is disabled, all the packets that are processed by the switch internally have one VLAN tag.

■ If the VLAN VPN function is enabled on a port, the switch will add another layer of VLAN tag to the packets received on all ports. No matter whether the packets contain a VLAN tag originally, the packets will have two layers of VLAN tags.

The table below lists the common protocol types and offset.

Table 9 Common protocol type and offset

Protocol type   Protocol number   Offset (VLAN VPN disabled)   Offset (VLAN VPN enabled)
ARP             0x0806            16                           20
RARP            0x8035            16                           20
IP              0x0800            16                           20
IPX             0x8137            16                           20
AppleTalk       0x809B            16                           20
ICMP            0x01              27                           31
IGMP            0x02              27                           31
TCP             0x06              27                           31
UDP             0x17              27                           31

Other Functions Referencing ACL Rules

Other functions that reference ACL rules are as follows:
■ Telnet/SNMP/WEB login user control. For Telnet users, ACLs 2000 to 4999 may be referenced, and for SNMP/WEB users, ACLs 2000 to 2999 may be referenced.
■ ACLs 2000 to 3999 can be referenced for routing policy match.
■ ACLs 2000 to 3999 can be referenced for filtering route information.
■ ACLs 2000 to 3999 can be referenced for displaying the routing entries that match an ACL rule.
■ ACLs 2000 to 3999 can be referenced for displaying the FIB entries that match an ACL rule.
■ ACLs 2000 to 3999 can be referenced for connecting a TFTP client to the TFTP server.

The functions that reference system ACL rules include:
■ 802.1x function (after 802.1x is enabled globally and on a port, ACL rules are referenced to apply)
■ Cluster function (the function is enabled by default, ACL rules are referenced to apply to all ports). ACL 3998 and ACL 3999 are reserved for cluster management, and cannot be configured.
■ DHCP snooping (after the function is enabled, ACL rules are referenced to apply to all ports)
■ Port isolation (If the function is configured and a virtual interface is available, ACL rules are referenced to apply)
■ MAC+IP port binding (after the function is configured on a port, ACL rules are referenced to apply)

■ Flexible QinQ (after this function is configured on a port, the ACL rules within the configured range are referenced to apply)
■ Voice VLAN (if Voice VLAN is enabled on a port and an OUIMAC is available, ACL rules are referenced to add)

Configuration Example of WEB Cache Redirection

Note: Now, only the Switch 5500 Family supports the WEB Cache redirection function.

Network Requirements

Figure 13 shows the network topology of a company. The environment is as follows:
■ A Switch 5500 serves as the central switch of the company. The software version is Release 3.
■ The marketing department gains access to the switch through the port Ethernet1/0/1. It belongs to VLAN 10, and the network segment is 192.168.1.1/24.
■ The R&D department gains access to the switch through the port Ethernet1/0/2. It belongs to VLAN 20, and the network segment is 192.168.2.1/24.
■ The administrative department gains access to the switch through the port Ethernet1/0/3. It belongs to VLAN 30, and the network segment is 192.168.3.1/24.
■ The WEB Cache Server gains access to the switch through the port Ethernet1/0/4. It belongs to VLAN 40, and the network segment is 192.168.4.1/24. The IP address of the WEB Cache Server is 192.168.4.2, and the MAC address of it is 0012-0990-2250.

The WEB Cache redirection function is enabled on the switch, and all the packets of the marketing department, R&D department, and administrative department are redirected to the WEB Cache Server, so as to relieve the load from the connection links of the WAN, and improve the speed of Internet access.

Network Diagram

Figure 13 Network diagram for configuration of WEB Cache redirection (WEB Cache Server, 192.168.4.2, 0012-0990-2250, in VLAN 40 on E1/0/4; Market Department in VLAN 10 on E1/0/1; R&D Department in VLAN 20 on E1/0/2; Administrative Department in VLAN 30 on E1/0/3)

Configuration Procedure

# Create VLAN 10 for the marketing department, and assign an IP address 192.168.1.1 to the VLAN interface 10.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 10
[3Com-vlan10] port Ethernet 1/0/1
[3Com-vlan10] quit
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 192.168.1.1 24
[3Com-Vlan-interface10] quit

# Create VLAN 20 for the R&D department, and assign an IP address 192.168.2.1 to the VLAN interface 20.
[3Com] vlan 20
[3Com-vlan20] port Ethernet 1/0/2
[3Com-vlan20] quit
[3Com] interface Vlan-interface 20
[3Com-Vlan-interface20] ip address 192.168.2.1 24
[3Com-Vlan-interface20] quit

# Create VLAN 30 for the administrative department, and assign an IP address 192.168.3.1 to the VLAN interface 30.
[3Com] vlan 30
[3Com-vlan30] port Ethernet 1/0/3
[3Com-vlan30] quit
[3Com] interface Vlan-interface 30
[3Com-Vlan-interface30] ip address 192.168.3.1 24
[3Com-Vlan-interface30] quit

# Create VLAN 40 for the WEB Cache Server, and assign an IP address 192.168.4.1 to the VLAN interface 40.
[3Com] vlan 40
[3Com-vlan40] port Ethernet 1/0/4
[3Com-vlan40] quit
[3Com] interface Vlan-interface 40
[3Com-Vlan-interface40] ip address 192.168.4.1 24
[3Com-Vlan-interface40] quit

# Enable the WEB Cache redirection function, and redirect all the HTTP packets received on VLAN 10, VLAN 20 and VLAN 30 to the WEB Cache Server.
[3Com] webcache address 192.168.4.2 mac 0012-0990-2250 vlan 40 port Ethernet 1/0/4
[3Com] webcache redirect-vlan 10
[3Com] webcache redirect-vlan 20
[3Com] webcache redirect-vlan 30

Note: The VLAN interface 40, VLAN interface 10, VLAN interface 20, and VLAN interface 30 must be in UP state. Otherwise, the WEB Cache redirection function will not work.
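Returning to precaution 8 and Table 9 of this chapter: the following added example (not part of the 3Com manual) builds frames as the switch handles them internally, with one or two VLAN tags, and shows why the protocol fields sit at offsets 16/27 or 20/31 and how a user-defined rule written for the wrong VLAN VPN state silently stops matching. The MAC addresses, VLAN IDs and the use of TPID 0x8100 for both tags are assumptions made for the illustration.

```python
import socket
import struct

TPID_8021Q = 0x8100      # assumption: both internal tags use the standard 802.1Q TPID
VLAN_TAG_LEN = 4         # "One VLAN tag is four bytes in length"
MAC_HEADER_LEN = 12      # destination MAC (6 bytes) + source MAC (6 bytes)
IPV4_PROTOCOL_BYTE = 9   # the Protocol field is byte 9 of the IPv4 header

ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_TCP = 0x06


def field_offsets(vlan_vpn_enabled):
    """Byte offsets from the start of the frame for the two field kinds in Table 9."""
    tags = 2 if vlan_vpn_enabled else 1
    protocol_type = MAC_HEADER_LEN + tags * VLAN_TAG_LEN
    return {
        "protocol_type": protocol_type,                       # ARP, IP, IPX, ...
        "ip_protocol": protocol_type + 2 + IPV4_PROTOCOL_BYTE,  # ICMP, TCP, ...
    }


def ipv4_header(protocol, src, dst):
    """Minimal 20-byte IPv4 header; checksum left at 0 because only offsets matter."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def internal_frame(vlan_ids, ether_type, payload):
    """Frame as seen inside the switch: MACs, one tag per VLAN ID, type, payload."""
    frame = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # constructed MACs
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ether_type) + payload


def rule_matches(frame, offset, pattern):
    """What a user-defined ACL rule does: compare bytes at a fixed offset."""
    return frame[offset:offset + len(pattern)] == pattern


def demo():
    tcp = ipv4_header(PROTO_TCP, "10.0.0.10", "10.0.0.1")
    single = internal_frame([10], ETH_IP, tcp)        # VLAN VPN disabled: one tag
    double = internal_frame([100, 10], ETH_IP, tcp)   # VLAN VPN enabled: two tags
    off_single, off_double = field_offsets(False), field_offsets(True)
    want = bytes([PROTO_TCP])
    return {
        "single_tcp": rule_matches(single, off_single["ip_protocol"], want),
        "double_tcp": rule_matches(double, off_double["ip_protocol"], want),
        # Failure mode: a rule written with the "VLAN VPN disabled" offset
        # is evaluated against a double-tagged frame and no longer matches.
        "stale_rule_on_double": rule_matches(double, off_single["ip_protocol"], want),
        # Offset 16 of a double-tagged frame holds the second tag, not the type.
        "bytes_at_16_in_double": double[16:18].hex(),
    }


if __name__ == "__main__":
    print(field_offsets(False), field_offsets(True))
    print(demo())
```
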

3 802.1X CONFIGURATION EXAMPLE

Keywords: 802.1x and AAA

Abstract: This article introduces the application of 802.1x on Ethernet switches in real network environments, and then presents detailed configurations of the 802.1x client, LAN Switch and AAA server respectively.

Acronyms: AAA (Authentication, Authorization and Accounting)

Note: The use of this document is restricted to 3Com Switch 4500, Switch 5500, Switch 5500G, Switch 4210, and Switch 4200 Families.

Introduction to 802.1X

The LAN defined in IEEE 802 protocols does not provide access authentication. In general, users can access network devices or resources in a LAN as long as they access the LAN. When it comes to application circumstances like telecom network access, building, LAN and mobile office, however, administrators need to control and configure the access of user devices. Therefore, port- or user-based access control comes into being.

802.1x is a port-based network access control protocol. It is widely accepted by vendors, service providers and end users for its low cost, superior service continuity and scalability, and high security and flexibility.

Features Configuration

Global Configuration
■ Enable 802.1x globally
■ Set time parameters
■ Set the maximum number of authentication request attempts
■ Enable the quiet timer
■ Enable re-authentication upon reboot

Configuration in Port View
■ Enable dot1x on the port
■ Enable Guest VLAN
■ Set the maximum number of users supported on the port
■ Set a port access control method (port-based or MAC-based)

Enable 802. Optional macbased by default Port-based access control is required for Guest VLAN. the configured dot1x parameters only take effect after dot1x is enabled.. Authentication/authorization server: Configuring the authentication/authorization server correctly is required. Otherwise. refer to related manuals. dot1x Remarks Required Disabled by default Enable 802. Precautions ■ ■ ■ 802.1x must be enabled both globally in system view and on the intended port in system view or port view.1x globally Use the command.1x and AAA on the authenticator system is required.. The vlan-id of the Guest VLAN must be created beforehand. authenticator system (switch) and authentication/authorization server correctly. ■ The following table shows 802. Table 10 802.1x configuration commands necessary for configuring the switch (authenticator system). ■ ■ Supplicant system: Ensures that the PC uses a right client. However. Authenticator system: Configuring 802. The configured dot1x parameters are reserved after dot1x is disabled and will take effect if dot1x is re-enabled. Set a port access control dot1x port-method method for the specified { macbased | portbased } [ interface interface-list ] or all ports .44 CHAPTER 3: 802.1x configuration commands To.1X Configuration Commands To implement 802. force-unauthorized or auto) Enable client version checking Enable proxy detection The configuration of dot1x takes effect only after the dot1x feature is enabled globally... You can configure dot1x parameters associated with Ethernet ports or devices before enabling dot1x.1x on one or In system view Required more ports dot1x [ interface interface-list ] Disabled on a port by default In port view dot1x 802. Enable a Guest VLAN on dot1x guest-vlan vlan-id the specified or all ports [ interface interface-list ] Required Not enabled by default.1X CONFIGURATION EXAMPLE ■ ■ ■ Set a port access control mode (force-authorized. you need to configure the supplicant system (client). 
For configuration information on other devices. it does not function.1x.

Enterprise Network Access Authentication Configuration Example

Note: The configuration or information displayed may vary with devices. The following example uses the 3Com Switch 5500 (using software Release 1510).

Network Application Analysis

An administrator of an enterprise network needs to authenticate users accessing the network on a per-port basis on the switch to control access to network resources. Table 11 shows the details of network application analysis.

Table 11 Network application analysis

Network requirements: Access of users is controlled by authentication.
Solution: Enable 802.1x

Network requirements: Users can only access VLAN 10 before the authentication succeeds.
Solution: Enable Guest VLAN

Network requirements: Users can access VLAN 100 after the authentication succeeds.
Solution: Enable dynamic VLAN assignment

Network requirements: Users select the monthly payment service of 50 dollars and use 2M bandwidth to access the network.
Solution: Configure an accounting policy and bandwidth restraint policy on the RADIUS server

Network requirements: IP address and MAC address are bound after a user logs in.
Solution: Set MAC-to-IP binding

Network requirements: Tear down the connection by force if it is idle for 20 minutes.
Solution: Enable idle cut

Network requirements: Users can be re-authenticated successfully after the switch reboots abnormally.
Solution: Enable re-authentication upon reboot

Network Diagram

Figure 14 Network diagram for enterprise network application (Supplicant on Ethernet 1/0/3, VLAN 1; Update Server on Ethernet 1/0/1, VLAN 10; Authentication Server on Ethernet 1/0/4, VLAN 2; Internet on Ethernet 1/0/2, VLAN 100)

Configuration Procedure

Configuring the Switch

# Create a RADIUS scheme named cams, and specify the primary and secondary authentication/accounting servers.
<3Com> system-view
[3Com] radius scheme cams
[3Com-radius-cams] primary authentication 192.168.1.19
[3Com-radius-cams] primary accounting 192.168.1.19
[3Com-radius-cams] secondary authentication 192.168.1.20
[3Com-radius-cams] secondary accounting 192.168.1.20

# Set the password to expert for the switch to exchange messages with the RADIUS authentication and accounting servers.
[3Com-radius-cams] key authentication expert
[3Com-radius-cams] key accounting expert

# Set the username format to fully qualified user name with domain name.
[3Com-radius-cams] user-name-format with-domain

# Set the server type to extended.
[3Com-radius-cams] server-type extended

# Enable re-authentication upon reboot.
[3Com-radius-cams] accounting-on enable

# Create an ISP domain named abc and adopt the RADIUS scheme cams for authentication.
[3Com] domain abc
[3Com-isp-abc] radius-scheme cams
[3Com-isp-abc] quit

# Set the ISP domain abc as the default ISP domain.
[3Com] domain default enable abc

# Enable dynamic VLAN assignment.
[3Com-isp-abc] vlan-assignment-mode integer

# Enable Guest VLAN 10 on the specified port.
[3Com] vlan 10
[3Com-Ethernet1/0/3] dot1x port-method portbased
[3Com-Ethernet1/0/3] dot1x guest-vlan 10

# Enable 802.1x.
[3Com] dot1x

# Enable dot1x in port view.
[3Com-Ethernet1/0/3] dot1x

# Use the display command to view the configuration associated with 802.1x and AAA parameters.
[3Com] display dot1x interface ethernet1/0/3
Global 802.1x protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
 ReAuth Period 3600 s, ReAuth MaxTimes 2
 Quiet Period 60 s, Quiet Period Timer is disabled
 Supp Timeout 30 s, Server Timeout 100 s
 Interval between version requests is 30s
 Maximal request times for version information is 3
 The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
Ethernet1/0/3 is link-up
 802.1x protocol is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Version-Check is disabled
 The port is an authenticator
 Authentication Mode is Auto
 Port Control Type is Port-based
 ReAuthenticate is disabled
 Max number of on-line users is 256
 Authentication Success: 0, Failed: 0
 EAPOL Packets: Tx 0, Rx 0
 Sent EAP Request/Identity Packets : 0
 EAP Request/Challenge Packets: 0
 Received EAPOL Start Packets : 0
 EAPOL LogOff Packets: 0
 EAP Response/Identity Packets : 0
 EAP Response/Challenge Packets: 0
 Error Packets: 0
 Controlled User(s) amount to 0
[3Com] display radius scheme cams
SchemeName =cams Index=1 Type=extended
Primary Auth IP =192.168.1.19 Port=1812
Primary Acct IP =192.168.1.19 Port=1813
Second Auth IP =192.168.1.20 Port=1812
Second Acct IP =192.168.1.20 Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =with-domain
Data flow unit =Byte
Packet unit =1

unit 1 :
Primary Auth State=active, Second Auth State=active
Primary Acc State=active, Second Acc State=active
[3Com] display domain abc
The contents of Domain abc:
State = Active
RADIUS Scheme = cams
Access-limit = Disable
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable

Configuring the RADIUS Server

The configuration of CAMS authentication, authorization and accounting server consists of four parts:
■ “Creating an accounting policy”
■ “Adding a service”
■ “Adding an account user”
■ “Configuring the access device”

The following parts take CAMS server V1.20 (standard version) as an example to introduce CAMS configuration.

Logging in the CAMS configuration console

1 Enter the correct user name and password on the login page to log in to the CAMS configuration console.

Figure 15 Login page of CAMS configuration console

2 After login, the following page appears:

Figure 16 CAMS configuration console

Creating an accounting policy

1 Enter the Accounting Policy Management page.
Log in the CAMS configuration console. On the navigation tree, select [Charges Management/Accounting Policy] to enter the [Accounting Policy Management] page, as shown in Figure 17.

Figure 17 Accounting Policy Management

The list shows the created accounting policies. You can query, modify or maintain these policies.

2 Create an accounting policy.
Click <Add> to enter the [Accounting Policy Basic Information] page and create a monthly payment accounting policy, as shown in Figure 18.

Figure 18 Accounting Policy Basic Information

3 Click <Next> to enter the [Accounting Attribute Settings] page, and set Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee to 50 dollars, as shown in Figure 19.

Figure 19 Accounting Attribute Settings

Click <OK>. A monthly payment accounting policy is created.

Adding a service

1 Enter the Service Config page.
Log in the CAMS configuration console. On the navigation tree, select [Service Management/Service Config] to enter the [Service Config] page, as shown in Figure 20.

Figure 20 Service Config

The list shows the created service types. You can query, modify or delete these service types.

2 Add a service.
Click <Add> to enter the [Add Service] page and configure as follows:
■ Service Name: abc

■ Service Suffix Name: abc
■ Accounting Policy: Monthly Fixed Payment
■ Upstream Rate Limitation: 2M (2048 Kbps)
■ Downstream Rate Limitation: 2M (2048 Kbps)
■ VLAN Assignment: VLAN 100
■ Authentication Binding: Bind user IP address and bind user MAC address

Figure 21 Add Service

Click <OK>. A service type is added.

Adding an account user

1 Enter the Account Management page.
Log in the CAMS configuration console. On the navigation tree, select [User Management/Account User] to enter the [Account Management] page, as shown in Figure 22.

Figure 22 Account Management

The list shows the created account users. You can maintain these account users.

2 Add an account user.
Click <Add> to enter the [Add Account] page and configure as follows:

■ Account: info
■ Password: info
■ Full Name: Bruce
■ Prepaid Money: 100 dollars
■ Bind multiple IP address and MAC address: enable
■ Online Limit: 1
■ Max. Idle Time: 20 minutes
■ Service Information: abc

Figure 23 Add Account

Click <OK>. An account user is added.

Configuring the access device

1 Enter the System Configuration page.
Log in the CAMS configuration console. On the navigation tree, select [System Management/System Configuration] to enter the [System Configuration] page, as shown in Figure 24.

Figure 24 System Configuration

2 Click the Modify link for the Access Device item to enter the [Access Device Configuration] page to modify access device configuration like IP address, shared key, and authentication and accounting ports.

Figure 25 Access Device Configuration

Adding configuration item

1 Click <Add> to enter the [Add Access Device] page and add configuration items, as shown in Figure 26.

Figure 26 Add Access Device

2 Click <OK>. The prompt page appears as shown in Figure 27.

Figure 27 Page prompting that system configuration is modified successfully

3 Return to the [System Configuration] page and click <Validate Now> to make the configuration take effect immediately.

Figure 28 Validate Now on System Management page

Configuring the Supplicant System

You need to install an 802.1x client on the PC, which may be 3Com’s 802.1x client, the client shipped with Windows XP or other client from the third party. The following takes 3Com’s 802.1X as an example to introduce how to configure the supplicant system.

Starting up 3Com authentication client

Figure 29 3Com authentication client

Creating a connection

Right click the 802.1x Authentication icon and select [Create an 802.1x connection], as shown in Figure 30.

Figure 30 Create an 802.1x connection

Configuring connection attributes
Click <Next> to enter the [Set special properties] page:

Figure 31 Set special properties
Keep default settings and click <OK>. The prompt page appears as shown in Figure 32.

Figure 32 Page prompting that a connection is created successfully

Initiating the connection
Double click the info connection:
Figure 33 Connecting
The connection succeeds:

Figure 34 Page prompting that the Authentication succeeds

Verifying Configuration
To verify that the configuration of Guest VLAN is taking effect, check that users can access VLAN 10 before 802.1x authentication or the 802.1x authentication fails.
To verify that the dynamically assigned VLAN is taking effect, check that users can access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x authentication cooperates with CAMS to complete accounting and real time monitoring.
To verify that the configuration of IP-to-MAC binding is taking effect, check that users can be re-authenticated and access the Internet when the device reboots abnormally. If the configured IP-to-MAC binding is different from that on the CAMS, the user cannot access the Internet.

Troubleshooting
Symptom: 802.1x authentication failed
Solution:
■ Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
■ Verify the username and password are set correctly.
■ Verify the connection works well.
■ Use the debugging dot1x packet command to verify the switch receives and sends EAP and EAPoL packets normally.
Symptom: Users can access network resources without 802.1x authentication
■ Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.

■ Use the display interface command to verify the statistics of incoming packets are available for the specified port. 802.1x authentication applies only to incoming packets, not outgoing packets.


4 SSH CONFIGURATION EXAMPLE

Keywords: SSH, RSA
Abstract: This article introduces the application of SSH on the 3Com stackable switches in real network environments, and then presents detailed configurations of the involved SSH client and Ethernet switches respectively.
Acronyms: SSH (Secure Shell), RSA (Rivest Shamir Adleman)

Introduction to SSH
Secure Shell (SSH) is designed to provide secure remote login and other security services in insecure network environments. When users remotely access the switch across an insecure network, SSH will automatically encrypt data before transmission and decrypt data after they reach the destination to guarantee information security and protect switches from such attacks as plain-text password interception. In addition, SSH provides powerful authentication to defend against the man-in-the-middle attacks.
SSH uses the client/server mode, by which the SSH server accepts the connection requests from SSH clients and provides authentication. SSH clients can establish SSH connections and log into the SSH server through the SSH connections.
SSH also provides other functions, such as compressing the data to be transmitted to speed up the transmission speed, functioning as Telnet, and providing secure channels for FTP, PoP and even PPP.
Note: For details about SSH functions supported on different Ethernet switches, refer to related user manuals.

Support for SSH Functions
Table 12 List of SSH functions supported on the 3Com stackable switches
Model           SSH server    SSH client
Switch 5500     ●             ●
Switch 4500     ●             ●
Switch 5500G    ●             ●
Switch 4200     ●             ●
Switch 4200G    ●             ●
Switch 4210     ●             ●

SSH Configuration

Configuring an SSH Server
For a 3Com switch to be the SSH server
■ Configure the protocols supported on user interfaces
■ Create or destroy a RSA key pair
■ Export a RSA key pair
■ Create an SSH user and specify an authentication type
■ Specify a service type for the SSH user
■ Configure the SSH management function on the SSH server
■ Configure a client public key on the SSH server
■ Specify a public key for the SSH user
■ Specify the source IP address or source interface of packets
For a non 3Com device to be the SSH server
For such configuration, refer to the related user manual.

Configuring an SSH Client
Using SSH client software
There are many kinds of SSH client software, such as PuTTY, Winscp, Tectia, and OpenSSH. You can select one as required and refer to the attached manual for configuration.
Using an SSH2-capable switch
■ Configure whether first-time authentication is supported
■ Establish a connection between the SSH client and the SSH server

Precautions
■ If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
■ Creating a RSA key pair on the SSH server is necessary for successful SSH login.
■ For new SSH users to login successfully, you must specify an authentication type for them.

SSH Configuration Commands
To implement SSH, you need to configure the SSH client and the SSH server correctly. The following sections describe switch’s SSH configuration commands. For more information, refer to the SSH section of the applicable configuration guide.
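An added example (not 3Com code): a Python check of a planned command script against the three precautions above, plus the Table 14 default that a user interface accepts Telnet as well as SSH. The function and the finding names are this example's own; the first script is the password-authentication example from later in this chapter, the second is constructed.

```python
import re

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")   # "<3Com>" or "[3Com-ui-vty0-4]"

# Command script from this chapter's password-authentication example.
PAGE_EXAMPLE = """\
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type password
"""

# Constructed script that misses all three precautions and leaves Telnet on.
BROKEN = """\
system-view
user-interface vty 0 4
protocol inbound all
quit
local-user client002
service-type ssh level 3
quit
"""


def check_ssh_server_script(script):
    """Return sorted (finding, subject) pairs; an empty list means every check passed."""
    view = None                       # (kind, name) of the current view; None = system view
    uis = {}                          # user-interface name -> effective settings
    ssh_users, typed_users = set(), set()
    default_type = key_pair = False
    for raw in script.splitlines():
        w = PROMPT.sub("", raw).split()
        if not w or w[0].startswith("#"):
            continue                  # blank line, bare prompt or "# comment"
        in_ui = view is not None and view[0] == "ui"
        if w[0] == "quit":
            view = None
        elif w[0] == "user-interface":
            view = ("ui", " ".join(w[1:]))
            # Defaults per Table 14: Telnet and SSH accepted, authentication mode password.
            uis.setdefault(view[1], {"ssh": True, "telnet": True, "scheme": False})
        elif w[0] == "local-user" and len(w) > 1:
            view = ("user", w[1])
        elif w[0] == "interface":
            view = ("other", "")
        elif in_ui and w[0] == "authentication-mode" and len(w) > 1:
            uis[view[1]]["scheme"] = w[1] == "scheme"
        elif in_ui and w[:2] == ["protocol", "inbound"] and len(w) > 2:
            uis[view[1]].update(ssh=w[2] in ("all", "ssh"), telnet=w[2] in ("all", "telnet"))
        elif view is not None and view[0] == "user" and w[:2] == ["service-type", "ssh"]:
            ssh_users.add(view[1])
        elif w[:3] == ["rsa", "local-key-pair", "create"]:
            key_pair = True
        elif w[:3] == ["rsa", "local-key-pair", "destroy"]:
            key_pair = False
        elif w[:3] == ["ssh", "authentication-type", "default"]:
            default_type = True
        elif w[:2] == ["ssh", "user"] and len(w) > 3:
            ssh_users.add(w[2])
            if w[3] == "authentication-type":
                typed_users.add(w[2])

    findings = []
    for name, ui in uis.items():
        if ui["ssh"] and not ui["scheme"]:
            findings.append(("ssh-without-scheme", name))      # precaution 1
        if ui["telnet"]:
            findings.append(("telnet-accepted", name))         # clear-text login still possible
    if not key_pair:
        findings.append(("no-rsa-key-pair", "server"))         # precaution 2
    if not default_type:
        for user in ssh_users - typed_users:
            findings.append(("no-authentication-type", user))  # precaution 3
    return sorted(findings)


if __name__ == "__main__":
    for label, script in (("page example", PAGE_EXAMPLE), ("constructed", BROKEN)):
        print(label, check_ssh_server_script(script) or "no findings")
```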

Configuring a 3Com Switch as an SSH Server

Configuration Procedure
Table 13 Configure the switch as an SSH server
Role: SSH server
Common configuration: For detailed commands, refer to “Common configuration” on page 64.
Authentication type and public key configuration:
■ Password authentication. For detailed commands, refer to “Password authentication configuration” on page 65.
■ RSA authentication. Configure a public key manually: copy the public key from the client public key file to the SSH server. For detailed commands, refer to “Configuring the client RSA public key manually” on page 65.
■ RSA authentication. Import a public key: import the public key from the client public file to the SSH server through commands. For detailed commands, refer to “Importing the client RSA public key” on page 66.
■ RSA authentication. Associate the client public key saved on the SSH server to the SSH client.

Precautions for authentication type configuration
The above table introduces the password authentication and RSA authentication separately. In practice, you can combine the two authentication types.
■ Executing the ssh authentication-type default password-publickey command or the ssh user authentication-type password-publickey command means that users must not only pass the password authentication but also pass the RSA authentication to login the SSH server.
■ Executing the ssh authentication-type default all command or the ssh user authentication-type all command means that users can login the SSH server as long as they pass either the password or RSA authentication.

Public key configuration procedure and precautions
As shown in Table 13, you need to copy or import the public key from the client to the server.
1 Manually configure the RSA public key
■ When a switch acts as the SSH client, use the display rsa local-key-pair public command to display the RSA public key after creating RSA key pair through the corresponding commands.
■ Manually copy the RSA public key to the SSH server. Thus, the SSH server has the same public key as the SSH client, and can authenticate the SSH client when the SSH client establishes a connection with it.
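An added example (not from the 3Com documentation): in this chapter's examples the key code printed by display rsa local-key-pair public and typed into public key code view is a DER-style PKCS #1 RSAPublicKey written as hex words, with the modulus given without DER's leading zero byte. The Python below decodes it so that both ends of a manual copy can be compared by fingerprint and the modulus size checked. The SHA-256 fingerprint convention and the MIN_BITS threshold are assumptions of this example; the two key codes are the ones shown in the switch-to-switch examples later in this chapter.

```python
import hashlib
import re

MIN_BITS = 2048  # assumption of this example: smallest RSA modulus local policy accepts

# Key codes as displayed in this chapter's examples.
KEY_512 = """
3047 0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203 010001
"""
KEY_1024 = """
308188 028180
C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
C289B7DD 2BE0F7AD
0203 010001
"""


def _tlv(buf, pos, tag):
    """Read one tag-length-value item starting at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at byte {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form, e.g. 81 88 means 136 bytes
        n = length & 0x7F
        if not 1 <= n <= 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("key code is shorter than its length field says")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a key code (hex words, any spacing, optional CLI prompts)."""
    hex_digits = re.sub(r"\[[^\]]*\]|\s+", "", text)   # drop "[3Com-rsa-key-code]" and spaces
    der = bytes.fromhex(hex_digits)                     # ValueError on stray characters
    body, end = _tlv(der, 0, 0x30)                      # SEQUENCE
    if end != len(der):
        raise ValueError("extra data after the key")
    modulus, pos = _tlv(body, 0, 0x02)                  # INTEGER n
    exponent, pos = _tlv(body, pos, 0x02)               # INTEGER e
    if pos != len(body):
        raise ValueError("extra data inside the key")
    # Read both integers as unsigned: the key code omits the leading 00 byte.
    return der, int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def describe(text):
    """Summarise a key code for an out-of-band comparison between the two devices."""
    der, n, e = parse_key_code(text)
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "weak": n.bit_length() < MIN_BITS,
    }


def same_key(displayed, typed):
    """True when two renderings (different spacing, with or without prompts) are one key."""
    return parse_key_code(displayed)[0] == parse_key_code(typed)[0]


if __name__ == "__main__":
    for label, key in (("client key", KEY_512), ("server key", KEY_1024)):
        print(label, describe(key))
```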

2 Import the RSA public key
■ When a switch acts as the SSH server, use the SSH client software to generate an RSA key pair, and then upload the RSA public key file to the SSH server through FTP or TFTP.
■ On the SSH server, import the public key from the public key file through commands.
3 Precautions
When some SSH client software like PuTTY is used to generate an RSA key pair, you can either manually configure the public key for the SSH server or import the public key to the SSH server.

Configuration Commands

Common configuration
Table 14 Common configuration

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter the view of one or multiple user interfaces
Command: user-interface [ type-keyword ] number [ ending-number ]
Remarks: -

Operation: Configure the authentication mode as scheme
Command: authentication-mode scheme [ command-authorization ]
Remarks: Required. By default, the user interface authentication mode is password.

Operation: Specify the supported protocol(s)
Command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both Telnet and SSH are supported.

Operation: Return to the system view
Command: quit
Remarks: -

Operation: Create an RSA key pair
Command: rsa local-key-pair create
Remarks: Required. By default, no RSA key pair is created.

Operation: Destroy the RSA key pair
Command: rsa local-key-pair destroy
Remarks: Optional

Operation: Specify a service type for the SSH user
Command: ssh user username service-type { stelnet | sftp | all }
Remarks: Optional. stelnet by default

Operation: Set SSH authentication timeout time
Command: ssh server timeout seconds
Remarks: Optional. By default, the timeout time is 60 seconds.

Operation: Set SSH authentication retry times
Command: ssh server authentication-retries times
Remarks: Optional. By default, the number of retry times is 3.

Operation: Set RSA server key update interval
Command: ssh server rekey-interval hours
Remarks: Optional. By default, the system does not update RSA server keys.

Operation: Configure SSH server to be compatible with SSH1.x clients
Command: ssh server compatible-ssh1x enable
Remarks: Optional. By default, SSH server is compatible with SSH1.x clients.

Table 14 Common configuration (continued)

Operation: Specify a source IP address for the SSH server
Command: ssh-server source-ip ip-address
Remarks: Optional

Operation: Specify a source interface for the SSH server
Command: ssh-server source-interface interface-type interface-number
Remarks: Optional

Password authentication configuration
Table 15 Configure password authentication

Operation: Create an SSH user and specify an authentication type (specify the default authentication type for all SSH users)
Command: ssh authentication-type default password
Description: Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.

Operation: Create an SSH user and specify an authentication type (create an SSH user, and specify an authentication type for it)
Command: ssh user username authentication-type password
Description: See the previous row.

Note: For common configuration commands, refer to Table 14.

Configuring the client RSA public key manually
Table 16 Configure the client RSA public key manually

Operation: Create an SSH user and specify an authentication type (specify the default authentication type for all SSH users)
Command: ssh authentication-type default rsa
Description: Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.

Operation: Create an SSH user and specify an authentication type (create an SSH user, and specify an authentication type for it)
Command: ssh user username authentication-type rsa
Description: See the previous row.

Operation: Enter public key view
Command: rsa peer-public-key keyname
Description: -

Operation: Enter public key edit view
Command: public-key-code begin
Description: -

Operation: Configure the client RSA public key
Command: Enter the content of the RSA public key
Description: Required. The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters.

Table 16 Configure the client RSA public key manually (continued)

Operation: Return from public key code view to public key view
Command: public-key-code end
Description: When you exit public key code view, the system automatically saves the public key.

Operation: Return from public key view to system view
Command: peer-public-key end
Description: -

Operation: Assign a public key to an SSH user
Command: ssh user username assign rsa-key keyname
Description: Required. If you issue this command multiple times, the last command overrides the previous ones.

Note: For general configuration commands, refer to Table 14.

Importing the client RSA public key
Table 17 Import the client RSA public key

Operation: Create an SSH user and specify an authentication type (specify the default authentication type for all SSH users)
Command: ssh authentication-type default rsa
Description: Use either command. By default, no SSH user is created and no authentication type is specified. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.

Operation: Create an SSH user and specify an authentication type (create an SSH user, and specify an authentication type for it)
Command: ssh user username authentication-type rsa
Description: See the previous row.

Operation: Import the client RSA public key from the specified public key file
Command: rsa peer-public-key keyname import sshkey filename
Description: Required

Operation: Assign a public key to an SSH user
Command: ssh user username assign rsa-key keyname
Description: Required. If you issue this command multiple times, the last command overrides the previous ones.

Note: For general configuration commands, refer to Table 14.

Configuring a 3Com Switch as an SSH Client
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
■ First-time authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can continue accessing the server, and will save the host public key on the client for use in subsequent authentications.
■ When first-time authentication is not supported, a client, if not configured with the server host public key, will be denied of access to the server. To access the server, a user must configure in advance the server host public key locally and specify the public key name for authentication.

Configuration Procedure
Table 18 Configure the switch as an SSH client
Role: SSH Client
Common configuration: Refer to “Common configuration” on page 67.
First-time authentication support, public key configuration and access to the SSH server:
■ Yes. Public key configuration: --. Establish a connection between the SSH client and the SSH server. Refer to “Enabling first-time authentication” on page 67.
■ No. Configure a public key manually: copy the server public key from the public key file to the SSH client. Specify the host public key of the SSH server to be connected. Establish a connection between the SSH client and the SSH server. Refer to “Disabling first-time authentication and manually configuring the server public key” on page 68.

As shown in Table 18, you need to configure the server public key to the client in the case that the SSH client does not support first-time authentication.
1 Manually configure the RSA public key
■ On the SSH server, use the display rsa local-key-pair public command to display the RSA public key.
■ Manually copy the public key to the SSH client. Thus, the SSH client has the same public key as the SSH server, and can authenticate the SSH server using the public key when establishing a connection with the SSH server.

Configuration Commands

Common configuration
Table 19 Common configuration

Operation: Enter system view
Command: system-view
Description: -

Operation: Specify a source IP address for the SSH client
Command: ssh2 source-ip ip-address
Description: Optional

Operation: Specify a source interface for the SSH client
Command: ssh2 source-interface interface-type interface-number
Description: Optional

Enabling first-time authentication
Table 20 Enable first-time authentication

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable first-time authentication
Command: ssh client first-time enable
Description: Optional. Enabled by default

Table 20 Enable first-time authentication (continued)

Operation: Establish a connection with the SSH server
Command: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
Description: Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.

Disabling first-time authentication and manually configuring the server public key
Table 21 Disable first-time authentication and manually configure the server public key

Operation: Enter system view
Command: system-view
Description: --

Operation: Disable first-time authentication
Command: undo ssh client first-time
Description: Required. Enabled by default

Operation: Enter public key view
Command: rsa peer-public-key keyname
Description: Required

Operation: Enter public key edit view
Command: public-key-code begin
Description: -

Operation: Configure server public key
Command: Enter the content of the public key
Description: When you input the key data, spaces are allowed between the characters you input (because the system can remove the spaces automatically); you can also press <Enter> to continue your input at the next line. But the key you input should be a hexadecimal digit string coded in the public key format.

Operation: Return to public key view from public key edit view
Command: public-key-code end
Description: When you exit public key code view, the system automatically saves the public key

Operation: Exit public key view and return to system view
Command: peer-public-key end
Description: -

Operation: Specify the host key name of the server
Command: ssh client { server-ip | server-name } assign rsa-key keyname
Description: Optional. Required when the SSH client does not support first-time authentication. You need to copy the server public key to the SSH client before performing this configuration.

Table 21 Disable first-time authentication and manually configure the server public key (continued)

Operation: Start the client to establish a connection with an SSH server
Command: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
Description: Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.

SSH Configuration Example

When the Switch Acts as the SSH Server and the Authentication Type is Password
Note: The Switch 5500 software version in this configuration example is Release 1510.

Network requirements
As shown in Figure 35, establish an SSH connection between the host (SSH Client) and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Password authentication is required.

Network diagram
Figure 35 Network diagram of SSH server configuration using password authentication (SSH client: 192.168.0.2/24; Switch: VLAN-interface 1, 192.168.0.1/24)

Configuration procedure
1 Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
# Create local client “client001”, and set the authentication password to “abc”, protocol type to SSH, and command privilege level to 3 for the client.
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit
# Specify the authentication method of user client001 as password.
[3Com] ssh user client001 authentication-type password
2 Configure the SSH client
# Configure an IP address (192.168.0.2 in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.
# Configure the SSH client software to establish a connection to the SSH server.
Take SSH client software “Putty” (version 0.58) as an example:
■ Run PuTTY.exe to enter the following configuration interface.
Figure 36 SSH client configuration interface

In the Host Name (or IP address) text box, enter the IP address of the SSH server.
■ From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 37 appears.
Figure 37 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
■ As shown in Figure 38, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user name “client001” and password “abc”. Once authentication succeeds, you will log onto the server.

Figure 38 SSH client interface

When the Switch Acts as an SSH Server and the Authentication Type is RSA

Network requirements
As shown in Figure 39, establish an SSH connection between the host (SSH client) and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client software. RSA authentication is required.

Network diagram
Figure 39 Network diagram of SSH server configuration (SSH client: 192.168.0.2/24; Switch: VLAN-interface 1, 192.168.0.1/24)

Configuration procedure
1 Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the client’s command privilege level to 3
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit
# Configure the authentication type of the SSH client named client 001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before performing the following steps, you must generate an RSA public key pair (using the client software) on the client, save the key pair in a file named public, and then upload the file to the SSH server through FTP or TFTP. For details, refer to “Configuring an SSH Client” on page 62.
# Import the client’s public key named “Switch001” from file “public”.
[3Com] rsa peer-public-key Switch001 import sshkey public
# Assign the public key “Switch001” to client “client001”.
[3Com] ssh user client001 assign rsa-key Switch001
2 Configure the SSH client
# Generate an RSA key pair, taking PuTTYGen as an example.
■ Run PuTTYGen.exe, choose SSH2(RSA) and click Generate.

Figure 40 Generate a client key pair (1)
Note: While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 40. Otherwise, the process bar stops moving and the key pair generating process is stopped.

Figure 41 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (“public” in this case).
Figure 42 Generate a client key pair (3)

Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private.ppk” in this case).
Figure 43 Generate a client key pair (4)
Note: After a public key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
# Establish a connection with the SSH server. The following takes the SSH client software Putty (version 0.58) as an example.
■ Launch PuTTY.exe to enter the following interface.
Figure 44 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server.

■ From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 45 appears.
Figure 45 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
■ Select Connection/SSH/Auth. The following window appears.

Figure 46 SSH client configuration interface (2)
Click Browse... to bring up the file selection window, navigate to the private key file and click OK.
■ From the window shown in Figure 46, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 47.

Figure 47 SSH client interface

When the Switch Acts as an SSH Client and the Authentication Type is Password

Network requirements
As shown in Figure 48, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server’s IP address is 10.165.87.136. Password authentication is required.

Network diagram
Figure 48 Network diagram of SSH client configuration when using password authentication (Switch B, SSH server: VLAN-interface1, 10.165.87.136/24; Switch A, SSH client: VLAN-interface1, 10.165.87.137/24)

Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.

[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
# Create local user “client001”, and set the authentication password to abc, the login protocol to SSH, and user command privilege level to 3.
[3Com] local-user client001
[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit
# Configure the authentication type of user client001 as password.
[3Com] ssh user client001 authentication-type password
2 Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Establish a connection to the server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server’s public key?(Y/N):n
Enter password:
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>

When the Switch Acts as an SSH Client and the Authentication Type is RSA

Network requirements
As shown in Figure 49, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136. RSA authentication is required.

Network diagram
Figure 49 Network diagram of SSH client configuration when using publickey authentication (Switch B, SSH server: VLAN-interface1, 10.165.87.136/24; Switch A, SSH client: VLAN-interface1, 10.165.87.137/24)

Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pair.
[3Com] rsa local-key-pair create
# Set the authentication mode for the user interfaces to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit
# Specify the authentication type of user client001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before proceeding with the following steps, you need to generate an RSA key pair on the client, and manually configure the RSA public key for the SSH server. For detailed information, refer to “Configuring an SSH Client” on page 62.
# Configure the public key of the SSH client on the SSH server, and specify the public key name as Switch001.
[3Com] rsa peer-public-key Switch001
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240

[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Assign the public key Switch001 to user client001.
[3Com] ssh user client001 assign rsa-key Switch001
2 Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate a RSA key pair
[3Com] rsa local-key-pair create
# Display the RSA public key on the client.
<3Com> display rsa local-key-pair public
=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>
Note: After generating an RSA key pair on the client, you need to configure the RSA public key for the SSH server and finish the SSH server configuration before continuing to configure the SSH client.
# Establish an SSH connection to the server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server’s public key?(Y/N):n
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>

When the Switch Acts as an SSH Client and First-time authentication is not Supported

Network requirements
As shown in Figure 50, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136. The RSA authentication mode is used to enhance security.

Network diagram
Figure 50 Network diagram of SSH client configuration (Switch B, SSH server: VLAN-interface 1, 10.165.87.136/24; Switch A, SSH client: VLAN-interface1, 10.165.87.137/24)

Configuration procedure
1 Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate RSA key pairs.
[3Com] rsa local-key-pair create
# Set AAA authentication on user interfaces.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[3Com-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[3Com-ui-vty0-4] user privilege level 3
[3Com-ui-vty0-4] quit

# Specify the authentication type for user client001 as RSA.
[3Com] ssh user client001 authentication-type rsa
Note: Before proceeding with the following steps, you need to generate an RSA key pair on the client, and manually configure the RSA public key for the SSH server. For detailed information, refer to “Configuring an SSH Client” on page 62.
# Configure the public key of the SSH client on the SSH server, and specify the public key name as Switch001
[3Com] rsa peer-public-key Switch001
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240
[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Assign public key Switch001 to user client001
[3Com] ssh user client001 assign rsa-key Switch001
Note: If first-time authentication is disabled on the device, it is necessary to configure on the SSH client the RSA public key of the SSH server.
# Display the RSA public key on the server.
[3Com] display rsa local-key-pair public
=====================================================
Time of Key pair created: 09:04:41 2000/04/04
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
C289B7DD 2BE0F7AD
0203
010001
<Omitted>

2 Configure Switch A

# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
# Generate a RSA key pair
[3Com] rsa local-key-pair create
# Export the generated RSA key pair to a file named Switch001.
<3Com> display rsa local-key-pair public
=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>
Note: After the SSH client generates an RSA key pair, it is necessary to configure the RSA public key for the SSH server and finish the SSH server configuration before continuing to configure the SSH client.
# Disable first-time authentication on the device.
[3Com] undo ssh client first-time
Note: If first-time authentication is disabled on the device, it is necessary to configure on the SSH client the RSA public key of the SSH server.
# Configure the public key of the SSH server on the SSH client, and specify the public key name as Switch002.
[3Com] rsa peer-public-key Switch002
RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 308188
[3Com-rsa-key-code] 028180
[3Com-rsa-key-code] C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
[3Com-rsa-key-code] FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
[3Com-rsa-key-code] E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
[3Com-rsa-key-code] 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
[3Com-rsa-key-code] 024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
[3Com-rsa-key-code] BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
[3Com-rsa-key-code] C289B7DD 2BE0F7AD

[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]
# Specify the host public key pair name of the server.
[3Com] ssh client 10.165.87.136 assign rsa-key Switch002
# Establish the SSH connection to server 10.165.87.136.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************
<3Com>
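With first-time authentication disabled, the session is only as trustworthy as the key code typed into `rsa peer-public-key`, so it is worth checking the transcription against the `display rsa local-key-pair public` output. The following is an added example, not part of the 3Com guide: it decodes the key code shown on this page as a DER-encoded RSA public key (modulus and exponent), compares the displayed and entered copies, and reports the key size. The function names, the mistyped sample, and the 2048-bit threshold are assumptions of this example.

```python
import hashlib
import re

# Key code exactly as this page shows it in "display rsa local-key-pair public".
DISPLAYED = """\
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
"""

# The same key as typed on the peer in key code view (prompts as on this page).
ENTERED = "\n".join("[3Com-rsa-key-code] " + l for l in DISPLAYED.splitlines())
ENTERED += "\n[3Com-rsa-key-code] public-key-code end\n"

# Constructed for this example: one transposed pair of hex digits.
MISTYPED = ENTERED.replace("D709CC63", "D709CC36")

MIN_BITS = 2048  # assumption of this example, not a value from the guide
PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")
TERMINATORS = ("public-key-code", "peer-public-key")


def key_code_bytes(text):
    """Strip CLI prompts and spacing and return the raw key code bytes."""
    digits = []
    for line in text.splitlines():
        line = PROMPT.sub("", line).strip()
        if not line or line.lower().startswith(TERMINATORS):
            continue
        if not re.fullmatch(r"[0-9A-Fa-f ]+", line):
            raise ValueError(f"not a key code line: {line!r}")
        digits.append(line.replace(" ", ""))
    return bytes.fromhex("".join(digits))


def _read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:end], end


def parse_rsa_public_key(der):
    """Decode SEQUENCE { INTEGER modulus, INTEGER exponent }."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after key")
    n_raw, pos = _read_tlv(body, 0, 0x02)
    e_raw, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected data inside key")
    # Read as unsigned: the key code on this page starts the modulus with C8
    # and no 00 pad byte, which a strict DER reader would treat as negative.
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def audit(displayed, entered, min_bits=MIN_BITS):
    """Compare the displayed key with the entered one and size the modulus."""
    shown = key_code_bytes(displayed)
    typed = key_code_bytes(entered)
    modulus, exponent = parse_rsa_public_key(shown)
    return {
        "bits": modulus.bit_length(),
        "exponent": exponent,
        "sha256": hashlib.sha256(shown).hexdigest(),
        "match": shown == typed,
        "weak": modulus.bit_length() < min_bits,
    }


if __name__ == "__main__":
    for name, entered in (("entered", ENTERED), ("mistyped", MISTYPED)):
        print(name, audit(DISPLAYED, entered))
```

Comparing the SHA-256 value over a second channel is shorter than reading the whole key code aloud.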

5 ROUTING OVERVIEW

Overview

Static Routing and Routing Protocols

Static routing
Static routing features zero overhead, simple configuration, and is applicable to simple and stable networks. But it requires human intervention when the network topology changes.

RIP
RIP is easy to configure and is insensitive to CPU and memory, so it is applicable to small and medium sized networks. However, it converges slowly and cannot eliminate route loops completely. In addition, periodic RIP updating multicasts or broadcasts consume many network resources.

OSPF
OSPF is complicated to configure and requires high-performance CPU and memory. OSPF converges fast and can eliminate route loops completely. It supports area partition and provides hierarchical route management. It is applicable to medium and large sized networks.

BGP
BGP runs between ASs. Although complicated to configure, BGP features high reliability, stability, and scalability, has flexible and powerful routing policies and eliminates route loops completely.

Routing Protocols Supported by the 3Com Stackable Switches

Table 22 Routing protocols supported by the 3Com stackable switches

Model\Routing Protocols   RIP   OSPF   BGP
Switch 4500               √     -      -
Switch 5500               √     √      -
Switch 5500Gs             √     √      √

Configuration Example

Note:
■ This configuration example uses the Switch 5500G.
■ For configuration precautions, see the configuration guide and command reference guide of the applicable switch.

Configuration Task List

Table 23 Configuration task List

Task: Static route configuration
Details: “Static Route Configuration” on page 88

Task: RIP configuration
Details: “RIP Configuration” on page 88

Task: OSPF configuration
Details: “OSPF Configuration” on page 93

Task: BGP configuration
Details: “BGP Configuration” on page 101

Static Route Configuration

Table 24 Configure a static route

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Configure a static route
Command: ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ detect-group group number ] [ description text ]
Remarks: Required. By default, the system can obtain the route to the subnet directly connected to the router.

RIP Configuration

Table 25 RIP configuration tasks

Configuration task: Configuring basic RIP functions: Enabling RIP
Remarks: Required
Related section: “Configuring Basic RIP Functions” on page 89

Configuration task: Configuring basic RIP functions: Setting the RIP operating status on an interface
Remarks: Optional
Related section: “Setting the RIP operating status on an interface” on page 90

Configuration task: Configuring basic RIP functions: Specifying a RIP version
Remarks: Optional
Related section: “Specifying the RIP version on an interface” on page 90

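Table 25 RIP configuration tasks (continued)

Configuration task: Configuring RIP route control: Setting the additional routing metrics of an interface
Remarks: Optional
Related section: “Setting the additional routing metrics of an interface” on page 90

Configuration task: Configuring RIP route control: Configuring RIP route summarization
Remarks: Optional
Related section: “Configuring RIP route summarization” on page 91

Configuration task: Configuring RIP route control: Disabling the receiving of host routes
Remarks: Optional
Related section: “Disabling the router from receiving host routes” on page 91

Configuration task: Configuring RIP route control: Configuring RIP to filter incoming/outgoing routes
Remarks: Optional
Related section: “Configuring RIP to filter incoming/outgoing routes” on page 91

Configuration task: Configuring RIP route control: Setting RIP preference
Remarks: Optional
Related section: “Setting RIP preference” on page 91

Configuration task: Configuring RIP route control: Enabling load sharing among interfaces
Remarks: Optional
Related section: “Enabling load sharing among RIP interfaces” on page 92

Configuration task: Configuring RIP route control: Configuring RIP to import routes from another protocol
Remarks: Optional
Related section: “Configuring RIP to redistribute routes from another protocol” on page 92

Configuration task: Adjusting and optimizing a RIP network: Configuring RIP timers
Remarks: Optional
Related section: “Configuring RIP timers” on page 92

Configuration task: Adjusting and optimizing a RIP network: Configuring split horizon
Remarks: Optional
Related section: “Configuring split horizon” on page 92

Configuration task: Adjusting and optimizing a RIP network: Configuring RIP-1 packet zero field check
Remarks: Optional
Related section: “Configuring RIP-1 packet zero field check” on page 92

Configuration task: Adjusting and optimizing a RIP network: Setting RIP-2 packet authentication mode
Remarks: Optional
Related section: “Setting RIP-2 packet authentication mode” on page 93

Configuration task: Adjusting and optimizing a RIP network: Configuring RIP to unicast packets
Remarks: Optional
Related section: “Configuring RIP to unicast RIP packets” on page 93

Configuring Basic RIP Functions

Table 26 Enable RIP on the interfaces attached to a specified network segment

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enable RIP and enter RIP view
Command: rip
Remarks: Required

Operation: Enable RIP on the specified interface
Command: network network-address
Remarks: Required. Disabled by default.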

Setting the RIP operating status on an interface

Table 27 Set the RIP operating status on an interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Enable the interface to receive RIP update packets
Command: rip input
Remarks: Optional. By default, all interfaces are allowed to send and receive RIP update packets.

Operation: Enable the interface to send RIP update packets
Command: rip output

Operation: Enable the interface to receive and send RIP update packets
Command: rip work

Specifying the RIP version on an interface

Table 28 Specify the RIP version on an interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Specify the version of the RIP running on the interface
Command: rip version { 1 | 2 [ broadcast | multicast ] }
Remarks: Optional. By default, the version of the RIP running on an interface is RIP-1.

Setting the additional routing metrics of an interface

Additional metric is the metric added to the original metrics of RIP routes on an interface. It does not directly change the metric value of a RIP route in the routing table of a router, but will be added to incoming or outgoing RIP routes on the interface.

Table 29 Set additional routing metric

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Set the additional routing metric to be added for incoming RIP routes on this interface
Command: rip metricin value
Remarks: Optional. By default, the additional routing metric added for incoming routes on an interface is 0.

Operation: Set the additional routing metric to be added for outgoing RIP routes on this interface
Command: rip metricout value
Remarks: Optional. By default, the additional routing metric added for outgoing routes on an interface is 1.

Configuring RIP route summarization

Table 30 Configure RIP route summarization

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Enable RIP-2 automatic route summarization
Command: summary
Remarks: Required. By default, RIP-2 automatic route summarization is enabled.

Disabling the router from receiving host routes

Table 31 Disable the router from receiving host routes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Disable the router from receiving host routes
Command: undo host-route
Remarks: Required. By default, the router receives host routes.

Configuring RIP to filter incoming/outgoing routes

Table 32 Configure RIP to filter incoming/outgoing routes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Configure RIP to filter incoming routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import
Command: filter-policy gateway ip-prefix-name import
Remarks: Required. By default, RIP does not filter any incoming route. The gateway keyword is used to filter the incoming routes advertised from a specified address.

Operation: Configure RIP to filter outgoing routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ] [ process-id ]
Command: filter-policy route-policy route-policy-name export
Remarks: Required. By default, RIP does not filter any outgoing route.

Setting RIP preference

Table 33 Set RIP preference

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Set the RIP preference
Command: preference value
Remarks: Required. The default RIP preference is 100.

Enabling load sharing among RIP interfaces

Table 34 Enable load sharing among RIP interfaces

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Enable load sharing among RIP interfaces
Command: traffic-share-across-interface
Remarks: Required. By default, load sharing among RIP interfaces is disabled.

Configuring RIP to redistribute routes from another protocol

Table 35 Configure RIP to import routes from another protocol

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Configure a default cost for an incoming route
Command: default cost value
Remarks: Optional. 1 by default.

Operation: Configure RIP to redistribute routes from another protocol
Command: import-route protocol [ process-id ] [ cost value | route-policy route-policy-name ]*
Remarks: Required. By default, RIP does not redistribute any route from other protocols.

Configuring RIP timers

Table 36 Configure RIP timers

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Set the RIP timers
Command: timers { update update-timer | timeout timeout-timer } *
Remarks: Required. By default, the Update timer is set to 30 seconds and the Timeout timer to 180 seconds.

Configuring split horizon

Table 37 Configure split horizon

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Enable split horizon
Command: rip split-horizon
Remarks: Required. Enabled by default.

Configuring RIP-1 packet zero field check

Table 38 Configure RIP-1 packet zero field check

Operation: Enter system view
Command: system-view
Remarks: -

Table 38 Configure RIP-1 packet zero field check (continued)

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Enable the check of the “must be zero” field in RIP-1 packets
Command: checkzero
Remarks: Required. Enabled by default.

Setting RIP-2 packet authentication mode

Table 39 Set RIP-2 packet authentication mode

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Set RIP-2 packet authentication mode
Command: rip authentication-mode { simple password | md5 { rfc2453 key-string | rfc2082 key-string key-id } }
Remarks: Required. If you specify to use MD5 authentication, you must specify one of the following MD5 authentication types:
■ rfc2453 (this type supports the packet format defined in RFC 2453)
■ rfc2082 (this type supports the packet format defined in RFC 2082)

Configuring RIP to unicast RIP packets

Table 40 Configure RIP to unicast RIP packets

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter RIP view
Command: rip
Remarks: -

Operation: Configure RIP to unicast RIP packets
Command: peer ip-address
Remarks: Required. When RIP runs on the link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets.

OSPF Configuration

Table 41 OSPF configuration tasks

Configuration task: Basic OSPF configuration
Remarks: Required
Related section: “Basic OSPF configuration” on page 95

Configuration task: OSPF area attribute configuration
Remarks: Optional
Related section: “Configuring OSPF Area Attributes” on page 95

Table 41 OSPF configuration tasks (continued)

Configuration task: OSPF network type configuration: Configuring the network type of an OSPF interface
Remarks: Optional
Related section: “Configuring the Network Type of an OSPF Interface” on page 96

Configuration task: OSPF network type configuration: Configuring an NBMA/P2MP neighbor
Remarks: Optional
Related section: “Configuring an NBMA/P2MP Neighbor” on page 96

Configuration task: OSPF network type configuration: Configuring the DR priority on an OSPF interface
Remarks: Optional
Related section: “Configuring the DR Priority on an OSPF Interface” on page 97

Configuration task: OSPF route control: Configuring OSPF route summarization
Remarks: Optional
Related section: “Configuring OSPF Route Summarization” on page 97

Configuration task: OSPF route control: Configuring OSPF to filter received routes
Remarks: Optional
Related section: “Configuring OSPF to Filter Received Routes” on page 97

Configuration task: OSPF route control: Configuring OSPF interface cost
Remarks: Optional
Related section: “Configuring the OSPF Cost on an Interface” on page 98

Configuration task: OSPF route control: Configuring OSPF route priority
Remarks: Optional
Related section: “Configuring OSPF Route Priority” on page 98

Configuration task: OSPF route control: Configuring the maximum number of OSPF ECMP routes
Remarks: Optional
Related section: “Configuring the Maximum Number of OSPF ECMP Routes” on page 98

Configuration task: OSPF route control: Configuring OSPF to redistribute external routes
Remarks: Optional
Related section: “Configuring OSPF to Redistribute External Routes” on page 98

Table 41 OSPF configuration tasks (continued)

Configuration task: OSPF network adjustment and optimization: Configuring OSPF timers
Remarks: Optional
Related section: “Configuring OSPF Timers” on page 99

Configuration task: OSPF network adjustment and optimization: Configuring the LSA transmission delay
Remarks: Optional
Related section: “Configure the LSA transmission delay” on page 99

Configuration task: OSPF network adjustment and optimization: Configuring the SPF calculation interval
Remarks: Optional
Related section: “Configuring the SPF Calculation Interval” on page 100

Configuration task: OSPF network adjustment and optimization: Disabling OSPF packet transmission on an interface
Remarks: Optional
Related section: “Disabling OSPF Packet Transmission on an Interface” on page 100

Configuration task: OSPF network adjustment and optimization: Configuring OSPF authentication
Remarks: Optional
Related section: “Configuring OSPF Authentication” on page 100

Configuration task: OSPF network adjustment and optimization: Configuring the MTU field in DD packets
Remarks: Optional
Related section: “Configuring the MTU Field in DD Packets” on page 101

Configuration task: OSPF network adjustment and optimization: Enabling OSPF logging of neighbor state changes
Remarks: Optional
Related section: “Enabling OSPF Logging of Neighbor State Changes” on page 101

Configuration task: OSPF network adjustment and optimization: Configuring OSPF network management
Remarks: Optional
Related section: “Configuring OSPF Network Management” on page 101

Basic OSPF configuration

Table 42 Basic OSPF configuration

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Configure the router ID
Command: router id router-id
Remarks: Optional. If multiple OSPF processes run on a router, you are recommended to use the router-id keyword in the ospf command to specify different router IDs for different processes.

Operation: Enable OSPF and enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: Required. Enter OSPF view.

Operation: Enter OSPF area view
Command: area area-id
Remarks: -

Operation: Configure the network segments in the area
Command: network ip-address wildcard-mask
Remarks: Required. By default, an interface does not belong to any area.

Configuring OSPF Area Attributes

Table 43 Configure OSPF area attributes

Operation: Enter system view
Command: system-view
Remarks: -

Table 43 Configure OSPF area attributes (continued)

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Enter OSPF area view
Command: area area-id
Remarks: -

Operation: Configure the current area to be a stub area
Command: stub [ no-summary ]
Remarks: Optional. By default, no area is configured as a stub area.

Operation: Configure the current area to be an NSSA area
Command: nssa [ default-route-advertise | no-import-route | no-summary ] *
Remarks: Optional. By default, no area is configured as an NSSA area.

Operation: Configure the cost of the default route transmitted by OSPF to a stub or NSSA area
Command: default-cost cost
Remarks: Optional. This can be configured on an ABR only. By default, the cost of the default route to a stub or NSSA area is 1.

Operation: Create and configure a virtual link
Command: vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ] *
Remarks: Optional. For a virtual link to take effect, you need to use this command at both ends of the virtual link and ensure consistent configurations of the hello, dead, and other parameters at both ends.

Configuring the Network Type of an OSPF Interface

Table 44 Configure the network type of an OSPF interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Configure the network type of the OSPF interface
Command: ospf network-type { broadcast | nbma | p2mp [ unicast ] | p2p }
Remarks: Optional. By default, the network type of an interface depends on the physical interface.

Configuring an NBMA/P2MP Neighbor

Table 45 Configure NBMA/P2MP neighbor

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: Required

Operation: Configure an NBMA/P2MP neighbor
Command: peer ip-address [ dr-priority dr-priority ]
Remarks: Required. By default, the priority for the neighbor of an NBMA interface is 1.

Configuring the DR Priority on an OSPF Interface

Table 46 Configure the DR priority on an OSPF interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Configure the DR priority on the OSPF interface
Command: ospf dr-priority priority
Remarks: Optional. The default DR priority is 1.

Configuring OSPF Route Summarization

Table 47 Configure ABR route summarization

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Enter area view
Command: area area-id
Remarks: -

Operation: Enable ABR route summarization
Command: abr-summary ip-address mask [ advertise | not-advertise ]
Remarks: Required. This command takes effect only when it is configured on an ABR. By default, this function is disabled on an ABR.

Table 48 Configure ASBR route summarization

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Enable ASBR route summarization
Command: asbr-summary ip-address mask [ not-advertise | tag value ]
Remarks: Required. This command takes effect only when it is configured on an ASBR. By default, summarization of imported routes is disabled.

Configuring OSPF to Filter Received Routes

Table 49 Configure OSPF to filter received routes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Configure to filter the received routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import
Remarks: Required. By default, OSPF does not filter received routing information.

Configuring the OSPF Cost on an Interface

Table 50 Configure the OSPF cost on an interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Configure the OSPF cost on the interface
Command: ospf cost value
Remarks: Optional. By default, the interface calculates the OSPF cost according to the current baud rate on it. For a VLAN interface on the switch, a fixed value of 10 is used.

Configuring OSPF Route Priority

Table 51 Configure OSPF route priority

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Configure OSPF route priority
Command: preference [ ase ] value
Remarks: Optional. By default, the OSPF route priority is 10 and the priority of OSPF ASE is 150.

Configuring the Maximum Number of OSPF ECMP Routes

Table 52 Configure the maximum number of OSPF ECMP routes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Configure the maximum number of OSPF ECMP routes
Command: multi-path-number value
Remarks: Optional. 3 by default.

Configuring OSPF to Redistribute External Routes

Table 53 Configure OSPF to redistribute external routes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Configure OSPF to redistribute routes from another protocol
Command: import-route protocol [ process-id ] [ cost value | type value | tag value | route-policy route-policy-name ] *
Remarks: Required. By default, OSPF does not import the routing information of other protocols.

Operation: Configure OSPF to filter outgoing routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol ]
Remarks: Optional. By default, OSPF does not filter advertised routes.

Table 53 Configure OSPF to redistribute external routes (continued)

Operation: Enable OSPF to import the default route
Command: default-route-advertise [ always | cost value | type type-value | route-policy route-policy-name ]*
Remarks: Optional. By default, OSPF does not import the default route.

Operation: Configure the default parameters for redistributed routes, including cost, interval, limit, tag, and type
Command: default { cost value | interval seconds | limit routes | tag tag | type type } *
Remarks: Optional. These parameters respectively default to:
■ Cost: 1
■ Interval: 1 (second)
■ Limit: 1000
■ Tag: 1
■ Type: 2

Configuring OSPF Timers

Table 54 Configure OSPF timers

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Configure the hello interval on the interface
Command: ospf timer hello seconds
Remarks: Optional. By default, p2p and broadcast interfaces send Hello packets every 10 seconds, while p2mp and NBMA interfaces send Hello packets every 30 seconds.

Operation: Configure the poll interval on the NBMA interface
Command: ospf timer poll seconds
Remarks: Optional. By default, poll packets are sent every 40 seconds.

Operation: Configure the dead time of the neighboring router on the interface
Command: ospf timer dead seconds
Remarks: Optional. By default, the dead time for the OSPF neighboring router on a p2p or broadcast interface is 40 seconds and that for the OSPF neighboring router on a p2mp or NBMA interface is 120 seconds.

Operation: Configure the interval for retransmitting an LSA on an interface
Command: ospf timer retransmit interval
Remarks: Optional. By default, this interval is five seconds.

Configure the LSA transmission delay

Table 55 Configure the LSA transmission delay

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Table 55 Configure the LSA transmission delay (continued)

Operation: Configure the LSA transmission delay
Command: ospf trans-delay seconds
Remarks: Optional. By default, the LSA transmission delay is one second.

Configuring the SPF Calculation Interval

Table 56 Configure the SPF calculation interval

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Configure the SPF calculation interval
Command: spf-schedule-interval interval
Remarks: Optional. By default, the SPF calculation interval is five seconds.

Disabling OSPF Packet Transmission on an Interface

Table 57 Disable OSPF packet transmission on an interface

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Disable OSPF packet transmission on a specified interface
Command: silent-interface silent-interface-type silent-interface-number
Remarks: Optional. By default, all the interfaces are allowed to transmit OSPF packets.

Configuring OSPF Authentication

Table 58 Configure OSPF authentication

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Enter OSPF area view
Command: area area-id
Remarks: -

Operation: Configure the authentication mode of the OSPF area
Command: authentication-mode { simple | md5 }
Remarks: Required. By default, no authentication mode is configured for an area.

Operation: Return to OSPF view
Command: quit
Remarks: -

Operation: Return to system view
Command: quit
Remarks: -

Operation: Enter interface view
Command: interface interface-type interface-number
Remarks: -

Operation: Configure the authentication mode of the OSPF interface
Command: ospf authentication-mode { simple password | md5 key-id key }
Remarks: Optional. By default, OSPF packets are not authenticated on an interface.

Configuring the MTU Field in DD Packets

Table 59 Configure to fill the MTU field when an interface transmits DD packets

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter Ethernet interface view
Command: interface interface-type interface-number
Remarks: Required

Operation: Enable the interface to fill in the MTU field when transmitting DD packets
Command: ospf mtu-enable
Remarks: Optional. By default, the MTU value is 0 when an interface transmits DD packets. That is, the actual MTU value of the interface is not filled in.

Enabling OSPF Logging of Neighbor State Changes

Table 60 Enable OSPF logging of neighbor state changes

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Enter OSPF view
Command: ospf [ process-id [ router-id router-id ] ]
Remarks: -

Operation: Enable the OSPF logging of neighbor state changes
Command: log-peer-change
Remarks: Required. Disabled by default.

Configuring OSPF Network Management

Table 61 Configure OSPF network management (NM)

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Configure OSPF MIB binding
Command: ospf mib-binding process-id
Remarks: Optional. By default, OSPF MIB is bound to the first enabled OSPF process.

Operation: Enable OSPF Trap sending
Command: snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifauthfail | vifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ]*
Remarks: Optional. You can configure OSPF to send diversified SNMP TRAP messages and specify a certain OSPF process to send SNMP TRAP messages by process ID.

BGP Configuration

Table 62 BGP configuration tasks

Configuration task: Configuring Basic BGP Functions
Remarks: Required
Related section: “Configuring Basic BGP Functions” on page 102

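Table 62 BGP configuration tasks (continued)

Configuration task: Configuring the way to advertise/receive routing information: Importing routes
Remarks: Optional
Related section: “Importing Routes” on page 103

Configuration task: Configuring the way to advertise/receive routing information: Configuring route aggregation
Remarks: Optional
Related section: “Configuring BGP Route Aggregation” on page 103

Configuration task: Configuring the way to advertise/receive routing information: Enabling Default Route Advertising
Remarks: Optional
Related section: “Enabling Default Route Advertising” on page 104

Configuration task: Configuring the way to advertise/receive routing information: Configuring route reception filtering policies
Remarks: Optional
Related section: “Configuring route reception filtering policies” on page 104

Configuration task: Configuring the way to advertise/receive routing information: Configure route advertisement filtering policies
Remarks: Optional
Related section: “Configure route advertisement filtering policies” on page 105

Configuration task: Configuring the way to advertise/receive routing information: Disable BGP-IGP Route Synchronization
Remarks: Optional
Related section: “Disable BGP-IGP Route Synchronization” on page 105

Configuration task: Configuring the way to advertise/receive routing information: Configuring BGP Route Dampening
Remarks: Optional
Related section: “Configuring BGP Route Dampening” on page 106

Configuration task: Configuring BGP route attributes
Remarks: Optional
Related section: “Configuring BGP Route Attributes” on page 106

Configuration task: Adjusting and optimizing a BGP network
Remarks: Optional
Related section: “Adjusting and Optimizing a BGP Network” on page 107

Configuration task: Configure a large-scale BGP network: Configuring BGP Peer Group
Remarks: Required
Related section: “Configuring BGP Peer Group” on page 108

Configuration task: Configure a large-scale BGP network: Configuring BGP Community
Remarks: Required
Related section: “Configuring BGP Community” on page 109

Configuration task: Configure a large-scale BGP network: Configuring BGP RR
Remarks: Optional
Related section: “Configuring BGP Route Reflector (RR)” on page 109

Configuration task: Configure a large-scale BGP network: Configuring BGP Confederation
Remarks: Optional
Related section: “Configuring BGP Confederation” on page 110

Configuring Basic BGP Functions

Table 63 Configure basic BGP functions

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable BGP and enter BGP view
Command: bgp as-number
Description: Required. By default, BGP is disabled.

Operation: Specify the AS number for the BGP peers
Command: peer group-name as-number as-number
Description: By default, a peer is not assigned an AS number.

Operation: Assign a description string for a BGP peer/a BGP peer group
Command: peer { group-name | ip-address } description description-text
Description: Optional. By default, a peer/a peer group is not assigned a description string.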

Table 63 Configure basic BGP functions (continued)

Operation: Activate a specified BGP peer
Command: peer { group-name | ip-address } enable
Description: Optional. By default, a BGP peer is active.

Operation: Enable BGP logging
Command: log-peer-change
Description: Optional. By default, BGP logging is enabled.

Operation: Allow routers that belong to non-directly connected networks to establish EBGP connections
Command: peer group-name ebgp-max-hop [ hop-count ]
Description: Optional. By default, routers that belong to two non-directly connected networks cannot establish EBGP connections. You can configure the maximum hops of EBGP connection by specifying the hop-count argument.

Operation: Specify the source interface for route update packets
Command: peer { group-name | ip-address } connect-interface interface-type interface-number
Description: Optional. By default, the source interface of the optimal route update packets is used as the source interface.

Importing Routes

Table 64 Import routes

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable BGP, and enter BGP view
Command: bgp as-number
Description: -

Operation: Import the default route to the BGP routing table
Command: default-route imported
Description: Optional. By default, BGP does not import default routes to the BGP routing table.

Operation: Import and advertise routing information generated by other protocols
Command: import-route protocol [ process-id ] [ med med-value | route-policy route-policy-name ]*
Description: Optional. By default, BGP does not import nor advertise the routing information generated by other protocols.

Operation: Advertise network segment routes to BGP routing table
Command: network network-address [ mask ] [route-policy route-policy-name ]
Description: Required. By default, BGP does not advertise any network segment routes.

Configuring BGP Route Aggregation

Table 65 Configure BGP route aggregation

Operation: Enter system view
Command: system-view
Description: -

Operation: Enable BGP, and enter BGP view
Command: bgp as-number
Description: Required. By default, BGP is disabled.

Table 65 Configure BGP route aggregation (continued)

Operation: Configure BGP route aggregation
  Enable automatic route aggregation: summary
  Enable manual route aggregation: aggregate ip-address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*
Description: Required. By default, routes are not aggregated.

Enabling Default Route Advertising

Table 66 Enable default route advertising

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Enable default route advertising
Command: peer group-name default-route-advertise [ route-policy route-policy-name ]
Description: Required. By default, a BGP router does not send default routes to a specified peer/peer group.

Configuring route reception filtering policies

Table 67 Configure route reception filtering policies

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure the global route reception filtering policy
Command: filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import
Description: Required. By default, the incoming routing information is not filtered.

Operation: Reference a routing policy to filter routes from a peer/peer group
Command: peer { group-name | ip-address } route-policy policy-name import
Description: Required. By default, no route filtering policy is specified for a peer/peer group.

Table 67 Configure route reception filtering policies (continued)

Operation: Filter the routing information from a peer/peer group
  Reference an ACL to filter BGP routes from a peer/peer group: peer { group-name | ip-address } filter-policy acl-number import
  Reference an AS path ACL to filter routes from a peer/peer group: peer { group-name | ip-address } as-path-acl acl-number import
  Reference an IP prefix list to filter routes from a peer/peer group: peer { group-name | ip-address } ip-prefix ip-prefix-name import
Description: Required. By default, no ACL-based BGP route filtering policy, AS path ACL-based BGP route filtering policy, or IP prefix list-based BGP route filtering policy is configured for a peer/peer group.

Configure route advertisement filtering policies

Table 68 Configure route advertisement filtering policies

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure the global route advertisement filtering policy
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
Description: Required. By default, advertised routes are not filtered.

Operation: Reference a routing policy to filter the routes to a peer group
Command: peer group-name route-policy route-policy-name export
Description: Required. By default, no route advertising policy is specified for the routes advertised to a peer group.

Operation: Filter the routing information to a peer group
  Reference an ACL to filter BGP routes to a peer group: peer group-name filter-policy acl-number export
  Reference an AS path ACL to filter BGP routes to a peer group: peer group-name as-path-acl acl-number export
  Reference an IP prefix list to filter BGP routes to a peer group: peer group-name ip-prefix ip-prefix-name export
Description: Required. Not configured by default.

Disable BGP-IGP Route Synchronization

Table 69 Disable BGP-IGP route synchronization

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Table 69 Disable BGP-IGP route synchronization (continued)

Operation: Disable BGP-IGP route synchronization
Command: undo synchronization
Description: Required. By default, BGP routes and IGP routes are not synchronized.

Configuring BGP Route Dampening

Table 70 Configure BGP route dampening

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure BGP route dampening-related parameters
Command: dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ]
Description: Required. By default, route dampening is disabled. Other default route dampening-related parameters are as follows.
  ■ half-life-reachable: 15 (in minutes)
  ■ half-life-unreachable: 15 (in minutes)
  ■ reuse: 750
  ■ suppress: 2000
  ■ ceiling: 16,000

Configuring BGP Route Attributes

Table 71 Configure BGP route attributes

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure the management preference of the exterior, interior and local routes
Command: preference ebgp-value ibgp-value local-value
Description: Optional. By default, the management preference of the exterior, interior and local routes is 256, 256, and 130.

Operation: Set the default local preference
Command: default local-preference value
Description: Optional. By default, the local preference defaults to 100.

Table 71 Configure BGP route attributes (continued)

Operation: Configure the MED attribute: Configure the default local MED value
Command: default med med-value
Description: Optional. By default, the med-value argument is 0.

Operation: Configure the MED attribute: Permit to compare the MED values of the routes coming from the neighbor routers in different ASs.
Command: compare-different-as-med
Description: Optional. By default, the compare of MED values of the routes coming from the neighbor routers in different ASs is disabled.

Operation: Configure the local address as the next hop address when a BGP router advertises a route.
Command: peer group-name next-hop-local
Description: Required. In some network, to ensure an IBGP neighbor locates the correct next hop, you can configure the next hop address of a route to be the local address for a BGP router to advertise route information to IBGP peer groups.

Operation: Configure the AS_Path attribute: Configure the number of local AS number occurrences allowed
Command: peer { group-name | ip-address } allow-as-loop [ number ]
Description: Optional. By default, the number of local AS number occurrences allowed is 1.

Operation: Configure the AS_Path attribute: Assign an AS number for a peer group
Command: peer group-name as-number as-number
Description: Optional. By default, the local AS number is not assigned to a peer group.

Operation: Configure the AS_Path attribute: Configure that the BGP update packets only carry the public AS number in the AS_Path attribute when a peer sends BGP update packets to BGP peers.
Command: peer group-name public-as-only
Description: Optional. By default, a BGP update packet carries the private AS number.

Adjusting and Optimizing a BGP Network

Table 72 Adjust and optimize a BGP network

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Table 72 Adjust and optimize a BGP network (continued)

Operation: Configure BGP timer
  Configure the Keepalive time and Holdtime of BGP: timer keepalive keepalive-interval hold holdtime-interval
  Configure the Keepalive time and holdtime of a specified peer/peer group: peer { group-name | ip-address } timer keepalive keepalive-interval hold holdtime-interval
Description: Optional. By default, the keepalive time is 60 seconds, and holdtime is 180 seconds. The priority of the timer configured by the timer command is lower than that of the timer configured by the peer timer command.

Operation: Configure the interval at which a peer group sends the same route update packet
Command: peer group-name route-update-interval seconds
Description: Optional. By default, the interval at which a peer group sends the same route update packet to IBGP peers is 15 seconds, and to EBGP peers is 30 seconds.

Operation: Configure the number of route prefixes that can be learned from a BGP peer/peer group
Command: peer { group-name | ip-address } route-limit prefix-number [ { alert-only | reconnect reconnect-time } | percentage-value ] *
Description: Optional. By default, there is no limit on the number of route prefixes that can be learned from the BGP peer/peer group.

Operation: Perform soft refreshment of BGP connection manually
Command: return
         refresh bgp { all | ip-address | group group-name } [ multicast ] { import | export }
Description: Optional

Operation: Enter BGP view again
Command: system-view
         bgp as-number
Description: -

Operation: Configure BGP to perform MD5 authentication when establishing TCP connection
Command: peer { group-name | ip-address } password { cipher | simple } password
Description: Optional. By default, BGP does not perform MD5 authentication when establishing TCP connection.

Configuring BGP Peer Group

Table 73 Configure BGP peer group

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Create an IBGP peer group
  Create an IBGP peer group: group group-name [ internal ]
  Add a peer to a peer group: peer ip-address group group-name [ as-number as-number ]
Description: Optional. If the command is executed without the internal or external keyword, an IBGP peer group will be created. You can add multiple peers to the group, and the system will automatically create a peer in BGP view, and configure its AS number as the local AS number.

Table 73 Configure BGP peer group (continued)

Operation: Create an EBGP peer group
  Create an EBGP peer group: group group-name external
  Configure the AS number of a peer group: peer group-name as-number as-number
  Add a peer to a peer group: peer ip-address group group-name [ as-number as-number ]
Description: Optional. You can add multiple peers to the group. The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group.

Operation: Create a hybrid EBGP peer group
  Create an EBGP peer group: group group-name external
  Add a peer to a peer group: peer ip-address group group-name [ as-number as-number ]
Description: Optional. You can add multiple peers to the peer group.

Operation: Finish the session with the specified peer/peer group
Command: peer { group-name | ip-address } shutdown
Description: Optional

Configuring BGP Community

Table 74 Configure BGP community

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure the peers to advertise community attribute to each other
Command: peer group-name advertise-community
Description: Required. By default, no community attribute or extended community attribute is advertised to any peer group.

Operation: Specify routing policy for the routes exported to the peer group
Command: peer group-name route-policy route-policy-name export
Description: Required. By default, no routing policy is specified for the routes exported to the peer group.

Configuring BGP Route Reflector (RR)

Table 75 Configure BGP RR

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Configure the local router as the RR and configure the peer group as the client of the RR
Command: peer group-name reflect-client
Description: Required. By default, no RR or its client is configured.

Operation: Enable route reflection between clients
Command: reflect between-clients
Description: Optional. By default, route reflection is enabled between clients.

Operation: Configure cluster ID of an RR
Command: reflector cluster-id cluster-id
Description: Optional. By default, an RR uses its own router ID as the cluster ID.
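The peer-level protections listed in Tables 67 and 72 (MD5 authentication, a route-limit, an import filter) are all off by default, so a saved configuration is worth checking peer by peer. The script below is an added example, not 3Com code: the sample configuration, its group names, key and prefix-list name are constructed, and it assumes that a peer inherits whatever is configured on its peer group.

```python
import re

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Per-peer import filters from Table 67 of this guide.
IMPORT_FILTERS = {"route-policy", "filter-policy", "as-path-acl", "ip-prefix"}

# Constructed sample in the style of the guide's BGP examples (not a real device).
SAMPLE_CONFIG = """\
bgp 1003
 group ebgp200 external
 peer ebgp200 password cipher EXAMPLE-KEY
 peer ebgp200 ip-prefix customer-in import
 peer ebgp200 route-limit 1000
 peer 156.10.1.2 group ebgp200 as-number 200
 group transit external
 peer transit password simple EXAMPLE-KEY
 peer 192.0.2.9 group transit as-number 65010
 group ibgp1003 internal
 peer 172.68.1.2 group ibgp1003
"""


def classify(args):
    """Map the words after 'peer <target>' to the protection they configure."""
    if args[0] == "password" and len(args) >= 3:
        return {"auth:" + args[1]}            # args[1] is 'cipher' or 'simple'
    if args[0] == "route-limit":
        return {"limit"}
    if args[0] in IMPORT_FILTERS and args[-1] == "import":
        return {"in-filter"}
    return set()


def parse_bgp_view(text):
    """Collect peer groups and peers from BGP view commands."""
    groups, peers = {}, {}
    for raw in text.splitlines():
        # Accept saved-config lines and lines pasted with a "[SwitchC-bgp]" prompt.
        words = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip()).split()
        if len(words) >= 2 and words[0] == "group":
            # Table 73: without a keyword an IBGP (internal) group is created.
            kind = words[2] if len(words) > 2 else "internal"
            groups.setdefault(words[1], {"settings": set()})["type"] = kind
        elif len(words) >= 3 and words[0] == "peer":
            target, args = words[1], words[2:]
            if IP_RE.match(target):
                peer = peers.setdefault(target, {"group": None, "settings": set()})
                if args[0] == "group" and len(args) >= 2:
                    peer["group"] = args[1]
                else:
                    peer["settings"] |= classify(args)
            else:
                group = groups.setdefault(target, {"type": "internal", "settings": set()})
                group["settings"] |= classify(args)
    return groups, peers


def audit(text):
    """Return {peer address: [findings]}; an empty list means nothing to report."""
    groups, peers = parse_bgp_view(text)
    report = {}
    for ip, peer in peers.items():
        # Assumption: a peer with no known group is treated as internal.
        group = groups.get(peer["group"], {"type": "internal", "settings": set()})
        effective = peer["settings"] | group["settings"]
        findings = []
        if "auth:cipher" not in effective and "auth:simple" not in effective:
            findings.append("no MD5 authentication")
        elif "auth:simple" in effective:
            # 'simple' leaves the key readable in the configuration file.
            findings.append("password entered with 'simple'")
        if group["type"] == "external":
            if "limit" not in effective:
                findings.append("no route-limit")
            if "in-filter" not in effective:
                findings.append("no import filter")
        report[ip] = findings
    return report


if __name__ == "__main__":
    for address, findings in audit(SAMPLE_CONFIG).items():
        print(address, "->", "; ".join(findings) or "ok")
```

Route-limit and import-filter findings are raised only for peers in external groups; the authentication check applies to every peer.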

Configuring BGP Confederation

Table 76 Configure BGP confederation

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter BGP view
Command: bgp as-number
Description: -

Operation: Basic BGP confederation configuration
  Configure confederation ID: confederation id as-number
  Specify the sub-ASs included in a confederation: confederation peer-as as-number-list
Description: Required. By default, no confederation ID is configured and no sub-AS is configured for a confederation.

Operation: Configure the compatibility of a confederation
Command: confederation nonstandard
Description: Optional. By default, the confederation configured is consistent with the RFC 1965.

Route Policy Configuration

Table 77 Route Policy Configuration

Configuration task                   Remarks   Related section
Configure an IP-prefix list
  Configuring an ip-prefix list      Optional  “Configuring an ip-prefix list” on page 110
  AS path list configuration         Optional  “AS path list configuration” on page 111
  Community list configuration       Optional  “Community list configuration” on page 111
Define a routing policy
  Defining a Routing Policy          Required  “Defining a Routing Policy” on page 111
  Define if-match clauses            Optional  “Define if-match clauses” on page 111
  Define apply clauses               Optional  “Define apply clauses” on page 112

Configuring an ip-prefix list

Table 78 Configure an IPv4 IP-prefix list

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Configure an IPv4 IP-prefix list
Command: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal | less-equal less-equal ]
Remarks: Required. By default, no IP-prefix list is specified.

AS path list configuration

Table 79 AS path list configuration

Operation: Enter system view
Command: system-view
Description: -

Operation: Configure AS path list
Command: ip as-path-acl acl-number { permit | deny } as-regular-expression
Description: Optional. By default, no AS path list is defined.

Community list configuration

Table 80 Community list configuration

Operation: Enter system view
Command: system-view
Description: -

Operation: Configure basic community list
Command: ip community-list basic-comm-list-number { permit | deny } [ aa:nn | internet | no-export-subconfed | no-advertise | no-export ]*
Description: Optional. By default, no BGP community list is defined.

Operation: Configure advanced community list
Command: ip community-list adv-comm-list-number { permit | deny } comm-regular-expression
Description: Optional. By default, no BGP community list is defined.

Defining a Routing Policy

Table 81 Define a routing policy

Operation: Enter system view
Command: system-view
Remarks: -

Operation: Define a routing policy and enter the routing policy view
Command: route-policy route-policy-name { permit | deny } node node-number
Remarks: Required. By default, no routing policy is defined.

Define if-match clauses

Table 82 Define if-match clauses

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter the route-policy view
Command: route-policy route-policy-name { permit | deny } node node-number
Description: Required

Operation: Define a rule to match AS path of BGP routing information
Command: if-match as-path as-path-number
Description: Optional

Operation: Define a rule to match community attributes of BGP routing information
Command: if-match community { basic-community-number [ whole-match ] | adv-community-number }
Description: Optional

Operation: Define a rule to match the IP address of routing information
Command: if-match { acl acl-number | ip-prefix ip-prefix-name }
Description: Optional. By default, no matching is performed on the address of routing information.

Table 82 Define if-match clauses (continued)

Operation: Define a rule to match the routing cost of routing information
Command: if-match cost value
Description: Optional. By default, no matching is performed on the routing cost of routing information.

Operation: Define a rule to match the next-hop interface of routing information
Command: if-match interface interface-type interface-number
Description: Optional. By default, no matching is performed on the next-hop interface of routing information.

Operation: Define a rule to match the next-hop address of routing information
Command: if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
Description: Optional. By default, no matching is performed on the next-hop address of routing information.

Operation: Define a rule to match the tag field of OSPF routing information
Command: if-match tag value
Description: Optional. By default, no matching is performed on the tag field of OSPF routing information.

Define apply clauses

Table 83 Define apply clauses

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter the route-policy view
Command: route-policy route-policy-name { permit | deny } node node-number
Description: Required

Operation: Add specified AS number for as-path in BGP routing information
Command: apply as-path as-number-1 [ as-number-2 [ as-number-3 ... ] ]
Description: Optional

Operation: Configure community attributes for BGP routing information
Command: apply community { none | [ aa:nn ] [ no-export-subconfed | no-export | no-advertise ]* [ additive ] }
Description: Optional

Operation: Set next hop IP address for routing information
Command: apply ip next-hop ip-address
Description: Optional

Operation: Set local preference of BGP routing information
Command: apply local-preference local-preference
Description: Optional

Operation: Define an action to set the cost of routing information
Command: apply cost value
Description: Optional. By default, no action is defined to set the routing cost of routing information.

Operation: Set route cost type for routing information
Command: apply cost-type [ internal | external ]
Description: Optional

Operation: Set route source of BGP routing information
Command: apply origin { igp | egp as-number | incomplete }
Description: Optional

Operation: Define an action to set the tag field of routing information
Command: apply tag value
Description: Optional. By default, no action is defined to set the tag field of OSPF routing information.

2/24 1.0 1.0 1.1.5.1.2/24 1.2/24 1.255.1.255.0 1.Configuration Examples 113 Configuration Examples n Static Routing Configuration Example The following configuration examples use the Switch 5500Gs.2 # Configure static routes on Switch B.1.1. The customer hopes to make the best use of the existing devices that do not support dynamic routing protocols.1.2. configure static routes to realize network interconnection.1 .1.0 255.1.255.1. Network requirements 1 Requirement analysis: A small company requires any two nodes in its network communicate with each other.1.1 .4.2 /24 Host C Host B Configuration procedure Configure the switches: # Configure static routes on Switch A. Based on the customer requirements and networking environment.255.3.2/24 1.1.2.255. Figure 51 Network diagram for static route configuration Host A 1.0 1.1.3.2.1.0 255.1/24 Switch A Switch B 1.1/24 1 .255.2.2 ip route-static 1.1/24 Switch C 1 .5.2.5 .255.1.255.1.1 /24 1 .4.2 ip route-static 1.1 .1.2. 2 Network diagram Figure 51 shows the network diagram.4.3.1/24 1. <SwitchB> system-view [SwitchB] ip route-static 1.1.1. The network should be simple and stable.0 255. <SwitchA> [SwitchA] [SwitchA] [SwitchA] system-view ip route-static 1.0 255.3.

102. # Configure the default gateway as 1. 2 Network diagram Figure 52 shows the network diagram.0.4.3. RIP Configuration Examples Network requirements 1 Requirement analysis: A small company requires any two nodes in its network can communicate with each other.2 Configure the hosts: # Configure the default gateway as 1.2.1.1.1/16 Device Switch B Interface Vlan-int1 Vlan-int3 IP Address 110.1 [SwitchB] ip route-static 1.1.255.1 on host B (omitted).10.0 1.3/24 117.11.255.0 255.11. Based on the customer requirements and networking environment. <SwitchC> system-view [SwitchC] ip route-static 1.3.4.255.165.1.1 on host A (omitted).0 1. Figure 52 Network diagram for RIP configuration Vlan-int 2 Switch A Ethernet Vlan-int 1 Switch C Switch B Vlan-int 4 Vlan-int 3 Device Switch A Switch C Interface Vlan-int1 Vlan-int2 Vlan-int1 Vlan-int4 IP Address 110.1.1.2.1 on host C (omitted).1. # Configure the default gateway as 1.1.1/24 110.1.0 255.1. use RIP to realize network interconnection.1.1.1/24 .1.3. Now any two hosts or switches can communicate with each other.1 [SwitchC] ip route-static 1.114 CHAPTER 5: ROUTING OVERVIEW [SwitchB] ip route-static 1.255.0 1.1.0 1.0 255.255. The devices can dynamically adjust to network topology changes.255.2.11.5.5.2/24 196.1/24 155.1.38.255.1 # Configure static routes on Switch C.2.255.0 255.

1 Configure Switch A. Before performing the following configurations.10. assign proper priorities to interfaces.102.0 [SwitchC-rip] network 110.int1 Vlan-int1 BDR Switch B Switch C .0. Based on the customer requirements and networking environment.2.2.0 2 Configure Switch B.1. Figure 53 Network diagram for OSPF DR selection Switch A DR Vlan.0 3 Configure Switch C. <Switch> system-view [SwitchB] rip [SwitchB-rip] network 196.11.int1 Vlan -int1 Switch D Vlan.2.11. Devices with lower performance are forbidden to take part in DB/BDR election. Devices with higher performance should become the DR and BDR to improve network performance.165.Configuration Examples 115 Configuration procedure n Only RIP-related configurations are described below. # Configure RIP. make sure that the data link layer works normally and the IP addresses of the VLAN interfaces have been configured. <SwitchA> system-view [SwitchA] rip [SwitchA-rip] network 110.11. # Configure RIP. 2 Network diagram Figure 53 shows the network diagram.0 OSPF DR Configuration Example Network requirements 1 Requirement analysis Use OSPF to realize interconnection between devices in a broadcast network. <Switch> system-view [SwitchC] rip [SwitchC-rip] network 117.38. # Configure RIP.0 [SwitchB-rip] network 110.0 [SwitchA-rip] network 155.

3 255.3.255.2/24 196.255.0.0.0] network 196.1.0 [SwitchD-Vlan-interface1] quit [SwitchD] router id 4.0.4/24 Router ID 1.0.1.1.1.2 [SwitchB] ospf [SwitchB-ospf-1] area 0 [SwitchB-ospf-1-area-0.0 0.0 0.2 255.255 # Configure Switch C.0] network 196.3.1.255.1.1.3.1.1.1.4.0.0 [SwitchA-Vlan-interface1] ospf dr-priority 100 [SwitchA-Vlan-interface1] quit [SwitchA] router id 1.255 # Configure Switch D.3. <SwitchC> system-view [SwitchC] interface Vlan-interface 1 [SwitchC-Vlan-interface1] ip address 196.255.1.0 0.255.0.2.0.1.1. .1.1.1.1/24 196.3 [SwitchC] ospf [SwitchC-ospf-1] area 0 [SwitchC-ospf-1-area-0.0.0] network 196.2 3.0.3/24 196.1. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address 196. Note that Switch A has three neighbors.0.255 Use the display ospf peer command to display OSPF neighbors on Switch A.0.0.1 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.1 2.0.0] network 196.4.1.4.116 CHAPTER 5: ROUTING OVERVIEW Device Switch A Switch B Switch C Switch D Interface Vlan-int1 Vlan-int1 Vlan-int1 Vlan-int1 IP address 196.1.2.1.1.255.1.4 255.1.255.0.3 4.1 255.1.0 [SwitchC-Vlan-interface1] ospf dr-priority 2 [SwitchC-Vlan-interface1] quit [SwitchC] router id 3.1.0 0.2.1.0.2.0.1. <SwitchD> system-view [SwitchD] interface Vlan-interface 1 [SwitchD-Vlan-interface1] ip address 196.1.0 [SwitchB-Vlan-interface1] ospf dr-priority 0 [SwitchB-Vlan-interface1] quit [SwitchB] router id 2.4.4 [SwitchD] ospf [SwitchD-ospf-1] area 0 [SwitchD-ospf-1-area-0.255.4 Interface priority 100 0 2 1 Configuration procedure # Configure Switch A. <SwitchB> system-view [SwitchB] interface Vlan-interface 1 [SwitchB-Vlan-interface1] ip address 196.255 # Configure Switch B.

The state of each neighbor is full. This means that Switch A has formed adjacencies with all neighbors. (Switch A and Switch C can act as the DR and BDR only when they establish adjacencies with all the switches in the network.) Switch A acts as the DR, while Switch C acts as the BDR. Any other neighbor is DRother (neither DR nor BDR).

# Change the priority of Switch B to 200.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ospf dr-priority 200

Use the display ospf peer command to display OSPF neighbors on Switch A. Note that the priority of Switch B is 200 now, but it is not the DR. The DR will be reelected only after the current DR fails to work.

Shut down Switch A and use the display ospf peer command to display neighbors on Switch D. Note that Switch C that used to be the BDR becomes the DR and Switch B becomes the BDR.

If you shut down and then restart all the switches, Switch B with priority 200 will be elected as the DR and Switch A with priority 100 will be elected as the BDR, because such operation triggers a new round of DR/BDR election.

OSPF Virtual Link Configuration Examples

Network requirements
1 Requirement analysis
Devices in the network run OSPF to realize interconnection. The network is split into three areas: one backbone area and two non-backbone areas (Area 1 and Area 2). Area 2 has no direct connection to the backbone, and it has to reach the backbone through Area 1. The customer hopes that Area 2 can interconnect with other two areas. Based on the customer requirements and networking environment, use a virtual link to connect Area 2 to the backbone area.
2 Network diagram
Figure 54 shows the network diagram.

Figure 54 Network diagram for virtual link configuration
[Diagram labels: Switch A, Switch B, Area 0, Area 1, Area 2, Virtual link, Vlan-int1, Vlan-int2]


Device    Interface  IP address     Router ID
Switch A  Vlan-int1  196.1.1.2/24   1.1.1.1
          Vlan-int2  197.1.1.2/24   -
Switch B  Vlan-int1  152.1.1.1/24   2.2.2.2
          Vlan-int2  197.1.1.1/24   -

Configuration procedure
1 Configure OSPF basic functions
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 197.1.1.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.2] quit

# Display the OSPF routing table on Switch A
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination     Cost  Type  NextHop     AdvRouter  Area
196.1.1.0/24    10    Stub  196.1.1.2   1.1.1.1    0.0.0.0
197.1.1.0/24    10    Net   197.1.1.1   2.2.2.2    0.0.0.1
Total Nets: 2
Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0


Since Area2 has no direct connection to Area0, the routing table of RouterA has no route to Area2.

2 Configure a virtual link
# Configure Switch A.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure Switch B.
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[SwitchB-ospf-1-area-0.0.0.1] quit

# Display the OSPF routing table on Switch A.
[SwitchA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination     Cost  Type  NextHop     AdvRouter  Area
196.1.1.0/24    10    Stub  196.1.1.2   1.1.1.1    0.0.0.0
197.1.1.0/24    10    Net   197.1.1.1   2.2.2.2    0.0.0.1
152.1.1.0/24    20    SNet  197.1.1.1   2.2.2.2    0.0.0.0
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

Switch A has learned the route 152.1.1.0/24 to Area2.

BGP Confederation Configuration Example

Network requirements
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases rapidly in the AS, more network resources for BGP communication are occupied. The customer hopes to reduce IBGP peers and decrease the CPU and network resources consumption of BGP without affecting device performance. Based on user requirements, configure a BGP confederation to achieve the goal.
2 Network diagram
Figure 55 shows the network diagram.


Figure 55 Network diagram for BGP AS confederation configuration
[Diagram labels: AS 100 containing AS 1001 (Switch A), AS 1002 (Switch B) and AS 1003 (Switch C, Switch D); AS 200 (Switch E); VLAN-int 10, VLAN-int 20, VLAN-int 30, VLAN-int 40, VLAN-int 50]

Device    Interface    IP address      AS
Switch A  Vlan-int 10  172.68.10.1/24  100
          Vlan-int 50  10.1.1.1/24
Switch B  Vlan-int 10  172.68.10.2/24  100
Switch C  Vlan-int 10  172.68.10.3/24  100
          Vlan-int 20  172.68.1.1/24
          Vlan-int 30  156.10.1.1/24
Switch D  Vlan-int 20  172.68.1.2/24   100
Switch E  Vlan-int 30  156.10.1.2/24   200
          Vlan-int 40  8.1.1.1/24

3 Configuration plan
■ Split AS 100 into three sub-ASs: AS 1001, AS 1002, and AS 1003.
■ Run EBGP between AS 1001, AS 1002, and AS 1003. AS 1001, AS 1002, and AS 1003 are fully meshed within themselves by running IBGP.
■ Run EBGP between AS 100 and AS 200.

Configuration procedure
# Configure Switch A.
<SwitchA> system-view
[SwitchA] bgp 1001
[SwitchA-bgp] network 10.1.1.0 255.255.255.0
[SwitchA-bgp] confederation id 100
[SwitchA-bgp] confederation peer-as 1002 1003
[SwitchA-bgp] group confed1002 external
[SwitchA-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchA-bgp] group confed1003 external
[SwitchA-bgp] peer 172.68.10.3 group confed1003 as-number 1003
[SwitchA-bgp] quit

# Configure Switch B.
<SwitchB> system-view
[SwitchB] bgp 1002
[SwitchB-bgp] confederation id 100
[SwitchB-bgp] confederation peer-as 1001 1003
[SwitchB-bgp] group confed1001 external
[SwitchB-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchB-bgp] group confed1003 external
[SwitchB-bgp] peer 172.68.10.3 group confed1003 as-number 1003

# Configure Switch C.
<SwitchC> system-view
[SwitchC] bgp 1003
[SwitchC-bgp] confederation id 100
[SwitchC-bgp] confederation peer-as 1001 1002
[SwitchC-bgp] group confed1001 external
[SwitchC-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchC-bgp] group confed1002 external
[SwitchC-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchC-bgp] group ebgp200 external
[SwitchC-bgp] peer 156.10.1.2 group ebgp200 as-number 200
[SwitchC-bgp] group ibgp1003 internal
[SwitchC-bgp] peer 172.68.1.2 group ibgp1003

# Configure Switch D.
<SwitchD> system-view
[SwitchD] bgp 1003
[SwitchD-bgp] confederation id 100
[SwitchD-bgp] group ibgp1003 internal
[SwitchD-bgp] peer 172.68.1.1 group ibgp1003

# Configure Switch E.
<SwitchE> system-view
[SwitchE] bgp 200
[SwitchE-bgp] network 8.1.1.0 255.255.255.0
[SwitchE-bgp] group ebgp100 external
[SwitchE-bgp] peer 156.10.1.1 group ebgp100 as-number 100
[SwitchE-bgp] quit

# Display the BGP routing table on Switch E.
[SwitchE] display bgp routing
Flags: # - valid     ^ - active     I - internal
       D - damped    H - history    S - aggregate suppressed

Dest/Mask        Next-Hop      Med   Local-pref  Origin  Path
--------------------------------------------------------------------------
#^ 8.1.1.0/24    0.0.0.0       0     100         IGP
#^ 10.1.1.0/24   156.10.1.1    0     100         IGP     100
Routes total: 2

# Display the BGP routing table on Switch A.
[SwitchA] display bgp routing
Flags: # - valid     ^ - active     I - internal
       D - damped    H - history    S - aggregate suppressed

Dest/Mask        Next-Hop      Med   Local-pref  Origin  Path
--------------------------------------------------------------------------
I  8.1.1.0/24    156.10.1.2    0     100         IGP     (1003) 200
#^ 10.1.1.0/24   0.0.0.0       0     100         IGP
Routes total: 2

The above display shows that sub-AS routing information is advertised only within the confederation. A device in an AS outside of the confederation, such as Switch E, cannot learn the sub-AS routing information within the confederation because it treats the confederation as a single AS.

BGP Route Reflector Configuration Example

Network requirements
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases rapidly in the AS, more network resources for BGP communication are occupied. The customer hopes to reduce IBGP peers and decrease CPU and network resources consumption of BGP without affecting device performance. In addition, IBGP peers are partially interconnected in the AS. Based on the requirements and networking environment, configure a BGP route reflector to achieve the goal.
2 Network diagram
Figure 56 shows the network diagram.

Figure 56 Network diagram for BGP route reflector configuration
[Diagram labels: AS 100 (Switch A); AS 200 (Switch B, Switch C, Switch D); Router Reflector; VLAN-int100, VLAN-int2, VLAN-int3, VLAN-int4]

Device    Interface     IP address     AS
Switch A  Vlan-int 100  1.1.1.1/8      100
          Vlan-int 2    192.1.1.1/24
Switch B  Vlan-int 2    192.1.1.2/24   200
          Vlan-int 3    193.1.1.2/24
Switch C  Vlan-int 3    193.1.1.1/24   200
          Vlan-int 4    194.1.1.1/24
Switch D  Vlan-int 4    194.1.1.2/24   200

3 Configuration plan
■ Run EBGP between the peers in AS 100 and AS 200. Advertise network 1.0.0.0/8.


■ Run IBGP between the peers in AS 200. Configure a star topology for the AS. Specify the central device as a route reflector and other devices as clients.

Configuration procedure 1 Configure switch A.
<SwitchA> system-view [SwitchA] interface Vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0 [SwitchA-Vlan-interface2] interface Vlan-interface 100 [SwitchA-Vlan-interface100] ip address 1.1.1.1 255.0.0.0 [SwitchA-Vlan-interface100] quit [SwitchA] bgp 100 [SwitchA-bgp] group ex external [SwitchA-bgp] peer 192.1.1.2 group ex as-number 200 [SwitchA-bgp] network 1.0.0.0 255.0.0.0

2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 3
[SwitchB-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchB-Vlan-interface3] quit

# Configure BGP peers.
[SwitchB] bgp 200
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 193.1.1.1 group in

3 Configure Switch C.
# Configure the VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 4
[SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchC-Vlan-interface4] quit

# Configure BGP peers and configure Switch C as the route reflector.
[SwitchC] bgp 200
[SwitchC-bgp] group rr internal
[SwitchC-bgp] peer rr reflect-client
[SwitchC-bgp] peer 193.1.1.2 group rr
[SwitchC-bgp] peer 194.1.1.2 group rr

4 Configure Switch D.
# Configure the VLAN interface IP address.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[SwitchD-Vlan-interface4] quit

# Configure the BGP peer.
[SwitchD] bgp 200
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 194.1.1.1 group in
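
Why the reflect-client line on Switch C matters, as an added example (not code from the 3Com guide): a small Python model of the Figure 56 sessions that applies the standard IBGP advertisement and route-reflection rules. The router IDs are assumed values (the page does not give them), and next-hop resolution and best-path selection are left out.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple = ()
    learned_from: str = "local"   # peer name, or "local" for an originated route
    via_ibgp: bool = False
    originator_id: str = ""       # set by the first reflector
    cluster_list: tuple = ()      # reflectors the route has passed through


@dataclass
class Speaker:
    name: str
    asn: int
    router_id: str                              # assumed value, not from the page
    peers: dict = field(default_factory=dict)   # peer name -> is reflect-client
    rib: dict = field(default_factory=dict)     # prefix -> Route


def build(reflect):
    """Figure 56 sessions: A-B is EBGP, B-C and C-D are IBGP, Switch C is the hub."""
    a = Speaker("SwitchA", 100, "1.1.1.1", {"SwitchB": False})
    b = Speaker("SwitchB", 200, "193.1.1.2", {"SwitchA": False, "SwitchC": False})
    c = Speaker("SwitchC", 200, "194.1.1.1", {"SwitchB": reflect, "SwitchD": reflect})
    d = Speaker("SwitchD", 200, "194.1.1.2", {"SwitchC": False})
    return {s.name: s for s in (a, b, c, d)}


def outgoing(speaker, route, peer, net):
    """Return the route as sent to `peer`, or None when the rules forbid sending it."""
    if peer.name == route.learned_from:
        return None
    if peer.asn != speaker.asn:
        # EBGP: prepend the local AS; reflection attributes do not leave the AS.
        return Route(route.prefix, (speaker.asn,) + route.as_path, speaker.name)
    if not route.via_ibgp:
        # Locally originated or EBGP-learned: sent to every IBGP peer.
        return Route(route.prefix, route.as_path, speaker.name, True)
    from_client = speaker.peers.get(route.learned_from, False)
    to_client = speaker.peers[peer.name]
    if not (from_client or to_client):
        return None  # plain IBGP: an IBGP-learned route is not passed to IBGP peers
    originator = route.originator_id or net[route.learned_from].router_id
    return Route(route.prefix, route.as_path, speaker.name, True,
                 originator, (speaker.router_id,) + route.cluster_list)


def accept(speaker, route, sender):
    """Loop checks: own AS in AS_PATH (EBGP), own ID in ORIGINATOR_ID/CLUSTER_LIST (IBGP)."""
    if sender.asn != speaker.asn:
        return speaker.asn not in route.as_path
    return (route.originator_id != speaker.router_id
            and speaker.router_id not in route.cluster_list)


def simulate(reflect):
    """Originate 1.0.0.0/8 on Switch A and flood it until nothing new is learned."""
    net = build(reflect)
    origin = Route("1.0.0.0/8")
    net["SwitchA"].rib[origin.prefix] = origin
    queue = deque([("SwitchA", origin)])
    while queue:
        name, route = queue.popleft()
        speaker = net[name]
        for peer_name in speaker.peers:
            peer = net[peer_name]
            sent = outgoing(speaker, route, peer, net)
            if sent is None or not accept(peer, sent, speaker):
                continue
            if sent.prefix not in peer.rib:
                peer.rib[sent.prefix] = sent
                queue.append((peer_name, sent))
    return net


if __name__ == "__main__":
    for reflect in (False, True):
        net = simulate(reflect)
        learned = [n for n, s in net.items() if "1.0.0.0/8" in s.rib]
        print(f"reflect-client={reflect}: 1.0.0.0/8 known on {learned}")
```

Without reflection the route stops at Switch C; with it, Switch D receives the route carrying Switch B as originator and Switch C in the cluster list.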

Use the display bgp routing command to display the BGP routing table on Switch B. Note that Switch B has learned network 1.0.0.0.

Use the display bgp routing command to display the BGP routing table on Switch D. Note that Switch D has learned network 1.0.0.0.

BGP Path Selection Configuration Example

Network requirements

1 Requirement analysis
A network consists of two ASs, which run BGP to communicate with each other. OSPF runs in one of them. The requirement is to control the data forwarding path from AS 200 to AS 100. The following two plans meet the requirement:
■ Use the MED attribute to control the forwarding path for packets from AS 200 to AS 100.
■ Use the LOCAL_PREF attribute to control the forwarding path for packets from AS 200 to AS 100.

2 Network diagram
Figure 57 shows the network diagram.
Figure 57 Network diagram for BGP path selection

Device    Interface     IP address      AS
Switch A  Vlan-int 101  1.1.1.1/8       100
          Vlan-int 2    192.1.1.1/24
          Vlan-int 3    193.1.1.1/24
Switch B  Vlan-int 2    192.1.1.2/24    200
          Vlan-int 4    194.1.1.2/24
Switch C  Vlan-int 3    193.1.1.2/24    200
          Vlan-int 5    195.1.1.2/24
Switch D  Vlan-int 4    194.1.1.1/24    200
          Vlan-int 5    195.1.1.1/24

3 Configuration plan
■ Run EBGP between AS 100 and AS 200. Advertise network 1.0.0.0/8.
■ Run OSPF in AS 200 to realize network interconnection.
■ Run IBGP between Switch D and Switch B as well as between Switch D and Switch C.
■ Apply a routing policy on Switch A to modify the MED attribute of the route to be advertised to AS 200, making the data forwarding path from Switch D to AS 100 as Switch D - Switch C - Switch A.
■ Apply a routing policy on Switch C to modify the LOCAL_PREF attribute of the route to be advertised to Switch D, making the data forwarding path from AS 200 to AS 100 as Switch D - Switch C - Switch A.

Configuration procedure

1 Configure Switch A.
# Configure the VLAN interface IP addresses.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] interface Vlan-interface 3
[SwitchA-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchA-Vlan-interface3] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 1.1.1.1 255.0.0.0
[SwitchA-Vlan-interface101] quit

# Enable BGP.
[SwitchA] bgp 100

# Advertise network 1.0.0.0/8.
[SwitchA-bgp] network 1.0.0.0

# Configure BGP peers.
[SwitchA-bgp] group ex192 external
[SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200
[SwitchA-bgp] group ex193 external
[SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200
[SwitchA-bgp] quit

# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any
[SwitchA-acl-basic-2000] quit

# Create a routing policy named apply_med_50, and specify node 10 with the permit matching mode for the routing policy. Set the MED value of the route matching ACL 2000 to 50.
[SwitchA] route-policy apply_med_50 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 50
[SwitchA-route-policy] quit

# Create a routing policy named apply_med_100, and specify node 10 with the permit matching mode for the routing policy. Set the MED value of the route matching ACL 2000 to 100.
[SwitchA] route-policy apply_med_100 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 100
[SwitchA-route-policy] quit

# Apply the routing policy apply_med_50 to routing updates to the peer group ex193 (the peer 193.1.1.2) and apply_med_100 to routing updates to the peer group ex192 (the peer 192.1.1.2).
[SwitchA] bgp 100
[SwitchA-bgp] peer ex193 route-policy apply_med_50 export
[SwitchA-bgp] peer ex192 route-policy apply_med_100 export

2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface vlan 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 4
[SwitchB-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[SwitchB-Vlan-interface4] quit

# Configure OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchB] bgp 200
[SwitchB-bgp] undo synchronization
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 194.1.1.1 group in
[SwitchB-bgp] peer 195.1.1.2 group in

3 Configure Switch C.
# Configure the VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 5
[SwitchC-Vlan-interface5] ip address 195.1.1.2 255.255.255.0
[SwitchC-Vlan-interface5] quit

# Enable OSPF.
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchC] bgp 200
[SwitchC-bgp] undo synchronization
[SwitchC-bgp] group ex external
[SwitchC-bgp] peer 193.1.1.1 group ex as-number 100
[SwitchC-bgp] group in internal
[SwitchC-bgp] peer 195.1.1.1 group in
[SwitchC-bgp] peer 194.1.1.2 group in

4 Configure Switch D.
# Configure the VLAN interface IP addresses.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchD-Vlan-interface4] quit
[SwitchD] interface Vlan-interface 5
[SwitchD-Vlan-interface5] ip address 195.1.1.1 255.255.255.0
[SwitchD-Vlan-interface5] quit

# Enable OSPF.
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 4.0.0.0 0.255.255.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit

# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchD] bgp 200
[SwitchD-bgp] undo synchronization
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 195.1.1.2 group in
[SwitchD-bgp] peer 194.1.1.2 group in

■ To validate the configuration, you need to use the reset bgp all command on all the BGP peers.
■ Since the MED attribute of route 1.0.0.0 learned by Switch C is smaller than that learned by Switch B, Switch D selects the route 1.0.0.0 from Switch C.
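
How Switch D arrives at its choice under both plans, as an added example (not code from the 3Com guide): a Python model of the route policies apply_med_50, apply_med_100 and localpref and of a simplified BGP decision (LOCAL_PREF, AS-path length, then MED). It assumes that a route matching no policy node is denied, and it also covers the LOCAL_PREF plan that the guide presents next.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    med: int = 0
    local_pref: int = 100   # default local preference stated in the guide
    via: str = ""           # IBGP peer that passed the route to Switch D


# ACL 2000 as configured on Switch A and Switch C: (action, address, wildcard).
ACL_2000 = [("permit", "1.0.0.0", "0.255.255.255"),
            ("deny", "0.0.0.0", "255.255.255.255")]   # "rule deny source any"

# Route policies as (node, mode, acl-or-None, attributes to set).
APPLY_MED_50 = [(10, "permit", ACL_2000, {"med": 50})]
APPLY_MED_100 = [(10, "permit", ACL_2000, {"med": 100})]
LOCALPREF = [(10, "permit", ACL_2000, {"local_pref": 200}),
             (20, "permit", None, {"local_pref": 100})]   # node 20 has no if-match


def acl_permits(rules, prefix):
    """Basic ACL used as a route filter: first matching rule decides, no match is deny."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in rules:
        wild = int(ipaddress.ip_address(wildcard))
        if (addr | wild) == (int(ipaddress.ip_address(base)) | wild):
            return action == "permit"
    return False


def apply_policy(nodes, route):
    """Walk the nodes in ascending order; return the modified route or None if filtered."""
    for _node, mode, acl, attrs in sorted(nodes, key=lambda n: n[0]):
        if acl is not None and not acl_permits(acl, route.prefix):
            continue                      # if-match failed, try the next node
        return replace(route, **attrs) if mode == "permit" else None
    return None                           # assumption: no node matched, route is denied


def best_path(candidates):
    """Simplified decision: highest LOCAL_PREF, shortest AS path, then lowest MED
    (MED is compared only between routes from the same neighbouring AS)."""
    def better(a, b):
        if a.local_pref != b.local_pref:
            return a.local_pref > b.local_pref
        if len(a.as_path) != len(b.as_path):
            return len(a.as_path) < len(b.as_path)
        if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
            return a.med < b.med
        return False
    best = candidates[0]
    for cand in candidates[1:]:
        if better(cand, best):
            best = cand
    return best


def plan_med():
    """Plan 1: Switch A exports MED 100 to Switch B (ex192) and MED 50 to Switch C (ex193)."""
    base = Route("1.0.0.0/8", (100,))
    via_b = replace(apply_policy(APPLY_MED_100, base), via="SwitchB")
    via_c = replace(apply_policy(APPLY_MED_50, base), via="SwitchC")
    return best_path([via_b, via_c])


def plan_local_pref():
    """Plan 2: no MED policy; Switch C applies localpref on import from 193.1.1.1."""
    base = Route("1.0.0.0/8", (100,))
    via_b = replace(base, via="SwitchB")                      # default 100
    via_c = replace(apply_policy(LOCALPREF, base), via="SwitchC")
    return best_path([via_b, via_c])


if __name__ == "__main__":
    print("MED plan:       ", plan_med())
    print("LOCAL_PREF plan:", plan_local_pref())
    other = Route("2.0.0.0/8", (100,))    # constructed prefix outside ACL 2000
    print("apply_med_50 on 2.0.0.0/8:", apply_policy(APPLY_MED_50, other))
    print("localpref on 2.0.0.0/8:   ", apply_policy(LOCALPREF, other))
```

The last two calls show why localpref carries a node 20 without an if-match clause: under the stated assumption, a single-node policy such as apply_med_50 filters every route outside ACL 2000, while localpref lets those routes through with the default preference.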

■ If you do not configure MED attribute control on Switch A, setting the local preference attribute for route 1.0.0.0 on Switch C is another choice.

# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
[SwitchC] acl number 2000
[SwitchC-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchC-acl-basic-2000] rule deny source any
[SwitchC-acl-basic-2000] quit

# Create a routing policy named localpref, and specify node 10 with the permit matching mode for the routing policy. Set the local preference value of the route matching ACL 2000 to 200.
[SwitchC] route-policy localpref permit node 10
[SwitchC-route-policy] if-match acl 2000
[SwitchC-route-policy] apply local-preference 200
[SwitchC-route-policy] quit

# Create a routing policy named localpref, and specify node 20 with the permit matching mode for the routing policy. Set the local preference value of the route to 100.
[SwitchC] route-policy localpref permit node 20
[SwitchC-route-policy] apply local-preference 100
[SwitchC-route-policy] quit

# Apply the routing policy localpref to the routing information from the peer 193.1.1.1 (Switch A).
[SwitchC] bgp 200
[SwitchC-bgp] peer 193.1.1.1 route-policy localpref import

Since the local preference (200) of the route learned by Switch C is bigger than that learned by Switch B (100), Switch D prefers the route 1.0.0.0 from Switch C. Note that the local preference is not set for route 1.0.0.0 on Switch B, so the route uses the default value 100.

Comprehensive Configuration Example

■ The following examples use the Switch 5500 and Switch 5500G.
■ For details about routing protocols, see corresponding configuration guide of products.
■ For details on using specific commands, see the corresponding command reference guide.

Network Requirements

Requirement Analysis, Network Diagram and Configuration Plan

Requirement analysis
An ISP has four ASs: AS 100, AS 200, AS 300, and AS 400. The specific requirements are as follows:
■ AS 100 is the core layer. It connects AS 200, AS 300, and AS 400 and forwards data between them.
■ AS 200, AS 300, and AS 400 constitutes the distribution layer. They provide access services for users.

■ Fast convergence is required for AS 200 and AS 400 because their networks are quite large and complicated.
■ The network of AS 300 is small and simple. The devices in the network support only RIP. Their performances are low and the capacities of routing tables are quite limited.
■ Access users in AS 200, AS 300, and AS 400 are accessible to each other.
■ The data forwarding path needs to be controlled when users in AS 400 access AS 200 and AS 300.
■ Access users in AS 200 require a very reliable network.
■ An AS 300 access user is interconnected with the ISP through a single link.
■ S200_10 in AS 200 is connected with Layer 2 devices.
■ S300_B in AS 300 is connected with Layer 2 devices.

Network diagram
Figure 58 shows the network diagram designed according to the requirements.
Figure 58 Network diagram

Configuration plan
■ Run BGP in AS 100 to interconnect with AS 200, AS 300, and AS 400. Use the MED attribute to control the forwarding path.
■ Run OSPF in AS 200. The device in AS 200 connecting to AS 100 runs both OSPF and BGP. Apply a routing policy when redistributing BGP routes for filtering. Use static routes as backup routes to implement link redundancy and improve network reliability.

■ Run RIPv2 in AS 300. The device in AS 300 connecting to AS 100 runs both RIPv2 and BGP. Apply a routing policy when redistributing BGP routes for filtering. AS 300 users use the combination of static routes, RIP, and routing policy to access the ISP.
■ Run OSPF in AS 400. The device in AS 400 connecting to AS 100 runs both OSPF and BGP. Apply a routing policy when redistributing BGP routes for filtering.
■ Interaction between IGP and BGP is involved in the configuration. Since the default BGP preference is 256, when backup routes exist in the routing table, you need to modify the BGP preference in order to select the primary route as required.

Devices Used for Networking

Table 84 Device model and device name

Model  Device name
7500   S200/S300
5600   S100_1/S100_2/S400
3600   S200_0/S200_10/S300_A/S300_B/S400_0

Software Version
Switch 5500 Release 1510
Switch 5500G Release 1510
Switch 7750 Release 3130

■ Either Switch 7750 Ethernet switches or Switch 5500Gs Ethernet switches can serve as S100_1/S100_2/S400/S200/S300.
■ You can use other partially layer 3 capable switches as S300_B.

Routing Protocols and Related Parameters on Devices

Table 85 Routing protocols supported by devices

Device name  Routing protocol   AS
S100_1       BGP (IBGP&EBGP)    100
S100_2       BGP (IBGP&EBGP)    100
S200         BGP (EBGP)/OSPF    200
S200_0       OSPF               200
S200_10      OSPF/STATIC        200
S300         BGP (EBGP)/RIPv2   300
S300_A       RIPv2/STATIC       300
S300_B       RIPv2              300
S400         BGP (EBGP)/OSPF    400
S400_0       OSPF               400
[Router ID column not recoverable]

Configuration Procedure

Configuration Guide

Table 86 Configuration guide

Configuration task: “Basic Configuration” on page 131
Description: Create VLANs and configure IP addresses for VLAN interfaces

Configuration task: “Basic RIPv2/OSPF/BGP Configuration” on page 131
Description: Basic RIPv2/OSPF/BGP configuration

Configuration task: “RIP, Static Route, and Routing Policy Configuration Example” on page 137
Description: Using a routing policy, configure RIP to advertise route updates but does not receive route updates and use static routing to access the ISP.

Configuration task: “BGP and IGP Interaction Configuration Example” on page 138
Description: IGP and BGP share routes. Apply a routing policy for BGP redistribution to IGP as required

Configuration task: “Route Backup Configuration Example” on page 140
Description: To improve network reliability, run OSPF on the primary link and run static routing on the backup link to realize interconnection

Configuration task: “BGP MED Attribute Configuration Example” on page 141
Description: Apply a routing policy to change the MED attribute of routes to control the forwarding path

Basic Configuration
Creating VLANs and configuring IP addresses for VLAN interfaces are omitted here. Refer to “Displaying the Whole Configuration on Devices” on page 145 for related information.

Basic RIPv2/OSPF/BGP Configuration

Basic RIPv2 configuration
Figure 59 shows the relevant network diagram of AS 300.
Figure 59 Network diagram for RIPv2 configuration

1. [S300_B-rip] undo summary [S300_B-rip] quit .4.1.4.4.1.2. # Run RIP on the interfaces connected to networks 162.0.0.1/24 166.2/24 166. # Run RIP on the interface with the IP address 206.2/24 162.1.1.1/24 S300_B Vlan-int 662 Vlan-int 623 Vlan-int 624 ■ Configure S300. [S300_A] interface vlan-interface 14 [S300_A-Vlan-interface14] rip version 2 [S300_A-Vlan-interface14] quit [S300_A] interface vlan-interface 662 [S300_A-Vlan-interface662] rip version 2 [S300_A-Vlan-interface662] quit ■ Configure S300_B.1. [S300_A-rip] undo summary [S300_A-rip] quit # Run RIPv2 on VLAN-interface 14 and VLAN-interface 662.0.0.0 # Disable RIPv2 route summarization.132 CHAPTER 5: ROUTING OVERVIEW Device S300 S300_A Interface Vlan-int 14 Vlan-int 14 Vlan-int 662 Vlan-int 665 IP address 206.0. <S300> system-view [S300] rip [S300-rip] network 206.0 and 166.0.4. # Run RIP on the interfaces on networks 206.1.1.1.0 # Disable RIPv2 route summarization. <S300_A> system-view [S300_A] rip [S300_A-rip] network 206.3.0.0 and 166.1. [S300] interface vlan-interface 14 [S300-Vlan-interface14] rip version 2 [S300-Vlan-interface14] quit ■ Configure S300_A.2/24 206.1.0 [S300_B-rip] network 166.1.2.0. [S300-rip] undo summary [S300-rip] quit # Run RIPv2 on VLAN-interface 14. <S300_B> system-view [S300_B] rip [S300_B-rip] network 162.1.5.1/24 162.1.4.4.1.0 [S300_A-rip] network 166.0 # Disable RIPv2 route summarization.0.1/24 166.1.4.1.

int 12 S 200_0 VLA VLAN -int 661 VL S200_ 10 VLAN-int 621 VLAN -int 622 OSPF Device S200 S200_0 S200_10 Interface Vlan-int 12 Vlan-int 12 Vlan-int 661 Vlan-int 661 Vlan-int 621 Vlan-int 622 IP address 206.1.int 11 EBGP AS 200 S200 VLAN.1.0.1.Configuration Procedure 133 # Run RIPv2 on VLAN-interface 623. # Run OSPF on the interface connected to network 206.0.2/24 162.1.2.1.2.1.1/24 166.1. Figure 60 Network diagram for OSPF configuration VLAN.0/24 and specify its area ID as 0.1/24 Area 0 0 10 10 10 10 ■ Configure S200. VLAN-interface 624. <S200> system-view [S200] ospf [S200-ospf-1] area 0 [S200-ospf-1-area-0. <S200_0> system-view [S200_0] ospf [S200_0-ospf-1] area 0 .1/24 162. and VLAN-interface 662.1.2. # Run OSPF on the interface connected to network 206.3/24 206.1.1/24 166.0] network 206.255 ■ Configure S200_0.1.0. [S300_B] interface vlan-interface 623 [S300_B-Vlan-interface623] rip version 2 [S300_B-Vlan-interface623] quit [S300_B] interface vlan-interface 624 [S300_B-Vlan-interface624] rip version 2 [S300_B-Vlan-interface624] quit [S300_B] interface vlan-interface 662 [S300_B-Vlan-interface662] rip version 2 [S300_B-Vlan-interface662] quit Basic OSPF configuration Figure 60 shows the relevant network diagram of AS 200.2.0.1.0/24 and specify its area ID as 0.2.0 0.1.2.

4.10] network 166.255 Figure 61 shows the network diagram of AS 400.0/24 and specify its area ID as 10.0. .1/24 166.0 0.0.1.0.0.4.0.0 0.0.0.0/24.0.1.1.0.1.0.0/24 and specify their area ID as 0.1.255 [S200_0-ospf-1-area-0.0.0. # Run OSPF on the interface connected to network 206. <S400> system-view [S400] ospf [S400-ospf-1] area 0 [S400-ospf-1-area-0.0.1.0.0.1.1.0.1.0 0.44 0.0.int 664 S400 _0 VLAN-int 16 S400 OSPF Device S400 S400_0 Interface Vlan-int 16 Vlan-int 16 Vlan-int 663 Vlan-int 664 IP address 206.0/24 and specify its area ID as 0.1.3.3/24 206.44. # Run OSPF on the interface connected to network 206.0. [S200_0-ospf-1] area 10 [S200_0-ospf-1-area-0.0.1. 162.255 [S200_10-ospf-1-area-0.0.6.0.0 0.6.1.255 ■ Configure S200_10. # Run OSPF on interfaces connected to networks 162.1.0.0/24 and 166.0.1.10] network 162.0/24 and specify its area ID as 0.6.0.0] quit # Run OSPF on the interface connected to network 166.1.0.0 0.134 CHAPTER 5: ROUTING OVERVIEW [S200_0-ospf-1-area-0.0 0.0] network 206.10] network 166.6.1.3.0.0.44 ■ Configure S400.2.1.1.1.255 ■ Configure S400_0.0/24. and 166.0.0] network 206.1.1.6.10] network 162.255 [S200_10-ospf-1-area-0. Figure 61 Network diagram for AS 400 configuration AS 400 VLAN-int 663 VLAN.0/24 and specify their area ID as 10.1.1.0.0 0.1. <S200_10> system-view [S200_10] ospf [S200_10-ospf-1] area 10 [S200_10-ospf-1-area-0.0.0.0] network 206.0.1/24 166.2.6.1.0. <S400_0> system-view [S400_0] ospf [S400_0-ospf-1] area 0 [S400_0-ospf-1-area-0.1.255 [S400_0-ospf-1-area-0.1/24 Area 0 0 0.1.1.2.0.0.0] quit # Run OSPF on interfaces connected to networks 166.

1 S200 S300 S400 Vlan-int 11 Vlan-int 13 Vlan-int 22 Vlan-int 13 Vlan-int 15 Vlan-int 23 2.1.2 group 100 [S100_1-bgp] peer 196.3/24 196.1/24 196.2.1.1.3.1.3.44] network 166.1.1.3/24 Router ID 1.1.0.1.2.2.1.1.255 Basic BGP configuration Figure 62 shows the relevant network diagram.2.2/24 206.3/24 196.int 11 EBGP EBGP VLAN -int 22 EBGP VLAN-int 23 AS 100 S100 _1 S100_ 2 AS 200 S200 EBGP VLAN-int 13 AS 300 S300 Device S100_1 Interface Vlan-int 11 Vlan-int 15 Vlan-int 31 IP address 196.0.1.1.1.3/24 206.1.1. Add peer 196.1.2.2/24 196. Add peer 196.0.1. <S100_1> system-view [S100_1] router id 1.3.1.1 4.44 [S400_0-ospf-1-area-0.1. [S100_1] bgp 100 # Create IBGP peer group 100 and EBGP peer groups 200 and 400.1/24 196.1.1. Figure 62 Network diagram for BGP configuration 6 S400 OSPF VLAN-int 15 EBGP IBGP VLAN -int 31 VLAN.1.2.0 0.1.3.44] network 166.3.3 group 400 as-number 400 .1.1 # Enable BGP and specify the local AS number as 100.1.1 3.1.3.0.1/24 196.3 in AS 200 into peer group 200.1.1 200 300 400 ■ Configure S100_1.1.1.Configuration Procedure 135 [S400_0-ospf-1] area 0.3.1.3 in AS 400 into peer group 400.1.3 group 200 as-number 200 [S100_1-bgp] peer 196.4.3.1.3.1.2 in AS 100 into peer group 100.0.1.1.3. [S100_1-bgp] peer 196.1.0.0 0.1 AS 100 S100_2 Vlan-int 22 Vlan-int 23 Vlan-int 31 1.2.3. [S100_1-bgp] group 100 internal [S100_1-bgp] group 200 external [S100_1-bgp] group 400 external # Add peer 196.255 [S400_0-ospf-1-area-0.1.3. # Configure the router ID of S100_1 as 1.3.0.2/24 196.2/24 196.1/24 196.

2 in AS 300 into peer group 300.1.1. [S100_1-bgp] network 196.3. [S100_2-bgp] peer 196.2.1. <S200> system-view [S200] router id 2.1.1.1.2. and local routes to 200. [S100_2] bgp 100 # Create IBGP peer group 100 and EBGP peer groups 300 and 400.3.3.1.0 and 206.3.2.1.1 group 100 as-number 100 [S200-bgp] peer 206. Add peer 196.1.1.1.0 [S100_2-bgp] network 196. and local routes to 200.2 in AS 300 into peer group 300.3.1.0.0 # Set the preferences of EBGP routes.2.3. 196.2.1 group 100 [S100_2-bgp] peer 196. # Configure the router ID of S200 as 2.1. [S100_1-bgp] preference 200 200 200 ■ Configure S100_2.2. [S100_2-bgp] network 196.0 # Set the preferences of EBGP routes.1. Add peer 196.1.3. # Configure the router ID of S200_2 as 1. [S200] bgp 200 # Create EBGP peer groups 100 and 300.3.0. IBGP routes.2 group 300 as-number 300 [S100_2-bgp] peer 196.0 [S200-bgp] network 206.0 # Set the preferences of EBGP routes.1. [S200-bgp] peer 196.1.1 in AS 100 into peer group 100. Add peer 206.3.0 [S100_1-bgp] network 196.1.1.1.2.3.1.136 CHAPTER 5: ROUTING OVERVIEW # Advertise networks 196.1.3. and 196.3. IBGP routes. .1. and local routes to 200.2 group 300 as-number 300 # Advertise networks 192.0.2.2.1 # Enable BGP and specify the local AS number as 100.2. [S100_2-bgp] group 100 internal [S100_2-bgp] group 300 external [S100_2-bgp] group 400 external # Add peer 196.0 [S100_2-bgp] network 196. [S100_2-bgp] preference 200 200 200 ■ Configure S200.0. and 196.1 in AS 100 into peer group 100.1 # Enable BGP and specify the local AS number as 200.3.0.3 in AS 400 into peer group 400.1.2. 196.2.1. <S100_2> system-view [S100_2] router id 1.1.0. IBGP routes.1.1.1.3.1.2. [S200-bgp] group 100 external [S200-bgp] group 300 external # Add peer 196.0 [S100_1-bgp] network 196.3.1.3.2. [S200-bgp] network 192.0.3 group 400 as-number 400 # Advertise networks 196.1.

# Configure the router ID of S300 as 3.3. [S400-bgp] group 100_1 external [S400-bgp] group 100_2 external # Add peer 196. Static Route.1.2.1.3.1.1.2. RIPv2 runs on S300_A/S300_B.3.1. .3.1. [S300-bgp] group 100 external [S300-bgp] group 200 external # Add peer 196. [S300-bgp] network 206.1.2.3.0 # Set the preferences of EBGP routes. and Routing Policy Configuration Example Network requirements As shown in Figure 63.1 # Enable BGP and specify the local AS number as 400.1. and local routes to 200.0 [S300-bgp] network 196. [S400] bgp 400 # Create EBGP peer groups 100_1 and 100_2. Packets from S300_B to S300_A are forwarded through the default route. Add peer 206.0 # Set the preferences of EBGP routes. IBGP routes. <S300> system-view [S300] router id 3.3.2. [S400-bgp] network 196.1. [S300] bgp 300 # Create EBGP peer groups 100 and 200. [S400-bgp] preference 200 200 200 RIP.1.2 group 100_2 as-number 100 # Advertise networks 196.1 group 100 as-number 100 [S300-bgp] peer 206.1 # Enable BGP and specify the local AS number as 300.Configuration Procedure 137 [S200-bgp] preference 200 200 200 ■ Configure S300.1.3.1 group 100_1 as-number 100 [S400-bgp] peer 196.2. IBGP routes.2.1.3.1.0 and 196. [S400-bgp] peer 196.3.0 [S400-bgp] network 196.2 in AS 100 into peer group 100_2. To control the number of routes learned by S300_B through RIP. allow S300_B to advertise routes to S300_A and forbid S300_B to receive routes advertised by S300_A.3.1 in AS 100 into peer group 100_1.3.1 in AS 100 into peer group 100.2.0. Add peer 196.3 group 200 as-number 200 # Advertise networks 206.1.3 in AS 200 into peer group 200. [S300-bgp] preference 200 200 200 ■ Configure S400. and local routes to 200.1.3.2.2.2.1. [S300-bgp] peer 196.1.2.2.1.0. # Configure the router ID of S400 as 4. <S400> system-view [S400] router id 4.0 and 196.

1.0 0.3. and routing policy configuration EBGP VLAN -int 22 AS 300 EBGP LAN-int 13 S300 VLAN -int 14 S300 _A AN -int 665 VLAN-int 662 S300 _B VLAN-int 623 VLAN -int 624 RIP Device S300_A S300_B Interface Vlan-int 662 Vlan-int 662 Vlan-int 623 Vlan-int 624 IP address 166.1.1. 162.1.1/24 162.2. To ensure that devices in each AS can learn network topologies of other ASs.1.0. <S300_B> system-view [S300_B] acl number 2000 [S300_B-acl-basic-2000] rule deny source any [S300_B-acl-basic-2000] quit # Apply ACL 2000 to incoming RIP routes.4. .1.4. 162. 166.1/24 Configuration procedure # Create ACL 2000 and deny all packets.0/24.0.0/24.0/24.2.1.138 CHAPTER 5: ROUTING OVERVIEW Network diagram Figure 63 Network diagram for RIP. 162.3.1. static route.0 166.0. configure interaction between IGP and BGP to share routes. apply a routing policy to redistribute routes with IP prefixes 162. When redistributing routes from IGP to BGP.1.1/24 166.1.1.2. RIPv2 and BGP run on S300.0/24 only.0/24.1.1. OSPF and BGP run on S400/S200.3. and 166.0/24.2. [S300_B] rip [S300_B-rip] filter-policy 2000 import # Configure a default route and specify the next-hop IP address as 166. [S300_B] ip route-static 0.1.4.2/24 162.1 preference 60 BGP and IGP Interaction Configuration Example Network requirements As shown in Figure 64.2.0.

0 166. and 166.3. 166.0 24 24 24 24 . [S200] route-policy ospf_import permit node 10 [S200-route-policy] if-match ip-prefix ospf_import [S200-route-policy] quit # Redistribute BGP routes into OSPF and apply routing policy ospf_import.3.4.0 166.0/24.1.1. 162.0/24. or 166. 162.1.1.3.0 162.0/24.int 11 EBGP EBGP VLAN -int 22 EBGP VLAN-int 23 AS 100 S100 _1 S100_ 2 AS 200 S200 VLAN. <S300> system-view [S300] bgp 300 [S300-bgp] import-route rip [S300-bgp] quit # Define a prefix list named rip_import and permit the routes with IP prefixes 162.1. [S200] [S200] [S200] [S200] ip ip ip ip ip-prefix ip-prefix ip-prefix ip-prefix ospf_import ospf_import ospf_import ospf_import index index index index 10 20 30 40 permit permit permit permit 162.0 162.1. 166.Configuration Procedure 139 Network diagram Figure 64 Network diagram for BGP and IGP interaction VLAN-int 16 S400 OSPF VLAN-int 15 EBGP IBGP VLAN -int 31 VLAN.0/24.4.0/24.1.1. # Redistribute OSPF routes into BGP.1.4.0/24.1.0/24.2. [S200] ospf [S200-ospf-1] import-route bgp route-policy ospf_import ■ Configure interaction between IGP and BGP on S300.0 166.3. <S200> system-view [S200] bgp 200 [S200-bgp] import-route ospf 1 [S200-bgp] quit # Define a prefix list named ospf_import and permit the routes with IP prefixes 162.1. # Redistribute RIP routes into BGP.4.1.1.4.2.4.int 12 EBGP VLAN-int 13 AS 300 S300 VLAN -int 14 Configuration procedure ■ Configure interaction between IGP and BGP on S200.3.0 166.0 24 24 24 24 # Create a routing policy named ospf_import with the match mode as permit.3.1.1. Define an if-match clause to permit routes whose destination addresses match IP prefix list ospf_import.1.1.0/24.1. [S300] [S300] [S300] [S300] ip ip ip ip ip-prefix ip-prefix ip-prefix ip-prefix rip_import rip_import rip_import rip_import index index index index 10 20 30 40 permit permit permit permit 162.

<S400> system-view [S400] bgp 400 [S400-bgp] import-route ospf 1 [S400-bgp] quit # Define a prefix list named ospf_import and permit the routes with IP prefixes 162.3.1. # Redistribute OSPF routes into BGP.1.0/24.4. To achieve the route backup of S200_10. 162.0 162. the device switches to the backup route automatically.2.1. Define an if-match clause to permit the routes whose destination addresses match IP prefix list ospf_import.1. This route is the backup route.1.0 24 24 24 24 # Create a routing policy named ospf_import with the match mode as permit.0/24. [S400] route-policy ospf_import permit node 10 [S400-route-policy] if-match ip-prefix ospf_import [S400-route-policy] quit # Redistribute BGP routes into OSPF and apply the routing policy named ospf_import. [S300] route-policy rip_import permit node 10 [S300-route-policy] if-match ip-prefix rip_import [S300-route-policy] quit # Redistribute BGP routes into RIP and apply routing policy rip_import.140 CHAPTER 5: ROUTING OVERVIEW # Create a routing policy named rip_import with the matching mode as permit. Configure a default route between S200_10 and S300_A. configure a static route to S200_10 on S300_A and redistribute this route into RIPv2.1.0 162. . 162.0/24. Run OSPF between S200_10 and S200_0. and 162. [S300] rip [S300-rip] import-route bgp route-policy rip_import ■ Configure interaction between IGP and BGP on S400.3. The OSPF route is the primary route. implement route backup on S200_10.4. [S400] ospf [S400-ospf-1] import-route bgp route-policy ospf_import Route Backup Configuration Example Network requirements As shown in Figure 65. When the primary route cannot work.0 162.1. When the primary route becomes feasible.1.0/24.2. the device switches to the primary route automatically.1.1. [S400] [S400] [S400] [S400] ip ip ip ip ip-prefix ip-prefix ip-prefix ip-prefix ospf_import ospf_import ospf_import ospf_import index index index index 10 20 30 40 permit permit permit permit 162. 
Define an if-match clause to permit routes whose destination addresses match IP prefix list rip_import.

0/24 and 162.5.255. Modify the MED value to achieve this goal.0.2.1. Specify the next-hop IP address as 166.Configuration Procedure 141 Network diagram Figure 65 Network diagram for route backup AS 200 S200 VLAN. .1 preference 200 # Redistribute the static route into RIP.255.1.1/24 AS 300 200 Configuration procedure # Configure a default route on S200_10 and specify the next-hop IP address as 166.5.1. S100_1 forwards packets from S400 to S200_10.0/24. <S300_A> system-view [S300_A] ip route-static 162.1.1.2.0 166.0 255.0 255.5.1.255.1/24 162.1.0 166.255.0.0 0.0.0.5.1 and the default preference to 200.5.1.2.1. <S200_10> system-view [S200_10] ip route-static 0.2.1.2 preference 200 # Configure a static route on S300_A and specify the destination IP addresses as 162.5.1.int 12 S 200_0 VLAN -int 665 VLAN -int 661 VLAN-int 662 EBGP VLAN-int 13 AS 300 S300 VLAN -int 14 S300 _A S200_ 10 VLAN-int 621 VLAN -int 622 VLAN-int 623 S300 _B VLAN -int 624 OSPF RIP Device S300_A S200_10 Interface Vlan-int 665 Vlan-int 665 Vlan-int 621 Vlan-int 622 IP address 166.5.1.1.1.1 preference 200 [S300_A] ip route-static 162.1.1.2/24 166.1/24 162. [S300_A] rip [S300_A-rip] import-route static BGP MED Attribute Configuration Example Network requirements As shown in Figure 66.0 166. Set the default preference to 200. S100_2 forwards packets from S400 to S300_B.

1.1.1.3.4.0 24 # Define a prefix list named as300_1 and permit the route with IP prefix 162.1.int 12 S 200_0 VLAN -int 665 VLAN -int 661 EBGP VLAN-int 13 AS 300 S300 VLAN -int 14 S300 _A VLAN-int 662 S200_ 10 VLAN-int 621 VLAN -int 622 VLAN-int 623 S300 _B VLAN -int 624 OSPF RIP Device S200_10 S300_B S400_0 Interface Vlan-int 621 Vlan-int 622 Vlan-int 623 Vlan-int 624 Vlan-int 663 Vlan-int 664 IP address 162.2.2.1. # Define a prefix list named as200_1 and permit the route with IP prefix 162.1.142 CHAPTER 5: ROUTING OVERVIEW Network diagram Figure 66 Network diagram for MED attribute configuration AS 400 VLAN-int 663 VLAN.1.0/24.0/24. [S100_1] ip ip-prefix as200_2 index 10 permit 162.0 24 # Define a prefix list named as200_2 and permit the route with IP prefix 162.1/24 166.int 664 S400 _0 VLAN-int 16 S400 OSPF VLAN-int 15 EBGP IBGP VLAN -int 31 VLAN.1/24 162.3.3.4.1.int 11 EBGP EBGP VLAN -int 22 EBGP VLAN-int 23 AS 100 S100 _1 S100_ 2 AS 200 S200 VLAN.1.1.1.2.1/24 162.1.0 24 .1/24 AS 200 300 400 Configuration procedure ■ Configure S100_1.1.0/24.1. <S100_1> system-view [S100_1] ip ip-prefix as200_1 index 10 permit 162.1/24 166.3.1.1/24 162. [S100_1] ip ip-prefix as300_1 index 10 permit 162.

1.1. [S100_1] route-policy [S100_1-route-policy] [S100_1-route-policy] [S100_1-route-policy] as200 permit node 30 if-match ip-prefix as300_1 apply cost 200 quit # Create node 40 with the permit matching mode in routing policy as200. [S100_1] ip ip-prefix other index 10 permit 0.2.0/24.1. <S100_2> system-view [S100_2] ip ip-prefix as200_1 index 10 permit 162. [S100_1] bgp 100 [S100_1-bgp] peer 400 route-policy as200 export ■ Configure S100_2.1.0. [S100_2] ip ip-prefix as200_2 index 10 permit 162.4. # Define a prefix list named as200_1 and permit the route with IP prefix 162.1.1.2.0 24 . Set the MED value of the route matching prefix list as300_2 to 200.3).1.0/24.4.0 24 # Define a prefix list named other and permit all the routes. [S100_1] route-policy [S100_1-route-policy] [S100_1-route-policy] [S100_1-route-policy] as200 permit node 10 if-match ip-prefix as200_1 apply cost 100 quit # Create node 20 with the matching mode as permit in routing policy as200.0/24. Permit all the routes. [S100_1] route-policy as200 permit node 50 [S100_1-route-policy] if-match ip-prefix other [S100_1-route-policy] quit # Apply the routing policy as200 to the routes outgoing to peer group 400 (the peer 196.0.Configuration Procedure 143 # Define a prefix list named as300_2 and permit the route with IP prefix 162.0 24 # Define a prefix list named as200_2 and permit the route with IP prefix 162.0 0 less-equal 32 # Create a routing policy named as200.1. and specify node 10 with the permit matching mode in the routing policy. Set the MED value of the route matching prefix list as300_1 to 200. [S100_1] route-policy [S100_1-route-policy] [S100_1-route-policy] [S100_1-route-policy] as200 permit node 40 if-match ip-prefix as300_2 apply cost 200 quit # Create node 50 with the permit matching mode in routing policy as200. Set the MED value of the route matching prefix list as200_1 to 100.1. 
Set the MED value of the route matching prefix list as200_2 to 100.
[S100_1] route-policy as200 permit node 20
[S100_1-route-policy] if-match ip-prefix as200_2
[S100_1-route-policy] apply cost 100
[S100_1-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as200.
[S100_1] ip ip-prefix as300_2 index 10 permit 162.3.

Configure the node number as 10 and the matching mode as permit.144 CHAPTER 5: ROUTING OVERVIEW # Define a prefix list named as300_1 and permit the route with IP prefix 162.4. Set the MED value of the route matching prefix list as300_2 to 100. [S100_2] route-policy as300 permit node 50 [S100_2-route-policy] if-match ip-prefix other [S100_2-route-policy] quit # Apply routing policy as300 to the routes outgoing to peer group 400 (peer 196.0 24 # Define a prefix list named other and permit all the routes. [S100_2] route-policy [S100_2-route-policy] [S100_2-route-policy] [S100_2-route-policy] as300 permit node 10 if-match ip-prefix as200_1 apply cost 200 quit # Create node 20 with the permit matching mode in routing policy as300.1. [S100_2] ip ip-prefix as300_1 index 10 permit 162.3.1. Set the MED value of the route matching prefix list as200_2 to 200.0/24.3). [S100_2] ip ip-prefix as300_2 index 10 permit 162. [S100_2] route-policy [S100_2-route-policy] [S100_2-route-policy] [S100_2-route-policy] as300 permit node 40 if-match ip-prefix as300_2 apply cost 100 quit # Create node 50 with the permit matching mode in routing policy as300 and permit all routes.2.0. Set the MED value of the route matching prefix list as200_1 to 200.0/24.0 0 less-equal 32 # Create a routing policy named as300. [S100_2] bgp 100 [S100_2-bgp] peer 400 route-policy as300 export .4.0 24 # Define a prefix list named as300_2 and permit the route with IP prefix 162. Set the MED value of the route matching prefix list as300_1 to 100. [S100_2] route-policy [S100_2-route-policy] [S100_2-route-policy] [S100_2-route-policy] as300 permit node 30 if-match ip-prefix as300_1 apply cost 100 quit # Create node 40 with the permit matching mode in routing policy as300.0.1.3.3.1. [S100_2] ip ip-prefix other index 10 permit 0. 
[S100_2] route-policy as300 permit node 20
[S100_2-route-policy] if-match ip-prefix as200_2
[S100_2-route-policy] apply cost 200
[S100_2-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as300.

1.1.0 # .1.3.0 network 196.255.1.1.3.1.1.1.1.3 group 400 as-number 400 preference 200 200 200 # route-policy as200 permit node 10 if-match ip-prefix as200_1 apply cost 100 route-policy as200 permit node 20 if-match ip-prefix as200_2 apply cost 100 route-policy as200 permit node 30 .1 255..3.255.1..1 255.0 # interface Vlan-interface15 ip address 196.0 network 196...3 group 200 as-number 200 group 400 external peer 400 route-policy as200 export peer 196.0 undo synchronization group 100 internal peer 196.1.Displaying the Whole Configuration on Devices 145 Displaying the Whole Configuration on Devices Displaying the Whole Configuration on Devices S100_1 <S100_1> display current-configuration # sysname S100_1 # router id 1.255. # undo fabric-port Cascade1/2/1 enable undo fabric-port Cascade1/2/2 enable # interface NULL0 # bgp 100 network 196. # vlan 11 # vlan 15 # vlan 31 # interface Vlan-interface11 ip address 196.2 group 100 group 200 external peer 196.1.3.3.0 # interface Vlan-interface31 ip address 196.255..255.1 # .1 255.1.255.1.3.

2..0 24 ip ip-prefix as300_2 index 10 permit 162.255.146 CHAPTER 5: ROUTING OVERVIEW if-match ip-prefix as300_1 apply cost 200 route-policy as200 permit node 40 if-match ip-prefix as300_2 apply cost 200 route-policy as200 permit node 50 if-match ip-prefix other # ip ip-prefix as200_1 index 10 permit 162.2.0.1.0 undo synchronization group 100 internal .2.255.2 255.3.1.2.3.2 255.0 # .1..0 network 196..4.1.0 # interface Vlan-interface31 ip address 196..2.2.1 255.1..0 0 less-equal 32 # .2..0 24 ip ip-prefix as200_2 index 10 permit 162.0 24 ip ip-prefix as300_1 index 10 permit 162.1 # .0 24 ip ip-prefix other index 10 permit 0.0.255. S100_2 <S100_2> display current-configuration # sysname S100_2 # router id 1. # vlan 22 # vlan 23 # vlan 31 # interface Vlan-interface22 ip address 196.1.1.1..255..255. # interface Cascade1/2/1 # interface Cascade1/2/2 # undo fabric-port Cascade1/2/1 enable undo fabric-port Cascade1/2/2 enable # interface NULL0 # bgp 100 network 196.3.3.2.3..0 network 196.0 # interface Vlan-interface23 ip address 196.255.

.255. S200 <S200> display current-configuration # sysname S200 # .1.4.0.2. # router id 2.2...1.1.2 group 300 as-number 300 group 400 external peer 400 route-policy as300 export peer 196.1.3 255.0 # .2.2.255.1..3.3 group 400 as-number 400 preference 200 200 200 # route-policy as300 permit node 10 if-match ip-prefix as200_1 apply cost 200 route-policy as300 permit node 20 if-match ip-prefix as200_2 apply cost 200 route-policy as300 permit node 30 if-match ip-prefix as300_1 apply cost 100 route-policy as300 permit node 40 if-match ip-prefix as300_2 apply cost 100 route-policy as300 permit node 50 if-match ip-prefix other # ip ip-prefix as200_1 index 10 permit 162...3.3 255.0 24 ip ip-prefix as300_2 index 10 permit 162..0 24 ip ip-prefix as300_1 index 10 permit 162.. # vlan 11 # vlan 12 # vlan 13 # interface Vlan-interface11 ip address 196..1.3.0 0 less-equal 32 # ..1...1.0 # interface Vlan-interface12 ip address 206.255.Displaying the Whole Configuration on Devices 147 peer 196.0 24 ip ip-prefix as200_2 index 10 permit 162...1.0...1..255.3.1 group 100 group 300 external peer 196.255.2.1.0 24 ip ip-prefix other index 10 permit 0.255.1 # ...0 # interface Vlan-interface13 ip address 206.3 255.1.

3..0 # interface Vlan-interface661 ip address 166.255.1...1...0.0 0.1...255....0..0 ip ip-prefix ospf_import index 20 permit 162..1 255...1.4.1.1.1. # ospf 1 area 0.2...1.1.0 0.3. # bgp 200 network 192.0.0..1.255 # route-policy ospf_import permit node 10 if-match ip-prefix ospf_import # ip ip-prefix ospf_import index 10 permit 162.0 # .148 CHAPTER 5: ROUTING OVERVIEW ..1..0 network 206.1.0 network 206..0.1. 24 24 24 24 S200_0 <S200_0> display current-configuration # sysname S200_0 # ..1.2 group 300 as-number 300 preference 200 200 200 # ospf 1 import-route bgp route-policy ospf_import area 0.1 255.0 ip ip-prefix ospf_import index 40 permit 166.1.1 group 100 as-number 100 group 300 external peer 206..0 ip ip-prefix ospf_import index 30 permit 166.10 network 166.0 network 206.0... ...255 # .2.0..4.0 0.3.255 # area 0...1.0.255.3.0.255.0.2.0. # vlan 12 # vlan 661 # interface Vlan-interface12 ip address 206.0.1.0 # ....0 import-route ospf 1 undo synchronization group 100 external peer 196.

255.2.Displaying the Whole Configuration on Devices 149 S200_10 <S200_10> display current-configuration # sysname S200_10 # ...0 0.255 network 166.2 255.10 network 162.0...1.1.255..4.0.1.0 # interface Vlan-interface665 ip address 166....1.0 .255 # ip route-static 0. # vlan 621 to 622 # vlan 661 # vlan 665 # interface Vlan-interface621 ip address 162.1 255. # vlan 13 # vlan 14 # vlan 22 # interface Vlan-interface13 ip address 206.2 preference 200 # .255..0.0 166.5.0.255..255..2.1 255.0..0....1.0 0.1 255.255.1.0 # interface Vlan-interface622 ip address 162.1...255.255.255.1.0 # interface Vlan-interface14 ip address 206.255.1.1.1 # . S300 <S300> display current-configuration # sysname S300 # router id 3.5.0 0.1.1.2 255.1.. # ospf 1 area 0.0.255..255 network 162.0.1.0 # interface Vlan-interface661 ip address 166.1.255.0 # ..0.3..2 255..0..0.0.0 0..1...

.255.5.255.2.1.3 group 200 as-number 200 preference 200 200 200 # rip undo summary network 206..1.1......1.0 ip ip-prefix rip_import index 40 permit 166.0 # .0 rip version 2 multicast # interface Vlan-interface662 ip address 166.0 ip ip-prefix rip_import index 20 permit 162.0 ip ip-prefix rip_import index 30 permit 166.2.1 group 100 as-number 100 group 200 external peer 206.4... 24 24 24 24 S300_A <S300_A> display current-configuration # sysname S300_A # .0 import-route bgp route-policy rip_import # route-policy rip_import permit node 10 if-match ip-prefix rip_import # ip ip-prefix rip_import index 10 permit 162..1..255.2 255.1.4.255.255.1 255.0 # .2.255.1.2.1.0 import-route rip undo synchronization group 100 external peer 196.3...3.150 CHAPTER 5: ROUTING OVERVIEW rip version 2 multicast # interface Vlan-interface22 ip address 196..2. # bgp 300 network 206.1...255.4..2 255. # vlan 14 # vlan 662 # vlan 665 # interface Vlan-interface14 ip address 206.0 # .3.1..1 255.2.2.0 rip version 2 multicast # interface Vlan-interface665 ip address 166.2.0 network 196.255.1.

1..0.1..255..4.1...1...2..255.1..1.1 preference 200 # .0 166....0 import-route static # ip route-static 162.3..0.0 filter-policy 2000 import # ip route-static 0.1 preference 60 # ...255.1..1.255..0 255.. .255. S300_B <S300_B> display current-configuration # sysname S300_B # .0 0.5..1...0..255..2.1..1 255...0 rip version 2 multicast # interface Vlan-interface624 ip address 162..255.0.0.255.0 255...0 rip version 2 multicast # interface Vlan-interface662 ip address 166.1.5.0. # acl number 2000 rule 5 deny # .255.0 network 162.0 166.0 166...1.4. # vlan 623 # vlan 624 # vlan 662 # interface Vlan-interface623 ip address 162. # rip undo summary network 206.1 preference 200 ip route-static 162.0 rip version 2 multicast # .1 255.2.255.Displaying the Whole Configuration on Devices 151 .. # rip undo summary network 166.0.1..2 255.0 network 166.

1.1.255.255 # route-policy ospf_import permit node 10 if-match ip-prefix ospf_import # ip as-path-acl 1 permit ^100 200$ ip as-path-acl 2 permit ^100 300$ # ip ip-prefix ospf_import index 10 permit 162..0.3.255.0 import-route ospf 1 undo synchronization group 100_1 external peer 196.1..3 255..3 255.2.2.0.0.1.1 group 100_1 as-number 100 group 100_2 external peer 196.3.0 0.1..3.3.255.152 CHAPTER 5: ROUTING OVERVIEW S400 <S400> display current-configuration # sysname S400 # router id 4.3.0 24 ..255.0 network 206..2.1..0 # .2 group 100_2 as-number 100 preference 200 200 200 # ospf 1 import-route bgp route-policy ospf_import area 0.3.0 24 ip ip-prefix ospf_import index 20 permit 162.3 255.1 # .255. # vlan 15 to 16 # vlan 23 # interface Vlan-interface15 ip address 196.1...0.1.0 network 196.255.6.2.1. # interface Cascade1/2/1 # interface Cascade1/2/2 # undo fabric-port Cascade1/2/1 enable undo fabric-port Cascade1/2/2 enable # interface NULL0 # bgp 400 network 196.0 # interface Vlan-interface16 ip address 206..1.6.0 # interface Vlan-interface23 ip address 196.

.3..0/24 DIRECT 0 0 162.1.4.3.0.1.255 # area 0.1 166.1 InLoopBack0 162.4..1..1(166.2.3.0 0.1...0.1.0.1.1.255 network 166..1 Vlan-interface623 162.3.1/32 DIRECT 0 0 127..3.4.0.1.0.1.0.2/32 DIRECT 0 0 127..0/24 DIRECT 0 0 166..1 255.Verifying the Configuration 153 ip ip-prefix ospf_import index 30 permit 162.4.0.0 0..4.0..0.1/32 DIRECT 0 0 127.255.0.1 Vlan-interface662 127..44 network 166.1..255.0 # .6.... # ospf 1 area 0. # interface Vlan-interface16 ip address 206.2.0/8 DIRECT 0 0 127.0.....1 Vlan-interface624 162..4..1 InLoopBack0 166.0/24 DIRECT 0 0 162.4.0..1 InLoopBack0 <S300_B> tracert -a 162.1 255.1 InLoopBack0 162.0/0 STATIC 60 0 166..0 # interface Vlan-interface663 ip address 166.0 24 # .1..0.1 255.0.1.255.2..1/32 DIRECT 0 0 127.6.1.255 # .0 # interface Vlan-interface664 ip address 166..1) 30 hops max.4.1.0.255..3.0.1 18 ms 3 ms 3 ms .1.4.0 24 ip ip-prefix ospf_import index 40 permit 162..0.40 bytes packet 1 166.1...0 network 206.1.0.0.1.2.0.1. # vlan 16 # vlan 663 to 664 # ..0..0.1.2 Vlan-interface662 166.2.1.1.0.1.3.0.. S400_0 <S400_0> display current-configuration # sysname S400_0 # .0 0.255.255.1.0.1 traceroute to 166.1 InLoopBack0 127. Verifying the Configuration Verifying the Configuration of Routing Policy and Static Routes <S300_B> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost Nexthop Interface 0..

0.2.1.0.1.2.5.1 Vlan-interface16 127.1.2.1.1.0/24 RIP 100 1 162.0.6.5.2 Interface Vlan-interface665 .1 Vlan-interface621 127.1.1.6.1 InLoopBack0 162.0.0/24 OSPF 10 20 Nexthop Interface 127.0.1.1/32 DIRECT 0 0 162.0/0 STATIC 200 0 Nexthop 166.4.1.3.1.0/24 DIRECT 0 0 206.3.1.1.1 Vlan-interface663 127.0/24 DIRECT 0 0 162.1/32 DIRECT 0 0 166.1.0/24 DIRECT 0 0 166.1.4.0/24 O_ASE 150 1 166.1.0.0/24 O_ASE 150 1 166.1.1.2.0.0.0.2.0.1.1.154 CHAPTER 5: ROUTING OVERVIEW 2 3 4 5 206.0.2 166.1 196.1 InLoopBack0 166.5.4.0.1.1 InLoopBack0 127.0.4.1/32 DIRECT 0 0 <S300_A> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost 127.5.1.4.0.2.1 Vlan-interface665 127.0.1.2.6.6.1 InLoopBack0 166.3.4.0/24 DIRECT 0 0 206.1.1.6.1.3.0/24 RIP 100 1 162.1 Interface InLoopBack0 InLoopBack0 Vlan-interface14 Vlan-interface14 Vlan-interface662 Vlan-interface662 Vlan-interface662 InLoopBack0 Vlan-interface14 Vlan-interface14 Vlan-interface665 InLoopBack0 Vlan-interface14 InLoopBack0 Nexthop Interface 166.0.1/32 DIRECT 0 0 162.1.5.0.4.0/24 O_ASE 150 1 162.1.1 206.1/32 DIRECT 0 0 206.0.0/24 DIRECT 0 0 166.0.3 Vlan-interface16 166.0.1 InLoopBack0 127.0.0/8 DIRECT 0 0 127.5.1.1.1.0/24 RIP 100 1 166.1 Vlan-interface661 Verifying the Route Backup Configuration Verify the primary route is installed into the routing table <S200_10> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost 0.2.1.3.1/32 DIRECT 0 0 162.2.1/32 DIRECT 0 0 <S200_10> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost 0.168.3.0.0.1.0.3.1.0.0.1.1 InLoopBack0 162.1 Vlan-interface661 166.0/8 DIRECT 0 0 127.0.0.4.0.1.0.1 206.3.1 Vlan-interface664 127.4.4.4.1.0/24 DIRECT 0 0 166.1 InLoopBack0 Nexthop 127.1.2.6.0.2 166.1.0.1.3 Vlan-interface16 206.1.2/32 DIRECT 0 0 206.1.1.2 196.0.0/24 DIRECT 0 0 166.1/32 DIRECT 0 0 192.1.1 Vlan-interface661 166.0.1 InLoopBack0 166.2 166.0.0.0/8 DIRECT 0 0 127.1.3.1 Vlan-interface661 166.1 206.1 
Vlan-interface622 127.4.1 InLoopBack0 166.1.1.1.0.1.0.1.2.5.4.6.1.0.0.0/24 O_ASE 150 1 166.0/24 O_ASE 150 1 162.1.1.1.1 127.2 127.1 127.2.0.1.168.0/24 O_ASE 150 1 162.0/24 O_ASE 150 1 166.2 206.1.1.0/24 RIP 100 1 162.1 InLoopBack0 206.4.1.1.1 127.0.0/24 RIP 100 1 166.2 Vlan-interface665 127.1.0/0 STATIC 200 0 127.4.3 Vlan-interface16 206.0/24 DIRECT 0 0 192.4.0.2.0.1.0.1.1/32 DIRECT 0 0 162.1.2 206.1.2 166.168.5.0.0.1 9 ms 4 ms 4 ms 9 ms 9 ms 18 ms 6 ms 3 ms 4 ms 14 ms 4 ms 3 ms Verifying the BGP and IGP Interaction Configuration <S400_0> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost 127.1.1.1.0/24 DIRECT 0 0 166.1.1 InLoopBack0 206.6.0/24 DIRECT 0 0 166.3 206.1/32 DIRECT 0 0 162.3 Vlan-interface16 206.0.2 Vlan-interface661 127.1.1.0/24 O_ASE 150 1 162.1.1.1.1 InLoopBack0 192.0.1/32 DIRECT 0 0 166.0.0/24 RIP 100 1 166.2.0.1 Vlan-interface661 166.1.1.30 Vlan-interface1 127.0.1.2/32 DIRECT 0 0 166.30/32 DIRECT 0 0 206.1.0.1.0/24 DIRECT 0 0 162.

2.1 13 ms 4 ms 3 ms 5 166.0/24 DIRECT 0 0 162.1.0/0 STATIC 200 0 166.2 13 ms 3 ms 4 ms .1 162.0/24 DIRECT 0 0 166.0/24 DIRECT 0 0 162.0.1 14 ms 5 ms 3 ms Verify the backup route is installed into the routing table after the primary one fails <S200_10> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost Nexthop Interface 0.0.2 13 ms 3 ms 4 ms 3 196.40 bytes packet 1 166.1.1.0.0.1 InLoopBack0 162.1 10 ms 3 ms 3 ms 2 206.1.0.0/24 DIRECT 0 0 166.1.2.1 Vlan-interface622 162.1.1/32 DIRECT 0 0 127.3 8 ms 3 ms 3 ms 4 206.4.0.1 Vlan-interface661 166.1.1.40 bytes packet 1 166.1 Vlan-interface661 162.1 traceroute to 162.1.1.0.5.3.1.6.1.2.5.1.1.0/24 O_ASE 150 1 166.1.1.0.1.1.1.1.Verifying the Configuration 155 127.1.3.1.0.0.2 Vlan-interface665 127.2.1) 30 hops max.3.1.3.5.1.1 InLoopBack0 166.1.1 12 ms 3 ms 4 ms Verifying the MED Attribute Configuration Trace the packet forwarding path when the default MED is used <S400_0> tracert -a 166.3.1(166.2.3.2 14 ms 3 ms 3 ms 5 206.3 13 ms 3 ms 5 ms 3 196.1.1.0.0.3 11 ms 3 ms 3 ms 2 196.1(162.0.0.1.5.3.1.1.1/32 DIRECT 0 0 127.1.1.1 traceroute to 162.2.1.2.0.3.1.1.1.1.1.1 InLoopBack0 162.0.1.1 InLoopBack0 166.1.4.1.1.2.0/24 O_ASE 150 1 166.1.1 166.0.2.0.1.1 10 ms 3 ms 8 ms 3 196.1.1.2.1.1) 30 hops max.2 11 ms 3 ms 4 ms 2 206.0/24 O_ASE 150 1 166.3 11 ms 3 ms 7 ms 2 196.2 13 ms 4 ms 3 ms <S400_0> tracert -a 166.0.1 Vlan-interface661 166.2.1.1.1.1.2.1.2 Vlan-interface661 166.1.0/8 DIRECT 0 0 127.40 bytes packet 1 206.0/24 OSPF 10 20 166.0.5.0.1/32 DIRECT 0 0 127.1/32 DIRECT 0 0 127.0.1.1 Vlan-interface665 166.2 10 ms 8 ms 17 ms 4 196.1.5.1 14 ms 4 ms 5 ms 3 196.1 13 ms 3 ms 6 ms 4 196.0.1.1.1) 30 hops max.1.1.3.1.1.2/32 DIRECT 0 0 127.0.3 12 ms 3 ms 3 ms 5 206.3.0/24 DIRECT 0 0 162.5.3.1.1 InLoopBack0 206.1.4.6.1.4.1 Vlan-interface665 166.0/24 DIRECT 0 0 166.1/32 DIRECT 0 0 127.1.1.1.1.1.6.1 Vlan-interface621 162.1.3.3 11 ms 3 ms 4 ms 5 206.0.1.2.1.0.1(162.2.1 InLoopBack0 162.1 166.0/8 DIRECT 0 0 127.1 
traceroute to 166.0.1.1.1 Vlan-interface661 166.3.1.0/24 DIRECT 0 0 162.1 InLoopBack0 127.1 InLoopBack0 162.3.0.1.0.6.3.1 Vlan-interface661 <S200_10> tracert -a 162.1/32 DIRECT 0 0 127.1 InLoopBack0 <S200_10> tracert -a 162.3.1.1.1 InLoopBack0 127.1 13 ms 3 ms 3 ms 6 166.1(166.3.1.1) 30 hops max.1 traceroute to 166.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface622 162.0.1 Vlan-interface621 162.1.1.1.0.1 InLoopBack0 162.1.1/32 DIRECT 0 0 127.2.1/32 DIRECT 0 0 127.40 bytes packet 1 206.5.0.1.1.3.1.1 162.1 9 ms 3 ms 4 ms 4 196.1.

internal D .1.1.1 100 100 INC 100 200 # 162. <S400> display bgp routing as-path-acl 1 Flags: # .2.4.history S .1.5.1.1.1 162.1 0 100 IGP 100 200 # Create AS path ACL 2 and permit the routes whose AS_PATH starts with 100 and ends with 300.1 traceroute to 162.3.1.1. pay attention to the following points: ■ Disable the Fabric function before enabling BGP on Fabric-capable devices.0/24 196.1 0 100 INC 100 300 # 166.2.1.1 13 ms 4 ms 3 ms 3 196.history S .1.1.damped H .5.2.1.1.1.6.2 14 ms 3 ms 5 ms Precautions In the configuration and verification process.1.0/24 196.aggregate suppressed Dest/Mask Next-Hop Med Local-pref Origin Path ---------------------------------------------------------------------#^ 162.3.1(162.3.1) 30 hops max.valid ^ .3.3.3.0/24 196.3 10 ms 4 ms 3 ms 2 196.3.3.1.2.2.0/24 196.1.1.2.2 12 ms 5 ms 3 ms 4 206.1.0/24 196.1.2.0/24 196.2 100 100 INC 100 300 # 162.3.3.4.valid ^ .3.1.2.1.2.2.0/24 196.1 162.40 bytes packet 1 206.1 12 ms 4 ms 3 ms 5 166.2.1 200 100 INC 100 300 #^ 166.1 0 100 INC 100 200 # 166.0/24 196.1.1.0/24 196.1.2 100 100 INC 100 300 # 162.1.4.active I .1 traceroute to 162.1.3.3.1.1.3.2.3.1.1.6.1.0/24 196.1.aggregate suppressed Dest/Mask Next-Hop Med Local-pref Origin Path ---------------------------------------------------------------------#^ 162.2.3.1.1 200 100 INC 100 300 #^ 162.0 196.1) 30 hops max.40 bytes packet 1 206.1.2 0 100 IGP 100 300 <S400_0> tracert -a 166.damped H .1 100 100 INC 100 200 # 162.3.3.3.1.3.1.1.internal D .0/24 196.2.2 200 100 INC 100 200 #^ 166.2 200 100 INC 100 200 #^ 162.1.3.3 9 ms 4 ms 3 ms 2 196.active I .2 0 100 INC 100 200 #^ 206.1 0 100 INC 100 300 # 166.3.1.3.2 0 100 INC 100 300 #^ 166.0/24 196.3.156 CHAPTER 5: ROUTING OVERVIEW Trace the packet forwarding path after the MED is modified # Create AS path ACL 1 and permit the routes whose AS_PATH starts with 100 and ends with 200.3 14 ms 4 ms 3 ms 4 206.1.1 12 ms 3 ms 3 ms 5 166.2 13 ms 3 ms 5 ms 3 196.3.0/24 196.3.1.0 196.1.2 0 100 INC 100 300 # 206. 
.1.2 13 ms 4 ms 3 ms <S400_0> tracert -a 166.1.1(162.2.0/24 196.2.1.3.1.2.1.1. [S400] ip as-path-acl 2 permit ^100 300$ # Display the routes that match AS path ACL 2. <S400> display bgp routing as-path-acl 2 Flags: # .1. [S400] ip as-path-acl 1 permit ^100 200$ # Display the routes that match AS path ACL 1.

■ To achieve the configuration goal, you are recommended to set the BGP preference to 200. For devices with static routes configured, set a preference for the static routes as required.
■ On S300_A, the backup route (static route) cannot be switched to the primary RIP route automatically, so you need to delete the backup route manually and then add it again.
■ Since the routing policy is applied when BGP routes are redistributed into IGP, some route entries may not be redistributed, so you are recommended to use the tracert -a/ping -a command to verify the configuration in the source address mode.


6 MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Keywords: IGMP, PIM-DM, PIM-SM, MSDP, IGMP Snooping

Abstract: This document introduces how to configure multicast functions on Ethernet switches in practical networking, based on three typical networking scenarios:

1 Deployment of PIM-DM plus IGMP, with and without IGMP Snooping respectively. Simulated joining is mainly described for this scenario.
2 Deployment of PIM-SM plus IGMP, with and without IGMP Snooping respectively. Multicast group filtering in IGMP and IGMP Snooping is mainly described for this scenario.
3 IGMP Snooping only. The function of dropping unknown multicast data is mainly described for this scenario.

Acronyms: Internet Group Management Protocol (IGMP), Internet Group Management Protocol Snooping (IGMP Snooping), Protocol Independent Multicast Dense Mode (PIM-DM), Protocol Independent Multicast Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP)

Multicast Protocol Overview

Different from unicast and broadcast, the multicast technique efficiently addresses the issue of point-to-multipoint data transmission. By allowing high-efficiency point-to-multipoint data transmission, multicast greatly saves network bandwidth and reduces network load.

With the multicast technique, service providers can easily provide new value-added services, such as live Webcasting, Web TV, distance learning, Telemedicine, Web radio, real-time videoconferencing, and other bandwidth- and time-critical information services.

IGMP

As a TCP/IP protocol responsible for IP multicast group membership management, the Internet Group Management Protocol (IGMP) is used by IP hosts to establish and maintain their multicast group memberships to the immediately neighboring multicast router.

PIM

Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging unicast routing tables generated by static routing or any unicast routing protocol, such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), or the Border Gateway Protocol (BGP). PIM uses the unicast routing table to perform reverse path forwarding (RPF) check in multicast forwarding.

Based on the forwarding mechanism, PIM falls into two modes:

■ PIM-DM
■ PIM-SM

PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, suitable for small-sized networks with densely distributed multicast group members.

PIM-SM is a type of sparse mode multicast protocol. It uses the “pull mode” for multicast forwarding, suitable for large- and medium-sized networks with sparsely and widely distributed multicast group members.

MSDP

The Multicast Source Discovery Protocol (MSDP) is an inter-domain multicast solution for the interconnection of PIM-SM domains. It is used to discover the multicast source information in other PIM-SM domains.

Within a PIM-SM domain, the multicast source registers only with the local rendezvous point (RP). Therefore, the RP knows all the sources within its own domain only. If there is a mechanism that allows RPs of different PIM-SM domains to share their multicast source information, the information of active sources in other domains can be delivered to the local receivers, so that multicast data can be transmitted among different domains. MSDP achieves this objective. By setting up MSDP peering relationships among RPs of different domains, MSDP propagates source active (SA) messages, which carry multicast source information, between these MSDP peers, thus to allow multicast traffic to flow between different PIM-SM domains.

IGMP Proxy

When a multicast routing protocol (such as PIM-DM) is deployed on a large network, many stub networks may exist. It is tedious work to configure and manage these stub networks.

To minimize the workload of such configuration and management without affecting the multicast connections of the multicast networks, you can configure IGMP Proxy on a Layer 3 switch in the edge networks, so that the Layer 3 switch forwards the IGMP join and IGMP leave messages sent by the hosts attached to it. After the IGMP Proxy configuration, the Layer 3 switch is no longer a PIM neighbor to the external network; instead, it is a host. The Layer 3 switch receives multicast data for a multicast group only when a member of that group is directly attached to it.

IGMP Snooping

Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast monitoring mechanism that runs on Layer 2 devices to manage and control multicast groups.

By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and MAC multicast groups and forwards multicast data based on these mappings.
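The port-to-MAC-group mapping that IGMP Snooping maintains can be modelled as follows; this is an added example, not code from 3Com or from the original guide. It shows how reports, leaves, aging, a per-port group filter and unknown-multicast dropping decide which ports receive a multicast frame. Assumptions: the class and function names are hypothetical, the IP-to-MAC rule (01-00-5e plus the low 23 bits of the group address) is the standard IPv4 mapping rather than something stated on this page, and leave handling and unknown-multicast dropping are simplified.

```python
import ipaddress
from dataclasses import dataclass, field

# Defaults quoted from this guide's IGMP Snooping tables.
HOST_AGING_TIME = 260    # igmp-snooping host-aging-time, seconds
MAX_RESPONSE_TIME = 10   # igmp-snooping max-response-time, seconds
GROUP_LIMIT = 255        # igmp-snooping group-limit, groups per port


def group_mac(group):
    """Map an IPv4 group to its MAC multicast group (01-00-5e + low 23 bits)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01-00-5e-{:02x}-{:02x}-{:02x}".format(
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


@dataclass
class SnoopingVlan:
    """Hypothetical model of one VLAN's IGMP Snooping state."""
    ports: set                                          # every port in the VLAN
    router_ports: set = field(default_factory=set)
    fast_leave: bool = False
    drop_unknown: bool = False
    policy: dict = field(default_factory=dict)   # port -> permitted group networks
    table: dict = field(default_factory=dict)    # MAC group -> {port: expiry time}

    def permitted(self, port, group):
        """Apply the port's group filter; a port without a filter permits all."""
        nets = self.policy.get(port)
        if nets is None:
            return True
        addr = ipaddress.IPv4Address(group)
        return any(addr in ipaddress.ip_network(net) for net in nets)

    def report(self, port, group, now):
        """Handle a membership report; return True if the port is a member."""
        mac = group_mac(group)
        if not self.permitted(port, group):
            return False
        joined = sum(1 for members in self.table.values() if port in members)
        if port not in self.table.get(mac, {}) and joined >= GROUP_LIMIT:
            return False
        self.table.setdefault(mac, {})[port] = now + HOST_AGING_TIME
        return True

    def leave(self, port, group, now):
        """Handle a leave message for the group on the given port."""
        members = self.table.get(group_mac(group), {})
        if port not in members:
            return
        if self.fast_leave:
            del members[port]            # removed at once, no query sent
        else:
            # Simplified: the port has one response interval to report again.
            members[port] = min(members[port], now + MAX_RESPONSE_TIME)
        self.prune()

    def age(self, now):
        """Remove member ports whose aging timer has expired."""
        for members in self.table.values():
            for port in [p for p, expiry in members.items() if expiry <= now]:
                del members[port]
        self.prune()

    def prune(self):
        """Drop MAC groups that no longer have any member port."""
        self.table = {mac: m for mac, m in self.table.items() if m}

    def egress(self, group, ingress, now):
        """Return the sorted ports that a frame for the group is sent out of."""
        self.age(now)
        members = self.table.get(group_mac(group))
        if members is None:
            # Unknown group: flood in the VLAN, or drop (modelled as a plain drop).
            out = set() if self.drop_unknown else set(self.ports)
        else:
            out = set(members) | self.router_ports
        return sorted(out - {ingress})
```

Because forwarding in this model is keyed on the MAC group, 224.1.1.1 and 225.129.1.1 share one table entry, so a port that joined one of them also receives frames addressed to the other.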

Table 87 lists the multicast features supported by 3Com series Ethernet switches.Support of Multicast Features 161 Support of Multicast Features Multicast features supported by the 3Com series Ethernet switches vary with device models.. Enter system view Enable IGMP Snooping Enter VLAN view Enable IGMP Snooping Use the command. Required Disabled by default... Table 87 Multicast features supported by the 3Com stackable switches Model\Feature Switch 5500 Switch 4500 Switch 5500Gs Switch 4200 Switch 4200G Switch 4210 E352&E328 E126 S3152P E152 IGMP Snooping IGMP ● ● ● ● ● ● ● ● ● ● ● ● PIM ● ● MSDP ● ● - Configuration Guidance The following configuration guidance describes the configuration of multicast features based on the implementations on the Switch 5500Gs Ethernet switches. system-view igmp-snooping enable vlan vlan-id igmp-snooping enable Remarks Required Disabled by default. For details. For more information. see the corresponding configuration guide. see the corresponding configuration guide.. Complete these tasks to configure IGMP Snooping: Configuration task “Enabling IGMP Snooping” on page 161 “Configuring IGMP-Snooping timers” on page 161 “Configuring fast leave processing” on page 162 “Configuring a multicast group filter” on page 162 “Configuring the maximum number of multicast groups that can be joined on a port” on page 163 “Configuring IGMP Snooping querier” on page 163 Remarks Required Optional Optional Optional Optional Optional Configuring IGMP Snooping Enabling IGMP Snooping Follow these steps to enable IGMP Snooping: To. Configuring IGMP-Snooping timers Follow these steps to configure IGMP-Snooping timers: .

. igmp-snooping Optional max-response-time seconds By default... Enter system view Configure a multicast group filter Use the command. Enter system view Configure an aging timer of router port Configure a response-to-query timer Use the command. the maximum response-to-query time is 10 seconds.. the router port aging time is 105 seconds.. system-view igmp-snooping group-policy acl-number [ vlan vlan-list ] Remarks Required Disabled by default 2 Configure a multicast group filter in Ethernet port view Follow these steps to configure a multicast group filter in Ethernet port view: ...... system-view igmp-snooping fast-leave [ vlan vlan-list ] Remarks Required Disabled by default 2 Configure fast leave in Ethernet port view Follow these steps to configure fast leave processing in Ethernet port view: To. system-view interface interface-type interface-number igmp-snooping fast-leave [ vlan vlan-list ] Remarks Required Disabled by default Configuring a multicast group filter 1 Configure a multicast group filter in system view Follow these steps to configure a multicast group filter in system view: To. Configure an aging timer of a member port of a multicast group Configuring fast leave processing 1 Configure fast leave processing in system view Follow these steps to configure fast leave processing in system view: To. the aging time of the multicast group member port is 260 seconds.162 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES To.. igmp-snooping host-aging-time seconds Optional By default... system-view igmp-snooping router-aging-time seconds Remarks Optional By default. Enter system view Enter Ethernet port view Configure fast leave processing Use the command.... Enter system view Configure fast leave processing Use the command.

[ overflow-replace ] ] Configuring IGMP Snooping querier Follow these steps to configure IGMP Snooping querier: To... system-view interface interface-type interface-number Remarks - igmp-snooping group-limit Required limit [ vlan vlan-list The system default is 255. Enter system view Enter Ethernet port view Configure a multicast group filter Use the command. Enter system view Enable IGMP Snooping Enter VLAN view Enable IGMP Snooping Enable IGMP-Snooping querier Configure the query interval Use the command. system-view igmp-snooping enable vlan vlan-id igmp-snooping enable igmp-snooping querier igmp-snooping query-interval seconds Remarks Required Disabled by default Required Disabled by default Required Disabled by default Optional The system default is 60 seconds..Configuration Guidance 163 To..0.0.. Enter system view Enter Ethernet port view Configure maximum number of multicast groups that can be joined on the port Use the command. Optional The system default is 0.. Configure a source IP address igmp-snooping for general query messages general-query source-ip { current-interface | ip-address } Configuring IGMP Complete these tasks to configure IGMP: Configuration task “Enabling IGMP” on page 164 “Configuring IGMP version” on page 164 “Configuring parameters related to IGMP queries” on page 164 “Configuring the maximum allowed number of multicast groups” on page 165 Remarks Required Optional Optional Optional ....0.... system-view interface interface-type interface-number igmp-snooping group-policy acl-number [ vlan vlan-list ] Remarks Required Disabled by default Configuring the maximum number of multicast groups that can be joined on a port Follow these steps to configure the maximum number of multicast groups that can be joined on a port: To.

| Configuration task | Remarks |
|---|---|
| “Configuring a multicast group filter” | Optional |
| “Configuring simulated joining” | Optional |
| “Configuring IGMP proxy” | Optional |
| “Removing joined IGMP groups from an interface” | Optional |

Enabling IGMP

Follow these steps to enable IGMP:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable multicast routing | multicast routing-enable | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Enabling IGMP | igmp enable | Required. Disabled by default |

CAUTION: The following configurations in this chapter are implemented after multicast routing is enabled on the device and IGMP is enabled on the corresponding interface.

Configuring IGMP version

Follow these steps to configure IGMP version:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Configure IGMP version | igmp version { 1 \| 2 } | Required. IGMPv2 by default |

CAUTION: The device cannot switch from one IGMP version to another automatically. All switches on the same subnet must run the same version of IGMP.

Configuring parameters related to IGMP queries

Follow these steps to configure parameters related to IGMP queries:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Configure IGMP query interval | igmp timer query seconds | Optional. The system default is 60 seconds. |
| Configure the IGMP last member query interval | igmp lastmember-queryinterval seconds | Optional. The system default is 1 second. |

| To... | Use the command... | Remarks |
|---|---|---|
| Configure the IGMP last member query count | igmp robust-count robust-value | Optional. The system default is two. |
| Configure the IGMP other querier present interval | igmp timer other-querier-present seconds | Optional. The system default is 120 seconds, twice the interval specified by the igmp timer query command. |
| Configure the maximum response time | igmp max-response-time seconds | Optional. The system default is 10 seconds. |

Configuring the maximum allowed number of multicast groups

Follow these steps to configure the maximum number of multicast groups allowed to be joined on an interface:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Configure the maximum number of multicast groups allowed on the interface | igmp group-limit limit | Required. The system default is 256. |

CAUTION: If you configure the maximum number of multicast groups allowed on an interface to 1, a new group joined on the interface automatically supersedes the existing one. If the number of existing multicast groups is larger than the limit configured on the interface, the system will remove the oldest entries automatically until the number of multicast groups on the interface conforms to the configured limit.

Configuring a multicast group filter

1 Configure a multicast group filter in VLAN interface view

Follow these steps to configure a multicast group filter in VLAN interface view:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Configure a multicast group filter | igmp group-policy acl-number [ 1 \| 2 \| port interface-type interface-number [ to interface-type interface-number ] ] | Optional. No filter is configured by default. |

2 Configuring a multicast group filter in Ethernet port view

Follow these steps to configure a multicast group filter in Ethernet port view:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure a multicast group filter | igmp group-policy acl-number vlan vlan-id | Optional. No multicast group filter is configured by default. The port must belong to the specified VLAN. |

Configuring simulated joining

1 Configure simulated joining in VLAN interface view

Follow these steps to configure simulated joining in VLAN interface view:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Configure simulated joining | igmp host-join group-address port interface-list | Optional. Disabled by default |

2 Configure simulated joining in Ethernet port view

Follow these steps to configure simulated joining in Ethernet port view:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure simulated joining | igmp host-join group-address vlan vlan-id | Optional. Disabled by default |

CAUTION: Before configuring simulated joining, you must enable IGMP in VLAN interface view. If you configure a port as a simulated host in Ethernet port view, the Ethernet port must belong to the specified VLAN; otherwise the configuration does not take effect.

Configuring IGMP proxy

Follow these steps to configure IGMP proxy:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable multicast routing | multicast routing-enable | Required |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Enable IGMP | igmp enable | Required |

| To... | Use the command... | Remarks |
|---|---|---|
| Configure IGMP proxy | igmp proxy Vlan-interface interface-number | Required. Disabled by default |

CAUTION:
■ You must enable PIM on the interface before configuring the igmp proxy command. Otherwise, the IGMP proxy feature does not take effect.
■ One interface cannot serve as the proxy interface for two or more interfaces.
■ When you configure the IP address of the interface that will serve as an IGMP proxy, make sure that the IP address is not the lowest on this subnet to prevent this interface from being elected as the IGMP querier on the subnet, as this will result in failure of multicast data forwarding.

Removing joined IGMP groups from an interface

Follow these steps to remove joined IGMP groups from an interface:

| To... | Use the command... | Remarks |
|---|---|---|
| Remove the specified group or all groups from the specified interface or all interfaces | reset igmp group { all \| interface interface-type interface-number { all \| group-address [ group-mask ] } } | The reset command is available in user view. |

CAUTION: After a multicast group is removed from an interface, hosts attached to the interface can join the multicast group again.

Configuring PIM

Configuring PIM-DM

Follow these steps to configure PIM-DM:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable multicast routing | multicast routing-enable | Required. Disabled by default |
| Enter PIM view | pim | - |
| Configure a multicast source or multicast source-group filter | source-policy acl-number | Optional. You can define the related IP addresses in an ACL. |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Enable PIM-DM | pim dm | Required |
| Configure the hello interval on the interface | pim timer hello seconds | Optional. The system default is 30 seconds. |
| Configure a limit on the number of PIM neighbors on the interface | pim neighbor-limit limit | Optional. The default value is 128. |

| To... | Use the command... | Remarks |
|---|---|---|
| Configure the filtering policy for PIM neighbors | pim neighbor-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default |

Configuring PIM-SM

Follow these steps to configure PIM-SM:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable multicast routing | multicast routing-enable | Required. Disabled by default |
| Enter PIM view | pim | - |
| Configure a multicast source or multicast source-group filter | source-policy acl-number | Optional. You can define the related IP addresses in an ACL. |
| Configure a C-BSR | c-bsr interface-type interface-number hash-mask-len [ priority ] | Optional. By default, no C-BSR is configured. The default priority is 0. |
| Configure a C-RP | c-rp interface-type interface-number [ group-policy acl-number \| priority priority ]* | Optional. By default, no C-RP is configured. The default priority is 0. |
| Configure a static RP | static-rp rp-address [ acl-number ] | Optional. No static RP is configured by default. |
| Configure a legal BSR address range | bsr-policy acl-number | Optional. No legal BSR address range is configured by default. |
| Configure a legal C-RP address range | crp-policy acl-number | Optional. You can define the related IP address ranges in an ACL. No legal C-RP address range is configured by default. |
| Configure to filter the register messages from RP to DR | register-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default. |
| Disable RPT-to-SPT switchover | spt-switch-threshold infinity [ group-policy acl-number [ order order-value ] ] | Optional. By default, the device switches to the SPT immediately after it receives the first multicast packet from the RPT. |
| Enter VLAN interface view | interface Vlan-interface interface-number | - |
| Enable PIM-SM | pim sm | Required |

| To... | Use the command... | Remarks |
|---|---|---|
| Configuring a PIM-SM domain boundary | pim bsr-boundary | Optional. By default, no PIM-SM domain boundary is configured |
| Configure the hello interval on the interface | pim timer hello seconds | Optional. The system default is 30 seconds. |
| Configure the maximum number of PIM neighbors allowed on the interface | pim neighbor-limit limit | Optional. The default value is 128. |
| Configure the filtering policy for PIM neighbors | pim neighbor-policy acl-number | Optional. You can define the related IP addresses in an ACL. Disabled by default |

Configuring MSDP

Configuring MSDP basic functions

Follow these steps to configure MSDP basic functions:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable MSDP and enter MSDP view | msdp | Required |
| Create an MSDP peer connection | peer peer-address connect-interface interface-type interface-number | Required. You need to configure related parameters on both devices between which the peer connection is to be created. The peer ID is an address pair (the IP address of the local interface and the IP address of the remote MSDP peer). |
| Configure a static RPF peer | static-rpf-peer peer-address [ rp-policy ip-prefix-name ] | Optional. For an area with only one MSDP peer, if BGP or MBGP is not running, you need to configure a static RPF peer. |

Configuring MSDP peer connections

Complete these tasks to configure connection between MSDP peers:

| Configuration task | Remarks |
|---|---|
| “Configure description information for MSDP peers” | Required |
| “Configure an MSDP mesh group” | Optional |
| “Configure MSDP peer connection control” | Optional |

1 Configure description information for MSDP peers

Follow these steps to configure description information of an MSDP peer:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |

| To... | Use the command... | Remarks |
|---|---|---|
| Enter MSDP view | msdp | - |
| Configure description information for an MSDP peer | peer peer-address description text | Optional. No description information is configured for MSDP peers by default. |

2 Configure an MSDP mesh group

Follow these steps to configure an MSDP mesh group:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Add an MSDP peer in a mesh group | peer peer-address mesh-group name | Required. An MSDP peer does not belong to any mesh group by default. |

Note:
■ Before grouping multiple routers into an MSDP mesh group, make sure that these routers are interconnected with one another.
■ To add different MSDP peers into an MSDP mesh group, configure the same mesh group name on them.
■ An MSDP peer can belong to only one mesh group. A newly configured mesh group name supersedes the existing one.

3 Configure MSDP peer connection control

Follow these steps to configure MSDP peer connection control:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Shut down an MSDP peer | shutdown peer-address | Optional. By default, MSDP peers are connected. |
| Configure the MSDP peer connection retry period | timer retry seconds | Optional. The system default is 30 seconds. |

Configuring SA message delivery

Complete these tasks to configure SA message delivery:

| Configuration task | Remarks |
|---|---|
| “Configure the RP address in SA messages” | Optional |
| “Configure the SA message cache” | Optional |
| “Configure SA message transmission and filtering” | Optional |
| “Configure a rule for filtering multicast sources in SA messages” | Optional |
| “Configure a filtering rule for receiving or forwarding SA messages” | Optional |

1 Configure the RP address in SA messages

Follow these steps to configure the RP address in SA messages:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Configure the RP address in SA messages | originating-rp interface-type interface-number | Optional. By default, the RP address in an SA message is the PIM RP address. |

Note: In Anycast RP application, C-BSR and C-RP must be configured on different devices or ports.

2 Configure the SA message cache

Follow these steps to configure the SA message cache:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Enable the SA message cache mechanism | cache-sa-enable | Optional. Enabled by default |
| Configure the maximum number of SA messages the router can cache | peer peer-address sa-cache-maximum sa-limit | Optional. The system default is 2048. |

3 Configure SA message transmission and filtering

Follow these steps to configure SA message transmission and filtering:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Enable the SA message cache mechanism | cache-sa-enable | Optional. After receiving an SA message, a router caches SA state by default. |

| To... | Use the command... | Remarks |
|---|---|---|
| Enable the router to send SA requests to the designated MSDP peer | peer peer-address request-sa-enable | Optional. By default, upon receiving a new Join message, a router does not send an SA request message to its designated MSDP peer; instead it waits for the next SA message. |
| Configure a filtering rule for SA requests from the specified MSDP peer | peer peer-address sa-request-policy [ acl acl-number ] | Optional. By default, a router receives all SA request messages from its MSDP peer. |

4 Configure a rule for filtering multicast sources in SA messages

Follow these steps to configure a rule for filtering the multicast sources of SA messages:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Configure multicast source filtering at SA message creation | import-source [ acl acl-number ] | Optional. By default, SA messages advertise all the (S, G) entries in the domain. |

5 Configure a filtering rule for receiving or forwarding SA messages

Follow these steps to configure a filtering rule for receiving or forwarding SA messages:

| To... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter MSDP view | msdp | - |
| Configure a filtering rule for receiving or forwarding SA messages | peer peer-address sa-policy { import \| export } [ acl acl-number ] | Optional. By default, no filtering rule is configured for receiving or forwarding SA messages, namely, all SA messages from MSDP peers will be accepted or forwarded. |
| Configure the minimum TTL required for an SA-encapsulated multicast packet to be forwarded to the specified MSDP peer | peer peer-address minimum-ttl ttl-value | Optional. The system default is 0. |

PIM-DM plus IGMP plus IGMP Snooping Configuration Example

Requirement Analysis

When users receive voice on demand (VOD) information through multicast, the information receiving mode may vary based on user requirements:

1 To avoid video broadcast at Layer 2, IGMP Snooping is enabled on Switch E, through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C provide uplink backup for the directly attached stub network N1, which comprises multicast receivers Host C and Host D.
3 All the Layer 3 switches run RIP for unicast routing and run PIM-DM for multicast routing.

Configuration Plan

1 Switch D connects to the network that comprises the multicast source (Source) through VLAN-interface 300.
2 Switch A connects to Switch E through VLAN-interface 100, and to Switch D through VLAN-interface 103.
3 Switch B and Switch C connect to stub network N1 through their respective VLAN-interface 200, and to Switch D through VLAN-interface 101 and VLAN-interface 102 respectively.
4 Enable IGMPv2 on VLAN-interface 100 of Switch A. Run IGMPv2 on Switch B, Switch C, and the hosts in stub network N1. Typically, Switch B acts as the IGMP querier. Enable IGMP Snooping on Switch E and in VLAN 100.

Network Diagram

Figure 67 Network diagram for PIM-DM plus IGMP plus IGMP Snooping configuration

| Device | Interface | IP address | Ports |
|---|---|---|---|
| Switch A | Vlan-int100 | 10.110.1.1/24 | Ethernet1/0/1 |
| Switch A | Vlan-int103 | 192.168.1.1/24 | Ethernet1/0/2 |
| Switch B | Vlan-int200 | 10.110.2.1/24 | Ethernet1/0/1 |
| Switch B | Vlan-int101 | 192.168.2.1/24 | Ethernet1/0/2 |
| Switch C | Vlan-int200 | 10.110.2.2/24 | Ethernet1/0/1 |
| Switch C | Vlan-int102 | 192.168.3.1/24 | Ethernet1/0/2 |
| Switch D | Vlan-int300 | 10.110.5.1/24 | Ethernet1/0/1 |
| Switch D | Vlan-int103 | 192.168.1.2/24 | Ethernet1/0/2 |
| Switch D | Vlan-int101 | 192.168.2.2/24 | Ethernet1/0/3 |
| Switch D | Vlan-int102 | 192.168.3.2/24 | Ethernet1/0/4 |
| Switch E | Vlan 100 | - | Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3 |

Configuration Procedure

Configuring VLANs, VLAN interfaces and IP addresses on each switch

# Configure VLANs, VLAN interfaces, and their IP addresses on Switch A.
<SwitchA> system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1
[SwitchA-vlan100] quit
[SwitchA] vlan 103
[SwitchA-vlan103] port Ethernet 1/0/2
[SwitchA-vlan103] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24

[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 103
[SwitchA-Vlan-interface103] ip address 192.168.1.1 24
[SwitchA-Vlan-interface103] quit

Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per Figure 67. The detailed configuration steps are omitted here.

Configuring the unicast routing protocol

# Enable RIP on Switch A, and then enable RIP on subnets 192.168.1.0 and 10.110.1.0.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip] network 192.168.1.0
[SwitchA-rip] network 10.110.1.0
[SwitchA-rip] quit

The configuration on Switch B, Switch C, and Switch D is similar to the configuration on Switch A.

Configuring the multicast protocols

# Enable IP multicast routing on Switch A, enable PIM-DM on each interface, and then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim dm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 103
[SwitchA-Vlan-interface103] pim dm
[SwitchA-Vlan-interface103] quit

The configuration on Switch B and Switch C is similar to the configuration on Switch A.

# Enable multicast routing on Switch D, and enable PIM-DM on each interface.
<SwitchD> system-view
[SwitchD] multicast routing-enable
[SwitchD] interface vlan-interface 300
[SwitchD-Vlan-interface300] pim dm
[SwitchD-Vlan-interface300] quit
[SwitchD] interface vlan-interface 103
[SwitchD-Vlan-interface103] pim dm
[SwitchD-Vlan-interface103] quit
[SwitchD] interface vlan-interface 101
[SwitchD-Vlan-interface101] pim dm
[SwitchD-Vlan-interface101] quit
[SwitchD] interface vlan-interface 102
[SwitchD-Vlan-interface102] pim dm
[SwitchD-Vlan-interface102] quit

# Enable IGMP Snooping on Switch E, and enable IGMP Snooping in VLAN 100.

<SwitchE> system-view
[SwitchE] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchE] vlan 100
[SwitchE-vlan100] igmp-snooping enable
[SwitchE-vlan100] quit

Verifying the configuration

Now start sending multicast data to multicast group 224.1.1.1 from Source and start receiving the multicast data on Host A, and take the following steps to verify the configurations made on the switches.

1 Check whether the multicast stream can flow to Host A.

# View the PIM neighboring relationships on Switch D.
<SwitchD> display pim neighbor
Neighbor’s Address   Interface Name      Uptime     Expires
192.168.2.1          Vlan-interface101   02:45:04   00:04:46
192.168.3.1          Vlan-interface102   02:42:24   00:04:45
192.168.1.1          Vlan-interface103   02:43:44   00:05:44

# View the multicast forwarding table of Switch D.
<SwitchD>display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entries: 0 entry created by IP, 1 entries created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface1, 1 oifs,
  Protocol Create
  List of outgoing interface:
    01: Vlan-interface101
  Matched 181 pkts(271500 bytes), Wrong If 0 pkts
  Forwarded 130 pkts(195000 bytes)
Total 1 entries Listed

# View the multicast forwarding table of Switch A.
<SwitchA>display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 1 oifs,
  Protocol Create
  List of outgoing interface:
    01: Vlan-interface100
  Matched 451 pkts(676500 bytes), Wrong If 0 pkts
  Forwarded 451 pkts(676500 bytes)
Total 1 entry Listed
Matched 1 entry

# View the multicast group information that contains port information on Switch A.
<SwitchA> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):101.
  Total 1 IP Group(s).
  Total 1 MAC Group(s).
  Router port(s):
  IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    Host port(s):Ethernet1/0/15
  MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):Ethernet1/0/15

# View the information about the multicast group entries created by IGMP Snooping on Switch E.
<SwitchE> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
  Total 0 IP Group(s).
  Total 0 MAC Group(s).
  Router port(s):Ethernet1/0/2
Vlan(id):200.
  Total 1 IP Group(s).
  Total 1 MAC Group(s).
  Router port(s):Ethernet1/0/2
  IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    Host port(s):Ethernet1/0/19
  MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):Ethernet1/0/19

The above-mentioned information shows that multicast forwarding entries have been correctly established on Switch D and Switch A, and multicast traffic can successfully flow to Host A.

2 Configure IGMP Snooping multicast group filtering on Switch E

# Configure to filter the packets for the multicast group 224.1.1.1 on Switch E.
<SwitchE> system-view
[SwitchE-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchE-acl-basic-2000] rule permit source any
[SwitchE-acl-basic-2000] quit
[SwitchE]igmp-snooping group-policy 2000 vlan 100

# View multicast forwarding entries on Switch A.
<SwitchA> display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,
  Protocol Create
  Matched 5 pkts(7500 bytes), Wrong If 0 pkts

  Forwarded 0 pkts(0 bytes)
Total 1 entry Listed

As shown above, Switch A has stopped forwarding multicast data for the multicast group 224.1.1.1.

# View multicast group information on Switch E.
<SwitchE> display igmp-snooping group
Total 0 IP Group(s).
Total 0 MAC Group(s).
Vlan(id):200.
  Total 0 IP Group(s).
  Total 0 MAC Group(s).
  Router port(s):Ethernet1/0/19

With multicast group filtering enabled, the corresponding ports drop IGMP reports for the filtered group and will be removed for that group when their respective port aging timer expires.

3 Configure IGMP multicast group filtering on Switch A. Configure to filter the multicast group 224.1.1.1 on VLAN-interface 100 of Switch A.

Note: To verify the configuration of IGMP multicast group filtering on Switch A, disable IGMP Snooping multicast group filtering on Switch E first, and then display the multicast forwarding entries of Switch A.

# Disable multicast group filtering on Switch E.
<SwitchE> system-view
[SwitchE] undo igmp-snooping group-policy

# Configure to filter the multicast group 224.1.1.1 on VLAN-interface 100 of Switch A.
<SwitchA> system-view
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchA-acl-basic-2000] rule permit source any
[SwitchA-acl-basic-2000] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp group-policy 2000
[SwitchA-Vlan-interface100] return

# View multicast forwarding entries on Switch A.
<SwitchA> display multicast forwarding-table
Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol
00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,
  Protocol Create
  Matched 5 pkts(7500 bytes), Wrong If 0 pkts
  Forwarded 0 pkts(0 bytes)

Total 1 entry Listed

# View multicast group information on Switch A.
<SwitchA> display igmp group
Total 0 IGMP groups reported on this router

As shown above, after multicast group filtering is enabled, the corresponding port cannot receive IGMP reports. Thus, the corresponding multicast groups are deleted after the port aging timer expires.

Note: IGMP Snooping multicast group filtering has the same function as IGMP multicast group filtering. You can use either approach based on the specific situation.

PIM-SM plus IGMP plus IGMP Snooping Configuration Examples

Requirement Analysis

When users receive VOD information through multicast, the information receiving mode may vary based on user requirements:

1 To avoid broadcasting of the video information at Layer 2, IGMP Snooping is enabled on Switch E, through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C provide uplink backup for the directly attached stub network N1, which comprises multicast receivers Host C and Host D.
3 Configure the PIM-SM domain as a single-BSR domain. Run OSPF for unicast routing in the domain.

Configuration Plan

1 Switch D connects to the network that comprises the multicast source (Source) through VLAN-interface 300.
2 Switch A connects to Switch F through VLAN-interface 100, and to Switch D and Switch E through VLAN-interface 101 and VLAN-interface 102 respectively.
3 Switch B and Switch C connect to stub network N1 through their respective VLAN-interface 200, and to Switch E through VLAN-interface 103 and VLAN-interface 104 respectively.
4 It is required that VLAN-interface 105 of Switch D and VLAN-interface 102 of Switch E act as C-BSR and C-RP.
5 IGMPv2 is required on VLAN-interface 100 of Switch A. IGMPv2 is also required between Switch B, Switch C, and stub network N1. Typically, Switch B acts as the querier. IGMP Snooping is required on Switch F and in VLAN 100.

2.168.1/24 192. and their IP addresses on Switch A.2/24 192.4.1/24 10.3. Ethernet1/0/3 Switch B Switch C Switch D Vlan-int200 Vlan-int103 Vlan-int200 Vlan-int104 Vlanint300 Vlanint101 Vlanint105 Switch E Vlanint104 Vlanint103 Vlanint102 Vlanint105 Switch F Vlan 100 Configuration Procedure Configuring VLANs.168.9.1/24 10.110.168.4.2/24 192.2/24 192.1.168.1/24 192.5. Ethernet1/0/2.2/24 192.2/24 192.168. VLAN interfaces and IP addresses for each switch # Configure VLANs.168.2.110.110.2/24 192.168.180 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES Network Diagram Figure 68 Network diagram for PIM-SM plus IGMP plus IGMP Snooping configuration Receiver Switch A Vlan-int100 Vlan100 1 -in t1 0 Host A Vlan-int102 Switch F 01 Vl an in t1 an - Ethernet Vlan-int300 Vl Vlan-int102 Vlan-int105 Vlan-int105 Vlan-int103 Vlan-int103 Vlan-int104 N1 Vlan-int200 Host B Receiver Source 10.1.110. VLAN interfaces.5.1.168.1/24 192.168. <SwitchA> system-view System View: return to User View with Ctrl+Z.3.2.9.100/24 Vlan-int104 Vlan-int200 PIM-SM Switch C Ethernet Switch D Switch E Switch B Host C Host D Device Switch A Interface Vlan-int100 Vlan-int101 Vlan-int102 IP address 10. [SwitchA] vlan 100 [SwitchA-vlan100] port Ethernet 1/0/1 [SwitchA-vlan100] quit .2.168.110.1/24 192.1/24 10.1/24 - Ports Ethernet1/0/1 Ethernet1/0/2 Ethernet1/0/3 Ethernet1/0/1 Ethernet1/0/2 Ethernet1/0/1 Ethernet1/0/2 Ethernet1/0/1 Ethernet1/0/2 Ethernet1/0/3 Ethernet1/0/3 Ethernet1/0/2 Ethernet1/0/1 Ethernet1/0/4 Ethernet1/0/1.

[SwitchA] vlan 101
[SwitchA-vlan101] port Ethernet 1/0/2
[SwitchA-vlan101] quit
[SwitchA] vlan 102
[SwitchA-vlan102] port Ethernet 1/0/3
[SwitchA-vlan102] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24
[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 192.168.1.1 24
[SwitchA-Vlan-interface101] quit
[SwitchA] interface Vlan-interface 102
[SwitchA-Vlan-interface102] ip address 192.168.9.1 24
[SwitchA-Vlan-interface102] quit

Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per Figure 68. The detailed configuration steps are omitted here.

Configuring the unicast routing protocol

# Configure a router ID and enable OSPF on Switch A.
<SwitchA> system-view
[SwitchA]router id 1.1.1.1
[SwitchA]ospf
[SwitchA-ospf-1]area 0
[SwitchA-ospf-1-area-0.0.0.0]network 10.110.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0]network 192.168.9.0 0.0.0.255

The configuration on Switch B, Switch C, Switch D, and Switch E is similar to the configuration on Switch A.

Configuring the multicast protocols

# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim sm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] pim sm
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim sm

Note: It is necessary to enable IGMP only on interfaces with attached multicast receivers. As the default IGMP version is IGMPv2, it is not necessary to use the version configuration command on the interface.

The configuration on Switch B and Switch C is similar to that on Switch A. The configuration on Switch D and Switch E is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches.

# Configure the group range to be served by the RP and configure a C-BSR and a C-RP on Switch D.
<SwitchD> system-view
[SwitchD] acl number 2005
[SwitchD-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchD-acl-basic-2005] quit
[SwitchD] pim
[SwitchD-pim] c-bsr vlan-interface 105 24 2
[SwitchD-pim] c-rp vlan-interface 105 group-policy 2005 priority 2
[SwitchD-pim] quit

# Configure the group range to be served by the RP and configure a C-BSR and a C-RP on Switch E.
<SwitchE> system-view
[SwitchE] acl number 2005
[SwitchE-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2005] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlan-interface 102 24 1
[SwitchE-pim] c-rp vlan-interface 102 group-policy 2005 priority 1
[SwitchE-pim] quit

# Enable IGMP Snooping globally on Switch E, and enable IGMP Snooping in VLAN 100.
<SwitchF> system-view
[SwitchF] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchF] vlan 100
[SwitchF-vlan100] igmp-snooping enable
[SwitchF-vlan100] quit

Verifying the configuration

Now start sending multicast data to multicast group 225.1.1.1 from Source and start receiving the multicast data on Host A and Host C, and take the following steps to verify the configurations made on the switches.

1 Check whether the multicast stream flows to Host A and Host C.

# View PIM neighboring relationships on Switch E.
<SwitchE> display pim neighbor
Neighbor’s Address   Interface Name      Uptime     Expires
192.168.9.1          Vlan-interface102   02:47:04   00:01:42
192.168.2.1          Vlan-interface103   02:45:04   00:04:46
192.168.3.1          Vlan-interface104   02:42:24   00:04:45
192.168.4.2          Vlan-interface105   02:43:44   00:05:44

# View BSR information on Switch E.
<SwitchE> display pim bsr-info
Current BSR Address: 192.168.4.2
Priority: 2
Mask Length: 24
Expires: 00:01:39
Local Host is C-BSR: 192.168.9.2


Priority: 1 Mask Length: 24

# View RP information on Switch E.
<SwitchE> display pim rp-info
PIM-SM RP-SET information:
BSR is: 192.168.4.2
Group/MaskLen: 225.1.1.0/24
    RP 192.168.9.2
        Version: 2
        Priority: 1
        Uptime: 00:03:15
        Expires: 00:01:14
    RP 192.168.4.2
        Version: 2
        Priority: 2
        Uptime: 00:04:25
        Expires: 00:01:09

# View PIM routing table entries on Switch A.
<SwitchA> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry
(*, 225.1.1.1), RP 192.168.9.2
    Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
    Uptime: 00:23:21, never timeout
    Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
    Downstream interface list:
        Vlan-interface100, Protocol 0x1: IGMP, never timeout
(10.110.5.100, 225.1.1.1)
    Protocol 0x20: PIMSM, Flag 0x80004: SPT
    Uptime: 00:03:43, Timeout in 199 sec
    Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
    Downstream interface list:
        Vlan-interface100, Protocol 0x1: IGMP, never timeout
Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry

The information on Switch B and Switch C is similar to that on Switch A.
# View PIM routing table entries on Switch D.
<SwitchD> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
(10.110.5.100, 225.1.1.1)
    Protocol 0x20: PIMSM, Flag 0x4: SPT
    Uptime: 00:03:03, Timeout in 27 sec
    Upstream interface: Vlan-interface300, RPF neighbor: NULL
    Downstream interface list:
        Vlan-interface101, Protocol 0x200: SPT, timeout in 147 sec
        Vlan-interface105, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry


# View PIM routing table entries on Switch E.
<SwitchE> display pim routing-table
PIM-SM Routing Table
Total 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry
(*,225.1.1.1), RP 192.168.9.2
    Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
    Uptime: 00:02:34, Timeout in 176 sec
    Upstream interface: Null, RPF neighbor: 0.0.0.0
    Downstream interface list:
        Vlan-interface102, Protocol 0x100: RPT, timeout in 176 sec
        Vlan-interface103, Protocol 0x100: SPT, timeout in 135 sec
(10.110.5.100, 225.1.1.1)
    Protocol 0x20: PIMSM, Flag 0x4: SPT
    Uptime: 00:03:03, Timeout in 27 sec
    Upstream interface: Vlan-interface105, RPF neighbor: 192.168.4.2
    Downstream interface list:
        Vlan-interface102, Protocol 0x200: SPT, timeout in 147 sec
        Vlan-interface103, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry

# View the information about multicast group entries created by IGMP Snooping on Switch F.
<SwitchF> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Router port(s):Ethernet1/0/2
    IP group(s):the following ip group(s) match to one mac group.
        IP group address:225.1.1.1
        Host port(s):Ethernet1/0/19
    MAC group(s):
        MAC group address:0100-5e01-0101
        Host port(s):Ethernet1/0/19

# View multicast group information that contains port information on Switch B.
<SwitchB> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):200.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Router port(s):
    IP group(s):the following ip group(s) match to one mac group.
        IP group address:225.1.1.1
        Host port(s):Ethernet1/0/24
    MAC group(s):
        MAC group address:0100-5e01-0101
        Host port(s):Ethernet1/0/24
Vlan(id):103.
    Total 0 IP Group(s).
    Total 0 MAC Group(s).
    Router port(s):Ethernet1/0/10

As shown above, multicast traffic can successfully flow to Host A and Host C.
2 Configure simulated joining
Configure simulated joining on Switch B to prevent the multicast switch from concluding, for whatever reason, that no multicast receiver exists on the subnet and removing the corresponding path from the multicast forwarding tree.
# Configure Ethernet 1/0/21 as a simulated host to join multicast group 225.1.1.1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 200
[SwitchB-Vlan-interface200] igmp host-join 225.1.1.1 port Ethernet 1/0/21

# View multicast group information that contains port information on Switch B.
<SwitchB> display mpm group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):200.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Router port(s):
    IP group(s):the following ip group(s) match to one mac group.
        IP group address:225.1.1.1
        Host port(s):Ethernet1/0/21 Ethernet1/0/24
    MAC group(s):
        MAC group address:0100-5e01-0101
        Host port(s):Ethernet1/0/21 Ethernet1/0/24
Vlan(id):103.
    Total 0 IP Group(s).
    Total 0 MAC Group(s).
    Router port(s):Ethernet1/0/10

As shown above, Ethernet 1/0/21 has become a member port for multicast group 225.1.1.1.
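The "ip group(s) match to one mac group" lines in the outputs above follow from the standard IPv4 multicast-to-MAC mapping (RFC 1112): only the low 23 bits of the group address are copied into the 01-00-5e MAC, so 32 IP groups share each MAC entry and a MAC-based forwarding entry cannot tell them apart. The Python sketch below is an added example, not part of the 3Com manual: it parses output in the layout shown above, checks each MAC group against its IP group, and lists the aliasing groups. The function names and the one-field-per-line layout of the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample: Switch B's `display mpm group` output after the simulated
# join, as shown in this section, laid out one field per line (assumed layout).
SAMPLE = """\
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/21 Ethernet1/0/24
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/21 Ethernet1/0/24
Vlan(id):103.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/10
"""


def group_to_mac(group):
    """Map an IPv4 multicast group to its MAC in the switch's xxxx-xxxx-xxxx form."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    # 01-00-5e prefix, bit 23 forced to 0, low 23 bits taken from the group.
    mac = f"{0x01005E000000 | (int(addr) & 0x7FFFFF):012x}"
    return "-".join(mac[i:i + 4] for i in range(0, 12, 4))


def aliasing_groups(group):
    """Return all 32 IPv4 groups that map to the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    # The 5 bits between the 1110 class-D prefix and the low 23 bits are lost.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def parse_group_output(text):
    """Parse group output into {vlan: {"router_ports", "ip", "mac"}}."""
    vlans, cur, ports = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Vlan\(id\):(\d+)", line)
        if m:
            cur = vlans.setdefault(
                int(m.group(1)), {"router_ports": [], "ip": {}, "mac": {}})
            ports = None
        elif cur is None:
            continue  # global totals before the first VLAN block
        elif line.startswith("Router port(s):"):
            cur["router_ports"] = line.split(":", 1)[1].split()
        elif line.startswith("IP group address:"):
            ports = cur["ip"].setdefault(line.split(":", 1)[1].strip(), [])
        elif line.startswith("MAC group address:"):
            ports = cur["mac"].setdefault(
                line.split(":", 1)[1].strip().lower(), [])
        elif line.startswith("Host port(s):") and ports is not None:
            ports.extend(line.split(":", 1)[1].split())
    return vlans


def audit(text):
    """Return (vlan, finding, detail) tuples for inconsistent or empty VLANs."""
    findings = []
    for vid, v in sorted(parse_group_output(text).items()):
        expected = {}  # MAC the IP groups should produce -> union of host ports
        for grp, grp_ports in v["ip"].items():
            expected.setdefault(group_to_mac(grp), set()).update(grp_ports)
        for mac in sorted(set(v["mac"]) | set(expected)):
            if mac not in expected:
                findings.append((vid, "mac-without-ip-group", mac))
            elif mac not in v["mac"]:
                findings.append((vid, "ip-group-without-mac-entry", mac))
            elif set(v["mac"][mac]) != expected[mac]:
                findings.append((vid, "host-port-mismatch", mac))
        if not v["ip"]:
            findings.append((vid, "no-group-entries", ""))
    return findings


if __name__ == "__main__":
    print(group_to_mac("225.1.1.1"))
    print(aliasing_groups("225.1.1.1"))
    print(audit(SAMPLE))
```

A VLAN reported as "no-group-entries" has no snooping state, so multicast in that VLAN is either flooded or, where unknown-multicast dropping is enabled, discarded.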

IGMP Snooping-Only Configuration Examples
Network Requirements
Where it is unnecessary or infeasible to build a Layer 3 multicast network, enabling IGMP Snooping on all the devices in a Layer 2 network can implement some multicast functions.


Configuration Plan
1 As shown in Figure 69, in a Layer-2 network without Layer-3 devices, Switch C connects to the multicast source through Ethernet 1/0/3. At least one receiver is attached to Switch B and Switch C respectively.
2 Enable IGMP Snooping on Switch A, Switch B, and Switch C, with Switch A acting as the IGMP Snooping querier.
3 Enable Switch A and Switch B to drop unknown multicast traffic so that multicast traffic for unknown multicast groups is not flooded in the VLAN.
Network Diagram
Figure 69 Network diagram for IGMP Snooping-only configuration
[Diagram not reproduced. Labels: Querier, Switch A, Switch B, Switch C, Eth1/0/1, Eth1/0/2, Eth1/0/3, Source, Receiver, Host A, Host B, Host C, 1.1.1.1/24]

Configuration Procedure

Configuring Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 and Ethernet 1/0/2 into VLAN 100, and then enable IGMP Snooping in this VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1 Ethernet 1/0/2
[SwitchA-vlan100] igmp-snooping enable

# Enable IGMP Snooping querier in VLAN 100.
[SwitchA-vlan100] igmp-snooping querier
[SwitchA-vlan100] quit

# Enable the function of dropping unknown multicast packets.
[SwitchA] unknown-multicast drop enable

Configuring Switch B
# Enable IGMP Snooping globally.
<SwitchB> system-view
[SwitchB] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100, and then enable IGMP Snooping in this VLAN.
[SwitchB] vlan 100
[SwitchB-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchB-vlan100] igmp-snooping enable
[SwitchB-vlan100] quit

# Enable the function of dropping unknown multicast packets.
[SwitchB] unknown-multicast drop enable

Configuring Switch C
# Enable IGMP Snooping globally.
<SwitchC> system-view
[SwitchC] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100, and then enable IGMP Snooping in this VLAN.
[SwitchC] vlan 100
[SwitchC-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchC-vlan100] igmp-snooping enable

CAUTION: Switch C is not the IGMP Snooping querier, so it does not have member ports for non-directly-connected hosts, and the corresponding forwarding entries cannot be created on it. Therefore, do not enable the function of dropping unknown multicast packets on Switch C. To avoid impact on the network and on Switch C caused by multicast flooding, it is recommended to enable IGMP Snooping querier on the switch to which the multicast source is directly attached.

Verifying the configuration
1 View information on Switch B.
# View IGMP packet statistics on Switch B.
<SwitchB> display igmp-snooping statistics
Received IGMP general query packet(s) number:16.
Received IGMP specific query packet(s) number:3.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.

Switch B received IGMP general queries sent by the querier and IGMP reports from receivers.
# View multicast group information on Switch B.
<Switch B> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Router port(s):Ethernet1/0/1
    IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        Host port(s):Ethernet1/0/2
    MAC group(s):
        MAC group address:0100-5e7f-fffe
        Host port(s):Ethernet1/0/2
As shown above, a forwarding entry for the multicast group 224.1.1.1 has been created on Switch A, with Ethernet 1/0/1 as the router port and Ethernet 1/0/2 as the member port.

2 View information on Switch A.
# View IGMP packet statistics on Switch A.
<SwitchA> display igmp-snooping statistics
Received IGMP general query packet(s) number:0.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.
Switch A receives IGMP reports from the receivers.
# View multicast group information on Switch A.
<Switch A> display igmp-snooping group
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Router port(s):
    IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        Host port(s):Ethernet1/0/1
    MAC group(s):
        MAC group address:0100-5e7f-fffe
        Host port(s):Ethernet1/0/1

As shown above, a forwarding entry for the multicast group 224.1.1.1 has been created on Switch A, with Ethernet 1/0/1 as the member port. Acting as the IGMP Snooping querier, Switch A does not have a router port.

3 View information on Switch C.
# View IGMP packet statistics on Switch C.
<SwitchC> display igmp-snooping statistics
Received IGMP general query packet(s) number:10.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:0.
Received IGMP leave packet(s) number:0.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.
Switch C received only IGMP general queries from the querier.
# View multicast group information on Switch C.
<Switch C> display igmp-snooping group
Total 0 IP Group(s).
Total 0 MAC Group(s).
Vlan(id):100.
    Total 0 IP Group(s).
    Total 0 MAC Group(s).
    Router port(s):Ethernet1/0/1
As shown above, no forwarding entries have been created on Switch C. The switch must flood multicast data in the VLAN to allow the multicast data to flow to the receivers downstream; therefore, do not enable the function of dropping unknown multicast packets on Switch C.

MSDP Configuration Examples
Network Requirements
To enable communication between receivers and multicast sources in different PIM-SM domains, use MSDP to establish MSDP peering relationships between the RPs of different PIM-SM domains, so that these RPs can forward SA messages between PIM-SM domains to share multicast source information.
Configuration Plan
■ Two ISPs maintain their respective ASs, AS 100 and AS 200. OSPF runs within each AS, and BGP is deployed for interoperability between the two ASs.
■ PIM-SM 1 belongs to AS 100. PIM-SM 2 and PIM-SM 3 belong to AS 200.
■ Both PIM-SM domains have 0 or 1 multicast source and at least one receiver. OSPF runs within each domain for unicast routing.
■ The respective loopback interfaces, Loopback 0, of Switch C, Switch D and Switch F are configured as C-BSRs and C-RPs of the respective PIM-SM domains.

1.110.5.1/24 192. Ensure the network-layer interoperation among Switch A.2/24 3.110. Configure OSPF for interoperation between switches in each PIM-SM domain.1.110.110.3.2/24 10.1.9.168.2/24 2.168.110.2.2.2/32 10. Establish MSDP peering relationship between Switch D and Switch F through IBGP.3.2.1.1/24 10.7.1.2.2/24 10.1/32 Device Switch D Interface Vlan-int300 Vlan-int102 Vlan-int101 Loop0 IP address 10.110.1/24 10.110.1/24 10. Switch B and Switch C Vl .3.110.10.5.2.110.1/24 10.168.1.2/24 10.1/24 10. Network Diagram Figure 70 Network diagram for MSDP configuration AS 100 Receiver Loop0 Vl AS 200 Receiver Switch F 00 t2 -i n an Vl Switch G t1 -in an 00 Vlan-int400 Switch B Vl an -i n t1 00 Switch A Vlan-int400 Vlan-int102 Vlan-int300 PIM-SM 3 Source 1 Vlan-int300 an -in t1 00 Vlan-int200 00 Vl an -in t1 Receiver an Vl Vl Vlan-int200 Vlan-int102 Vlan-int101 Vlan-int300 00 t1 in Vlan-int101 00 Switch C Loop0 Switch D Loop0 Vlan-int300 an -in t2 Source 2 Switch E PIM-SM 1 PIM-SM 2 MSDP peers Device SwitchA Interface Vlan-int100 Vlan-int200 Vlan-int300 IP address 10.2/32 10.1/24 192.4.3.1/24 10.190 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES ■ Establish MSDP peering relationship between Switch C and Switch D through EBGP.8.110.2/24 SwitchB Vlan-int100 Vlan-int200 Vlan-int300 Switch E Vlan-int100 Vlan-int200 Vlan-int300 Loop0 Switch C Vlan-int100 Vlan-int200 Vlan-int101 Loop0 Switch F Vlan-int400 Vlan-int102 Loop0 SwitchG Vlan-int100 Vlan-int400 Configuration Procedure Configuring an interface IP address and a unicast routing protocol for each switch Configure an IP address and a subnet mask for each interface as per Figure 70.110.1/24 10.110.1/24 192.168.110.1/24 1.4.110.6.3.3.3/32 10.2.110. The detailed configuration steps are not discussed in this document.2/24 2.1/24 192.

0. <SwitchA> system-view [SwitchA] multicast routing-enable [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] pim sm [SwitchA-Vlan-interface100] quit [SwitchA] interface vlan-interface 200 [SwitchA-Vlan-interface200] pim sm [SwitchA-Vlan-interface200] igmp enable [SwitchA-Vlan-interface200] quit [SwitchA] interface vlan-interface 300 [SwitchA-Vlan-interface101] pim sm The configuration on Switch E and Switch G is similar to the configuration on Switch A.1. <SwitchC> system-view.1.0. # Enable IP multicast routing on Switch C and enable PIM-SM on each interface. Switch D. the network-layer interoperation between Switch D and Switch E in PIM-SM 2. and enable IGMP on VLAN-interface 200. enable PIM-SM on each interface.0. Switch E. Switch B. Configuring a multicast routing protocol 1 Enable IP multicast routing.0]network 10.110. and enable IGMP on the interfaces connected with receivers.0. and Switch F is similar to the configuration on Switch C.0. enable PIM-SM on each interface. Switch F and Switch G is similar to the configuration on Switch C.0 0.MSDP Configuration Examples 191 in PIM-SM 1.0 The configuration on Switch A.255 [SwitchC-ospf-1-area-0.0.110. # Enable IP multicast routing on Switch A. Configuring a unicast routing protocol for each AS # Configure OSPF on Switch C.2.255 [SwitchC-ospf-1-area-0. .0]network 10.0.1 0. The specific configuration steps are omitted here. and the network-layer interoperation between Switch F and Switch G in PIM-SM 3. The specific configuration steps are omitted here.0.1.0.0]network 1. Switch D. <SwitchC> system-view [SwitchC] multicast routing-enable [SwitchC] interface vlan-interface 100 [SwitchC-Vlan-interface100] pim sm [SwitchC-Vlan-interface100] quit [SwitchC] interface vlan-interface 200 [SwitchC-Vlan-interface200] pim sm [SwitchC-Vlan-interface200] quit [SwitchC] interface vlan-interface 101 [SwitchC-Vlan-interface101] pim sm The configuration on Switch B.0. 
and ensure the dynamic update of routing information between the switches in each PIM-SM domain through the unicast routing protocol.0 0.0. [SwitchC]ospf [SwitchC-ospf-1]area 0 [SwitchC-ospf-1-area-0.0.

[SwitchF] bgp [SwitchF-bgp] [SwitchF-bgp] [SwitchF-bgp] [SwitchF-bgp] [SwitchF-bgp] 200 group 200 peer 192.1 group 200 import-route ospf 1 import-route direct quit # Configure BGP route redistribution to OSPF on Switch C. C-BSR.255.168. and configure OSPF route redistribution.1. and C-RP.255 [SwitchC-LoopBack0] pim sm [SwitchC-LoopBack0] quit [SwitchC] pim [SwitchC-pim] c-bsr loopback 0 24 [SwitchC-pim] c-rp loopback 0 [SwitchC-pim] quit The configuration on Switch D and Switch F is similar to the configuration on Switch C.3.2 group 100 as-number 200 import-route ospf 1 import-route direct quit # Configure IBGP and EBGP on Switch D.168.1 group 100 as-number 100 peer 192.2 group 200 import-route ospf 1 import-route direct quit # Configure IBGP on Switch F.1. [SwitchC] bgp [SwitchC-bgp] [SwitchC-bgp] [SwitchC-bgp] [SwitchC-bgp] [SwitchC-bgp] 100 group 100 external peer 192. [SwitchC-Vlan-interface101] pim bsr-boundary [SwitchC-Vlan-interface101] quit The configuration on Switch D and Switch F is similar to the configuration on Switch C. 2 Configure the position of interface Loopback 0. [SwitchC] interface loopback 0 [SwitchC-LoopBack0] ip address 1.1.192 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES # Configure a BSR boundary on Switch C. Configuring inter-AS BGP for mutual route redistribution between BGP and OSPF # Configure EBGP on Switch C. C-BSR.255. and configure OSPF route redistribution. # Configure the position of Loopback 0.168. [SwitchD] bgp [SwitchD-bgp] [SwitchD-bgp] [SwitchD-bgp] [SwitchD-bgp] [SwitchD-bgp] [SwitchD-bgp] [SwitchD-bgp] 200 group 100 external group 200 peer 192. and configure OSPF route redistribution.3.168.1 255. .1. and C-RP on Switch C.

168.168.168. [SwitchC] display bgp peer Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State -------------------------------------------------------------------------192.168.2 connect-interface vlan-interface 101 [SwitchC-msdp] quit # Configure an MSDP peer on Switch D. [SwitchD] msdp [SwitchD-msdp] peer 192. [SwitchD] display bgp peer Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State -------------------------------------------------------------------------192.MSDP Configuration Examples 193 [SwitchC] ospf 1 [SwitchC-ospf-1] import-route bgp [SwitchC-ospf-1] quit The configuration on Switch D and Switch F is similar to the configuration on Switch C.1 connect-interface vlan-interface 102 [SwitchF-msdp] quit When the multicast source Source 1 sends multicast information.1.168. For example: # View the information about BGP peering relationships on Switch C.2 200 4 0 950 945 15:41:14 Established # View the information about BGP peering relationships on Switch D. [SwitchF] msdp [SwitchF-msdp] peer 192. [SwitchC] msdp [SwitchC-msdp] peer 192.3.2 connect-interface vlan-interface 102 [SwitchD-msdp] quit # Configure MSDP peers on Switch F. You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches.1 200 4 0 953 948 15:42:23 Established Configuring MSDP peers # Configure an MSDP peer on Switch C.1 100 4 0 946 953 15:43:32 Established 192.3.3.2 200 4 0 946 954 15:41:18 Established # View the information about BGP peering relationships on Switch F. For example: .1. receivers in PIM-SM2 and PIM-SM3 can receive the multicast data.1.168.168.168.3.1.1 connect-interface vlan-interface 101 [SwitchD-msdp] peer 192. Carry out the display bgp peer command to view the BGP peering relationships between the switches. [SwitchF] display bgp peer Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State -------------------------------------------------------------------------192.

3. [SwitchD] display msdp brief MSDP Peer Brief Information Peer’s Address State 192. Output queue size: 0 Counters for MSDP message: Count of RPF check failure: 0 Incoming/outgoing SA messages: 0/0 Incoming/outgoing SA requests: 0/0 Incoming/outgoing SA responses: 0/0 Incoming/outgoing data packets: 0/0 .1.194 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES # View the brief information about MSDP peering relationships on Switch C.168. [SwitchC] display msdp peer-status MSDP Peer 192.1) Number of sent/received messages: 16/16 Number of discarded output messages: 0 Elapsed time since last connection or counters clear: 00:17:51 Information about (Source. [SwitchF] display msdp brief MSDP Peer Brief Information Peer’s Address State 192. Group)-based SA filtering policy: Import policy: none Export policy: none Information about SA-Requests: Policy to accept SA-Request messages: none Sending SA-Requests status: disable Minimum TTL to forward SA with encapsulated data: 0 SAs learned from this peer: 0.2 Up 192.1 UP Up/Down time 00:15:32 00:06:39 AS 200 100 SA Count 8 13 Reset Count 0 0 # View the brief information about MSDP peering relationships on Switch F. [SwitchC] display msdp brief MSDP Peer Brief Information Peer’s Address State 192. AS 200 Description: Information about connection status: State: Up Up/down time: 00:15:47 Resets: 0 Connection interface: Vlan-interface101 (192.3.1.1.2 Up Up/Down time 00:12:27 AS 200 SA Count 13 Reset Count 0 # View the brief information about MSDP peering relationships on Switch D.1.168.168.168.1 UP Up/Down time 01:07:08 AS 200 SA Count 8 Reset Count 0 # View the detailed MSDP peer information on Switch C.168.168.2. SA-cache maximum for the peer: none Input queue size: 0.

7 VLAN CONFIGURATION EXAMPLES

Keywords: VLAN, 802.1q, VLAN interface, protocol VLAN
Abstract: This document introduces how VLAN of the 3Com series Ethernet switches is applied and configured in practical networking implementations and how protocols are used in conjunction with VLANs.
Acronyms: VLAN (Virtual local area network)

VLAN Support Matrix
Support for VLAN on 3Com Stackable Switches
Table 88 Support for VLAN on 3Com stackable switches
Feature (right) Model (below): Switch 5500, Switch 4500, Switch 5500Gs, Switch 4200, Switch 4210, Switch 4210 52-Port, E352/E328, E126, E152
802.1Q VLAN: ● ● ● ● ● ● ● ● ●
VLAN interface: ● ● ● ❍ ❍ ● ● ❍ ❍
Protocol VLAN: ● ● ● ● ● -

Note:
■ In the above table, the solid dots (●) indicate that the corresponding models provide full support for the function; the hollow dots (❍) indicate that the corresponding models provide incomplete support for the function, that is, the corresponding models support only the VLAN-interface for the management VLAN; the dashes (-) indicate that the corresponding models do not support the function.
■ For detailed information about the support of your device for VLAN, refer to the user manual for your device.

all ports belong to the default VLAN (VLAN 1). VLAN 0001. ■ Configuring Basic VLAN Settings The 3Com series switches support IEEE 802. the description of a VLAN is its VLAN ID. In this guide... The configuration example in this guide provides only basic configuration procedures. Enter system view Use the command. For detailed information about individual functions. For informaiton on how to configure VLAN on other models..196 CHAPTER 7: VLAN CONFIGURATION EXAMPLES Configuration Guide n ■ The configuration procedure differs by device.. Follow these steps to assign a port to a VLAN in Ethernet port view: . Optional By default. system-view vlan vlan-id port interface-list Remarks Required By default. Follow these steps to create a VLAN and perform basic VLAN configuration: To. You can assign trunk or hybrid ports to a VLAN only in Ethernet port view. for example. refer to the Configuraiton Guide and Command Reference Guide for that model. display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ] Available in any view Create multiple VLANs in bulk vlan { vlan-id1 to vlan-id2 | all } Create a VLAN and enter VLAN view vlan vlan-id Assign a name for the current name text VLAN Configure the description of the current VLAN description text Display VLAN information You can assign a port to a VLAN in Ethernet port view or in VLAN view. Follow these steps to assign a port to a VLAN in VLAN view: To.. VLAN 0001. Enter system view Enter VLAN view Assign a list of Ethernet ports to the VLAN Use the command. only one default VLAN (VLAN 1) exists in the system.1Q VLAN. the name of a VLAN is its VLAN ID... n Only access ports can be assigned to a VLAN in VLAN view. refer to the Configuration Guide for that model. Optional By default. system-view Remarks Optional Required By default. The technology allows you to organize Ethernet ports into virtual workgroups by assigning them to different VLANs. the Switch 5500 is used as an example.. for example.

all the three types of ports belong to the default VLAN (VLAN 1). the description of a VLAN interface is its name. all ports are access ports. Because an access port can be assigned to only one VLAN. description text Optional By default.. Enter system view Create a VLAN interface and enter VLAN interface view Assign an IP address to the current VLAN interface Configure the description of the current VLAN interface Use the command.. Therefore.Configuration Guide 197 To. its default VLAN is the VLAN to which it belongs. Enter system view Enter Ethernet port view Configure the port type Use the command. system-view interface Vlan-interface vlan-id Remarks Required By default. Assign the For an access port access vlan vlan-id current port to port the specified For a trunk port port trunk permit vlan VLAN(s) { vlan-id-list | all } For a hybrid port Specify the default VLAN for the current port port hybrid vlan vlan-id-list { tagged | untagged } For a trunk port port trunk pvid vlan vlan-id For a hybrid port port hybrid pvid vlan vlan-id Optional By default. for example.. . Follow these steps to configure basic settings of a VLAN interface: To.. system-view interface interface-type interface-number port link-type { access | trunk | hybrid } Remarks Optional By defaults... the default VLAN of an Ethernet port is VLAN 1... ip address ip-address { mask | Required mask-length } [ sub ] No IP address is assigned to any VLAN interface by default. no VLAN interface exists. Required By default. you do not need to configure a default VLAN for it. Configuring Basic Settings of a VLAN Interface You can enable your switch to perform Layer 3 forwarding by configuring VLAN interfaces with IP addresses on the switch. Vlan-interface1 Interface.

. a VLAN interface is in the up state. Bring up the VLAN interface Use the command. Follow these steps to configure a protocol VLAN: To. An administratively shut down VLAN interface however will be in the down state until you bring it up. Shut down the VLAN interface shutdown Display information about the display interface VLAN interface Vlan-interface [ vlan-id ] Available in any view n ■ ■ Before creating a VLAN interface for a VLAN.. only one VLAN interface is supported. Return to system view Enter Ethernet port view Configure the port as a hybrid port link-type hybrid port port hybrid vlan vlan-id Assign the port to the protocol VLAN and configure untagged the port to forward the frames of the VLAN with their VLAN tag removed . and then assign Ethernet ports to the protocol VLAN.198 CHAPTER 7: VLAN CONFIGURATION EXAMPLES To. undo shutdown Remarks Optional By default. first create a protocol template to enable protocol VLAN. For detailed configurations. snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id ssap ssap-id } | snap etype etype-id } } quit interface interface-type interface-number Required All Ethernet ports are access ports by default. On some 3Com series switches. and you must configure its VLAN as the default VLAN with the management-vlan command before creating the VLAN interface.. In this case... regardless of how the state of the ports in the VLAN changes. Required All ports belong to VLAN 1 by default. To configure a protocol VLAN.. create the VLAN first. Enter system view Enter VLAN view Create a protocol template Use the command. the VLAN interface is up so long as one port in the VLAN is up and goes down if all ports in the VLAN go down.. refer to the corresponding user manual.. system-view vlan vlan-id Remarks - Required protocol-vlan [ protocol-index ] { at | ip | ipx No protocol template exists by { ethernetii | llc | raw | default. 
Protocol VLAN Configuration Protocol VLAN enables your switch to assign an incoming untagged frame to a VLAN based on its protocol.

.VLAN Configuration Example 199 To. The design department and part of the R&D department share the same office area. Both the R&D department and the marketing department can access the public servers. The R&D department and the marketing department are on different IP network segments. Use VLANs to fulfill the following: ■ Employees of the same department can communicate with each other.. an Ethernet port is [ to protocol-index-end ] | all } not associated with any protocol VLAN. Remarks port hybrid protocol-vlan Required vlan vlan-id { protocol-index By default. the marketing department. The R&D department and the marketing department are located in different office areas. the hosts and server of the marketing department and those of the design department cannot access the VPN of the R&D department... and the design department. The three departments are located in the same building. ■ ■ ■ . Associate the port with the protocol VLAN Use the command. However. the design server and the R&D server are accessible to only the employees of the design department and the R&D department respectively. The hosts and server of the R&D department and those of the design department cannot access the Internet. and the hosts of the other two departments use Windows. while employees of different departments cannot. Available in any view Display information about the display protocol-vlan vlan { vlan-id [ to vlan-id ] | all } protocol templates of the specified VLAN(s) Display information about the protocol templates of the protocol VLANs associated with the specified port(s) display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all } VLAN Configuration Example Network Requirements A company has three departments: the R&D department. A switch (Core-Switch A in Figure 71) assigns addresses to hosts of the two departments automatically. The hosts of the design department use the Apple operating system (OS).

Network Diagram
Figure 71 Network diagram for VLAN configuration
Configuration Outlines
Configuration on Switch A
Figure 72 Network diagram for Switch A
[Diagrams not reproduced. Labels recovered from Figures 71 and 72: VPN, Internet, Public Servers, Core-SwitchA, Core-SwitchB, SwitchA, SwitchB, Design Server, R&D Server, R&D Dept., Market Dept., Design Dept. & R&D Dept., Eth1/0/5, Eth1/0/7, Eth1/0/10, GE 1/1/1]
On Switch A, assign the port connecting to the independent office area of the R&D department and the port connecting to the independent office area of the marketing department to different VLANs, thus isolating the two areas. As the shared office area is used by two departments, assigning the port connecting to the area to a VLAN cannot isolate the two departments. Considering that the design department and the R&D department use different operating systems, you can assign Apple hosts whose network protocol is Appletalk and Windows hosts whose network protocol is IP to different protocol VLANs. Configure GigabitEthernet 1/1/1 to permit frames of all existing VLANs to pass through with VLAN tags for VLAN identification.

Configuration on Core-Switch A Figure 74 Network diagram for Core-Switch A VPN Eth 1/0/20 Core -SwitchA GE 1/1/1 GE 1/1 /2 On Core-Switch A. As it is the egress device for the R&D department to access the VPN. . Note that. Configure the port connecting to Core-Switch A to permit the frames of all existing VLANs to pass through with VLAN tags.VLAN Configuration Example 201 Configuration on Switch B Figure 73 Network diagram for Switch B GE 1/1 /2 GE1/1/1 Eth 1 /0/2 SwitchB Eth 1/0/3 Market Dept. configure Core-Switch A as the gateway for the R&D department and configure the port connecting to the VPN to permit only the frames of the R&D department to pass through. assign the port connecting to the marketing department and the port connecting to the R&D department to different VLANs. Configure Core-Switch A as the DHCP server for IP address assignment. configure Core-Switch B as the gateway for the marketing department. the configuration of the VLAN to which a department belongs must be the same on both Switch A and Switch B. As Core-Switch B is the egress device for accessing the Internet and only the marketing department is allowed to access the Internet. On Switch B. R&D Dept. configure the port connecting to Switch B to permit the frames of the three departments to pass through.

Configuration on Core-Switch B

Figure 75 Network diagram for Core-Switch B (ports shown: Eth 1/0/15, GE 1/1/1, GE 1/1/2, GE 1/1/3, GE 1/1/4)

Each server is connected to Core-Switch B through an individual port. Assign these ports to different VLANs to provide the departments exclusive access to their respective servers. As the public servers are accessible to both the R&D department and the marketing department, create an individual VLAN for the public servers to forward Layer 3 traffic between the servers and the clients. As Core-Switch A forwards Layer 3 traffic between the R&D department and the public servers, configure the link between Core-Switch B and Core-Switch A to permit the frames of the VLAN created for the public servers to pass through besides the frames of the three departments. As Core-Switch B is the egress device for accessing the Internet and only the marketing department is allowed to access the Internet, configure a VLAN interface with an IP address for the VLAN of the marketing department and configure the port connecting to the Internet to permit only the frames of the VLAN to pass through. The IP address of the VLAN interface will be used as the gateway address for the marketing department on Core-Switch A.

Summary

Assign the hosts and server of the R&D department, those of the marketing department, and those of the design department to VLAN 100, VLAN 200, and VLAN 300 respectively. The public servers belong to VLAN 500 and lie on the network segment 192.168.50.0. The following diagram shows the planned VLANs:

Figure 76 Network diagram for the deployment of VLANs (port labels shown: Access VLAN 100; Access VLAN 200; Hybrid, VLAN 100 and VLAN 300 untagged; Trunk permit VLAN 100/200/300; Trunk permit VLAN 100/200/300/500; Access VLAN 500)

Configuration Procedure

Device and version used

Switch 5500 Release version 1510.

Configuration procedure

■ Configure Switch A

# Create VLAN 100, VLAN 200, and VLAN 300.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 300
[SwitchA-vlan300] quit

# Assign Ethernet 1/0/5 to VLAN 100.
[SwitchA] interface Ethernet 1/0/5
[SwitchA-Ethernet1/0/5] port access vlan 100
[SwitchA-Ethernet1/0/5] quit

# Assign Ethernet 1/0/10 to VLAN 200.
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port access vlan 200
[SwitchA-Ethernet1/0/10] quit

# Create a protocol template for VLAN 100 to carry IP and a protocol template for VLAN 300 to carry Appletalk.

[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan ip
[SwitchA-vlan100] quit
[SwitchA] vlan 300
[SwitchA-vlan300] protocol-vlan at
[SwitchA-vlan300] quit

# Create a user-defined protocol template for VLAN 100 to carry ARP for IP communication, assuming that Ethernet_II encapsulation is used.
[SwitchA] vlan 100
[SwitchA-vlan100] protocol-vlan mode ethernetii etype 0806

# Configure Ethernet 1/0/10 as a hybrid port permitting the frames of VLAN 100 and VLAN 300 to pass through untagged.
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 300 untagged

# Associate Ethernet 1/0/10 with all the protocol templates of VLAN 100 and VLAN 300.
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 all
[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 300 all
[SwitchA-Ethernet1/0/10] quit

# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass through with VLAN tags.
[SwitchA] interface GigabitEthernet 1/1/1
[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500

■ Configure Switch B

# Create VLAN 100, VLAN 200, and VLAN 300 on Switch B as you have done on Switch A.

# Assign Ethernet 1/0/2 and Ethernet 1/0/3 to VLAN 200 and VLAN 100 respectively.
<SwitchB> system-view
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port access vlan 200
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface Ethernet 1/0/3
[SwitchB-Ethernet1/0/3] port access vlan 100
[SwitchB-Ethernet1/0/3] quit

# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass through with VLAN tags.
[SwitchB] interface GigabitEthernet 1/1/1
[SwitchB-GigabitEthernet1/1/1] port link-type trunk
[SwitchB-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/1] quit

[SwitchB] interface GigabitEthernet 1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/2] quit

■ Configure Core-Switch A

# Create VLAN 100, VLAN 200, and VLAN 300 on Core-Switch A. The configuration procedure is the same as that on Switch A.

# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass through with VLAN tags. The configuration procedure is the same as that on Switch B.

# Create VLAN 500 and VLAN-interface 500 on Core-Switch A and assign IP address 192.168.50.1/24 to VLAN-interface 500. Configure the trunk port GigabitEthernet 1/1/1 to carry VLAN 500 and configure GigabitEthernet 1/1/1 to permit the frames of VLAN 500 to pass through with VLAN tags.
[Core-SwitchA] vlan 500
[Core-SwitchA-vlan500] quit
[Core-SwitchA] interface Vlan-interface 500
[Core-SwitchA-Vlan-interface500] ip address 192.168.50.1 24
[Core-SwitchA-Vlan-interface500] quit
[Core-SwitchA] interface GigabitEthernet 1/1/1
[Core-SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 500

# Create a VLAN-interface on Core-Switch A to forward traffic of the R&D department to the VPN and assign an IP address to the VLAN-interface. Assign Ethernet 1/0/20 to the VLAN corresponding to the VLAN-interface. The configuration procedure is omitted here.

# Create VLAN-interface 100 and assign it IP address 192.168.30.1. Use this address as the IP address of the gateway for the R&D department. Allocate IP addresses in the address pool 192.168.30.0/24 for the hosts of the R&D department.
[Core-SwitchA] dhcp enable
[Core-SwitchA] interface Vlan-interface 100
[Core-SwitchA-Vlan-interface100] ip address 192.168.30.1 24
[Core-SwitchA-Vlan-interface100] dhcp select interface
[Core-SwitchA-Vlan-interface100] quit

# Create a global IP address pool mk with the address segment 192.168.40.0/24 to allocate IP addresses for the hosts of the marketing department. Configure the gateway IP address as 192.168.40.1 for the hosts, pointing to Core-Switch B.
[Core-SwitchA] dhcp server ip-pool mk
[Core-SwitchA-dhcp-pool-mk] network 192.168.40.0 mask 255.255.255.0
[Core-SwitchA-dhcp-pool-mk] gateway-list 192.168.40.1

Note: For detailed information about configuring DHCP, refer to the Switch 5500 Family Configuration Guide.

■ Configuration on Core-Switch B

# Create VLAN 100, VLAN 200, VLAN 300, and VLAN 500 on Core-Switch B. The configuration procedure is the same as that on Switch A.

# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of all existing VLANs to pass through with VLAN tags. The configuration procedure is omitted here.

# Configure GigabitEthernet 1/1/2 to permit only the frames of VLAN 500 to pass through.

# Configure GigabitEthernet 1/1/3 and GigabitEthernet 1/1/4 to permit only the frames of VLAN 300 and only the frames of VLAN 100 to pass through respectively. The configuration procedure is omitted here.

# Create a VLAN-interface on Core-Switch B to forward traffic of the marketing department to the Internet and assign an IP address to the VLAN-interface. Assign Ethernet 1/0/15 to the VLAN corresponding to the VLAN-interface. The configuration procedure is omitted here.

# Assign IP address 192.168.40.1 to VLAN-interface 200.

Note: To prevent users from modifying the IP addresses and gateways of hosts for accessing unauthorized network resources, you are recommended to enable DHCP-Snooping on Switch A and Switch B to monitor the IP addresses of clients. For detailed information about configuring DHCP-Snooping, refer to the Switch 5500 Family Configuration Guide.

Configuration remarks

After you finish the configuration, the hosts of the three departments should be isolated at the data link layer. As no VLAN interface is created for the VLAN of the marketing department on the VPN gateway Core-Switch A, the hosts of the marketing department should not be able to access the VPN or the R&D department through Layer 3 forwarding. Similarly, as no VLAN interface is created for the VLAN of the R&D department on the Internet gateway Core-Switch B, the hosts of the R&D department should not be able to access the Internet or the marketing department through Layer 3 forwarding. Thus, all departments are isolated at both the data link layer and the network layer.

Precautions

■ Because IP depends on ARP for address resolution in Ethernet, you are recommended to configure the IP and ARP templates in the same VLAN and associate them with the same port to prevent communication failure.
■ The maximum number of protocol templates that can be bound to a port varies by device.

Protocols and Standards

IEEE 802.1Q: Virtual Bridged Local Area Networks
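The isolation described in the configuration remarks holds only while every port carries exactly the VLANs in the plan. The following audit script is an added example, not part of the original guide or of any 3Com tool: it parses a saved command transcript in the format used above and reports ports whose VLAN membership differs from the plan. The function names, the `PLAN` table and the sample transcript (with VLAN 999 inserted on purpose) are assumptions made for the illustration.

```python
import re

# Constructed sample: the Switch B port commands from the procedure above, with
# VLAN 999 added to GigabitEthernet 1/1/2 on purpose so the audit has a finding.
SAMPLE_TRANSCRIPT = """\
<SwitchB> system-view
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port access vlan 200
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface Ethernet 1/0/3
[SwitchB-Ethernet1/0/3] port access vlan 100
[SwitchB-Ethernet1/0/3] quit
[SwitchB] interface GigabitEthernet 1/1/1
[SwitchB-GigabitEthernet1/1/1] port link-type trunk
[SwitchB-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/1] quit
[SwitchB] interface GigabitEthernet 1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 200 300 500 999
[SwitchB-GigabitEthernet1/1/2] quit
"""

# VLANs each Switch B port is meant to carry, taken from the procedure above.
PLAN = {
    "Ethernet1/0/2": {200},
    "Ethernet1/0/3": {100},
    "GigabitEthernet1/1/1": {100, 200, 300, 500},
    "GigabitEthernet1/1/2": {100, 200, 300, 500},
}

# A transcript line is a prompt (<name> or [name-view]) followed by the command.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['100', 'to', '102', '500'] into a set of IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_transcript(text):
    """Return {port: {'link_type', 'vlans', 'all'}} from explicitly typed commands.

    Only what the transcript configures is tracked; platform defaults are not modelled.
    """
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        words = m.group(1).split() if m else []
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            current = "".join(words[1:])          # "Ethernet 1/0/2" -> "Ethernet1/0/2"
            ports.setdefault(current, {"link_type": None, "vlans": set(), "all": False})
        elif words[0] == "quit":
            current = None
        elif current is None:
            continue
        elif words[:3] == ["port", "access", "vlan"] and len(words) > 3:
            ports[current]["vlans"] = {int(words[3])}
        elif words[:2] == ["port", "link-type"] and len(words) > 2:
            ports[current]["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "permit", "vlan"]:
            if words[4:5] == ["all"]:
                ports[current]["all"] = True
            else:
                ports[current]["vlans"] |= expand_vlans(words[4:])
        elif words[:3] == ["port", "hybrid", "vlan"]:
            args = words[3:-1] if words[-1] in ("tagged", "untagged") else words[3:]
            ports[current]["vlans"] |= expand_vlans(args)
    return ports


def audit(ports, plan):
    """Return (port, problem, vlans) tuples for every deviation from the plan."""
    findings = []
    for port in sorted(plan):
        cfg = ports.get(port)
        if cfg is None:
            findings.append((port, "not configured", set()))
        elif cfg["all"]:
            findings.append((port, "permits all VLANs", set()))
        else:
            if cfg["vlans"] - plan[port]:
                findings.append((port, "unplanned VLANs", cfg["vlans"] - plan[port]))
            if plan[port] - cfg["vlans"]:
                findings.append((port, "missing VLANs", plan[port] - cfg["vlans"]))
    for port in sorted(set(ports) - set(plan)):
        findings.append((port, "port not in plan", ports[port]["vlans"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_transcript(SAMPLE_TRANSCRIPT), PLAN):
        print(finding)
```

Run it against transcripts saved from each switch, with one plan table per device.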

8 VLAN CONFIGURATION EXAMPLES

Keywords: VLAN, 802.1q, voice VLAN

Abstract: This document introduces how voice VLAN of the 3Com series Ethernet switches is applied and configured in a network.

Acronyms: VLAN (Virtual local area network)

Voice VLAN Support Matrix

In the 3Com series Ethernet switches based on the Comware V3.10 software platform, the following models support voice VLAN:
■ Switch 5500
■ Switch 5500G
■ Switch 4500
■ Switch 4200
■ E352/E328
■ Switch 4210
■ E126A

Configuring Voice VLAN

Note:
■ For how to configure VLAN, port type and other related functions that voice VLAN configuration involves, refer to the configuration guide that is applicable to your switch.
■ The configuration procedure differs by device. This configuration example uses the Switch 5500. For information on how to configure voice VLAN on other switches, refer to the Configuration Guide for that model.
■ The configuration example in this guide provides only basic configuration procedures. For detailed information about the involved functions, refer to the switch’s configuration guide and command reference guide.

Configuring a Voice VLAN in automatic mode

Follow these steps to configure a voice VLAN in automatic mode:

To... | Use the command... | Remarks
Enter system view | system-view | -
Add a recognizable voice device vendor OUI to the OUI address list | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, the switch identifies voice traffic according to the default OUI address list.
Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default.
Set the voice VLAN aging time | voice vlan aging minutes | Optional. 1440 minutes by default.
Enable voice VLAN globally | voice vlan vlan-id enable | Required
Enter Ethernet port view | interface interface-type interface-number | Required
Enable voice VLAN on the port | voice vlan enable | Disabled by default.
Enable voice VLAN legacy on the port to allow for automatic voice VLAN assignment for voice traffic from third-party vendors’ voice devices | voice vlan legacy | Optional. Disabled by default.
Configure the voice VLAN to operate in automatic mode on the port | voice vlan mode auto | Optional. Automatic mode applies by default.

Configuring a Voice VLAN in manual mode

Follow these steps to configure a voice VLAN in manual mode:

To... | Use the command... | Remarks
Enter system view | system-view | -
Add a recognizable voice device vendor OUI to the OUI address list | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, the switch identifies voice traffic according to the default OUI address list.
Enable the voice VLAN security mode | voice vlan security enable | Optional. Enabled by default.
Set the voice VLAN aging time | voice vlan aging minutes | Optional. 1440 minutes by default.
Enable voice VLAN globally | voice vlan vlan-id enable | Required
Enter Ethernet port view | interface interface-type interface-number | Required
Enable voice VLAN on the port | voice vlan enable | Disabled by default.
Enable voice VLAN legacy on the port to allow for automatic voice VLAN assignment for voice traffic from third-party vendors’ voice devices | voice vlan legacy | Optional. Disabled by default.
Configure the voice VLAN to operate in manual mode on the port | undo voice vlan mode auto | Required. Automatic mode applies by default.
Return to system view | quit |
Assign the port to the voice VLAN | | Required
  Access port: Enter VLAN view | vlan vlan-id |
  Access port: Assign the specified port(s) to the VLAN | port interface-list |
  Trunk port or hybrid port: Enter port view | interface interface-type interface-number |
  Trunk port or hybrid port: Assign the port to the specified VLAN | port trunk permit vlan vlan-id |
  | port hybrid vlan vlan-id { tagged | untagged } |
  Trunk port or hybrid port: Configure the voice VLAN as the default VLAN of the port | port trunk pvid vlan vlan-id | Optional
  | port hybrid pvid vlan vlan-id |

Voice VLAN Configuration Examples

A company plans to deploy IP phones in the office area and meeting rooms. To guarantee voice quality, the voice traffic must be transmitted in a VLAN dedicated to voice traffic. In addition, assign different network segments for the IP phones in the meeting rooms and those in the office area.

■ Network requirements of the IP phones in the office area

All IP phones can get an IP address and voice VLAN information automatically. In addition, they can send tagged voice traffic. The IP phones connect to a switch port via the PCs of their users. It is required that the switch port exit the voice VLAN automatically if no voice traffic has passed by within 100 minutes.

■ Network requirements of the IP phones in the meeting rooms

The company deploys IP phones in two meeting rooms. The IP phone in meeting room 1 sends VLAN untagged voice traffic. In addition, the IP address of the IP phone is manually configured. The OUI address of the IP phone is 00e3-f200-0000. In meeting room 2, a Cisco IP phone capable of getting an IP address and voice VLAN information automatically is deployed. The IP phone sends VLAN tagged voice traffic.

■ Overall network requirements

The IP phones and PCs in the office area connect to the enterprise network through Switch A, and the IP phones in the two meeting rooms connect to the enterprise network via Switch B. The two switches and an XE voice server are connected to the core switch. The core switch connects to the Internet through an egress router. At the same time, the core switch also operates as the DHCP server to allocate IP addresses and voice VLAN configuration for the IP phones configured to get IP addresses automatically.

Network Diagram

Figure 77 Network diagram for voice VLAN configuration

Configuration Outlines

Configuration on Switch A

Figure 78 Network diagram for Switch A (ports shown: GE 1/1/1, Eth1/0/10)

As the IP phones connected to Switch A get IP addresses automatically, they should send an untagged DHCP request to the DHCP server for an IP address upon their startup. When the DHCP server receives a request, it responds with a temporary IP address, and in addition, the voice VLAN ID, and the IP address of the voice server. After the IP phone receives the response, it discards the temporary IP address and re-sends a DHCP request with the voice VLAN tag to the DHCP server. Thus, the IP phone gets an IP address within the voice VLAN to communicate with the voice server normally.

Note: The above procedure describes how a common IP phone gets an IP address. The procedure may differ depending on your IP phone. For the actual procedure of your IP phone, refer to its user manual.

In this network, as Ethernet 1/0/10 of Switch A is required to forward traffic of the default VLAN and the voice VLAN, you should configure Ethernet 1/0/10 as a trunk port or hybrid port. In this example, Ethernet 1/0/10 is configured as a hybrid port.

As the traffic from the PCs is untagged, it will be transmitted through the default VLAN. Configure VLAN 100 as the default VLAN and configure the port to transmit the traffic of the default VLAN untagged.

As the IP phones send tagged traffic after getting IP addresses within the voice VLAN, configure VLAN 200 as the voice VLAN and configure the voice VLAN to operate in automatic mode on the port. Thus, the port can join/exit the voice VLAN automatically.

On Switch A, GigabitEthernet 1/1/1 is uplinked to the core switch to transmit both service traffic and voice traffic. To discriminate data, configure the port as a trunk port to carry VLAN 100 and VLAN 200. As the switch is required to send traffic of the two VLANs tagged, do not configure either of them as the default VLAN.

Table 89 lists the port configurations on Switch A.

Table 89 Port configurations on Switch A

Port | Voice VLAN mode | Port type | Permitted VLANs and operations on the VLAN traffic
Ethernet 1/0/10 | Automatic mode | Trunk/hybrid | VLAN100: pvid, untagged
GigabitEthernet 1/1/1 | - | Trunk | VLAN100: tagged; VLAN200: tagged

Note: The following describes the operations on VLAN traffic
■ pvid: Indicates that the VLAN is configured as the default VLAN of the port.
■ untagged: Indicates that the port sends the traffic of the VLAN untagged.
■ tagged: Indicates that the port sends the traffic of the VLAN tagged.

For instructions on configuring the port’s default VLAN and configuring the port to send traffic untagged or tagged, refer to the applicable configuration guide.

In the following configuration, Ethernet 1/0/10 is configured as a hybrid port.

Note: A hybrid port with voice VLAN enabled in automatic mode joins the voice VLAN in tagged mode automatically and sends the traffic of the voice VLAN tagged.

Configuration on Switch B

Figure 79 Network diagram for Switch B (ports shown: GE1/1/2, Eth1/0/2, Eth1/0/1)

As two types of IP phones are connected to Switch B, the configuration on Ethernet 1/0/1 is different from that on Ethernet 1/0/2.

■ Ethernet 1/0/1

The IP phones connected to Ethernet 1/0/1 are configured with an IP address manually and they send voice traffic untagged. As the port with the voice VLAN mode set to auto does not support receiving untagged voice traffic, you should configure the voice VLAN to operate in manual mode on the port. In addition, configure the voice VLAN as the default VLAN of the port.

■ Ethernet 1/0/2

You can configure Ethernet 1/0/2 in a way similar to configuring Ethernet 1/0/10 on Switch A. However, because only IP phones are connected to Ethernet 1/0/2, you can assign the port to the voice VLAN manually to guarantee stable transmission for voice traffic. Because the IP phones send tagged voice traffic, you should configure the port to send the traffic of the voice VLAN tagged. For the Cisco IP phones connected to the port to communicate with the switch, enable voice VLAN legacy on the port to notify them of the voice VLAN ID, so that the Cisco IP phones can request IP addresses within the voice VLAN.

■ GigabitEthernet 1/1/2

The port sends the voice traffic received on Switch B. As the meeting rooms should use a voice VLAN different from that for the office area, configure VLAN 400 as the voice VLAN on Switch B and configure the port to send the traffic of VLAN 400 tagged.

Table 90 lists the port configurations on Switch B.

Table 90 Port configurations on Switch B

Port | Voice VLAN mode | Port type | Permitted VLANs and operations on the VLAN traffic
Ethernet 1/0/1 | Manual mode | Access/hybrid/trunk | VLAN400: pvid untagged
Ethernet 1/0/2 | Manual mode | Trunk/hybrid | VLAN400: tagged
GigabitEthernet 1/1/2 | - | Trunk/hybrid | VLAN400: tagged

In the following configuration, Ethernet 1/0/1 is configured as an access port, and Ethernet 1/0/2 and GigabitEthernet 1/1/2 are configured as trunk ports.

Configuration on Core Switch

Figure 80 Network diagram for the Core Switch (ports shown: GE 1/0/1, GE1/0/2, GE 1/0/3, GE1/0/4)

The core switch forwards traffic, allocates IP addresses to IP phones, and specifies the voice VLAN and the voice server address.

According to the configuration on Switch A and Switch B, the core switch is required to forward the traffic of VLAN 100, VLAN 200, and VLAN 400. As both the XE voice server and the egress router are connected to the core switch, you should create two VLAN interfaces, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to the two VLANs respectively, thus achieving Layer-3 forwarding.

As analyzed earlier, when an IP phone is powered up, it first gets an IP address in the default VLAN (VLAN 100) from the DHCP server. The DHCP server should return not only an IP address but also the voice VLAN and the voice server address to the IP phone. To achieve that, you should configure the core switch to use option 184 in the DHCP responses in VLAN 100 for conveying voice related information, and allocate IP addresses to IP phones in VLAN 200 and VLAN 400. After the IP phone gets the voice VLAN information, it requests an IP address in the voice VLAN instead of using the IP address obtained in the default VLAN. When receiving the request, the core switch allocates an IP address in VLAN 200 or VLAN 400, whichever the IP phone belongs to. Note that VLAN 200 and VLAN 400 use different IP address segments.

Table 91 lists the interface and port configurations on the core switch.

Table 91 Interface and port configurations on the core switch

VLAN interface | IP address and network segment | Ports involved | Port type | Operations on the VLAN traffic
Vlan-interface100 | 192.168.1.1/24 | GigabitEthernet 1/0/1 | Trunk | tagged
Vlan-interface200 | 192.168.2.1/24 | GigabitEthernet 1/0/1 | Trunk | tagged
Vlan-interface300 | 192.168.3.1/24 | GigabitEthernet 1/0/3 | Access | untagged
Vlan-interface400 | 192.168.4.1/24 | GigabitEthernet 1/0/2 | Trunk | tagged
Vlan-interface500 | 192.168.5.1/24 | GigabitEthernet 1/0/4 | Access | untagged

Configuration Procedure

Devices and software version used

Switch A and Switch B are Switch 5500s with software version Release 1510. The core switch is a Switch 5500G Ethernet switch whose software version is Release 1510.

Configuration steps

■ Configuration on Switch A

# Create VLAN 100 and VLAN 200.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit

# Assign GigabitEthernet 1/1/1 and Ethernet 1/0/10 to the specified VLANs according to Table 89.
[SwitchA] interface GigabitEthernet 1/1/1
[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200
[SwitchA-GigabitEthernet1/1/1] quit
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 untagged
[SwitchA-Ethernet1/0/10] port hybrid pvid vlan 100

# Enable voice VLAN on Ethernet 1/0/10.
[SwitchA-Ethernet1/0/10] voice vlan enable

# Set the voice VLAN aging time to 100 minutes.
[SwitchA-Ethernet1/0/10] quit
[SwitchA] voice vlan aging 100

# Enable voice VLAN security mode so that only voice traffic is transmitted in the voice VLAN. (Optional. The voice VLAN security mode is enabled by default.)
[SwitchA] voice vlan security enable

# Configure VLAN 200 as the voice VLAN globally.
[SwitchA] voice vlan 200 enable

■ Configuration on Switch B

# Create VLAN 100 and VLAN 400.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] vlan 400
[SwitchB-vlan400] quit

# Assign Ethernet 1/0/1, Ethernet 1/0/2, and GigabitEthernet 1/1/2 to the specified VLANs according to Table 90.
[SwitchB] interface Ethernet 1/0/1
[SwitchB-Ethernet1/0/1] port access vlan 400
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port link-type trunk
[SwitchB-Ethernet1/0/2] port trunk permit vlan 100 400
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface GigabitEthernet1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 400
[SwitchB-GigabitEthernet1/1/2] quit

# Enable voice VLAN legacy on Ethernet 1/0/2.
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] voice vlan legacy
[SwitchB-Ethernet1/0/2] quit

# Configure the voice VLAN to operate in manual mode on Ethernet 1/0/1 and Ethernet 1/0/2, and enable voice VLAN on the two ports.
[SwitchB] interface Ethernet 1/0/1
[SwitchB-Ethernet1/0/1] undo voice vlan mode auto
[SwitchB-Ethernet1/0/1] voice vlan enable
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] undo voice vlan mode auto
[SwitchB-Ethernet1/0/2] voice vlan enable
[SwitchB-Ethernet1/0/2] quit

# Add an OUI address 00e3-f200-0000 with the description of Meeting room1 globally.
[SwitchB] voice vlan mac-address 00e3-f200-0000 mask ffff-ff00-0000 description Meeting room1

# Enable voice VLAN security mode so that only voice traffic is transmitted in the voice VLAN. This step is optional. The voice VLAN security mode is enabled by default.
[SwitchB] voice vlan security enable

# Configure VLAN 400 as the voice VLAN globally.
[SwitchB] voice vlan 400 enable

■ Configure the core switch

# Create VLAN 100, VLAN 200, VLAN 300, VLAN 400, and VLAN 500 on the core switch. Assign the specified ports to their respective VLANs according to Table 91. The configuration procedure is omitted here.

# Create VLAN interfaces and assign IP addresses to the VLAN interfaces according to Table 91. The configuration procedure is omitted here.

# Enable DHCP globally.
<CoreSwitch> system-view
[CoreSwitch] dhcp enable

# Create a global address pool vlan100 to allocate IP addresses on the network segment 192.168.1.1/24 to devices in the default VLAN (VLAN 100).
[CoreSwitch] dhcp server ip-pool vlan100
[CoreSwitch-dhcp-pool-vlan100] network 192.168.1.0 mask 255.255.255.0

# Configure VLAN 200 as the voice VLAN and the voice server IP address as 192.168.3.3 for option 184 in the address pool vlan100.
[CoreSwitch-dhcp-pool-vlan100] voice-config ncp-ip 192.168.3.3
[CoreSwitch-dhcp-pool-vlan100] voice-config voice-vlan 200 enable
[CoreSwitch-dhcp-pool-vlan100] quit

# Configure VLAN-interface 100 to operate in global address pool mode.
[CoreSwitch] interface Vlan-interface 100
[CoreSwitch-Vlan-interface100] dhcp select global
[CoreSwitch-Vlan-interface100] quit

# Create an address pool for VLAN-interface 200 and VLAN-interface 400 respectively to allocate IP addresses for the IP phones in the office area and the IP phone in meeting room 2.
[CoreSwitch] interface Vlan-interface 200
[CoreSwitch-Vlan-interface200] dhcp select interface
[CoreSwitch-Vlan-interface200] quit
[CoreSwitch] interface Vlan-interface 400
[CoreSwitch-Vlan-interface400] dhcp select interface

Note: For detailed information about configuring DHCP, refer to the Switch 5500 Family Configuration Guide.

The core switch thus configured should be able to allocate IP addresses, voice VLANs, and the voice server IP address for IP phones in VLAN 200 and VLAN 400, and to forward voice traffic at Layer 3. If required, configure dynamic routing protocols on the core switch, which is beyond the scope of this document. For the configuration on the voice server, refer to the user manual of the 3Com XE voice server.

Configuration remarks

After you finish the configuration, the IP phones in each area can establish connections with the voice server, get telephone numbers, and communicate normally. You are recommended to enable DHCP snooping and some security functions on Switch A and Switch B to ensure that only legal IP phones that get IP addresses from the core switch can use the service, thus preventing malicious interception.

Protocols and Standards

IEEE 802.1Q: Virtual Bridged Local Area Networks
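The voice VLAN security mode and the `voice vlan mac-address ... mask ...` entry used on Switch B both rest on matching a frame's source MAC address against an OUI and mask. The following sketch is an added example, not the switch's own implementation: it models that match for the entry configured above and includes a review check for masks that cover more than a 24-bit OUI. The class and function names, the rule that mask bits must be contiguous, and the sample MAC addresses are assumptions made for the illustration.

```python
def parse_mac(text):
    """Parse a MAC address written as H-H-H (for example 00e3-f200-0000) into an int."""
    groups = text.strip().lower().split("-")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return int("".join(groups), 16)


def prefix_length(mask_bits):
    """Count the leading one bits of a 48-bit mask.

    Raises ValueError when the one bits are not contiguous (a rule assumed by
    this example so that a mask always describes a prefix).
    """
    inverted = ~mask_bits & 0xFFFFFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("mask bits are not contiguous")
    return 48 - inverted.bit_length()


class OuiList:
    """OUI address list: each entry is (masked prefix, mask, description)."""

    def __init__(self):
        self.entries = []

    def add(self, oui, mask, description):
        mask_bits = parse_mac(mask)
        self.entries.append((parse_mac(oui) & mask_bits, mask_bits, description))

    def match(self, source_mac):
        """Return the description of the first entry the source MAC matches, else None."""
        mac = parse_mac(source_mac)
        for prefix, mask_bits, description in self.entries:
            if mac & mask_bits == prefix:
                return description
        return None

    def broad_entries(self, minimum_bits=24):
        """Descriptions of entries whose mask covers fewer bits than a full OUI."""
        return [d for _, m, d in self.entries if prefix_length(m) < minimum_bits]


def admit_to_voice_vlan(source_mac, oui_list, security_mode=True):
    """Simplified model of the voice VLAN check described above.

    With security mode on, only frames whose source MAC matches the OUI list
    are carried in the voice VLAN; with it off, the source MAC is not checked.
    """
    if not security_mode:
        return True
    return oui_list.match(source_mac) is not None


def demo():
    """Evaluate three constructed source MACs against the Switch B entry."""
    ouis = OuiList()
    ouis.add("00e3-f200-0000", "ffff-ff00-0000", "Meeting room1")
    frames = ["00e3-f212-3456",   # constructed: same OUI as the meeting room phone
              "00e3-f300-0001",   # constructed: differs in the third byte
              "0011-2233-4455"]   # constructed: an unrelated host
    return [(mac, admit_to_voice_vlan(mac, ouis)) for mac in frames]


if __name__ == "__main__":
    for mac, admitted in demo():
        print(mac, "forwarded" if admitted else "dropped")
```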
