DPtech LSW6600 Series Ethernet Switches Command Configuration Manual v3.0
Declaration
Copyright © 2008-2019 Hangzhou DPtech Technologies Co., Ltd. All rights reserved.
No part of this manual may be extracted or copied by any company or individual without written permission, nor transmitted by any means.
Owing to product upgrades or other reasons, the information in this manual is subject to change.
Hangzhou DPtech Technologies Co., Ltd. reserves the right to modify the content of this manual. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in the preparation of this document to ensure the accuracy of its contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Conventions
Command conventions
Convention    Description
Boldface      Command keywords are in boldface. They must be entered as shown and cannot be changed.
italic        Command arguments are in italic. They must be replaced with actual values on the command line.
{ }           Items (keywords and arguments) in braces { } occur one or more times.
(x|y|...)     Alternative items are grouped in parentheses and separated by vertical bars. One of them is selected.
Sign conventions
Convention       Description
(caution icon)   An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
Contents
1 Common Maintenance Commands Introduction .................................................................................. 1-1
1.1 Log in to the device ........................................................................................................................... 1-1
1.2 Viewing device information ................................................................................................................ 1-2
1.3 Software version upgrade .................................................................................................................. 1-3
1.4 Clear configuration ............................................................................................................................ 1-9
2 Basic Layer 2/3 Forwarding Configuration Example ............................................................................ 2-1
2.1 Introduction to Layer 2 forwarding ..................................................................................................... 2-1
2.2 Introduction to Layer 3 forwarding ..................................................................................................... 2-2
3 Port Aggregation Configuration Example ............................................................................................. 3-1
3.1 Introduction to port aggregation ......................................................................................................... 3-1
3.2 Dynamic port aggregation configuration example ............................................................................. 3-3
4 Port Mirroring Configuration Example .................................................................................................. 4-1
4.1 Introduction to port mirroring ............................................................................................................. 4-1
4.2 Local port mirroring configuration example ....................................................................................... 4-2
4.3 Remote port mirroring configuration case implemented by the reflection port .................................. 4-4
4.4 Remote port mirroring for outbound port implementation ................................................................. 4-8
5 Port Rate limiting Configuration Example ............................................................................................ 5-1
5.1 Port rate limiting introduction ............................................................................................................. 5-1
5.2 Configuration example ....................................................................................................................... 5-1
6 Port Isolation Configuration Example ................................................................................................... 6-1
6.1 Introduction to port isolation .............................................................................................................. 6-1
6.2 Configuration example ....................................................................................................................... 6-1
7 MAC/IP/Port Binding Configuration Example ....................................................................................... 7-1
7.1 Introduction to MAC/IP/Port binding .................................................................................................. 7-1
7.2 Configuration example ....................................................................................................................... 7-1
8 PVLAN Configuration Example ............................................................................................................ 8-1
8.1 PVLAN introduction ........................................................................................................................... 8-1
8.2 Configuration example ....................................................................................................................... 8-1
9 QinQ Configuration Example ................................................................................................................ 9-1
9.1 QinQ introduction ............................................................................................................................... 9-1
9.2 Basic QinQ configuration example .................................................................................................... 9-1
9.3 Flexible QinQ configuration example................................................................................................. 9-4
10 ARP Protection Configuration Example ............................................................................................ 10-1
1 Common Maintenance Commands Introduction
1.1 Log in to the device
After SSH is enabled on the switch, you can log in to the device over SSH by entering its management address, user name (initial user name admin), and password (initial password admin_default). SSH is enabled from the serial terminal as follows:
<DPTECH>conf-mode
[DPTECH]ssh enable
[DPTECH]
After Telnet is enabled on the switch, you can log in to the device by entering its management address and credentials. The Telnet login prompt takes one of two forms. When only a password is required, the terminal displays:
User Access Verification
Password:
<DPTECH>
When a user name and password are required, log in with the management address, user name (initial user name admin), and password (initial password admin_default). The terminal displays:
User Access Verification
Username:admin
Password:admin_default
<DPTECH>
The initial credentials are printed in this manual and are therefore known to anyone who reads it: change the admin password before the management interface is reachable from a production network, and prefer SSH over Telnet, which sends the user name and password in clear text.
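The following check drives the Telnet login dialogue shown above to find out whether a switch still accepts the initial credentials. It is an added example, not code from the DPtech manual: it answers a "Username:" prompt with the user name and a "Password:" prompt with the password, treats the "<DPTECH>" prompt as success and a renewed prompt as rejection. The transport is injected as recv/send callables so the logic runs offline against the constructed ScriptedDevice; probe_tcp() is the live variant and is an assumption about how you would wire it to a socket (it does not answer Telnet option negotiation).

```python
"""Default-credential check for the DPtech Telnet login dialogue (added example)."""
import socket
from typing import Callable, List, Optional

DEFAULT_USER = "admin"            # initial user name from the manual
DEFAULT_PASS = "admin_default"    # initial password from the manual
SUCCESS_PROMPT = b"<DPTECH>"      # CLI prompt shown after a successful login


def telnet_login_accepted(recv: Callable[[], bytes], send: Callable[[bytes], None],
                          user: str = DEFAULT_USER, password: str = DEFAULT_PASS,
                          max_reads: int = 32) -> Optional[bool]:
    """True if the device accepts user/password, False if it prompts again after
    the credentials were sent, None if the dialogue ends without an outcome."""
    buf = b""
    sent_user = sent_pass = False
    for _ in range(max_reads):
        chunk = recv()
        if not chunk:                     # peer closed the connection
            return None
        buf += chunk
        if SUCCESS_PROMPT in buf:
            return True
        tail = buf.rstrip()
        if not sent_user and tail.endswith(b"Username:"):
            send(user.encode() + b"\r\n")
            sent_user, buf = True, b""
        elif not sent_pass and tail.endswith(b"Password:"):   # password-only mode has no Username:
            send(password.encode() + b"\r\n")
            sent_pass, buf = True, b""
        elif sent_pass and (b"Username:" in buf or b"Password:" in buf):
            return False                  # prompted again after the credentials: rejected
    return None


def probe_tcp(host: str, port: int = 23, timeout: float = 5.0) -> Optional[bool]:
    """Run the check against a live device (assumed wiring; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return telnet_login_accepted(lambda: s.recv(4096), s.sendall)


class ScriptedDevice:
    """Constructed stand-in for a switch that accepts exactly one credential pair."""

    def __init__(self, valid_user: str, valid_pass: str, ask_username: bool = True):
        self.valid = (valid_user, valid_pass)
        self.ask_username = ask_username
        self.first_prompt = b"Username:" if ask_username else b"Password:"
        self.inbox: List[bytes] = [b"User Access Verification\r\n" + self.first_prompt]
        self.answers: List[str] = []

    def recv(self) -> bytes:
        return self.inbox.pop(0) if self.inbox else b""

    def send(self, data: bytes) -> None:
        self.answers.append(data.strip().decode())
        if self.ask_username and len(self.answers) == 1:
            self.inbox.append(b"\r\nPassword:")   # user name taken, now ask for the password
            return
        attempt = tuple(self.answers) if self.ask_username else (self.valid[0], self.answers[0])
        self.answers = []
        self.inbox.append(b"\r\n<DPTECH>" if attempt == self.valid else b"\r\n" + self.first_prompt)
```

A device that returns True for the defaults has never had its admin password changed; a result of None (connection closed, or no recognizable prompt) should be inspected by hand rather than treated as secure.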
Before upgrading the software version, make sure the user terminal and the switch are properly connected: connect the host's serial cable to the console port of the switch, and use a network cable to connect the host's network card to a physical port of the switch. Start the TFTP server on the host.
When the device is powered on or restarted, the following messages are displayed on the terminal. When "will boot in 3" is printed, the system asks whether to enter the ConBoot menu and waits 3 seconds. Press <Ctrl+B> within this time and the system prompts:
please enter the password:
After the correct password is entered, the boot menu is displayed. The switch has no ConBoot password by default, so pressing Enter opens the ConBoot menu. You can then upgrade the software version of the device by following the prompts below.
Because the ConBoot password is empty by default and the menu offers "Skip Current System Password", anyone with console access can bypass the system login. Set a ConBoot password (menu item <5> Modify ConBoot Password) and restrict physical access to the console port.
*********************************************************
* *
* ConBoot, basic Version 1.25.05 *
* *
*********************************************************
Power On reset config = 0x0000000000D4093B
Compiled Date:Compiled on Wed, 23 Dec 2015 00:43:03 +0800
Type [CTRL+F] to enter board setup 0
Trying configuration: CMD:0x18
Dram page thrash test PASSED.
update successfully
=====================<GIGEERNET SUB-MENU>=====================
<1> Download Application Program To SDRAM And Run
<2> Modify Gigeernet Parameter
<3> Update Main Application File
<4> Update Backup Application File
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):0-------------------------------> After the upgrade is successful,
type 0 to return to the main menu
====================<EXTEND-ConBoot-MENU>====================
<1> Boot System
<2> Enter Serial SubMenu
<3> Enter Ethernet SubMenu
<4> File Control
<5> Modify ConBoot Password
<6> Skip Current System Configuration
<7> ConBoot Operation Menu
<8> Skip Current System Password
<0> reboot
=============================================================
enter your choice (0 - 7):0------------> Type 0 to restart the device. The version used after
the device is up is the upgraded version.
Before upgrading the version, ensure that the host NIC and the physical port of the switch are correctly connected, that the host and the device can communicate, and that the TFTP server is running on the host. Log in to the device through the serial port and follow the prompts above to upgrade the version.
Set the backup version in command-line mode. When the main version is deleted, the standby version is used after the device restarts.
[DPTECH]boot-file backup LSW6600-S111C011D007.bin
[DPTECH]
2 Basic Layer 2/3 Forwarding Configuration Example
2.1 Introduction to Layer 2 forwarding
The company's internal network is divided into multiple VLANs. Users in the same VLAN communicate through Layer 2 forwarding.
(Figure: HostA connects to port gige0_1 of SW, HostB connects to port gige0_2 of SW.)
You can use the show mac-address-table slot 0 all command to view the MAC address table, which contains the entries for MAC A and MAC B. After Host A and Host B are configured with addresses in the same network segment, they can communicate with each other.
2.2 Introduction to Layer 3 forwarding
The company has multiple VLANs, which are isolated at Layer 2. Users in different VLANs can communicate only through Layer 3 forwarding.
Layer 3 forwarding requires that the routes to the 1.1.1.0 and 3.3.3.0 network segments are reachable. You can configure static routes on SW1 and SW2 or use a routing protocol such as RIP or OSPF.
(1) Create VLAN 2 and VLAN 3 on SW1 and add interfaces to the corresponding VLANs.
(2) Configure the IP address and static route of the vlan-if interface on SW1.
(3) Create VLAN 2 and VLAN 3 on SW2 and add interfaces to the corresponding VLANs.
(4) Configure the IP address and static route of the vlan-if interface on SW2.
(1) Create VLAN 2 and VLAN 3 on SW1. Add an interface to the corresponding VLAN and
configure the IP address of the vlan-if interface.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
(2) Configure the IP address and static route of the vlan-if interfaces on SW1. The address of vlan-if3 (2.2.2.1/24) is the next hop that SW2 uses for the 1.1.1.0 segment, and SW1 needs the reverse route to 3.3.3.0 through SW2 (2.2.2.2).
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip address 2.2.2.1/24
[DPTECH-vlan-if3]exit
[DPTECH]ip route 3.3.3.0 255.255.255.0 2.2.2.2
(3) Create VLAN 2 and VLAN 3 on SW2 and add interfaces to the corresponding VLANs.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
(4) Configure the IP address and static route of the vlan-if interface on SW2.
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 2.2.2.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip address 3.3.3.1/24
[DPTECH-vlan-if3]exit
[DPTECH]ip route 1.1.1.0 255.255.255.0 2.2.2.1
After HostA and HostB are configured with the IP addresses of the corresponding network
segments, they can communicate normally.
3 Port Aggregation
Configuration Example
3.1 Introduction to port aggregation
Port aggregation, also called link aggregation, binds multiple physical links into one logical link. This increases link bandwidth and makes the bundled links back each other up dynamically, which improves link reliability. When the switch detects that the link of a member port in the aggregation group is faulty, it stops sending packets on that port and redistributes the load of the faulty link to the remaining links according to the load-balancing policy. After the faulty link recovers, the switch resumes sending packets on it.
Item                  Description
Member port           A bundled Ethernet interface is called a member port of the aggregation group.
Selected state        A member port in this state can forward user data.
Unselected state      A member port in this state cannot forward user data.
Master port (Master)  The port in the Selected state with the smallest port number is called the master port.
There are two modes of port aggregation: static aggregation and dynamic aggregation.
Item                  Description
Static aggregation    The aggregation port is created and member ports are added entirely by manual configuration. No port aggregation control protocol is involved.
Dynamic aggregation   Member ports negotiate membership with the peer device through LACP ("Protocol : LACP" in the aggregation group status output).
Currently, port aggregation load balancing on the switch supports the following types: source IP address; destination IP address; source IP address and destination IP address; source MAC address; destination MAC address; source MAC address and destination MAC address; and enhanced. Users can select the appropriate type according to the actual application requirements.
The bandwidth of the logical link generated after aggregation equals the total bandwidth of the physical links, and the links back each other up, which improves link reliability. Port aggregation can be used on important enterprise links to make the network more resilient.
(Figure: SW1 and SW2 are connected by bond1, whose member ports are gige0_1 and gige0_2 on each switch; on each switch gige0_4 belongs to VLAN 2 and gige0_5 to VLAN 3.)
(1) Create bond1 on SW1 and SW2 respectively, configure the aggregation group type as
dynamic aggregation, and the outbound port algorithm as the source IP address and
destination IP address, and add the aggregation member ports gige0_1 and gige0_2.
(2) Create VLAN2-3 in SW1 and SW2 respectively, configure the bond1 port as a trunk, and
allow VLAN2-3 to pass.
(1) Create bond1 on SW1 and SW2, set the aggregation group type to dynamic aggregation and the outbound port algorithm to source IP address and destination IP address, and add the aggregation member ports gige0_1 and gige0_2.
[DPTECH]interface bond 1
[DPTECH-bond1]bond mode dynamic
[DPTECH-bond1]bond load-sharing mode source-destination-ip
[DPTECH-bond1]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]bond group 1
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]bond group 1
[DPTECH-gige0_2]exit
(2) Create VLAN2-3 in SW1 and SW2 respectively, configure the bond1 port as a trunk, and
allow VLAN2-3 to pass.
[DPTECH]vlan 2 to 3
[DPTECH]interface bond1
[DPTECH-bond1]switchport mode trunk
[DPTECH-bond1]switchport trunk allowed vlan 2-3
[DPTECH-bond1]switchport trunk native vlan 3
Aggregation group status displayed on one switch:
bond listing:
-------------
bond: 1
--------
Bond state : L2
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Bond description:
Minimum Links :
Maxports : 8
Protocol : LACP
Select mode : speed
System-priority : 32768
System-id : 00:24:AC:71:AD:F1
Par system-id : 00:24:AC:B5:47:12
Minimum port : gige0_1
Select port : gige0_1,gige0_2
Unselect port :
Aggregation group status displayed on the peer switch:
bond listing:
-------------
bond: 1
--------
Bond state : L2
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Bond description:
Minimum Links :
Maxports : 8
Protocol : LACP
Select mode : speed
System-priority : 32768
System-id : 00:24:AC:B5:47:12
Par system-id : 00:24:AC:71:AD:F1
Minimum port : gige0_1
Select port : gige0_1,gige0_2
Unselect port :
The aggregation group status information indicates that the aggregation group 1 is a dynamic
aggregation group that performs load sharing based on the source IP address and the destination
IP address. When the data traffic of VLAN 2 and VLAN 3 is aggregated, load balancing and link
backup can be implemented, which increases the reliability of the link.
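The model below shows what the source-destination-ip load-sharing mode configured on bond1 means for traffic: every packet is hashed on its (source IP, destination IP) pair and the hash selects one member port in the Selected state, so all packets of one flow use the same member link, a single flow never exceeds one link's bandwidth, and flows are rehashed onto the remaining members when a port fails. It is an added example, not code from the DPtech manual; the hash (CRC-32 over the two packed addresses) is an assumption for illustration, since the switch's actual hash is not documented on this page, and the flows are constructed.

```python
"""Per-flow load sharing across aggregation member ports (added example)."""
import ipaddress
import zlib
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP)


class Bond:
    def __init__(self, selected_ports: List[str]):
        self.members = list(selected_ports)   # ports in Selected state, e.g. ["gige0_1", "gige0_2"]

    def select_port(self, src_ip: str, dst_ip: str) -> str:
        """Deterministic member choice for a flow (source-destination-ip mode).
        CRC-32 stands in for the switch's undocumented hash (assumption)."""
        if not self.members:
            raise RuntimeError("no member port in Selected state: bond is down")
        key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
        return self.members[zlib.crc32(key) % len(self.members)]

    def fail_member(self, port: str) -> None:
        """Link fault: the port leaves the Selected state and its flows are rehashed
        onto the remaining members, as the introduction describes."""
        self.members.remove(port)

    def distribute(self, flows: List[Flow], packets_per_flow: int = 100) -> Dict[str, int]:
        """Packets carried per member port for a set of flows."""
        load: Counter = Counter()
        for src, dst in flows:
            load[self.select_port(src, dst)] += packets_per_flow
        return dict(load)


# Constructed: 40 hosts in VLAN 2 (1.1.1.0/24) each talking to one server in VLAN 3.
SAMPLE_FLOWS: List[Flow] = [(f"1.1.1.{i}", "3.3.3.1") for i in range(2, 42)]
```

Because the hash key contains only the two IP addresses, many hosts talking to one server spread across both members, while a single large transfer between two hosts stays on one 1 Gbit/s link no matter how many members the bond has; choose the load-sharing type with the traffic pattern in mind.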
4 Port Mirroring Configuration Example
4.1 Introduction to port mirroring
Table 4-1 Source port and destination port of the port mirroring group
Item                Description
Source port         The monitored port. Packets passing through this port are copied to the destination port for monitoring and analysis.
Destination port    The monitoring port. It receives the packets copied from the source port and forwards them to the server that monitors and analyzes them.
Reflector port      A special port in the source mirroring group of remote port mirroring. It belongs to a dedicated VLAN and does not need a network cable connected.
Item                Description
Inbound direction   Only packets received on the source port are mirrored.
Outbound direction  Only packets sent from the source port are mirrored.
Bidirectional       Packets received on and sent from the source port are mirrored.
Port mirroring is divided into two categories: local port mirroring and remote port mirroring.
Item                   Description
Local port mirroring   The source port and the destination port are on the same device. Packets from the source port are copied to the destination port.
Remote port mirroring  The source port and the destination port are on different devices connected through a Layer 2 network. The mirrored packets are forwarded to the destination port across the Layer 2 network.
A port can be added to only one mirroring group. The source port cannot be configured as the
destination port of the mirroring group or other mirroring group.
Local port mirroring is mainly used to monitor and analyze the packets entering and leaving a port of the device. To monitor the packets of a port, configure it as the source port and connect the monitoring server to the destination port for real-time monitoring. When the network is faulty and the device needs to be checked, configure the suspicious port as the source port and connect a packet capture and analysis tool to the destination port.
(3) Create local mirroring group 1 on the SW. The source port is gige0_1 and gige0_2, and the
destination port is gige0_3. The direction is bidirectional.
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_3
[DPTECH-vlan4]exit
[DPTECH]
(3) Create local mirroring group 1 on the SW. The source port is gige0_1 and gige0_2, and the
destination port is gige0_3. The direction is bidirectional.
[DPTECH] mirror 1 source interface gige0_1 gige0_2 both
[DPTECH] mirror 1 destination interface gige0_3
The above configuration creates local mirroring group 1 with source ports gige0_1 and gige0_2, destination port gige0_3, and bidirectional mirroring. All packets entering and leaving gige0_1 and gige0_2 can be monitored on the server connected to gige0_3.
department 2 through the monitoring device server, and uses remote port mirroring to implement
the requirement.
Figure 4-2 Network diagram for remote port mirroring implemented by the reflector port
(1) Switch A is the source device, Switch B is the intermediate device, and Switch C is the destination device.
(2) Create VLAN 2 and VLAN 3 on Switch A, add port gige0_1 to VLAN 2 and port gige0_2 to VLAN 3, and configure gige0_3 to allow VLAN 10 to pass.
(3) On Switch A, configure VLAN 10 as the remote mirroring VLAN, ports gige0_1 and gige0_2 as the mirroring source ports, and port gige0_5 as the reflector port.
(4) Configure port gige0_3 on Switch A, ports gige0_1 and gige0_2 on Switch B, and port gige0_1 on Switch C as trunk ports that allow packets from VLAN 10 to pass.
(5) On Switch C, configure VLAN 10 as the remote mirroring VLAN and port gige0_2, which connects to the data monitoring device, as the mirroring destination port.
(2) On Switch A, add port gige0_1 to VLAN 2 and port gige0_2 to VLAN 3, and configure gige0_3 to allow VLAN 10 to pass.
[SwitchA]vlan 2
[SwitchA-vlan2]port gige0_1
[SwitchA-vlan2]exit
[SwitchA]vlan 3
[SwitchA-vlan3]port gige0_2
[SwitchA-vlan3]exit
[SwitchA]interface gige0_3
[SwitchA-gige0_3]switchport mode trunk
[SwitchA-gige0_3]switchport trunk allowed vlan 10
(3) Configure the remote mirroring VLAN, source ports, and reflector port on Switch A.
<SwitchA>conf-mode
[SwitchA]mirror 1000 source interface gige0_1 gige0_2 both
[SwitchA]mirror 1000 destination remote-vlan 10 reflector-port gige0_5
(4) Configure the trunk ports on Switch B to allow packets from VLAN 10 to pass.
<SwitchB>conf-mode
[SwitchB]interface gige 0_1
[SwitchB-gige0_1]switchport mode trunk
[SwitchB-gige0_1]switchport trunk allowed vlan 10
[SwitchB-gige0_1]exit
[SwitchB]interface gige 0_2
[SwitchB-gige0_2]switchport mode trunk
[SwitchB-gige0_2]switchport trunk allowed vlan 10
(5) Configure port gige0_1 on Switch C as a trunk port and allow VLAN 10 packets to pass.
<SwitchC>conf-mode
[SwitchC]interface gige 0_1
[SwitchC-gige0_1]switchport mode trunk
[SwitchC-gige0_1]switchport trunk allowed vlan 10
(6) Configure the remote mirroring VLAN and the destination port on the destination device, Switch C.
<SwitchC>conf-mode
[SwitchC]vlan 10
[SwitchC-vlan10]port gige0_2
[SwitchC-vlan10]exit
[SwitchC]mirror 2000 source remote-vlan 10
Verification: run a packet capture tool on the monitoring device connected to gige0_2 of Switch C; it receives copies of the packets entering and leaving the source ports gige0_1 and gige0_2 on Switch A.
Every port that is allowed to carry VLAN 10 receives a copy of the mirrored traffic, which crosses the Layer 2 network in clear text. Allow VLAN 10 only on the trunk ports between Switch A, Switch B, and Switch C, do not assign user ports to it, and do not reuse it for ordinary traffic.
Figure 4-3 Network diagram for remote port mirroring on the outbound port
(1) Switch A is the source device, Switch B is the intermediate device, and Switch C is the
destination device.
(2) Create VLAN 2 and VLAN 3 on Switch A, add port gige0_1 to VLAN 2 and port gige0_2 to VLAN 3, and configure gige0_3 to allow VLAN 10 to pass.
(3) On Switch A, configure VLAN 10 as the remote mirroring VLAN, ports gige0_1 and gige0_2 as the mirroring source ports, and port gige0_3 as the outbound port.
(4) Configure port gige0_3 on Switch A, ports gige0_1 and gige0_2 on Switch B, and port gige0_1 on Switch C as trunk ports that allow packets from VLAN 10 to pass.
(5) On Switch C, configure VLAN 10 as the remote mirroring VLAN and port gige0_2, which connects to the data monitoring device, as the mirroring destination port.
(2) On Switch A, add port gige0_1 to VLAN 2 and port gige0_2 to VLAN 3, and configure gige0_3 to allow VLAN 10 to pass.
[SwitchA]vlan 2
[SwitchA-vlan2]port gige0_1
[SwitchA-vlan2]exit
[SwitchA]vlan 3
[SwitchA-vlan3]port gige0_2
[SwitchA-vlan3]exit
[SwitchA]interface gige0_3
[SwitchA-gige0_3]switchport mode trunk
[SwitchA-gige0_3]switchport trunk allowed vlan 10
(3) Configure the remote mirroring VLAN, source port, and egress port on SwitchA.
<SwitchA>conf-mode
[SwitchA]mirror 1000 source interface gige0_1 gige0_2 both
[SwitchA]mirror 1000 destination remote-vlan 10 out-port gige0_3
(4) Configure the port trunk port on SwitchB to allow packets from vlan10 to pass.
<SwitchB>conf-mode
[SwitchB]interface gige 0_1
[SwitchB-gige0_1]switchport mode trunk
[SwitchB-gige0_1]switchport trunk allowed vlan 10
[SwitchB-gige0_1]exit
[SwitchB]interface gige 0_2
[SwitchB-gige0_2]switchport mode trunk
[SwitchB-gige0_2]switchport trunk allowed vlan 10
(5) Configure the port type of port gige0_1 as the trunk interface on SwitchC to allow vlan10
packets to pass.
<SwitchC>conf-mode
[SwitchC]interface gige 0_1
[SwitchC-gige0_1]switchport mode trunk
[SwitchC-gige0_1]switchport trunk allowed vlan 10
(6) Configure the remote mirroring vlan and destination port of the destination device on
SwitchC.
<SwitchC>conf-mode
[SwitchC]vlan 10
[SwitchC-vlan10]port gige0_2
[SwitchC-vlan10]exit
[SwitchC]mirror 2000 source remote-vlan 10
Verification: run a packet capture tool on the monitoring device connected to gige0_2 of Switch C; it receives copies of the packets entering and leaving the source ports on Switch A. The resulting trunk configuration on Switch B is:
interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport mode trunk
switchport trunk allowed vlan 10
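The audit below checks the point that matters for remote mirroring: which interfaces are allowed to carry the remote mirroring VLAN, and therefore receive copies of the monitored traffic. It is an added example, not code from the DPtech manual. It parses configuration text in the form shown on this page (interface blocks with "switchport mode trunk" and "switchport trunk allowed vlan ...") and reports any carrier of the mirror VLAN that is not one of the expected transit trunks. SAMPLE_CONFIG is constructed; other forms of the allowed-vlan command (for example an "add" keyword) are not handled because they do not appear on this page.

```python
"""Audit which interfaces carry the remote mirroring VLAN (added example)."""
import re
from typing import Dict, List, Set

# Constructed: Switch B's two transit trunks plus an extra trunk and an access port.
SAMPLE_CONFIG = """\
interface gige0_1
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface gige0_2
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface gige 0_3
 switchport mode trunk
 switchport trunk allowed vlan 2-4,10
!
interface gige0_4
 switchport mode access
!
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VLAN list such as '2-4,10' into {2, 3, 4, 10}."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def trunk_vlans(config: str) -> Dict[str, Set[int]]:
    """Map each trunk interface to the set of VLANs allowed on it."""
    allowed: Dict[str, Set[int]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = "".join(m.group(1).split())   # "gige 0_3" and "gige0_3" name the same port
            continue
        m = re.match(r"switchport trunk allowed vlan\s+(.+)$", line)
        if m and current:
            allowed.setdefault(current, set()).update(parse_vlan_list(m.group(1)))
    return allowed


def mirror_vlan_leaks(config: str, mirror_vlan: int, expected_trunks: Set[str]) -> List[str]:
    """Interfaces that carry mirror_vlan but are not among the expected transit trunks."""
    carriers = {port for port, vlans in trunk_vlans(config).items() if mirror_vlan in vlans}
    return sorted(carriers - expected_trunks)
```

Run it over the configuration of every switch on the path (Switch A, Switch B and Switch C in the example) with that switch's own expected trunk set; any interface it reports is a place where a copy of the monitored traffic leaves the intended path.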
5 Port Rate Limiting Configuration Example
5.1 Port rate limiting introduction
Item                         Description
Inbound port rate limiting   Limits the rate on the port where packets enter the device.
Outbound port rate limiting  Limits the rate on the port from which packets are forwarded.
When an enterprise wants to limit the rate at which a department accesses resources such as
external networks and servers, it can be implemented through the port rate limiting function.
(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
(2) Configure inbound port rate limiting on the SW. The ingress port is gige0_1, the rate limit is 10 Mbit/s (configured as 10000, in kbit/s), and the burst size is 1024 kbit.
(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]
(2) Configure inbound port rate limiting on the SW. The ingress port is gige0_1, the rate limit is 10 Mbit/s (configured as 10000, in kbit/s), and the burst size is 1024 kbit.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]rate-limit input 10000 burst-bucket 1024
[DPTECH-gige0_1]exit
[DPTECH]
After the rate limiting is configured on the port, the total bandwidth of the R&D department
accessing the external network is 10 Mbits/s.
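The policer below models what "rate-limit input 10000 burst-bucket 1024" does to a packet stream: tokens (bytes) accrue at the committed rate, the bucket holds at most the configured burst, and a packet conforms only when the bucket holds enough tokens for its whole length; exceeding packets are dropped. It is an added example, not code from the DPtech manual. The unit interpretation follows the example text (rate in kbit/s, burst in kbit, with 1 kbit taken as 1000 bits) and the single-rate token-bucket algorithm is an assumption, since the switch's exact policer is not documented on this page; the packet arrival patterns are constructed.

```python
"""Token-bucket policer for 'rate-limit input 10000 burst-bucket 1024' (added example)."""
from typing import List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, length in bytes)


class TokenBucketPolicer:
    def __init__(self, rate_kbps: int, burst_kbit: int):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8   # 10000 kbit/s -> 1_250_000 B/s
        self.capacity = burst_kbit * 1000 / 8          # 1024 kbit -> 128_000 B (1 kbit = 1000 bit, assumption)
        self.tokens = self.capacity                    # bucket starts full
        self.last = 0.0

    def conforms(self, now: float, length: int) -> bool:
        """Refill for the elapsed time, then admit the packet if enough tokens remain."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False                                   # dropped; tokens are not consumed


def police(packets: List[Packet], rate_kbps: int = 10000, burst_kbit: int = 1024) -> Tuple[int, int]:
    """Return (conforming, dropped) packet counts for an arrival sequence."""
    policer = TokenBucketPolicer(rate_kbps, burst_kbit)
    passed = dropped = 0
    for t, length in packets:
        if policer.conforms(t, length):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed arrival patterns of 1000-byte packets.
BURST_THEN_IDLE: List[Packet] = [(0.0, 1000)] * 200 + [(1.0, 1000)] * 200   # two bursts, 1 s apart
STEADY_8MBPS: List[Packet] = [(i * 0.001, 1000) for i in range(1000)]         # 1000 B every 1 ms
STEADY_16MBPS: List[Packet] = [(i * 0.0005, 1000) for i in range(2000)]       # 1000 B every 0.5 ms
```

The burst-bucket value decides how much of a sudden burst gets through before policing starts (128 packets of 1000 bytes here), while the rate decides the sustained throughput: a source sending at 8 Mbit/s loses nothing, one sending at 16 Mbit/s loses roughly a third of its packets after the bucket drains.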
6 Port Isolation Configuration Example
6.1 Introduction to port isolation
Port isolation provides Layer 2 packet isolation between ports in the same VLAN. When access between different departments in the same VLAN must be restricted while each department can still reach resources such as servers and the extranet, you only need to add the ports of these departments to the isolation group.
6.2 Configuration example
(1) Create VLAN 2 on the SW and add gige0_1, gige0_2, and gige0_3 to VLAN 2.
(1) Create VLAN 2 on the SW and add gige0_1, gige0_2, and gige0_3 to VLAN 2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit
[DPTECH]
(2) Enable port isolation on gige0_1 and gige0_2, which connect the administrative and marketing departments. gige0_3, which connects the server, stays unprotected.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport protected
[DPTECH-gige0_1]interface gige0_2
[DPTECH-gige0_2]switchport protected
[DPTECH-gige0_2]
Port isolation is enabled on an interface when "Protected: true" appears in the show interface output; "Protected: false" means it is disabled.
<DPTECH>show interface gige0_1
Interface gige0_1
administration state is UP, line state is UP
LAN mode
Media type is copper
Layer2 interface
Description: gige0_1
flow control disable
MTU : 1500
Protected: true
Input speed: 0 pps, 0 bps
Output speed: 0 pps, 0 bps
Input(normal): 21 packets and 0.00% rxpackets lost, 1,692 bytes, 3 broadcasts, 6
multicasts
Input: 0 input errors, 0 length_errors, 0 over_errors, 0 crc_errors, 0 frame_errors,
0 fifo_errors, 0 missed_errors
Output(normal): 18 packets and 0.00% txpackets lost, 1,486 bytes, 3 broadcasts, 3
multicasts
Output: 0 output errors, 0 aborted_errors, 0 carrier_errors, 0 fifo_errors, 0
heartbeat_errors, 0 window_errors
1000Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Layer2 port type access
vlan belong 456
pvid 456
Tr mode: Normal mode
Broadcast Is Not Set
Unicast Is Not Set
Multicast Is Not Set
Long frame Length 1536 B
Virtual machine support: Disable
<DPTECH>
After the port isolation function is enabled, both the administration and the marketing department
can access the server, but the administrative department and the marketing department cannot
access each other.
7 MAC/IP/Port Binding
Configuration Example
7.1 Introduction to MAC/IP/Port binding
MAC/IP/port binding binds the MAC address and IP address of a user host to the switch port it connects to. A packet received on the port is forwarded if it matches the binding entry and discarded otherwise. This prevents users from changing their host IP address at will, which would make management difficult.
The company wants certain employees to use a fixed IP address that they cannot change at will. If the address is changed, the employee cannot access resources such as servers and the extranet.
(1) On the SW, bind the host MAC address and IP address to port gige0_1. Packets matching the binding entry are forwarded; other packets are dropped.
(1) Configure the binding on port gige0_1 of the SW:
[DPTECH]acl mode mac-ipv4 type icap
[DPTECH-acl-mac-ipv4-icap]rule-name 1 source-mac 00:24:AC:be:00:01 source-ipv4
192.168.0.1 physical-ports gige0_1 action permit
[DPTECH-acl-mac-ipv4-icap]rule-name 2 physical-ports gige0_1 action drop
With its original IP address and still connected to gige0_1 of the SW, the host can access the external network. When the host changes its IP address, or is moved to another port of the SW, it can no longer access the external network, which shows that the MAC/IP/port binding has taken effect.
Because rule 2 drops every other packet arriving on gige0_1, the permit rule must come before it in the evaluation order, as the rule numbering above shows. Note also that the binding checks only the source MAC address and source IP address of the packet: a device that forges both the bound MAC address and the bound IP address on gige0_1 is still permitted.
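The following model evaluates the binding ACL above against constructed frames to show the cases the text describes (changed IP address, changed port) and the rule-ordering pitfall. It is an added example, not code from the DPtech manual: the rules are represented as Python data, not in the switch's ACL grammar, and first-match evaluation in rule order is an assumption. The switch's behaviour on ports that have no rule at all is not stated on this page, so evaluate() takes that default as a parameter.

```python
"""First-match evaluation of the MAC/IP/port binding ACL (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "drop"
    port: str                        # physical-ports
    src_mac: Optional[str] = None    # None matches any MAC
    src_ip: Optional[str] = None     # None matches any IPv4 address


@dataclass(frozen=True)
class Frame:
    port: str        # ingress port
    src_mac: str
    src_ip: str


# The binding from the configuration above, as Python data.
BINDING_ACL: List[Rule] = [
    Rule("1", "permit", "gige0_1", src_mac="00:24:AC:be:00:01", src_ip="192.168.0.1"),
    Rule("2", "drop", "gige0_1"),
]


def matches(rule: Rule, frame: Frame) -> bool:
    return (rule.port == frame.port
            and (rule.src_mac is None or rule.src_mac.lower() == frame.src_mac.lower())
            and (rule.src_ip is None or rule.src_ip == frame.src_ip))


def evaluate(acl: List[Rule], frame: Frame, no_rule_default: str = "drop") -> str:
    """Action of the first rule that matches (assumed first-match semantics);
    no_rule_default applies on ports that have no rule at all (assumption)."""
    for rule in acl:
        if matches(rule, frame):
            return rule.action
    return no_rule_default


# Constructed frames.
BOUND_HOST = Frame("gige0_1", "00:24:ac:be:00:01", "192.168.0.1")    # host as bound
CHANGED_IP = Frame("gige0_1", "00:24:ac:be:00:01", "192.168.0.50")   # same host, new address
MOVED_PORT = Frame("gige0_2", "00:24:ac:be:00:01", "192.168.0.1")    # same host, other port
```

Reversing the two rules makes the port-wide drop match first and blocks the bound host as well, which is the ordering error to watch for when more bindings are added to the same port.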
8 PVLAN Configuration
Example
8.1 PVLAN introduction
A PVLAN (Private VLAN) is a private VLAN that uses two-level VLAN isolation: the upper-level (primary) VLAN is visible everywhere and the lower-level (secondary) VLANs are isolated from each other. PVLANs are commonly used on intranets to prevent communication between devices connected to certain interfaces or interface groups while still allowing communication with the default gateway. Although the devices are in different PVLANs, they can use the same IP subnet.
Item            Description
Primary VLAN    Can communicate with the isolated VLAN and all associated community VLANs.
Community VLAN  Ports in the same community VLAN can communicate with each other and with the primary VLAN.
Isolated VLAN   Ports in the isolated VLAN cannot communicate with each other; they can communicate only with ports in the primary VLAN. Each primary VLAN can have only one isolated VLAN.
A company's intranet has mobile users, employees, and several servers. The servers must be isolated from each other, mobile users must not communicate with intranet employees, and all users and servers must be able to reach the Internet.
With the PVLAN function, mobile users and employees are assigned to community VLAN 10 and VLAN 11 respectively, and the servers are assigned to isolated VLAN 12; all of them reach the external network through primary VLAN 100.
(1) Configure PVLAN, VLAN 100 is the primary VLAN, VLAN 10 and VLAN 11 are the
community VLANs, and VLAN 12 is the isolated VLAN.
(1) Configure the PVLAN, vlan100 is the primary VLAN, vlan10 and vlan11 are the community
vlan, and vlan12 is the isolated VLAN.
[DPTECH]pvlan primary-vlan 100 isolate-vlan 12 community-vlan-range 10-11
(2) Add the interface to the VLAN and enable the PVLAN.
[DPTECH]interface gige 0_0
[DPTECH-gige0_0]pvlan promisc-association primary-vlan 100
[DPTECH-gige0_0]exit
[DPTECH]interface gige 0_1
[DPTECH-gige0_1]pvlan host-association secondary-vlan 10
[DPTECH-gige0_1]exit
[DPTECH]interface gige 0_2
[DPTECH-gige0_2]pvlan host-association secondary-vlan 10
[DPTECH-gige0_2]exit
[DPTECH]interface gige 0_3
[DPTECH-gige0_3]pvlan host-association secondary-vlan 11
[DPTECH-gige0_3]exit
[DPTECH]interface gige 0_4
[DPTECH-gige0_4]pvlan host-association secondary-vlan 11
[DPTECH-gige0_4]exit
[DPTECH]interface gige 0_5
[DPTECH-gige0_5]pvlan host-association secondary-vlan 12
[DPTECH-gige0_5]exit
[DPTECH]interface gige 0_6
[DPTECH-gige0_6]pvlan host-association secondary-vlan 12
[DPTECH-gige0_6]exit
HostA can communicate with HostB, PCA can communicate with PCB, HostA and PCA can't
communicate; ServerA and ServerB can't communicate, all Host, PC and Server can connect to
the external network.
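The model below answers, for both the port isolation example in section 6 and the PVLAN example above, whether a unicast frame received on one port may be delivered out of another port of the same switch. It is an added example, not code from the DPtech manual. The rules implemented are the ones the manual states: protected ports cannot reach each other but reach unprotected ports of their VLAN; community ports reach their own community and the primary VLAN; isolated ports reach only the primary VLAN; a promiscuous port in the primary VLAN reaches every secondary VLAN. The two port tables are constructed from the examples, and the mapping of gige0_1 and gige0_2 to the administrative and marketing departments in the isolation case is an assumption.

```python
"""Layer 2 reachability under port isolation and PVLAN (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Port:
    vlan: int                          # VLAN of an ordinary/protected port, secondary VLAN of a PVLAN
                                       # host port, or primary VLAN of a promiscuous port
    protected: bool = False            # switchport protected
    pvlan_role: Optional[str] = None   # "promiscuous", "community" or "isolated"
    primary: Optional[int] = None      # primary VLAN of a secondary VLAN (PVLAN host ports only)


def _primary_of(p: Port) -> Optional[int]:
    return p.vlan if p.pvlan_role == "promiscuous" else p.primary


def can_forward(src: Port, dst: Port) -> bool:
    """Whether a unicast frame from src may be delivered out of dst."""
    if src.pvlan_role or dst.pvlan_role:
        # PVLAN: both ports must belong to the same primary VLAN domain.
        if _primary_of(src) is None or _primary_of(src) != _primary_of(dst):
            return False
        if "promiscuous" in (src.pvlan_role, dst.pvlan_role):
            return True                                # primary VLAN talks to every secondary VLAN
        if src.pvlan_role == "community" and dst.pvlan_role == "community":
            return src.vlan == dst.vlan                # same community VLAN only
        return False                                   # isolated ports, or community <-> isolated
    # Ordinary VLAN with optional port isolation.
    if src.vlan != dst.vlan:
        return False
    return not (src.protected and dst.protected)


# Section 6 topology (constructed): departments on protected ports, server unprotected.
ISOLATION_PORTS: Dict[str, Port] = {
    "gige0_1": Port(vlan=2, protected=True),   # administrative department (assumed port)
    "gige0_2": Port(vlan=2, protected=True),   # marketing department (assumed port)
    "gige0_3": Port(vlan=2),                   # server
}

# Section 8 topology, from the PVLAN configuration above.
PVLAN_PORTS: Dict[str, Port] = {
    "gige0_0": Port(vlan=100, pvlan_role="promiscuous"),              # uplink to the external network
    "gige0_1": Port(vlan=10, pvlan_role="community", primary=100),    # HostA
    "gige0_2": Port(vlan=10, pvlan_role="community", primary=100),    # HostB
    "gige0_3": Port(vlan=11, pvlan_role="community", primary=100),    # PCA
    "gige0_4": Port(vlan=11, pvlan_role="community", primary=100),    # PCB
    "gige0_5": Port(vlan=12, pvlan_role="isolated", primary=100),     # ServerA
    "gige0_6": Port(vlan=12, pvlan_role="isolated", primary=100),     # ServerB
}


def reachable(ports: Dict[str, Port], a: str, b: str) -> bool:
    return can_forward(ports[a], ports[b])
```

Both features restrict only what the switch forwards at Layer 2; two hosts that cannot reach each other directly can still exchange traffic through the gateway on the promiscuous or unprotected port if that device routes between them, so the gateway needs its own filtering for the isolation to hold end to end.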
Item Description
Basic QinQ: The port configured with the basic QinQ function adds a layer of the default VLAN tag of the local port to the received packets.
Flexible QinQ: It is implemented based on the combination of port and VLAN. By matching the traffic classifier, you can add different outer VLAN tags to the traffic of different VLANs on the same port.
When an operator's network needs to carry the traffic of company A and company B, and the two companies have branches in different areas, the operator assigns different VLANs to company A and company B so that the traffic of the two companies is separated while branch offices of the same company can still communicate with each other. Operators can use the basic QinQ function on the devices connected to users.
(2) Configure gige0_1 as a trunk on SW1 and SW2 to allow VLAN 2, 5-20 to pass, with pvid 2; configure gige0_2 as a trunk to allow VLAN 3, VLAN 10-20 to pass, with pvid 3; configure gige0_3 as a trunk to allow VLAN 2-4 to pass, with pvid 4.
(3) Enable the basic QinQ function on gige0_1 and gige0_2 on SW1 and SW2 respectively.
(2) Configure gige0_1 as a trunk on SW1 and SW2, allow VLAN 2 to pass, and set the native
VLAN ID to 2; configure gige0_2 as a trunk, allow VLAN 3 to pass, and set the native VLAN
ID to 3. Configure gige0_3 as a trunk and allow VLAN 2-4 to pass. The Native VLAN ID is 4.
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport mode trunk
[DPTECH-gige0_1] switchport trunk allowed vlan 2
[DPTECH-gige0_1] switchport trunk native vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2] switchport mode trunk
[DPTECH-gige0_2] switchport trunk allowed vlan 3
[DPTECH-gige0_2] switchport trunk native vlan 3
[DPTECH-gige0_2]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3] switchport mode trunk
[DPTECH-gige0_3] switchport trunk allowed vlan 2-4
[DPTECH-gige0_3] switchport trunk native vlan 4
[DPTECH-gige0_3]exit
[DPTECH]
(3) Enable the basic QinQ function on gige0_1 and gige0_2 on SW1 and SW2 respectively.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]qinq enable
[DPTECH]interface gige0_2
[DPTECH-gige0_2]qinq enable
The above configuration enables the basic QinQ function on the gige0_1 and gige0_2 ports. Company A and Company B can communicate between their departments using the different VLANs assigned by the operator.
When the carrier's network needs to carry the traffic of one company whose departments A and B are in different VLANs, and the departments have branches in remote locations that need to communicate through the public network, the operator can enable the flexible QinQ function on the edge device connected to the user to identify the tags of the packets sent by the different departments and encapsulate them with different outer tags.
(2) Configure gige0_1 as the hybrid on SW1 and SW2, allow VLAN 2 and VLAN 3 to pass,
configure gige0_2 as the trunk, allow VLAN 2-4 to pass, and set the native VLAN ID to 4.
(3) Enable the selective QinQ function on the gige0_1 interface on SW1 and SW2. When the received packet's VLAN tag is 20, encapsulate it with outer tag VLAN 2; when the received packet's VLAN tag is 30, encapsulate it with outer tag VLAN 3.
(2) Configure gige0_1 as the Hybrid on SW1 and SW2, allow VLAN 2 and VLAN 3 to pass,
configure gige0_2 as the trunk, allow VLAN 2-4 to pass, and set the Native VLAN ID to 4.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode hybrid
[DPTECH-gige0_1]switchport hybrid allowed vlan 2-3 untagged
[DPTECH-gige0_1]switchport hybrid native vlan 2
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-4
[DPTECH-gige0_2]switchport trunk native vlan 4
[DPTECH-gige0_2]exit
(3) Enable the selective QinQ function on the gige0_1 interface on SW1 and SW2. When the received packet's VLAN tag is 20, encapsulate it with outer tag VLAN 2; when the received packet's VLAN tag is 30, encapsulate it with outer tag VLAN 3.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]qinq inner-vid 20 outer-vid 2 outer-priority 0
[DPTECH-gige0_1]qinq inner-vid 30 outer-vid 3 outer-priority 0
The flexible QinQ function is enabled on the gige0_1 of SW1 and SW2, and different outer tags
are applied to departments A and B. Departments A and B located in different locations can use
the different VLANs assigned by the operator for normal communication.
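An added Python example (not DPtech code) that builds the double-tagged frames the two QinQ modes produce, using the inner-to-outer rules of the flexible QinQ example above. The TPID written on the outer tag and the pass-through of frames without a matching rule are assumptions of this model.

```python
import struct

TPID_8021Q = 0x8100   # customer (802.1Q) tag
TPID_8021AD = 0x88A8  # service (802.1ad) tag
OUTER_TPID = TPID_8021Q  # assumed TPID the switch writes on the pushed outer tag


def parse_vlan_tags(frame: bytes):
    """Return (dst, src, vids, ethertype, payload); vids lists the tags outermost first."""
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VID
        offset += 4
    return dst, src, vids, ethertype, frame[offset + 2:]


def push_outer_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert a new outermost tag between the MAC addresses and whatever follows."""
    tci = ((priority & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", OUTER_TPID, tci) + frame[12:]


def basic_qinq(frame: bytes, port_pvid: int) -> bytes:
    """Basic QinQ: every frame received on the port gets the port's default VLAN
    as a new outer tag, whatever inner tag (if any) it already carries."""
    return push_outer_tag(frame, port_pvid)


def flexible_qinq(frame: bytes, rules: dict) -> bytes:
    """Flexible (selective) QinQ: rules map inner VID -> (outer VID, outer priority),
    mirroring 'qinq inner-vid 20 outer-vid 2 outer-priority 0'. Frames whose inner
    VID has no rule are passed through unchanged (an assumption of this model)."""
    _, _, vids, _, _ = parse_vlan_tags(frame)
    if not vids or vids[0] not in rules:
        return frame
    outer_vid, priority = rules[vids[0]]
    return push_outer_tag(frame, outer_vid, priority)


def build_frame(dst: bytes, src: bytes, vid=None, ethertype=0x0800,
                payload=b"\x00" * 46) -> bytes:
    """Constructed customer frame, optionally carrying one 802.1Q tag."""
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def vids_of(frame: bytes) -> list:
    """Convenience: just the VID stack of a frame, outermost first."""
    return parse_vlan_tags(frame)[2]


# Rules of the flexible QinQ example: department tags 20 and 30 -> outer VLAN 2 and 3.
SW1_GIGE0_1_RULES = {20: (2, 0), 30: (3, 0)}

if __name__ == "__main__":
    dst, src = b"\xff" * 6, bytes.fromhex("001094000001")  # constructed addresses
    dept_a = build_frame(dst, src, vid=20)
    print(vids_of(flexible_qinq(dept_a, SW1_GIGE0_1_RULES)))  # [2, 20]
```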
10 ARP Protection Configuration Example
10.1 ARP protection introduction
To prevent ARP packet attacks, you can use the ARP packet validity check function to inspect the ARP packets received by the device, discard invalid ARP packets, and process legal ARP packets. Packets on an ARP trusted port are not checked. On an ARP untrusted port, packets with invalid MAC addresses or IP addresses are filtered. The check modes are source MAC address check, destination MAC address check and IP address check.
Item Description
Source MAC check mode: Check whether the source MAC address in the ARP packet is the same as the source MAC address in the Ethernet packet header. If they are the same, the packet is valid and is processed. Otherwise, the packet is discarded.
Destination MAC check mode: Check whether the destination MAC address in the ARP reply packet is all 0s or all 1s, and whether it is consistent with the destination MAC address in the Ethernet packet header. All-0, all-1 and inconsistent destination MAC addresses are regarded as invalid, and the packet is discarded directly.
IP address check mode: Check the source and destination IP addresses of the ARP packet. Multicast addresses, all 0s and all 1s are invalid. An ARP reply packet has both its source and destination IP address checked; an ARP request packet has only its source IP address checked.
A network attacker masquerades as a legitimate user using the IP address of a legitimate user,
accesses network resources, and communicates with legitimate users on the network, resulting
in network information transmission errors and leakage of important information. ARP user
legality detection can identify illegal users and discard illegal packets. For the ARP trusted port,
the user validity check is not performed. For the ARP untrusted port, the user validity check is
required to prevent the counterfeit user from attacking.
The user validity check is based on the source IP address and the source MAC address of the ARP packet: it checks whether the user is a valid user on the port and in the VLAN where the packet was received. The check consults the static ARP entries and the DHCP snooping security entries; the DHCP snooping entries are checked after the static ARP entries.
Table 10-2 Checking static ARP entries and DHCP snooping entries
Item Description
Check based on static ARP entries: If the source IP address and source MAC address of the ARP packet match a static ARP entry, the user is considered legal and the ARP packet is forwarded. If the source IP address matches a static ARP entry but the source MAC address does not, the user is considered illegal and the ARP packet sent by the user is discarded. If neither the source IP address nor the source MAC address matches any static ARP entry, continue to search the DHCP snooping security entries.
DHCP snooping entry check: After the static ARP entries are checked, the DHCP snooping security entries are checked. If a matching entry is found, the ARP packet is considered valid and forwarded. If no match is found in any of the checks, the device considers it an illegal packet and discards it directly.
The ARP gateway protection function prevents the forged gateway attack. After the port is
enabled with the function, the port checks whether the source IP address of the packet is the
same as the protected gateway IP address. If the packet is the same, the packet is considered
illegal and discarded. Otherwise, the packet is considered legal and processed.
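The three packet validity checks, the static-ARP-then-DHCP-snooping user check and the gateway protection check, modelled together as an added Python example (not DPtech code). The order in which the checks run, the keying of the two tables and the sample entries are constructed assumptions; the addresses reuse those of the figures in this chapter.

```python
import socket
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6
# sha/spa: sender MAC/IP inside the ARP packet; tha/tpa: target MAC/IP
ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src op sha spa tha tpa")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return socket.inet_aton(text)


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed untagged Ethernet II frame carrying one ARP packet."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp_frame(raw):
    """Return an ArpFrame, or None if the frame is too short or not ARP."""
    if len(raw) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(raw, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(raw, ETH_HDR.size)
    return ArpFrame(eth_dst, eth_src, op, sha, spa, tha, tpa)


def ip_invalid(addr):
    """IP address check mode: multicast (224.0.0.0/4), all 0s and all 1s are invalid."""
    return addr in (b"\x00" * 4, b"\xff" * 4) or (addr[0] & 0xF0) == 0xE0


def packet_validity_check(f):
    """The three ARP packet validity check modes; returns a drop reason or None."""
    # Source MAC check mode: the ARP sender MAC must equal the Ethernet source MAC.
    if f.sha != f.eth_src:
        return "src-mac mismatch"
    # Destination MAC check mode (replies only): the target MAC may not be all 0s
    # or all 1s and must equal the Ethernet destination MAC.
    if f.op == ARP_REPLY and (f.tha in (ZERO_MAC, BCAST_MAC) or f.tha != f.eth_dst):
        return "dst-mac invalid"
    # IP address check mode: requests check the sender IP, replies check both.
    if ip_invalid(f.spa) or (f.op == ARP_REPLY and ip_invalid(f.tpa)):
        return "ip invalid"
    return None


def user_validity_check(f, vlan, port, static_arp, snooping):
    """Table 10-2. static_arp: {(vlan, ip): mac}; snooping: {(ip, mac): (vlan, port)}.
    Static ARP entries are consulted first, then the DHCP snooping entries."""
    bound_mac = static_arp.get((vlan, f.spa))
    if bound_mac is not None:
        return None if bound_mac == f.sha else "static-arp mac mismatch"
    if snooping.get((f.spa, f.sha)) == (vlan, port):
        return None
    return "no static ARP or DHCP snooping binding"


def inspect(raw, port, vlan, trusted_ports, static_arp, snooping, protected_gateways):
    """Untrusted-port pipeline: gateway protection, packet validity, user validity."""
    if port in trusted_ports:
        return "forward"  # ARP trusted ports are not checked
    f = parse_arp_frame(raw)
    if f is None:
        return "forward"  # not an ARP frame, outside the scope of ARP inspection
    if f.spa in protected_gateways:
        return "drop: forged gateway"  # 'arp inspection ... filter source <gateway>'
    reason = packet_validity_check(f) or user_validity_check(f, vlan, port, static_arp, snooping)
    return f"drop: {reason}" if reason else "forward"


def sample_tables():
    """Constructed SW2 state for VLAN 2: a DHCP snooping entry for HostB (1.1.1.10) on
    gige0_2, a static ARP entry for 1.1.1.11, and SW1 (1.1.1.1) as the protected gateway."""
    static_arp = {(2, ip("1.1.1.11")): mac("00:10:94:00:00:01")}
    snooping = {(ip("1.1.1.10"), mac("00:24:ac:13:14:02")): (2, "gige0_2")}
    return static_arp, snooping, {ip("1.1.1.1")}


if __name__ == "__main__":
    static_arp, snooping, gateways = sample_tables()
    hostb = mac("00:24:ac:13:14:02")
    req = build_arp_frame(BCAST_MAC, hostb, ARP_REQUEST, hostb, ip("1.1.1.10"), ZERO_MAC, ip("1.1.1.1"))
    print(inspect(req, "gige0_2", 2, {"gige0_3"}, static_arp, snooping, gateways))  # forward
```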
ARP packet consistency detection is enabled on the access layer of the company to prevent the
attacks of counterfeit users.
Figure 10-1 Network diagram of ARP packet consistency detection: HostA connects to gige0_1 and HostB to gige0_2 of the SW, both in VLAN 2.
(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]
After receiving the ARP packet, the gige0_1 and gige0_2 on the SW will detect whether the
source MAC address of the ARP packet is the same as the source MAC address of the Ethernet
header. If they are the same, the packet is forwarded. Otherwise, the packet is discarded.
After the ARP user validity check is enabled on the access switch of the company, the device will
query the static ARP entries and DHCP snooping entries in sequence after receiving the ARP
packets. If no matching user is found, the ARP packet is considered to be sent by an
unauthorized user, and the ARP packet is discarded.
Figure: Network diagram of ARP user validity check. SW1 is the DHCP server with vlan-if2 1.1.1.1/24 and connects through gige0_1 to gige0_3 of SW2. SW2 runs DHCP snooping; HostA (1.1.1.11/24, DHCP client) connects to gige0_1 and HostB (1.1.1.10/24, DHCP client) to gige0_2, all in VLAN 2.
(1) Create vlan-if2 on SW1 and configure the IP address and DHCP address pool.
(2) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
(3) Enable DHCP snooping on SW2 and enable the function of recording IP MAC addresses.
(4) Enable ARP detection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
(1) Create vlan-if2 on SW1 and configure the IP address and DHCP address pool.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]dhcp server pool test
[DPTECH-dhcp-pool-test]address range 1.1.1.10 1.1.1.100 24
[DPTECH-dhcp-pool-test]default-router 1.1.1.1
[DPTECH-dhcp-pool-test]exit
[DPTECH]dhcp server enable
[DPTECH]
(2) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
(4) Enable ARP detection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
[DPTECH]arp inspection vlan 2 untrust interface gige0_1 gige0_2
DHCP snooping is enabled on SW2. After obtaining the address, HostA and HostB form a
Snooping information list on SW2, which records the MAC address, IP address, and
corresponding port of the client. After receiving the ARP packet, the gige0_1 and gige0_2 of the
SW2 will query the DHCP snooping entry. If the matching user is found, the ARP packet will be
forwarded. Otherwise, the device will discard the ARP packet.
The risk of a gateway attack may exist in the user's network. The ARP gateway protection
function effectively prevents the gateway attack.
(1) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
(2) Enable ARP gateway protection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
(1) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
(2) Enable ARP gateway protection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
[DPTECH]arp inspection vlan 2 untrust interface gige0_1 gige0_2 filter source 1.1.1.1
After gateway protection is configured on SW2, an ARP packet received on gige0_2 in which HostB claims the gateway's IP address (a forged gateway) is discarded. This prevents HostA from learning the MAC address of the fake gateway, so packets destined for the gateway device SW1 are not wrongly sent to HostB.
11 Routing Protocol Configuration Example
11.1 Introduction to routing protocols
A static route is a route that is manually configured on a switch and does not pass routing
information to other devices. Static routes are generally applicable to a relatively simple network
environment. In such an environment, the network administrator can easily understand the
topology of the network and set up correct routing information.
RIP (Routing Information Protocol) is a relatively simple Interior Gateway Protocol (IGP). RIP is
the earliest distance vector routing protocol. Although RIP lacks the complex functions of many
more advanced routing protocols, the simplicity and breadth of its use make it very viable. RIP is
generally applicable to the delivery of routing information within an autonomous system (AS) of a
small homogeneous network.
OSPF (Open Shortest Path First) is a typical link-state routing protocol. OSPF routers exchange
and store link information of the entire network to master the topology of the entire network and
calculate routes independently. As an internal gateway protocol (IGP), OSPF is used to advertise
routing information between routers in the same autonomous domain (AS). Different from the
distance vector protocol (RIP), OSPF has the advantages of supporting large networks, fast route
convergence, and occupying less network resources, and occupies a very important position in
the currently applied routing protocols.
OSPF supports multi-process configuration. Multiple OSPF processes can run on the same device; they are independent of each other and do not affect each other. Route interaction between different OSPF processes is equivalent to route interaction between different routing protocols. Multiple OSPF processes are supported to share a single RID. An interface
A company has only a few switches on its intranet. The networking is relatively simple. You need
to implement communication between network segments.
Figure: Static route network diagram. SW1 (vlan-if10, 2.1.1.1) and SW2 (vlan-if10, 2.1.1.2) are connected through their gige0_0 ports.
(1) Add VLAN 2 and VLAN 10 to SW1 and SW2, assign the port to the corresponding VLAN, and
configure the IP address of the vlan-if.
# Configure on SW1.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan 2]exit
[DPTECH]vlan 10
[DPTECH-vlan 10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH] interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]
# Configure on SW2.
[DPTECH]vlan 2
[DPTECH-vlan 2]exit
[DPTECH]vlan 10
[DPTECH-vlan 10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 3.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH] interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]
# Configure on SW1.
[DPTECH]ip route 3.1.1.0 255.255.255.0 2.1.1.2
[DPTECH]
# Configure on SW2.
[DPTECH]ip route 1.1.1.0 255.255.255.0 2.1.1.1
[DPTECH]
The 1.1.1.0 and 3.1.1.0 network segments can communicate normally.
A company's intranet is small in scale and simple in structure and equipment. It is easier to use
RIP routing protocol for route management.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
# Configure on SW1.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 2
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]
# Configure on SW2.
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]
# Configure on SW3.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 11
[DPTECH] interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]
# Configure on SW1.
[DPTECH]router rip
[DPTECH-rip]network 1.1.1.0/24
[DPTECH-rip]network 2.1.1.0/24
[DPTECH-rip]
# Configure on SW2.
[DPTECH]router rip
[DPTECH-rip]network 2.1.1.0/24
[DPTECH-rip]network 3.1.1.0/24
[DPTECH-rip]
# Configure on SW3.
[DPTECH]router rip
[DPTECH-rip]network 3.1.1.0/24
[DPTECH-rip]network 4.1.1.0/24
[DPTECH-rip]
The 1.1.1.0 network segment and the 4.1.1.0 network segment can communicate normally.
A new planning department in a company adds three switches and has four network segments.
The entire network uses OSPF routing protocol networking. The newly added switches join the
intranet, requiring each network segment to communicate with the intranet.
Figure: OSPF network diagram (Area 0): SW1 vlan-if2 1.1.1.1 (gige0_1), SW3 vlan-if2 4.1.1.1/24 (gige0_0); SW1, SW2 and SW3 are interconnected on ports gige0_0 and gige0_1.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
# Configure on SW1.
[DPTECH]vlan 2
[DPTECH]vlan 10
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH]interface vlan-if2
# Configure on SW2.
[DPTECH]vlan 10
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 11
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]
# Configure on SW3.
[DPTECH]vlan 2
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 11
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]
# Configure on SW1.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1]network 2.1.1.0/24 area 0
[DPTECH-ospf-1]
# Configure on SW2.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 0
[DPTECH-ospf-1]network 3.1.1.0/24 area 0
[DPTECH-ospf-1]
# Configure on SW3.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 3.1.1.0/24 area 0
[DPTECH-ospf-1]network 4.1.1.0/24 area 0
[DPTECH-ospf-1]
The 1.1.1.0 network segment and the 4.1.1.0 network segment can communicate normally.
When the user's network is complex and you want to implement partitioned management so that devices in certain areas are independent of the routing information of other areas, you can use multiple OSPF processes for routing and partition management. Routing information is isolated between different OSPF processes. If a process needs to learn the routes of another process, you can redistribute the routes of that process into it.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.
# Configure on SW1.
[DPTECH]vlan 2
[DPTECH]vlan 10
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]
# Configure on SW2.
[DPTECH]vlan 10
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 11
[DPTECH]
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]
# Configure on SW3.
[DPTECH]vlan 2
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 11
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]
# Configure on SW1.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 1.1.1.0/24 area 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 1
[DPTECH-ospf-1]
# Configure on SW2.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 1
[DPTECH-ospf-1]exit
[DPTECH]router ospf 2
[DPTECH-ospf-2]network 3.1.1.0/24 area 2
[DPTECH-ospf-2]
# Configure on SW3.
[DPTECH]router ospf 2
[DPTECH-ospf-2]network 3.1.1.0/24 area 2
[DPTECH-ospf-2]network 4.1.1.0/24 area 2
[DPTECH-ospf-2]
Process 1 and process 2 isolate the routing information of area 1 and area 2, so the routing information of the two areas does not affect each other. SW1 and SW3 cannot communicate with each other, which achieves the isolation of certain special areas that the user wants. When the user does want SW1 to reach SW3, enter the configuration view of process 1 on SW2 and redistribute the routes of process 2:
[DPTECH]router ospf 1
[DPTECH-ospf-1]redistribute ospf 2
Conversely, when the user wants SW3 to reach SW1, enter the configuration view of process 2 on SW2 and redistribute the routes of process 1:
[DPTECH]router ospf 2
[DPTECH-ospf-2]redistribute ospf 1
12 DHCP Configuration Example
12.1 DHCP introduction
DHCP (Dynamic Host Configuration Protocol) is used to automatically assign an IP address to the
internal network, which is convenient for the user network administrator to manage all the
computers, and also makes the use of the PC and the wireless network more convenient. DHCP
adopts the client/server communication mode. The client actively requests the IP address and
corresponding configuration from the server to dynamically configure the IP address and other
information.
The IP address obtained by the client through dynamic allocation has a lease term. After the lease expires, the server reclaims the address. If the client wants to continue using the address, it must actively renew the lease. Before the address lease expires, the client sends a renewal message to the server. If the server determines that the client may continue to use the address, it replies to the client and the renewal succeeds.
The packets sent by the DHCP client are broadcasted in the broadcast mode. They can only be
broadcast on the same network segment. When the client and server are not on a network
segment, the DHCP relay function can be used to obtain IP addresses across network segments.
Item Description
Dynamic allocation: The IP address assigned to the client by the DHCP server cannot be used permanently. It has a valid period.
Manual allocation: A fixed IP address is manually assigned to certain clients; the IP address is statically bound to the client and used permanently.
When the network size is large and the manual configuration of the client IP address is heavy, the
DHCP server dynamically allocates the IP address to effectively manage the network.
Figure: DHCP server network diagram. SW1 (DHCP server, vlan-if2 192.168.0.1/24) connects through gige0_1 to gige0_1 of SW2; HostA connects to gige0_2 and HostB to gige0_3 of SW2.
(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.
(2) Enable the DHCP server on SW1 and create a dynamic address pool and static binding
address.
(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.
(1) Create VLAN 2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]
(2) Enable the DHCP server on SW1 and create a dynamic address pool and static binding
address.
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.0.10 192.168.0.100 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.0.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]static-bind ip-address 192.168.0.120 mac-address 00:10:94:00:00:01 client-name administrator
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]
View the DHCP server dynamic address pool and static binding address.
<DPTECH>show dhcp server pool 192
Pool 192:
Address range : 192.168.0.10 to 192.168.0.100
Mask : 255.255.255.0
Lease time : 1 days 0 hours 0 mins
Static bind ip address 192.168.0.120 mac address 00:10:94:00:00:01
<DPTECH>
After HostA and HostB request addresses, the device displays the addresses assigned by the DHCP server. When the MAC address of a requesting host matches a static binding entry, that host obtains the bound IP address. You can use the show dhcp-server ip-in-use command to view the IP addresses that have been assigned from the address pool.
When the DHCP client and the DHCP server are not on the same network segment, the DHCP server cannot receive the address request packets from the client. In this case, the DHCP relay function can be enabled on the device between the client and the DHCP server; the relay device forwards the packets exchanged between the client and the server.
The address request packet of the DHCP client is sent by broadcast and can only be broadcast
on the same network segment. When using the DHCP relay function, you need to ensure that the
routes between the DHCP server and the client are reachable.
To ensure that the route is reachable between SW1 and the host network segment, you can
configure a static route to the client host network segment on SW1.
(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.
(2) Enable the DHCP server on SW1, create a dynamic address pool, and configure a static
route.
(3) Create vlan-if2 on SW2, configure IP address to be 192.168.0.2/24, add gige0_1 to vlan-if2,
create vlan-if3, configure IP address to 192.168.1.1/24, add gige0_2 to vlan-if3.
(1) Create vlan-if2 on SW1, configure IP address to be 192.168.0.1/24, add gige0_1 to vlan-if2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]
(2) Enable the DHCP server on SW1, create a dynamic address pool, and configure static
routes.
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.1.20 192.168.0.250 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.2.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]
[DPTECH]ip route 192.168.1.0 255.255.255.0 192.168.0.2
(3) Create vlan-if2 on SW2, configure IP address to be 192.168.0.2/24, add gige0_1 to vlan2,
create vlan-if3, configure IP address to 192.168.1.1/24, add gige0_2 to vlan-if3.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.2/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 192.168.1.1/24
[DPTECH-vlan-if3]exit
[DPTECH]
The client actively sends an address request message. If it obtains the corresponding address, the DHCP function has taken effect.
DHCP snooping is a security feature. When an illegal DHCP server exists on the network, a client may obtain an address from the illegal server, causing the network to fail. To ensure that DHCP clients obtain addresses only from a valid DHCP server, you can enable DHCP snooping on the device between the legal DHCP server and the clients. On the DHCP snooping device, the port connected to the DHCP server is set as the trusted port; the other ports are untrusted ports. After a client obtains an address, the device on which DHCP snooping is enabled records the correspondence between the user's IP address and MAC address.
The trusted port can forward all DHCP packets. The untrusted port discards some DHCP packets
to ensure that the client can obtain an IP address from the legal server.
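An added Python model of the trusted/untrusted port rule and of how the snooping binding table is built (example code, not the switch's implementation). It assumes a binding is recorded from the server's ACK arriving on a trusted port, using the port on which that client's DISCOVER or REQUEST was seen; the DHCP messages are constructed inline.

```python
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2                        # client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5           # option 53 message types used here


def build_dhcp(op, msg_type, chaddr, yiaddr=b"\x00" * 4, xid=0x1234):
    """Constructed minimal DHCP message: BOOTP header, magic cookie, option 53, END."""
    zero4 = b"\x00" * 4
    header = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, zero4, yiaddr, zero4, zero4,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(raw):
    """Return (op, msg_type, chaddr, yiaddr), or None if this is not a DHCP message."""
    if len(raw) < BOOTP.size + 4 or raw[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        return None
    fields = BOOTP.unpack_from(raw, 0)
    op, hlen, yiaddr = fields[0], fields[2], fields[8]
    chaddr = fields[11][:hlen]
    msg_type, i = None, BOOTP.size + 4
    while i < len(raw) and raw[i] != 255:   # walk the TLV options until END
        if raw[i] == 0:                     # PAD has no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        if code == 53 and length == 1:
            msg_type = raw[i + 2]
        i += 2 + length
    return op, msg_type, chaddr, yiaddr


class DhcpSnooping:
    """Models the snooping device (SW2): trusted ports forward everything, untrusted
    ports may not carry server replies, and ACKs from trusted ports populate the
    port/MAC/IP table that 'show dhcp snooping' displays."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}  # chaddr -> port on which the client's DISCOVER/REQUEST arrived
        self.bindings = {}     # yiaddr -> (chaddr, client port)

    def handle(self, raw, port):
        parsed = parse_dhcp(raw)
        if parsed is None:
            return "forward"  # not DHCP, not subject to snooping
        op, msg_type, chaddr, yiaddr = parsed
        if op == BOOTREPLY:
            if port not in self.trusted:
                return "drop: server reply on untrusted port"  # illegal DHCP server
            if msg_type == ACK and chaddr in self.client_port:
                self.bindings[yiaddr] = (chaddr, self.client_port.pop(chaddr))
            return "forward"
        if msg_type in (DISCOVER, REQUEST):  # remember which port the client is on
            self.client_port[chaddr] = port
        return "forward"

    def show(self):
        """Rows in the order of the manual's output: port, MAC, IP."""
        return [(port, chaddr, yiaddr) for yiaddr, (chaddr, port) in self.bindings.items()]


if __name__ == "__main__":
    sw2 = DhcpSnooping({"gige0_1"})                    # gige0_1 faces the legal server SW1
    hosta = bytes.fromhex("0024ac131402")              # MAC from the manual's show output
    print(sw2.handle(build_dhcp(BOOTREPLY, OFFER, hosta, bytes([192, 168, 0, 50])), "gige0_3"))
    sw2.handle(build_dhcp(BOOTREQUEST, DISCOVER, hosta), "gige0_2")
    sw2.handle(build_dhcp(BOOTREPLY, ACK, hosta, bytes([192, 168, 0, 10])), "gige0_1")
    print(sw2.show())
```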
(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.
(2) Enable the DHCP server on SW1 and create a dynamic address pool.
(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.
(4) Enable DHCP snooping on SW2, configure gige0_1 as a trusted port, and the remaining
ports as untrusted ports, and enable the recording of IP MAC addresses.
(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]
(2) Enable DHCP server and create a dynamic address pool on SW1.
<DPTECH>conf-mode
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.0.10 192.168.0.100 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.0.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]
(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
(4) Enable DHCP snooping on SW2, set gige0_1 as a trusted port, and the remaining ports as
untrusted ports.
<DPTECH>conf-mode
[DPTECH]interface gige0_1
[DPTECH-gige0_1]dhcp snooping trust
[DPTECH]dhcp snooping enable
After the clients obtain addresses, view the DHCP snooping information list, which records the port and the mapping between the MAC address and IP address of each host that obtained an address.
<DPTECH>show dhcp snooping
Dhcp Snooping information
-----------------------------------------------
Port_name Macaddr Ipaddr
gige0_2 00:24:ac:13:14:02 192.168.0.10
13 QoS Configuration Example
13.1 QoS introduction
QoS (Quality of Service) is a security mechanism of the network and a technology used to solve problems such as network delay and congestion. Network bandwidth is always limited; whenever there is contention for it, there is a requirement for quality of service. QoS can guarantee bandwidth for the highest-priority service and have its data forwarded preferentially.
On our switch, the QoS trust mode supports the following four types:
Item Description
Trust port priority: Priority mapping based on the port on which the packet enters.
Trust COS priority: Priority mapping based on the COS priority carried in the packet and the COS mapping table.
Trust DSCP priority: Priority mapping based on the DSCP priority carried in the packet and the DSCP mapping table.
Trust IP priority: Priority mapping based on the IP precedence carried in the packet and the IP precedence mapping table.
When multiple ports of a device receive different traffic, you can configure the priority of each port so that traffic from certain ports is forwarded preferentially. When the traffic received by the device carries COS, DSCP or IP precedence values, you can configure the mapping between those priorities and the COS queues on the device to control how the traffic is forwarded. The switch has 8 COS queues, numbered 0-7; the higher the queue number, the higher its priority.
When traffic leaves the device, the egress port can adjust the order in which the queues are served and the share of bandwidth each queue receives by configuring the queue scheduling mode and the queue weights. There are three scheduling modes: SP, WRR, and WDRR. In WRR and WDRR mode you must configure the forwarding ratio of the different COS queues, that is, their weight values.
Item Description
SP mode: Strict priority. The queue with the highest priority is served first, and its packets are forwarded until the bandwidth is used up. If the bandwidth is exceeded, packets in lower-priority queues are discarded.
WRR mode: Weighted round robin. Weights are configured for the different COS queues so that the queues forward traffic in proportion to their weights.
WDRR mode: The traffic forwarding mechanism is similar to the WRR mode.
Network bandwidth in a company is allocated unevenly, so the finance department's data transfers are often interrupted and it cannot work normally. The switch must be configured so that the finance department's data is transmitted with the highest priority to ensure normal operation.
(1) Add ports gige0_0 and gige0_1 to queues 7 and 1, respectively, on the SW.
(2) Configure the QoS in the port gige0_2 on the SW to use the WRR mode. The weight of the
queue 7 is set to 7. The weight of the queue 1 is set to 3.
(1) Add ports gige0_0 and gige0_1 to queues 7 and 1 respectively on SW.
[DPTECH]interface gige0_0
[DPTECH-gige0_0]qos trust port
[DPTECH-gige0_0]qos map port-cos 7
[DPTECH-gige0_0]interface gige0_1
[DPTECH-gige0_1]qos trust port
[DPTECH-gige0_1]qos map port-cos 1
[DPTECH-gige0_1]
(2) Configure the QoS in the port gige0_2 on the SW to use the WRR mode. Set the weight of
queue 7 to 7. Set the weight of queue 1 to 3.
[DPTECH]interface gige0_2
[DPTECH-gige0_2]qos scheduler wrr
[DPTECH-gige0_2]qos wrr queue 7 weight 7
[DPTECH-gige0_2]qos wrr queue 1 weight 3
[DPTECH]
Transmit data at full bandwidth on gige0_0 and gige0_1 and check the bandwidth usage on gige0_2: about 70% of the bandwidth should be used for the finance department's traffic and 30% for the traffic of other departments.
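The SP and WRR behaviour from the table above and the 70%/30% check, as an added Python simulation that is not part of the manual: two saturated COS queues (7 for finance, 1 for the rest) are served by strict priority and by WRR with weights 7 and 3. The packet counts are constructed.

```python
"""Egress queue scheduling: strict priority (SP) versus weighted round robin (WRR)."""
from collections import Counter, deque


def make_queues(n_per_queue):
    """Constructed saturated input: queue 7 (finance) and queue 1 (others), n packets each."""
    return {7: deque(f"fin-{i}" for i in range(n_per_queue)),
            1: deque(f"other-{i}" for i in range(n_per_queue))}


def sp_schedule(queues, slots):
    """SP: every transmit slot goes to the highest-numbered non-empty queue."""
    sent = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                sent.append(queues[q].popleft())
                break
    return sent


def wrr_schedule(queues, weights, slots):
    """WRR: in each round, queue q may send up to weights[q] packets (default 1)."""
    sent = []
    while len(sent) < slots and any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(weights.get(q, 1)):
                if not queues[q] or len(sent) >= slots:
                    break
                sent.append(queues[q].popleft())
    return sent


def share(sent):
    """Forwarded packets per traffic class (the prefix before '-')."""
    return dict(Counter(p.split("-")[0] for p in sent))


def compare(slots=100):
    """Return (SP share, WRR share) for `slots` transmit slots under saturation.
    SP starves queue 1 entirely; WRR with weights 7:3 yields the 70/30 split."""
    sp = share(sp_schedule(make_queues(slots), slots))
    wrr = share(wrr_schedule(make_queues(slots), {7: 7, 1: 3}, slots))
    return sp, wrr


if __name__ == "__main__":
    sp, wrr = compare()
    print("SP :", sp)
    print("WRR:", wrr)
```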
14 802.1x Configuration Example
14.1 802.1x introduction
With the large-scale development of applications such as mobile office and residential network access, service providers need to control and configure user access. In particular, WLAN applications and LAN access are deployed on a large scale in telecommunication networks, and port-level control is needed to achieve user-level access control. 802.1x is the standard defined by IEEE for port-based network access control (Port-Based Network Access Control).
The 802.1x protocol is a client/server-based access control and authentication protocol, and is also a port-based network access control protocol. After the client connected to a port is authenticated, it can access external resources.
Item Description
Radius authentication: Use Radius authentication; the username and password are configured on the Radius server.
Item Description
Mandatory authorization mode: The port can access external resources without authentication.
Forced unauthorized mode: The port cannot be authenticated and cannot access external resources.
Port based mode: Only one client needs to authenticate on this port; other clients on the port can then access external resources normally.
MAC based mode: Every client connected to this port must authenticate before it can access external resources. The device defaults to MAC based mode.
Item Description
Radius relay mode (Relay): EAP is carried in another higher-layer protocol, such as EAP over Radius, so that the extended authentication protocol packets traverse the network to reach the authentication server.
Radius termination method (End): EAP packets are terminated on the device and mapped to Radius packets; the standard Radius protocol is used to complete authentication, authorization, and accounting.
A company needs to restrict employees and visitors from accessing internal resources and
external networks. Employees must pass account authentication to access resources and
communications. Visitors do not have access to internal resources and external networks.
(2) Select the local authentication mode on the SW and configure the username and password
locally.
(2) Select local authentication mode on the SW and configure the username and password
locally.
[DPTECH] dot1x auth-method local
[DPTECH] dot1x local-user test123
[DPTECH-luser-test123]password cipher test123456
[DPTECH]
Install the 802.1x authentication client on the host and use the corresponding username and password for dial-up authentication. After the authentication is passed, the host can access the external network. Enter the user view; online users can be viewed with the show dot1x users command.
A company needs to restrict employees and visitors from accessing internal resources and
external networks. Employees must pass account authentication to access resources and
communications. Visitors do not have access to internal resources and external networks.
(2) Configure the Radius authentication mode on the SW and configure the Radius server using
the relay authentication process.
(2) Configure the Radius authentication mode on the SW and use the relay authentication
process to configure the Radius server.
[DPTECH] dot1x auth-method radius relay
[DPTECH] dot1x radius-server primary 192.168.0.1 key test123 port 1812
After the 802.1x authentication client is installed on the host, the corresponding username and password are used for dial-up authentication. After the authentication is passed, the host can access the external network. Enter the user view and use the show dot1x online-users command to view the online users.
15 MAC Authentication Configuration Example
15.1 Introduction to MAC address authentication
MAC address authentication is an authentication method that controls users' network access rights. It authenticates based on the port and the MAC address and does not require the user to install any client software. When the device detects a user's MAC address for the first time, it starts the authentication operation for that user; the user does not have to enter a username or password manually. After the user is authenticated, network resources can be accessed. If the user fails authentication, the device records the MAC address as a silent MAC address and no longer processes that user's authentication packets.
Item Description
Radius authentication: Use a Radius server, on which the username and password used for authentication are configured.
Item Description
MAC address username: Use the user's MAC address as both the authentication username and password.
Fixed username: Regardless of the user's MAC address, all users are authenticated with a username and password pre-configured on the device.
When using Radius authentication with the MAC address username, you only need to configure
the username and password on the Radius server. When using Radius authentication with a fixed
username, you need to configure the username and password on both the local and the Radius
server.
A company needs to restrict the connection of the guest to the external network, and the
employee needs to operate transparently. The MAC address authentication function can be used
to authenticate the employee's MAC address. The employee can connect to the external network
without manually entering the user name and password. This restricts the guest user from
connecting to the external network.
(2) Configure the local authentication mode on the SW, use a fixed username for authentication,
and configure the username and password locally.
[DPTECH]mac-authentication enable
(2) Configure the local authentication mode on the SW, use a fixed username for authentication,
and configure the username and password locally.
[DPTECH]mac-authentication auth-method local
[DPTECH]mac-authentication auth-username fixed
[DPTECH]mac-authentication local-user zhangsan
[DPTECH-luser-zhangsan]password 123456
[DPTECH-luser-zhangsan]mac-address 11:11:11:11:11:11
[DPTECH-luser-zhangsan]exit
The host does not need to be installed with the client for authentication. After the authentication is
passed, the host can access the external network. Use show mac-authentication access-user
in the configuration view to view online users.
A company needs to restrict the connection of the guest to the external network, and the
employee needs to operate transparently. The MAC address authentication function can be used
to authenticate the employee's MAC address. The employee can connect to the external network
without manually entering the user name and password. This restricts the guest user from
connecting to the external network.
(2) Configure the Radius authentication mode on the SW, use the MAC address username for
authentication, and configure the Radius server.
(2) Configure the Radius authentication mode on the SW, use the MAC address username for
authentication, and configure the Radius server.
[DPTECH]mac-authentication auth-method radius
[DPTECH]mac-authentication auth-username mac
[DPTECH] mac-authentication radius-server 192.168.0.1 key test123
[DPTECH]mac-authentication local-user f0:de:f1:ea:7f:5e
[DPTECH-luser-f0:de:f1:ea:7f:5e]password simple f0:de:f1:ea:7f:5e
[DPTECH-luser-f0:de:f1:ea:7f:5e]mac-address f0:de:f1:ea:7f:5e
The host does not need a client for authentication. After the authentication is passed, the host can access the external network. Enter the user view and use the show macauth users command to view online users.
16 Portal Configuration Example
16.1 Introduction to Portal authentication
Portal authentication is a way to restrict users' access to the Internet. There are two methods: web authentication and terminal authentication. With web authentication, when the user opens a web page the browser is redirected to a specific authentication page, where the user enters a username and password; after the authentication succeeds, the user can access the Internet normally. With terminal authentication, the user enters the username and password in a client program and can access the external network only after the authentication succeeds.
Portal authentication is implemented by issuing Portal-acl. Portal-acl can be configured with user
source IP address, destination IP address, port and action (authentication or pass). In this way,
you can flexibly control the source IP to authenticate (or pass) users on a certain network
segment, or you can configure users to go to certain destination IP network segments for
authentication (or pass).
Item Description
Web authentication: The user enters the username and password on a web page to access the Internet.
Terminal authentication: The user enters the username and password in the client software to log in to the Internet.
Local authentication method: The user logs in with a username and password configured on the device.
Radius authentication method: The user logs in with a username and password configured on the Radius server.
A company needs to restrict employees from accessing the Internet. Employees with user name
and password accounts can authenticate to the Internet. If they do not have an account, they can
use the Web login authentication.
[Figure: PC connected to SW; SW vlan-if2 192.168.2.1/24]
(1) Add vlan2 to the SW, assign it to the port, and configure the vlan-if IP address.
[DPTECH]vlan 2
[DPTECH-vlan2]interface vlan-if 2
[DPTECH-vlan-if2]ip address 192.168.2.1/24
[DPTECH-vlan-if2]interface gige0_2
[DPTECH-gige0_2]switchport access vlan 2
[DPTECH-gige0_2]
When the PC tries to access the external network, it is redirected to a page that asks for the username and password. After the username and password are entered, the PC can access the network normally.
17 Spanning Tree Configuration Example
17.1 Introduction to spanning tree
The Spanning Tree Protocol (STP) is a loop-prevention protocol for Layer 2 networks that also provides link redundancy. When the spanning tree protocol detects a loop in the network, it selects an appropriate location on the loop and blocks the port on that link, preventing the port from receiving and forwarding packets. In this way, the broadcast storm that could arise on the loop is eliminated. Based on the network topology, the spanning tree protocol uses an algorithm to generate a tree topology, thereby avoiding loops in the network. When the topology changes, the spanning tree algorithm recalculates the tree according to the new network topology and generates a new tree structure, which again provides loop protection.
The work of spanning tree is divided into three parts: root bridge election, topology calculation, and port role determination. After the root bridge is elected, the tree topology is calculated under the coordination of the root bridge, with the root bridge as the root of the tree. After the tree topology is calculated, the port roles are determined: the root port and the designated ports take part in packet forwarding, while a blocked port does not forward packets.
Item Description
Root bridge: Elected or manually designated; it directs the work of all devices in the network and is the root of the generated tree structure.
Root port: The port on a non-root bridge that provides the optimal path from that bridge to the root bridge.
Designated port: All ports on the root bridge are designated ports. On a non-root bridge, the ports other than the root port that forward data are designated ports.
Because STP takes too long to converge, IEEE defined the 802.1w Rapid Spanning Tree Protocol (RSTP). It introduces the concepts of edge port, replace port, and backup port, which allow port state changes to happen quickly in some cases and so achieve fast convergence of the spanning tree.
Item Description
Edge port: A designated port configured to connect to a PC or to a downstream switch that does not need to run STP. When BPDU protection is enabled on an edge port, the port is shut down automatically after receiving a BPDU.
Replace port: The backup of the root port. When the root port fails, it can quickly become the new root port and enter the forwarding state.
The MSTP protocol is a multiple spanning tree protocol. Compared with RSTP, it mainly introduces the concepts of instance and domain. A domain groups the network segments that share the same configuration, and a unified configuration is applied inside the domain, where independent spanning trees can be built. A single spanning tree, called the CST (Common Spanning Tree), connects all the domains, ensuring full connectivity without loops. Multiple spanning tree instances can be built inside a domain, and different VLANs can be mapped to different spanning tree instances. Inside each domain there is an instance with instance ID 0, which together with the CST forms the CIST (Common and Internal Spanning Tree). This spanning tree connects the domains of the entire network, and the bridge devices and network segments inside each domain, into one loop-free tree.
Item Description
Domain: Composed of multiple devices in the switched network and the network segments between them.
When the network is complex, the user cannot tell whether there is a loop in it. Any packet that is broadcast in the Layer 2 network may cause a storm on the loop, and once a broadcast storm starts on a loop it will hardly stop unless human intervention removes the loop. Enabling the spanning tree protocol on the Layer 2 network blocks ports on the loop according to the algorithm, so that the loop disappears and the storm hazard is resolved.
[Figure: ring topology of SW1, SW2 and SW3, each connected to the other two through gige0_1 and gige0_2]
(1) Create VLAN 2 on SW1, add gige0_1, gige0_2 to VLAN2, enable STP, set the bridge priority
to 0 (highest priority), and add STP-enabled ports gige0_1 and gige0_2.
(2) Create VLAN 2 on SW2 and SW3, add gige0_1, gige0_2 to VLAN2, enable STP, set the
bridge priority to 4096, and add STP-enabled ports gige0_1 and gige0_2.
(1) Create VLAN 2 on SW1, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the bridge priority to 0 (the highest priority), and add STP-enabled ports gige0_1 and gige0_2.
<DPTECH>conf-mode
[DPTECH]
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode stp
[DPTECH]spanning-tree bridge-priority 0
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the bridge priority to 4096, and add STP-enabled ports gige0_1 and gige0_2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode stp
[DPTECH] spanning-tree bridge-priority 4096
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
# SW1 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 0
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest 0xac36177f 50283cd4 b83821d8 ab26de62
<DPTECH>
# SW2 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
Cost 20000
Port gige0_1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
<DPTECH>
# SW3 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
Cost 20000
Port gige0_1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
<DPTECH>
The above information indicates that the spanning tree protocol blocks the gige0_2 port on SW2,
making the original loop into a tree structure, as shown in the following figure:
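The election and port-role computation behind the show spanning-tree output above, as an added Python example that is not part of the manual. It assumes the ring is wired SW1 gige0_1 to SW2 gige0_1, SW1 gige0_2 to SW3 gige0_1 and SW2 gige0_2 to SW3 gige0_2 (consistent with the outputs), takes SW1's MAC from the output, and constructs the SW2 and SW3 MACs so that SW3 has the lower bridge ID, which is what makes SW2's gige0_2 the blocked port; the numeric suffix of the port name stands in for the port ID. Running compute_roles again with per-instance priorities gives the per-instance trees of the MSTP section below.

```python
"""Root bridge election and port roles for an STP topology."""
import heapq
from dataclasses import dataclass

GE_PATH_COST = 20000  # "Cost 20000" in the show spanning-tree output above


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str

    @property
    def bridge_id(self):
        # Bridge ID compares the priority first, then the MAC; lower wins
        return (self.priority, self.mac.lower())


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    cost: int = GE_PATH_COST


def port_number(port):
    # Assumption: the numeric suffix of "gige0_N" serves as the port ID tiebreak
    return int(port.rsplit("_", 1)[1])


def compute_roles(bridges, links):
    """Return (root name, root path cost per bridge, role per (bridge, port))."""
    by_name = {b.name: b for b in bridges}
    root = min(bridges, key=lambda b: b.bridge_id)
    adj = {b.name: [] for b in bridges}          # name -> [(nbr, my_port, nbr_port, cost)]
    for l in links:
        adj[l.a].append((l.b, l.a_port, l.b_port, l.cost))
        adj[l.b].append((l.a, l.b_port, l.a_port, l.cost))
    # Root path cost = cheapest path from the root (Dijkstra)
    rpc = {b.name: float("inf") for b in bridges}
    rpc[root.name] = 0
    heap = [(0, root.name)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for nbr, _, _, link_cost in adj[node]:
            if cost + link_cost < rpc[nbr]:
                rpc[nbr] = cost + link_cost
                heapq.heappush(heap, (rpc[nbr], nbr))
    roles = {}
    # Root port of each non-root bridge: the port that receives the best BPDU
    for b in bridges:
        if b is root:
            continue
        best = min((rpc[nbr] + c, by_name[nbr].bridge_id, port_number(nbr_port),
                    port_number(my_port), my_port)
                   for nbr, my_port, nbr_port, c in adj[b.name])
        roles[(b.name, best[4])] = "root"
    # Designated port of each link: the end with the better (rpc, bridge ID, port ID)
    for l in links:
        end_a = (rpc[l.a], by_name[l.a].bridge_id, port_number(l.a_port))
        end_b = (rpc[l.b], by_name[l.b].bridge_id, port_number(l.b_port))
        if end_a <= end_b:
            desig, other = (l.a, l.a_port), (l.b, l.b_port)
        else:
            desig, other = (l.b, l.b_port), (l.a, l.a_port)
        roles[desig] = "designated"
        roles.setdefault(other, "blocked")  # neither root nor designated: discarding
    return root.name, rpc, roles


BRIDGES = [
    Bridge("SW1", 0, "00:24:AC:71:AD:85"),     # MAC from the manual's show output
    Bridge("SW2", 4096, "02:00:00:00:00:03"),  # constructed
    Bridge("SW3", 4096, "02:00:00:00:00:02"),  # constructed: lower than SW2's
]
LINKS = [
    Link("SW1", "gige0_1", "SW2", "gige0_1"),
    Link("SW1", "gige0_2", "SW3", "gige0_1"),
    Link("SW2", "gige0_2", "SW3", "gige0_2"),
]

if __name__ == "__main__":
    root, rpc, roles = compute_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role} (root path cost {rpc[bridge]})")
```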
There may be loops in the user's network. If a broadcast storm occurs on the loop, it will hardly
stop. The RSTP and STP protocols can block the ports on the loop according to certain
algorithms, and the loop disappears. The RSTP convergence time is shorter. It is better to use
RSTP when users have higher requirements on convergence time.
[Figure: ring topology of SW1, SW2 and SW3, each connected to the other two through gige0_1 and gige0_2]
(1) Create VLAN 2 on SW1, add gige0_1, gige0_2 to VLAN2, enable RSTP, set the bridge
priority to 0 (the highest priority), and add the RSTP-enabled ports gige0_1 and gige0_2.
(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the bridge priority to 4096, and add RSTP-enabled ports gige0_1 and gige0_2.
(1) Create VLAN 2 on SW1, add gige0_1, gige0_2 to VLAN2, enable RSTP, set the bridge
priority to 0 (the highest priority), and add the RSTP-enabled ports gige0_1 and gige0_2.
<DPTECH>conf-mode
[DPTECH]
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode rstp
[DPTECH] spanning-tree bridge-priority 0
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the bridge priority to 4096, and add RSTP-enabled ports gige0_1 and gige0_2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode rstp
[DPTECH]spanning-tree bridge-priority 4096
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
Enter the user view. Use the show spanning-tree command to check the RSTP status. The RSTP
protocol blocks a port according to a certain algorithm to make the loop disappear.
The MSTP protocol is a multiple spanning tree protocol. Compared with STP, MSTP converges quickly and allows ports to enter the forwarding state quickly. Compared with RSTP, MSTP can divide the network into domains and map different VLANs to different instances, each instance corresponding to a separate spanning tree, which provides link redundancy and load sharing. When the user's network is complex and the convergence time requirement is strict, MSTP is a good choice.
[Figure: SW1, SW2, SW3 and SW4 interconnected through ports gige0_1, gige0_2 and gige0_3]
(1) In SW1 configuration, the protection VLAN of instance 1 is VLAN 2, the bridge priority is 0,
the protection VLAN of instance 2 is VLAN 3, the bridge priority is 4096, and the member
ports are gige0_1, gige0_2, and gige0_3.
(2) Configure the protected VLAN of instance 1 as VLAN 2 and the bridge priority of 4096 on
SW2 and SW3. The protected VLAN of instance 2 is VLAN 3, the bridge priority is 4096, and
the member ports are gige0_1, gige0_2, and gige0_3.
(3) On SW4, configure the protection VLAN of instance 1 as VLAN 2 with bridge priority 4096, the protection VLAN of instance 2 as VLAN 3 with bridge priority 0, and the member ports gige0_1, gige0_2, and gige0_3.
(1) In SW1 configuration, the protection VLAN of instance 1 is VLAN 2, the bridge priority is 0,
the protection VLAN of instance 2 is VLAN 3, the bridge priority is 4096, and the member
ports are gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode mst
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
[DPTECH]interface gige0_3
[DPTECH-gige0_3]spanning-tree enable
[DPTECH]spanning-tree mst configuration
[DPTECH-MSTP]instance 1 vlan 2
[DPTECH]spanning-tree mst 1 bridge-priority 0
[DPTECH-MSTP]instance 2 vlan 3
[DPTECH]spanning-tree mst 2 bridge-priority 4096
[DPTECH]
(2) Configure the protected VLAN of instance 1 as VLAN 2 and the bridge priority of 4096 on
SW2 and SW3 respectively. The protected VLAN of instance 2 is VLAN 3, the bridge priority
is 4096, and the member ports are gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode mst
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
[DPTECH]interface gige0_3
[DPTECH-gige0_3]spanning-tree enable
[DPTECH]spanning-tree mst configuration
[DPTECH-MSTP]instance 1 vlan 2
[DPTECH]spanning-tree mst 1 bridge-priority 4096
[DPTECH-MSTP]instance 2 vlan 3
[DPTECH]spanning-tree mst 2 bridge-priority 4096
[DPTECH]
(3) On SW4, configure the protected VLAN of instance 1 as VLAN 2 with bridge priority 4096, the protected VLAN of instance 2 as VLAN 3 with bridge priority 0, and the member ports gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
# SW1 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
MST1
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 0
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest 0xb41829f9 3a54f b74ef7a8 587ff58d
MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
# SW2 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
MST1
Spanning tree enabled protocol MSTP
Root ID Priority 4096
Address 00:24:AC:D4:BB:40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 0
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest 0xb41829f9 3a54f b74ef7a8 587ff58d
MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:D4:BB:40
Cost 6666
Port bond1
# SW3 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
MST1
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
# SW4 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
MST1
Spanning tree enabled protocol MSTP
Root ID Priority 4096
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:ac:3a:95:bb
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 0
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest 0xb41829f9 3a54f b74ef7a8 587ff58d
The above results show that in the instance 1, SW1 has the highest priority. As the root of MSTP,
the topology diagram is as follows:
[Figure: instance 1 tree over SW1, SW2, SW3 and SW4 with SW1 as the root]
The above results show that in Instance 2, SW4 has the highest priority. As the root of MSTP, the
topology diagram is as follows:
[Figure: instance 2 tree over SW1, SW2, SW3 and SW4 with SW4 as the root]
18 VRRP Configuration Example
18.1 VRRP introduction
The Virtual Router Redundancy Protocol (VRRP) is a protocol proposed by the IETF to solve the single point of failure of a statically configured gateway in a LAN. It is a fault-tolerant routing protocol, also called a backup routing protocol. All hosts in a local area network set a default route; when a host sends a packet to a destination that is not on the local network segment, the packet is sent to the external router through the default route, so that the host can communicate with the external network. When the default router goes down (that is, its port is closed), the internal hosts can no longer communicate with the outside. If VRRP is configured on the routers, the virtual router switches to the backup router and network-wide communication is maintained.
A company's intranet needs a redundant function of the gateway device. When one device is
broken, the other device can work normally without affecting the company's business operations.
[Figure: SW1 (VLAN-if 10, 1.1.1.2) and SW2 (VLAN-if 10, 1.1.1.3) linked through gige0_1, hosts attached to gige0_0 on each, virtual IP 1.1.1.1]
(1) Configure VLAN 10 on SW1 and SW2, and configure the port and vlan-if IP.
(2) Enable VRRP on SW1 and SW2, configure virtual IP, and set priority.
(1) Configure VLAN 10 on SW1 and SW2, and configure the port and vlan-if IP.
# Configure on SW1
[DPTECH]vlan 10
[DPTECH-vlan10]port gige0_0
[DPTECH-vlan10]exit
[DPTECH]inter vlan-if10
[DPTECH-vlan-if10]ip address 1.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]
# Configure on SW2
[DPTECH]vlan 10
[DPTECH-vlan10]port gige0_0
[DPTECH-vlan10]exit
[DPTECH]inter vlan-if10
[DPTECH-vlan-if10]ip address 1.1.1.3/24
[DPTECH-vlan-if10]
(2) Enable VRRP on SW1 and SW2, configure the virtual IP, and set the priority and the preemption mode.
# Configure on SW1.
[DPTECH-vlan-if10]vrrp 1 ip 1.1.1.1
[DPTECH-vlan-if10]vrrp 1 priority 150
[DPTECH-vlan-if10]vrrp vrid 1 preempt delay 10
# Configure on SW2.
[DPTECH-vlan-if10]vrrp vrid 1 ip 1.1.1.1
[DPTECH-vlan-if10]vrrp vrid 1 priority 100
[DPTECH-vlan-if10]vrrp vrid 1 preempt delay 10
The user can set the gateway to 1.1.1.1 and can communicate with the gateway normally.
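The election and failover behaviour of the pair configured above (SW1 priority 150, SW2 priority 100, preempt delay 10 s), as an added Python simulation that is not part of the manual. It assumes the VRRP defaults of a 1 s advertisement interval and Master_Down_Interval = 3 x Adver_Int + Skew_Time; the failure and recovery times of SW1 are constructed.

```python
"""VRRP master election, failover and delayed preemption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADVER_INT = 1.0  # advertisement interval in seconds (VRRP default)


@dataclass
class Router:
    name: str
    ip: str                     # real address on VLAN-if 10
    priority: int
    preempt_delay: float = 0.0  # seconds a returning higher-priority router waits
    up: bool = True


def skew_time(r: Router) -> float:
    return (256 - r.priority) / 256.0


def master_down_interval(r: Router) -> float:
    """How long backup r waits without advertisements before taking over."""
    return 3 * ADVER_INT + skew_time(r)


def best(routers: List[Router]) -> Optional[Router]:
    """Highest priority wins; equal priorities are broken by the higher IP address."""
    up = [r for r in routers if r.up]
    if not up:
        return None
    return max(up, key=lambda r: (r.priority, tuple(int(o) for o in r.ip.split("."))))


def simulate(routers: List[Router], events) -> List[Tuple[float, str]]:
    """events: (time, router name, is_up). Returns master transitions as (time, name);
    all routers are up at t=0."""
    by_name = {r.name: r for r in routers}
    master = best(routers)
    timeline = [(0.0, master.name)]
    for t, name, is_up in sorted(events):
        by_name[name].up = is_up
        candidate = best(routers)
        if candidate is None or candidate is master:
            continue
        if not master.up:
            # master stopped advertising: the backup takes over after Master_Down_Interval
            switch_at = t + master_down_interval(candidate)
        else:
            # a higher-priority router came back: it preempts only after its preempt delay
            switch_at = t + candidate.preempt_delay
        master = candidate
        timeline.append((round(switch_at, 3), master.name))
    return timeline


def example_pair() -> List[Router]:
    return [Router("SW1", "1.1.1.2", 150, preempt_delay=10.0),
            Router("SW2", "1.1.1.3", 100, preempt_delay=10.0)]


def run_example() -> List[Tuple[float, str]]:
    # constructed scenario: SW1 fails at t=20 s and returns at t=60 s
    return simulate(example_pair(), [(20.0, "SW1", False), (60.0, "SW1", True)])


if __name__ == "__main__":
    for t, name in run_example():
        print(f"t={t:>7.3f}s  master of 1.1.1.1 = {name}")
```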
19 VSM Configuration Example
19.1 VSM introduction
A Virtual Switch Matrix (VSM) connects two or more devices through physical ports to form a
virtual logical device. Each device in the VSM is called a member device. All the configurations of
the member devices are consistent. The member devices can be classified into two modes
according to their functions: Master and Slave.
When the master fails, the slave automatically becomes the new master and takes over from the original master. The master and slave roles are determined by election. Only one master can exist in a VSM at any time; all other member devices are slaves.
Item Description
VSM identification: That is, the VSM ID. Within a VSM, each device is uniquely identified by its VSM ID, and elections between members are decided by the VSM ID. The VSM ID value on the switch ranges from 0 to 7.
VSM cascade board: The board used for VSM cascading. The switch supports dedicated LSW-2xcx4 cards as cascading boards.
VSM cascade port: On the VSM cascading board, the 10M optical port is dedicated to the VSM. Two devices use their VSM expansion ports to form a VSM channel. When multiple physical ports are used for cascading, the cascading port names on the same device must be the same.
VSM channel: Communication between the two devices and forwarding of packets across devices are implemented through the VSM channel.
If only one of the members is currently the Master, no election is needed;
An election is held when the two devices have the same mode;
When all devices in the VSM are slaves, the device with the smallest VSM ID becomes the master and the others remain slaves;
When all devices in the VSM are masters, the device with the smallest VSM ID becomes the master and the other devices restart in slave mode.
Item Description
Batch synchronization: When two devices are combined to form a VSM, the Master device is elected first. The master starts with its own startup configuration file, and during startup this configuration is synchronized to the slave device; the slave is initialized with it and the VSM is formed. Batch synchronization is also performed when a new member device is added during VSM operation: the new device reboots into the VSM as a slave, the Master batch-synchronizes the current configuration to it, and the new device is initialized with the synchronized configuration.
Real-time synchronization: After all devices are initialized, the VSM runs as a single network device on the network. As the management center of the VSM system, the master device is responsible for synchronizing the user's configuration to the slave devices, so that the configuration of all devices in the VSM stays consistent at all times.
During VSM maintenance, the heartbeat information sent by the other member devices is
continuously monitored. When a new member device is added, it is handled differently according to
its state:
The newly added device has not formed a VSM. For example, the VSM function is configured on
the new device, the device is powered off, connected to the existing VSM system with the VSM
cable, and then powered on and restarted; in this case the device is selected as a slave.
The newly added device has already formed a VSM. For example, the VSM function is configured
on the new device and it has been running as a VSM system before being connected to the
existing VSM system. In this case there are two master devices in the VSM (in general, forming a
VSM this way is not recommended), so the two VSMs perform an active/standby election following
the election rules above. The device elected as slave rejoins the VSM in the slave role.
Possible reasons for a member device to join are: members being added to the VSM system
manually; a device that was faulty, or whose link was faulty, rejoining the VSM after the fault is
rectified.
The VSM can accurately determine whether a member device has left.
When the VSM channel between member devices goes down, the expansion port goes down. The
other member devices in the VSM quickly detect that the device is leaving, without waiting for the
heartbeat information to time out.
When an abnormality occurs on the VSM channel, members of the VSM can no longer receive
heartbeat information from the other members. If the timeout period is exceeded, the other
devices are determined to have left.
A member device that receives the leaving message checks, according to its locally maintained VSM
information, whether the departed device was the master or a slave. If the master has left, a new
active/standby election is triggered and the local VSM information is updated. If a slave has left,
the local VSM information is updated directly. Possible reasons for a member device to leave are:
the member device is removed manually; the member device is faulty; the link is faulty.
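The election rules and the join/leave handling described above, as an added model (not DPtech code) that applies them to a member list; the Member class, the role names and the helper functions are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MASTER = "master"
SLAVE = "slave"


@dataclass
class Member:
    vsm_id: int               # VSM ID, 0-7 on this switch family
    role: str = SLAVE         # MASTER or SLAVE
    restarted: bool = False   # set when the device has to reboot in slave mode


def elect(members: List[Member]) -> Optional[Member]:
    """Apply the election rules to the member set and return the master.

    - a single member is the master; no election is needed
    - exactly one master already exists: nothing changes
    - all members are slaves: the smallest VSM ID becomes master
    - more than one master (two running VSMs were cabled together): the
      smallest VSM ID keeps the master role, the other former masters
      restart in slave mode
    """
    if not members:
        return None
    if len(members) == 1:
        members[0].role = MASTER
        return members[0]
    masters = [m for m in members if m.role == MASTER]
    if len(masters) == 1:
        return masters[0]
    winner = min(members, key=lambda m: m.vsm_id)
    for m in members:
        if m is winner:
            m.role = MASTER
        elif m.role == MASTER:
            m.role = SLAVE
            m.restarted = True    # lost a master-versus-master election
        else:
            m.role = SLAVE
    return winner


def join(members: List[Member], new: Member) -> Optional[Member]:
    """A device that never formed a VSM arrives as a slave (the default role);
    a device that was already a master triggers the master-versus-master
    election inside elect()."""
    members.append(new)
    return elect(members)


def leave(members: List[Member], departed: Member) -> Optional[Member]:
    """Remove a member detected as gone (expansion port down or heartbeat
    timeout). Only the loss of the master triggers a new election; losing a
    slave just updates the local VSM information."""
    members.remove(departed)
    if departed.role == MASTER:
        return elect(members)
    return next((m for m in members if m.role == MASTER), None)
```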
The VSM uses a series of redundant backup technologies to ensure the high reliability of the VSM
system. Users can deploy VSM devices at the access layer, aggregation layer, and data center to
minimize daily maintenance operations and the downtime caused by sudden system crashes,
reducing the impact of network failures.
After the VSM is enabled, ports on the device are named VSM ID + slot number + port number, for
example gige0_1_0.
After the VSM is enabled, the device automatically elects the master. The device with the
smaller VSM ID is elected as the master. You can use the show vsm command to view which
device is the master. All configuration is done on the master. When the VSM function is enabled
or disabled, the device clears its configuration and restarts.
You need to ensure that the route between SW1 and the gateway is reachable. You can
configure static routes or dynamic routing protocols. For details, see the chapter Routing
Protocols.
(1) Enable the VSM function on SW2 and SW3, set the VSM ID of SW2 to 0, and set the VSM ID
of SW3 to 1.
(2) Create corresponding vlan-if ports on SW1 and SW2 and configure IP addresses.
# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vsm enable id 0 uplink-port-list tengige1_0 downlink-port-list null
The configuration will cause rebooting and take effect after that.
Are you sure? (Y/N) [N]: y
# Configure on SW3.
<DPTECH>conf-mode
[DPTECH]vsm enable id 1 uplink-port-list null downlink-port-list tengige1_0
The configuration will cause rebooting and take effect after that.
Are you sure? (Y/N) [N]: y
(2) Create corresponding vlan-if ports on SW1 and SW2 and configure IP addresses.
# Configure on SW1.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_1
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 2.2.2.1/24
[DPTECH-vlan-if3]exit
[DPTECH]
# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_0_1
[DPTECH-vlan2]port gige1_0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 2.2.2.2/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_0_2
[DPTECH-vlan3]port gige1_0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
# Configure on SW1.
<DPTECH>conf-mode
[DPTECH]interface bond 1
[DPTECH-bond1]bond mode dynamic
[DPTECH-bond1]bond load-sharing mode source-destination-ip
[DPTECH-bond1]switchport access vlan 3
[DPTECH-bond1]exit
[DPTECH]interface gige 0_1
[DPTECH-gige0_1]bond group 1
[DPTECH-gige0_1]exit
[DPTECH]interface gige 0_2
[DPTECH-gige0_2]bond group 1
[DPTECH-gige0_2]exit
[DPTECH]
[DPTECH-bond2]exit
[DPTECH]interface gige0_0_2
[DPTECH-gige0_0_2]bond group 1
[DPTECH-gige0_0_2]exit
[DPTECH]interface gige1_0_2
[DPTECH-gige1_0_2]bond group 1
[DPTECH-gige1_0_2]exit
[DPTECH]
The master and the slave device can forward packets based on the outbound interface algorithm.
The master can access the external network through the gateway. When the master device fails,
the slave device automatically becomes the master to forward packets. The host can also access
the external network. When the slave device fails, the master bears the packet forwarding, and
the host can still access the external network. This achieves link redundancy and improves
network reliability.
20 OVC Configuration Example
20.1 OVC introduction
OVC (OS-Level Virtual Context) technology is a virtualization technology that virtualizes one
physical device into multiple logical devices. After OVC virtualization, the multiple logical devices on
the same physical device have independent hardware, software, forwarding entries, management
planes, and logs, and the operation of one logical device does not affect the others.
OVC technology virtualizes both resources and management. Once the physical device resources
are virtualized, rapid deployment and adjustment of services are no longer limited by the physical
devices themselves. This saves construction and operation and maintenance costs, allows flexible
on-demand deployment, and provides complete fault isolation, effectively solving the problems of
security isolation between multiple services and on-demand resource allocation. These are the
foundational conditions for the transition of networks and security to a dynamic and resilient cloud
service model.
Item Description
Public OVC: The default OVC instance that exists in the initial state of the system is called the public
OVC, and all resources are initially used by the public OVC.
Ordinary OVC: OVC instances other than the public OVC are referred to as normal OVCs. After a
normal OVC is created, any resources in the system that are not mapped to a normal OVC belong to
the public OVC.
OVC technology is an operating-system-level virtualization technology that provides 1:N
virtualization. Through OS-level virtualization, each OVC can be assigned its own set of software
and hardware resources, such as independent ports, CPU, memory, number of sessions (new and
concurrent), throughput, number of routing entries, and number of security policies, so the actual
specifications of each OVC can be customized flexibly. OVC virtualization allows the system to
perform independent process, memory, and disk management for each virtual device; there is no
resource consumption or performance loss from switching and scheduling between virtual devices,
because the isolation is provided by operating system virtualization. An OVC is completely isolated
on the management plane, control plane, data plane, and service plane, forming a fully independent
logical device. The operating system kernel schedules the OVC virtual devices and allocates hardware
resources to each OVC virtual device according to a preset resource template.
As shown in Figure 23-2, OVC1 runs OSPF/ISIS, OVC2 runs OSPF/RIP/BGP, and OVC3 runs
ISIS/BGP. They have separate processes, so the failure of a protocol process in one OVC does not
affect the normal operation of the protocol processes in the other OVCs.
The benefit of control-plane virtualization is fault isolation between OVCs. As shown in Figure
23-3, when the OSPF process in OVC2 crashes, the OSPF protocol of that OVC fails to run
normally, while the OSPF processes in the other OVCs continue to operate unaffected.
managed by their respective virtual data planes, and the different OVCs are completely isolated.
When traffic enters the system from an interface of an OVC, only the forwarding entries belonging
to that OVC are queried, and the traffic is forwarded only through interfaces belonging to that OVC.
Routing protocols can only run on these interface resources, which ensures that each OVC's
forwarding entries contain only interfaces belonging to this OVC, completely separating the routing
and forwarding of different OVCs.
On a security device, session entries are set up to record status information. To ensure complete
isolation of each OVC's forwarding information, each OVC has an independent session table and
maintains only the sessions belonging to this OVC. Sessions of different OVCs do not interfere with
each other, so the address space and forwarding information of each OVC are completely
independent.
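The per-OVC forwarding lookup just described, as an added illustration (not DPtech code): each OVC gets its own forwarding table that can only contain its own interfaces, and a packet is looked up only in the table of the OVC that owns its ingress interface. The interface-to-OVC bindings and addresses are taken from the SW3 configuration in this example; the helper names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from the SW3 configuration in this example: interface -> (OVC, address/prefix).
INTERFACES: Dict[str, Tuple[str, str]] = {
    "vlan-if2": ("ovc1", "1.1.1.1/24"),
    "vlan-if4": ("ovc1", "3.3.3.1/24"),
    "vlan-if3": ("ovc2", "2.2.2.1/24"),
    "vlan-if5": ("ovc2", "4.4.4.1/24"),
}

Fib = List[Tuple[ipaddress.IPv4Network, str]]   # (prefix, egress interface)


def build_fibs(interfaces: Dict[str, Tuple[str, str]]) -> Dict[str, Fib]:
    """One forwarding table per OVC, seeded with that OVC's connected networks."""
    fibs: Dict[str, Fib] = {}
    for ifname, (ovc, cidr) in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        fibs.setdefault(ovc, []).append((net, ifname))
    for routes in fibs.values():
        routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest match first
    return fibs


def add_route(fibs: Dict[str, Fib], interfaces: Dict[str, Tuple[str, str]],
              ovc: str, prefix: str, egress: str) -> bool:
    """Install a learned route into an OVC's table. The egress interface must be
    bound to the same OVC; a route pointing at another OVC's interface is rejected."""
    if egress not in interfaces or interfaces[egress][0] != ovc:
        return False
    fibs.setdefault(ovc, []).append((ipaddress.ip_network(prefix), egress))
    fibs[ovc].sort(key=lambda r: r[0].prefixlen, reverse=True)
    return True


def forward(fibs: Dict[str, Fib], interfaces: Dict[str, Tuple[str, str]],
            ingress: str, dst: str) -> Optional[str]:
    """Return the egress interface for dst, or None when the packet is dropped.
    Only the table of the OVC that owns the ingress interface is consulted, so a
    destination that is reachable in another OVC is still unreachable here."""
    ovc = interfaces[ingress][0]
    addr = ipaddress.ip_address(dst)
    for net, egress in fibs.get(ovc, []):
        if addr in net:
            return egress
    return None
```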
When an enterprise needs to keep its intranet data confidential, hosts that can access the intranet
data must not be allowed to access the external network, while other hosts must still be able to
access the external network. The enterprise can use the OVC function to isolate these into two
networks that are independent of each other and do not interfere with each other.
(1) Create VLANs on SW1, SW2, SW3, and SW4, and configure VLANs for the corresponding
ports.
(3) Create corresponding vlan-if ports on SW2 and SW3 respectively, and configure
corresponding IP addresses.
(1) Create VLANs on SW1, SW2, SW3, and SW4, and configure VLANs for the corresponding
ports.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH-gige0_3]exit
[DPTECH]
# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 6
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 6
[DPTECH-vlan6]port gige0_4
[DPTECH-vlan6]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 4-5
[DPTECH-gige0_2]switchport trunk native vlan 5
[DPTECH-gige0_2]exit
# Configure on SW3.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH-gige0_2]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if5
[DPTECH-vlan-if5]bind ovc ovc2
[DPTECH-vlan-if5]exit
[DPTECH]
(3) Configure the IP address of the corresponding vlan-if port in the OVC on SW2 and SW3.
# Configure on SW2.
<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]interface vlan-if2
[DPTECH-vlan-if2-ovc1]ip add 5.5.5.1/24
[DPTECH-vlan-if2-ovc1]exit
[DPTECH-ovc1]interface vlan-if5
[DPTECH-vlan-if5-ovc1]ip add 4.4.4.2/16
[DPTECH-vlan-if5-ovc1]end
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]interface vlan-if4
[DPTECH-vlan-if4-ovc2]ip add 3.3.3.2/24
[DPTECH-vlan-if4-ovc2]exit
[DPTECH-ovc2]interface vlan-if3
[DPTECH-vlan-if3-ovc2]ip add 6.6.6.1/24
[DPTECH-vlan-if3-ovc2]exit
[DPTECH-ovc2]interface vlan-if6
[DPTECH-vlan-if6-ovc2]ip add 7.7.7.1/24
[DPTECH-vlan-if6-ovc2]exit
# Configure on SW3.
<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]interface vlan-if2
[DPTECH-vlan-if2-ovc1]ip add 1.1.1.1/24
[DPTECH-vlan-if2-ovc1]exit
[DPTECH-ovc1]interface vlan-if4
[DPTECH-vlan-if4-ovc1]ip add 3.3.3.1/24
[DPTECH-vlan-if4-ovc1]end
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]interface vlan-if3
[DPTECH-vlan-if3-ovc2]ip add 2.2.2.1/24
[DPTECH-vlan-if3-ovc2]exit
[DPTECH-ovc2]interface vlan-if5
[DPTECH-vlan-if5-ovc2]ip add 4.4.4.1/24
[DPTECH-vlan-if5-ovc2]exit
[DPTECH-ovc2]
[DPTECH-ovc1]route ospf 1
[DPTECH-ospf-1-ovc1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1-ovc1]network 3.3.3.0/24 area 0
[DPTECH-ospf-1-ovc1]exit
[DPTECH-ovc1]exit
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]route ospf 1
[DPTECH-ospf-1-ovc2]network 2.2.2.0/24 area 0
[DPTECH-ospf-1-ovc2]network 4.4.4.0/24 area 0
[DPTECH-ospf-1-ovc2]exit
[DPTECH-ovc2]exit
<DPTECH-ovc2>exit
Connection closed by foreign host.
<DPTECH>
vlan-if4
<DPTECH>show ovc ovc2
VFW : PublicSystem
Manage service: managable
Interface list:
vlan-if3
vlan-if5
<DPTECH>
By configuring the OVC function on SW2 and SW3, network A and network B are isolated from
each other and cannot communicate with each other. Hosts A1 and A2 on network A can access
each other and Server A, but cannot access the external network. Hosts B1 and B2 on network B
can access each other and Server B, and can also access the external network.
21 VRF Configuration Example
21.1 VRF introduction
VRF (Virtual Route Forwarding) is mainly used for route isolation to solve address overlap
problems. Each VRF can be thought of as a virtual switch that includes the following elements:
Two important parameters related to VPN services defined in the VRF are RT and RD:
Item Description
RT (Route Target): Mainly used to control the publishing and installation policies of VPN routes. It
has two properties, import and export: the import RT indicates which routes this VRF is interested in,
and the export RT indicates the attribute attached to the routes this VRF advertises. When a route is
advertised by a PE, it is sent directly to the other PEs with the export RT of the VRF to which the
route belongs. The peer PE first receives all the routes and checks them against the import RT rules
configured on each VRF; if the RT attribute of a route matches, the route is added to the
corresponding VRF.
RD (Route Distinguisher): Used to indicate which VPN a route belongs to. In theory, an RD can be
configured for each VRF; it is generally recommended to configure the same RD for every VRF of one
VPN and to ensure that the RD is globally unique. If the same address exists in two VRFs but their
RDs are different, the two routes are not confused while being published between PEs. The RD is
sent together with the route, and the peer PE determines the VPN to which the route belongs
according to the RD and installs the route into the correct VRF.
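The RD/RT mechanism above, as an added model (not DPtech code) in which PE1 (SW3) learns the same 10.10.1.0/16 prefix from CE1 in VPN1 and from CE2 in VPN2, advertises both as VPNv4 routes, and each VRF on PE2 (SW5) imports only the copy whose RT matches. The RD and RT values, the class names and the helpers are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str                     # Route Distinguisher, one per VPN (constructed values)
    export_rt: Set[str]         # RTs attached to the routes this VRF advertises
    import_rt: Set[str]         # RTs this VRF is interested in
    routes: Dict[str, str] = field(default_factory=dict)   # prefix -> learned from


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    learned_from: str
    rts: frozenset


def export_routes(vrf: Vrf) -> List[Vpnv4Route]:
    """Prepend the VRF's RD to every prefix and attach its export RTs; this is
    what the PE sends to its IBGP peers."""
    return [Vpnv4Route(vrf.rd, p, src, frozenset(vrf.export_rt))
            for p, src in vrf.routes.items()]


def vpnv4_table(received: Iterable[Vpnv4Route]) -> Dict[Tuple[str, str], Vpnv4Route]:
    """The receiving PE keys routes on (RD, prefix), so the same IPv4 prefix
    from two VPNs stays as two distinct entries instead of colliding."""
    return {(r.rd, r.prefix): r for r in received}


def import_routes(vrf: Vrf, received: Iterable[Vpnv4Route]) -> List[Tuple[str, str]]:
    """Install the received routes whose RTs match the VRF's import RTs and
    report which (RD, prefix) entries were installed."""
    installed = []
    for r in received:
        if r.rts & vrf.import_rt:
            vrf.routes[r.prefix] = r.learned_from
            installed.append((r.rd, r.prefix))
    return installed


def build_scenario():
    """PE1 (SW3) holds VPN1 and VPN2 VRFs that both learned 10.10.1.0/16 from
    their CE; PE2 (SW5) receives both VPNv4 routes and sorts them by RT."""
    pe1_vpn1 = Vrf("vpn1", "100:1", {"100:1"}, {"100:1"}, {"10.10.1.0/16": "CE1"})
    pe1_vpn2 = Vrf("vpn2", "100:2", {"100:2"}, {"100:2"}, {"10.10.1.0/16": "CE2"})
    table = vpnv4_table(export_routes(pe1_vpn1) + export_routes(pe1_vpn2))
    pe2_vpn1 = Vrf("vpn1", "100:1", {"100:1"}, {"100:1"})
    pe2_vpn2 = Vrf("vpn2", "100:2", {"100:2"}, {"100:2"})
    import_routes(pe2_vpn1, table.values())
    import_routes(pe2_vpn2, table.values())
    return table, pe2_vpn1, pe2_vpn2
```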
Item Description
PE: The edge device of the backbone network. It mainly stores the VRFs, learns routes from the
directly connected CE, and exchanges the learned VPN routes with other PEs through IBGP. It is the
main implementer of MPLS.
P: The core device of the backbone network. It is not directly connected to the CE and is mainly
responsible for MPLS forwarding.
CE: A user edge device, usually a switch or router in a VPN site. Its main function is to exchange
VPN routing information with the PE: it advertises local routes to the PE and learns remote site
routes from the PE.
Site: An isolated IP network in a VPN. Each site is connected through the carrier backbone network.
A user accesses the MPLS VPN through a site: each site provides one or more CEs that connect to
the PEs of the backbone network. A VRF is configured for the site on the PE, and the physical and
logical interfaces of the PE-CE connection are bound to the VRF.
When an operator's network carries the traffic of several companies (such as company A and
company B), the off-site departments of company A must be able to reach each other, as must those
of company B, while A and B must be prevented from accessing each other. The PE device of the
carrier network may then encounter problems such as local route conflicts, route propagation in
the network, and the forwarding of packets from the PE to the CE. The VRF function on the PE
device effectively solves these problems.
CE1 is a switch of Site1, CE2 is a switch of Site2, CE3 is a switch of Site3, and CE4 is a switch of
Site4.
Site1 and Site3 are the two sites of VPN1, and Site2 and Site4 are the two sites of VPN2.
The OSPF routing protocol is used between PE, CE, and P.
(1) Create corresponding vlan-if ports on SW1, SW2, SW3, SW4, SW5, SW6, and SW7, and
configure corresponding IP addresses.
(3) Configure OSPF routes on SW1, SW2, SW3, SW4, SW5, SW6, and SW7.
(4) Configure IBGP on SW3 and SW5 and establish VPNv4 neighbors.
(1) Create corresponding vlan-if ports on SW1, SW2, SW3, SW4, SW5, SW6, and SW7, and
configure corresponding IP addresses.
# Configure on SW1.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 10.10.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]
# Configure on SW2.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 2.2.2.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 10.10.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]
# Configure on SW3.
[DPTECH]vlan 2 to 4
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_4
[DPTECH-vlan4]exit
[DPTECH]interface vlan-if2
# Configure on SW4.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 3.3.3.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 4.4.4.1/24
[DPTECH-vlan-if3]exit
[DPTECH]interface loopback 1
[DPTECH-loopback1]ip add 40.40.40.1/24
[DPTECH-loopback1]exit
[DPTECH]
# Configure on SW5.
[DPTECH]vlan 2 to 4
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_4
[DPTECH-vlan4]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 5.5.5.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 6.6.6.2/24
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if4
[DPTECH-vlan-if4]ip add 4.4.4.2/24
[DPTECH-vlan-if4]exit
[DPTECH]interface loopback 1
[DPTECH-loopback1]ip add 50.50.50.1/24
[DPTECH-loopback1]exit
[DPTECH]
# Configure on SW6.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 5.5.5.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 20.20.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]
# Configure on SW7.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 6.6.6.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 20.20.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]
(3) Configure OSPF routes on SW1, SW2, SW3, SW4, SW5, SW6, and SW7 respectively.
(4) Configure IBGP on SW3 and SW5 and establish VPNv4 neighbors.
Hosts in the two sites of VPN1 can access each other but cannot access hosts in VPN2. Similarly,
hosts in the two sites of VPN2 can access each other but cannot access hosts in VPN1. Thereby
achieving logical division and security isolation between the two VPNs.